How to set up Azure AD to spot risky users

This is Susan Bradley for CSOOnline. Today’s topic is going to be about why you might want to look at different levels of Azure Active Directory. There’s several basic layers, free, basic, premium p1 p2. Now why would you want premium P2. I’m going to give you an example of why you might want to look into having just a license for that. There’s a lot of things you can do in an Azure best practices checklist but one of the ones talked about on this checklist here is setting up a sign in risk policy and a user risk policy.. What the user risk policy does is look at the activities of the user and flags the person if they’re doing something risky. If they use Leaked credentials it compares that to monitoring public and dark web sites by working with researchers law enforcement and security teams. It looks at information from anonymous IP addresses and that are done in real time. So it checks to see if anybody is using a tor browser or anonymizing VPNs. It looks to see if somebody is logging in such a manner that just doesn’t make sense. Like for example they’ve logged in from say the Pacific Coast an hour later they’re logging in from the East Coast. Now we don’t have the fast airplanes anymore so that’s virtually impossible. It looks at signings from unusual locations or anything that just. Isn’t familiar to the system. And it flags you with a report. To get started with it with this you have to go to the user marketplace and enable Azure identity protection. While there check out the other modules that are up there too. You want to then go to the dashboard of the user identity protection. Already on this test account you can see it sees that my user does not have multi factor authentication and it’s flagging it as risky activity. So now we want to set up a sign in risk policy. Now I’ve already set up a sample policy. I’ve select a user. The condition I’m picking is sign in risk. And I’m choosing high risk. Now this takes a little bit of an explanation. High risk doesn’t mean what you might think it means. High risk means that the events they’re seeing means that the identities are already being compromised. That there’s a high risk that the person has been already been taken over. If you choose low risk it means it’s going to have potentially much more false positives. So you probably want to start out setting your policy with a high sign in risk. Now going back to our versions of Azure A.D.. If you have the free and basic. You will get just limited reports. You have to purchase a P1 or P2 before you get the advanced reports. And for identity protection you need that P2. If you want privileged identity management you also need to P2. Now you can mix and match. You can purchase just a P2 just for your global administrator accounts and then a P1 for the rest of the users in your in your domain. Once you’ve set up the report you can then click on the preview and see if there’s anyone impacted. Now in my sample case obviously there’s no one impacted but if you had someone doing risky activity or unusual signings you’d have a listing there. While you’re in this identity section you also want to take a look at something called the Identity secure score and it lets you know what additional things you can do. You want to get that score as high as you can and kind of balance it out between usability and security. In my case I’m only at a really low 27 and there’s a lot more things I can do. So again you’ll want to take a look at that and look at the things that you can turn on in your organization. Until the next time it’s Susan Bradley. And I’d highly recommend that you sign up for the IDG tech talk, Go over there on YouTube and sign up for daily videos on topics. Until the next time this is Susan Bradley.