Microsoft 365 E5 provides Identity Protection for your RIA

May 26th, 2021
The vast majority of security breaches today occur when attackers gain access to an IT environment using stolen identities or accounts. It’s therefore crucial that you monitor your RIA firm’s accounts and passwords to determine if they have been compromised. One of the best tools for this is Azure Active Directory (Azure AD) Identity Protection.

What is Azure AD Identity Protection?

Identity Protection is a feature that allows organizations to automatically detect, investigate, and remediate suspicious logins or users.

Specifically, it looks for sign-in risks and user risks.

Sign-in risks measure the likelihood that a sign-in attempt was made by someone other than the user. The red flags include:

  • Sign-ins from anonymous IP addresses
  • Sign-ins from malware-linked IP addresses
  • Sign-ins from atypical locations (e.g., when two or more sign-ins occur from distant locations within a short period of time)
  • Sign-ins with unfamiliar properties that have not been seen recently for a given user

Meanwhile, user risks represent the likelihood that an account is compromised. These risks are often associated with unusual behavior (e.g., when an account shows unusual activity or when its usage patterns are similar to known attacks) or leaked credentials.

While Microsoft does not provide specific details about how it calculates risk, it determines what qualifies as a risky sign-in by using learnings and data acquired from Azure AD, public Microsoft accounts, and Xbox.

Identity Protection comes with Microsoft 365 E5, Microsoft 365 E3 with the E5 Security add-on, EMS E5, or Azure AD Premium P2 licenses.

Identity Protection policies

With Identity Protection, your IT service provider can define whether a risk is low, medium, or high and determine the acceptable level of risk for your RIA firm. Then, they can set up alerts and automate responses or actions to identified risks through risk policies.

There are different risk policies that your IT service provider can enable depending on the type of risk. A sign-in risk policy analyzes every user sign-in and gives a risk score based on the probability that the sign-in was not performed by the real account owner. Based on this score, Identity Protection can either block access, allow access, or allow access but require multifactor authentication (MFA).

Once a sign-in risk is identified, the user is informed of what triggered the risk and what action they need to take to remediate the issue.

On the other hand, a user risk policy uses knowledge about a user's normal behavioral patterns to calculate the probability that their identity was compromised. Based on this risk score, Identity Protection decides whether to block access, allow access, or allow access but require a password change using Azure AD self-service password reset.

As with a sign-in risk, once a user risk is identified, the user is informed of what triggered the risk and what they need to provide to resolve the issue.

Lastly, Identity Protection can help your firm implement an MFA registration policy that provides a second layer of protection to user identities by asking users to complete an additional verification step after entering their username and password. What’s great about enabling this policy is it ensures that new users are registered for MFA from the first time they log into their account.

So after your IT service provider configures an MFA registration policy, Identity Protection will prompt your users to register for MFA the next time they sign in.

They will have 14 days to complete the registration. During this two-week period, users can choose not to register yet still be allowed to use the service. After that, they will have to complete registration before they are allowed to sign in again.

Investigating and remediating detected risks

Once Identity Protection detects risks in your environment, it generates reports that your IT service provider can use to investigate those risks. These reports contain information that helps your IT service provider make an informed decision as to whether the user is legitimate or the account has been compromised. If they decide that the account has been compromised, they must take action to remediate the risks, unless they are already using risk policies to deal with these risks automatically.

Investigating and remediating risks enables your IT service provider to identify weaknesses in your security strategy and understand how to improve your firm’s identity security posture.
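
The triage step described above, as an added example (not from the original article or from Microsoft): it summarises unresolved risk detections per user and maps the worst sign-in risk and user risk to the responses listed in the policies section. The records are constructed samples shaped like Microsoft Graph riskDetection objects, and the thresholds in POLICY are hypothetical.

```python
from collections import defaultdict

# Constructed sample records shaped like Microsoft Graph riskDetection objects;
# the field names follow that resource, the values are invented.
DETECTIONS = [
    {"userPrincipalName": "advisor1@example.com", "activity": "signin",
     "riskEventType": "unfamiliarFeatures", "riskLevel": "low", "riskState": "atRisk"},
    {"userPrincipalName": "advisor1@example.com", "activity": "signin",
     "riskEventType": "unlikelyTravel", "riskLevel": "medium", "riskState": "atRisk"},
    {"userPrincipalName": "ops@example.com", "activity": "user",
     "riskEventType": "leakedCredentials", "riskLevel": "high", "riskState": "atRisk"},
    {"userPrincipalName": "ops@example.com", "activity": "signin",
     "riskEventType": "anonymizedIPAddress", "riskLevel": "high", "riskState": "atRisk"},
    {"userPrincipalName": "partner@example.com", "activity": "signin",
     "riskEventType": "anonymizedIPAddress", "riskLevel": "medium", "riskState": "remediated"},
]

RANK = {"none": 0, "hidden": 0, "low": 1, "medium": 2, "high": 3}
OPEN_STATES = {"atRisk", "confirmedCompromised"}
# Hypothetical thresholds for this example: lowest level at which each response applies.
POLICY = {
    "signin": [("high", "block"), ("medium", "require_mfa")],
    "user": [("high", "require_password_change")],
}

def action_for(kind, level):
    """Map a risk level to the response configured for that policy type."""
    for threshold, action in POLICY[kind]:  # ordered strictest first
        if RANK[level] >= RANK[threshold]:
            return action
    return "allow"

def triage(detections):
    """Summarise unresolved detections per user: response per policy plus evidence."""
    worst = defaultdict(lambda: {"signin": "none", "user": "none"})
    evidence = defaultdict(set)
    for d in detections:
        if d["riskState"] not in OPEN_STATES:  # remediated or dismissed: nothing to do
            continue
        upn, kind = d["userPrincipalName"], d["activity"]
        if RANK[d["riskLevel"]] > RANK[worst[upn][kind]]:
            worst[upn][kind] = d["riskLevel"]
        evidence[upn].add(d["riskEventType"])
    return {upn: {"signin": action_for("signin", lv["signin"]),
                  "user": action_for("user", lv["user"]),
                  "evidence": sorted(evidence[upn])}
            for upn, lv in worst.items()}
```

Calling `triage(DETECTIONS)` leaves out the account whose only detection is already remediated, which keeps the review queue limited to accounts that still need a decision.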

Need help securing your RIA firm’s identities?

We at RIA WorkSpace thrive and excel in helping small- and mid-sized RIA firms manage and secure their IT operations. Contact us today to learn how our customized solutions can help you better respond to identity risks and avoid them and other cyber risks in the future.