Microsoft Entra ID Protection.

What is Microsoft Entra ID Protection?

Microsoft Entra ID Protection is a security solution that helps organizations detect, investigate, and remediate identity-based risks.

Simply put, Identity Protection is a service used to detect identity risks and help automate the remediation of these risks.

What is a Risk?

A Risk is simply a compromised identity or a suspicious sign-in activity.

The most common forms of Risk are Anonymous IP address usage, password spray attacks and leaked credentials.

There are two major kinds of Risk: User Risk and Sign-in Risk.

User Risk: This refers to compromised identities or suspicious activities related to user accounts. For example, if an unauthorized entity gains access to a user's credentials, it would be flagged as a user risk.

Sign-in Risk: This involves risks detected during sign-ins, such as the use of anonymous IP addresses, password spray attacks, or leaked credentials. Sign-in risks indicate the probability that a given authentication request is not from the authorized owner of the account.

Risks are categorized into three levels: High, Medium and Low.

Key features of Microsoft Entra ID Protection include:

Risk Detection: Continuously monitors and detects potential identity risks during sign-ins, generating a risk level for each session.

Investigation: Provides detailed reports on risk detections, risky sign-ins, and risky users, allowing administrators to investigate and take appropriate actions.

Remediation: Offers both automatic and manual remediation options. Automatic remediation can enforce access controls like multifactor authentication or secure password resets based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.

When user remediation isn't enabled, an administrator must manually review the risks in the reports in the portal, through the API, or in Microsoft 365 Defender. Administrators can perform manual actions to dismiss, confirm safe, or confirm compromise on the risks.

Data Integration: Allows organizations to export risk data to other tools, such as SIEM systems, for further investigation and correlation.

There are two requirements:

1. You must have a privileged role, such as:

Security Administrator, Security Operator, Security Reader, Global Reader and User Administrator.

2. You must have an Entra ID P2 license.

Identity Protection is implemented in the Entra ID platform by using Conditional Access policies.

There are three default Identity Protection policies with which you can configure Identity Protection for users within your tenant. These include:

User Risk Policy

Sign-in Risk Policy and

Multifactor Authentication Registration Policy

Then we have Conditional Access. Microsoft is now moving all of these Identity Protection policies into Conditional Access, which offers more conditions and controls.
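
The sign-in risk and user risk policies described above, written as Conditional Access policies and created with Microsoft Graph PowerShell. This is an added example, not part of the original post; the risk thresholds, display names and the break-glass placeholder are assumptions, and both policies start in report-only mode.

```powershell
# Added example: risk-based Conditional Access policies via Microsoft Graph PowerShell.
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder (assumption): object ID of an emergency-access account to exclude,
# so a misconfigured policy cannot lock every administrator out.
$breakGlassId = '<break-glass-account-object-id>'

# Report-only first: the policy is evaluated and logged but not enforced.
$state = 'enabledForReportingButNotEnforced'

# Scope shared by both policies: all users (minus break-glass), all apps, all clients.
$scope = @{
    users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
    applications   = @{ includeApplications = @('All') }
    clientAppTypes = @('all')
}

# Sign-in risk: medium or high (assumed threshold) -> require MFA.
$signInRiskPolicy = @{
    displayName   = 'EXAMPLE - Require MFA for risky sign-ins'
    state         = $state
    conditions    = $scope + @{ signInRiskLevels = @('medium', 'high') }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# User risk: high (assumed threshold) -> MFA plus secure password change.
# passwordChange must be combined with mfa using the AND operator.
$userRiskPolicy = @{
    displayName   = 'EXAMPLE - Require password change for risky users'
    state         = $state
    conditions    = $scope + @{ userRiskLevels = @('high') }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'passwordChange') }
}

# Create both policies and print the ID, state and name of each.
foreach ($policy in $signInRiskPolicy, $userRiskPolicy) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    '{0}  {1}  {2}' -f $created.Id, $created.State, $created.DisplayName
}
```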

My name is Theodora E.

M365 Technical Support Engineer


Written by

Theodora Egburedi

M365 Technical Support Expert with hands-on experience in IT support. Proficient in managing and troubleshooting various M365 services, including Exchange Online, SharePoint, Teams, and OneDrive. Committed to providing excellent technical assistance and ensuring seamless user experiences.