Hello and welcome to Azure Identity Protection. In this lesson, we’ll take a look at what it is and what it does.

Azure Identity Protection is used to automatically detect identity-based risks and to help automate remediation of those risks. You can use it to investigate identity-based risks, using data in the portal, AND you can use it to export risk detection data to a third-party SIEM.

Signals picked up by Identity Protection can also be forwarded to other Azure services, like Conditional Access, for example. Doing this allows Conditional Access to make access decisions that are based on the risk signals generated by Identity Protection. This automation helps organizations pick up on risks much quicker and it helps remediate those risks far more quickly than a manual intervention could.

Identity Protection can identify all kinds of identity-centric risks, including those that you see on your screen.

It can identify others as well, but these are the most common.

When Identity Protection detects a risk, remediation actions can be automatically triggered. For example, Identity Protection can automatically force a user to perform Multi-Factor Authentication, or maybe reset their password using SSPR, or you can even automatically block the user until an admin investigates and takes action.

When investigating detections that are picked up by Identity Protection, you can leverage three different reports to assist you in your efforts. You can leverage the Risky Users report, the Risky Sign-Ins report, and the Risk Detections report.

The Risky Users Report allows you to determine users that have been deemed risky, it allows you to view users who have had risk remediated, and those who have had a risk dismissed.

The Risky Sign-ins Report contains up to 30 days’ worth of data that’s filterable. You can use this report to identify sign-ins that have been classified as at risk, confirmed compromised, confirmed safe, dismissed, or remediated.

And then you have the Risk Detections Report. This report contains up to three months’ worth of filterable data that can be used to find information about all risk detections, including other risks triggered at the same time, and even the locations where sign-in attempts have come from.

Let’s talk a little bit about risk levels, now. When Azure Identity Protection identifies a risk, it categorizes is into one of three tiers. You have the low, medium, and high tiers. Each tier represents a higher confidence level in a risk that’s been assigned to that tier. In other words, there is higher confidence in a risk being an actual risk if it is categorized as a high risk rather than a medium risk. The same goes for a risk categorized as medium versus low. This means that, while there may be some low risks that aren’t really risks at all, those that are categorized as high risks should raise all kinds of red flags, because confidence is high that those risks are, indeed, high risks that need to be addressed.

Now, before we wrap up this lesson, I just want to touch on permissions and licensing as they relate to Azure Identity Protection. More specifically, I want to point out that you need to be a Security Reader, a Security Operator, a Security Administrator, a Global Reader, or a Global Administrator to access Azure Identity Protection. The role you are assigned will determine what specific actions you can take with it.

The table on your screen breaks them down.

As far as licensing goes, I just want to mention that, while you can get a little bit of Azure Identity Protection reporting if you have an Azure AD Premium P1 license, to really do anything meaningful with Azure Identity Protection, you need to possess an Azure AD Premium P2 license. 

So, with that, join me in the next lesson, where we’ll take a look at the different Identity Protection Policies that are available.