Skip to content
Microsoft Secure

The “Top 10 actions to secure your environment” series outlines fundamental steps you can take with your investment in Microsoft 365 security solutions. In “Step 3. Protect your identities,” you’ll learn how to define security policies to protect individual user identities against account compromise and protect your administrative accounts.

Whether or not you have experienced a security incident in the past, you probably know that it’s not a matter of if an attacker will successfully compromise your corporate resources, but when. This is what is meant by an “assume breach” mindset. Preventative measures are critical, but in an “assume breach” world, so are detection and rapid response. Azure Active Directory (Azure AD) Identity Protection can help you rapidly uncover anomalies or suspicious incidents and configure policies that will automate a response. With Azure AD Privileged Identity Management (PIM), you can protect your administrative accounts. The faster you discover a hacker and take back control, the less damage that attacker can do, saving you time, money, and reputation.

Reduce the time an attacker has access to your network

Most breaches begin with stolen or guessed user credentials. Once hackers gain access, they attempt to escalate those privileges, or they exploit their access to discover and target administrative users with access to valuable data. Rapid detection of a compromised account—no matter its access level—is critical. This can be challenging in a large enterprise with thousands of users.

Azure AD uses machine learning to analyze every sign-in to uncover anomalies or suspicious incidents. It then assigns a risk level of low, medium, or high to indicate how likely it is that the sign-in was not performed by the user. This is called a risk event. Azure AD also analyzes risk events for each user and calculates a risk level of low, medium, or high to indicate how likely it is that a user has been compromised. Azure AD Identity Protection uses this data to generate reports and alerts that can be viewed from a dashboard (Figure 1) in the Azure portal or by enabling daily or weekly emails.

Figure 1. Azure AD Identity Protection reports users who are likely compromised.

Automate response with Azure AD risk-based conditional access policies

In addition to reporting, Azure AD Identity Protection also lets you configure policies to automate a response based on conditions you define. A sign-in risk policy is a conditional access policy that you can configure based on the risk level assigned to a sign-in (Figure 2). A user risk policy is a conditional access policy that you can configure based on the likelihood that a user has been compromised. For example, we recommend that you create a sign-in risk policy that forces all medium-risk sign-ins to use Multi-Factor Authentication (MFA). We also recommend users with a high-risk level be required to safely change their password after verifying their identity using MFA. In both instances, these policies will be enforced automatically without any intervention by an administrator. (We’ll go into more details about Azure AD conditional access policies in our next blog.)

Figure 2. Apply a policy that blocks or flags risky sign-ins.

Protect your administrative accounts with Azure AD PIM

Even with good detection and response tools, there is still a chance that a hacker will make it through your defenses. In those instances, you need to minimize the likelihood that a compromised account can operate with a privileged role. Azure AD PIM gives you visibility into the users assigned to administrative roles and allows you to establish rules and policies that govern those accounts. Once you’ve identified the users, you can remove users who don’t need privileged access and move remaining user permissions set from permanent to eligible (Figure 3). A user who is eligible for administrative access must request access every time they wish to perform a privileged task. We recommend that you enable MFA for all privileged roles, so you can verify their identity. We also recommend that you establish time limits for administrator access. Users should only have access long enough to complete the privileged task. These steps will make it much more difficult for a hacker to gain access to your most valuable data and resources.

Figure 3. Protect administrative roles by setting users to “Eligible.”

Learn more

Check back in a few weeks for our next blog post, “Step 4. Set conditional access policies,” where we’ll dive into additional conditional access policies you can apply to your identities to ensure that only authorized people access the appropriate data and apps.

Get deployment help now

FastTrack for Microsoft 365 provides end-to-end guidance to set up your security products. FastTrack is a deployment and adoption service that comes at no charge with your subscription. Get started at FastTrack for Microsoft 365.