Identity Protection alerts now available in Microsoft 365 Defender
Azure Active Directory (Azure AD) Identity Protection alerts are now part of Microsoft 365 Defender.
Identity compromise is a pivotal component in any successful attack. By taking control over a legitimate organizational account, attackers gain the ability to move around the network, access organizational resources, and compromise more accounts. With sufficient permissions in hand, attackers have the “keys to the kingdom” to finally achieve their objective – encrypting the entire network, exfiltrating emails or other confidential information, or any other malicious goals. Because of this, it is critical for defenders to have wide visibility into identity activities and gain assistance in spotting suspicious or abnormal activities. This helps defenders identify, investigate, and respond to identity compromise, stopping and evicting attackers from the network.
With the appearance of modern attackers like Nobelium, we have seen identity compromise scenarios taken to the next level - extending across the organization’s on-prem network and cloud environment.
With Nobelium, attackers infiltrated the on-prem network and managed to compromise accounts with permissions to the AD FS server, which serves as an “LSASS of the cloud” – enabling users of the organization to gain access to cloud resources and services. Once attackers gained control of the AD FS server, they were able to mint tokens for cloud access and reach into user’s mailboxes to read and exfiltrate content.
Defenders must be able to monitor and protect identities of all kinds, across on-prem, in the cloud, and in-between.
Identity Protection is an important defense in your battle against identity compromise, bringing visibility and protection of Azure Active Directory identities.
You might already be familiar with the Identity Protection experience in the Azure or Entra Portals. Until now, if you wanted a full understanding of the role of Azure AD identities in end-to-end attacks, you needed to traverse both the Azure portal and the Microsoft 365 Defender portal. Now, we are bringing the Identity Protection alerts into Microsoft 365 Defender. Identity Protection alerts are now correlated into related incidents along with alerts from the other security domains, and can be reviewed directly in Microsoft 365 Defender for a full view of the end-to-end attack. No need to switch portals! This helps drive efficiency and simplicity for security teams investigating incidents to understand the full scope of the attacker’s activity and take action in one place.
Example of an Azure AD Identity Protection alert within an incident
Azure Active Directory Identity Protection leverages trillions of signals to spot compromised identities. Identity Protection takes individual risk detections to compute a user’s overall likelihood of compromise, known as their user risk score. Identity Protection detects suspicious sign-in attempts by Azure AD accounts and uses additional signal to detect indicators of compromise offline. Some of these detections include unfamiliar sign-in properties, anomalous token, anonymous IP address, and leaked credentials. With Identity Protection, you not only gain insights into risky users, but have mechanisms to automatically mitigate and remediate risk.
To best leverage these Identity Protection signals and tune your environment to reduce false positive, we recommend you enable the risky user and risky sign-in policies for automatic remediation.
Additionally, there are several Microsoft 365 Defender correlations that generate new cross-product detections based on the compromised user alerts coming from Azure AD Identity Protection. Alerts include: "Suspicious searches in Exchange Online", "Suspicious quantity of downloaded archive files", "Suspicious domain trust modification following risky sign-in", and "Suspicious Addition of an Exchange related App Role". With this integration, you will also benefit from the combined detection signal.
Investigating Azure AD identity compromise alerts as part of the end-to-end incident helps security teams more easily determine root cause, identify affected identities in the attack, and handle the compromised identities more quickly and efficiently. For example, you can suspend specific accounts to block an attack progression and limit its impact. You can also confirm a user as compromised to move them to high risk in Identity Protection and trigger the aforementioned risky user policy to securely change their password.
A risky user in Microsoft 365 Defender with risk level generated by AAD Identity Protection and confirming that the user is compromised.
Once the incident investigation and response is done, the incident and Azure AD Identity Protection alert can be resolved in Microsoft 365 Defender. You can mark a user as compromised in Azure AD directly from the Microsoft 365 Defender user page. The incident status will automatically update in the Azure AD Identity Protection portal.
In addition to Azure AD Identity Protection alerts now being integrated into the Microsoft 365 Defender experience, they are also available via the Microsoft 365 Defender Incident API, so you can track incidents that include Azure AD Identity Protection alerts in Microsoft Sentinel or any other solution in your SOC.
Example of an Azure AD Identity Protection alert in the Microsoft 365 Defender portal
By default, only the most relevant alerts for the security operation center are enabled. If you want to get all AAD IP risk detections or turn the integration off, you can change it in Microsoft 365 Defender setting page under “Alert service setting” section
We’re excited for you to use and test this new capability, and we’re interested in your feedback! Let us know what you think by using the feedback tool in the Microsoft 365 Defender portal.
Published on:
Learn moreRelated posts
Microsoft Copilot (Microsoft 365): Agents in Copilot Chat available on Edge Sidebar
Use agents in Copilot Chat on Edge Sidebar to simplify tasks. Product Release phase General Availability Release date April CY2025 Platform We...
Microsoft Teams: Detect sensitive content that’s being shared in meetings
Screen content shared during a meeting is protected by detecting sensitive content and alerting the presenter and organizers when it appears. ...
Microsoft Viva Engage app for iOS/Android will have a shorter name in app stores
Coming soon for the Microsoft Viva Engage app for iOS and Android: We will shorten the name for this app from “Viva Engage” to ...
Microsoft 365 Copilot in Forms: Users can reference files and forms to help generate drafts
Coming soon for Microsoft 365 Copilot in Forms: When creating a form with Copilot, users can reference existing documents such as Microsoft Wo...
Microsoft 365 network connectivity test for Microsoft 365 Copilot is generally available
The Microsoft 365 network connectivity test for Microsoft 365 Copilot is rolling out worldwide to general availability. A Microsoft 365 Copilo...
Update: Ensuring Security and Compliance – Keep you Microsoft Teams desktop clients up to date
Versions of the new Teams client that were released more than 90 days ago will be blocked. An in-app warning banner will show up 60 days befor...
AI is changing Microsoft 365 security: 2025 forecasts and best practices
Tap into Microsoft MVP Jasper Oosterveld’s insights as he unpacks how generative AI is reshaping Microsoft 365 security and how IT team...
SharePoint PnP Viva Connections & SPFx JS SIG Call – April 3rd, 2025 – Screenshot Summary
Call Highlights SharePoint Quicklinks: Primary PnP Website: https://aka.ms/m365pnp Documentation & Guidance SharePoint Dev Videos Issues...