Loading...

Identity Protection alerts now available in Microsoft 365 Defender

Identity Protection alerts now available in Microsoft 365 Defender

Azure Active Directory (Azure AD) Identity Protection alerts are now part of Microsoft 365 Defender.

 

Identity compromise is a pivotal component in any successful attack. By taking control over a legitimate organizational account, attackers gain the ability to move around the network, access organizational resources, and compromise more accounts.  With sufficient permissions in hand, attackers have the “keys to the kingdom” to finally achieve their objective – encrypting the entire network, exfiltrating emails or other confidential information, or any other malicious goals. Because of this, it is critical for defenders to have wide visibility into identity activities and gain assistance in spotting suspicious or abnormal activities. This helps defenders identify, investigate, and respond to identity compromise, stopping and evicting attackers from the network.

 

With the appearance of modern attackers like Nobelium, we have seen identity compromise scenarios taken to the next level - extending across the organization’s on-prem network and cloud environment.

 

With Nobelium, attackers infiltrated the on-prem network and managed to compromise accounts with permissions to the AD FS server, which serves as an “LSASS of the cloud” – enabling users of the organization to gain access to cloud resources and services. Once attackers gained control of the AD FS server, they were able to mint tokens for cloud access and reach into user’s mailboxes to read and exfiltrate content.  

 

Defenders must be able to monitor and protect identities of all kinds, across on-prem, in the cloud, and in-between.

Identity Protection is an important defense in your battle against identity compromise, bringing visibility and protection of Azure Active Directory identities.  

 

You might already be familiar with the Identity Protection experience in the Azure or Entra Portals. Until now, if you wanted a full understanding of the role of Azure AD identities in end-to-end attacks, you needed to traverse both the Azure portal and the Microsoft 365 Defender portal. Now, we are bringing the Identity Protection alerts into Microsoft 365 Defender. Identity Protection alerts are now correlated into related incidents along with alerts from the other security domains, and can be reviewed directly in Microsoft 365 Defender for a full view of the end-to-end attack. No need to switch portals! This helps drive efficiency and simplicity for security teams investigating incidents to understand the full scope of the attacker’s activity and take action in one place.

 

Idan_Pelleg_9-1666685411653.png

 

Example of an Azure AD Identity Protection alert within an incident

 

Azure Active Directory Identity Protection leverages trillions of signals to spot compromised identities. Identity Protection takes individual risk detections to compute a user’s overall likelihood of compromise, known as their user risk score. Identity Protection detects suspicious sign-in attempts by Azure AD accounts and uses additional signal to detect indicators of compromise offline. Some of these detections include unfamiliar sign-in properties, anomalous token, anonymous IP address, and leaked credentials. With Identity Protection, you not only gain insights into risky users, but have mechanisms to automatically mitigate and remediate risk.

To best leverage these Identity Protection signals and tune your environment to reduce false positive, we recommend you enable the risky user and risky sign-in policies for automatic remediation.

 

Additionally, there are several Microsoft 365 Defender correlations that generate new cross-product detections based on the compromised user alerts coming from Azure AD Identity Protection. Alerts include: "Suspicious searches in Exchange Online", "Suspicious quantity of downloaded archive files", "Suspicious domain trust modification following risky sign-in", and "Suspicious Addition of an Exchange related App Role". With this integration, you will also benefit from the combined detection signal.

 

Investigating Azure AD identity compromise alerts as part of the end-to-end incident helps security teams more easily determine root cause, identify affected identities in the attack, and handle the compromised identities more quickly and efficiently. For example, you can suspend specific accounts to block an attack progression and limit its impact. You can also confirm a user as compromised to move them to high risk in Identity Protection and trigger the aforementioned risky user policy to securely change their password.

 

user aad.gif

A risky user in Microsoft 365 Defender with risk level generated by AAD Identity Protection and confirming that the user is compromised.

 

Once the incident investigation and response is done, the incident and Azure AD Identity Protection alert can be resolved in Microsoft 365 Defender. You can mark a user as compromised in Azure AD directly from the Microsoft 365 Defender user page. The incident status will automatically update in the Azure AD Identity Protection portal. 

 

In addition to Azure AD Identity Protection alerts now being integrated into the Microsoft 365 Defender experience, they are also available via the Microsoft 365 Defender Incident API, so you can track incidents that include Azure AD Identity Protection alerts in Microsoft Sentinel or any other solution in your SOC.

 

Idan_Pelleg_13-1666685500418.png

Example of an Azure AD Identity Protection alert in the Microsoft 365 Defender portal

 

By default, only the most relevant alerts for the security operation center are enabled. If you want to get all AAD IP risk detections or turn the integration off, you can change it in Microsoft 365 Defender setting page under “Alert service setting” section

 

Idan_Pelleg_14-1666685553703.png

 

 

 

We’re excited for you to use and test this new capability, and we’re interested in your feedback! Let us know what you think by using the feedback tool in the Microsoft 365 Defender portal.

Published on:

Learn more
Microsoft 365 Defender Blog articles
Microsoft 365 Defender Blog articles

Microsoft 365 Defender Blog articles

Share post:

Related posts

Microsoft Copilot (Microsoft 365): Agents in Copilot Chat available on Edge Sidebar

Use agents in Copilot Chat on Edge Sidebar to simplify tasks. Product Release phase General Availability Release date April CY2025 Platform We...

3 hours ago

Microsoft Teams: Detect sensitive content that’s being shared in meetings

Screen content shared during a meeting is protected by detecting sensitive content and alerting the presenter and organizers when it appears. ...

3 hours ago

Microsoft Viva Engage app for iOS/Android will have a shorter name in app stores

Coming soon for the Microsoft Viva Engage app for iOS and Android: We will shorten the name for this app from “Viva Engage” to ...

3 hours ago

Microsoft 365 Copilot in Forms: Users can reference files and forms to help generate drafts

Coming soon for Microsoft 365 Copilot in Forms: When creating a form with Copilot, users can reference existing documents such as Microsoft Wo...

3 hours ago

Microsoft 365 network connectivity test for Microsoft 365 Copilot is generally available

The Microsoft 365 network connectivity test for Microsoft 365 Copilot is rolling out worldwide to general availability. A Microsoft 365 Copilo...

3 hours ago

Update: Ensuring Security and Compliance – Keep you Microsoft Teams desktop clients up to date

Versions of the new Teams client that were released more than 90 days ago will be blocked. An in-app warning banner will show up 60 days befor...

3 hours ago

AI is changing Microsoft 365 security: 2025 forecasts and best practices  

Tap into Microsoft MVP Jasper Oosterveld’s insights as he unpacks how generative AI is reshaping Microsoft 365 security and how IT team...

20 hours ago

SharePoint PnP Viva Connections & SPFx JS SIG Call – April 3rd, 2025 – Screenshot Summary

Call Highlights   SharePoint Quicklinks: Primary PnP Website: https://aka.ms/m365pnp Documentation & Guidance SharePoint Dev Videos Issues...

1 day ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy