Azure Identity Protection

Azure Identity Protection is a feature of Microsoft Enterprise Mobility + Security and is a premium feature in EMS E5. We conducted a test to see if a user would be blocked while trying to log in from 2 separate locations.

We went to https://portal.azure.com/ and logged in with credentials normally from our home office server. I then created a 2012 Server virtual machine setting up and configuring Active Directory and azure AD Connect.

Using the Tor browser I went to portal.azure.com to login with the same user a 2nd time.

Our Results

Your sign-in was blocked

We’ve detected something unusual about this sign-in.

For example, you might be signing in from a new location, device, or app.

Before you can continue, we need to verify your identity. Please contact your admin.

After viewing more details we get a better picture of what scenario is; at this point to see that the user has tried to sign in a second time from an unknown location and has been blocked.

We can see from the message the sign-in was blocked.

Your sign-in was blocked

We’ve detected something unusual about this sign-in. For example, you might be signing in from a new location, device, or app.

Before you can continue, we need to verify your identity. Please contact your admin.

The following information might be useful to your administrator:

App name: Azure Portal
App id: c44b4083-3bb0-49c1-b47d-974e53cbdf3c
IP address: 62.210.129.246
Device identifier: not available
Device platform: Windows 7
Device state: Unregistered
Signed in as rick.admin@nottstruckingltd.onmicrosoft.com
Correlation ID: 46d66b10-4f50-4e10-a5fb-15a11f06135a
Timestamp: 2017-09-18 20:29:55Z

Sign out and sign in with a different account

We will now create a sign-in risk policy. Login to portal.azure.com -> Azure AD Identity Protection ->Sign-in risk policy

Risky sign-ins

Azure Active Directory detects risk event types in real-time and offline.

Each risk event that has been detected for a sign-in of a user contributes to a logical concept called risky sign-in.

A risky sign-in is an indicator of a sign-in attempt that might not have been performed by the legitimate owner of a user account.

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection#what-is-a-user-risk-level

Azure Active Directory Premium

Azure Identity Protection

Our Results

Risky sign-ins