Microsoft Entra ID Protection helps organizations detect, investigate, and correct identity risks. It uses advanced machine learning to identify access risks and abnormal user behavior in order to block, challenge, restrict, or allow access. Its primary focus is on identifying suspicious behavior that could indicate compromised identities or unauthorized access attempts. By providing detailed reports, Entra ID's Identity Protection capabilities can help organizations proactively address security issues before they worsen. In this article, we're going to take a closer look at the security features offered by Microsoft Entra ID.
Your digital identity is the VIP pass for the most precious resources of the organization you work for, the key that unlocks the safe where all the data we want to protect resides.
However, just as safes attract hordes of burglars ready to force them open, your own digital identity and those of your employees and managers are targets for people with malicious intentions.
If you don't use the most up-to-date protections, compromising your credentials becomes child's play: a cybercriminal could easily move laterally and hack other accounts within your organization, and credentials leaked on the dark web are a rapidly growing business.
Access to administrative email accounts can be sold for amounts ranging from 500 dollars to as much as 140,000 dollars, while access to antivirus programs, or even to apparently less important accounts such as those on social media, can be purchased for as little as 10 dollars.
So, let's not fall into the trap of only protecting identities with high-level privileges.
It is necessary to strictly secure all identities and, fortunately, Microsoft is at our side in this battle with Entra ID and Entra ID Protection, an intelligent solution to always keep us one step ahead in the complicated landscape of cybersecurity.
Entra ID Protection, formerly known as Azure AD Identity Protection, is a tool that uses advanced machine learning and connected intelligence to automate risk mitigation and identify identity-based threats, allowing you to block, challenge, restrict or allow access.
Entra ID Protection doesn't just prevent identity compromise by identifying threats and enforcing risk-based adaptive access policies.
It also offers a centralized control plane for examining detailed signals and reports, while the risks it recognizes integrate seamlessly with tools such as Conditional Access, ensuring well-informed access decisions.
These risks can also be sent to a Security Information and Event Management (SIEM) system, allowing your security operations team to conduct in-depth investigations and respond effectively.
Although some basic risk detection capabilities are already available with a P1 license, to integrate the full range of Entra ID Protection features into your organization, you will need Microsoft Entra ID P2, Entra ID Suite, or Microsoft 365 E5. It is also available as part of the Enterprise Mobility + Security E5 license.
But how does it work in detail? Let's look at some of the main features of Entra ID Protection.
In a Zero Trust security approach, where identity is a fundamental element, authentication security can be measured in part based on so-called “signals.” Analyzing these signals allows you to assign a level of 'risk' to a particular user when authenticating to Microsoft 365 services.
In Entra ID, a signal is defined as a property or a particular condition associated with a user and authentication.
Here are a few examples:
These are all examples of signals, and as you can see, Entra ID can detect many of them.
ID Protection uses information from the sign-in activity of individual users. By processing this data, it learns their typical patterns, including the paths followed and the associated policies, to determine the likelihood that a specific authentication request does not come from the authorized identity but from an attacker posing as the legitimate user.
Risk can be detected at two levels: the user and the sign-in (access).
In addition, two methods or modes of detection and calculation are available:
Contrary to what you might initially think, the terms user risk and access risk are not interchangeable.
Let's see the differences:
The fact that these are two non-interchangeable types of risk should not be misleading, however: they can easily feed each other, and high access risks can contribute to raising the overall user risk, and vice versa.
For example, if an IT administrator with elevated privileges shows risk signs such as logging in from anonymous IPs and suspicious changes to security settings, Entra ID Protection may flag them as a high-risk user.
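One way to act on these two risk levels through Conditional Access, as an added example that is not part of the original article: the sign-in risk policy challenges a single suspicious authentication with MFA, while the user risk policy forces a secure password change (MFA plus password change, which also resets the user's risk). Both policies are created in report-only mode with the Microsoft Graph PowerShell SDK so their impact can be measured before enforcement; the emergency-access account object ID is a placeholder you must replace.

```powershell
# Added example (not the article's or Microsoft's own code): the two standard
# risk-based Conditional Access policies, created with the Microsoft Graph
# PowerShell SDK in report-only mode. Assumption: the break-glass account ID
# below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlassId = "<OBJECT-ID-OF-EMERGENCY-ACCESS-ACCOUNT>"   # placeholder, replace before use

# Sign-in (access) risk: one suspicious authentication -> challenge with MFA.
$signInRiskPolicy = @{
    displayName   = "Risk: require MFA for medium and high sign-in risk"
    state         = "enabledForReportingButNotEnforced"   # report-only first
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# User risk: the account itself is probably compromised -> MFA AND password change.
# The "passwordChange" control requires the AND operator and all cloud apps in scope.
$userRiskPolicy = @{
    displayName   = "Risk: secure password change for high user risk"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "passwordChange")
    }
}

foreach ($policy in @($signInRiskPolicy, $userRiskPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' (id {1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Switch `state` to `enabled` only after reviewing the report-only results for each policy.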
Through password hashes, Entra ID Protection can determine if an employee's credentials have been disclosed on the internet or sold on the dark web.
A password hash is a cryptographic representation of the password, and by comparing the hashes, the system can identify cases in which a password has been compromised or disclosed. (These calculations are done offline.)
In addition, if an employee attempts to change their password to one that Microsoft knows has already been disclosed, the system will not allow that password to be used.
This tool gives IT administrators deep visibility into users and the ability to create automated workflows in the event of risky events. This reduces the workload for IT staff and minimizes opportunities for hackers to compromise the corporate network.
This type of risk detection occurs in real time, analyzing the history of past accesses to identify unusual accesses. It only takes 5 days for the algorithm to gather enough information about the user's access patterns.
The system stores information about previous logins and generates a risk alert when a login presents characteristics unusual for the user, such as a different IP address, location, device or browser.
This type of risk detection monitors your email inbox for suspicious activity. It analyzes any unusual changes to the inbox rules that control how messages are handled. If someone alters these rules abnormally, the system flags them as a potential risk.
For example, if suspicious rules are created, such as rules that delete messages or move messages or folders in a user's inbox, the system generates an offline alert. This helps detect anyone who is trying to compromise the account, send spam or malware within your organization, or hide messages.
This offline detection mechanism is based on the assumption that if the IP address used by your identity has a history of contacting a known bot online, it should be treated as potentially infected with malware.
For example, in the context of Bring Your Own Device (BYOD) or remote workers and contractors, if they connect remotely to the corporate network and the device's IP address has been marked for a past association with a known bot, this raises concerns. This scenario could indicate that the device, and therefore the user's identity, may unknowingly host malware.
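To see which of the four detections described above are currently firing in a tenant, and which accounts they have pushed to high user risk, here is an added example (not code from the article or from Microsoft) that queries Identity Protection through the Microsoft Graph PowerShell SDK. Assumptions: the 7-day lookback is an arbitrary choice, and the detection-type labels are the article's names mapped onto the Graph `riskEventType` values.

```powershell
# Added example (not the article's or Microsoft's own code): list recent risk
# detections of the types discussed in the article and the resulting risky users.
# Assumption: the 7-day window is arbitrary for the example.
Connect-MgGraph -Scopes "IdentityRiskEvent.Read.All", "IdentityRiskyUser.Read.All"

# Graph riskEventType values that correspond to the article's four detections.
$typesOfInterest = @{
    leakedCredentials                    = "Leaked credentials (offline)"
    unfamiliarFeatures                   = "Unfamiliar sign-in properties (real time)"
    mcasSuspiciousInboxManipulationRules = "Suspicious inbox manipulation rules (offline)"
    malwareInfectedIPAddress             = "Malware linked IP address (offline)"
}

$since = (Get-Date).ToUniversalTime().AddDays(-7)

# Filter client-side so the example does not depend on server-side $filter support
# for every property.
$detections = Get-MgRiskDetection -All | Where-Object {
    $_.DetectedDateTime -ge $since -and $typesOfInterest.ContainsKey([string]$_.RiskEventType)
}

# Summary per detection type: total count and how many are still unremediated.
$detections | Group-Object RiskEventType | ForEach-Object {
    $open = @($_.Group | Where-Object { $_.RiskState -eq "atRisk" }).Count
    [pscustomobject]@{
        Detection   = $typesOfInterest[$_.Name]
        Total       = $_.Count
        StillAtRisk = $open
    }
} | Format-Table -AutoSize

# Accounts whose aggregated user risk is high and not yet remediated: these are the
# users a user-risk Conditional Access policy would force through a secure password change.
Get-MgRiskyUser -All -Filter "riskLevel eq 'high' and riskState eq 'atRisk'" |
    Select-Object UserPrincipalName, RiskLevel, RiskState, RiskDetail, RiskLastUpdatedDateTime |
    Format-Table -AutoSize
```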
We have created the Infrastructure & Security team, focused on the Azure cloud, to better respond to the needs of our customers who involve us in technical and strategic decisions. In addition to configuring and managing the tenant, we also take care of:
With Dev4Side, you have a reliable partner that supports you across the entire Microsoft application ecosystem.
Recently, Microsoft announced some major updates to its Entra ID Protection service. The new capabilities offer administrators a simplified implementation of risk policies, a comprehensive impact analysis, and robust defense mechanisms against sophisticated security threats.
Microsoft has announced its plans to enable Entra ID Conditional Access policies by default for certain Microsoft 365 tenants. The company is gradually implementing these Microsoft-managed policies, with the goal of encouraging organizations to switch to multifactor authentication.
The new Entra ID dashboard provides key metrics, charts, and recommended actions to help administrators understand their organization's security posture.
IT administrators can now simply click on the 'attack counts' option in the Attacks chart to access the Risk Detections report for a more in-depth analysis. This report includes a new “Attack Type” column that details the main types of attacks.
Microsoft has also released a new feature that allows administrators to enable on-premises password resets to reset the user's risk in the Identity Protection settings.
Microsoft has just released a new Identity Protection risk analysis workbook to help administrators understand the implications of these changes on their environments.
This workbook allows IT administrators to analyze the impact of activating risk-based Conditional Access policies, which could potentially block user access, require multifactor authentication, or facilitate secure password changes.
To access the new workbook, users need to sign in to the Microsoft Entra admin center with at least the Report Reader role. Navigate to Identity > Monitoring and Health > Workbooks, then choose the “Risk-Based Access Policy Impact Analysis Workbook” option available under Identity Protection.
Finally, the last important innovation is certainly the integration of Entra ID with Security Copilot, Microsoft's new AI assistant specifically dedicated to cybersecurity.
By combining the two, Entra ID admins will finally be able to access the potential of artificial intelligence capabilities to simplify their work through automated analysis of risk patterns and will also be able to have the AI generate detailed and comprehensive reports on incidents.
That's not all: with Security Copilot, Entra ID admins will also be able to obtain automatic remediation recommendations from the AI assistant's extensive knowledge base, trained on the Redmond company's vast cybersecurity expertise.
Microsoft Defender for Identity and Entra ID Protection are both identity protection solutions offered by Microsoft, but they focus on different aspects and functionality.
Both Microsoft Defender for Identity and Entra ID Identity Protection work to protect Microsoft-based domain accounts.
However, there are significant architectural differences between the two services, which affect the deployment configuration required in the Microsoft domain environment and the licenses needed. The capabilities supported by the products and the available integrations also differ.
Defender for Identity is more flexible for on-premises deployments and analyzes a wider variety of information, including network traffic. Defender for Identity supports on-premises attack detection in hybrid implementations of Active Directory Federation Services (ADFS).
Defender for Identity also supports integration into the larger Microsoft XDR environment, including integration with Microsoft 365 Defender and Cloud App Security.
Entra ID Identity Protection, on the other hand, operates exclusively in the Azure cloud and combats threats against Entra ID instances.
The Identity Protection product design shows tight integration with the rest of the Entra ID environment and with Azure cloud services, working to enforce policies and automate the detection and subsequent remediation of identity-related risks.
In this summary table, let's see what the main differences are.
As you can see, Entra ID Identity Protection and Microsoft Defender for Identity are both designed to protect identities, but in different contexts (cloud and on-premises); this does not mean, however, that they are mutually exclusive.
When making a strategic decision about your risk management policies, it's important to consider an organization's overall attack surface and the possibilities of managing it.
Applying practical and appropriate mitigations or preventive controls is often more important and effective than simply analyzing or acquiring more data. Both of these solutions will help you mitigate identity-related threats, but in different ways.
Therefore, it's important to understand the respective security results you can expect to achieve using Defender for Identity, Azure AD Identity Protection, or both.
Entra ID Protection's offline computing capabilities and its integration with Microsoft threat intelligence make it a powerful tool for administrators, who can easily verify a user's risk based on the detections attached to that user.
The integrated nature of Identity Protection with the rest of the Entra ID suite offers an improved and immediate response capability that is not present in Defender for Identity.
Conversely, even though Entra ID Identity Protection can generate alerts about identity-related issues in a hybrid environment, it cannot protect against, or generate alerts about, the serious on-premises attacks that pose a major risk to many organizations.
Defender for Identity's unparalleled capabilities in exposing attackers' attempts to dominate a domain or move laterally within a network are some of the most powerful ways an organization can limit the potential impact of a serious breach scenario.
The protection of digital identities should not be treated as a secondary concern. On the contrary, any organization that values its reputation, its time and its finances should immediately begin implementing the best policies and tools to ensure that its digital identities are secure today.
Among the tools that can significantly improve your security posture are those of the Entra ID suite and its Identity Protection features, which in the contemporary digital landscape have established themselves as the shield companies were looking for to defend employees' digital identities from the many malicious actors that crowd the network today.
If your goal is therefore to have the best defenses for your business, we can only invite you to go deeper through the official Microsoft documentation and experience first-hand the features of Entra ID Protection and add a layer of protection that can seriously make the difference between a secure digital infrastructure and a data breach.
Entra ID Protection is a Microsoft solution that helps organizations detect, investigate and correct risks related to digital identities. It uses advanced machine learning to identify risky logins and abnormal user behavior, allowing protection measures such as blocking, limiting, or requiring additional authentication to be applied. The goal is to prevent the compromise of business accounts and strengthen the security of the digital environment.
Entra ID Protection offers advanced risk analysis based on signals such as the IP address, geolocation, the device used and the type of login client. It monitors user behavior to detect anomalies, identifies compromised credentials, analyzes sign-in properties to detect unusual logins, and reports suspicious activity in e-mail boxes. It also integrates these capabilities with tools such as Conditional Access to automate threat mitigation.
The system detects two main categories of risk: user risk and access risk. User risk analyzes the general behavior of an account, identifying suspicious activity that could indicate a compromise, such as logins from unusual locations. Access risk, on the other hand, evaluates every single authentication request, reporting abnormal attempts such as repeated logins with incorrect passwords or logins from IP addresses known to be associated with malware.
Some basic Entra ID Protection features are available with the Microsoft Entra ID P1 license. However, to access all the advanced features, such as full integration with machine learning and more detailed risk analysis, you must have Microsoft Entra ID P2, Entra ID Suite, or Microsoft 365 E5. The service is also included in the Enterprise Mobility + Security E5 license.
Entra ID Protection is designed to operate exclusively in the cloud and protect Entra ID instances. It is not intended for monitoring on-premises Active Directory environments. For the protection of local environments, Microsoft offers Defender for Identity, which analyzes network traffic and user behavior within on-premises infrastructures, detecting lateral movements and attempts to escalate privileges.
Entra ID Protection focuses on protecting identities in the cloud, monitoring login attempts and enforcing security policies to prevent account compromise. Defender for Identity, on the other hand, is designed for the security of on-premises and hybrid environments, analyzing network traffic and activities on domain controllers to detect sophisticated attacks such as pass-the-hash or golden ticket. While Entra ID Protection integrates its analytics with Conditional Access to make real-time access decisions, Defender for Identity integrates with SIEM and XDR to provide broader monitoring of business security.
Entra ID Protection uses hashes of passwords to compare them with databases of credentials leaked on the dark web. If a match is found, it reports the account as compromised and can automatically activate protection measures, such as a mandatory password reset. It also prevents users from setting passwords known to have already been disclosed, reducing the risk of attacks based on stolen credentials.
The integration between Entra ID Protection and Security Copilot allows administrators to exploit artificial intelligence to automate the analysis of risk patterns and generate detailed reports on incidents. Security Copilot provides automated recommendations for threat remediation, based on Microsoft's extensive security knowledge base. Thanks to this integration, administrators can make faster and more effective decisions when managing identity-related risks.
The Infra & Security team focuses on the management and evolution of our customers' Microsoft Azure tenants. Besides configuring and managing these tenants, the team is responsible for creating application deployments through DevOps pipelines. It also monitors and manages all security aspects of the tenants and supports Security Operations Centers (SOC).