Forum Discussion
Leaked credentials notification?
We have hybrid AD with ADFS and also enabled PHS many months ago.
I thought this enabled leaked credentials notifications.
I am kind of surprised that we could have had zero leaked credentials in all these months.
How can we verify that we have everything set up and configured correctly for leaked credential detection and alerts?
Can we set up a test user with a common password like Password123 and get an alert that the user's password hash is in a breach database, or will it only alert if their username@company.com user ID is in a breach database?
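The password half of that question can be answered directly against Have I Been Pwned's Pwned Passwords range API, which is separate from anything Azure AD does. The following is an added example (not from the original post or from Microsoft) that uses HIBP's k-anonymity model: only the first five hex characters of the SHA-1 hash of the password are sent to the service, and the returned list of suffixes is matched locally. The endpoint URL is HIBP's real one; the sample range response and its hit count are constructed so the demo runs offline. Note what this does and does not prove: it tells you whether the password value itself is in a public breach corpus, but it does not exercise the Identity Protection leaked-credentials pipeline, which compares your users' current credentials against leaks Microsoft obtains after PHS is on, so a test account with Password123 will not by itself produce a leaked-credentials risk detection.

```python
"""Offline-testable check of a password against HIBP Pwned Passwords using the
k-anonymity range API (added example; not code from the forum thread)."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def hash_prefix_suffix(password):
    """Return (first 5 hex chars, remaining 35 hex chars) of the uppercase
    SHA-1 digest. Only the prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines HIBP returns for one prefix into a dict.
    Blank or malformed lines are skipped rather than raising."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def pwned_count(password, range_body):
    """How many times the password appears in the breach corpus (0 = not found),
    given the range response fetched for the password's own 5-char prefix."""
    _, suffix = hash_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix):
    """Download the range for one prefix. Network call; the offline demo and
    the assertions below never invoke it."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_online(password):
    """End-to-end check against the live service."""
    prefix, _ = hash_prefix_suffix(password)
    return pwned_count(password, fetch_range(prefix))


# Constructed sample: a fake range response built from the real SHA-1 suffix
# of "Password123" so the demo is self-consistent offline. The counts and the
# other two suffixes are made up, not real HIBP data.
_TEST_PASSWORD = "Password123"
_TEST_SUFFIX = hash_prefix_suffix(_TEST_PASSWORD)[1]
SAMPLE_RANGE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_TEST_SUFFIX}:16",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
])

if __name__ == "__main__":
    print(_TEST_PASSWORD, "in constructed sample range:",
          pwned_count(_TEST_PASSWORD, SAMPLE_RANGE), "time(s)")
    # Uncomment to query the live service (network required):
    # print("live count:", check_online(_TEST_PASSWORD))
```

Run it as-is to see the offline result; uncomment the last line to query the live service for the same password. Because the range lookup is keyed only on the 5-character prefix, HIBP never learns which of the several hundred candidate hashes in that range you were interested in.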
11 Replies
- edinili84 (Brass Contributor)
KalimanneJ As per the Microsoft documentation, the leaked credentials service compares users' current valid credentials against leaked credentials lists and only checks new leaked credentials found after enabling PHS.
(https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#common-questions)
You could perform a domain level check on Have I Been Pwned https://haveibeenpwned.com/DomainSearch to see if any users in your organization were part of a data breach, but as with Microsoft's thinking, if they have since changed their password they wouldn't be considered compromised.
If you have enabled the Identity Protection risk based policies I wouldn't be concerned about not seeing any appear, as the policies will be there in case something is detected.
- KalimanneJ (Iron Contributor)
edinili84 So, there is no functionality already built into Azure that’s similar to the haveibeenpwned.com link?
- Have I Been Pwned will give you a report based on existing emails in your domain. Azure AD Identity Protection will only report your users if there is a new breach, and PHS has already been enabled. Unlike HIBP, it's not a 'retrospective' service, unfortunately.
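Both replies make the same triage point: a historical breach listed by the HIBP domain search only matters for a user whose password has not changed since the breach date. The following is an added example (not code from either reply) that applies that rule over constructed data: a dict shaped like a domain-search result (alias to breach names), a constructed breach catalogue with breach dates (in production this comes from HIBP's breach data), and per-user timestamps in the shape of the Microsoft Graph user property lastPasswordChangeDateTime (ISO 8601, UTC). A breach whose date is unknown is treated as still exposing the user, which is the conservative choice.

```python
"""Triage HIBP domain-search hits against each user's last password change
(added example; data below is constructed, not real breach data)."""
from datetime import date, datetime

# Constructed: alias -> breaches the HIBP domain search listed for that alias.
DOMAIN_SEARCH = {
    "alice": ["ExampleCorpDump", "OldForum", "UnknownDateDump"],
    "bob": ["OldForum"],
    "carol": [],
}

# Constructed breach catalogue (name -> breach date). "UnknownDateDump" is
# deliberately missing to exercise the unknown-date branch.
BREACH_DATES = {
    "ExampleCorpDump": date(2021, 3, 15),
    "OldForum": date(2018, 7, 1),
}

# Constructed user records in the shape of Graph's lastPasswordChangeDateTime.
USERS = {
    "alice": "2020-11-02T09:12:00Z",
    "bob": "2019-01-20T14:00:00Z",
    "carol": "2017-05-05T08:00:00Z",
}


def parse_graph_datetime(value):
    """Graph returns a trailing 'Z'; fromisoformat needs an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def exposing_breaches(alias, domain_search, breach_dates, users):
    """Breaches that still expose the user: breach date is on or after the
    user's last password change, or the breach date is unknown."""
    changed = parse_graph_datetime(users[alias]).date()
    exposing = []
    for breach in domain_search.get(alias, []):
        breach_date = breach_dates.get(breach)
        if breach_date is None or breach_date >= changed:
            exposing.append(breach)
    return sorted(exposing)


def triage(domain_search=DOMAIN_SEARCH, breach_dates=BREACH_DATES, users=USERS):
    """Map each user who still needs a password reset to the breaches that
    justify it; users with nothing outstanding are omitted."""
    result = {}
    for alias in domain_search:
        if alias not in users:
            # Listed by HIBP but not a current account: nothing to reset.
            continue
        hits = exposing_breaches(alias, domain_search, breach_dates, users)
        if hits:
            result[alias] = hits
    return result


if __name__ == "__main__":
    for alias, breaches in triage().items():
        print(f"{alias}: reset required, password predates {', '.join(breaches)}")
```

In the constructed data, alice rotated her password in November 2020, so the 2018 OldForum breach is moot but ExampleCorpDump (March 2021) and the undated dump are not; bob rotated after his only breach and drops out; carol has no hits at all. Feed the same functions the real domain-search export and Graph user listing and the output is your reset list.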