Forum Discussion
Leaked credentials notification?
- Feb 15, 2021
KalimanneJ As per the Microsoft documentation, the leaked credentials service compares users' current valid credentials against leaked credentials lists and only checks new leaked credentials found after enabling PHS.
(https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#common-questions)
You could perform a domain level check on Have I Been Pwned https://haveibeenpwned.com/DomainSearch to see if any users in your organization were part of a data breach, but as with Microsoft's thinking, if they have since changed their password they wouldn't be considered compromised.
If you have enabled the Identity Protection risk based policies I wouldn't be concerned about not seeing any appear, as the policies will be there in case something is detected.
edinili84 So, there is no functionality already built into Azure that’s similar to the haveibeenpwned.com link?
- Ru, Feb 15, 2021, MVP
Have I Been Pwned will give you a report based on existing emails in your domain. Azure AD Identity Protection will only report your users if there is a new breach, and PHS has already been enabled. Unlike HIBP, it's not a 'retrospective' service, unfortunately.
- KalimanneJ, Feb 15, 2021, Iron Contributor
Ru I understand that it’s just for new breaches, but we have set this up quite a while.
How do we verify that we have the notifications configured correctly and that they are working? It may be possible there have been leaked credentials that we are missing.
- Ru, Feb 15, 2021, MVP
Do you have a list of recipients added and enabled in the users at risk detection alerts in the AAD portal? Microsoft doesn't publish it anymore, but the 'high' risk level used to be sufficient to qualify users with leaked credentials for that report. I suppose there's an element of "trust the system" going on here, insofar as there's no test button and nothing that shouts out "you have set this up correctly", short of just making sure you've got recipients configured.
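One thing you can check beyond the alert recipients is whether any leakedCredentials risk detections have ever been raised in the tenant. The script below is an added example, not code from this thread or from Microsoft; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module) is installed and that the signed-in account can consent to IdentityRiskEvent.Read.All. The 90-day window is an arbitrary choice.

```powershell
# Added example: list leakedCredentials risk detections from Azure AD Identity Protection.
# Assumes Microsoft.Graph.Identity.SignIns is installed and the caller holds IdentityRiskEvent.Read.All.
Connect-MgGraph -Scopes "IdentityRiskEvent.Read.All"

# Look back 90 days (constructed window; adjust to taste). Graph expects ISO 8601 UTC timestamps.
$since  = (Get-Date).AddDays(-90).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "riskEventType eq 'leakedCredentials' and detectedDateTime ge $since"

# -All follows paging so large tenants are not truncated at the first page.
$detections = Get-MgRiskDetection -Filter $filter -All

if (-not $detections) {
    # No detections is consistent with "nothing found since PHS was enabled";
    # it is not by itself proof that alerting is misconfigured.
    Write-Host "No leakedCredentials detections since $since."
}
else {
    $detections |
        Select-Object UserPrincipalName, RiskLevel, RiskState, DetectedDateTime |
        Sort-Object DetectedDateTime -Descending |
        Format-Table -AutoSize

    # Detections still at risk (not remediated or dismissed) are the ones to act on.
    $open = @($detections | Where-Object { $_.RiskState -eq 'atRisk' })
    Write-Host ("{0} detection(s) total, {1} still atRisk." -f $detections.Count, $open.Count)
}
```

If this returns detections but nobody received an email, the gap is in the users-at-risk alert configuration rather than in the detection service itself.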