%3CLINGO-SUB%20id%3D%22lingo-sub-1560268%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Identity%20protection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1560268%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20always%20love%20the%20mailbag%20posts%20(and%20the%20technical%20'goods'%20that%20they%20deliver).%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1257350%22%20slang%3D%22en-US%22%3EAzure%20AD%20Mailbag%3A%20Identity%20protection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1257350%22%20slang%3D%22en-US%22%3E%3CP%3E%3CEM%3EGreetings!%20%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3EWe're%20back%20with%20another%20mailbag%2C%20this%20time%20focusing%20on%20your%20common%20questions%20regarding%20Azure%20AD%20Identity%20Protection.%20Security%20is%20always%20top%20of%20mind%20and%20Identity%20Protection%20helps%20you%20strike%20a%20balance%20between%20the%20usability%20required%20for%20end%20users%20to%20be%20productive%20while%20protecting%20access%20to%20resources.%20We%E2%80%99ve%20got%20some%20really%20great%20questions%20from%20folks%20looking%20to%20improve%20the%20effectiveness%20of%20their%20alerts%20and%20to%20increase%20their%20overall%20security%20posture.%20We%20even%20have%20a%20sample%20script%20for%20you!%20I%E2%80%99ll%20let%20Sarah%2C%20Rohini%20and%20Mark%20take%20it%20away.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3E-----%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHey%20y%E2%80%99all%2C%20%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2Fmarkmorow%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMark%3C%2FA%3E%20back%20again%20for%20another%20mailbag.%20You%E2%80%99ve%20been%20asking%20some%20really%20great%20questions%20around%20Azure%20AD%20Identity%20Protection.%20So%20good%2C%20in%20fact%2C%20I%E2%80%99ve%20kept%20putting%20this%20off%20for%20an%20embarrassingly%20long%20time.%20Then%20I%20called%20in%20for%20some%20help%20from%20some%20excellent%20feature%20PMs%20%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2Fsarahhandler%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESarah%20Handler%3C%2FA%3E%20and%20%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2Frohinigo%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ERohini%20Goyal%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1200953935%22%20id%3D%22toc-hId-1200953935%22%20id%3D%22toc-hId-1200953935%22%3EQuestion%201%3A%20I%20want%20to%20bulk%20dismiss%20a%20lot%20of%20Users%20that%20have%20risk.%20How%20can%20I%20do%20this%3F%3C%2FH3%3E%0A%3CP%3EMake%20sure%20that%20before%20you%20bulk%20dismiss%20users%2C%20you%E2%80%99ve%20already%20remediated%20them%20or%20determined%20that%20they%E2%80%99re%20not%20at%20risk.%20Then%20we%20have%20a%20GraphAPI%20call%20you%20can%20make%20to%20dismiss%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fgraph%2Fapi%2Friskyuser-dismiss%3Fview%3Dgraph-rest-1.0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Euser%20risk.%3C%2FA%3E%20We%E2%80%99ve%20put%20together%20a%20little%20sample%20script%20to%20help%20you%20with%20doing%20bulk%20dismissal.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe've%20provided%20a%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzureAD%2FIdentityProtectionTools%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Esample%20PowerShell%20script%3C%2FA%3E%20and%20examples%20to%20enumerate%20risky%20users%2C%20filter%20the%20results%2C%20and%20dismiss%20the%20risk%20for%20the%20collection.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22mailbag731.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F209453i878D3E3E0C88C388%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22mailbag731.png%22%20alt%3D%22mailbag731.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--606500528%22%20id%3D%22toc-hId--606500528%22%20id%3D%22toc-hId--606500528%22%3EQuestion%202%3A%20How%20do%20we%20detect%20TOR%20or%20anonymous%20VPN%3F%20Is%20it%20based%20off%20exit%20node%20or%20are%20there%20ways%20to%20bypass%20this%3F%3C%2FH3%3E%0A%3CP%3EWe%20detect%20anonymizers%20in%20a%20few%20ways.%20For%20Tor%2C%20we%20continually%20update%26nbsp%3Bthe%20list%20of%20Tor%20exit%20nodes.%20For%20VPNs%2C%20we%20use%20various%20third-party%20intelligence%20to%20determine%20whether%20an%20anonymizer%20has%20been%20used.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1881012305%22%20id%3D%22toc-hId-1881012305%22%20id%3D%22toc-hId-1881012305%22%3EQuestion%203%3A%20How%20should%20we%20handle%20false%20positives%3F%3C%2FH3%3E%0A%3CP%3EThere%20are%20two%20ways%20to%20address%20false%20positives%3A%20giving%20feedback%20on%20false%20positive%20detections%20that%20occur%20and%20reducing%20the%20number%20of%20false%20positives%20that%20get%20generated.%20If%20while%20investigating%20risky%20sign-ins%20you%20find%20a%20detection%20to%20be%20a%20false%20positive%2C%20you%20should%20mark%20%E2%80%9Cconfirm%20safe%E2%80%9D%20on%20the%20risky%20sign-in.%20There%20are%20two%20ways%20to%20prevent%20false%20positives%20in%20Identity%20Protection.%20The%20first%20is%20to%20enable%20sign-in%20risk%20policies%20for%20your%20users.%20When%20a%20user%20is%20prompted%20for%20a%20sign-in%20risk%20policy%20with%20MFA%20and%20passes%20the%20MFA%20prompt%2C%20it%20gives%20feedback%20to%20the%20system%20that%20the%20legitimate%20user%20signed%20in%20and%20helps%20to%20familiarize%20the%20sign-in%20properties%20for%20future%20ones.%20The%20second%20is%20to%20mark%20common%20locations%20that%20you%20trust%20as%20trusted%20locations%20in%20Azure%20AD.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-73557842%22%20id%3D%22toc-hId-73557842%22%20id%3D%22toc-hId-73557842%22%3EQuestion%204%3A%20What%20is%20the%20best%20practice%20for%20allowing%20listing%20of%20known%20locations%3F%3C%2FH3%3E%0A%3CP%3EFirst%2C%20you%20want%20to%20make%20sure%20you%E2%80%99re%20putting%20in%20your%20public%20egress%20end%20points.%20This%20helps%20with%20our%20detection%20algorithms.%20We%E2%80%99ve%20recently%20increased%20the%20named%20locations%20to%20195%20named%20locations%20with%202%2C000%20IP%20ranges%20per%20location.%20You%20can%20read%20more%20in%20our%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Flocation-condition%23preview-features%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Edocs%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBut%20we%20know%20that%20many%20times%20networking%20teams%20make%20changes%20and%20don%E2%80%99t%20notify%20the%20Azure%20AD%20Admins.%20It%E2%80%99s%20good%20to%20have%20a%20process%20to%20work%20through%20the%20Sign-In%20logs%20and%20look%20for%20IP%20ranges%20that%20are%20not%20part%20of%20your%20named%20locations%20and%20add%20those%20as%20well%20as%20remove%20IPs%20that%20no%20longer%20are%20your%20egress%20point.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--1733896621%22%20id%3D%22toc-hId--1733896621%22%20id%3D%22toc-hId--1733896621%22%3EQuestion%205%3A%20Does%20AAD%20Leaked%20credentials%20connect%20to%20Troy%20Hunt%E2%80%99s%20%3CA%20href%3D%22https%3A%2F%2Fhaveibeenpwned.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EHave%20I%20been%20Pwned%3C%2FA%3E%20API%3F%20Do%20I%20need%20to%20supplement%20with%20other%20scans%3F%3C%2FH3%3E%0A%3CP%3ELeaked%20credentials%20detection%20does%20not%20connect%20to%20Troy%20Hunt%E2%80%99s%20%E2%80%9CHave%20I%20been%20Pwned%E2%80%9D.%20Troy%20does%20an%20excellent%20job%20with%20his%20service%20correlating%20and%20collecting%20public%20dumps.%20Leaked%20credentials%20alerts%20take%20into%20account%20those%20public%20dumps%20as%20well%20as%20non-public%20dumps%20we%20call%20out%20in%20our%20docs%2C%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fidentity-protection%2Fconcept-identity-protection-risks%23common-questions%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Emore%20info%20here%3C%2FA%3E.%20If%20you%20want%20to%20supplement%20the%20Azure%20AD%20leaked%20credentials%20alerting%20with%20other%20feeds%2C%20that%20is%20entirely%20up%20to%20you.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-753616212%22%20id%3D%22toc-hId-753616212%22%20id%3D%22toc-hId-753616212%22%3EQuestion%206%3A%20When%20I%20turn%20on%20Password%20Hash%20Sync%20does%20the%20leaked%20credential%20alert%20on%20existing%20ones%20or%20only%20on%20leaks%20going%20forward%3F%3C%2FH3%3E%0A%3CP%3ELeaked%20credentials%20will%20only%20detect%20on%20leaks%20going%20forward.%20When%20we%20find%20clear%20text%20username%20and%20passwords%20pairs%2C%20we%20don%E2%80%99t%20keep%20them.%20We%20process%20them%20through%20and%20delete%20them.%20We%E2%80%99ve%20updated%20our%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2Fwhatis-phs%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Edocumentation%3C%2FA%3E%20to%20call%20this%20out%20and%20provided%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fidentity-protection%2Fconcept-identity-protection-risks%23common-questions%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Emore%20info%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20hope%20you've%20found%20this%20post%20and%20this%20series%20to%20be%20helpful.%20For%20any%20questions%20you%20can%20reach%20us%20at%26nbsp%3B%3CA%20href%3D%22mailto%3AAskAzureADBlog%40microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAskAzureADBlog%40microsoft.com%26nbsp%3B%3C%2FA%3E%2C%26nbsp%3Bthe%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsocial.msdn.microsoft.com%2FForums%2Fazure%2Fen-US%2Fhome%3Fforum%3DWindowsAzureAD%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMicrosoft%20Forums%26nbsp%3B%3C%2FA%3Eand%20on%20Twitter%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2FAzureAD%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%40AzureAD%26nbsp%3B%3C%2FA%3E%2C%26nbsp%3B%3CA%20href%3D%22mailto%3Atwitter.com%2Fmarkmorow%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%40MarkMorow%3C%2FA%3E%2C%20%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2FSue_Bohn%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%40Sue_Bohn%3C%2FA%3E%2C%20and%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2FAlex_A_Simons%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%40Alex_A_Simons%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E-Rohini%20Goyal%2C%20Sarah%20Handler%20and%20Mark%20Morowczynski%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1257350%22%20slang%3D%22en-US%22%3E%3CP%3EWe're%20back%20with%20another%20mailbag%20to%20answer%20your%20questions%20regarding%20Azure%20AD%20Identity%20Protection.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1257350%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECustomer%20and%20Partner%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1572042%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%20Mailbag%3A%20Identity%20protection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1572042%22%20slang%3D%22en-US%22%3E%3CP%3EDo%20you%20have%20guidance%20on%20how%20to%20provide%20feedback%20in%20situations%20of%20legitimate%20risk%20but%20no%20comprise%3F%20For%20example%2C%20a%20successful%20authentication%20from%20a%20suspicious%20location%20but%20blocked%20account%20access%20due%20to%20MFA%3F%20I%20consider%20the%20user%20%E2%80%9Cat%20risk%E2%80%9D%20because%20the%20password%20is%20compromised.%20But%20the%20account%20wasn%E2%80%99t%20%26nbsp%3Bcomprised%20thanks%20to%20MFA.%20What%E2%80%99s%20the%20best%20way%20to%20provide%20feedback%20to%20the%20system%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Greetings!

 

We're back with another mailbag, this time focusing on your common questions regarding Azure AD Identity Protection. Security is always top of mind and Identity Protection helps you strike a balance between the usability required for end users to be productive while protecting access to resources. We’ve got some really great questions from folks looking to improve the effectiveness of their alerts and to increase their overall security posture. We even have a sample script for you! I’ll let Sarah, Rohini and Mark take it away.

 

-----

 

Hey y’all, Mark back again for another mailbag. You’ve been asking some really great questions around Azure AD Identity Protection. So good, in fact, I’ve kept putting this off for an embarrassingly long time. Then I called in for some help from some excellent feature PMs Sarah Handler and Rohini Goyal.

 

Question 1: I want to bulk dismiss a lot of Users that have risk. How can I do this?

Make sure that before you bulk dismiss users, you’ve already remediated them or determined that they’re not at risk. Then we have a GraphAPI call you can make to dismiss the user risk. We’ve put together a little sample script to help you with doing bulk dismissal.

 

We've provided a sample PowerShell script and examples to enumerate risky users, filter the results, and dismiss the risk for the collection.

 

mailbag731.png

 

Question 2: How do we detect TOR or anonymous VPN? Is it based off exit node or are there ways to bypass this?

We detect anonymizers in a few ways. For Tor, we continually update the list of Tor exit nodes. For VPNs, we use various third-party intelligence to determine whether an anonymizer has been used.

 

Question 3: How should we handle false positives?

There are two ways to address false positives: giving feedback on false positive detections that occur and reducing the number of false positives that get generated. If while investigating risky sign-ins you find a detection to be a false positive, you should mark “confirm safe” on the risky sign-in. There are two ways to prevent false positives in Identity Protection. The first is to enable sign-in risk policies for your users. When a user is prompted for a sign-in risk policy with MFA and passes the MFA prompt, it gives feedback to the system that the legitimate user signed in and helps to familiarize the sign-in properties for future ones. The second is to mark common locations that you trust as trusted locations in Azure AD.

 

Question 4: What is the best practice for allowing listing of known locations?

First, you want to make sure you’re putting in your public egress end points. This helps with our detection algorithms. We’ve recently increased the named locations to 195 named locations with 2,000 IP ranges per location. You can read more in our docs.

 

But we know that many times networking teams make changes and don’t notify the Azure AD Admins. It’s good to have a process to work through the Sign-In logs and look for IP ranges that are not part of your named locations and add those as well as remove IPs that no longer are your egress point.

 

Question 5: Does AAD Leaked credentials connect to Troy Hunt’s Have I been Pwned API? Do I need to supplement with other scans?

Leaked credentials detection does not connect to Troy Hunt’s “Have I been Pwned”. Troy does an excellent job with his service correlating and collecting public dumps. Leaked credentials alerts take into account those public dumps as well as non-public dumps we call out in our docs, more info here. If you want to supplement the Azure AD leaked credentials alerting with other feeds, that is entirely up to you.

 

Question 6: When I turn on Password Hash Sync does the leaked credential alert on existing ones or only on leaks going forward?

Leaked credentials will only detect on leaks going forward. When we find clear text username and passwords pairs, we don’t keep them. We process them through and delete them. We’ve updated our documentation to call this out and provided more info.

 

We hope you've found this post and this series to be helpful. For any questions you can reach us at AskAzureADBlog@microsoft.com , the Microsoft Forums and on Twitter @AzureAD @MarkMorow, @Sue_Bohn, and @Alex_A_Simons

 

-Rohini Goyal, Sarah Handler and Mark Morowczynski

 

2 Comments

We always love the mailbag posts (and the technical 'goods' that they deliver). 

Senior Member

Do you have guidance on how to provide feedback in situations of legitimate risk but no comprise? For example, a successful authentication from a suspicious location but blocked account access due to MFA? I consider the user “at risk” because the password is compromised. But the account wasn’t  comprised thanks to MFA. What’s the best way to provide feedback to the system?