Requiring password change for users whose credentials are leaked in Azure Identity Protection

Occasional Contributor

We have E5 license for Office 365 so receive alerts if a user's credentials are leaked. I know in Azure Identity Protection for such scenarios the Risk is High and event type is "Leaked user credentials".

 

1. Can we create a rule in Azure Identity Protection if Risk is High and event type is "Leaked user credentials", require a password change, alert XYZ people? If so, how? Our Azure admin is really new and needs step by step guidance and he won't give us rights to explore what is allowed in Azure Identity Protection.

 

2. If no such rule can be created, are there any PowerShell scripts already existing which we can integrate with our Azure AD so that if Risk is High and event type is "Leaked user credentials", require a password change, alert XYZ people? I am sure the scenario is common as if a user's credentials are leaked at 1 am on a morning, no system admin is awake to reset the credentials so we need to automate it.

 

3. Any other suggestions would be appreciated so that we can keep an eye on those user accounts to see if they are repeatedly come up in leaked credentials.

 

We already have MFA enabled for all our Office 365 accounts and Azure AD.

 

Thanks

4 Replies
I would take a look at Azure Sentinel. It's Microsoft's SIEM/SOAR based on Azure. Integrating just IDP alerts is actually free.

You could then create a Playbook => Logic App which does these actions. This will be the easiest way to achieve what you are trying.

Hi @Thijs Lecomte,

 

Thanks for the suggestion, but our company has Splunk so Azure sentinel is not an option.

 

Any other way we can create a logic app to do this?

 

 

@s_p_9 

 

You can leverage Azure Identity Protection to create a User Risk Policy that says if any user's Risk Status is High then require a password change. This is set using the User Risk Policy option under Identity Protection. See the below screen shot

PeterJ_Inobits_0-1605527097035.png

 

Have you enabled combined security information registration in your tenant? I strongly recommend you do and also enable Azure AD SSPR for all warm blooded user accounts. 

 

When this is all setup any user whose Risk Level hits High will automatically be forced to change their password. 

 

You can also use Powershell to find all users whose Risk state is high and send a list to a DL for example. You can also raise an alert in several different portals in Azure when a User's Risk level hits high. Currently the only event that will cause a User Risk Status to be High is actually leaked credential detection so this should work.    

 

 

You can always look for the right alert in the Security Graph and then execute a Logic App.

Or better yet, ingest it into Splunk and do the automation there.

Check out this example: https://medium.com/wortell/logic-apps-the-graph-security-api-integrate-all-microsoft-products-in-you...