Feb 14 2021 09:11 PM - edited Feb 14 2021 09:13 PM
We have hybrid AD with ADFS and also enabled PHS many months ago.
I thought this enabled leaked credentials notifications.
I am kind of surprised that we could have had zero leaked credentials in all these months.
How can we verify that we have everything set up and configured correctly for leaked credential detection and alerts?
Can we set up a test user with a common password like Password123 and get an alert that the user’s password hash is in a breach database or will it only alert if their username@company.com user ID is in a breach database?
Feb 14 2021 10:12 PM
Solution: @Kalimanne J As per the Microsoft documentation, the leaked credentials service compares users' current valid credentials against leaked credentials lists and only checks new leaked credentials found after enabling PHS.
You could perform a domain-level check on Have I Been Pwned (https://haveibeenpwned.com/DomainSearch) to see if any users in your organization were part of a data breach, but as with Microsoft's thinking, if they have since changed their password they wouldn't be considered compromised.
If you have enabled the Identity Protection risk-based policies, I wouldn't be concerned about not seeing any appear, as the policies will be there in case something is detected.
Feb 14 2021 11:15 PM
@edinili84 So, there is no functionality already built into Azure that’s similar to the haveibeenpwned.com link?
Feb 15 2021 11:53 AM
Feb 15 2021 12:12 PM
@Ru I understand that it’s just for new breaches, but we set this up quite a while ago.
How do we verify that we have the notifications configured correctly and that they are working? It may be possible there have been leaked credentials that we are missing.
Feb 15 2021 12:27 PM
Feb 15 2021 12:32 PM
@Ru We are not manually adding users to any alert lists.
If that’s required, we clearly do not have this working.
Feb 15 2021 12:34 PM
Feb 15 2021 01:14 PM
@Ru Our global admins don’t have mailboxes or licensing for Exchange/SharePoint/Teams etc.
Email is accessed through standard user accounts.
Our global admins and domain admins are not supposed to be using those accounts for accessing email or web surfing.
Feb 16 2021 12:37 AM
Feb 16 2021 09:28 AM
@Ru Does this leaked credentials report require P2 licensing for the tenant or any special licensing for the users in the report or the admins running the report?
Feb 16 2021 12:42 PM