Microsoft Tech Community
SOLVED

Leaked credentials notification?


We have hybrid AD with ADFS and also enabled PHS many months ago.

I thought this enabled leaked credentials notifications.  

I am kind of surprised that we could have had zero leaked credentials in all these months.  


How can we verify that we have everything set up and configured correctly for leaked credential detection and alerts? 


Can we set up a test user with a common password like Password123 and get an alert that the user’s password hash is in a breach database or will it only alert if their username@company.com user ID is in a breach database?

11 Replies
best response confirmed by Kalimanne J (Iron Contributor)
Solution

@Kalimanne J As per the Microsoft documentation, the leaked credentials service compares users' current valid credentials against leaked credentials lists and only checks new leaked credentials found after enabling PHS.


(https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protect...)


You could perform a domain level check on Have I Been Pwned https://haveibeenpwned.com/DomainSearch to see if any users in your organization were part of a data breach but as with Microsoft's thinking, if they have since changed their password they wouldn't be considered compromised.


If you have enabled the Identity Protection risk based policies, I wouldn't be concerned about not seeing any appear, as the policies will be there in case something is detected.
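The accepted answer says there is no "test button": the only verification available is to confirm that password hash sync is actually on and then look at what Identity Protection has recorded. The script below is an added example, not code from the thread or from Microsoft, that does both checks. Part 1 uses the ADSync module and must run on the Azure AD Connect server; part 2 uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns) and needs the Identity Protection (Entra ID P2) feature in the tenant. The on-premises connector name `corp.contoso.com` and the 90-day look-back window are placeholders, not values from the thread.

```powershell
<#
  Added example (not from the thread). Answers two questions an admin can actually verify:
    1. Is password hash sync enabled, both at tenant level and on the on-premises connector?
       (Run on the Azure AD Connect server; ADSync module.)
    2. Has Identity Protection recorded any leakedCredentials detections, and who is
       currently at high risk? (Microsoft Graph PowerShell SDK.)
  Placeholders: connector name 'corp.contoso.com', 90-day window.
#>

function Test-PhsEnabled {
    param([string]$OnPremConnector = 'corp.contoso.com')   # placeholder, use your AD connector name
    Import-Module ADSync -ErrorAction Stop
    # Tenant-level flag: does the tenant have the PHS feature turned on at all?
    $tenant = Get-ADSyncAADCompanyFeature
    # Connector-level flag: is hash sync actually enabled for this forest?
    $conn = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $OnPremConnector
    [pscustomobject]@{
        TenantPasswordHashSync = [bool]$tenant.PasswordHashSync
        ConnectorEnabled       = [bool]$conn.Enabled
    }
}

function Get-LeakedCredentialDetections {
    param([int]$LookBackDays = 90)
    Connect-MgGraph -Scopes 'IdentityRiskEvent.Read.All', 'IdentityRiskyUser.Read.All'
    $since = (Get-Date).ToUniversalTime().AddDays(-$LookBackDays)
    # 'leakedCredentials' is the risk event type raised when a synced hash matches a
    # credential Microsoft finds in a newly discovered breach dump.
    Get-MgRiskDetection -Filter "riskEventType eq 'leakedCredentials'" -All |
        Where-Object { $_.DetectedDateTime -ge $since } |     # client-side date window
        Select-Object UserPrincipalName, DetectedDateTime, RiskState, RiskLevel |
        Sort-Object DetectedDateTime -Descending
}

function Get-HighRiskUsers {
    # Users currently at high risk and not yet remediated or dismissed.
    Get-MgRiskyUser -Filter "riskLevel eq 'high' and riskState eq 'atRisk'" -All |
        Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime
}

# --- Usage ---
# On the Azure AD Connect server:
$phs = Test-PhsEnabled
if (-not ($phs.TenantPasswordHashSync -and $phs.ConnectorEnabled)) {
    Write-Warning 'PHS is not fully enabled; Identity Protection has no hashes to compare against breach lists.'
}

# From any admin workstation with the Graph SDK installed:
$leaks = @(Get-LeakedCredentialDetections -LookBackDays 90)
if ($leaks.Count -eq 0) {
    Write-Output 'No leakedCredentials detections in the window (plausible: only new breaches after PHS was enabled count).'
}
$leaks | Format-Table -AutoSize
Get-HighRiskUsers | Format-Table -AutoSize
```

An empty result from `Get-LeakedCredentialDetections` is consistent with the answer above: the service only flags credentials that appear in breaches discovered after PHS was enabled, so a tenant with good password hygiene can legitimately show zero. A `PasswordHashSync` of `False` or a disabled connector, on the other hand, means the detection has never had anything to work with.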

@edinili84 So, there is no functionality already built into Azure that’s similar to the haveibeenpwned.com link?

Have I Been Pwned will give you a report based on existing emails in your domain. Azure AD Identity Protection will only report your users if there is a new breach, and PHS has already been enabled. Unlike HIBP, it's not a 'retrospective' service, unfortunately.

@Ru I understand that it's just for new breaches, but we set this up quite a while ago.
How do we verify that we have the notifications configured correctly and that they are working? It may be possible there have been leaked credentials that we are missing.

Do you have a list of recipients added and enabled in the users at risk detection alerts in the AAD portal? Microsoft doesn't publish it anymore, but the 'high' risk level used to be sufficient to qualify users with leaked credentials for that report. I suppose there's an element of "trust the system" going on here, insofar as there's no test button and nothing that shouts out "you have set this up correctly", short of just making sure you've got recipients configured.

@Ru We are not manually adding users to any alert lists. 
If that’s required, we clearly do not have this working. 

If you have global admins, you have accounts in the list. But the problem could be you have separate admin accounts without mailboxes. Here is the direct link to confirm:

https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/IdentityProtectionMenuBlade/UsersAtRiskAlerts

Check it out and add anyone that's required.

@Ru Our global admins don’t have mailboxes or licensing for Exchange/SharePoint/Teams etc. 

Email is accessed through standard user accounts.

Our global admins and domain admins are not supposed to be using those accounts for accessing email or web surfing. 

Makes sense. In that case, you can add custom email addresses. Just visit the link I posted or it's in AAD portal > Security > Identity Protection > Notify > Users at risk detected alerts > Add custom email here.

@Ru Does this leaked credentials report require P2 licensing for the tenant or any special licensing for the users in the report or the admins running the report?

Afraid I'm not a licensing expert so you'd be best checking directly with a Microsoft representative or your reseller. However generally Microsoft describes EM+S licensing requirements as users who "benefit" from a service rather than administrators, so my guess would be an admin doesn't need a license just to get reports. But please confirm with MS or your reseller.