Azure AD Identity protection has reached “GA” milestone 15th of September and here it’s in action.

Azure Active Directory Identity Protection takes secure identity and access management to the next level by detecting attacks in real time, informing you of risks and applying controls to keep your enterprise safe.

The service detects suspicious activities for users and privileged (admin) identities based on signals like brute force attacks, leaked credentials, sign ins from unfamiliar locations, infected devices and more and provide remediation recommendations to protect against these activities in real-time. More importantly, based on these suspicious activities, a user risk severity is calculated and risk-based conditional access policies can be configured and automatically protect the identities of your

Identity Protection in Action

Activate Identity Protection from Azure portal (search “identity protection” and create). When activated launch the application and welcome screen should look like below. Just reminder that if your organization is using EMS, check changes to EMS licenses.


There are couple of settings to configure. Start with Multi-factor authentication. I have configured MFA registration enforced at next login to all users.


User-Risk policy defines “block access”. Two (2) admin users has been excluded from this policy.


Sign-In Risk policy defines “block access” behavior if risk is identified.


Login to and you can see that domain where I’m logging to is federated because user login is redirected to on-premises ADFS instance.

6                            7                             8

Then I’m traveling quite fast from Espoo, Finland to Netherland with my fancy TOR browser and login to same address After I have input my user credentials the Identity Protection comes in to the play and identifies risk in this  user sign-in and blocks access to O365 services.

9  10  11


Navigating back there is logged event at risk event category. From there you can have more information about the risk, user sign-in and to perform actions for example reset user password if needed.

12  13 14

I have found Identity Protection extremely useful protection mechanism when we are talking about cloud workloads. Here are more details from its capabilities

Detecting risk events and risky accounts:

  • Detecting 6 risk event types using machine learning and heuristic rules
  • Calculating user risk levels
  • Providing custom recommendations to improve overall security posture by highlighting vulnerabilities

Investigating risk events:

  • Sending notifications for risk events
  • Investigating risk events using relevant and contextual information
  • Providing basic workflows to track investigations
  • Providing easy access to remediation actions such as password reset

Risk-based conditional access policies:

  • Policy to mitigate risky sign-ins by blocking sign-ins or requiring multi-factor authentication challenges.
  • Policy to block or secure risky user accounts
  • Policy to require users to register for multi-factor authentication


Guidelines from Microsoft

Exclude users who are likely to generate a lot of false-positives (developers, security analysts)

  • Exclude users in locales where enabling the policy is not practical (for example no access to helpdesk)
  • Use a High threshold during initial policy roll out, or if you must minimize challenges seen by end users.
  • Use a Low threshold if your organization requires greater security. Selecting a Low threshold introduces additional user sign-in challenges, but increased security.


More information

Getting started

Detection and risk

Complete list of risk events