At the end of September 2023, Microsoft Entra ID Protection received a pretty cool new feature that brings hybrid users to the same level of protection and auto-remediation as cloud users.

The ability to remediate risk in Microsoft Entra ID Protection (formerly Azure AD Identity Protection) has been there for years already, but in a hybrid scenario it has had some challenges. For example, when the risk level of an on-premises user was raised and Conditional Access (or EIDP policies) required a password change, the change notification didn’t reach Microsoft Entra ID even though the password was actually changed on-premises for the hybrid user.

This led to a situation in some organizations where User Risk policies were not implemented at the same level as User Sign-in policies. At the end of the day, EIDP didn’t protect users as well as it could have.

For background on how Entra ID Protection and its integrations with other Microsoft security solutions work, take a look at one of my blogs on the topic, written at the end of 2022:

Entra ID Protection Policies (EIDP)

For background, it’s important to understand how IPC actually works. The picture below shows the high-level architecture of the solution (picture source: ‘Microsoft IPC presentation’).

Side note: the figure below uses example detections; the full, up-to-date list of IPC detections is found on learn.microsoft.com.

EIDP Detection Mechanisms

Real-time detections

Real-time detections are based on detection rules that are evaluated during the authentication pipeline. Their purpose is to detect possible malicious activity during the authentication process. The latency before real-time detections show up in the reports is 5-10 minutes. Example detections:

  • Unfamiliar sign-in properties – This risk detection type considers past sign-in history to look for anomalous sign-ins. The system stores information about previous sign-ins and triggers risk detection when a sign-in occurs with properties that are unfamiliar to the user. 
  • Anonymous IP address – This risk detection type indicates sign-ins from an anonymous IP address (for example, Tor browser or anonymous VPN). These IP addresses are typically used by actors who want to hide their sign-in information (IP address, location, device, and so on) for potentially malicious intent.

Offline detections

Offline detections are raised after the user has signed in and is performing possible malicious activity following the initial sign-in. Offline detections may not show up in the reporting for 48 hours, but in my experience it can take several days before the malicious activity is shown in the reports. Example detections:

  • Atypical travel – This risk detection type identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior. The algorithm takes into account multiple factors including the time between the two sign-ins and the time it would have taken for the user to travel from the first location to the second. This risk may indicate that a different user is using the same credentials.
  • Anomalous token – This detection indicates abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location. This detection covers Session Tokens and Refresh Tokens.
  • Password spray – A password spray attack is where multiple usernames are attacked using common passwords in a unified brute force manner to gain unauthorized access. This risk detection is triggered when a password spray attack has been performed successfully, that is, when the attacker authenticated successfully in the detected instance.

Key takeaway: Real-time detections may not show up in reporting for 5 to 10 minutes. Offline detections may not show up in reporting for 48 hours.

Pre-Requisites & Configuration

Let’s take a look at how this new feature looks in action and how the changes can be tracked in security solutions.

Configuration

Configuration is really simple: enable the following feature in the Microsoft Entra ID Protection settings, verify that you have ‘password hash sync’ enabled, and you are good to go.

If you don’t have password hash sync enabled you are missing some detections, such as leaked credentials. If you don’t have it in place yet, you can read more about enabling it here.

When enabled, users’ risks will be automatically remediated when their passwords are changed on-premises, and customers can confidently deploy a user risk policy to effectively protect their hybrid users.

This new feature provides two new capabilities:

  • Risky hybrid users can self-remediate without administrator intervention.
    • When a password is changed on-premises, user risk is now automatically remediated within Entra ID Protection, resetting the current user risk state.
  • Organizations can proactively deploy user risk policies that require password changes to protect their hybrid users.
    • This option strengthens your organization’s security posture and simplifies security management by ensuring that user risks are promptly addressed, even in complex hybrid environments.

Test Drive

In this section, we take a look at how the new feature works in action.

User Risk

In the figure below, we can see that my hybrid user ‘Robert Hathley’ is marked as a high-risk user in Entra ID Protection (EIDP). This is the outcome of attack patterns I used to test EIDP capabilities.

From the Log Analytics workspace it can be seen that the detection source for Robert’s risk events is actually Defender for Cloud Apps (MDA).

Password Reset at On-Premises

At this point, user risk (offline) has been detected and the user is flagged as a high-risk user in Entra ID. Because Conditional Access Policies (CAP) are in place and require users to change their password at the next login, the user experience is the one shown in the left figure below.

Previously, however, if the user changed the password in the on-premises AD, the state of that change was not synced to Entra ID, which led to a situation where CAP required a password change again.

Entra ID Protection

Now, with the recent update rolled out and enabled (and the prerequisites configured), user risk is updated (remediated) after an on-premises password change.

In the left figure below you can see that AAD Connect (or AADSync in my case) has synchronized the password change state from on-premises to the Entra ID environment.

In the right figure, you can see that the risk state is ‘remediated’.

Raw Data

It is possible to ingest EIDP raw data from Microsoft Entra ID into Azure Log Analytics and leverage the collected data in custom detections or hunting. The queries below are starting points and examples that demonstrate what kind of events you get into Log Analytics for the activities I’ve gone through in the earlier sections.

The first query simply pulls the user’s entries from the sign-in logs that contain risk-level information:

// Sign-ins for one user where EIDP attached an aggregated risk level
SigninLogs
| where Identity == 'Robert Hahtley'
| where RiskLevelAggregated != 'none'

The second one shows user risk event data for the same user with more fields included, such as RiskEventType, RiskDetail, RiskLevel, RiskState, and the detection source:

// Offline risk detections for one user, with the alert name and country flattened out of the dynamic columns
AADUserRiskEvents
| where UserPrincipalName == 'Roberth@feta.fi'
| where DetectionTimingType == 'offline'
| extend Alert = tostring(AdditionalInfo[1].Value)
| extend Country = tostring(Location.countryOrRegion)
| project TimeGenerated, RequestId, RiskEventType, RiskDetail, RiskLevel, RiskState, Source, Country, Alert

The third one combines the SigninLogs and AADUserRiskEvents tables and correlates their data through a shared CorrelationId:

// Everything both tables recorded for a single correlation id; columns missing from one table come back empty for its rows
union SigninLogs, AADUserRiskEvents
| where CorrelationId == '06ba283d-9c27-4119-97da-79a122cb0aac'
| project TimeGenerated, OperationName, Category, ResultType, ResultDescription, CorrelationId, AppDisplayName, RiskDetail, RiskEventTypes_V2, RiskLevelAggregated, RiskLevelDuringSignIn, RiskState, RiskEventType, Source
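As an added hunting example (my own addition, not a query from the original post or from Microsoft), the query below ties the self-remediation behaviour described under the feature’s capabilities to the raw data above: for each user it pairs the first medium/high ‘atRisk’ detection with the first later ‘remediated’ state, reports how long the risk stayed open, and flags whether the remediation came through an on-premises password change. It assumes the AADUserRiskEvents columns already used in this section and the RiskDetail value userChangedPasswordOnPremises (the Microsoft Graph riskDetail enum value for this path).

```kusto
// Added example, not from the original post. Time from first open risk to
// remediation per user, with a flag for remediation by on-premises password
// change. Assumes RiskDetail == "userChangedPasswordOnPremises" for that path.
let lookback = 30d;
// First time each user was raised to medium/high risk in the window
let detections = AADUserRiskEvents
    | where TimeGenerated > ago(lookback)
    | where RiskState == "atRisk" and RiskLevel in ("medium", "high")
    | summarize FirstDetected = min(TimeGenerated),
                DetectionTypes = make_set(RiskEventType),
                Sources = make_set(Source)
              by UserPrincipalName;
// First time each user's risk state was reported as remediated
let remediations = AADUserRiskEvents
    | where TimeGenerated > ago(lookback)
    | where RiskState == "remediated"
    | summarize Remediated = min(TimeGenerated),
                RiskDetails = make_set(RiskDetail)
              by UserPrincipalName;
detections
// leftouter keeps users whose risk is still open (Remediated is null for them)
| join kind=leftouter remediations on UserPrincipalName
| extend OpenFor = iff(isnull(Remediated), now() - FirstDetected, Remediated - FirstDetected)
| extend RemediatedOnPrem = RiskDetails has "userChangedPasswordOnPremises"
| project UserPrincipalName, FirstDetected, Remediated, OpenFor, RemediatedOnPrem,
          DetectionTypes, Sources
| order by OpenFor desc
```

Users with an empty Remediated column are still at risk; since offline detections can take up to 48 hours to appear, the OpenFor value should be read as reporting latency plus real exposure time.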

Summary

The new feature closes the gap between cloud and hybrid users in EIDP scenarios. Now that on-premises password changes are synced to the cloud through AAD Connect / AD Sync, the new capabilities provide wider coverage for hybrid users, and EIDP user risk policies with auto-remediation can be targeted at them as well without fear of losing productivity.