Azure AD Identity Protection and Azure ATP, combine cloud and on-prem ID security!
With the ongoing battle against identity theft both online and offline (yes, you’re not safe there either), organizations are looking for 24/7 surveillance of their cloud AND on-prem environments.
To give them this kind of control, monitoring and taking automated actions is a must, and this is where Microsoft’s products come into the picture.
With the unified Cloud App Security feature Microsoft has given us the ability to see what’s happening in our IT landscape and be alerted when something isn’t right.
In this blog I will be taking you through the basic process of setting up both on-prem and cloud identity protection.
Let’s talk about requirements: what do we need in order to get this set up?
| Product | License requirement | More information |
|---|---|---|
| Azure ATP | EMS E5 or Microsoft 365 E5 | https://docs.microsoft.com/nl-nl/azure-advanced-threat-protection/atp-technical-faq#where-can-i-get-a-license-for-azure-advanced-threat-protection-atp |
| Azure AD Identity Protection | Azure AD Premium P2, EMS E5 or Microsoft 365 E5 | https://docs.microsoft.com/nl-nl/azure/active-directory/identity-protection/overview-identity-protection#license-requirements |
| Cloud App Security | Microsoft 365 E5 (to use all of the features) | https://aka.ms/mcaslicensing |
The only other thing we need (and will monitor) is one or more domain controllers in our environment.
Let’s get to it!
Creating the instance
To start off we need to create a new Azure ATP instance. You can do this by simply going to http://portal.atp.azure.com/, which will automatically ask you whether you want to create a new instance. Then you will need to enter your domain (administrator) credentials so that Azure ATP can start collecting logs, including security events, from your domain controllers.
Installing the ATP Sensor
Then you install the ATP sensor on all the domain controllers in your environment; this ensures that every authentication-related event reaches Azure ATP. To authenticate the ATP sensor, fill in the Access Key found under Settings > Sensors.
Integrating Azure ATP and Identity Protection
Next up is integrating the Azure ATP and Identity Protection services with the Cloud App Security feature. We will be using the MCAS dashboard to create policies and check out any alerts coming from our various sources, such as the on-prem domain controllers and cloud services like Office 365.
Create a new policy with mail and text (SMS) alert
Next up is creating a new policy which will alert us as soon as a password has been changed in our on-premises domain. It will also suspend the user, because changing the password of the Administrator is forbidden in our case (made this up of course 😉 ).
As you will see in the video below, there are a lot of parameters and IF-ELSE constructions you can build and set alerts for. You are even able to create a Power Automate playbook that responds to the alerts you set up, but that’s not something this blog will address.
You will also be able to set actions for various cloud apps like Office 365. This includes suspending the user so it won’t be able to sign in to cloud apps when the on-premises account acts suspiciously.
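To make the IF-ELSE logic of such a policy concrete, here is an added example (my own illustration, not code from the original post, from Azure ATP or from Cloud App Security) that emulates the “Password change on DC” policy over a few constructed Windows Security event records of the kind the ATP sensor reads on a domain controller. Event IDs 4723 (an account’s password was changed) and 4724 (an account’s password was reset) are real Windows Security event IDs; the sample records, the domain and host names, the “Administrator must never change” rule and the alert/suspend actions are assumptions made for the example.

```python
"""Emulation of a "password changed on DC" activity policy.

Added example, not from the original post or from Microsoft. The event
records below are constructed; event IDs 4723/4724 and the Data field
names are the real Windows Security event layout.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Windows Security event IDs that describe a password change on a DC.
PASSWORD_EVENT_IDS = {4723: "password change", 4724: "password reset"}

# Accounts whose password must never change this way (the blog's made-up rule).
PROTECTED_ACCOUNTS = {"administrator"}

# XML namespace used by exported Windows event records.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events: a reset of Administrator, a user changing
# their own password, and an unrelated logon event the policy must ignore.
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4724</EventID><Computer>DC01.contoso.local</Computer></System>
  <EventData>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
  </EventData>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4723</EventID><Computer>DC01.contoso.local</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
  </EventData>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>DC01.contoso.local</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
  </EventData>
</Event>""",
]


@dataclass
class Alert:
    event_id: int
    kind: str
    target: str          # DOMAIN\account whose password changed
    actor: str           # DOMAIN\account that performed the change
    computer: str        # domain controller that logged the event
    actions: list = field(default_factory=list)


def parse_event(xml_text):
    """Return (event_id, computer, {Data Name: value}) from one event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    computer = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, computer, data


def evaluate_policy(xml_events):
    """Apply the policy: alert on every password change/reset on the DC,
    and additionally suspend the user when a protected account is the target."""
    alerts = []
    for xml_text in xml_events:
        event_id, computer, data = parse_event(xml_text)
        if event_id not in PASSWORD_EVENT_IDS:
            continue  # not a password event, policy does not match
        target = f"{data.get('TargetDomainName', '')}\\{data.get('TargetUserName', '')}"
        actor = f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}"
        alert = Alert(event_id, PASSWORD_EVENT_IDS[event_id], target, actor, computer)
        alert.actions += ["notify:email", "notify:sms"]  # every match alerts
        if data.get("TargetUserName", "").lower() in PROTECTED_ACCOUNTS:
            alert.actions.append("suspend_user")         # the IF branch
        alerts.append(alert)
    return alerts


def format_notification(alert):
    """One-line message of the kind you would send by email or SMS."""
    return (f"[{alert.kind} on DC] {alert.target} by {alert.actor} "
            f"on {alert.computer} (event {alert.event_id}); "
            f"actions: {', '.join(alert.actions)}")


if __name__ == "__main__":
    for a in evaluate_policy(SAMPLE_EVENTS):
        print(format_notification(a))
```

Running it produces two notifications: the Administrator reset carries the extra suspend action, the ordinary user’s own password change only alerts, and the logon event is ignored, which is the same filter-then-act shape the MCAS policy editor lets you build by clicking.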
Signing up for all notifications via email and text (SMS) alerts
Apart from setting up alerts for specific policies, there are already a lot of built-in policies, so to make sure you get all the alerts it’s best to sign up for notification emails and/or text messages. This is quite easy to activate: just enable it under your User Settings.
The end result
After we’re done setting up the Azure ATP sensors, integration and policies, it’s time to look at the end result.
With the “Password change on DC” policy I’ve triggered an alert by changing the local Administrator’s password.
As you can see, you will receive an email and a text message, just as we set up!
So how cool is this? You get an alert and response system which also spans across your entire IT environment!
I hope you liked reading this blog and if you have any questions, please leave a comment.