Microsoft Entra ID Protection uses machine learning to identify sign-in risk and unusual user behavior, and then blocks, challenges, limits, or allows access accordingly. It lets organizations remediate risky users quickly through automated risk-based policies, whether the trigger is an anomalous token or some other suspicious activity.
These detections evaluate signals generated by sign-ins and user activity across Microsoft Entra and Microsoft 365 tools and services.
Microsoft Entra ID Premium Licensing and Logs
Microsoft Entra ID is a cloud-based identity and access management service that helps you secure your organization’s data and resources. It offers different licensing options depending on your needs and budget. Here are some ways that licensing affects your logs:
Without the right license you have limited access to these detections and may miss important signals and security incidents. For example, the premium detections are visible only to Microsoft Entra ID P2 customers; without P2, a premium detection surfaces only under the generic label "additional risk detected" rather than its specific name. Licensing is therefore essential for effective identity and access management with Microsoft Entra ID.
Don’t let sign-in risks compromise your Microsoft 365 account. Discover proactive solutions to identify and mitigate risky user behavior and ensure seamless, secure access to your services. Reach out to our security specialists today!
Detection: Offline
This risk detection type identifies two sign-ins originating from geographically distant locations where, given the user's past sign-in behavior, at least one of the locations may be atypical for that user.
Detection: Offline
This detection indicates a sign-in from a malicious IP address. An IP address is considered malicious based on a high failure rate caused by invalid credentials received from that address, or on other IP reputation sources.
Detection: Offline
This detection is discovered by Microsoft Defender for Cloud Apps. It considers past activity locations to determine new and infrequent locations; the anomaly detection stores information about the locations previously used by users in the organization.
Detection: Offline
This detection type covers session tokens and refresh tokens that have abnormal characteristics, such as an unusual token lifetime or a token used from an unfamiliar location.
Detection: Offline
This detection triggers alerts when suspicious rules that delete or move messages or folders are set on a user's inbox. Such rules may indicate that the account is compromised, that messages are being intentionally hidden, or that the mailbox is being used to distribute spam and malware across your organization.
Detection: Offline
This detection is discovered by Microsoft Defender for Cloud Apps. It identifies that the IP address used for the activity is a known anonymous proxy.
Detection: Offline
This risk detection indicates that the token issuer is potentially compromised: the token's claims match known attacker behavior or are internally inconsistent.
Detection: Offline
Microsoft Defender for Cloud Apps detects suspicious email forwarding rules. Attacks often involve an inbox rule that forwards a copy of all of a user's company email to an attacker-controlled external address.
Detection: Offline
This detection is discovered by Microsoft Defender for Cloud Apps. It looks for suspicious email forwarding rules, for example a user-created inbox rule that forwards a copy of all emails to an external address.
Detection: Offline
This detection indicates anomalous sign-in activity from different countries within the same browser.
Detection: Offline
Microsoft Defender for Cloud Apps detects user activities originating from geographically distant locations within a period shorter than the time it would take to travel between them. This may indicate that a different person is using the same account credentials.
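The atypical travel and impossible travel detections above both rest on the same computation: the distance between two sign-in locations divided by the time between them. The following is an added example of that check over constructed sign-in events; it is not Microsoft's implementation, which also weighs many other signals. The `SignIn` shape, the 900 km/h speed threshold, the per-user "known countries" set and the sample events are all assumptions made for illustration.

```python
"""Impossible-travel / atypical-travel check over constructed sign-in events.

Added example, not Microsoft Entra ID Protection's or Defender for Cloud Apps'
logic. Thresholds, the event shape and the sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Set, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: roughly airliner cruising speed


@dataclass(frozen=True)
class SignIn:
    """Minimal, assumed representation of a successful sign-in event."""
    user: str
    time: datetime
    country: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(a: SignIn, b: SignIn) -> float:
    """Speed the user would have needed to travel between the two sign-ins."""
    hours = abs((b.time - a.time).total_seconds()) / 3600.0
    dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
    if hours == 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def find_travel_anomalies(
    events: List[SignIn],
    known_countries: Dict[str, Set[str]],
    max_speed: float = MAX_PLAUSIBLE_SPEED_KMH,
) -> List[Tuple[str, SignIn, SignIn, float, bool]]:
    """Flag consecutive sign-ins per user whose implied speed exceeds max_speed.

    Returns (user, earlier, later, speed_kmh, atypical). 'atypical' is True
    when either location lies outside the user's historically seen countries,
    i.e. the pair is not only impossible but also unusual for this user.
    """
    by_user: Dict[str, List[SignIn]] = {}
    for e in sorted(events, key=lambda e: (e.user, e.time)):
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, evs in by_user.items():
        for earlier, later in zip(evs, evs[1:]):
            speed = implied_speed_kmh(earlier, later)
            if speed > max_speed:
                known = known_countries.get(user, set())
                atypical = earlier.country not in known or later.country not in known
                findings.append((user, earlier, later, round(speed, 1), atypical))
    return findings


def _utc(h: int, m: int = 0) -> datetime:
    return datetime(2024, 5, 6, h, m, tzinfo=timezone.utc)


# Constructed sample data (not real sign-in logs).
SAMPLE_SIGNINS = [
    SignIn("alice", _utc(9), "US", 47.6062, -122.3321),   # Seattle
    SignIn("alice", _utc(11), "NG", 6.5244, 3.3792),      # Lagos, two hours later
    SignIn("bob", _utc(9), "GB", 51.5074, -0.1278),       # London
    SignIn("bob", _utc(12), "FR", 48.8566, 2.3522),       # Paris, three hours later
]
# Assumption: countries each user has signed in from before.
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"GB", "FR"}}


def run_demo() -> List[Tuple[str, SignIn, SignIn, float, bool]]:
    return find_travel_anomalies(SAMPLE_SIGNINS, KNOWN_COUNTRIES)


if __name__ == "__main__":
    for user, a, b, speed, atypical in run_demo():
        print(f"{user}: {a.country} -> {b.country} implies {speed} km/h "
              f"(atypical location: {atypical})")
```

With the constructed data, alice's Seattle-to-Lagos pair implies roughly 6,000 km/h and Nigeria is outside her known countries, so it is reported as impossible and atypical; bob's London-to-Paris pair implies about 115 km/h and is not reported. In production the known-country set should be built from a trailing window of the user's own history so that a newly hired traveller does not generate permanent noise.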
Detection: Offline
Microsoft Defender for Cloud Apps triggers an alert when a user accesses multiple files from SharePoint or OneDrive. The alert fires only if the number of accessed files is uncommon for that user or if the files contain sensitive information.
Detection: Real-time
This risk detection indicates that the token issuer is potentially compromised: the token's claims are unusual or match known attacker patterns.
Detection: Real-time or Offline
This detection indicates that one of the premium detections fired on the sign-in or the user. Premium detections are visible only to Microsoft Entra ID P2 customers, so tenants without P2 see them only under the generic label "additional risk detected".
Detection: Real-time
This risk detection type indicates a sign-in from an anonymous IP address, for example a Tor exit node or an anonymizer VPN. Attackers use such addresses to hide the origin of malicious sign-ins.
Detection: Offline
This detection indicates that an administrator has confirmed the risky user as compromised.
Detection: Offline
This risk detection type indicates user activity that is unusual for the user or consistent with known attack patterns, based on Microsoft's internal and external threat intelligence sources.
Detection: Offline
Microsoft Defender for Endpoint (MDE) detects possible attempts to access the Primary Refresh Token (PRT), the token that enables seamless single sign-on (SSO) across applications on a user's device. Attackers target the PRT for credential theft and to move laterally after an initial breach.
Detection: Offline
This detection builds a baseline of normal administrative behavior in Microsoft Entra ID and spots anomalous patterns, such as suspicious changes to the directory. It triggers when an administrator's changes deviate from that baseline.
Detection: Offline
This risk detection fires when a user denies a multifactor authentication (MFA) prompt they did not initiate and reports it as suspicious. It may mean that the user's credentials are compromised.
Detection: Real-time or Offline
This detection indicates that one of the premium detections fired on the user or their sign-in. Premium detections are visible only to Microsoft Entra ID P2 customers, so tenants without P2 see them only under the generic label "additional risk detected".
Detection: Offline
When attackers compromise legitimate users' passwords, they often sell or share them on the dark web and criminal marketplaces. Microsoft's leaked credentials detection checks these sources and public paste sites for credentials that match Microsoft Entra ID accounts.
Detection: Offline
This threat intelligence detection type, based on Microsoft's internal and external sources, indicates unusual user activity consistent with known attack patterns.