Join Pete Zerger for an in-depth discussion in this video, "Set up notification and simulate risk events," part of Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection.
- [Instructor] There are a couple of important tasks you should finish before you consider your configuration of Azure Active Directory Identity Protection complete. One of those is configuring notification preferences, and the other is simulating some risk events to test your policies and notifications. You can configure your preferences in regards to Azure AD identity-related risk events in the Azure Portal. So I'll browse to portal.azure.com, supply my Azure AD login.
And I'm going to go back to that Azure Active Directory Identity Protection dashboard, which I have pinned to my desktop here. Remember, you can always go to the lower left of your Portal through More services to search for that dashboard if you don't have it pinned already. If I scroll down in my left menu, we'll see, under Settings, I have some notification-related options, and we have two types of automated notification emails to help you manage user risk and risk events.
One of those is alerts. And I can send alerts on Low, Medium, or High. This is going to lessen my need to be back in this Portal, watching for alerts. I like to set this around Medium, so I get those more probable events without the noise that I'm going to get from low-confidence events. And you'll see here that I can add the users to whom I'd like to send these. And again, even though it shows users, you can add groups as well.
So we can tie these to Office 365 groups and all the functionality that comes with that. So I'll discard those settings for now. And beneath those alerts, you see the Weekly Digest option. So once a week, this is going to send me an email with some summary count of these sorts of alerts. Now, if you'd like to see a sample of that, I'll simply browse to my Office.com Portal here, and we'll look in our email for the most recent of these weekly summary messages.
And here's a Weekly Digest. So it's going to show me, for the last week, the risk events, vulnerabilities, and users flagged for risk. And by the way, each of these is clickable, so if you click on any of these regions, it will take you to the right place in the Portal to see what was found in that last reporting period. So let's talk about simulating risk events. To test your notification settings, at least in the case of user compromised alert emails, you may want to simulate a risk event.
And there are a few ways to do this, though some are quite a bit easier than others. So we can simulate sign-ins from anonymous IP addresses. This is quite easy, just using a Tor Browser, which masks your IP address. I'll show you an example of that right now, in fact. So you'll need to download the Tor Browser. I've downloaded and installed Tor. And I will, from the portal.azure.com URL, log in with my normal Azure Active Directory account. I'm simply doing so behind the anonymization of the Tor Browser here, so I'm logging in with an anonymous IP.
So while we're waiting for that login to complete, we'll go back to our Azure Portal, and we'll go back to those risk events. And you'll notice that we have some sign-ins from an anonymous IP address. In fact, those were completed with the Tor Browser. Now you can also execute sign-ins from unfamiliar locations. This is a little bit more difficult. It takes Azure AD Identity Protection a couple of weeks to learn which locations are familiar, so this might not work right away. I do this by remoting into a server or a virtual machine around the world somewhere where I've not logged in before, and sometimes I can trigger this event.
And we can also trigger impossible travel to atypical locations. This does tend to be quite a bit more difficult, and this is going to require either using a VPN connection remoting to a distant server we've never used before or potentially using a Tor Browser add-on. And other risks really can't be simulated in a secure manner, so I'd suggest just using these three options we've discussed here, starting with that anonymous IP option. But these simulations are a great way to ensure that your Azure AD Identity Protection risk policies and notification settings are configured correctly and your administrators will be notified in a timely manner.
- Configuring virtual-based security
- Securing email
- Implementing post-breach defense
- Protecting the cloud with Azure AD
- Using Windows Defender ATP
- Managing privileged access in Azure