Github repository : https://github.com/ashishmgupta/AzureADIdentityProtection
What is Azure AD Identity Protection?
Identity Protection is a tool in Azure AD that allows organizations to accomplish three key tasks:
- Automate the detection and remediation of identity-based risks.
- Investigate risks using data in the portal.
- Export risk detection data to third-party utilities for further analysis.
Identity Protection identifies risks in the following classifications:
|Risk Detection Type||Description|
|Atypical travel||Sign in from an atypical location based on the user’s recent sign-ins.|
|Anonymous IP address||Sign in from an anonymous IP address (for example: Tor browser, anonymizer VPNs).|
|Unfamiliar sign-in properties||Sign in with properties we‘ve not seen recently for the given user.|
|Malware linked IP address||Sign in from a malware linked IP address|
|Leaked Credentials||This risk detection indicates that the user’s valid credentials have been leaked|
|Azure AD threat intelligence||Microsoft’s internal and external threat intelligence sources have identified a known attack pattern|
Note : Azure AD Identity Protection is fully available in the Azure AD Premium P2 only.
In this blog post, we will focus on detection of the above identity based risks.
There are two steps :
1) From Azure Portal, setup the Application (with a token) with configured permissions to read data from Identity Protection.
2) Python script to use Graph API with the above OAuth token to access the Identity protection data to ingest in your SIEM tool.
Setting up the application in the Azure portal
Azure Active Directory > App Registrations > New Registration
Give the application a name.
Add API permissions.
API Permission > Add a permission
Click Microsoft Graph
Since we want the logs from an application instead for a user, select Application permission.
Now, there are three API and we need specific permissions for them to access data via Graph API.
|API Name||Details||Permission Needed|
|Sign Ins||Allows query Graph API for information on Azure AD sign-ins with specific properties related to risk state, details and level||AuditLog.ReadAll
|Risky Users||Gets users identified by identity protection as risky users.||IdentityRiskyUser.ReadAll|
|Risk Detections||Gets both risky users and sign-in linked risk detections and associated information||identityRiskEvents.ReadAll|
Above API permissions need to be set under Microsoft Graph as shown below.
The Global Administrator of your tenant needs to grant admin consent for the permissions you added.
You should contact them for this and get the consent granted.
Create a new client secret.
Certificate and Secrets > New Client Secret
A secret is automatically generated and can be copied.
Python script to use Graph API to pull Identity Protection data
Below is the screenshot of of a section of the python code which uses the ClientId, Client Secret and the tenant domain to get the OAuth token and then uses the OAuth token to query the Microsoft Graph API to get the identity protection data in the JSON format for both risky users and risky detection.
Full source code is located here :
The code also retries in case of the number of requests crosses the threshold (HTTP 429 Too many requests).
Hope this post helps you implementing and querying the Azure Identity Protection data in your organization.
Please feel free to ask questions in the comments sections below.