
How to monitor untrusted logon events in Microsoft Entra ID

One crucial aspect of maintaining security is detecting login attempts originating from outside of your organization’s trusted locations.

While username and password are the most common login credentials, other secure methods have also been developed in recent times:

Detecting logons outside of trusted locations in Microsoft Enterprise Identity (Entra ID) involves identifying user login attempts that originate from unfamiliar or potentially risky locations. These locations could be geographically distant from your organization’s usual operating area or associated with suspicious internet connections. The process usually involves monitoring authentication events and comparing each one against predefined criteria for trusted locations.

Why detect logins outside trusted locations?

Identifying logins from unexpected locations can help you catch potential security threats. Imagine a login attempt originating from a country where your employees typically don’t work. This could be a red flag for a compromised account or a targeted attack.

Mitigating Risk: By being proactive, you can take steps to prevent unauthorized access or reduce potential damage. For example, you might require multi-factor authentication (MFA) for any login attempt from an untrusted location.

Compromised Credentials: If a user’s credentials are stolen and used to log in from an unexpected location, detecting this anomaly can help you contain the breach and prevent further damage.

Understanding the detection process:

This detection process happens continuously whenever a user attempts to log in to Entra ID. The system analyzes the login attempt’s origin (IP address) and compares it against a predefined list of trusted locations.

The trusted locations are typically defined based on your organization’s specific needs. They could encompass your company’s office IP addresses, known branch locations, or even specific countries where your employees are authorized to work remotely.

Entra ID uses IP geolocation services to determine the approximate physical location associated with a user’s login attempt. This IP address is then compared against the pre-configured list of trusted locations. If a match is not found, the system might label the login attempt as potentially risky.

The general approach to detect logons outside of trusted locations in Microsoft Entra ID is given below:

1. Define Trusted Locations:

Identify the locations (e.g., physical offices, VPN networks) that are considered trusted for user logons. This could include IP address ranges, subnet masks, specific geographical locations, or other network identifiers.

2. Collect Authentication Logs:

Make use of logging and auditing features available in Microsoft Entra ID or related components (such as Active Directory, Azure AD, or Microsoft 365) to collect authentication logs and events. Ensure that logging is enabled for relevant authentication activities.

3. Analyse Authentication Events:

Examine authentication logs to identify logon events, inclusive of successful and failed logons, along with pertinent details such as the user’s identity, source IP address, timestamp, and authentication method.

4. Compare Against Trusted Locations:

Compare the source IP addresses of logon events against the predefined list of trusted locations. If the source IP address of a logon event falls outside of the trusted locations, flag it as a potential security risk.

5. Alerting and Notification:

Deploy alerting mechanisms to notify administrators or security teams when logon events from untrusted locations are detected. This could involve sending email alerts, generating tickets in a security incident management system, or triggering automated response actions.

6. Investigation and Response:

Upon receiving alerts, investigate the logon events to determine their legitimacy. This may involve correlating logon events with other security data sources, carrying out user behaviour analysis, or contacting the user for verification.

7. Mitigation and Remediation:

Take pertinent action to alleviate any security risks linked with logons from untrusted locations. This could include temporarily blocking access, resetting user credentials, or administering additional authentication factors.

8. Continuous Monitoring and Review:

Continuously monitor authentication logs and refine the criteria for trusted locations as security requirements and organizational policies evolve. Periodically review detection mechanisms and response procedures to ensure they remain effective.

Native Solution:

1. Open portal.azure.com -> Click “Azure Active Directory”.

2. In the Monitoring section, click “Sign-ins”.

3. Click Download -> CSV.

4. Import the resulting file into Microsoft Excel:

In Excel, click File -> Open -> Choose the file you just downloaded.

In the Text Import Wizard, choose Data Type “Delimited” and tick the “My data has headers” box -> Click Next.

In the Delimiters section, tick “Comma” -> Click Next.

Scroll through the fields preview and choose “Do not import column (skip)”, leaving only the following columns: Date (UTC), User, Username, IP address, Location, Status. (For more logon details, you can also leave the “Application”, “Resource”, “Authentication requirement”, “Browser”, “Operating System” fields checked.) -> Click “Finish”.

5. Filter by trusted locations (or IP addresses) using the “Location” (or “IP address”) column.

6. Review the results:

To save this report for future use, click “Tools” -> Click “Save as report” -> Specify a name for your report -> Click “Save”.
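The trusted-location comparison from steps 1 to 4 of the general approach, applied to the columns kept in the CSV export above, as an added example that is not part of the original article. The trusted networks, trusted countries and the sample export rows are all constructed values, not from any real tenant; an address that cannot be parsed is treated as untrusted rather than silently skipped.

```python
import csv
import io
import ipaddress

# Trusted locations (constructed sample values, not from any real tenant):
# office/VPN egress ranges plus countries where remote work is authorised.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
TRUSTED_COUNTRIES = {"GB", "IE"}

# Constructed sample of a Sign-ins CSV export, reduced to the columns kept in the Excel step.
SAMPLE_CSV = """Date (UTC),User,Username,IP address,Location,Status
2024-05-01T08:02:11Z,Alice Example,alice@example.com,203.0.113.45,"London, England, GB",Success
2024-05-01T08:07:52Z,Bob Example,bob@example.com,198.51.100.200,"Dublin, Leinster, IE",Success
2024-05-01T03:14:09Z,Alice Example,alice@example.com,192.0.2.77,"Lagos, Lagos, NG",Success
2024-05-01T03:15:30Z,Carol Example,carol@example.com,192.0.2.78,"Lagos, Lagos, NG",Failure
2024-05-01T09:00:00Z,Dave Example,dave@example.com,not-an-ip,Unknown,Success
"""

def country_of(location):
    """Return the ISO country code from a 'City, State, CC' Location value, or None."""
    code = location.split(",")[-1].strip()
    return code if len(code) == 2 and code.isalpha() else None

def classify_signin(row, networks=TRUSTED_NETWORKS, countries=TRUSTED_COUNTRIES):
    """Return None for a sign-in from a trusted location, otherwise the reason it is untrusted."""
    try:
        ip = ipaddress.ip_address(row["IP address"].strip())
    except ValueError:
        return "unparseable IP address"  # fail closed: an address we cannot check is not trusted
    if any(ip in net for net in networks):
        return None  # matches an office or VPN egress range
    code = country_of(row["Location"])
    if code in countries:
        return None  # outside known ranges but in a country approved for remote work
    return f"IP {ip} outside trusted ranges; country {code or 'unknown'} not trusted"

def find_untrusted_signins(csv_text, networks=TRUSTED_NETWORKS, countries=TRUSTED_COUNTRIES):
    """Return the export rows outside trusted locations, successful sign-ins first."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reason = classify_signin(row, networks, countries)
        if reason:
            flagged.append({"time": row["Date (UTC)"], "user": row["Username"],
                            "status": row["Status"], "reason": reason})
    flagged.sort(key=lambda r: r["status"] != "Success")  # stable: export order kept within group
    return flagged

if __name__ == "__main__":
    for hit in find_untrusted_signins(SAMPLE_CSV):
        print(hit["time"], hit["user"], hit["status"], hit["reason"])
```

Point find_untrusted_signins at the text of a real downloaded export to get the same list the Excel filter in step 5 produces, with the reason each row was flagged.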

By following these steps, organizations can detect and respond to logon events from untrusted locations, helping to prevent unauthorized access and improve the overall security posture of their Microsoft Entra ID environment.
