Skip to main content

Remediate risk signals from Identity Protection & MDI

Implementation Effort: High – Security operations teams must establish and maintain processes to monitor, investigate, and remediate identity-related risk signals, integrating them into existing workflows and tools.

User Impact: Medium – Users may experience additional authentication challenges, account restrictions, or password resets as part of risk remediation efforts.

Overview

Remediating risk signals from Microsoft Entra ID Protection and Microsoft Defender for Identity (MDI) involves a structured approach to detect, investigate, and respond to potential identity threats. Entra ID Protection identifies risks such as atypical travel, anonymous IP usage, and leaked credentials, assigning risk levels to users and sign-ins. MDI monitors on-premises Active Directory activities, detecting behaviors like lateral movement and credential theft attempts.

Integrating these signals into security operations centers (SOCs) enhances the organization's ability to verify explicitly by continuously assessing user and sign-in risks based on real-time data. It supports the principle of assuming breach by proactively identifying and mitigating suspicious activities before they escalate. While least privilege access is primarily about access controls, the insights from these tools can inform adjustments to access policies, ensuring users have only the necessary permissions.

Neglecting to address these risk signals can lead to undetected compromises, allowing threat actors to exploit vulnerabilities, escalate privileges, and exfiltrate data. By incorporating risk signals into SOC playbooks, organizations can standardize responses, such as initiating password resets, disabling accounts, or requiring multifactor authentication, thereby reducing the window of opportunity for attackers.

Reference