Investigate compromised identities from Microsoft Entra ID
Investigating compromised identities from Microsoft Entra ID is a critical skill for Security Operations Analysts. When an identity compromise is suspected, analysts must follow a systematic approach to assess the scope and impact of the breach.
First, access the Microsoft Entra ID portal and navigate to the Security section. Review sign-in logs to identify anomalous authentication patterns, such as logins from unusual locations, unfamiliar devices, or impossible travel scenarios. The Identity Protection dashboard provides risk detections that flag suspicious activities including password spray attacks, credential stuffing, and leaked credentials.
Examine the user's recent activity by reviewing audit logs, which track changes to user accounts, group memberships, and application assignments. Look for unauthorized modifications that could indicate an attacker has escalated privileges or established persistence. Check if new authentication methods were added, such as additional MFA devices or app passwords.
Correlate findings with Microsoft Sentinel by querying the IdentityInfo and SigninLogs tables. Use KQL queries to search for patterns across multiple users that might reveal a broader attack campaign. The UEBA (User and Entity Behavior Analytics) feature helps identify deviations from normal user behavior.
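The two sign-in patterns named above, impossible travel for one user and a spray across many users from one source, can be checked offline against exported sign-in records before or alongside a Sentinel query. The following is an added example, not Microsoft's code or a Sentinel artifact: it uses the field names of the Microsoft Graph signIn resource (createdDateTime, userPrincipalName, ipAddress, status.errorCode, location.geoCoordinates) and runs over constructed records, not real telemetry. The 1000 km/h speed threshold and the ten-account spray threshold are assumptions chosen for the example.

```python
"""Hunt over exported Microsoft Entra ID sign-in records for two patterns:
impossible travel for a single user, and a password spray (one source IP
failing against many accounts) across the tenant.

Added example, not Microsoft's code. Field names follow the Microsoft Graph
signIn resource; the records below are constructed, not real telemetry.
"""
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
ERR_INVALID_PASSWORD = 50126  # Entra sign-in error code: invalid username or password


def _rec(when, upn, ip, code, country, lat, lon):
    """Build one constructed sign-in record in Graph signIn shape."""
    return {"createdDateTime": when, "userPrincipalName": upn, "ipAddress": ip,
            "status": {"errorCode": code},
            "location": {"countryOrRegion": country,
                         "geoCoordinates": {"latitude": lat, "longitude": lon}}}


# Constructed sample: alice signs in from London, then Tokyo 40 minutes later;
# bob goes London -> Paris over 8 hours; 192.0.2.50 sprays twelve accounts
# with bad passwords and then succeeds against one of them.
SIGNINS = [
    _rec("2024-05-01T08:00:00Z", "alice@example.com", "203.0.113.10", 0, "GB", 51.5074, -0.1278),
    _rec("2024-05-01T08:40:00Z", "alice@example.com", "198.51.100.7", 0, "JP", 35.6762, 139.6503),
    _rec("2024-05-01T09:00:00Z", "bob@example.com", "203.0.113.11", 0, "GB", 51.5074, -0.1278),
    _rec("2024-05-01T17:00:00Z", "bob@example.com", "203.0.113.12", 0, "FR", 48.8566, 2.3522),
]
for i in range(12):
    SIGNINS.append(_rec(f"2024-05-01T03:{i:02d}:00Z", f"user{i}@example.com", "192.0.2.50",
                        ERR_INVALID_PASSWORD, "US", 40.7128, -74.0060))
SIGNINS.append(_rec("2024-05-01T03:15:00Z", "user3@example.com", "192.0.2.50", 0, "US", 40.7128, -74.0060))


def _ts(record):
    # Graph timestamps end in "Z"; older fromisoformat() versions need "+00:00".
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(signins, max_speed_kmh=1000.0):
    """Flag consecutive successful sign-ins by one user whose locations imply
    travel faster than max_speed_kmh (roughly airliner speed; assumed)."""
    by_user = defaultdict(list)
    for r in signins:
        if r["status"]["errorCode"] == 0:  # only a successful sign-in places the user somewhere
            by_user[r["userPrincipalName"]].append(r)
    alerts = []
    for upn, recs in by_user.items():
        recs.sort(key=_ts)
        for prev, cur in zip(recs, recs[1:]):
            g1, g2 = prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"]
            km = haversine_km(g1["latitude"], g1["longitude"], g2["latitude"], g2["longitude"])
            # Floor the gap at one second: two distant sign-ins in the same second
            # must yield a (huge) speed rather than a division by zero.
            hours = max((_ts(cur) - _ts(prev)).total_seconds(), 1.0) / 3600.0
            if km / hours > max_speed_kmh:
                alerts.append({"user": upn, "from_ip": prev["ipAddress"], "to_ip": cur["ipAddress"],
                               "from": prev["location"]["countryOrRegion"],
                               "to": cur["location"]["countryOrRegion"],
                               "km": round(km), "kmh": round(km / hours)})
    return alerts


def password_spray(signins, min_users=10):
    """Return source IPs that failed with a bad password against at least
    min_users distinct accounts, plus any accounts the same IP then signed into."""
    failed, succeeded = defaultdict(set), defaultdict(set)
    for r in signins:
        code, ip, upn = r["status"]["errorCode"], r["ipAddress"], r["userPrincipalName"]
        if code == ERR_INVALID_PASSWORD:
            failed[ip].add(upn)
        elif code == 0:
            succeeded[ip].add(upn)
    return {ip: {"failed_users": len(users), "succeeded_users": sorted(succeeded[ip])}
            for ip, users in failed.items() if len(users) >= min_users}


if __name__ == "__main__":
    for a in impossible_travel(SIGNINS):
        print(f"impossible travel: {a['user']} {a['from']}->{a['to']} {a['km']} km at {a['kmh']} km/h")
    for ip, s in password_spray(SIGNINS).items():
        print(f"password spray from {ip}: {s['failed_users']} accounts failed, "
              f"landed on {s['succeeded_users'] or 'none'}")
```

The spray check deliberately reports accounts the spraying IP later signed into successfully: a spray that lands is a confirmed compromise candidate, whereas the failures alone are only an attempt. Both functions work on the whole export, so the same pass surfaces one user's anomaly and a tenant-wide campaign.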
Investigate connected applications and OAuth consent grants, as attackers often abuse these to maintain access even after password resets. Review the enterprise applications section for suspicious third-party app permissions.
Document all findings in the incident timeline and determine the initial compromise vector. Common entry points include phishing attacks, token theft, or legacy authentication exploitation.
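The audit-log review (new authentication methods, group and role changes), the consent-grant review and the incident timeline described in the preceding paragraphs can be driven from exported audit records. The following is an added example, not Microsoft's code: it uses the Microsoft Graph directoryAudit field names (activityDateTime, activityDisplayName, initiatedBy.user, targetResources, modifiedProperties) and the Entra audit activity names quoted in the code, and it runs over constructed records in which the application name, user names and IP addresses are invented for the example.

```python
"""Triage exported Microsoft Entra ID audit records for one suspect account:
bucket MFA registrations, OAuth consent grants and privilege changes, and
build an ordered incident timeline for the investigation window.

Added example, not Microsoft's code. Field names follow the Microsoft Graph
directoryAudit resource; the records below are constructed, not real telemetry.
"""
from datetime import datetime

# Entra audit activity names grouped by what they can indicate for an attacker.
MFA_ACTIVITIES = {"User registered security info", "Admin registered security info"}
CONSENT_ACTIVITIES = {"Consent to application", "Add app role assignment grant to user"}
PRIVILEGE_ACTIVITIES = {"Add member to role", "Add member to group"}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _actor(rec):
    user = rec.get("initiatedBy", {}).get("user") or {}
    return user.get("userPrincipalName", ""), user.get("ipAddress", "")


def _targets(rec):
    # Users carry a UPN; service principals and groups only a displayName.
    return [t.get("userPrincipalName") or t.get("displayName", "")
            for t in rec.get("targetResources", [])]


def involves(rec, upn):
    """True if the suspect initiated the action or is one of its targets."""
    upn = upn.lower()
    return _actor(rec)[0].lower() == upn or any(t.lower() == upn for t in _targets(rec))


def triage_audit(audits, suspect_upn, window_start, window_end):
    start, end = _ts(window_start), _ts(window_end)
    findings = {"mfa_registration": [], "consent_grants": [], "privilege_changes": [], "timeline": []}
    for rec in sorted(audits, key=lambda r: _ts(r["activityDateTime"])):
        when = _ts(rec["activityDateTime"])
        if not (start <= when <= end) or not involves(rec, suspect_upn):
            continue
        activity = rec["activityDisplayName"]
        actor, ip = _actor(rec)
        entry = {"time": rec["activityDateTime"], "activity": activity, "actor": actor,
                 "ip": ip, "targets": _targets(rec), "result": rec.get("result")}
        findings["timeline"].append(entry)  # every in-scope event goes on the timeline
        if activity in MFA_ACTIVITIES:
            findings["mfa_registration"].append(entry)
        elif activity in CONSENT_ACTIVITIES:
            app = next((t.get("displayName") for t in rec["targetResources"]
                        if t.get("type") == "ServicePrincipal"), None)
            perms = [p.get("newValue") for t in rec["targetResources"]
                     for p in t.get("modifiedProperties", []) if "Permissions" in p.get("displayName", "")]
            findings["consent_grants"].append({**entry, "app": app, "permissions": perms})
        elif activity in PRIVILEGE_ACTIVITIES:
            findings["privilege_changes"].append(entry)
    return findings


def unexpected_actor_ips(findings, baseline_ips):
    """IPs that performed in-scope actions but are not in the user's known set;
    correlate these with the sign-in logs."""
    return sorted({e["ip"] for e in findings["timeline"] if e["ip"] and e["ip"] not in baseline_ips})


def _audit(when, activity, category, actor, ip, targets, **extra):
    """Build one constructed audit record in Graph directoryAudit shape."""
    return {"activityDateTime": when, "activityDisplayName": activity, "category": category,
            "result": "success", "initiatedBy": {"user": {"userPrincipalName": actor, "ipAddress": ip}},
            "targetResources": targets, **extra}


# Constructed sample: a benign profile change from alice's usual IP, then an MFA
# registration, a consent grant and a role assignment from an unfamiliar IP.
# The last two records are out of window or about other users and must be ignored.
AUDITS = [
    _audit("2024-05-01T07:00:00Z", "Update user", "UserManagement", "alice@example.com", "203.0.113.10",
           [{"type": "User", "userPrincipalName": "alice@example.com",
             "modifiedProperties": [{"displayName": "MobilePhone"}]}]),
    _audit("2024-05-01T08:45:00Z", "User registered security info", "UserManagement",
           "alice@example.com", "198.51.100.7",
           [{"type": "User", "userPrincipalName": "alice@example.com"}],
           resultReason="User registered Authenticator App with Notification and Code"),
    _audit("2024-05-01T08:50:00Z", "Consent to application", "ApplicationManagement",
           "alice@example.com", "198.51.100.7",
           [{"type": "ServicePrincipal", "displayName": "Mail Backup Helper",
             "modifiedProperties": [{"displayName": "ConsentAction.Permissions",
                                     "newValue": "[] => [Scope: Mail.ReadWrite offline_access]"}]}]),
    _audit("2024-05-01T09:10:00Z", "Add member to role", "RoleManagement", "alice@example.com", "198.51.100.7",
           [{"type": "User", "userPrincipalName": "eve@example.com",
             "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Exchange Administrator\""}]}]),
    _audit("2024-04-20T10:00:00Z", "User registered security info", "UserManagement",
           "alice@example.com", "203.0.113.10", [{"type": "User", "userPrincipalName": "alice@example.com"}]),
    _audit("2024-05-01T09:30:00Z", "Add member to group", "GroupManagement", "bob@example.com", "203.0.113.11",
           [{"type": "User", "userPrincipalName": "carol@example.com"}]),
]

if __name__ == "__main__":
    f = triage_audit(AUDITS, "alice@example.com", "2024-05-01T00:00:00Z", "2024-05-02T00:00:00Z")
    for e in f["timeline"]:
        print(e["time"], e["activity"], e["actor"], e["ip"], e["targets"])
    print("consents:", [(c["app"], c["permissions"]) for c in f["consent_grants"]])
    print("new actor IPs:", unexpected_actor_ips(f, {"203.0.113.10"}))
```

Bucketing by activity name rather than free-text search keeps the triage repeatable, and carrying the initiator's IP on every timeline entry lets the MFA registration and consent grant be tied back to the same unfamiliar source seen in the sign-in logs, which is what turns a list of events into an initial-compromise hypothesis.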
Remediation steps typically include resetting credentials, revoking active sessions, reviewing and removing suspicious MFA methods, blocking identified malicious IPs, and enforcing conditional access policies. Consider enabling enhanced security features like continuous access evaluation and requiring phishing-resistant authentication methods for sensitive accounts to prevent future compromises.
Investigate Compromised Identities from Microsoft Entra ID
Why It Is Important
Compromised identities represent one of the most significant security threats organizations face today. When an attacker gains access to a user's credentials, they can move laterally through your environment, access sensitive data, and escalate privileges. Microsoft Entra ID (formerly Azure AD) serves as the identity backbone for most Microsoft 365 and Azure environments, making it a prime target for attackers. Security Operations Analysts must be able to quickly identify, investigate, and remediate compromised identities to minimize damage and prevent further unauthorized access.
What It Is
Investigating compromised identities from Microsoft Entra ID involves using various security tools and signals to detect when user accounts have been taken over by malicious actors. This process leverages:
• Microsoft Entra ID Protection - Detects risky sign-ins and risky users based on machine learning algorithms
• Microsoft Defender for Identity - Monitors on-premises Active Directory signals
• Microsoft Sentinel - Aggregates identity-related alerts and enables advanced hunting
• Microsoft Defender XDR - Provides unified incident investigation across identity, endpoint, and cloud
How It Works
Risk Detection in Entra ID Protection: Microsoft Entra ID Protection calculates user risk and sign-in risk levels (Low, Medium, High) based on signals such as:
• Impossible travel patterns
• Unfamiliar sign-in properties
• Malware-linked IP addresses
• Password spray attacks
• Leaked credentials detected on the dark web
• Anonymous IP address usage
Investigation Workflow:
1. Review alerts in the Microsoft Entra admin center under Protection > Risky users and Risky sign-ins
2. Examine the risk detections timeline for each user
3. Correlate with Microsoft Defender XDR incidents
4. Use Microsoft Sentinel workbooks for deeper analysis
5. Check audit logs for suspicious activities like MFA registration changes or consent grants
Remediation Actions:
• Confirm user compromised or dismiss the risk
• Reset user password (requires re-authentication)
• Block user sign-in
• Revoke refresh tokens
• Review and remove suspicious OAuth app consents
• Enable or enforce MFA
Key Investigation Areas
• Sign-in logs: Location, device, application, and authentication method used
• Audit logs: Changes to user profile, group memberships, or directory roles
• Risky user details: All risk detections associated with the account
• OAuth consent grants: Malicious applications the compromised account may have authorized
Exam Tips: Answering Questions on Investigating Compromised Identities from Microsoft Entra ID
1. Know the risk levels: Understand that user risk is cumulative (based on account behavior over time) while sign-in risk is transactional (based on specific sign-in events)
2. Remember remediation order: Password reset dismisses user risk; blocking only prevents new sign-ins but does not dismiss the risk
3. Understand where to investigate: Risky users and sign-ins are found in the Microsoft Entra admin center under Protection, while correlated incidents appear in Microsoft Defender XDR
4. Know the detection types: Familiarize yourself with offline detections (processed after sign-in) versus real-time detections (evaluated during sign-in)
5. Conditional Access integration: Risk-based Conditional Access policies can automate responses like requiring MFA or blocking access when risk is detected
6. Token revocation: When a scenario asks about ensuring an attacker cannot continue using stolen tokens, the answer involves revoking refresh tokens
7. Premium licensing: Remember that Entra ID Protection features require Microsoft Entra ID P2 licenses
8. Portal navigation: Be familiar with the Microsoft Entra admin center navigation paths for identity protection features
9. Dismiss vs Confirm: Dismissing risk marks false positives while confirming compromised triggers password reset requirements