
Step-by-Step guide to manage Impossible travel activity alert using Azure cloud app security

Let’s assume one of the users in your sales team logs in to https://myapps.microsoft.com and launches the Salesforce app successfully from his office in the UK. A few minutes later the same user makes another successful login from Canada. Unless the user is using a remote connection, this is not possible: nobody can travel that fast. Azure Active Directory is capable of detecting this type of impossible sign-in activity. However, the detection type for this kind of activity is “offline”, which means the reporting latency for these alerts is between 2 and 4 hours.

Azure Cloud App Security is also capable of detecting these types of activities, but it does so in real time, as it detects activities based on sessions. This helps administrators react faster and protect the infrastructure from a potential breach. In this demo, I am going to demonstrate how to fine-tune the built-in Azure Cloud App Security policy for impossible travel activity and prevent a breach.
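To make the detection logic behind the policy concrete, here is an added example (not Microsoft’s or Cloud App Security’s code) that runs the impossible-travel check over a few constructed sign-in records: two successful sign-ins by the same user are compared, and if the great-circle distance between the locations divided by the time between them implies a speed no traveller could reach, the pair is flagged. The sign-in records, the coordinates and the 1000 km/h threshold are all constructed for illustration and are not values taken from the product.

```python
"""Impossible-travel check over constructed sign-in events.

Added example illustrating the idea behind the policy described in this post.
It is not Cloud App Security's detection code; the sample sign-ins below are
constructed data and the speed threshold is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: faster than any commercial flight, so a real journey
# between the two sign-in locations in that time is implausible.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass(frozen=True)
class SignIn:
    user: str
    timestamp: datetime
    lat: float
    lon: float
    location: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def required_speed_kmh(first, second):
    """Speed the user would need to travel between two sign-ins.

    Two sign-ins at the same instant from different places are treated as
    infinitely fast; the same place at the same instant needs no travel.
    """
    hours = abs((second.timestamp - first.timestamp).total_seconds()) / 3600.0
    distance = haversine_km(first.lat, first.lon, second.lat, second.lon)
    if hours == 0:
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def find_impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (user, earlier, later, speed) for each pair of consecutive
    sign-ins by the same user whose implied speed exceeds max_speed_kmh."""
    by_user = {}
    for event in sorted(events, key=lambda e: e.timestamp):
        by_user.setdefault(event.user, []).append(event)
    findings = []
    for user, user_events in by_user.items():
        for prev, cur in zip(user_events, user_events[1:]):
            speed = required_speed_kmh(prev, cur)
            if speed > max_speed_kmh:
                findings.append((user, prev, cur, speed))
    return findings


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample sign-ins mirroring the scenario in the post: the sales
# user signs in from London and then from Toronto seven minutes later, while
# a second user moves between two UK cities over a realistic timespan.
SAMPLE_EVENTS = [
    SignIn("sales.user", _ts("2018-10-01 09:00"), 51.5074, -0.1278, "London, UK"),
    SignIn("sales.user", _ts("2018-10-01 09:07"), 43.6532, -79.3832, "Toronto, Canada"),
    SignIn("other.user", _ts("2018-10-01 08:00"), 51.5074, -0.1278, "London, UK"),
    SignIn("other.user", _ts("2018-10-01 11:30"), 52.4862, -1.8904, "Birmingham, UK"),
]

if __name__ == "__main__":
    for user, a, b, speed in find_impossible_travel(SAMPLE_EVENTS):
        minutes = (b.timestamp - a.timestamp).total_seconds() / 60
        print(f"{user}: {a.location} -> {b.location} in {minutes:.0f} min "
              f"requires ~{speed:,.0f} km/h")
```

Only the sales user is flagged: London to Toronto is roughly 5,700 km, which in seven minutes would need a speed of tens of thousands of km/h, while the second user’s London to Birmingham move works out to under 50 km/h. The session-based approach the post describes lets a product apply exactly this kind of comparison as each sign-in arrives, rather than in a batch hours later.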

Before we start, we first need to integrate the SaaS app with Cloud App Security. In my previous post I demonstrated how to do that, so please go ahead and read it at http://www.rebeladmin.com/2018/09/step-step-guide-block-data-download-using-azure-cloud-app-security/

In this demo I am using the Salesforce app.

1. Once the integration is done, log in to https://portal.cloudappsecurity.com as a global administrator.

2. Then go to Settings | Conditional access app control.

3. There you should be able to see your app under the Conditional access app control tab. It should be in a healthy, connected status.

4. Then click on Control | Policies.

5. Under policies, click on the Impossible travel policy.

6. This is a built-in policy. As you can see, it doesn’t have any actions attached to it. If CAS detects such activity, it will still be reported under the CAS dashboards.

7. In my environment, I would like to get an alert if it detects such activity. To do that, click on the Send alert as email option under Alerts. Then define the email address in the text box.

8. I would also like to suspend the user account, so it gives my team enough time to review the alert and make the necessary adjustments. To do that, click on All apps under Governance and tick the Suspend user check box.

9. To complete the action, click on Update.

10. The policy is updated now. For testing, I am logging in from two VMs located in two different locations.

11. Once the logins are done, I come back to https://portal.cloudappsecurity.com. Then click on the Salesforce app.

12. Under the alerts I can see it has detected impossible travel activity. Click on it to view more details.

13. There we can see a detailed error description and the activity log.

14. According to the policy, I should also get an email alert. When I log in to email I can see the email alert for the activity, as expected.

15. According to the policy it should also suspend the user account. When I try to log in again as the same user I get the following account lockout error.

Cool, ha? As expected, the policy detects the activities in real time and takes the necessary actions as defined.

This marks the end of this blog post. If you have any further questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.
