Thursday, July 22, 2021

Azure Identity Protection to protect your credentials

Azure AD Identity Protection (an Azure AD Premium P2 feature) gives you the tooling Azure provides to detect and remediate risks to your identities.

Some of the common risks to identities are:

  • Leaked credentials
  • Malware-linked IP addresses
  • Unfamiliar sign-in properties
  • and many more.

As you can imagine, it is very difficult to manually monitor every corner of the internet to check whether our credentials have been compromised.

As a remedy, Microsoft provides the Identity Protection feature, which automates the detection of identity-based risks.

Identity Protection remediates these risks through policies. Two main policies are available to us.

User risk policy
Azure will identify user accounts whose credentials may have been compromised. The policy defines what action is taken for such accounts.

Based on the severity of the user risk, Azure classifies the risk as low, medium or high.

The User risk policy is configured as follows.

Step 1: Select target users

Step 2: Select the risk level

Microsoft recommends setting the threshold to High.

Step 3: Select the control

With the setting shown in the diagram above, the user's access will be blocked.

Sign-in risk policy
Azure will identify suspicious sign-in attempts by users. The policy defines what action is taken for such sign-ins.

Based on the severity of the sign-in risk, Azure classifies the risk as low, medium or high.

The Sign-in risk policy is configured as follows.

Step 1: Select target users

Step 2: Select the risk level

Microsoft recommends setting the threshold to Medium and above.

Step 3: Select the control

With the setting shown in the diagram above, the user's access will be blocked.

After the policies are set, administrators can refer to the various risk reports to obtain further insights.

Wednesday, July 21, 2021

Resolving the error: The directory currently selected differs from this key vault's directory

Recently, after a migration, I could see a warning message on one of my Azure Key Vaults. It says:

The directory <Logged in directory> currently selected differs from this key vault's directory. Some actions will be disabled. Click for more details

As you can see, the directory name is empty and the directory ID is also different. We need to map the Key Vault to the correct tenant. How can we do it?

It is very easy. Open Azure Cloud Shell (PowerShell) and execute the following statements.

# Run in Azure Cloud Shell (PowerShell); <key-vault-name> below is a placeholder for your vault's name
az account set --subscription "Visual Studio Enterprise Subscription"
$tenantId = $(az account show --query tenantId -o tsv)   # -o tsv returns the bare id without JSON quotes
$vaultName = "<key-vault-name>"
# existing access policies reference principals of the old tenant, so they are removed first and must be re-granted afterwards
az keyvault update -n $vaultName --remove Properties.accessPolicies
az keyvault update -n $vaultName --set Properties.tenantId=$tenantId

This resolved the issue.
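As an added check (example code written for this post, not the author's or Microsoft's), the script below reads the JSON that `az account show -o json` and `az keyvault show -n <vault-name> -o json` return, reports whether the vault's tenant differs from the signed-in tenant, lists the access policies whose tenantId still belongs to the old directory, and produces the two update commands above. The embedded sample documents and all ids in them are constructed.

```python
import json

# Constructed sample JSON (made-up ids) in the shape returned by
# `az account show -o json` and `az keyvault show -n <vault-name> -o json`.
ACCOUNT_JSON = """{
  "id": "00000000-0000-0000-0000-0000000000aa",
  "name": "Visual Studio Enterprise Subscription",
  "tenantId": "11111111-1111-1111-1111-111111111111"
}"""

VAULT_BEFORE_JSON = """{
  "name": "example-vault",
  "properties": {
    "tenantId": "22222222-2222-2222-2222-222222222222",
    "accessPolicies": [
      {"objectId": "33333333-3333-3333-3333-333333333333",
       "tenantId": "22222222-2222-2222-2222-222222222222",
       "permissions": {"secrets": ["get", "list"]}}
    ]
  }
}"""


def diagnose(account_json, vault_json):
    """Compare the signed-in tenant with the vault's tenant and return a report.

    A mismatch is the condition behind the portal warning quoted above. An
    access policy is flagged as stale when its tenantId is not the current
    tenant: its objectId names a principal of the old directory, which is why
    the fix removes the policies before switching Properties.tenantId (they
    have to be granted again afterwards).
    """
    current = json.loads(account_json)["tenantId"]
    vault = json.loads(vault_json)
    props = vault["properties"]
    stale = [p["objectId"] for p in props.get("accessPolicies", [])
             if p.get("tenantId") != current]
    mismatch = props["tenantId"] != current
    commands = []
    if mismatch:
        commands = [
            f"az keyvault update -n {vault['name']} --remove Properties.accessPolicies",
            f"az keyvault update -n {vault['name']} --set Properties.tenantId={current}",
        ]
    return {"mismatch": mismatch, "current_tenant": current,
            "vault_tenant": props["tenantId"],
            "stale_policy_object_ids": stale, "commands": commands}


if __name__ == "__main__":
    print(json.dumps(diagnose(ACCOUNT_JSON, VAULT_BEFORE_JSON), indent=2))
```

Run it again on the output of `az keyvault show` after the update to confirm the mismatch is gone before re-granting access policies.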