Azure AD Reporting: monitoring for compromised credentials
With increasing BYOD trends at companies worldwide, and more employees conducting business on personal devices, an extra vigilance should be applied to monitoring Azure AD sign-in activity to reduce the risk of company-owned data falling into the wrong hands. To add to this challenge, a lot of employees reuse their passwords for multiple accounts without even knowing that they could possibly be compromised.
Our new Azure AD report regarding Compromised Credentials can help identify users whose accounts may have been compromised unknowingly. This new report can help organizations move quickly to secure data on stolen devices and prevent data leaks from growing.
An example of this new audit report is shown below. It provides username, event time, display name, credential type, and the reason for the possibly compromised accounts. Moreover, by clicking ‘Columns’, you can add or remove information from the Compromised Credentials report to customize it as needed. Additional columns provide information regarding Updated Properties as well as Company ID. Any of the columns can have filtering applied, and then it is easy to export, save, print, or schedule the report to run on a regular basis.
Furthermore, using V-tenants or admin groupings within CoreView, allows for the segmentation of the information in these audit reports. If you assign a specific administrator to ONLY view a subset of users, then that is the only group of user activity that will be shown in the audit activity reports they’re allowed to view. These reports can also be added to the ‘Favorite Report’ area by clicking on the star icon close the report name. This enables quick access under the ‘Analyze’ tab once you have logged into the portal.
The data view can be updated instantly by clicking the ‘Refresh Data’ button. The success message appears once the data is refreshed.
In the top right corner of the table you can also adjust the time interval for the data items shown in the report. By using the drop-down picklist: yesterday, 7, 14, 30, 60 or 90 days, or custom range, it is possible to filter the information quickly.
If you suspect that a user account may be compromised, or if you have noticed any kind of suspicious user activity that may lead to a security breach, you may want to consider one or more of the following actions:
- Contact the user to verify the activity
- Reset the user’s password
- Enable multi-factor authentication for additional security
- Wipe the device (selective or local wipe)
- Define policies that lock devices after a certain time of inactivity*
Curious to view this report now? If you are already a customer running CoreView you can discover this report under ‘Audit’ tab together with other Azure AD Reports. Otherwise, take advantage of our free 14-day trial to check out the most advanced Office 365 management suite on the market.
New articles about other Azure AD reports are coming soon. Stay tuned!