Last week we released the Users Sharing Authenticator check (initially only compatible with Okta and Duo) for Microsoft Entra ID (Azure AD). When you click on the “Users Sharing Authenticators” check, you will now see Microsoft Entra ID (Azure AD) under “Compatibility”. The check will detect whenever we see a phone number associated with more than one login. If the user is linked, however, this will not cause the check to fail.
As we know, employees may share authenticators when sharing credentials to an account, causing security issues. Furthermore, if users are sharing phones or devices, it can indicate an issue with the onboarding process.
⚠️ Detect Risky User Sign-ins
Keeping a pulse on the risky sign-in behaviors of user accounts when you are managing various activities related to your employees can be challenging. We are excited to introduce a new check for Microsoft Entra ID (Azure AD) called “Sign-in Threat Detected”. With this new check, Oort will now monitor Microsoft Entra ID Risk User events for “high” level risk users and trigger the check.
By default, the check will trigger on “high” risk levels, but by navigating to Check Settings in the check, you can customize the “Ignore list” to fit your needs. When you click on the failing check in the User 360 profile, an activity drawer opens to the right. This drawer gives you useful context for investigation such as insight into the user and why they are failing this check.
Bug Fixes and Minor Improvements
Ignore Slack provider in “No MFA” check. Slack does not return the proper indication if users are using MFA, causing false positives. We now ignore Slack for the No MFA check, which should reduce noise in your environment.
Weekly Digest. The weekly digest email from Oort allows you to get a snapshot of what is going on in your tenet. We have now added Oort admin activity which will give you an at a glance look at key admin activities.
GitHub. For GitHub integration, you will now see the “organization” in the activity drawer.