With the launch of another new great service around (cloud-)identity in Azure, Microsoft today unveiled a service where they’ve been working on for the last year; Azure Active Directory Identity Protection. With this new service, available in Public Preview today, your business can take immediate advantage of Microsofts’ experience in running Global services, which result in an enormous amount of user logon-data. This data is analyzed by Machine Learning on a daily basis, to result in risk scores for every Azure AD authentication request.
How can your business benefit from this data in Microsofts’ data centers? An example Microsoft provides is: “If our data indicates that a sign-in originates from a new, anonymized or bot-controlled network location, Azure AD Conditional Access can intercept the request and require the user to complete an MFA challenge and a password change. Since the attackers are unlikely to have access to a second factor of authentication, they are, in practice, blocked from exploiting the compromised identity.”
How to get started
You can find this new service in the Azure Marketplace, just look for “identity”
Then autocomplete to Azure AD Identity Protection
What is currently detected in this preview-stadium?
In a nutshell, Azure AD Identity Protection
- Detects identity-based security issues through ML analysis of Microsoft data.
- Supports investigation of security events and users flagged for risk.
- Supports in-line remediation and management of risk events.
- Harnesses the power of Azure AD Conditional Access policies and real-time risk evaluation to auto-remediate leaked-credentials before they can cause harm.
But what is a “conditional access policy” then?
A conditional access policy allows users access to resources if they comply to certain rules defined by the organisation. For Azure AD Identity Protection, currently we have three policies, of which two are conditional access policies (CAP).
- Azure Multi-Factor Authentication registration policy
- User Risk policy (CAP)
- Sign-in Policy (CAP)
From the Azure Active Directory Identity Protection (AADIP) dashboard, you can define those policies in the settings blade.
In the Azure Multi-Factor Authentication registration policy you can require users to set up multi-factor authentication on their next sign-in, ensuring they can meet password change or MFA requirements.
The User Risk policy enables you to automatically remediate riskfull users by requiring multi-factor authentication followed by a password change, or just blocking the user from logging in.
The Sign-in policy grants you the magic to prevent risky sign-ins by either challenging the user for multi-factor authentication or by blocking the sign-in automatically if it appears anomalous.
After an admin has configured a User Risk policy, the users who meet the risk level specified in the policy for password change will be prompted for multi-factor authentication followed by a password change. The experience is designed such that the user understands what’s going on.
If the user risk policy or the sign-in policy are triggered and requires an MFA challenge or worse (for the user), the sign-in is blocked, the user will be provided guidance. Azure AD Identity Protection also notifies the identity admins or security analysts when new compromised users, risky sign-ins, or configuration vulnerabilities are detected in their environment. If Conditional Access policies are enabled, administrators and security analysts can prevent and/or remediate these risks before they are exploited by cyber-criminals.
If the information above isn’t enough to satisfy your curiousity, Microsoft also provided an Identity Protection playbook which shows you how to simulate risk events for testing purposes. And ofcourse here’s a link to the documentation.
Want to know more, or did any questions come up when you were reading this? Do you have some feedback for me? Leave a comment or drop me an email.
Until the next time, until then, keep it cloudy!