Howdy folks, I am crazy pumped to announce that Azure Active Directory Identity Protection is in public preview! Identity Protection is a new feature of Azure AD that gives organizations around the world a previously unavailable level of security for their cloud identities. As I promised last week, today we've got a deep dive blog post with tons of details on this cool new service.

We've been working on this new capability for over a year now with the vision of building the industry's first cloud-powered, adaptive, machine learning based identity protection system, one that can detect cyber-attacks, mitigate them in real time, and automatically suggest updates to your Azure AD configuration and conditional access policies to help our customers keep their enterprises safe.

Today, phishing attacks and account compromise are among the biggest cyber risks that organizations face. A single compromised identity in your organization can give cyber-criminals an opening into your environment. Once inside, they can perform lateral attacks, identify opportunities to incrementally elevate privileges and eventually gain full control of your resources. Azure AD Identity Protection helps prevent the use of compromised accounts using industry-leading machine learning (ML) based real-time detection and automated mitigation, helping protect all of the cloud and on-premises applications customers use with Azure AD.

This kind of ML based system only works if you have access to huge amounts of relevant data to use in training adaptive ML algorithms, which are critical to success in today's rapidly changing landscape of cybercrime. At Microsoft, we enjoy a unique advantage here because we run many of the world's largest cloud services, including Outlook.com, Xbox Live, Office 365 and Azure, and they generate an incredible amount of data. And we put this data to good use!
Every day our ML system processes >10 terabytes of data, including information on over 14B logins from nearly 1B users. These login signals are combined with data feeds from Microsoft's Digital Crimes Unit and Microsoft Security Response Center, phishing attack data from Outlook.com and Exchange Online, as well as information we acquire from partnering with law enforcement, academia, security researchers, and industry partners around the world. Then we use all of that data and our world class machine learning to continuously train our detection algorithms, so that as cyber criminals change their attack methods, the system evolves to detect and block newly emerging attack patterns.

All this intelligence results in real-time user and login risk scores for every Azure AD authentication request. Azure AD's Conditional Access system uses these scores to automatically respond to threats by blocking logins, issuing Azure Active Directory Multi-Factor Authentication challenges, or, if the evidence is strong enough, requiring the users to change their credentials, all based on each organization's unique set of access policies. For example, if our machine learning system discovers that a sign-in originates from a new, anonymized or bot-controlled network location, Azure AD Conditional Access auto-remediation can intercept the request with an adaptive MFA challenge such as an SMS, phone call, push notification or a request for an OATH token. Or if our threat intelligence or advanced machine learning algorithms indicate that a user's credentials are compromised, policies can offer automatic protection by blocking the account and requiring the user to complete an MFA challenge and a password change. Since the attackers are unlikely to have access to a second factor of authentication, they are, in practice, blocked from exploiting the compromised identity.
Azure AD Identity Protection also notifies the identity admins or security analysts when new compromised users, risky sign-ins, or configuration vulnerabilities are detected in their environment. If Conditional Access policies are enabled, administrators and security analysts can prevent and/or remediate these risks before they are exploited by cyber-criminals. To investigate and remediate risks, administrators and security analysts simply sign in to the Azure portal and get a consolidated view into risky sign-ins and users, remediation recommendations, and in-line response options. Azure AD Identity Protection also identifies configuration vulnerabilities and recommends mitigations, including ways to enhance enterprise security through the use of Azure AD Privileged Identity Management, Cloud App Discovery, and Azure Multi-Factor Authentication. To give you all the ins and outs on the service, Nitika Gupta from the PM team has written an awesome blog post to get you started, which you'll find below.
Hopefully you are as excited about this new set of capabilities as we are. Let us know what you think!
And as always, we'd love to hear any suggestions or feedback you have.
Alex Simons (Twitter: @Alex_A_Simons )
Director of Program Management
Microsoft Identity Division
I'm Nitika, a Program Manager on the Identity Protection team in the Identity division. This blog post will walk you through Azure Active Directory Identity Protection.
In a nutshell, Azure AD Identity Protection offers the following capabilities:
1.) Detection of identity-based security issues using our signals intelligence, experience, and algorithms.
2.) Support for investigation of risk events and users flagged for risk.
3.) Support for in-line remediation and management of risk events.
4.) Harnessing the power of Azure AD Conditional Access policies and real-time risk evaluation to auto-remediate leaked credentials before they can cause harm.
Now that we understand the high level picture, let's dive into the details.
To get started with Identity Protection, first add it from the Azure Marketplace. Click + New and select Identity + Security, where you'll find Azure AD Identity Protection as a Featured App. Or, just click here.
Once added, you'll see the following dashboard with data for your organization:
To access the Identity Protection preview, you need to be a global administrator in the directory. The preview is available to all Enterprise Mobility Suite / Azure AD Premium customers or anyone who has activated a 30-day Azure AD Premium trial.
How do I use the dashboard?
The Identity Protection dashboard provides you with three protection vectors:
From there, you can further investigate individual users by clicking on their names. Identity Protection provides you with the IP address, location, timestamp of the sign-in and all other relevant information. After you have investigated, you can remediate risk events by resetting the user's password; this takes control away from any attacker who had the previous password.
Some of this information has been available previously through the Azure AD Anomalous Activity reports in the Azure Management Portal. Microsoft is continually investing in world class detection and continuously improving the detection accuracy of existing risk events. We're also adding new risk event types on an ongoing basis. To learn more about the risk events, you can read our documentation here.
Identity Protection notifies all the global administrators about compromised users by sending an email alert. In addition, it automatically sends a weekly digest email with a summary of the users flagged for risk, risk events and vulnerabilities.
What policies can I configure to protect my organization?
Identity Protection offers 3 security policies to help protect your organization.
Azure AD Identity Protection helps you manage and monitor the roll-out of multi-factor authentication registration by enabling you to define which employees are included in the policy, configure how long they are allowed to skip registration, and view the current registration state of impacted users.
To securely change the password, users need to first complete multi-factor authentication to ensure it's the legitimate user who is changing the password.
These policies are great, but how will they impact the end user experience? After an admin has configured a User Risk policy, the users who meet the risk level specified in the policy for password change will be prompted for multi-factor authentication followed by a password change. The experience is designed such that the user understands what's going on, as you can see below:
If the user risk policy requires that the sign-in be blocked, the user will be provided guidance to contact the admin.
Similarly, if the sign-in risk policy kicks in and an end user needs to complete an MFA challenge, the user is provided guidance as to why they're challenged.
Now that you understand how Identity Protection works, are you ready to try Identity Protection? Check out this Identity Protection playbook, which provides guidance on how to simulate risk events for testing purposes and test the security policies.
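The risk-based flow described in the announcement above (real-time user and sign-in risk scores feeding Conditional Access) and the three policies described in this section (MFA registration, user risk, sign-in risk) can be modelled as a small policy evaluator. The following Python is an added example and is not part of the original post or Microsoft's code: the `Risk` levels, the `SignIn` and `Policies` shapes, the default thresholds, the control names, and the rule that a user who has not registered for MFA is blocked rather than offered a password-only reset are all assumptions made for illustration. It goes slightly beyond the text by evaluating all three policies together for one sign-in and returning the ordered list of controls that would apply.

```python
"""Toy risk-based Conditional Access evaluator (added example; not Azure AD code).

Field names, thresholds and control names are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List


class Risk(IntEnum):
    """Risk levels in increasing severity; policy thresholds compare on this order."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class SignIn:
    """One authentication request (constructed sample shape, not a real record)."""
    user: str
    sign_in_risk: Risk          # real-time score for this specific request
    user_risk: Risk             # accumulated level for a user flagged for risk
    mfa_registered: bool        # has the user completed MFA registration?
    days_skipped: int = 0       # days the user has postponed MFA registration


@dataclass(frozen=True)
class Policies:
    """The three policies the post describes; defaults are assumed values."""
    mfa_registration_users: FrozenSet[str]      # employees included in the registration policy
    mfa_skip_days_allowed: int = 14             # how long included users may skip registration
    user_risk_threshold: Risk = Risk.HIGH       # at/above: MFA + password change (or block)
    user_risk_block: bool = False               # block instead of remediating?
    sign_in_risk_threshold: Risk = Risk.MEDIUM  # at/above: MFA challenge (or block)
    sign_in_risk_block: bool = False            # block instead of challenging?


BLOCK = ["block", "contact_admin"]   # "guidance to contact the admin"


def evaluate(s: SignIn, p: Policies) -> List[str]:
    """Return the ordered controls applied to a sign-in, most severe policy first."""
    controls: List[str] = []

    # 1. User risk policy: the strongest response, so it is evaluated first.
    #    A secure password change needs a second factor to prove the legitimate
    #    user is present (assumption: without one we block rather than reset).
    if s.user_risk >= p.user_risk_threshold:
        if p.user_risk_block or not s.mfa_registered:
            return list(BLOCK)
        return ["mfa", "password_change"]

    # 2. Sign-in risk policy: adaptive MFA challenge for this request.
    if s.sign_in_risk >= p.sign_in_risk_threshold:
        if p.sign_in_risk_block or not s.mfa_registered:
            return list(BLOCK)
        controls.append("mfa")

    # 3. MFA registration policy: drive roll-out for the included population,
    #    honouring the configured skip window.
    if s.user in p.mfa_registration_users and not s.mfa_registered:
        if s.days_skipped >= p.mfa_skip_days_allowed:
            controls.append("mfa_registration")
        else:
            controls.append("mfa_registration_skippable")

    return controls or ["allow"]


if __name__ == "__main__":
    # Constructed sample sign-ins, not real telemetry.
    policies = Policies(mfa_registration_users=frozenset({"alice", "bob"}))
    samples = [
        SignIn("alice", Risk.LOW, Risk.NONE, mfa_registered=True),
        SignIn("alice", Risk.MEDIUM, Risk.NONE, mfa_registered=True),
        SignIn("alice", Risk.LOW, Risk.HIGH, mfa_registered=True),
        SignIn("bob", Risk.LOW, Risk.HIGH, mfa_registered=False),
        SignIn("bob", Risk.LOW, Risk.NONE, mfa_registered=False, days_skipped=3),
        SignIn("bob", Risk.LOW, Risk.NONE, mfa_registered=False, days_skipped=14),
    ]
    for sample in samples:
        print(sample.user, sample.sign_in_risk.name, sample.user_risk.name,
              "->", evaluate(sample, policies))
```

Evaluation order matters: a compromised user (high user risk) is remediated with MFA plus a password change before any per-request challenge is considered, and an unregistered user is blocked and told to contact an admin rather than being allowed a reset that only the password protects.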
We'd love to hear your feedback! And don't forget to visit Azure AD Identity Protection documentation to learn more.
Nitika Gupta (@_nitika_gupta)