Presenting the new Unfamiliar Sign-in Properties
Published Aug 01 2019 09:00 AM

Howdy folks,

 

Today we want to tell you about some really awesome improvements we made in Azure AD Identity Protection.

 

Together, these improvements improved our ability to detect compromised sign-ins by over 100 percent! We also reduced our false positive rate by 30 percent—which means a more seamless sign-in experience for legitimate users and fewer investigations for your security operations personnel.

Maria Puertas Calvo, our lead data scientist, wrote a guest blog post diving into some of the details on this update. You’ll find her blog post below. I hope you’ll find it as interesting as I did!

 

As always, we’d love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the Azure AD feedback forum.

 

Best regards, 

Alex Simons (Twitter: @Alex_A_Simons)

Vice President of Program Management

Microsoft Identity Division

 

--------------------------------

 

Hi everyone!

 

I’m excited to share details about the new version of the Unfamiliar Sign-in Properties in Azure AD Identity Protection, which is available with Azure AD Premium P2 subscription. This is an evolution of the Unfamiliar Locations detection that considers past sign-in history of users to detect anomalous activity.

 

In addition to improving our detection rate and reducing false positives, we also made changes to address your feedback that the current unfamiliar locations detection doesn’t cover all your scenarios. Some of you need policies that apply even in low risk situations, while others need to target their policies only when the risk is very high.

 

With these changes, you now have more control to set risk-based conditional access policies based on your organization’s risk appetite. While the old detection always triggered medium risk, a sign-in flagged by the new Unfamiliar Sign-in Properties can have real-time risk of high, medium, or low. Each risk level is associated with the probability of the authentication being compromised.

 

Let’s explore how it works

The Unfamiliar Sign-in Properties detection is now based on a number called the “risk score.” The risk score is computed in real-time using User and Entity Behavior Analytics (UEBA) and represents the probability that the sign-in is compromised based on the user’s past sign-in behavior.

 

We increased the number of behaviors we look at, including device identifiers, IP address, location, tenant corporate IP addresses, IP carriers, and available browser sessions. We’re continuously adapting to add new ones! One of the new features, the Exchange ActiveSync (EAS) mail client ID, allows us to reduce false positives significantly when users are roaming on mobile networks.

 

In addition, we made our algorithms more intelligent to automatically detect your corporate IP addresses based on the traffic pattern Azure AD sees from your organization. This reduces false positives substantially, especially for large organizations whose users are distributed across many locations.

 

Each time a user signs in to Azure AD, the risk score of the sign-in is computed in real-time. Next, the risk score is “bucketized” into one of four possible risk levels. The assigned risk level is based on the probability of a sign-in with a certain risk score being compromised.

 

The four buckets of real-time risk that a sign-in can be assigned to are:

  1. High risk—There is very high possibility that the sign-in is compromised.
  2. Medium risk—There is a reasonable chance that the sign-in is compromised.
  3. Low risk—There is a small chance that the sign-in is compromised.
  4. No detected risk—The probability of the sign-in being compromised is negligible.

Use this today!

You can start using the refreshed version of Identity Protection today to prioritize your risky sign-in investigations using the new real-time risk levels. This version includes all the new UEBA-based detections for medium and high risk. Support for low risk level is coming soon.

 

To take full advantage of this and other detections, make sure you set up conditional access policies that can automatically mitigate the risk in your organization. For example, you can set up a policy to require MFA on medium-risk sign-ins and another one to block high-risk sign-ins. To learn more, read What is Azure AD Identity Protection (refreshed)?
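The pipeline the preceding sections describe (per-user sign-in history, a real-time risk score, bucketizing into the four risk levels, and a conditional access policy that requires MFA on medium risk and blocks high risk) is illustrated below as an added Python example. It is not Microsoft's code and not the real Identity Protection model: the property list follows the post, but the weights, the bucket thresholds, the corporate-IP rule (an IP address shared by several distinct users of the tenant), the learning-period rule for users with no history, and every sign-in record are assumptions constructed for the example. It also shows, with the constructed records, why a recognised EAS client ID and learned corporate egress IPs reduce false positives.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Behavioural properties the post names, with assumed weights (constructed for this
# illustration; the real model and its weights are not published on the page).
PROPERTY_WEIGHTS = {
    "device_id": 0.40,
    "ip": 0.25,
    "country": 0.20,
    "eas_client_id": 0.10,  # Exchange ActiveSync mail client ID
    "carrier": 0.05,
}

# Assumed thresholds for "bucketizing" the score into the post's four risk levels.
RISK_BUCKETS = [("high", 0.60), ("medium", 0.35), ("low", 0.15)]

# Assumed conditional-access policy mirroring the post's suggestion:
# require MFA on medium-risk sign-ins, block high-risk ones.
POLICY_ACTIONS = {"high": "block", "medium": "require_mfa", "low": "allow", "none": "allow"}


@dataclass(frozen=True)
class SignIn:
    user: str
    device_id: str
    ip: str
    country: str
    eas_client_id: str = ""  # empty when the client is not an EAS mail app
    carrier: str = ""        # empty when not on a mobile network


class TenantProfile:
    """Per-user sign-in history plus tenant-wide corporate-IP learning."""

    def __init__(self, corporate_ip_min_users: int = 3) -> None:
        self.history: Dict[str, List[SignIn]] = defaultdict(list)
        self.ip_users: Dict[str, Set[str]] = defaultdict(set)
        # Assumption: an IP used by at least this many distinct users is corporate egress
        # (a simplified stand-in for the traffic-pattern learning the post describes).
        self.corporate_ip_min_users = corporate_ip_min_users

    def record(self, s: SignIn) -> None:
        self.history[s.user].append(s)
        self.ip_users[s.ip].add(s.user)

    def is_corporate_ip(self, ip: str) -> bool:
        return len(self.ip_users.get(ip, ())) >= self.corporate_ip_min_users

    def familiar(self, s: SignIn, prop: str) -> bool:
        """True when the user's history already contains this property value."""
        value = getattr(s, prop)
        if prop == "ip" and self.is_corporate_ip(value):
            return True
        return any(getattr(past, prop) == value for past in self.history.get(s.user, []))

    def risk_score(self, s: SignIn) -> float:
        """Weighted share of unfamiliar properties, in [0, 1]."""
        if not self.history.get(s.user):
            return 0.0  # assumption: a user with no history is still in a learning period
        unfamiliar = sum(w for p, w in PROPERTY_WEIGHTS.items() if not self.familiar(s, p))
        return round(unfamiliar / sum(PROPERTY_WEIGHTS.values()), 3)


def bucketize(score: float) -> str:
    """Map a risk score to high / medium / low / none using the assumed thresholds."""
    for level, threshold in RISK_BUCKETS:
        if score >= threshold:
            return level
    return "none"


def evaluate(profile: TenantProfile, s: SignIn) -> Tuple[float, str, str]:
    """Return (risk score, risk level, policy action) for one sign-in."""
    score = profile.risk_score(s)
    level = bucketize(score)
    return score, level, POLICY_ACTIONS[level]


def build_demo_profile(corporate_ip_min_users: int = 3) -> TenantProfile:
    """Constructed history: alice works from one desktop and one EAS phone;
    bob, carol and dan egress through a second office NAT IP alice never used."""
    profile = TenantProfile(corporate_ip_min_users)
    for _ in range(4):
        profile.record(SignIn("alice", "dev-A", "203.0.113.10", "US"))
    profile.record(SignIn("alice", "dev-P", "198.51.100.7", "US", "EAS-1", "CarrierX"))
    for user, dev in (("bob", "dev-B"), ("carol", "dev-C"), ("dan", "dev-D")):
        profile.record(SignIn(user, dev, "203.0.113.20", "US"))
    return profile


if __name__ == "__main__":
    profile = build_demo_profile()
    cases = {
        "usual desktop": SignIn("alice", "dev-A", "203.0.113.10", "US"),
        "known phone roaming on new carrier": SignIn("alice", "dev-P", "198.51.100.99", "US", "EAS-1", "CarrierY"),
        "new device at the other office": SignIn("alice", "dev-Y", "203.0.113.20", "US"),
        "new device, new IP, new country": SignIn("alice", "dev-X", "192.0.2.50", "DE"),
    }
    for name, s in cases.items():
        print(f"{name:36s} -> {evaluate(profile, s)}")
```

With the constructed history, the roaming phone lands in the low bucket because its device ID and EAS client ID are already known, even though the IP and carrier are new; a new device arriving through the second office NAT is medium risk (MFA) only because that IP was learned as corporate, and the same sign-in is scored high (block) if you rebuild the profile with `corporate_ip_min_users=100` to disable that learning.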

 

Stay secure out there!

7 Comments
Copper Contributor

Is this a preview that I need to enable? Or has this been added to the existing functionality of the sign-in risk policies in Azure AD Identity Protection?

 

We already have Sign-in Risk policies configured via Identity Protection and all users have the P2 license; I'm just wondering if I need to do something else to take advantage of the "Unfamiliar Sign-in Properties" detection. This sounds fantastic!!

@Matthew Adkins Thanks for your comment! Some of these improvements, like the algorithms to identify corporate IP addresses and the use of EAS device identifiers, are already live for all customers without any required changes. The rest of them, including low risk events, will be rolling out soon.

@Maria_Puertas_Calvo How can we enable the user risk or sign-in risk policy in monitor mode instead of enforce? We don't want to enable enforcement for all the clients; we want to enable it only for browser. What will happen if we enable this setting?

Copper Contributor

@Alex Simons (AZURE) @Maria_Puertas_Calvo 

 

Hi,

 

We are using Sentinel and AADIP is integrated. It has been 2 months now, but the unfamiliar sign-in properties alert is still creating a lot of noise. In a lot of alerts I see the external NAT IPs of my organization. Could you please let me know whether there is a way to add corporate IPs to a whitelist to stop this alert from those IPs?

I see for MCAS there is an article "https://docs.microsoft.com/en-us/cloud-app-security/ip-tags"

 

Any inputs are appreciated! Thank you!

Copper Contributor

We have other MFA and we do not use Microsoft MFA to access Outlook from outside our network. So, how can the Risky Sign-Ins be valid? I am trying to identify whether the Risky sign-ins are legitimate or whether they were compromised and O

 

 

Copper Contributor

We saw a user who accessed their email from a different country. It was triggered as High Risk. As mentioned earlier, this user would have definitely signed in using MFA (SecureAuth, which we use), but how could this be a High Risk? Should Identity Protection not detect the other MFA that users are using, or does it only detect if they use Microsoft MFA?

 

 

Copper Contributor

FYI that we are seeing that mobile devices on the Verizon network (we think) are periodically getting an IPv6 cell-data address that cannot be traced to a geo-location (the location info is blank/null), and as such the conditional access country block is getting a false positive and the user is unable to access O365 services from a US-based location.  Any chance the product team can look into this?

Version history
Last update: Aug 19 2021 04:21 PM