What's new: Starting today, all of Identity Protection's risk event types will be covered for federated identities! Now you can tell if botnet infections, TOR networks, or location anomalies are present in your federated sign-ins. [Note that leaked credentials detection requires that you have enabled password hash sync in your federated tenant.]
What's new: Starting today, blocking or enforcing MFA on risky sessions is available for federated identities. What this means is that your federated identities have an extra layer of protection when they try to access cloud services such as Office 365, Azure, or *any* apps configured for Single Sign-On with Azure Active Directory! If the administrator has configured a policy to enforce MFA on sign-in risks, the next time a risky sign-in is detected, the user is informed that something unusual was detected about their sign-in.
The user is then required to prove their identity by solving a security challenge.
Alternatively, if the administrator has configured a policy to block risky sign-ins, the next time a risky sign-in is detected, it is blocked. Self-recovering by solving multi-factor authentication is not an option in this case.
Note on multi-factor authentication: For federated tenants, multi-factor authentication (MFA) may be performed by Azure Active Directory or by the on-premises AD FS server. By default, MFA will occur at a page hosted by Azure Active Directory. In order to perform MFA on-premises, the -SupportsMFA property must be set to true in Azure Active Directory by using the Azure AD module for Windows PowerShell. The following example shows how to enable on-premises MFA by using the Set-MsolDomainFederationSettings cmdlet on the contoso.com tenant:
Set-MsolDomainFederationSettings -DomainName contoso.com -SupportsMFA $true

In addition to setting this flag, the federated tenant's AD FS instance must be configured to perform multi-factor authentication. You can revisit the instructions for deploying Azure Multi-Factor Authentication on-premises. Note: Only the sign-in risk policy is included in this announcement. User risk policy is currently not supported for federated domains. It is coming soon though!
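The one-line command above flips the flag but gives no feedback. The script below is an added example (not part of the original announcement or Microsoft's documentation) that wraps the same cmdlet with the checks an administrator would want before and after the change: it confirms the domain is actually federated, skips the update if SupportsMFA is already true, supports -WhatIf so the change can be previewed, and re-reads the federation settings to verify the result. It assumes the MSOnline module is installed, that the session is authenticated as a Global Administrator, that Get-MsolDomainFederationSettings returns a SupportsMFA property (the verification step throws if it does not), and uses contoso.com as a placeholder domain name.

```powershell
# Added example: enable on-premises MFA for a federated domain and verify it.
# Assumes the MSOnline module, a Global Administrator session, and an already
# federated domain. 'contoso.com' below is a constructed placeholder.

Import-Module MSOnline -ErrorAction Stop

function Enable-OnPremisesMfaForFederatedDomain {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$DomainName
    )

    # SupportsMFA only has meaning for federated domains; refuse managed ones
    # rather than changing federation settings that are not in use.
    $domain = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
    if ($domain.Authentication -ne 'Federated') {
        throw "Domain '$DomainName' is '$($domain.Authentication)', not Federated."
    }

    # Read the current value first so the change is idempotent and auditable.
    # Assumption: the returned object exposes a SupportsMFA property.
    $before = Get-MsolDomainFederationSettings -DomainName $DomainName -ErrorAction Stop
    if ($before.SupportsMFA -eq $true) {
        Write-Verbose "SupportsMFA is already true for $DomainName; nothing to change."
        return $before
    }

    # -WhatIf / -Confirm are honoured here via ShouldProcess.
    if ($PSCmdlet.ShouldProcess($DomainName, 'Set SupportsMFA to $true')) {
        Set-MsolDomainFederationSettings -DomainName $DomainName -SupportsMFA $true -ErrorAction Stop
    }

    # Re-read and verify instead of trusting that the Set call took effect.
    $after = Get-MsolDomainFederationSettings -DomainName $DomainName -ErrorAction Stop
    if ($after.SupportsMFA -ne $true) {
        throw "SupportsMFA for $DomainName is still not true after the update; inspect the federation settings manually."
    }
    return $after
}

# Usage: authenticate, preview the change with -WhatIf, then apply it.
Connect-MsolService
Enable-OnPremisesMfaForFederatedDomain -DomainName 'contoso.com' -WhatIf
Enable-OnPremisesMfaForFederatedDomain -DomainName 'contoso.com' -Verbose
```

Setting SupportsMFA only tells Azure Active Directory to defer the MFA challenge to AD FS; as the note above says, the AD FS instance itself must still be configured to perform multi-factor authentication, otherwise a risky sign-in that the policy expects to be challenged will pass through AD FS without one. The -WhatIf run is worth keeping in a change record, since the same cmdlet can also silently turn the flag back off.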