Four major Azure AD Identity Protection enhancements are now in public preview
Published Jan 29 2019 09:00 AM

Howdy folks,

 

Today I’ve got some pretty exciting news to share. We’ve just put four major Azure Active Directory (Azure AD) Identity Protection enhancements into public preview! 

 

The four enhancements include:

  • An intuitive and integrated UX including security insights, recommendations, sign-ins report integration, and the ability to filter, sort, and perform bulk operations.
  • Powerful APIs that allow you to integrate all levels of our risk data with your ticketing, analysis, or SIEM systems.
  • Improved risk assessment. We continuously tune our heuristic and machine learning systems and are bringing you even more accurate risk analysis to drive your prevention and remediation strategy.
  • Service-wide alignment across risky users and risky sign-ins.

Announced at Ignite 2018, these capabilities are now available to all Azure AD Premium P2 customers. Let’s take a look!

 

An intuitive and integrated UX

The UX is now more intuitive, with security insights that give you detailed information on risky user trends and activity.

 

Security overview

The new Security overview provides user and sign-in risk trends to help you spot attacks and understand the effectiveness of your policies. The tiles on the right call out key issues such as high-risk users and unprotected risky sign-ins to help you quickly act on those issues.

 

Azure AD Security overview.

Risky user report

The new Risky user report gives you better insight into at-risk users. In addition to remediation actions (e.g. reset password, dismiss risk), there’s a ton of new navigation and discovery functionality packed in here.

 

First, the Basic info tab provides the basic user information (e.g. office location). Click the name to open the Azure AD user profile, which displays the user’s phone number, directory role, manager’s name, memberships, etc.

 

Azure AD Risky users (Basic info).

Second, in the Recent risky sign-ins tab, click any sign-in to see a ton of information on that sign-in.

 

Azure AD Risky users (Recent risky sign-ins).

Third, the Risk events not linked to a sign-in tab shows you detections not tied to a sign-in. For instance, the user may have reused their credentials at another site that was compromised.

 

Azure AD Risky users (Risk events not linked to a sign-in).

Fourth, you may want to know why a user got marked as being at risk. While the risk assessment is done by our revamped machine learning system (our secret sauce!), the Risk history tab shows you all the events that contributed to user risk.

 

Azure AD Risky users (Risk history).

Risky sign-ins report

Now let’s cover something brand new—the Risky sign-ins report! Until now, you’ve been correlating our detections to sign-ins. With the new Risky sign-ins report, that’s no longer necessary. The Risky sign-ins report gives you a single, integrated view to see basic sign-in info, risk, device, Multi-Factor Authentication (MFA), and policy information.

 

The Basic info tab gives you information such as the time, IP, location, client, and resource for that sign-in.

 

Azure AD Risky sign-ins (Basic info).

The Device info tab provides information about the browser, OS, compliance state, and device management.

 

Azure AD Risky sign-ins (Device info).

The Risk info tab lists all the detections for a sign-in, so you can see why a sign-in was risky.

 

Azure AD Risky sign-ins (Risk info).

The MFA info tab tells you the MFA sign-in story (e.g. whether MFA was required, how it was done, and the result). Finally, the Conditional Access tab shows how your conditional access policies reacted to a sign-in.

 

Smart feedback

Smart feedback lets you protect your users by acting upon the risk assessment. If you conclude sign-ins were compromised, you can select these sign-ins and click Confirm compromised. Alternatively, you can click Confirm safe.

 

Note: This intel is automatically applied to the specific user and selectively applied to your organization. Additionally, the patterns behind such intel from the entire Azure AD customer base are continuously incorporated.

 

Azure AD Risky sign-ins (Confirm compromised).

Customization of reports, searching, sorting, and bulk operations

You now have the same controls that exist for other reports in Azure AD. You can quickly filter, sort, and select columns and then take bulk actions throughout Identity Protection. For instance, without needing any technical experience, you can easily share examples of identity risks in your organization with your management teams, such as:

  • A list of all active, high-risk users sorted by the date of last risk change.
  • A list of successful sign-ins that had Anonymous IP address or Atypical travel since November 23.

Note: For a smooth transition, we’ll ensure the existing and the new UX are in-sync, so you can switch between the two.

 

Powerful APIs

All the data you access through the new UX is available to you via the MS-Graph APIs. You can programmatically route Identity Protection data into your SIEM, storage, ticketing, or alerting system through the following APIs.

 

Risky users API

The Risky users API provides insight into risky users. With this API, you can ask questions such as:

  • How risky is user ‘Lily’?
  • Who are my High and Medium risk users?
  • How many users showed up at Medium or High risk between Labor Day 2018 and Halloween 2018?

Sign-ins API

The Sign-ins API lets you view all the information associated with sign-ins. It helps you ask questions such as:

  • How risky is this sign-in and why?
  • Show me all the info on risky sign-ins that were successful around Thanksgiving 2018.
  • What is the list of all successful sign-ins that came in last week from countries I don’t operate in?
  • What is the list of all sign-ins user ‘Zach’ had in the last month from Anonymous IP addresses?

Note: To ensure your workflow continuity, the existing IdentityRiskEvents API will continue to work throughout the preview.
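As an added example (not code from this post or from Microsoft), here is how the two APIs above can be driven from Python: building the Graph $filter queries for the questions listed, and reproducing the Security overview’s “unprotected risky sign-ins” tile from a returned page of sign-ins. The Graph resource paths and property names (identityProtection/riskyUsers, auditLogs/signIns, riskLevelAggregated, authenticationRequirement, riskEventTypes_v2) are assumptions taken from the current Graph reference rather than this 2019 post, and the sample response page is constructed.

```python
from datetime import datetime, timezone
# Assumed: Graph v1.0 paths and property names taken from the current Graph reference
# (identityProtection/riskyUsers, auditLogs/signIns); the post itself only says "MS-Graph APIs".
GRAPH = "https://graph.microsoft.com/v1.0"
LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}

def iso_z(ts: datetime) -> str:
    """OData datetime literal in UTC with a trailing Z, as a Graph $filter expects."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def risky_users_url(levels=("high", "medium"), since=None, until=None) -> str:
    """'Who are my High and Medium risk users?', optionally within a riskLastUpdatedDateTime window."""
    clauses = ["(" + " or ".join(f"riskLevel eq '{lv}'" for lv in levels) + ")"]
    if since:
        clauses.append(f"riskLastUpdatedDateTime ge {iso_z(since)}")
    if until:
        clauses.append(f"riskLastUpdatedDateTime le {iso_z(until)}")
    return f"{GRAPH}/identityProtection/riskyUsers?$filter=" + " and ".join(clauses)

def user_signins_url(upn: str, risk_event: str, since: datetime) -> str:
    """'All sign-ins user Zach had last month from Anonymous IPs' (assumed: riskEventTypes_v2 filter)."""
    flt = (f"userPrincipalName eq '{upn}' and createdDateTime ge {iso_z(since)}"
           f" and riskEventTypes_v2/any(t: t eq '{risk_event}')")
    return f"{GRAPH}/auditLogs/signIns?$filter={flt}"

def unprotected_risky_signins(page: dict, min_level: str = "high") -> list:
    """The Security overview's 'unprotected risky sign-ins': successful, at or above min_level
    aggregate risk, and only a single factor was demanded, so the risk was not remediated."""
    hits = []
    for s in page.get("value", []):
        if s.get("status", {}).get("errorCode") != 0:
            continue  # failed sign-in: nobody got in
        if LEVELS.get(s.get("riskLevelAggregated"), 0) < LEVELS[min_level]:
            continue
        if s.get("authenticationRequirement") == "multiFactorAuthentication":
            continue  # MFA was enforced: the sign-in risk policy handled it
        hits.append((s["userPrincipalName"], s["ipAddress"], tuple(s["riskEventTypes_v2"])))
    return hits
# Constructed sample page (documentation IPs, made-up users; nonzero errorCode = failed sign-in).
SAMPLE_SIGNINS = {"value": [
    {"userPrincipalName": "zach@contoso.example", "ipAddress": "203.0.113.10", "status": {"errorCode": 0},
     "riskLevelAggregated": "high", "authenticationRequirement": "singleFactorAuthentication",
     "riskEventTypes_v2": ["anonymizedIPAddress"]},
    {"userPrincipalName": "lily@contoso.example", "ipAddress": "198.51.100.7", "status": {"errorCode": 0},
     "riskLevelAggregated": "high", "authenticationRequirement": "multiFactorAuthentication",
     "riskEventTypes_v2": ["unfamiliarFeatures"]},
    {"userPrincipalName": "zach@contoso.example", "ipAddress": "203.0.113.11", "status": {"errorCode": 50126},
     "riskLevelAggregated": "medium", "authenticationRequirement": "singleFactorAuthentication",
     "riskEventTypes_v2": ["anonymizedIPAddress"]},
]}
```

Only Zach’s single-factor, successful, high-risk sign-in survives the triage; Lily’s was MFA-challenged and Zach’s second attempt failed, so neither needs remediation.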

 

Improved risk assessment

The UX/API benefits above are just the tip of the iceberg. Under the hood, we significantly improved both our user risk and sign-in risk assessment via supervised machine learning advancements. So, your policies become much better at stopping the bad actors.

New—Sign-in risk (aggregate)

Identity Protection now gives you an aggregate risk considering all the malicious activity detected on a sign-in. This helps prioritize your sign-in investigations. It includes real-time detections (detections that trigger during the sign-in), non-real-time detections (detections that trigger minutes after the sign-in), detections made by partner security products, and other features of a sign-in (e.g. location, time, IP, proxy).

Improved—User risk

We made a huge leap in our user risk assessment by leveraging our advancements in supervised machine learning, a new machine learning layer at the sign-in level, and smart feedback. This means your user risk policy is now more effective than ever at automatically blocking or remediating those risky users.

 

Service-wide alignment across risky users and risky sign-ins

After carefully listening to our customers, we learned that two entities—risky users and risky sign-ins—are most relevant to IT admins for identity compromise. So, we designed the refreshed Identity Protection entirely around these two entities.

 

You now have the following available for both risky users and risky sign-ins:

[Table image: table1.png]

Note: To help you leverage all the above enhancements, we also revamped our documentation.

 

Customer comments

Finally, here are a few comments from customers who used the refreshed Azure AD Identity Protection:

 

  • “The new version of AADIP provides a lot of benefit by having a general overview showing all risky sign-ins or all risky users compared to the flip side of seeing the event first and having to drill down. Having a quick overview list of people or sign-ins that can't allow any to go missed is beneficial. In addition, the greater plethora of data on the events is beneficial. It's nice not to have to drill down to that data through the user's sign-in history blade and see it right away on the event. The ‘Confirm compromised’ feature is great.”—The Walsh Group

 

  • “Our team has been working with the new interface and dashboard for two months now. Usability is significantly improved, and it makes our daily work much easier. This saves us a lot of time and we got all information in one view in seconds. Thank you very much.” —Abtis

 

  • “The new Azure AD Identity Protection dashboards give you a clear view of risky users as well as risky sign-ins. It gives IT teams the ability to quickly see if risky sign-ins have been protected by MFA or not. Clicking the dashboards allows you to easily drill down into the events to investigate risky users/sign-ins.” —Identity Experts

 

  • “It was delighting to see the exact issues we are experiencing are being resolved in the next release.” —BDO Netherlands

Next steps

Try the refreshed Azure AD Identity Protection and please share your thoughts via the in-product prompts or in the comments below. We always love to hear your feedback and suggestions, and look forward to hearing from you!

 

Best regards,

 

Alex Simons (@Alex_A_Simons )

Corporate VP of Program Management

Microsoft Identity Division

16 Comments

That's a great set of additions, kudos. Will definitely play with them and report back :)

Copper Contributor

Would be great to see these rolling out to Azure B2C too, with custom user flows including additional login challenge (e.g. MFA) for "risky" logins

ChrisWebb - totally agree! The data is already piped in. Now the team is working on exposing the right views and reports.

 

Regards

Alex

Microsoft

That's great, @Alex Simons (AZURE) - adding a risk metric to B2C is definitely tricky, but this will be huge. Thank you for the update. 

Steel Contributor

Awesome! It seems like these previews are in the portal.azure.com > "Azure Active Directory" blade rather than in the "Azure AD Identity Protection" blade. Is this the plan going forward, to put these under "Azure Active Directory" and move away from the "Azure AD Identity Protection" blade? I've always found these two different blades confusing to explain to our customers. Better keep them in "Azure Active Directory" and light up features/choices depending on which Azure AD Premium level you are on.

Steel Contributor

I'm missing the "Investigate with Azure ATP" link. Is this missing in this preview or is it because this particular risky user does not have the proper license (Windows E5 if we're talking Windows Defender ATP)?

Brass Contributor

That's awesome. I would look to see when we can have features like custom "Risk based CA", as currently we're bound to have 1 policy only and I can't have multiple policies based on different user populations. Kudos to the team for phenomenal work for the last few years.

Microsoft

@Jonas Back, yes, this preview is in Azure Portal >> Azure Active Directory. Azure AD Identity Protection is a feature of Azure AD and thus listed in Azure Portal >> Azure Active Directory.  We plan to consolidate all security features there going forward so you don't have to look for individual blades to look for Azure AD's security features. To answer your other question: "Investigate with Azure ATP" is not in this public preview. Hope this helps.
 
Thanks, Rajat

Brass Contributor

I think I would like to see IPv6 Address Lookup in Azure AD Identity Protection Areas & Azure AD Sign Ins and Audits. MCAS seems to be able to look up their location but AADIDP / AAD Sign Ins & Audits can't. 

Brass Contributor

I would also like the Azure AD Identity Protection service to start considering or flagging if an Unknown IP, Unfamiliar Location, or Impossible traveller risks are being impacted by an Anonymising VPN Service, especially for publicly accessible common services (Exchange Online, SharePoint/OneDrive, etc). I'm aware that not all of the providers would be publishing their server IP addresses, or that they would be using IP addresses under their own ASN, or that any list would be complete or up to date.

 

That said, if there was just a flag next to the IP address identifying it as 'Possible Public VPN Traffic' or something like that, still leaving the decision about how to act up to the person reviewing the alert. Of course if it was in the logic you could configure for conditional access or even the detection algorithm then all the better.

 

I'm also aware that this would not be an easy problem to solve, but it's a trend I'm seeing in false positive alerts and even if you mandate via policy not to use them or only use Corporate VPNs, sometimes the alternatives (Hotel Internet, Free Wifi, etc) may be worse, especially if it's a personal device or you are a cloud only style of user/organisation.

Microsoft

@LT22, feedback noted. Thanks for sharing.

Copper Contributor

The Risky users tab keeps showing users at risk although they are already dismissed or even users already deleted.

Reported this with Microsoft Support, answer is it is still a preview so things might not yet work as intended.

Is there any view on when it will become GA and then work as intended?

Microsoft

@mrebrink, thanks for your feedback! Could you please send us an example (userObjectID) of one 'already dismissed' user and one 'already deleted' user that is showing up in the Risky users report by default? We would also need your tenant ID. The issue you are facing doesn't need to wait till GA to get fixed. (I'll DM you my email).

Brass Contributor

Hello All, I'm really happy with the new UX and it is a huge improvement from the last version.

Here are two things which I would like to mention though.

 

1. I like the Legacy Authentication box which shows you how many users used Legacy Auth in the last week. But as far as I can tell, it is only a link to the Secure Score blade; it does not bring you or show you in any way the actual usernames which used Legacy Auth and with what service. If I'm wrong and there is a way to easily see this, please, I'm happy to know :)  Also with regards to the report columns, I know you can click together the protocols or options which are considered Legacy Auth and I assume your score gets it from there, but for Security Admins it would be easier if you could just list all of them together under "Legacy Auth", visualized and named who it is and which service he/she is using. Again, if this is already possible in an easier way and I have overlooked it, let me know.

 

2. I'm happy that we can finally send Reports to other People or Distribution lists outside of the Global Admin or Security Admin Scope. Although the same would be good for Weekly Digest which is unfortunately still not possible :)

 

Anyway, those are my only two remarks; otherwise the product is now really handy.

 

Cheers

Ueli

Copper Contributor

Hello,

 

Why, in the Risk history, is the actor set to "Azure AD"? Could you please explain, since it is kind of confusing.

Thanks & Regards
Bruce

Microsoft

@BehRusheans, those changes in user risk are triggered by Azure AD (e.g. a detection increasing the user risk) and not by the admin.

Version history: last update Jul 24 2020 01:45 AM