If you’ve moved your Identity service to Azure Active Directory, or if you’ve connected your Active Directory to Azure Active Directory, you might be interested in what additional security features Microsoft can provide. With Azure Active Directory (Azure AD), Microsoft has access to monitor user sign-in attempts and analyze them for risk, as they happen. Two services related to this are Azure AD Identity Protection and Azure AD Conditional Access.
Azure AD Identity Protection Azure AD Identity Protection is solely focused on risks regarding the compromise of user accounts, including suspicious sign-on attempts. These risks can be categorized as a ‘user risk’ such as credentials that are known to have been leaked or compromised, or as a ‘sign-in risk’’ related to the circumstances of the attempt to sign in, like the attempt coming from an anonymous IP address or a location that’s not usual for that account.
You can configure risk policies to automatically enforce remediation steps, or you can view reports of risk users and risky sign-in attempts, for manual remediation.
Risk policies & remediation The user risk and sign-in risk policies are configured separately and can be applied to all users or selected users and groups. You can also exclude users, for example if they are a member of an included group.
In the policy, you select from the list of Conditions (which is the level of risk like Low or Medium). You don’t need to specify what exact scenario would count as a low, medium or high risk – Microsoft’s threat intelligence determines that automatically.
Then you choose from the list of Controls, or what will happen next. Options for Controls include allow access, block access, allow access but require multi factor authentication (MFA) or allow access but require a password change (depending on the policy type). Of course those last condition options would require that your users have been previously configured for multi factor authentication and self service password reset. There’s one additional policy, the MFA registration policy, you can use to roll out MFA for your users.
Risk reports and integrations Want to see more detail or have manual control over any remediation steps? Check out the detailed reports for risky users, risky sign-ins and risk detections. These reports can be downloaded in .csv or .json format or accessed via the Microsoft Graph API for ingestion into other systems.
Licensing requirements Azure AD Identity Protection requires an Azure AD Premium P2 license, which is also included in the Enterprise Mobility and Security E5 plan. However you can get limited report information on the Azure AD Premium P1 plan and the Azure AD Basic/Free plan. For more information on licensing, visit License requirements.
Azure AD Conditional Access While Azure AD Conditional Access also has policies with Conditions and Access Controls, it’s scope is broader than just Identity. It can use Identity sign-in risk as an input signal, especially in conjunction with other factors like device platform or location, and Conditional Access policies can also apply to all or selected Cloud applications.
Azure AD Conditional Access Policies are also a great way of enforcing extra security restrictions that don’t wait for a risk to be detected, like enforcing that someone is prompted for MFA only if they are outside of the company network (via IP address range or country).
Conditions include sign-in risk (levels Low, Medium, High), Device platforms (like iOS or Windows), Locations (Any, all trusted or selected locations, that you have defined), Client Apps (browser, mobile, modern authentication and Exchange Active Sync), and Device State (to exclude hybrid Azure AD joined devices or devices marked as compliant with Microsoft Intune).
Access controls also have more options, like requiring the device to be marked as compliant or allowing a Cloud app session to be persistent even after closing and re-opening a browser window (without re-prompting for sign in).
Finally, policies can be turned on in Report-only mode, to log the impact of the policy as if it were in place, for testing. You can then review the log to see which events and users would have been impacted.
Examples With Azure AD Conditional Access, you can configure that:
- If a login is coming from an Intune compliant device and the session risk is medium or below, then the sign-in is allowed with no further requirements. - If a login is coming from outside your corporate network and the session risk is medium or above, challenge for MFA and only allow access if it passes.
Also, you could set that certain applications could only be accessed from Intune compliant devices. This is a strong security posture for access to sensitive information, where you can use Intune to enforce the security settings of the device itself (like anti-virus, PIN protection and auto lock times).
Licensing requirements Azure AD Conditional Access requires the Azure AD Premium P1 license, however you will need an Azure AD Premium P2 license if you want to use risk-based conditional access policies. For more information on licensing, see Azure Active Directory pricing.
Which one is right for you? Want to detect if a user account is likely to have been compromised - from leaked credentials or other unusual activity identified by Microsoft's threat intelligence sources? That's Azure AD Identity Protection. This also detects sign-in risks, with a limited number of controls that can be configured.
Want to allow access from known compliant devices and locations, without requiring an MFA challenge? That’s Azure AD Conditional Access. Want to ensure only company-managed devices can access some applications? That’s Azure AD Conditional Access too. Azure AD Conditional Access allows a greater level of configuration of controls.
Need both? Your Azure AD Premium P2 license qualifies you for both capabilities.