Today I’ve got some pretty exciting news to share. We’ve just put four major Azure Active Directory (Azure AD) Identity Protection enhancements into public preview!
The four enhancements include:
Announced at Ignite 2018, these capabilities are now available to all Azure AD Premium P2 customers. Let’s take a look!
An intuitive and integrated UX
The UX is now more intuitive, with security insights that give you detailed information on risky user trends and activity.
The new Security overview provides user and sign-in risk trends to help you spot attacks and understand the effectiveness of your policies. The tiles on the right call out key issues such as high-risk users and unprotected risky sign-ins to help you quickly act on those issues.
Risky user report
The new Risky user report gives you better insight into at-risk users. In addition to remediation actions (e.g. reset password, dismiss risk), there’s a ton of new navigation and discovery functionality packed in here.
First, the Basic info tab provides the basic user information (e.g. office location). Click the name to open the Azure AD user profile to display the user’s phone number, directory role, manager’s name, memberships, etc.
Second, in the Recent risky sign-ins tab, click any sign-in to see a ton of information on that sign-in.
Third, the Risk events not linked to a sign-in tab shows you detections not tied to a sign-in. For instance, the user may have reused their credentials at another site that was compromised.
Fourth, you may want to know why a user got marked as being at risk. While the risk assessment is done by our revamped machine learning system (our secret sauce!), the Risk history tab shows you all the events that contributed to user risk.
Risky sign-ins report
Now let’s cover something brand new—the Risky sign-ins report! Until now, you’ve been correlating our detections to sign-ins. With the new Risky sign-ins report, that’s no longer necessary. The Risky sign-ins report gives you a single, integrated view to see basic sign-in info, risk, device, Multi-Factor Authentication (MFA), and policy information.
The Basic info tab gives you information such as the time, IP, location, client, and resource for that sign-in.
The Device info tab provides information about a browser, OS, compliance, and device management.
The Risk info tab lists all the detections for a sign-in, so you can see why a sign-in was risky.
The MFA info tab tells you the MFA sign-in story (e.g. whether MFA was required, how it was done, and the result). Finally, the Conditional Access tab shows how your conditional access policies reacted to a sign-in.
Smart feedback lets you protect your users by acting upon the risk assessment. If you conclude sign-ins were compromised, you can select these sign-ins and click Confirm compromised. Alternatively, you can click Confirm safe.
Note: This intel is automatically applied to the specific user and selectively applied to your organization. Additionally, the patterns behind such intel from the entire Azure AD customer base are continuously incorporated.
Customization of reports, searching, sorting, and bulk operations
You now have the same controls that exist for other reports in Azure AD. You can quickly filter, sort, and select columns and then take bulk actions throughout Identity Protection. For instance, you can easily share examples of identity risks in your organization with your management teams without needing any technical experience such as:
Note: For a smooth transition, we’ll ensure the existing and the new UX are in-sync, so you can switch between the two.
All the data you access through the new UX is available to you via the MS-Graph APIs. You can programmatically route Identity Protection data into your SIEM, storage, ticketing, or alerting system through the following APIs.
Risky users API
The Risky users API provides insight into risky users. With this API, you can ask questions such as:
The Sign-ins API lets you view all the information associated with sign-ins. It helps you ask questions such as:
Note: To ensure your workflow continuity, the existing IdentityRiskEvents API will continue to work throughout the preview.
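As an added illustration (not code from this post or from Microsoft), here is one way to route Risky users API results into a SIEM: follow Graph paging, keep only unremediated users at or above a risk floor, and emit newline-delimited JSON. The endpoint URL is the current Microsoft Graph path and is an assumption, since the post gives none; the `fetch` callable, the output field names, and the sample pages are constructed for the example.

```python
import json

# Assumed endpoint (current Microsoft Graph path; the post itself gives no URL).
RISKY_USERS_URL = "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers"
ACTIVE_STATES = {"atRisk", "confirmedCompromised"}
LEVEL_RANK = {"low": 1, "medium": 2, "high": 3}

def iter_risky_users(fetch, url=RISKY_USERS_URL):
    """Yield every riskyUser; fetch(url) returns the decoded JSON body of a GET."""
    seen = set()
    while url:
        if url in seen:  # guard against a paging loop
            raise RuntimeError("nextLink loop at " + url)
        seen.add(url)
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")  # absent on the last page

def to_siem_events(users, min_level="medium"):
    """Keep unremediated users at or above min_level; return NDJSON lines."""
    floor = LEVEL_RANK[min_level]
    lines = []
    for u in users:
        if u.get("riskState") not in ACTIVE_STATES:
            continue  # remediated, dismissed, confirmedSafe, none
        if LEVEL_RANK.get(u.get("riskLevel"), 0) < floor:
            continue  # low, none, hidden, or unrecognized values
        lines.append(json.dumps({
            "source": "aad-identity-protection",  # hypothetical SIEM source tag
            "user_id": u["id"],
            "upn": u.get("userPrincipalName"),
            "risk_level": u["riskLevel"],
            "risk_state": u["riskState"],
            "updated": u.get("riskLastUpdatedDateTime"),
        }, sort_keys=True))
    return lines

# Constructed sample pages standing in for Graph responses (not real tenant data).
PAGE2_URL = RISKY_USERS_URL + "?$skiptoken=constructed"
SAMPLE_PAGES = {
    RISKY_USERS_URL: {"@odata.nextLink": PAGE2_URL, "value": [
        {"id": "u1", "userPrincipalName": "ana@example.com", "riskLevel": "high", "riskState": "atRisk"},
        {"id": "u2", "userPrincipalName": "bo@example.com", "riskLevel": "high", "riskState": "remediated"}]},
    PAGE2_URL: {"value": [
        {"id": "u3", "userPrincipalName": "cy@example.com", "riskLevel": "low", "riskState": "atRisk"},
        {"id": "u4", "userPrincipalName": "di@example.com", "riskLevel": "medium", "riskState": "confirmedCompromised"}]},
}

if __name__ == "__main__":
    for line in to_siem_events(iter_risky_users(SAMPLE_PAGES.__getitem__)):
        print(line)
```

In production, `fetch` would wrap an authenticated HTTP GET against Microsoft Graph; the filtering and paging logic stays the same.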
Improved risk assessment
The UX/API benefits above are just the tip of the iceberg. Under the hood, we significantly improved both our user risk and sign-in risk assessment via supervised machine learning advancements. So, your policies become much better at stopping the bad actors.
New—Sign-in risk (aggregate)
Identity Protection now gives you an aggregate risk considering all the malicious activity detected on a sign-in. This helps prioritize your sign-in investigations. It includes real-time detections (detections that trigger during the sign-in), non-real-time detections (detections that trigger minutes after the sign-in), detections made by partner security products, and other features of a sign-in (e.g. location, time, IP, proxy).
We made a huge leap in our user risk assessment by leveraging our advancements in supervised machine learning, a new machine learning layer at the sign-in level, and smart feedback. This means your user risk policy is now more effective than ever at automatically blocking or remediating those risky users.
Service-wide alignment across risky users and risky sign-ins
After carefully listening to our customers, we learned that two entities—risky users and risky sign-ins—are most relevant to IT admins for identity compromise. So, we designed the refreshed Identity Protection entirely around these two entities.
You now have the following available for both risky users and risky sign-ins:
Note: To help you leverage all the above enhancements, we also revamped our documentation.
Finally, here are a few comments from customers who used the refreshed Azure AD Identity Protection:
Try the refreshed Azure AD Identity Protection and please share your thoughts via the in-product prompts or in the comments below. We always love to hear your feedback and suggestions, and look forward to hearing from you!
Alex Simons (@Alex_A_Simons)
Corporate VP of Program Management
Microsoft Identity Division