Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Ignite Keynote Demo Recap: Detecting Anomalous Sign-Ins with EMS
Published Sep 08 2018 06:34 AM 525 Views
Iron Contributor
First published on CloudBlogs on May 04, 2015

What’s new:

This demo showed the variety of Machine Learning-backed algorithms Azure AD uses to help organizations protect their users. In the keynote I showed a report that tracked logins to the same account from locations that are too far apart for that distance to have been traveled between logins. I call it “ The Impossible Travel Report .” The demo also gave everyone an early look at a new security report which will be released into Preview later this month. In this report we are able to surface accounts from your organization that are up for sale in the “seedier” part of the web. This new report is a great example of the new security value we’re bringing to organizations and how it delivers many of the same protection mechanisms we use to protect Microsoft Accounts consumer identities. In building these reports and protection mechanisms, we’ve aggregated data and intelligence across multiple sources, e.g. our enterprise authentication system, our consumer identity system, malware information from out Digital Crimes Unit , as well as other partners

How this helps:

Traditional security solutions that focus on only perimeter-based controls simply do not work. IT needs a new approach to secure their organizations in a way that accounts for how devices and apps are used every day (aka the way we are all constantly accessing tons of apps, on different devices, from lots of different places). This demo represents a way for IT to add analytics-driven security controls to the security they already have. Azure Active Directory’s ML-based anomaly detection reports analyze login patterns across the nearly 10 Billion authentications handled by Azure AD every week. When combined with data from our consumer identity systems and other sources, this data is used to detect anomalies and alert IT. Once IT is aware of these anomalous activities – activities that are likely an indication of compromised accounts – they can take action, e.g. changing the password or challenging the user with a multi-factor authentication.

Why you need this in your life:

  • Azure AD is constantly monitoring user authentication behavior to detect anomalies that might be indicative of identity compromise.
  • This constant monitoring allows IT to quickly identify attacks to their organization and take action.
  • Having Azure AD do the heavy lifting of nonstop user authentications monitoring allows IT to focus on the mission-critical task of remediation.
  • You can catch these compromised accounts and stop attacks!

What you’ll need to get started:

  • A subscription to Azure Active Directory Premium in EMS is required for many of the security reports shown in the demo.

Get to work!

To read the recaps for the other ten demos, visit .

Version history
Last update:
‎Sep 08 2018 06:34 AM
Updated by: