Azure AD Identity Protection is in public preview! (Whoop whoop!)

First published on CloudBlogs on Mar, 02 2016

Howdy folks,

I am crazy pumped to announce that Azure Active Directory Identity Protection is in public preview! Identity Protection is a new feature of Azure AD that gives organizations around the world a previously unavailable level of security for their cloud identities. As I promised last week, today we've got a deep dive blog post with tons of details on this cool new service. We've been working on this new capability for over a year now with the vision of building the industry's first cloud powered, adaptive machine learning based identity protection system, one that can detect cyber-attacks, mitigate them in real time, and automatically suggest updates to your Azure AD configuration and conditional access policies to help our customers keep their enterprises safe. Today, phishing attacks and account compromise are one of the biggest cyber risks that organizations face. A single compromised identity in your organization can give cyber-criminals an opening into your environment. Once inside, they can perform lateral attacks, identify opportunities to incrementally elevate privileges and eventually gain full control of your resources. Azure AD Identity Protection helps prevent the use of compromised accounts using industry leading machine learning (ML) based real time detection and automated mitigation, helping protect all of the cloud and on-premises applications customers use with Azure AD. This kind of ML based system only works if you have access to huge amounts of relevant data to use in training adaptive ML algorithms, which are critical to success in today's rapidly changing landscape of cybercrime. At Microsoft, we enjoy a unique advantage here because we run many of the world's largest cloud services, including Outlook.com, Xbox Live, Office 365 and Azure and they generate an incredible amount of data. And we put this data to good use! Every day our ML system processes >10 terabytes of data, including information on over 14B logins from nearly 1B users . These login signals are combined with data feeds from Microsoft's Digital Crimes Unit and Microsoft Security Response Center, phishing attack data from Outlook.com and Exchange Online as well as information we acquire from partnering with law enforcement, academia, security researchers, and industry partners around the world. Then we use all of that data and our world class machine learning to continuously train our detection algorithms so that as cyber criminals change their attack methods, the system evolves to detect and block new emerging attacks patterns. All this intelligence results in real-time user and login risk scores for every Azure AD authentication request. Azure AD's Conditional Access system uses these scores to automatically respond to threats by blocking logins, issuing Azure Active Directory Multi-Factor Authentication challenges, or if the evidence is strong enough, requiring the users to change their credentials all based on each organizations unique set of access policies. For example, if our machine learning system discovers that a sign-in originates from a new, anonymized or bot-controlled network location, Azure AD Conditional Access auto-remediation can intercept the request with an adaptive MFA challenge such as an SMS, phone call, push notification or a request for OATH token. Or if our threat intelligence or advanced machine learning algorithms indicate that a user's credentials are compromised, policies can offer automatic protection by blocking the account and requiring the user to complete an MFA challenge and a password change. Since the attackers are unlikely to have access to a second factor of authentication, they are, in practice, blocked from exploiting the compromised identity. Azure AD Identity Protection also notifies the identity admins or security analysts when new compromised users, risky sign-ins, or configuration vulnerabilities are detected in their environment. If Conditional Access policies are enabled, administrators and security analysts can prevent and/or remediate these risks before they are exploited by cyber-criminals. To investigate and remediate risks, administrators and security analysists simply sign in to the Azure portal and get a consolidated view into risky sign-ins and users, remediation recommendations, and in-line response options. Azure AD Identity Protection also identifies configuration vulnerabilities and recommending mitigations, including ways to enhance enterprise security through the use of Azure AD Privileged Identity Management, Cloud App Discovery, and Azure Multi-Factor Authentication. To give you all the ins and outs on the service, Nitika Gupta from the PM team has written an awesome blog post to get you started, which you'll find below.

Hopefully you are as excited about this new set of capabilities as we are. Let us know what you think!

And as always, we'd love to hear any suggestions or feedback you have.

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons )

Director of Program Management

Microsoft Identity Division

----------------------------------------------------------------------------------------------------------------------------------------

Hi folks,

I'm Nitika, a Program Manager on the Identity Protection team in the Identity division. This blog post will walk you through Azure Active Directory Identity Protection.

In a nutshell, Azure AD Identity Protection offers the following capabilities:

1.) Detection of identity-based security issues using our signals intelligence, experience, and algorithms.

• Detects issues using machine learning and heuristic rules
• Calculates user risk level – the likelihood that the account credentials are in the hands of cyber-criminals
• Highlights vulnerabilities such as unmanaged apps, users not registered for multi-factor authentication, and unused admin accounts, and provides recommendations in-line to improve your identity security posture

2.) Support investigation of risk events and users flagged for risk.

• Provides email notifications for new risks like users at high risk of having been compromised
• Provides a weekly digest with an overview of your security posture
• Provides relevant and contextual information to support the investigation of anomalous logins and at-risk users

3.) Support for in-line remediation and management of risk events.

• Allows you to Resolve, Ignore, mark as False-Positive or Reactivate issues you are investigating
• Allows you to require the user perform a multi-factor authentication (MFA) challenge and change their password on next login
• Allows you to reset the user's password on the spot
• Allows you to require that all subsequent user logins will require MFA

4.) Harnesses the power of Azure AD Conditional Access policies and real-time risk evaluation to auto-remediate leaked-credentials before they can cause harm:

• Sign-in risk policy allows you to prevent risky sign-ins by either challenging the user for multi-factor authentication or by blocking the sign-in automatically if it appears anomalous.
• User risk policy allows you to automatically remediate risky users by requiring multi-factor authentication followed by a password change, or just blocking the user from logging in.
• Multi-factor authentication registration policy to require users to set up multi-factor authentication on their next sign-in, ensuring they can meet password change or MFA requirements without driving helpdesk costs up.

Now that we understand the high level picture, let's dive into the details.

Getting Started

To get started with Identity Protection, first add it from the Azure Marketplace. Click + New and select Identity + Security , where you'll find Azure AD Identity Protection as a Featured App . Or, just click here .

Once added, you'll see the following dashboard with data for your organization:

To access the Identity Protection preview, you need to be a global administrator in the directory. The preview is available to all Enterprise Mobility Suite / Azure AD Premium customers or anyone who has activated a 30-day Azure AD Premium trial.

How do I use the dashboard?

Identity Protection dashboard provides you with three protection vectors:

• Users flagged for risk – these are users in your directory whose credentials might be compromised based on observed patterns of behavior or discovering their user name and password on the "dark web." The chart shows you the number of users who are currently at risk as well as users who had risk events that were already remediated. Clicking on the chart opens a blade which gives the list of users and the reason why they're flagged.

  From there, you can further investigate individual users by clicking on their names. Identity Protection provides you the IP address, location, timestamp of the sign-in and all other relevant information. After you have investigated, you can remediate risk events by resetting the user's password—this takes control away from any attacker who had the previous password.

• Risk events – these are events that Identity Protection has flagged as high risk and indicate that an identity may have been compromised. Currently, Identity Protection flags six types of risk events:
• Users with leaked credentials
• Irregular sign-in activity
• Sign-ins from possibly infected devices
• Sign-ins from unfamiliar locations
• Sign-ins from IP addresses with suspicious activity
• Sign-ins from impossible travel

  Some of this information has been available previously through the Azure AD Anomalous Activity reports in the Azure Management Portal. Microsoft is continually investing in world class detection and continuously improving the detection accuracy of existing risk events. We're also adding new risk event types on an ongoing basis. To learn more about the risk events, you can read our documentation here .

• Vulnerabilities – These are weaknesses in your environment that can be exploited by an attacker. It is recommended that you address these vulnerabilities to improve the security posture of your organization and prevent attackers from exploiting these vulnerabilities. Identity Protection detects the following vulnerabilities:
  • Users not registered for multi-factor authentication
  • Unmanaged apps discovered in last 7 days from Cloud App Discovery
  • All security alerts from Privileged Identity Management

Identity Protection notifies all the global administrators about compromised users by sending an email alert. In addition, it automatically sends a weekly digest email with a summary of the users flagged for risk, risk events and vulnerabilities.

What policies can I configure to protect my organization?

Identity Protection offers 3 security policies to help protect your organization.

1. Azure Multi-factor Authentication registration policy: Azure Multi-Factor Authentication is used to gain additional assurance of a user's identity. Registering your employees for multi-factor authentication is a critical step in preparing your organization to protect and recover from account compromises.

   Azure AD Identity Protection helps you manage and monitor the roll-out of multi-factor authentication registration by enabling you to define which employees are included in the policy, configure how long they are allowed to skip registration, and view the current registration state of impacted users.

   

2. User risk policy: This is a Conditional Access policy which helps block risky users from signing in, or forces them to securely change their password. You can control which action (block or secure password change) is triggered at different risk levels depending your organization's risk tolerance. This policy blade also provides an estimated impact for the configured policy which helps organizations understand how the policy will impact end user experience. It shows how many users would have been challenged and how many would have been blocked in the previous 30 days if the policy had been in place.

   To securely change the password, users need to first complete multi-factor authentication to ensure it's the legitimate user who is changing the password.

   

3. Sign-in risk policy: This is a Conditional Access policy to automatically mitigate sign-in risk. You can configure a sign-in risk policy to block user sign-in or require multi-factor authentication at different risk thresholds (high/medium/low). Similar to user risk policy, the policy blade provides an estimated policy impact.

   

These policies are great but how will they impact the end user experience?

After an admin has configured a User Risk policy, the users who meet the risk level specified in the policy for password change will be prompted for multi-factor authentication followed by a password change. The experience is designed such that the user understands what's going on as you can see below:

If the user risk policy requires the sign-in is blocked, the user will be provided guidance to contact the admin.

Similarly, if the sign-in risk policy kicks in and an end user needs to complete an MFA challenge, the user is provided guidance as to why they're challenged.

Now that you understand how Identity Protection works, are you ready to try Identity Protection? Check out this Identity Protection playbook which provides guidance on how to simulate risk events for testing purpose and test the security policies.

We'd love to hear your feedback! And don't forget to visit Azure AD Identity Protection documentation to learn more.

Thanks,

Nitika Gupta (@_nitika_gupta)