Today we want to tell you about some really awesome improvements we made in Azure AD Identity Protection.
Together, these changes improved our ability to detect compromised sign-ins by over 100 percent! We also reduced our false positive rate by 30 percent—which means a more seamless sign-in experience for legitimate users and fewer investigations for your security operations personnel.
Maria Puertas Calvo, our lead data scientist, wrote a guest blog post diving into some of the details on this update. You’ll find her blog post below. I hope you’ll find it as interesting as I did!
As always, we’d love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the Azure AD feedback forum.
I’m excited to share details about the new version of the Unfamiliar Sign-in Properties detection in Azure AD Identity Protection, which is available with an Azure AD Premium P2 subscription. This is an evolution of the Unfamiliar Locations detection that considers the past sign-in history of users to detect anomalous activity.
In addition to improving our detection rate and reducing false positives, we also made changes to address your feedback that the current unfamiliar locations detection doesn’t cover all your scenarios. Some of you need policies that apply even in low risk situations, while others need to target their policies only when the risk is very high.
With these changes, you now have more control to set risk-based conditional access policies based on your organization’s risk appetite. While the old detection always triggered medium risk, a sign-in flagged by the new Unfamiliar Sign-in Properties can have real-time risk of high, medium, or low. Each risk level is associated with the probability of the authentication being compromised.
Let’s explore how it works
The Unfamiliar Sign-in Properties detection is now based on a number called the “risk score.” The risk score is computed in real-time using User and Entity Behavior Analytics (UEBA) and represents the probability that the sign-in is compromised based on the user’s past sign-in behavior.
We increased the number of behaviors we look at, including device identifiers, IP address, location, tenant corporate IP addresses, IP carriers, and available browser sessions. We’re continuously adapting to add new ones! One of the new features, the Exchange ActiveSync (EAS) mail client ID, allows us to reduce false positives significantly when users are roaming on mobile networks.
In addition, we made our algorithms more intelligent to automatically detect your corporate IP addresses based on the traffic pattern Azure AD sees from your organization. This reduces false positives substantially, especially for large organizations whose users are distributed across many locations.
Each time a user signs in to Azure AD, the risk score of the sign-in is computed in real-time. Next, the risk score is “bucketized” into one of four possible risk levels. The assigned risk level is based on the probability of a sign-in with a certain risk score being compromised.
The four buckets of real-time risk that a sign-in can be assigned to are:
High risk—There is a very high possibility that the sign-in is compromised.
Medium risk—There is a reasonable chance that the sign-in is compromised.
Low risk—There is a small chance that the sign-in is compromised.
No detected risk—The probability of the sign-in being compromised is negligible.
Use this today!
You can start using the refreshed version of Identity Protection today to prioritize your risky sign-in investigations using the new real-time risk levels. This version includes all the new UEBA-based detections for medium and high risk. Support for the low risk level is coming soon.
To take full advantage of this and other detections, make sure you set up conditional access policies that can automatically mitigate the risk in your organization. For example, you can set up a policy to require MFA on medium-risk sign-ins and another one to block high-risk sign-ins. To learn more, read What is Azure AD Identity Protection (refreshed)?
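The following is an added example, not Microsoft's algorithm and not any Azure AD API, that shows the shape of the mechanism described above: a per-user history of sign-in features (device identifier, IP, location, carrier, browser session, EAS client ID), a real-time score built from the features that are unfamiliar for that user, bucketization of the score into high/medium/low/none, and a conditional-access style mapping (MFA on medium, block on high). The feature weights, the bucket thresholds, the history model and every sample sign-in are assumptions constructed for this illustration; the real service publishes none of them.

```python
# Added illustration of risk-score bucketing and risk-based policy, not
# Microsoft's algorithm or any Azure AD API. The feature set follows the
# behaviours named in the post; the weights, thresholds and the history
# model are assumptions chosen for this example.
from collections import defaultdict

# Behaviours compared against the user's past sign-ins (named in the post).
FEATURES = ("device_id", "ip", "location", "carrier", "browser_session", "eas_client_id")

# ASSUMED weights: how much an unfamiliar value of each feature adds to the score.
WEIGHTS = {
    "device_id": 0.35,
    "ip": 0.15,
    "location": 0.15,
    "carrier": 0.05,
    "browser_session": 0.10,
    "eas_client_id": 0.10,
}

# ASSUMED bucket thresholds, checked from highest to lowest.
LEVELS = (("high", 0.70), ("medium", 0.40), ("low", 0.15))


class UserHistory:
    """Per-user memory of every feature value seen in past sign-ins."""

    def __init__(self):
        self.seen = defaultdict(set)

    def learn(self, signin):
        for feature in FEATURES:
            value = signin.get(feature)
            if value is not None:
                self.seen[feature].add(value)


def risk_score(history, signin, corporate_ips=frozenset()):
    """Probability-like score in [0, 1]: sum of the weights of unfamiliar features."""
    score = 0.0
    for feature in FEATURES:
        value = signin.get(feature)
        if value is None:
            continue  # feature not present for this client type: nothing to compare
        if feature == "ip" and value in corporate_ips:
            continue  # tenant's corporate IP: treated as familiar even if new to this user
        if value not in history.seen[feature]:
            score += WEIGHTS[feature]
    return round(min(score, 1.0), 2)


def risk_level(score):
    for name, threshold in LEVELS:
        if score >= threshold:
            return name
    return "none"


def policy_action(level):
    """Policy mapping from the post: require MFA on medium risk, block high risk."""
    return {"high": "block", "medium": "require_mfa"}.get(level, "allow")


def evaluate(history, signin, corporate_ips=frozenset()):
    score = risk_score(history, signin, corporate_ips)
    level = risk_level(score)
    return score, level, policy_action(level)


def demo():
    """Constructed history and scenarios; returns scenario -> (score, level, action)."""
    history = UserHistory()
    for past in (
        {"device_id": "dev-A", "ip": "198.51.100.7", "location": "Seattle",
         "carrier": "ISP-1", "browser_session": "sess-1"},
        {"device_id": None, "ip": "198.51.100.7", "location": "Seattle",
         "carrier": "ISP-1", "eas_client_id": "eas-1"},  # mail client: EAS id, no device id
    ):
        history.learn(past)
    corporate = frozenset({"203.0.113.10"})  # constructed tenant corporate IP

    scenarios = {
        "familiar": {"device_id": "dev-A", "ip": "198.51.100.7", "location": "Seattle",
                     "carrier": "ISP-1", "browser_session": "sess-1"},
        # phone roaming on a mobile network: new IP, location, carrier; known EAS client id
        "mobile_roaming_known_eas_client": {"ip": "192.0.2.44", "location": "Lisbon",
                                            "carrier": "Mobile-X", "eas_client_id": "eas-1"},
        "mobile_roaming_unknown_eas_client": {"ip": "192.0.2.44", "location": "Lisbon",
                                              "carrier": "Mobile-X", "eas_client_id": "eas-9"},
        "new_device_everything_unfamiliar": {"device_id": "dev-Z", "ip": "192.0.2.99",
                                             "location": "Lagos", "carrier": "ISP-9",
                                             "browser_session": "sess-9", "eas_client_id": "eas-9"},
        "corporate_ip_new_to_user": {"device_id": "dev-A", "ip": "203.0.113.10", "location": "Seattle",
                                     "carrier": "ISP-1", "browser_session": "sess-1"},
        "same_ip_not_corporate": {"device_id": "dev-A", "ip": "203.0.113.10", "location": "Seattle",
                                  "carrier": "ISP-1", "browser_session": "sess-1"},
    }
    results = {}
    for name, signin in scenarios.items():
        ips = frozenset() if name == "same_ip_not_corporate" else corporate
        results[name] = evaluate(history, signin, ips)
    return results


if __name__ == "__main__":
    for name, (score, level, action) in demo().items():
        print(f"{name:36s} score={score:.2f} level={level:6s} action={action}")
```

The two roaming scenarios differ only in whether the EAS client ID is one the user has used before, which is enough to move the sign-in from low to medium and so from "allow" to "require MFA"; the two corporate-IP scenarios show why learning the tenant's corporate address space removes a false positive without touching the user's own history.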