Seems Microsoft is on a security tirade lately! Probably has nothing to do with the RSA Conference 🙂

Last week Microsoft made some MAJOR security enhancement announcements; feel free to read many of them below.

http://blogs.microsoft.com/blog/2016/02/25/enterprise-security-for-our-mobile-first-cloud-first-world-2/

http://techcrunch.com/2016/02/25/microsoft-begins-to-make-advances-on-nadellas-broad-security-vision/

https://blogs.office.com/2016/02/25/new-security-management-and-transparency-capabilities-coming-to-office-365

https://blogs.technet.microsoft.com/systemcenter/2016/02/25/new-security-capabilities-in-operations-management-suite/

https://blogs.technet.microsoft.com/ad/2016/02/24/identity-and-security-innovations-for-your-enterprise/

https://azure.microsoft.com/en-us/blog/azure-security-center-adds-new-partners-detections-and-more/

http://blog.fortinet.com/post/microsoft-azure-security-center-fortinet-scaling-security-securing-the-cloud

Today, they announced the public preview of Azure AD IDP.

To access the Identity Protection preview, you need to be a global administrator in the directory. The preview is available to all Enterprise Mobility Suite / Azure AD Premium customers or anyone who has activated a 30-day Azure AD Premium trial.

NOTE: User and Sign-In risk policies CANNOT be used for Federated domains

Per their announcement, IDP is focused on the following:

1.) Detection of identity-based security issues using our signals intelligence, experience, and algorithms.

  • Detects issues using machine learning and heuristic rules
  • Calculates user risk level – the likelihood that the account credentials are in the hands of cyber-criminals
  • Highlights vulnerabilities such as unmanaged apps, users not registered for multi-factor authentication, and unused admin accounts, and provides recommendations in-line to improve your identity security posture

2.) Support investigation of risk events and users flagged for risk.

  • Provides email notifications for new risks like users at high risk of having been compromised
  • Provides a weekly digest with an overview of your security posture
  • Provides relevant and contextual information to support the investigation of anomalous logins and at-risk users

3.) Support for in-line remediation and management of risk events.

  • Allows you to Resolve, Ignore, mark as False-Positive or Reactivate issues you are investigating
  • Allows you to require the user perform a multi-factor authentication (MFA) challenge and change their password on next login
  • Allows you to reset the user’s password on the spot
  • Allows you to require that all subsequent user logins will require MFA

4.) Harnesses the power of Azure AD Conditional Access policies and real-time risk evaluation to auto-remediate leaked-credentials before they can cause harm:

  • Sign-in risk policy allows you to prevent risky sign-ins by either challenging the user for multi-factor authentication or by blocking the sign-in automatically if it appears anomalous.
  • User risk policy allows you to automatically remediate risky users by requiring multi-factor authentication followed by a password change, or just blocking the user from logging in.
  • Multi-factor authentication registration policy to require users to set up multi-factor authentication on their next sign-in, ensuring they can meet password change or MFA requirements without driving helpdesk costs up.

Let’s take a look!

First let’s find Azure AD Identity Protection in the Azure portal


Hit Create


Nice and clean, hopefully it stays that way!


First, confirm notifications are set up, and set up any excluded members if needed


As noted above, federated domains cannot use user or sign-in risk policies


We can then validate our MFA registration settings and enforce further if needed


Let’s take a look at our User Policies

User risk policies are Conditional Access policies that block users from signing in, or require them to change their password. Through these settings, you can control what happens based on the impact/risk.

Users that need to change their password will first be required to complete multi-factor authentication.


Now let’s take a look at Sign-in risk.

Sign-in risk is also a Conditional Access policy to block user sign-in or require MFA at different risk levels.
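To make the interaction of the three policies concrete, here is a simplified model of the decision flow described above. It is an added example, not Microsoft's code or API: the `Policy`, `User` and `evaluate` names, the threshold values and the `cannot_self_remediate` outcome are all hypothetical.

```python
from dataclasses import dataclass

LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}

@dataclass
class Policy:
    # Constructed sample thresholds (assumptions, not product defaults).
    signin_mfa_at: str = "medium"      # sign-in risk at or above: MFA challenge
    signin_block_at: str = "high"      # sign-in risk at or above: block
    user_pwchange_at: str = "medium"   # user risk at or above: MFA + password change
    user_block_at: str = "high"        # user risk at or above: block
    require_mfa_registration: bool = True

@dataclass
class User:
    federated: bool = False
    excluded: bool = False
    mfa_registered: bool = True
    risk: str = "none"

def reaches(level, threshold):
    return LEVELS[level] >= LEVELS[threshold]

def evaluate(policy, user, signin_risk):
    """Return the ordered steps a sign-in must pass under this model."""
    steps = []
    # Risk policies do not apply to federated domains or excluded members.
    if not (user.federated or user.excluded):
        if (reaches(user.risk, policy.user_block_at)
                or reaches(signin_risk, policy.signin_block_at)):
            return ["block"]
        if reaches(signin_risk, policy.signin_mfa_at):
            steps.append("mfa")
        if reaches(user.risk, policy.user_pwchange_at):
            # A password change is only offered after an MFA challenge.
            steps = ["mfa", "password_change"]
    if "mfa" in steps and not user.mfa_registered:
        # No registered method: the user cannot clear the risk alone.
        return ["cannot_self_remediate"]
    if not user.mfa_registered and policy.require_mfa_registration:
        steps.insert(0, "register_mfa")
    return steps + ["allow"]
```

The `cannot_self_remediate` branch is the case the MFA registration policy exists to prevent: an unregistered user who hits a risk policy has no way to satisfy it without the helpdesk.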


We can see it already picking up vulnerabilities and alerts!


I haven’t been able to recreate an at-risk/blocked account yet, but Microsoft documented the experience in their announcement:

[Screenshots: the at-risk/blocked account experience from Microsoft's announcement]
