Azure AD Identity Protection is in public preview!
Seems Microsoft is on a security tirade lately! Probably has nothing to do with the RSA Conference 🙂
Last week Microsoft made some MAJOR security enhancement announcements, feel free to read many of them below.
https://azure.microsoft.com/en-us/blog/azure-security-center-adds-new-partners-detections-and-more/
Today, they announced the public preview of Azure AD IDP.
To access the Identity Protection preview, you need to be a global administrator in the directory. The preview is available to all Enterprise Mobility Suite / Azure AD Premium customers or anyone who has activated a 30-day Azure AD Premium trial.
NOTE: User and Sign-In risk policies CANNOT be used for Federated domains
Per their announcement, IDP is focused on the following:
- Detection of identity-based security issues using our signals intelligence, experience, and algorithms.
- Detects issues using machine learning and heuristic rules
- Calculates user risk level – the likelihood that the account credentials are in the hands of cyber-criminals
- Highlights vulnerabilities such as unmanaged apps, users not registered for multi-factor authentication, and unused admin accounts, and provides recommendations in-line to improve your identity security posture
2.) Support investigation of risk events and users flagged for risk.
- Provides email notifications for new risks like users at high risk of having been compromised
- Provides a weekly digest with an overview of your security posture
- Provides relevant and contextual information to support the investigation of anomalous logins and at-risk users
3.) Support for in-line remediation and management of risk events.
- Allows you to Resolve, Ignore, mark as False-Positive or Reactivate issues you are investigating
- Allows you to require the user perform a multi-factor authentication (MFA) challenge and change their password on next login
- Allows you to reset the user’s password on the spot
- Allows you to require that all subsequent user logins will require MFA
4.) Harnesses the power of Azure AD Conditional Access policies and real-time risk evaluation to auto-remediate leaked-credentials before they can cause harm:
- Sign-in risk policy allows you to prevent risky sign-ins by either challenging the user for multi-factor authentication or by blocking the sign-in automatically if it appears anomalous.
- User risk policy allows you to automatically remediate risky users by requiring multi-factor authentication followed by a password change, or just blocking the user from logging in.
- Multi-factor authentication registration policy to require users to set up multi-factor authentication on their next sign-in, ensuring they can meet password change or MFA requirements without driving helpdesk costs up.
Let’s take a look!
First let’s find Azure AD Identity Protection in the Azure portal
Hit Create
Nice and clean, hopefully it stays that way!
First, confirm notifications are setup and setup an excluded members if needed
As noted above, federated domains cannot use user or sign-in risk policies
We can then validate our MFA registration settings and enforce further if needed
Let’s take a look at our User Policies
User risk policies are Conditional Access policies that block users from signing in, or change their password. Through these settings, you can control what happens based on the impact/risk.
Users that need to change their password will first be required to complete multi-factor authentication.
Now let’s take a look at Sign-in risk.
Sign-in risk is also a Conditional Access policy to block user sign-in or require MFA at different risk levels.
We can see it already picking up vulnerabilities and alerts!
I haven’t been able to recreate an at-risk/blocked account yet, but Microsoft documented the experience in their announcement:
