Super Security Showdown – Part 1: Azure Active Directory Identity Protection

Last week, Microsoft announced the Public Preview of Azure Active Directory Identity Protection. Also at the beginning of this month, they also announced the Windows Defender Advanced Threat Protection.

Granted, security is a top concern for many organizations, but with all these similar security products and services being released, it can be a little confusing. So let’s take a look at a few of these, compare, and understand when and how they are used.

 

Azure Active Directory Identity Protection

Overview of Azure Active Directory Identity Protection

Let’s start with the most recently announced.

Obviously, since this service is targeted to Azure Active Directory, it is a cloud-based solution. What is interesting is that it uses machine learning and will provide suggestions about updates to your Azure Active Directory, including configuration and conditional access policies. Microsoft also states that it will provide automated mitigation to detected threats.

Here’s an interesting excerpt from the article:

Every day our ML system processes >10 terabytes of data, including information on over 14B logins from nearly 1B users. These login signals are combined with data feeds from Microsoft’s Digital Crimes Unit and Microsoft Security Response Center, phishing attack data from Outlook.com and Exchange Online as well as information we acquire from partnering with law enforcement, academia, security researchers, and industry partners around the world.

That gives a new meaning to “BIG DATA”! 10 terabytes a day! 14 billion logins! Not to mention additional information from 3rd parties. Very interesting.

Further in the article it states:

All this intelligence results in real-time user and login risk scores for every Azure AD authentication request. Azure AD’s Conditional Access system uses these scores to automatically respond to threats by blocking logins, issuing Azure Active Directory Multi-Factor Authentication challenges, or if the evidence is strong enough, requiring the users to change their credentials all based on each organizations unique set of access policies.

So these Risk Scores feed into that automated mitigation. Here is the list of current risk events that are detected:

  • Users with leaked credentials
  • Irregular sign-in activity
  • Sign-ins from possibly infected devices
  • Sign-ins from unfamiliar locations
  • Sign-ins from IP addresses with suspicious activity
  • Sign-ins from impossible travel

What is also of interest is the Security Policies that you are able to configure. There are currently 3, but the one I find the most interesting is the Azure Multi-factor Authentication registration policy. With it you can “manage and monitor the roll-out of multi-factor authentication registration by enabling you to define which employees are included in the policy, configure how long they are allowed to skip registration, and view the current registration state of impacted users.” So you can track how many users in your organization have Multi-Factor Authentication, and report on compliance to this policy.

Azure Active Directory Multi-factor Authentication Registration Policy

Azure Multi-factor Authentication registration policy

Azure Active Directory Identity Protection Requirements

That’s enough of an overview, what are the requirements?

Requirements: Enterprise Mobility Suite, or Azure AD Premium

Pro’s: If you’re already using Azure AD Premium, then it’s easy to sign up for this new service.

Con’s: Currently, the policies do not work in federated domains. However, according to the comment thread in the article from Alex Simons: “We don’t support federation in this first preview but look for an update in about 8 weeks that does.” That comment was posted 2 days after the article was published. So doing a little math, we should expect ADFS and federated domains to work with this new service somewhere by the end of April.

Also, since this is a Preview service, it is currently available only for directories with a Country or Region value of United States.

 

Azure Active Directory Identity Protection Reference Material:

 

So that’s the new Azure Active Directory Identity Protection. In the next article we will explore Windows Defender Advanced Threat Protection.

%d bloggers like this: