Last week, Microsoft announced the Public Preview of Azure Active Directory Identity Protection. At the beginning of this month, they also announced Windows Defender Advanced Threat Protection.
Granted, security is a top concern for many organizations, but with all these similar security products and services being released, it can be a little confusing. So let’s take a look at a few of these, compare, and understand when and how they are used.
- Azure Active Directory Identity Protection
- Windows Defender Advanced Threat Protection
- Microsoft Advanced Threat Analytics
- Azure Security Center
- OMS Security and Audit solution
Azure Active Directory Identity Protection
Overview of Azure Active Directory Identity Protection
Let’s start with the most recently announced.
Obviously, since this service is targeted to Azure Active Directory, it is a cloud-based solution. What is interesting is that it uses machine learning and will provide suggestions about updates to your Azure Active Directory, including configuration and conditional access policies. Microsoft also states that it will provide automated mitigation to detected threats.
Here’s an interesting excerpt from the article:
Every day our ML system processes >10 terabytes of data, including information on over 14B logins from nearly 1B users. These login signals are combined with data feeds from Microsoft’s Digital Crimes Unit and Microsoft Security Response Center, phishing attack data from Outlook.com and Exchange Online as well as information we acquire from partnering with law enforcement, academia, security researchers, and industry partners around the world.
That gives a new meaning to “BIG DATA”! 10 terabytes a day! 14 billion logins! Not to mention additional information from 3rd parties. Very interesting.
Further in the article it states:
All this intelligence results in real-time user and login risk scores for every Azure AD authentication request. Azure AD’s Conditional Access system uses these scores to automatically respond to threats by blocking logins, issuing Azure Active Directory Multi-Factor Authentication challenges, or if the evidence is strong enough, requiring the users to change their credentials all based on each organization’s unique set of access policies.
So these Risk Scores feed into that automated mitigation. Here is the list of current risk events that are detected:
- Users with leaked credentials
- Irregular sign-in activity
- Sign-ins from possibly infected devices
- Sign-ins from unfamiliar locations
- Sign-ins from IP addresses with suspicious activity
- Sign-ins from impossible travel
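As an added illustration (not from the original article and not Microsoft's scoring logic), the sketch below flags "impossible travel" between consecutive sign-ins and maps the resulting risk level to the responses quoted above. The speed thresholds, risk levels, policy table and sign-in records are assumptions constructed for the example.

```python
import math
from datetime import datetime

# Constructed sign-in records (user, UTC time, latitude, longitude); not real data.
SIGNINS = [
    ("alice", "2016-03-07T08:00:00", 47.61, -122.33),  # Seattle
    ("alice", "2016-03-07T13:00:00", 51.51, -0.13),    # London, 5 hours later
    ("bob",   "2016-03-07T08:00:00", 40.71, -74.01),   # New York
    ("bob",   "2016-03-07T16:00:00", 41.88, -87.63),   # Chicago, 8 hours later
    ("carol", "2016-03-07T08:00:00", 47.61, -122.33),  # Seattle
    ("carol", "2016-03-07T09:00:00", 51.51, -0.13),    # London, 1 hour later
]

MAX_KMH = 1000.0  # assumed ceiling for plausible travel speed (roughly airliner speed)
# Assumed organization policy: risk level -> response, mirroring the actions quoted above.
POLICY = {"none": "allow", "medium": "require_mfa", "high": "block"}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def evaluate(signins, max_kmh=MAX_KMH, policy=POLICY):
    """Return one (user, time, risk, action) decision per sign-in, in time order."""
    last = {}  # user -> (time, lat, lon) of that user's previous sign-in
    decisions = []
    for user, ts, lat, lon in sorted(signins, key=lambda r: r[1]):
        when = datetime.fromisoformat(ts)
        risk = "none"
        if user in last:
            prev_when, plat, plon = last[user]
            hours = (when - prev_when).total_seconds() / 3600
            dist = haversine_km(plat, plon, lat, lon)
            # Simultaneous sign-ins from distant places count as impossible too.
            speed = dist / hours if hours > 0 else (math.inf if dist > 50 else 0.0)
            if speed > max_kmh:
                # Assumed escalation: far beyond any aircraft -> high, else medium.
                risk = "high" if speed > 3 * max_kmh else "medium"
        last[user] = (when, lat, lon)
        decisions.append((user, ts, risk, policy[risk]))
    return decisions

if __name__ == "__main__":
    for decision in evaluate(SIGNINS):
        print(decision)
```

A first sign-in for a user has no previous location to compare against, so it is always rated "none" here; a real deployment would also need to account for VPN and proxy egress points, which make geolocation of an IP address unreliable.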
Also of interest are the Security Policies that you are able to configure. There are currently 3, but the one I find the most interesting is the Azure Multi-factor Authentication registration policy. With it you can “manage and monitor the roll-out of multi-factor authentication registration by enabling you to define which employees are included in the policy, configure how long they are allowed to skip registration, and view the current registration state of impacted users.” So you can track how many users in your organization have registered for Multi-Factor Authentication, and report on compliance with this policy.
Azure Active Directory Identity Protection Requirements
That’s enough of an overview. What are the requirements?
Requirements: Enterprise Mobility Suite, or Azure AD Premium
Pros: If you’re already using Azure AD Premium, then it’s easy to sign up for this new service.
Cons: Currently, the policies do not work in federated domains. However, according to the comment thread in the article from
Also, since this is a Preview service, it is currently available only for directories with a Country or Region value of United States.
Azure Active Directory Identity Protection Reference Material:
- Azure AD Identity Protection is in public preview! (Whoop whoop!): https://blogs.technet.microsoft.com/ad/2016/03/02/azure-ad-identity-protection-is-in-public-preview-whoop-whoop/
- Azure Active Directory Identity Protection: https://azure.microsoft.com/en-us/documentation/articles/active-directory-identityprotection/
So that’s the new Azure Active Directory Identity Protection. In the next article we will explore Windows Defender Advanced Threat Protection.