News

Azure Active Directory Identity Protection Preview Released

• By Kurt Mackie
• 03/02/2016

Microsoft released a preview today of its new identity protection service, which is powered by Azure cloud services.

Microsoft is promising that Azure AD Identity Protection will help ward off compromised user accounts and configuration vulnerabilities. The preview is an application that can be added from the Azure Marketplace collection of apps using the Azure management portal.

This service needs to be set up by an organization's global administrator. It's available to subscribers to Microsoft's Enterprise Mobility Suite and/or the Azure Active Directory Premium service. Alternatively, the preview can be tested using a 30-day Azure Active Directory Premium trial account.

Azure AD Identity Protection is Microsoft's newest machine-learning based security solution for organizations. Microsoft earlier promised that the preview would be arriving sometime this week. The company has been working on this solution for over a year, according to Alex Simons, director of program management for the Microsoft Identity Division.

Simons described Azure AD Identity Protection as "the industry's first cloud powered, adaptive machine learning based identity protection system, one that can detect cyber-attacks, mitigate them in real time, and automatically suggest updates to your Azure AD configuration and conditional access policies to help our customers keep their enterprises safe."

This service protects against potential user identity compromises by using threat data to assign login risk scores. It uses signals data from Microsoft's applications and pulls threat information from the company's analysis centers, such as the Microsoft Digital Crimes Unit and the Microsoft Security Response Center.

Azure AD Identity Protection sends e-mail notifications to IT pros when the service detects accounts at high risk. They also get a weekly security overview. IT pros can take action when presented with a risky account. They can resolve the issue, ignore false positives, challenge the user with multifactor authentication, or compel a password reset.

Currently, the service detects six kinds of identity risks, per Microsoft's announcement:

• Users with leaked credentials
• Irregular sign-in activity
• Sign-ins from possibly infected devices
• Sign-ins from unfamiliar locations
• Sign-ins from IP addresses with suspicious activity
• Sign-ins from impossible travel

The "impossible travel" scenario happens when logins from two geographically separate areas take place in a shorter time than it would take to travel between those areas, per Microsoft's "Identity Protection Glossary." However, there's a bit of a learning curve involved for the service. Microsoft's "Azure AD Identity Protection" documentation explains that there's a 14-day learning period for the system to recognize the sign-in behavior of a new user. False-positives could occur if a new device is used or if the user accesses "a VPN that is typically not used by other users in the organization," according to Microsoft's documentation.

Organizations can set policies when using Azure AD Identity Protection. The service can be set to push messages down to end users when they are blocked. They can be asked to contact the account administrator or pass a multifactor authentication challenge to gain access, for instance.

Azure AD Identity Protection seems to be associated with other Azure security protection services, such as "Azure AD Privileged Identity Management, Cloud App Discovery, and Azure Multi-Factor Authentication," per Simons' description. Those potential Azure service dependencies weren't explained in detail in Microsoft's announcement. Possibly, those services would have to be purchased separately.  

Microsoft's documentation indicates that the Privileged ID Management service controls the security alert system. Cloud App Discovery is used to find unmanaged cloud apps. The Azure Multi-Factor Authentication service sends password alternatives to permit access, such as a "phone call, text message, or mobile app notification or verification code and 3rd party OATH tokens," according to Microsoft's documentation.