Microsoft Expands Azure Active Directory ID Protection Preview with User Risk Policy
Microsoft has improved its preview of the Azure Active Directory Identity Protection service for federated tenants and also expanded the preview to Europe.
Microsoft first rolled out a preview of the Azure AD Identity Protection service in March, but it was just available for U.S. testers. Now the service is "fully supported in Europe," Microsoft announced today. Organizations will need a subscription to the Azure AD Directory Premium service or Microsoft's Enterprise Mobility Suite to use the Azure AD Identity Protection preview.
Azure AD Identity Protection is designed as a safeguard against compromised user credentials. It uses Microsoft's machine-learning technologies to discover possible compromised accounts, checking for six kinds of identity risks. The system produces a score for the risks associated with particular user accounts. It allows IT pros to block a user or issue a multifactor authentication challenge, if wanted. A multifactor authentication challenge is a secondary verification besides a password. For instance, a user also has to verify his or her identity by responding to an instant message or a mobile phone call.
Microsoft has gradually been improving the Azure AD Identity Protection service. In June, it enabled the service to work with organizations that have set up a premises-based federation service for user authentications, such Active Directory Federation Server (ADFS). ADFS is a Windows Server-based identity management system that works with Microsoft's datacenter-based Azure AD service. In early June, Microsoft added the ability to detect risky sign-ins for organizations with federated setups. In late June, it added role-based access controls.
Today, Microsoft also announced that its User Risk Policy is now turned on for organizations using Azure AD Identity Protection preview in federated setups, such as with ADFS or the Ping Federate solution.
User Risk Policy is another scoring component of the Azure AD Identity Protection service besides Sign-In policy. The User Risk Policy taps "accumulated data" over time to assess potentially compromised accounts. For instance, it'll check if a "username and password was leaked on the web," Microsoft's announcement explained. It also checks for patterns in user logins to produce a risk score.
Organizations wanting to try out the User Risk Policy capability in Azure AD Identity Protection preview need to have enabled the password writeback capability for a federated domain, Microsoft's announcement explained. And there are a bunch of requirements for enabling password writeback as well. Microsoft has described password writeback as "an Azure Active Directory Connect component" that "allows you to configure your cloud tenant to write passwords back to your on-premises Active Directory." Azure Active Directory Connect is Microsoft's wizard-like setup tool for connecting with Azure AD services.
So far, Microsoft has been gradually adding capabilities to the Azure AD Identity Protection service. It's not clear when the service will go live.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.