Azure AD Identity Protection now revolves around risky users and risky sign-ins

Launched in September 2018, Microsoft Threat Protection (MTP) integrates a number of Microsoft services to provide a fully integrated, end-to-end solution for securing the entire attack surface of enterprises: identities, endpoints, user data, cloud apps, and infrastructure.

Azure AD Identity Protection

Since MTP’s launch, Microsoft has slowly been polishing the offering by adding new and improved features such as an updated Azure Security Center, new automation capabilities, and new tools for enterprise security and compliance teams.

Latest improvements

The latest enhancements are to Azure AD Identity Protection and include:

  • A more intuitive user experience
  • APIs for integrating risk data with ticketing, analysis or SIEM systems
  • Improved risk assessment
  • A service-wide alignment across risky users and risky sign-ins.

To improve the user experience, there’s a new Security Overview dashboard that shows user and sign-in risk trends, a new Risky user report that gives better insight into at-risk users, and a new Risky sign-ins report.

Both reports allow administrators to improve detection accuracy by either:

  • Marking whether a sign-in is safe or compromised
  • Dismissing user risk if they believe it to be a false positive or if they’ve already taken remediation actions (e.g., password reset).

The data that can be viewed through the aforementioned dashboard and reports can also be routed directly to ticketing, alerting and SIEM systems via the new Risky users API and Sign-ins API.

Finally, user risk and sign-in risk assessment has been improved via supervised machine learning advancements, making it easier to prioritize sign-in investigations and making the company’s user risk policy more effective at automatically blocking or remediating risky users.

Alex Simons, Corporate VP of Program Management for Microsoft’s Identity Division, says that the Identity Protection refresh is the result of carefully listening to customers.

“We learned that two entities—risky users and risky sign-ins—are most relevant to IT admins for identity compromise. So, we designed the refreshed Identity Protection entirely around these two entities,” he noted.
