#AzureAD Identity Protection now gets enhanced federation support and is available in Europe

September 13, 2016 Chris Spanougakis

It seems that the #AzureAD team never goes on vacation! This is the only way to explain all these new features that we get, even in summer. So we have two new updates: support for “users at risk” for customers that use federation for user authentication, and the availability of Azure AD Identity Protection in Europe.

Let’s first talk a bit about Azure AD Identity Protection. It’s a service that analyzes and secures sign-ins to the applications that are integrated with Azure AD, both Microsoft and third-party ones. Azure AD Identity Protection tries to deal with attacks using two different methods. The first one is called Sign-In Policy: it is a real-time mechanism that evaluates each login and produces a risk score, so that it can allow or block a login attempt. The second one is called User Risk Policy: it collects data over time in order to identify an account that is at risk. If an account is evaluated as compromised, its risk score will be high.

Administrators also have the ability to enable Identity Protection’s built-in User Risk Conditional Access Policy to block a malicious login attempt, or to require multi-factor authentication on these accounts. Below you can see the options available when you want to enforce controls in order to protect a user account:

[Screenshot: User Risk Policy enforcement options]

Now we have something new: User Risk Policies are available for organizations that use federated authentication. When you configure a User Risk Policy, the next time that a user with a high-risk account tries to log on to Azure AD, the user is informed that the account is at risk. At this point the user has to prove their identity using MFA and then change the password:

[Screenshots: the at-risk notice, the MFA prompt and the password change screen (mfa2, mfa3, mfa4)]

There are some requirements: password writeback must be enabled for the federated domain, and you need an Azure AD Premium license. Of course, it is also possible for the administrator to assign a temporary password to the user and require them to change it the next time they log on. You can see below that an account is considered at risk because the user logged on from an unfamiliar IP address, so the admin has the option to create a temporary password for the user:
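Before you turn the policy on for a federated domain, it is worth checking those requirements from the command line. The script below is an added example, not part of the original post or of Microsoft's own tooling. It assumes the MSOnline module is installed and that you have already run Connect-MsolService; the password writeback check assumes it runs on the Azure AD Connect server, where the ADSync module is available, and that the object returned by Get-ADSyncAADPasswordResetConfiguration has a Status property that reads Enabled when writeback is on. The user name and connector name are placeholders to replace with your own.

```powershell
# Added example (not from the original post): verify the prerequisites for
# federated User Risk Policies - federated domain, Azure AD Premium license,
# and password writeback. Assumes Connect-MsolService has already been run.
param(
    [string]$UserPrincipalName = 'user@contoso.example',          # placeholder UPN
    [string]$AadConnectorName  = 'contoso.onmicrosoft.com - AAD'  # placeholder; see Get-ADSyncConnector
)

# 1. The user's domain must use federated authentication.
function Test-FederatedDomain {
    param([string]$Upn)
    $domainName = $Upn.Split('@')[1]
    $domain = Get-MsolDomain -DomainName $domainName
    return ($domain.Authentication -eq 'Federated')
}

# 2. The user needs an Azure AD Premium service plan. Premium shows up as a
#    service plan whose name starts with AAD_PREMIUM, either directly or
#    inside a bundle such as EMS.
function Test-AadPremiumLicense {
    param([string]$Upn)
    $user  = Get-MsolUser -UserPrincipalName $Upn
    $plans = $user.Licenses | ForEach-Object { $_.ServiceStatus } |
        Where-Object {
            $_.ServicePlan.ServiceName -like 'AAD_PREMIUM*' -and
            $_.ProvisioningStatus -eq 'Success'
        }
    return [bool]$plans
}

# 3. Password writeback must be enabled on the Azure AD Connect connector.
#    Returns $null when run somewhere without the ADSync module.
function Test-PasswordWriteback {
    param([string]$ConnectorName)
    if (-not (Get-Command Get-ADSyncAADPasswordResetConfiguration -ErrorAction SilentlyContinue)) {
        Write-Warning 'ADSync module not found; run this part on the Azure AD Connect server.'
        return $null
    }
    $cfg = Get-ADSyncAADPasswordResetConfiguration -Connector $ConnectorName
    # Assumption: Status reads 'Enabled' when writeback is turned on.
    return ($cfg.Status -eq 'Enabled')
}

$results = [ordered]@{
    'Domain is federated'        = Test-FederatedDomain -Upn $UserPrincipalName
    'User has Azure AD Premium'  = Test-AadPremiumLicense -Upn $UserPrincipalName
    'Password writeback enabled' = Test-PasswordWriteback -ConnectorName $AadConnectorName
}

$results.GetEnumerator() | ForEach-Object {
    $state = if ($null -eq $_.Value) { 'UNKNOWN' } elseif ($_.Value) { 'OK' } else { 'MISSING' }
    '{0,-28} {1}' -f $_.Key, $state
}
```

Run it once from an admin workstation for the license and federation checks, and once on the Azure AD Connect server for the writeback check; a line reporting MISSING points at the prerequisite that will stop the at-risk user from completing the self-service password change.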

[Screenshot: at-risk account flagged for an unfamiliar IP address, with the temporary password option (mfa5)]

As you can see, I’m using my Azure AD subscription to get these screenshots, and this is because it’s available in Europe:

[Screenshot: Azure AD Identity Protection available in Europe (mfa6)]

I strongly suggest that you give it a try!