Azure Friday | Azure Active Directory Identity Protection

[MUSIC] Hey, I’m Scott Hanselman, it’s Azure Friday. We’re here with Nitika Gupta, talking about Azure identity protection.
>>Thanks Scott for having me here. So Azure AD identity protection is a feature of Azure Active Directory, which helps you detect and prevent against identity attacks. We are the team that does security for both consumer identity system, which is Microsoft account, as well as the Enterprise identity system that is Azure Active Directory.
>>Interesting, so are you saying that you’re making available tools that are already being used internally at Microsoft?
>>That’s right, so we had a team that does security for our consumer services. And we’re bringing that asset through the Enterprise customers. And we’ve been doing this for years, so we have a ton of experience. And as Microsoft, we have a ton of relevant data as well, because we run one of the biggest media services. We run one of the biggest identity services, and we have tons of teams within Microsoft that do security that we closely collaborate with as well.
>>So when we say identity security, this is more than just having strong passwords, it’s behavioral, right? It’s how people move around and how they use their applications.
>>Exactly, so, what we do is, we apply machine learning to identities. So, every time we get a sign in request, we look at the IP address, the location, the user agent. We look at the user’s sign in pattern in the past, and based on that, we determine if it’s a good user or a bad user. And we have policies, which can kick in automatically to take action against that.
>>And when I think about machine learning and I think about huge amounts of data and millions of logins, I think about batch jobs and I think about like, well, if Scott logged in and then a batch ran. And then in 24 hours, it will tell you or not whether that’s a bad log in.
>>This is all real-time.
>>You’re doing this in real-time?
>>Exactly.
>>And how is that even possible?
>>[LAUGH] That’s what machine learning does. So we have systems, which basically learn automatically from the past data. And they can take action, and there’s no manual action required at all. And this is very critical because bad guys move really fast, and it helps us keep up with them.
>>So the trick is to make sure that you stop the bad guys, but not make me feel bad as I’m logging in.
>>That’s right, so we wanna challenge you for multifactor authentication, only when we know this was a bad sign in. You don’t wanna cause friction to end users. At the same time, we wanna keep them secure as well. So challenge them for them a free or multifactor auth when needed.
>>So I have multifactor auth on my MSA, right, my Microsoft account. And I noticed that when I’m on my machine at home, it’s very rare. They prompt me, I don’t know, once a week or something like that. But I drove up here to Seattle, and I stopped at a Starbucks in the middle of nowhere. And then suddenly I’m getting prompted again. Is that the kind of behavioral analysis?
>>Yes, so your home is a familiar location for you, and that’s why we know that and we won’t bug you there. But when you travel to Seattle or to some other part of the world, we know this is a new location, this is unfamiliar for you. And we’ll make sure it’s you by challenging you for multifactor auth.
>>Okay, so how are you making this available to regular people? Me as a developer, I would love to be able to know that this is a problem and help my users be more secure.
>>Exactly, so the other tool where IT admins can get insights into what’s going on within the organization. As an app developer, if you were to use our ADAL library, our authentication library, you’ll benefit automatically from this.
>>Automatically?
>>Yes.
>>Okay, so what do we have here?
>>Awesome, so Azure AD identity protection is within the Azure portal. So you go to, and you add identity protection from the marketplace. Within this dashboard, there are three protection vectors. First one being users flagged for risk, so these are the users who might be compromised. You can further dive into each user, understand what were the risk events for them. And lastly, once you have investigated a user, you take action of password reset to fix their account. But what we really wanna do is do this automatically, right? It might take hours or days for an IT admin to go in and fix this issue.
>>Exactly, I’m excited about the amount of information here, but I’m looking at, wow, do I have to always follow this person around and bother them? I mean, it would be nice if this happened automatically.
>>And sometimes it’s too late, right? You don’t wanna let the bad guys be in your account for a couple of hours. So we have automatic policies. Here, you can configure who the policy applies to. You can define the user risk level, which is like, when do you wanna trigger these actions based on your security posture? And these are the actions we support, so you can say I wanna automatically trigger password change if the risk level is medium or high.
>>Really? Okay, so you’re actually locking them out, and you have to do a formal complete restart of their password. Because they’ve done something that’s so suspicious.
>>Exactly, so for instance, as part of one of the breaches, your username password shows up. And we work with security researchers to get that feed of data, and we match it against what’s in the data tree. So if there is a match, we can be like this user’s account is compromised. And if you have this policy set up, what happens is the next time that user signs in, they’ll automatically get prompted for multifactor auth and password change. And now their account is no longer at risk because they’re fixed, and they’re no longer weak.
>>So if we look at security websites, like Troy Hunt’s have I been pwned, I can subscribe to that as a user. And he’ll tell me if my password shows up in one of the breaches, but that’s a lot of pressure for me as a user. You’re telling me that the service can understand those things and take care of that kind of stuff for me?
>>Automatically for you. And we prompt you for password change when you sign in. You don’t have to worry about going to and then go and change your password here.
>>Sure, and you said that I added this from the marketplace. This is a product that I then apply to my Azure AD?
>>Yes, it’s an add-on to Azure AD.
>>And is that hard to set up? Is this a big deal to impose upon my organization?
>>Three clicks to get started with identity protection.
>>Seriously?
>>Yeah, it’s really three clicks.
>>Does it cost money?
>>It does require premium plan.
>>Okay, so if you’re paying for Azure AD, and you have a premium plan, then this is part of the premium plan?
>>Yes, it’s part of Azure AD premium plan too.
>>And then this gets smarter as we’re going. You were saying that because of the machine learning, it’s gonna get more and more secure and apply new-
>>Yes, and we have a team of analysts who are actually working on analyzing this data and thinking of smarter ways to prevent these attacks as well. So along with machine learning, we have a lot of people thinking about this problem really hard. And we keep improving our algorithms.
>>And you said that there’s an SDK that I can use as a developer?
>>As a developer, you can actually integrate with our authentication libraries, Azure AD authentication libraries. And then if you do it, you’ll automatically benefit from identity protection.
>>So you’re gonna silently impose the multifactor auth kinds of things, depending on the actions that you see my users take?
>>So what happens is these policies are enforced by the IT admin. So if you’re using the right identification libraries, what happens is we can take those actions as configured by the IT pro. Now we wanted to talk a little bit about what kinds of things you look at about the user. Are you looking at their IP address? If we look at one of these risk events, how did you know they were risky? You said that you looked at user agent, and what else?
>>Yeah, so I can actually walk you through some of the risk events.
>>Let’s do it.
>>So I talked briefly about leaked credentials. The second thing we detect is anonymous IP addresses. So these are sign ins coming from TOR browser. And based on external research, we know 94% of TOR traffic is coming with malicious intent. Why would someone try to hide their tracks or IP addresses, so that’s suspicious, right? So something for organizations to look into for sure. So we can detect TOR, we can detect sign ins coming from botnet infected devices, we can detect-
>>Known botnets?
>>Yes, so we work with the Microsoft Digital Crime Unit, who’s responsible for taking down botnets and get a feed of IP addresses that we can consume.
>>So they’re already poisoned, and then now if someone’s logging in from there, you know it’s a problem. This is lovely, look at this, impossible travels to atypical locations, what does that mean? I’m on a boat in the middle of the Atlantic.
>>Scott is signing in from here. And then there’s Clark too, who’s signing in from, for instance, India. That’s odd, how can Scott be in two places?
>>That is a really interesting thing. I was setting up a computer, true story, for my cousin. He’s in South Africa, we’re using WhatsApp, and he temporarily sent me a password. And I set up his Windows Live, and Windows was like, wait a second.
>>Exactly.
>>He’s logged in right now in South Africa, and now you’re logging in in Portland, is that okay? And we got prompted for two factor auth, he then received a text message, and it didn’t feel bad though. Because it was very clear what happened, it told us this is a weird thing. It didn’t make us feel guilty as users cuz we were doing something legitimate.
>>Yeah, exactly, that’s what our systems do.
>>Mm-hm, so sign ins from infected devices, that’s the botnet, and then here’s the leaked credential. That’s where a known leaked credential is being used.
>>Yeah, so we get the feed of username passwords that are leaked, and we match it against the data tree. So we also have what we call sign ins from unfamiliar locations. So for every user, we keep track of what are familiar locations for that user. And if you come from a new location, maybe you’re travelling, or maybe some bad guy is trying to sign into your account, we flag that and we make sure we challenge you.
>>That makes sense. I’m going to Kenya on Tuesday, so I will expect to be prompted immediately when I log in to Azure to get my presentation.
>>That’s right. Absolutely, it will.
>>Very cool, so people can set this up right now, if they have their premium plan for Azure AD. Where do they go in the portal to set this up?
>>So it’s very simple. So you go to the marketplace here, and under that Security + Identity, and here you find identity protection. You simply click on Create. And that’s all you have to do, that’s all, and you’re done. You have identity protection here, and you can start using it.
>>Very cool, thanks so much for sharing.
>>Thank you, Scott, for having me here.
>>All right, we’re learning all about Azure identity protection here on Azure Friday. [MUSIC]

Daniel Ostrander
