Microsoft Azure AD Identity Protection Deep Dive

Captions
Hey everyone, in this video I want to talk about Azure AD Identity Protection, a capability that's focused on examining risk and then giving me actions to enforce based on risk, and to remediate and investigate based on risk. It is part of Azure AD Premium P2, so it is a P2 feature. This is going to work for both users and workload identities, i.e. service principals. As always, if this is useful please go ahead and like, subscribe, comment and share, and hit the bell icon to get notified of new videos.

Now, if we just go and look at Azure AD Identity Protection, straight away it gives that idea that, hey, we're focused on risk, and there's two key types of risk it's really focusing on. We can see this idea of risky users, and it's giving me information on those, and then the idea of risky sign-ins, and then we can do various things based on the risk of a sign-in and based on the risk of an individual user.

Now when I think about risk, there's really four pillars that drive the idea of risk. I can firstly think about a pillar where I want to focus on identifying risk, and with that identification there might be some element of reporting, so I want to be able to find out there's some risk going on. The next pillar I'll think about is, based on that risk, I maybe want to do some enforcement. I want to enforce on risk to try and mitigate when that risky thing is actually happening. There's a number of different ways we can do that, but the big one is going to be Conditional Access, although as we will see there are other options. I may also want to investigate risk, and for this there's logs, there's various types of information available to me. And then finally, how do I actually remediate risk? Hey, there's some risk happening, what can I do to resolve the state of that risk? As we'll see there's really two types: there's the idea of automatic remediation, and then there's things as an administrator I can do to manually go and help with that remediation. But we have these four key pillars we think about as part of this.

Now I keep using this term risk, and I can think of risk as actually happening at a number of different places. So if I just focus for a second on the idea of, okay, what is this risk, when is this risk thing happening? I can imagine, well, at sign-in, a sign-in event to Azure AD, that could be when I'm detecting some element of risk: a bad actor is trying to sign in, something's happening, that is some idea of risk that's going on in my environment. It could also be after login, after my sign-in, through some behavior in an app. Now this is not a focus of Azure AD Identity Protection, I want to stress that point. That's not something Identity Protection is focused on. There are other solutions that look at behaviors when you're inside an application, and that is where other things and other technologies can help with that, but obviously that can happen, there's risk that can occur there as well. And then outside of sign-ins, well, there's other indications that there's some risk. I can think about, for example, an indication of credential compromise: hey, I go and find a user's credentials that have been leaked on the dark web, I find their username, I find their password. Remember, that's one of those reasons we like that hash of the hash synchronized from AD to Azure AD even if I'm not doing native cloud authentication. If we have that hash of the hash of the password, then Microsoft, as part of their checks, when they're scouring the dark web and they find these leaked credentials, can say, hey look, we found a leaked credential, and the password we found actually matches that real credential, and then can do things based on that. Now there are many different types of signal, both internal and external. There are the cyber security teams at Microsoft, they're security experts, they're trawling the dark web, they're doing lots of different things; there are signals from my authentication requests. So there's a huge amount of data that comes in that actually comprises understanding this risk. I cannot add my own threat intelligence signals today, so it's only based on those Microsoft ones.

And one of the big things it does is it adds machine learning to this whole process. It's not just looking for some fixed idea of "this signal means this"; it's going to be able to leverage the machine learning to better identify new patterns of risk, to find patterns in the data faster, so it can adapt much quicker. Now realize it does have to learn, so when I think about what Azure AD Identity Protection is going to do and start identifying risks, it has to have a period of learning to work out what's normal. So I can think about there's going to be a certain number of sign-ins that has to occur, and after it's gone through that number then it can actually start detecting, hey, this is abnormal, something else is going on, and can start picking up and detecting on that.

So what are risky things, how are they detected, how are they used? I can come back to thinking about this idea of identifying the risk and leveraging that: what do we do with these risk things? There's actually kind of a pyramid that leads up into, really, what is risk, and so we go for the "identify that risk" idea. At the very bottom (we're going to draw layers of this) I can think about, well, there are risk detections. Now there are many different types of these and we're going to go through and look at exactly what some of these are, but there are going to be multiple different risk detections going on through the history of the user's life cycle. There are all these different risk detections that happen. It could be something specific to a sign-in: hey, you're using an anonymous IP, you've got some impossible travel, you've signed in from Moscow, you don't normally; you're signing in from a Linux device, you normally sign in from a Windows device. It's impossible travel, all these different signals it can pick up, and it will generate some kind of risk detection.

Now some of those are part of a sign-in event, so I can then think about, well, there are risky sign-ins, and obviously a risky sign-in would be part of, hey, I'm detecting that because of some risk detections. So I might have some risky sign-ins based on specific detections: that particular authentication that I'm doing, there's something risky about that based on some detections that it saw as part of that sign-in. And then I can think at the top is the idea of a risky user, so this is the user entity itself. Now their overall risk, well, that could be based on, hey, there were risky sign-ins, but it might also be a risk detection that was not related to a sign-in. We can go back to that idea that, hey, we found their credentials leaked on the dark web; that's not related to a particular sign-in, but it's still a risk detection that goes into the idea of their overall risk status. So the overall riskiness of the user is, yes, based on the risky sign-ins that might have been seen, and it's based on the idea of, hey, are there other risk detections that we have actually seen.

Now when I think about these risk detections, what are those various risks that are going to make those up? There are many different signal types and we can actually go and look at these. So if we jump over for a second, here we're looking at all the different types of risk. It goes through, well, what is risk, and this is a great article to go and look through, but what I'm focused on right now is this idea of risk types and detection. Once again it's stressing the idea of user risk and sign-in risk, and then, is it calculated in real time or was it calculated offline? These are important when we start thinking about some of that enforcement and the remediation, because we get different things based on whether this is a real-time or offline signal. Notice it is also telling us, hey look, detections may not show up in reporting for five to ten minutes; offline detections may not show up for 48 hours. So there's a number of timing things to be aware of here.

Now let's go and look at some of the types. Again, let's focus on the idea of user-linked detections, so this is not related to a specific sign-in event. We can see the idea of, hey look, leaked credentials: this is where it's going on that dark web, it's been pasted somewhere, this is found through the Microsoft security capabilities that scour that dark web. Then there's the idea of Azure AD threat intelligence: something very unusual about the user consistent with some known attack pattern. So that's based on the user. And then there are sign-in risks, so this is based on a particular sign-in event, and we want to pay attention here to this idea of detection type, because we'll notice some are real time and some are offline. Real time: anonymous IP address. Offline: atypical travel. Now this is the idea that, hey, distant geographical locations that are very atypical or unusual for the user, and machine learning will look at the distance between those locations, like it really doesn't seem very possible. There are all these different types: token issuer; malware-linked IP address, again based on the Microsoft cyber security teams taking down those bad botnets etc., it knows IP addresses that have been associated with something bad and can identify that; suspicious browser; unfamiliar sign-in properties, again this is a big one and this is real time, this is probably the most significant one. So this is looking at my past sign-ins, details about them, locations, types of device, times I normally authenticate, many different things here, and builds in the idea of what's a typical sign-in property for me. And I can keep going down and I see many other ones available: password spray, hey, I'm having this idea of very common passwords I just spray at the authentication across multiple usernames trying to get a hit because it's a common password, maybe someone's got it; impossible travel, hey look, the distance is just not possible to be legitimately signing in between those locations; new countries, etc. And we can see also this idea of "other risk detection" / "additional risk detected". Now if you see "additional risk detected", it's because you're not Azure AD Premium P2. Azure AD Premium P2 gives you the detail; if I'm not P2, if I'm free or P1, it might just say, hey look, we detected some risk but we don't tell you exactly what the risk is. Then there's the idea of risk levels and other things like that, but the key thing I wanted you to really pay attention to there was this idea that there's both user risk and sign-in risk, and then there's the idea of how they are processed.

So if I think about those risks for a second, once again there's that idea, let's go over how they are processed. So I can think here of types and processed, i.e. is it real time or is it offline? So if I'm thinking about, at sign-in time to Azure AD, yes, there are those two key ones we saw that are real time, so we absolutely have some that are real time, but we also saw there are many that are offline. If it was an indication of credential compromise, like that dark web, well, that is only offline; there are no real-time signals that are going to be used as part of that. And remember, the two big real-time ones we're going to focus on are that idea of anonymous IP, very few good things are coming from an anonymous IP address, I'm using a Tor browser or something, and then that idea of unfamiliar sign-in properties. Again, this one's huge; this idea of unfamiliar sign-in properties is generally going to be that biggest indication. Now this could change, so in the description below I have the links to the documents, you should always go and check those because it might change in the future, but these are the big ones.

If you think about, hey, the properties of a sign-in, what do we know? Well, that machine learning, remember, so that's a key point when I think about all of these risk detections, these risky sign-ins: there's a whole key point that's going on here around machine learning. It's looking at the properties of every single event that happens around that sign-in and learns what is normal. So if I think about unfamiliar, well, we know normal login times, normal devices, normal applications, normal IPs, normal countries, and if you have a sign-in that has any of those that are non-familiar, that machine learning and the algorithms can start to ascertain a certain amount of risk, and then if you start to combine multiples of those, hey, it's an unusual device in an unusual country at an unusual time, well, that's going to start to signal. Now different attributes have different weightings for how much of a signal, how important they're going to be, and that machine learning also has a key balance, because we can't be too specific or too urgent or we get a lot of false positives; if we have too many false positives then it almost becomes useless. So there's this balance of false positives in that assessment, to pick a score that provides pain to bad actors while keeping user pain low, so it's very minimal impact to the good users. There shouldn't be many false positives, but you want to find that balance so that, hey, if I am a bad actor, it's going to cause the most amount of pain to those bad actors.

Now when I think about this idea of these real-time signals, I want to start focusing and shifting to this idea of enforcing on risk. So when I think of enforcing on risk, I think Conditional Access. Now I'm going to come back to the fact that there are other options here, but Conditional Access is the big one I want to use. Now a key thing to remember: Conditional Access is an Azure AD Premium P1 or above feature, Identity Protection is an Azure AD Premium P2 feature, i.e. I have all the capabilities of P1. So if I have Identity Protection I absolutely have Conditional Access, and so what I want to be thinking of is using Conditional Access for this protection. Now there are two different levels of things I can focus on: I can think about enforcing on risk at a sign-in event, and I can think about doing something based on a user's risk status. So those are the two elements that I can really do things on. In terms of a particular sign-in event, well, the events we can use are these real-time ones, so when I think about sign-in, it's these signals. So when I do Conditional Access and I'm looking at sign-in risk, these are the two signals it's looking at. Now when it's the user risk, remember, think of that pyramid: the user risk is the sum of the worst sign-in risk and other signals like leaked credentials; that goes into the user's overall risk. So the user risk, hey, there's a whole set of different things that comprise that. So let's look at this for a second, because this is kind of the key way we want to enforce on risk: I want to use Conditional Access.

So if I jump over to the portal, now I'm using the Azure AD portal. I do not have to use the Azure AD portal, but this is just aad.portal.azure.com; all of the same things are available in portal.azure.com. It's just, as the name suggests, this is really focused on Azure AD related technologies. I can add some favorites; it's nicer to just focus on Azure AD, it has this nice default dashboard about it, so I'm going to use this. And I've added Azure AD Identity Protection as one of my favorites; again, I can go to All services and I could flag particular services that I really kind of care about if I wanted them there in my favorites. So go to Azure AD Identity Protection, remember that's my overview page, but what I want to think about right now is that Conditional Access. So I'll go to Azure Active Directory, under Manage I'm going to go to Security, and this is just regular Conditional Access, and then I'm going to go to Conditional Access and I can create a new policy from scratch or based on some templates. If I say New policy, what we're focused on here are the conditions, and it's these two: user risk and sign-in risk. Now I should only be using these if I have an Azure AD Premium P2 license for the users this impacts. Like many things, it's not enforced: if my Azure AD tenant has at least one Azure AD Premium P2 license in it, well, then this will be available, but if I'm using it for users that are not correctly licensed, I'm out of compliance. So here, for the user risk, I could configure this to Yes and then say when does this trigger: is it based on high, high and medium, high medium low? I pick that combination. Remember, that's the user's risk level, top of the pyramid. Sign-in risk, hey, I can turn this on as well, and once again I can set, well, is this configured and what is this applying to, what level of sign-in risk does this apply to. And once I've done that, then I can obviously have controls. Yes, you could block. Block is generally not a good idea. So let's say, for example, hey, if there's a risk I want to block it. If we block it, there's no ability for the user to try and self-remediate, whereas if I say, well, grant access, but hey, I'm going to require them to do an MFA, that's a great idea if it's a sign-in risk: we're thinking something's abnormal about the sign-in, let's make them do a multi-factor authentication, that's really going to prove it is who they say they are. If it was a user risk, well, let's make them change the password. The user risk is that overall the user seems compromised; this is probably good for them to change the password. And those are actually some really good best practice recommendations for that. So if I do think about that Conditional Access and I think about what's a good thing to actually use to remediate, a very common one we'll actually see is sign-in: if it's medium or above, make them do an MFA, and when they do that MFA it proves to Azure AD, hey, this really is them, so it does a self-remediation. It flags that, oh, it is legitimate, and it helps that machine learning learn, so they're less likely to get prompted the next time. If it's user risk, if it's high, make them do a self-service password reset, i.e. they're registered for that, they go into the portal, they change the password through the portal; again, that would show, hey, they changed their password, I can now reduce that user risk. If they don't change the password through self-service password reset, if they go on-premises to AD and change the password and it syncs up through Azure AD Connect, it doesn't know that, so that would not count, so something else would have to go on there to actually go and remediate: an admin could go in and say, hey, the user is healthy now. But ideally this is what we want to do, and there are some other best practices around this I'm going to talk about. But when I think of Conditional Access, don't put them both in the same policy, because I'm trying to do different things. I might have one Conditional Access policy for sign-in risk, hey, require an MFA; a different one for user risk, hey, make them go and do a password change, i.e. self-service password reset.

Now while I'm showing you Conditional Access, just one nice thing to be aware of: typically we kind of target this idea of all applications, but another thing we can actually do is, when I think about the cloud application, I can also target a particular type of user action, and the one I care about here is this "Register security information". So I could create a Conditional Access policy that targets, hey, when they're trying to register that combined security registration that's used for MFA and self-service password reset, and what I could do is I could say, hey, when they're trying to do that initial combined security registration, maybe my control is it has to be a compliant device, maybe it has to be from a known location to allow it. So in other conditions I can add things like locations, so I might add a certain location. So that's a nice thing; again, it's not related to Azure AD Identity Protection, but this ability to set some conditions for that initial security registration is a really nice thing to be able to do. And I really do want to stress this idea of controls, and especially this MFA. This is how you want to do multi-factor authentication: I don't want to just constantly bombard people for MFA, MFA, MFA. They get into a bad habit, they get muscle memory and they'll just click yes, yes, yes, that's me, that's me. Remember in the early days, was it Vista and User Account Control? You constantly got prompted; you tried to open Notepad as an administrator, you just always clicked yes, you didn't pay any attention to what it was asking. If I constantly prompt people for MFA, they're just going to always say yes without giving any attention to why they're being prompted. So I want to think about: I only want to give that MFA prompt if I'm detecting something. So I'm detecting some heightened risk in that sign-in, they're trying to access a high-privileged application, they're trying to elevate using Privileged Identity Management, that's when I want to do an MFA. So it's out of the ordinary, it gets their attention, they're like, oh, this is unusual, am I really doing this thing? Oh, I am, okay, fine, I'll carry on. So really just think about that as part of how I use these technologies.

Okay, so building on this, there's logs, there's fantastic logging, I can go and get information on it, and I'm showing the portal, but there's an API I can use as well. I can use APIs to go and get the risk state of users and sign-ins, I can remediate risk, I can say no, this was good, I can confirm this is bad. So the APIs can do all of this stuff as well. But then how do I remediate the risk? I want to be able to clean up and say, actually, this sign-in was good and the user is no longer risky, and this helps self-heal the state and lets that machine learning learn.

So let's see a bad thing happen. I'm going to use a Tor browser, and as we kind of talked about, generally there's not a huge amount of good things happening through an anonymous environment. If I go to portal.azure.com and I'm going to sign in, so let's sign in as bruce net. Remember, what the Tor browser is doing is bouncing me around the world, and what is detected is exactly what we'd hope: this is kind of dodgy, "suspicious activity detected, we've detected something unusual about this sign-in, might be a new location, device or app". Remember what we talked about, that idea of unfamiliar sign-in properties: it's detecting strange things happening and it's telling me you need to verify. Now if I verify, okay, it's doing that MFA; it's going to now go and text me to say, hey, is this really you? And assuming I actually go in and give the right number, so let's go in here and do that MFA, that's going to help it learn. So if this was a brand new device and a brand new legitimate location (obviously mine isn't really, I'm kind of faking this), it would learn and it would say, okay, this was really them, they did an MFA that proved who they were, so it will help fix that and stop me from being prompted again in the future.

So as I think about remediation, there's automatic remediation. From an automatic perspective, if I do that MFA for a sign-in and it's successful, well, hey, it shows that was really them. Likewise, if it's user risk and I do a password change via self-service password reset (that's the important part), hey, it's going to now show I'm remediating that risk as well. Now the other option is, absolutely, I can, via the portal or via the API, manually as an administrator say, no, no, this is good. If we jump over, what I can do, we go back to that Identity Protection. Now remember we're seeing all these risk kind of events on that main nice overview page; it's showing me these nice risk things. I have this reporting: risky users, risky sign-ins, risky workload identities (remember, that's service principals), risk detections. So I can see all of these different things; this is going to report, I think, for 90 days. So I look at risk detections, I'm seeing all these individual risks: hey look, a password spray attempt at an account, activity from an anonymous IP, so I'm seeing all of these particular things, a new country. I can add filters to these, so I could say, hey, I could filter based on particular risk detail, for example, and I can say what sort of detail do I want to focus on. So I can get really granular information on what I care about here. But then as an administrator I can go and see more information over here on the right about things associated with the risk detection, but then I could also go and select a particular risk detection and I could say, hey look, I want to see the related risky sign-in for this particular detection. Now if I do that, now I can actually go and see the risky sign-ins; I can see the detail of the sign-in from here. Now I can manually make some choice: I could say actually this was a safe sign-in, that's going to help the machine learning learn, or I could say no, this really was bad, and again it helps the machine learning learn, say hey, yeah, this was a bad thing, I tracked this correctly, carry on, and it will now be confirmed as a bad sign-in, which again can then feed into the user's overall risk. Likewise if we come out of this, so I could just go to all risky sign-ins, I can see all those different risky sign-ins that are occurring. I can go and look at risky users, so I could look at a risky user and once again I have these manual options of, hey look, well, I could reset password, I could confirm the user is compromised, I could dismiss the user risk, I could block the user, or we could actually dive into an investigation using Azure Defender. So here I actually have the ability to go in and start doing manual actions. So we have the idea that yes, there's a certain amount of automatic remediation that can occur based on, hey, I do an MFA, I do something else that proves that sign-in is legitimate, I do a self-service password reset (hey, that would make me do an MFA to change the password), so that would reduce the user risk. Or I can manually go in and perform remediations against it. So there are various different options.

Now when I think about the reporting, just remember we have these different types of signals. Conditional Access sign-in risk only uses the real-time signals. When I'm looking at the reporting of risky sign-ins, it's looking at real-time and offline signals related to sign-in. When I'm looking at the user risk report, it's looking at basically everything; remember that pyramid, it's looking at all of the sign-ins that have occurred for that user and things that weren't related to a sign-in. So understand the reporting uses both real-time and offline signals; Conditional Access for sign-in risk can only use the real-time ones, that anonymous IP and unfamiliar sign-in properties. So that's the key idea.

Now I do keep talking about Conditional Access, and that really is the best way of doing this. Conditional Access gives me a lot of flexibility: remember I could do different configurations based on different groups of users, other things as part of the environment, if the device is healthy, if it's hybrid Azure AD joined, locations. I can run a Conditional Access policy in a report-only mode to not actually take effect, and that's a very common thing you're going to do. When I start out with these things I might actually run in report-only mode, so I get everything set up, but rather than enforcing on it and making MFAs or making change passwords, I'll just run in a reporting mode to see what will happen, and then once I feel confident I've got it right, well, then I can actually turn it on in enforcement mode. So that's a key thing. When I look at my Conditional Access policies you'll see that down there, so hey, I jump over to my AAD, my Security, my Conditional Access, and anything I look at, at the bottom you see this "Enable policy", and I have the idea of On, Off, Report-only. So it won't enforce any kind of action on it, but I'll be able to see what would have happened, what is the effect of that; I'll see that in all of my reports.

But there is also the idea of Azure AD Identity Protection security policies. So yes, Conditional Access is the preferred way, but I can also do an AAD Identity Protection policy, but it's very generic, it doesn't have the same granularity as Conditional Access, which is why, hey, it exists, but if you own Identity Protection you own Conditional Access, so I wouldn't really touch it, but I'll show you it just to be complete. So if I go back to my Identity Protection we have this Protect area, and we can see I've got a policy for sign-in risk: I can target particular users if I wanted to, I can exclude, and then I can pick the sign-in risk, and then I have controls, I can block or require MFA, those are my choices. Likewise I have a user risk policy; again I can tweak which users, I can tweak at which point I fire this off, and then I have controls: block or require password change, that's it. And again we really don't like the idea of block on either one of these because it gives the user no ability to self-remediate, resolve the problem and let Identity Protection learn, so ideally let them self-remediate using these controls. But you can see, I mean, that's all I can do; there's one of these for each, I can't have other factors as part of this. So the recommendation: hey, use Conditional Access. Under no circumstances use both; if you start trying to use, hey, I'm going to have some sign-in risk or user risk as part of Conditional Access, and I have these policies set, I might see very strange things. So you pick one: if I start doing it in Conditional Access, turn off those Identity Protection policies, just implement it in Conditional Access, and remember keep them separate: Conditional Access policies for sign-in, Conditional Access policies for user, both those different types of risk.

Now there was another thing we had there outside of the risk, which was the MFA registration policy, so this can help me drive people signing up for MFA. Now although it says the word MFA, remember most of us are now running in that combined experience: when we register for MFA we're also doing the registration for self-service password reset. If I go and look at Azure AD, I look at, if I remember, User settings, and if I go to Manage user feature settings, down here at the bottom I have this option for "combined security information registration experience", and what that means is whether they're being driven to sign up for MFA or self-service password reset, it will go to a combined experience that gets the information from the user that basically populates both, so they are now signed up for MFA and self-service password reset. So here in Identity Protection, although it's called MFA registration policy, if I drive it with this, if I turn this on (which I do not have turned on), it would now drive them to go and sign up for that combined security registration experience, which is the default for most organizations now. And that combined, remember that Conditional Access policy I showed you, I could target that security registration to require a more secure environment for that combined security registration; that's a good thing to do. There are other ways I could drive this, and again it's not recommended to have multiple ways driving the sign-up. I could have a Conditional Access policy, and maybe I'm targeting a very common resource users access and require MFA, and the first time they access it, it would drive them to perform that combined security registration experience. There's a password reset registration experience; again, if I'm combined, it will also do that MFA capability as well. That's just over in Azure AD, I guess I'll show you that quick, so it's an alternative approach. In Azure AD we have the idea of password reset. If I use this functionality, hey, if that's enabled, once again because it's combined it will also do MFA and self-service password reset. So those are other options I can do.

And then obviously I've shown these reports already, so while I'm over here, reporting will show all the detail based on the level of the tenant. So this is a key point: I have P2, so if I looked at my Azure AD instance, my Azure AD license is Azure AD Premium P2 because I have some P2 users. The reporting we see in Azure AD Identity Protection and the Conditional Access functionality is based on the tenant's level; it is not checking at a per-user level. So I look at these reports, I will see whatever is the level of my tenant. Now remember, especially on the Conditional Access, you're out of compliance if I'm doing user or sign-in risk level Conditional Access policies and the users don't have a P2; I'm out of compliance with my licensing, but I will see the level of detail based on my tenant. So obviously here I'm seeing fantastic detail: my detection type, I'm seeing the exact reason for the risk detection over here, so I get the complete detail because my tenant is P2. For my risky sign-ins I see the exact detail, I see the exact risk state; same for my risky users, I get the risk level, high, high, low. But this varies based on your tenant. If we go and look at the documentation, it tells us, look, if I am running free or P1, I cannot do Conditional Access, either the AAD Conditional Access or the AAD Identity Protection policies; the security reports overview I only get if I am P2. Now when I get the security reports, if I'm P2, for all of these types of reports, as I would expect, I get full access always. If I'm free or P1, well, risky users and risky sign-ins, I get limited information, and it will only give me that if it's a medium or high, but it won't give me any detail; it will say, hey look, users are risky, but it won't tell you why they're risky, and for the
signings it will give you very limited information it will just say there's some additional risk for p1 for risk detections again i get limited information free i don't get anything and then all the other features notifications policy for registration weekly digest is only if i am p2 so it's very different configurations and so for the the most part i mean this is a fantastic feature i really think when i think mfa i want to do mfa only if i'm doing some privilege identity management escalate elevation which is a p2 feature pima's p2 anyway i want to do mfa if i'm detecting additional risk that's this and maybe if i'm accessing some very high privileged application now i can also take these risks and get them to azure sentinel there is a connector for that azure id diagnostic settings can also send the the risk information to a log analysis workspace for example or all those various different things there are notifications built in so if we go and look one of the things we have over here is hey users at risk detected alerts so if we detect risk i can enable certain people to get notified and what i would actually see as i've got some examples here look user at risk detected and then i could jump over a viewer detailed report but it's letting me know very quickly hey a high risk user i could now go and do something about that and obviously if i took these and sent them to something like log analytics workspace i can use azure monitor alerts to also do things i could trigger action groups to go and run some action to do other things i can also get a weekly digest and send that so a summary of the overall risk state and that's kind of over here how you know risky signings detected new risky users detected and again i can jump to various places actually for that so there are many things that i can do just kind of out of the box and what's actually kind of interesting is microsoft accounts actually use a lot the same technology so your microsoft account actually does a 
lot of the same things and that's a good thing because all that intelligence they get from microsoft accounts that actually feeds into this as well so there's a lot of shared infrastructure and knowledge between azure id and kind of those home user microsoft accounts to feed that overall risk status so that's really kind of an overview of this there's also a nice little identity score so if we jump over just for a quick second when i go to my overview you do have this identity secure score and what this is really based on is a whole set of factors but i can go and look at this and i could go and see well what are the things i could do and it tells me well what is the kind of impact if i was to do this so user impact what's going to be the maybe work or pain point for the user and then what is the work for me as an administrator to actually implement now obviously ensure all users can complete well that might be fairly painful for everyone but that's a huge very beneficial thing to do my score impact is nearly eight percent so there are great things i can do so if you're not sure where to start i would go and look at this identity secure score maybe look at the things that have the biggest score impact and start going through those to increase my posture one other element so this is all great this is all based around the idea that i remember have my azure ad tenant so this is me this is mine and obviously i have my users in there and everything else what about if i have guest users there's someone else's another not me there's another tenant with a user in it and what i've done is i've added them remember i can add guest users using b to b so it's an external identity so now they have a little stub object in my tenant the authentication is still happening over here they have no password here it's a external reference to their object in their home tenant and that has a lot of bearing on things because i can for b to b i can also use azure ad identity protection for b 
to b we can use that m a u license now that's the new model there used to be hey for every one person license for premium i got five guest users they've actually moved away from that what we now have the idea of is you have these monthly active users and you get 50 000 free and then you pay a little bit of money for the ones beyond that so 50 000 guest users hey i can just use whatever is the highest premium capability of my tenant so that replaces that whole five to one thing but now let's think about policies related to risk so if i think policy related to risk signing risk so i'm being authorized for some resource i want an access token so where is the sign in risk evaluation well that's actually happening here because they're trying to get an access token although they get kind of the original authentication happens over here the authorization for an access token to something goes against mine and so i see the properties of the sign in so i'm evaluating signing risk at my tenant the user risk state the user's risk evaluation what happens there on their home tenant i don't have the ability to evaluate their user risk i'm not tracking that for guest users so although i'll know the user risk i'll get information as part of the claims about them from their home tenant i i'm not evaluating my own i'm evaluating my own sign-in risk for them as part of the authorization get the access token i am not evaluating the user risk so why that's really important is the policies i might create if i create a conditional access policy and if my policy was based on user risk and maybe it's hey i want to do my my action is password reset well they're going to be blocked there is no way for me to trigger a password reset i can't make a self-service password reset when i have no password it's over there so just realize for b to b guess if i have a user risk policy and my remediation is change password it's just going to block but it's going to say hey you're blocked because there is 
no way for me to do that they'll have to go and on their side do a self-service password reset manually get their user risk state remediate on their side and then that will come over but that's just kind of a key thing to consider i'm not saying you should not you should block them or exclude them there's risk there but just realize you can't help their remediation they'll just get blocked i can't make them go and do a self-service password reset b2c business to consumer it has a very similar set of capabilities that i can turn on as a per user step up so i can also have identity protection as part of my b2c and that's really it when you're getting started there is a risk analysis workbook so if i go and look at how to use azurity workbooks this is a good document again i've got this linked in description below i can use that identity protection risk analysis workbook and the usage to understand a distribution of risk users risk detections all these different types of things so it's just some good information to have there and that was it so that was my really what i wanted to cover as part of this really the key goal and the point here is hey look we have this idea of risk detections that some of those will build up into a particular signing event and give me an idea of the risk of a signing event and then those particular sign-in events and other things that weren't signing related go into the overall state of the user the best way to do enforcement is conditional access have separate policies based on signing risk and user risk do not combine and also use the azure ad identity protection policy it's going to get very very confusing avoid using block it's better to drive things like mfa and password reset using self-service password reset it helps self-heal and self-remediate that state it helps the engine learn remember the conditional access sign-in is only based off the real time but those are big ones but then the overall reporting for sign ins considers the 
offline signals as well and then obviously we had reporting around the user risk and those individual risk detections it is a p2 feature so remember to use that conditional access really to use anything around if i'm getting benefit i should be having p2 for my users um b2b applies to as well but just realize hey if it's user risk and my remediation is make them change password i'm just gonna block the user so as always i hope that was useful um there was a lot of work goes into these so subscribe really is appreciated on the video but until next time take care you
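As an added example (not code from the video, and not Microsoft's own tooling), the Python below builds the two separate conditional access policies the talk recommends, one for sign-in risk and one for user risk, shaped like the Microsoft Graph `conditionalAccessPolicy` resource (`conditions.signInRiskLevels`, `conditions.userRiskLevels`, `grantControls.builtInControls`, `state`), and then lints a set of policies against the talk's advice: never mix sign-in risk and user risk in one policy, avoid the `block` control, pair `passwordChange` with `mfa`, and watch for a user-risk password-change policy whose scope includes B2B guests, who have no password in the resource tenant and would simply be blocked. The lint rules are this example's own checks, not a Microsoft feature, and the guest object ids and display names are constructed for the demonstration.

```python
"""Build and lint Identity Protection risk policies for conditional access.

Added example, not code from the video. Policy bodies follow the shape of the
Microsoft Graph conditionalAccessPolicy resource; the lint rules encode the
talk's recommendations and are this example's own (assumption, not a Graph API).
"""
import json
from typing import Dict, List, Sequence

# Risk levels Identity Protection assigns to sign-ins and users.
RISK_LEVELS = {"low", "medium", "high"}

# Graph state values: "enabled", "disabled", "enabledForReportingButNotEnforced".
REPORT_ONLY = "enabledForReportingButNotEnforced"


def sign_in_risk_policy(levels: Sequence[str] = ("medium", "high"),
                        state: str = REPORT_ONLY) -> Dict:
    """Sign-in risk -> require MFA. Kept separate from the user-risk policy on purpose."""
    return {
        "displayName": "CA - Sign-in risk: require MFA",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "signInRiskLevels": list(levels),
            "userRiskLevels": [],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def user_risk_policy(levels: Sequence[str] = ("high",),
                     exclude_users: Sequence[str] = (),
                     state: str = REPORT_ONLY) -> Dict:
    """User risk -> MFA then self-service password change (Graph wants mfa AND passwordChange)."""
    return {
        "displayName": "CA - User risk: require password change",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            "signInRiskLevels": [],
            "userRiskLevels": list(levels),
        },
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
    }


def lint_policies(policies: List[Dict], guest_object_ids: Sequence[str] = ()) -> List[str]:
    """Return one finding per violation of the talk's recommendations (empty list = clean)."""
    findings: List[str] = []
    for p in policies:
        name = p["displayName"]
        cond = p["conditions"]
        controls = set(p["grantControls"]["builtInControls"])
        sign_in = cond.get("signInRiskLevels") or []
        user = cond.get("userRiskLevels") or []
        for lvl in list(sign_in) + list(user):
            if lvl not in RISK_LEVELS:
                findings.append(f"{name}: unknown risk level '{lvl}'")
        if sign_in and user:
            findings.append(f"{name}: mixes sign-in risk and user risk; split into two policies")
        if "block" in controls:
            findings.append(f"{name}: uses block; prefer mfa / passwordChange so users can self-remediate")
        if "passwordChange" in controls and "mfa" not in controls:
            findings.append(f"{name}: passwordChange must be combined with mfa (operator AND)")
        if user and "passwordChange" in controls:
            # "All" users includes B2B guests; a guest has no password in this tenant,
            # so the password-change control cannot run and the guest is just blocked.
            excluded = set(cond["users"].get("excludeUsers", []))
            in_scope = [g for g in guest_object_ids if g not in excluded]
            if cond["users"].get("includeUsers") == ["All"] and in_scope:
                findings.append(f"{name}: password change cannot run for {len(in_scope)} "
                                f"B2B guest(s) in scope; they will be blocked, not remediated")
        if p["state"] == REPORT_ONLY:
            findings.append(f"{name}: report-only, effects visible in reports but not enforced")
    return findings


if __name__ == "__main__":
    # Constructed guest object id for the demo (not a real tenant value).
    guests = ["00000000-0000-4000-8000-0000000000b2"]
    policies = [sign_in_risk_policy(state="enabled"), user_risk_policy(state="enabled")]
    print(json.dumps(policies, indent=2))
    for f in lint_policies(policies, guest_object_ids=guests):
        print("finding:", f)
```

Running the script prints the two policy bodies and one finding, that the user-risk policy would block the constructed guest; excluding that guest's object id via `exclude_users` clears it, which mirrors the talk's point that for B2B guests the choice is exclude or accept that they are blocked and remediate in their home tenant.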
Info
Channel: John Savill's Technical Training
Views: 38,033
Keywords: azure, azure cloud, microsoft azure, microsoft, cloud, azure ad, identity, risk
Id: Nx2ych3xHl0
Length: 56min 25sec (3385 seconds)
Published: Tue Feb 15 2022