What is Sign-In Risk-Based Conditional Access in Azure Active Directory?

Captions
Hey, welcome back. I want to talk about sign-in risk-based Conditional Access. Now, this capability allows you to look at a user's sign-in behavior as they sign into an app, and if there's anything suspicious about that behavior, like maybe they're coming from an anonymous IP address, or impossible travel, or a number of different risk events, then go ahead and block that access. And so this capability is part of Identity Protection, which is in Azure Active Directory Premium Plan 2. So let's go ahead and take a look at this in a demo.

To demo this, I'm going to use the Tor browser, which allows me to anonymize my IP address and route my traffic through another country, which could then kick off impossible travel and other location-based risk events. So let's go ahead and sign into portal.office.com, and we should see it get blocked when I try to authenticate. We'll let that authenticate, and in just a moment it should detect that my sign-in traffic is risky and, boom, stopped in my tracks: "Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app, or location that is restricted by your admin." So risk-based Conditional Access did its job.

So now let me show you how to set this up. Okay, so within the Azure Active Directory admin portal, I'm going to click on Security, and then I have two options here: I could use Conditional Access to do this, or I can use Identity Protection. It's kind of your preference. I like Conditional Access personally, but let me show you Identity Protection. So if I come in here and choose sign-in risk policy (I'll talk about user policy in another video), I basically scope it to the users; I have it scoped to all users. And then my sign-in risk is low and above, and I'll explain more of these in just a moment, and then my control is block access, as opposed to maybe requiring MFA. And so I can just turn that on and, boom, I'm ready to rock and roll.

Now, I like using Conditional Access because it's a little bit more flexible. Let me show you what I mean. I can specifically choose who I want to apply this to. I can choose which apps I want to apply this to, so I have it applied to my G Suite tenant, Box, Dropbox, Office 365, and a few other apps. And then my conditions here: there's my sign-in risk, I'll come back to that, and then my grant access is to block it.

Now the conditions. Let me explain what's happening here on sign-in risk. Microsoft, for obvious reasons, does not disclose what is high, medium, and low, and that's obviously for security purposes. However, from their documentation, they describe that a high threshold reduces the number of times a policy is triggered and minimizes the impact to users; however, it does exclude medium and low detections from the policy, which may not block an attacker. So if this was production, I mean, you're going to have to kind of weigh the pros and cons here. If you choose low, it's going to try to block everything, but it may have a further impact on a user, whereas if you choose high, it's going to minimize that impact and block those high-risk events. For my purposes of the demo, I'm going to choose high, and I'm not going to save here because it's already saved and I've turned it on. At that point I'm ready to rock and roll; it's basically completed.

So now let me show you what all the different risk detections are for sign-in risk. I will put a link in the video description to the documentation here, but on this documentation site, if we scroll through this, it describes user risk, which we'll cover in another video, and then it jumps into sign-in risk. So sign-in risk is defined by: a sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. These risks can be calculated in real time or calculated offline using Microsoft's internal and external threat intelligence sources, including security researchers, law enforcement professionals, security teams at Microsoft, and other trusted sources.

And then you have all the different risk detections: anonymous IP address, like a Tor browser or anonymous VPN client; atypical travel, where there's identified two different sign-ins originating from geographically distant locations; malware-linked IP address, like a botnet as an example; unfamiliar sign-in properties, that's an interesting one; admin confirmed user compromised; malicious IP address; suspicious inbox manipulation rules; password spray; impossible travel; new country; activity from anonymous IP address; and suspicious inbox forwarding. Now, some of these are from Microsoft Cloud App Security, which I'll cover in another video; others are built right into Azure Active Directory Premium Plan 2. So these are the different types of sign-in risk detections that you're going to want to be familiar with.

All right, well, as you can see, there's not much to this; it's pretty straightforward. Just make sure you understand what the risks are that this thing is detecting, and then understand those thresholds, low, medium, and high, and you'll be good to go. Reference the documentation, and then just make sure you can understand the use cases around this. So remember, this can block a Tor browser, such as an anonymous IP address or anonymous VPN client, impossible travel, a number of different things.

All right, folks, take care. We'll see you in the next video. Whoa, hold on a second, don't leave yet! If you found value in this video, click on Like, because it really helps me out, and if you want to see more videos, click on Subscribe, because I have new content being released on a daily basis across security and compliance, from Azure to Microsoft 365 and much more.
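The threshold trade-off described in the captions, as an added example that is not from the video or from Microsoft: it builds a request body in the shape of the Microsoft Graph `conditionalAccessPolicy` resource for a chosen sign-in risk threshold and shows which constructed sign-ins each threshold would block. The display name, the sample sign-ins, the report-only default state and the local `would_block` check are assumptions for illustration; the real evaluation happens inside Azure AD.

```python
import json

# Risk levels in ascending order, as named in the captions.
LEVELS = ["low", "medium", "high"]

def levels_at_or_above(threshold):
    """Expand an 'X and above' threshold into the explicit list of levels."""
    if threshold not in LEVELS:
        raise ValueError(f"unknown sign-in risk level: {threshold!r}")
    return LEVELS[LEVELS.index(threshold):]

def build_policy(threshold, app_ids, state="enabledForReportingButNotEnforced"):
    """Body for a block-on-sign-in-risk policy (Graph conditionalAccessPolicy shape).

    The default state is report-only (an assumption of this example) so the
    impact can be reviewed before switching the policy to "enabled".
    """
    return {
        "displayName": f"Block sign-in risk {threshold} and above",  # hypothetical name
        "state": state,
        "conditions": {
            "signInRiskLevels": levels_at_or_above(threshold),
            "clientAppTypes": ["all"],
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": list(app_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def would_block(policy, sign_in):
    """Simplified local check (assumption): app in scope and risk level listed."""
    cond = policy["conditions"]
    apps = cond["applications"]["includeApplications"]
    in_scope = "All" in apps or sign_in["app"] in apps
    return in_scope and sign_in["risk"] in cond["signInRiskLevels"]

# Constructed sample sign-ins; risk levels are assigned by hand for the demo.
SAMPLE_SIGN_INS = [
    {"user": "alice", "app": "Office365", "risk": "high"},
    {"user": "bob", "app": "Office365", "risk": "medium"},
    {"user": "carol", "app": "Office365", "risk": "low"},
    {"user": "dave", "app": "Office365", "risk": "none"},
]

def blocked_users(threshold):
    """Users from the sample whose sign-in the policy would block."""
    policy = build_policy(threshold, ["Office365"])
    return [s["user"] for s in SAMPLE_SIGN_INS if would_block(policy, s)]

if __name__ == "__main__":
    print(json.dumps(build_policy("high", ["Office365"]), indent=2))
    for t in LEVELS:
        print(f"{t} and above blocks: {blocked_users(t)}")
```

With the threshold at high, the medium and low sign-ins in the sample pass through, which is the exclusion the captions warn about.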
Info
Channel: Matt Soseman
Views: 1,640
Rating: 5 out of 5
Keywords: azure active directory, conditional access, risk based conditional access, tor browser, anonymous IP address, azure active directory premium, aadp2
Id: 2ul5J8nA21M
Length: 6min 5sec (365 seconds)
Published: Fri Jan 29 2021