Since I wrote this post in April describing Microsoft’s excellent Identity Protection feature, Microsoft have been very busy updating and building on it.
Identity Protection is now fully available to European tenants. Great news for those of us based here. One caveat – any customers who used the Identity Protection feature before this official support in Europe will have to onboard again, and reconfigure Identity Protection.
Identity Protection now works well with federated identities. This is new: originally, Identity Protection was built solely around cloud-based identities, where both the authentication and the remediation of suspicious activity (for example, a password reset) are handled in the cloud. Federated identities are neither authenticated nor remediated in the cloud but in an on-premises Active Directory, so additional work was required to provide Identity Protection for these accounts.
Anomalies and remediation
With the recent update of Identity Protection, the detection of anomalous login behavior is inserted into the login flow for federated accounts (even though the actual technical authentication is redirected to the federation IdP, whether ADFS, Ping or whatever). If anomalies are detected, the AAD account is flagged as “at risk”, and remediation is required. The most convenient option for users is to allow them to remediate their account (e.g. reset their password) during the cloud-mediated logon. This deals with the issue immediately, and does not require an on-premises service desk to perform a password reset out of band. To do this, however, AAD must be able to set passwords in the on-premises Active Directory: the “password write-back” feature must be enabled in the AAD Connect service that synchronizes identities between AAD and on-premises Active Directory. Note that there is still no password on the cloud identity in this scenario – authentication is still performed ultimately by the on-premises AD.
If password write-back is not possible (due to security policy, for example) the password reset can take place on-premises, and an administrator can “Dismiss All Events” on the AAD account to indicate that it is no longer at risk.
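As an added example (not code from the original post, nor Microsoft's), here is the “no write-back” path from the two paragraphs above turned into a small script: after the service desk has reset a federated user's password on-premises, the risk on the AAD account is dismissed through Microsoft Graph, which is the API behind the portal's “Dismiss All Events” button. It assumes the Graph `identityProtection/riskyUsers` collection and its `dismiss` action (application permission `IdentityRiskyUser.ReadWrite.All`) as documented at the time of writing; the risky-user records, ids and `contoso.example` names are constructed so the logic runs offline, and the HTTP transport is a pluggable `send` callable. The point a defender cares about is the guard in `select_for_dismissal`: a user is only dismissed when the on-premises reset is confirmed by your own records, the account is still `atRisk`, and Graph is not still reprocessing it.

```python
"""Dismiss Identity Protection user risk after an on-premises password reset.

Added example (not from the original post). Assumed Microsoft Graph surface:
  GET  https://graph.microsoft.com/v1.0/identityProtection/riskyUsers
  POST https://graph.microsoft.com/v1.0/identityProtection/riskyUsers/dismiss
       body: {"userIds": ["<riskyUser id>", ...]}
"""
import json
from typing import Callable, Iterable, List, Optional

GRAPH_RISKY_USERS = "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers"

# Constructed ids for the sample below (not real tenant data).
ALICE_ID = "aaaaaaaa-1111-4111-8111-000000000001"
BOB_ID = "aaaaaaaa-1111-4111-8111-000000000002"
CAROL_ID = "aaaaaaaa-1111-4111-8111-000000000003"
DAVE_ID = "aaaaaaaa-1111-4111-8111-000000000004"

# Constructed stand-in for one page of GET .../riskyUsers (fields follow the riskyUser resource).
SAMPLE_RISKY_USERS = {
    "value": [
        {"id": ALICE_ID, "userPrincipalName": "alice@contoso.example",
         "riskState": "atRisk", "riskLevel": "high", "isProcessing": False},
        {"id": BOB_ID, "userPrincipalName": "bob@contoso.example",
         "riskState": "atRisk", "riskLevel": "medium", "isProcessing": True},
        {"id": CAROL_ID, "userPrincipalName": "carol@contoso.example",
         "riskState": "remediated", "riskLevel": "none", "isProcessing": False},
        {"id": DAVE_ID, "userPrincipalName": "dave@contoso.example",
         "riskState": "atRisk", "riskLevel": "low", "isProcessing": False},
    ]
}

# send(method, url, headers, body) -> parsed JSON dict (empty dict for a 204).
SendFn = Callable[[str, str, Optional[dict], Optional[str]], dict]


def select_for_dismissal(risky_users: Iterable[dict], reset_confirmed: Iterable[str]) -> List[str]:
    """Ids of users whose risk may be dismissed: still atRisk, not being reprocessed by Graph,
    and whose on-premises password reset has been confirmed (case-insensitive UPN match)."""
    confirmed = {upn.lower() for upn in reset_confirmed}
    return [
        u["id"] for u in risky_users
        if u.get("riskState") == "atRisk"
        and not u.get("isProcessing", False)
        and u.get("userPrincipalName", "").lower() in confirmed
    ]


def build_dismiss_request(user_ids: Iterable[str]) -> dict:
    """The POST that the portal's 'Dismiss All Events' issues on your behalf."""
    return {
        "method": "POST",
        "url": GRAPH_RISKY_USERS + "/dismiss",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"userIds": list(user_ids)}),
    }


def dismiss_after_onprem_reset(reset_confirmed: Iterable[str], send: SendFn) -> List[str]:
    """Fetch at-risk users, keep only those whose reset is confirmed, dismiss them. Returns the ids dismissed."""
    page = send("GET", GRAPH_RISKY_USERS + "?$filter=riskState eq 'atRisk'", None, None)
    ids = select_for_dismissal(page.get("value", []), reset_confirmed)
    if ids:  # no POST at all when nothing qualifies
        req = build_dismiss_request(ids)
        send(req["method"], req["url"], req["headers"], req["body"])
    return ids


class RecordingSend:
    """Offline transport: serves the constructed sample on GET and records every dismiss body."""

    def __init__(self, page: dict = SAMPLE_RISKY_USERS) -> None:
        self.page, self.calls = page, []  # calls: list of parsed POST bodies

    def __call__(self, method, url, headers=None, body=None) -> dict:
        if method == "GET":
            return self.page
        self.calls.append(json.loads(body))
        return {}


def make_urllib_sender(access_token: str) -> SendFn:
    """Real transport for a tenant using only the standard library; token acquisition
    (e.g. client credentials with IdentityRiskyUser.ReadWrite.All) is out of scope here."""
    import urllib.request

    def send(method, url, headers=None, body=None) -> dict:
        req = urllib.request.Request(
            url, data=body.encode() if body else None, method=method,
            headers={"Authorization": "Bearer " + access_token, **(headers or {})})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    return send


if __name__ == "__main__":
    # Service desk confirmed resets for Alice, Bob and Carol; only Alice qualifies
    # (Bob is still being reprocessed, Carol is already remediated, Dave was never confirmed).
    transport = RecordingSend()
    print("dismissed:", dismiss_after_onprem_reset(["alice@contoso.example", "bob@contoso.example",
                                                    "carol@contoso.example"], transport))
    print("graph calls:", transport.calls)
```

Replace `RecordingSend()` with `make_urllib_sender(token)` to run it against a real tenant; the selection logic is identical either way, which is why it is kept separate from the transport.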
With these updates, Identity Protection is made ever more relevant and useful – another great reason to be using the power and pace of the cloud to support and protect both cloud and on-premises systems.
OCG can help you with this! For more information, contact us at email@example.com.