As more IT services move to the cloud, the need for better security features will only increase. People want to be able to log in hassle-free, but organizations need strong authentication security. The fastest way for this move to cloud service to fail is going to be though a large security breach. Microsoft is aware of all these facts, and they are putting a lot of work into ensuring that logging into their cloud servers is both easy and secure.
Microsoft has been investing in security and identity features for Azure Active Directory. These new features are becoming Generally Available (GA) within Azure Active Directory. In this blog post I’m going to delve into some of the new identity protection features in Azure Active Directory.
Exchange Online lead the way into the cloud for Microsoft, but there isn’t a whole lot of growth left there. Microsoft is moving its focus to the EM+S stack as an area to grow “the service.” All the new features I’m going to cover in this blog post need the Azure Active Directory Premium P2 license. This license is a part of the EM+S stack.
Microsoft currently has very little enforcement of that licensing rule in place. As I write, Microsoft requires at least one AADP P2 license in your tenant to activate these features. Microsoft intends to turn on license enforcement for these features. We don’t know for sure when, or even if, Microsoft is going to make that move.
As I tested these features I only had a single EM+S E5 license assigned to my primary account in my Office 365 tenant. I did use accounts without Azure AD Premium licenses assigned for testing. Be warned that if you start using these features without the proper licensing in place, they may stop working without notice.
Privileged Identity Management
Privileged Identity Management (PIM) allows organizations to setup “just-in-time” admin rights. Administrators accounts will not have admin rights except when they request them. There is an option to add an approval process before admin rights kick in.
PIM is not a replacement for dedicated admin accounts. PIM should be used as an extra layer of security for those admin accounts. Even if an admin account is compromised, the attacker would need to get the permissions for that account elevated before it would do her any good.
Self-Service Password Reset
Strong, complex password words that change often are a good basis for a secure network. The down-side to a good password policy is that end-users will need to reset their passwords often. This means that organizations that want to keep secure are also going to incur high support costs for password resets.
Microsoft wants to help with this problem in a couple of different ways. Technologies like Windows Hello for Business that can drop passwords altogether is one solution. Self-Service Password Reset (SSPR) is a new feature of Azure Active Directory can help reduce the support costs of secure passwords.
SSPR gives end-users a way to verify their identity to Azure Active Directory without their password. Once the user is verified, it is safe to allow that user to change their password without the need for a help desk technician.
One of the easiest way to gain unauthorized access to an organization's data is to use social engineering. Getting a help desk technician to give you the password is easier than you'd think. SSPR can end, or reduce, this attack vector.
Azure Active Directory Identity Protection
Azure Active Directory Identity protection (AADIP) helps in determining if an account is hacked. AADIP will watch for an account trying to authenticate from two different locations (based on IP address) that would be impossible.
As each user with AADIP authenticates to Azure AD that user is assigned a risk level. AADIP policies can be configured to enforce various security measures based on that risk level.
AADIP also allows you to use its insights to trigger more stringent authentication requirements. One example is using multi-factor authentication when an account appears compromised.
Microsoft is adding features to AAD that are design to improve the security of your cloud-based IT infrastructure. These new features do need an Azure Active Directory P2 license, which is most common purchased as part of an EM+S license. I have an EM+S E5 license in my Office 365 tenant, and so far, that single license has allowed me to test all these features with several user accounts.
While I can understand the argument that security shouldn’t be an “add-on” service, I do think that these features are worth some extra investment.
Nathan O'Bryan MCSM
Nathan is a five time former Microsoft MVP and he specializes in Exchange, Microsoft 365, Active Directory, and cloud identity and security.