On Wednesday 7 September, Microsoft announced that Azure AD Identity Protection, Azure AD Privileged Identity Management and Azure AD Premium P2 will be generally available from 15 September 2016. Let’s take a look at why you need these solutions, what they enable you to do and, for those who have been trialling these apps, what it means for your licences and tenants.
What is Identity Protection and Privileged Identity Management?
The world we live in
Employees often use their work email address and password to sign up to accounts they shouldn’t, such as online shopping or social media. It’s virtually impossible to stop employees using their work credentials for these services – user education and corporate policies only go so far in solving the problem.
With the many data breaches of the last few years, there are now nearly 1.5 billion exposed credentials, a large proportion of which are bound to be corporate credentials. In just one year, the number of credentials exposed in data breaches has risen 97%. Even big online services such as Myspace (350 million user accounts), LinkedIn (165 million user accounts), Dropbox (69 million user accounts) and Tumblr (66 million user accounts), to name a few, have suffered data breaches and exposed user credentials to the internet’s dark underworld. Coupled with this, there are complex bot networks trying to guess the usernames and passwords of your employees.
In today’s world, where digital crime is big business, these credentials are often used to obtain corporate data for financial gain, costing businesses millions each year.
So, how do these new applications help?
Azure AD Identity Protection
Identity Protection is a cloud service that helps to protect accounts. It does this by analysing threats based on data obtained from various sources, including the Microsoft Digital Crimes Unit, which analyses over 10Tb of data daily drawn from 12 billion daily authentications and millions of daily attacks. It uses the latest advances in machine learning to find the threats. It displays its findings in simple graphs within the Identity Protection portal and allows you to apply policies based on the risk level.
For example, if an employee’s work credentials are exposed during a data breach of an online shopping cart, this would be flagged as a high-risk event. When the employee next authenticates, your policies can force that authentication to require Multi-Factor Authentication (MFA) – and also force the user to change their password, removing any threat completely.
Azure AD Privileged Identity Management (PIM)
PIM is designed to identify and manage those users in the organisation who have elevated privileges within the directory. It does this by first scanning all the users and their roles within Azure Active Directory, then converting their permanent roles to “just in time” roles. This means that while they are not performing administrative tasks, they have a normal user account. When they need to perform an administrative function, they can very quickly promote themselves to an administrator role, with the added benefit that the escalation is audited.
There are a number of configurable options, such as requiring MFA or a support ticket number for role activation. PIM also provides alerts to notify people when a user activates their roles.
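To make the just-in-time model concrete, here is an added illustration (not Microsoft’s code and not the PIM API): a small Python model of eligible-versus-active roles in which activation requires MFA and a ticket number, is time-limited, and is audited and alerted on. The tenant, user name, role name and ticket number are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

class JitRoleStore:
    """Toy model of PIM-style just-in-time roles: admins are eligible, never permanent."""
    def __init__(self, require_mfa=True, require_ticket=True, max_hours=8):
        self.require_mfa, self.require_ticket, self.max_hours = require_mfa, require_ticket, max_hours
        self.eligible = {}   # user -> roles the user may activate
        self.active = []     # live (user, role, expires) records
        self.audit = []      # append-only trail of every grant and refusal
        self.alerts = []     # notifications raised on each activation

    def convert_permanent(self, permanent):
        """Onboarding step: permanent role holders become eligible-only."""
        for user, roles in permanent.items():
            self.eligible[user] = set(roles)
            self.audit.append(("converted", user, sorted(roles)))

    def activate(self, user, role, *, mfa_passed, ticket, hours, now):
        """Escalate for a bounded time; every refusal and grant is audited."""
        if role not in self.eligible.get(user, ()):
            reason = "not-eligible"
        elif self.require_mfa and not mfa_passed:
            reason = "mfa-required"
        elif self.require_ticket and not ticket:
            reason = "ticket-required"
        else:
            hours = min(hours, self.max_hours)  # cap the activation window
            self.active.append((user, role, now + timedelta(hours=hours)))
            self.audit.append(("activated", user, role, ticket, hours))
            self.alerts.append(f"{user} activated {role} for {hours}h (ticket {ticket})")
            return True
        self.audit.append(("denied", user, role, reason))
        return False

    def active_roles(self, user, now):
        """Roles held right now; expired activations drop off with no further action."""
        self.active = [a for a in self.active if a[2] > now]
        return {role for (who, role, _) in self.active if who == user}

def run_scenario():
    store = JitRoleStore()  # constructed sample tenant: one admin, one role
    role = "Global Administrator"
    store.convert_permanent({"alice": [role]})
    t0 = datetime(2016, 9, 15, 9, 0, tzinfo=timezone.utc)
    before = store.active_roles("alice", t0)
    no_mfa = store.activate("alice", role, mfa_passed=False, ticket="INC-1", hours=2, now=t0)
    ok = store.activate("alice", role, mfa_passed=True, ticket="INC-1", hours=2, now=t0)
    during = store.active_roles("alice", t0 + timedelta(hours=1))
    after = store.active_roles("alice", t0 + timedelta(hours=3))
    return before, no_mfa, ok, during, after, len(store.alerts), store.audit
```

`run_scenario()` shows the whole lifecycle: no role before activation, a refused attempt without MFA, a granted two-hour activation, and the role falling away on its own once the window expires.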
Do you need these applications?
These apps greatly reduce the risk to your business by removing the threats associated with the use of corporate identities and the ever-growing adoption of cloud services. They reduce the need to rely on policies and procedures, which, let’s be honest, not all employees follow. PIM protects your administrators from exposure and allows them to act as normal users when not undertaking administration tasks. Perhaps your credentials have been exposed at some point. You can check using this website, Have I Been Pwned?
What happens to my trial versions on 15 September?
For those tenants that have enabled either of these apps, you will be glad to hear that Microsoft will not be turning them off on 15 September and leaving you unprotected. We have been informed that any tenants with Identity Protection or Privileged Identity Management enabled before the GA date will get to keep them for a few months – at no charge. This will allow you to raise the necessary paperwork to upgrade your current Azure AD licence to the Azure AD P2 licence.
If you want to know how your company can automate identity management processes more effectively, take your Identity and Access Management Assessment. You’ll find out how equipped your business is to meet evolving security and compliance requirements, and receive a tailored report with suggested improvements to your identity strategy.