In the previous post in our EMS blog series, we looked at Microsoft Cloud App Security for monitoring and managing your cloud applications. Today we round out the features of Azure AD Premium with a closer look at Risk-Based Conditional Access and Privileged Identity Management.
As attackers get more creative in their methods for compromising accounts, the security tooling has to keep pace. Two of the newer components of EMS E5, Risk-Based Conditional Access and Privileged Identity Management (PIM), are built for exactly that.
What is Risk-based Conditional Access?
In the past, user sign-in was simple: if you knew the account credentials, you were in. Multi-factor authentication added a second layer, but some systems don’t require MFA, and some accounts are exempted from it. Risk-Based Conditional Access adds a third layer. EMS applies machine learning to sign-in activity to identify accounts that may be compromised even when the credentials entered were correct. Risk is evaluated against a number of criteria; some of the most common are the following:
- Impossible travel – If a user signs in from Chicago and then signs in again 10 minutes later from Europe or Asia, the second sign-in is flagged as risky. The user could not have travelled between those two locations in 10 minutes, so one of the two sessions may belong to an attacker.
- Unfamiliar locations – Risk-Based Conditional Access builds a baseline of the locations a user signs in from during the first few weeks of activity. After that, a sign-in from a location that is not near any location in the baseline can be flagged as a possibly compromised account.
- Suspicious IPs – Because the service sees sign-ins for all of your users, it can watch trends across the whole environment in real time. If it sees a number of failed sign-ins from different users on the same IP address, it can flag that IP as a possible attacker. Using the unfamiliar-locations baseline, it automatically filters out addresses your users are known to sign in from, to minimize false positives; anything else it can monitor and block as needed.
Once a risk has been identified, Conditional Access can be configured to require additional security before access is granted: multi-factor authentication, sign-in from a known, compliant device, or simply blocking access until the risk has been cleared. One caveat: a user who has not already registered for MFA cannot satisfy an MFA challenge, so register users before enabling a policy that requires it. With this in place, organizations can be more confident that, even if an account is compromised, EMS will quickly identify it and take action to protect the data.
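As an added example (illustrative code, not Microsoft's implementation and not from the original post), the three heuristics above run over constructed sign-in records, followed by a risk-to-action mapping of the kind a Conditional Access policy applies. The thresholds, risk weights, policy table, coordinates and IP addresses are all assumptions chosen for the demonstration; the MFA-registration caveat is modelled as a block.

```python
"""Added example, not Microsoft's code: the three heuristics above over constructed
sign-ins, then a risk-to-action mapping like a Conditional Access policy applies."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0   # assumption: faster than this between sign-ins is "impossible"
FAMILIAR_RADIUS_KM = 100.0   # assumption: within this of a baseline location counts as familiar
BASELINE_DAYS = 14           # the "first few weeks" used to learn each user's locations
SUSPICIOUS_IP_USERS = 3      # assumption: distinct users failing from one IP before it is flagged
RISK_WEIGHT = {"impossible_travel": 2, "unfamiliar_location": 1, "suspicious_ip": 2}
POLICY = {"none": "allow", "low": "allow", "medium": "require_mfa", "high": "block"}  # assumed tenant policy

# label is only used to find records in the results
SignIn = namedtuple("SignIn", "label user ip lat lon when success")


def distance_km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def risk_level(flags):
    score = sum(RISK_WEIGHT[f] for f in flags)
    return "none" if score == 0 else "low" if score == 1 else "medium" if score == 2 else "high"


def conditional_access(level, user, mfa_registered):
    """Policy action for a risk level. A user who never registered for MFA cannot
    satisfy the challenge, so the sign-in is blocked rather than let through."""
    action = POLICY[level]
    return "block" if action == "require_mfa" and user not in mfa_registered else action


def evaluate(signins, mfa_registered=frozenset()):
    """Score every successful sign-in; returns one dict per sign-in with flags, risk, action."""
    ordered = sorted(signins, key=lambda s: s.when)
    first_seen, baselines, known_ips = {}, defaultdict(list), set()
    for s in ordered:  # learn familiar locations and IPs from each user's first weeks
        first_seen.setdefault(s.user, s.when)
        if s.success and s.when - first_seen[s.user] <= timedelta(days=BASELINE_DAYS):
            baselines[s.user].append((s.lat, s.lon))
            known_ips.add(s.ip)
    failed_users = defaultdict(set)  # many *different* users failing from one IP => suspicious
    for s in ordered:
        if not s.success:
            failed_users[s.ip].add(s.user)
    suspicious_ips = {ip for ip, users in failed_users.items()
                      if len(users) >= SUSPICIOUS_IP_USERS and ip not in known_ips}
    results, last_ok = [], {}
    for s in ordered:
        if not s.success:
            continue
        flags, here = [], (s.lat, s.lon)
        prev = last_ok.get(s.user)
        if prev is not None:  # impossible travel: implied speed since the previous success
            hours = max((s.when - prev.when).total_seconds() / 3600, 1 / 60)
            if distance_km((prev.lat, prev.lon), here) / hours > MAX_PLAUSIBLE_KMH:
                flags.append("impossible_travel")
        learned = baselines.get(s.user, [])
        if learned and s.when - first_seen[s.user] > timedelta(days=BASELINE_DAYS):
            if min(distance_km(loc, here) for loc in learned) > FAMILIAR_RADIUS_KM:
                flags.append("unfamiliar_location")
        if s.ip in suspicious_ips:
            flags.append("suspicious_ip")
        level = risk_level(flags)
        results.append({"label": s.label, "user": s.user, "flags": flags, "risk": level,
                        "action": conditional_access(level, s.user, mfa_registered)})
        last_ok[s.user] = s
    return results


# Constructed sample data (not real logs); documentation IP ranges, Chicago and London.
CHICAGO, LONDON = (41.88, -87.63), (51.51, -0.13)
BASE = datetime(2017, 6, 1, 9, 0)
SAMPLE = [SignIn(f"{u}-baseline-{d}", u, ip, *CHICAGO, BASE + timedelta(days=d), True)
          for u, ip in (("alice", "198.51.100.10"), ("eve", "198.51.100.20")) for d in range(14)]
SAMPLE += [
    SignIn("alice-office", "alice", "198.51.100.10", *CHICAGO, BASE + timedelta(days=20), True),
    SignIn("alice-london", "alice", "203.0.113.77", *LONDON, BASE + timedelta(days=20, minutes=10), True),
    # three users fail from one unknown IP, then eve succeeds from it
    *[SignIn(f"{u}-fail", u, "203.0.113.9", *CHICAGO, BASE + timedelta(days=20, minutes=30), False)
      for u in ("bob", "carol", "dave")],
    SignIn("eve-shared-ip", "eve", "203.0.113.9", *CHICAGO, BASE + timedelta(days=20, hours=1), True),
    # failures from the office IP already seen in baseline sign-ins are filtered out, not flagged
    *[SignIn(f"{u}-fail-office", u, "198.51.100.10", *CHICAGO, BASE + timedelta(days=20, minutes=5), False)
      for u in ("frank", "grace", "heidi")],
]


def sample_results(mfa_registered=frozenset({"alice", "eve"})):
    """Results for the sample keyed by label; pass an empty set to see the MFA-registration caveat."""
    return {r["label"]: r for r in evaluate(SAMPLE, mfa_registered)}
```

Running `sample_results()` flags `alice-london` as impossible travel plus an unfamiliar location (high risk, blocked) and `eve-shared-ip` as a suspicious IP (medium risk, MFA required), while alice's office sign-in stays clean even though three other users mistyped passwords from the same office address, because that address is in the learned baseline. The real service's scoring is not public; what carries over is the shape of the logic, and in particular that the MFA step only helps users who have already registered.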
What about administrators? Shouldn’t I be even more concerned about privileged accounts?
Absolutely, and that is the purpose of Privileged Identity Management (PIM). Just as user sign-in used to be a simple "yes" or "no," admin permissions are usually the same: either you are an admin or you aren’t. PIM adds a third option: a user can be made eligible for a role and then request activation of that admin access for a pre-set period of time. This way, they hold admin rights only when they actually need them, and if the account is compromised later, the attacker most likely gets an ordinary user account rather than a standing admin account.
In addition, PIM records every activation request, so managers can see how often a user has actually needed to be an admin. This information can be reviewed in the audit log, or you can let PIM do the legwork with its built-in access reviews. With it, a manager can easily determine whether the admin permissions are still warranted and adjust role assignments as necessary to maintain least privilege.
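As an added example (illustrative code, not Microsoft's PIM implementation and not from the original post), the following models the two ideas in the paragraphs above: eligible rather than standing assignments that are activated for a bounded period and recorded, and an access review that reports which eligible users never needed the role. The role names, the per-role activation caps, the sample history and the 90-day review window are assumptions for the demonstration.

```python
"""Added example, not Microsoft's code: a model of eligible, time-bounded admin
access with an audit log and an access review, as described above."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# assumption: the longest a single activation of each role may last
MAX_ACTIVATION = {"Global Administrator": timedelta(hours=4),
                  "Exchange Administrator": timedelta(hours=8)}


@dataclass
class Activation:
    user: str
    role: str
    start: datetime
    end: datetime
    justification: str


@dataclass
class Pim:
    eligible: dict = field(default_factory=dict)  # user -> roles the user may activate
    audit: list = field(default_factory=list)     # (status, Activation) for every request

    def make_eligible(self, user, role):
        """Eligibility grants nothing by itself; it only allows a later activation."""
        self.eligible.setdefault(user, set()).add(role)

    def activate(self, user, role, now, requested, justification):
        """Grant a time-bounded activation, clamped to the role's cap; log the request either way."""
        ok = role in self.eligible.get(user, set()) and bool(justification.strip())
        duration = min(requested, MAX_ACTIVATION[role]) if ok else timedelta(0)
        self.audit.append(("granted" if ok else "denied",
                           Activation(user, role, now, now + duration, justification)))
        return ok

    def active_roles(self, user, at):
        """Roles the user actually holds at a point in time (expired activations do not count)."""
        return {a.role for status, a in self.audit
                if status == "granted" and a.user == user and a.start <= at < a.end}

    def access_review(self, now, window=timedelta(days=90)):
        """Activations per eligible (user, role) in the window; none suggests removing eligibility."""
        report = {}
        for user, roles in self.eligible.items():
            for role in roles:
                n = sum(1 for status, a in self.audit if status == "granted"
                        and a.user == user and a.role == role and a.start >= now - window)
                report[(user, role)] = {"activations": n, "recommend": "keep" if n else "remove"}
        return report


def scenario():
    """Constructed history: alice activates Exchange admin twice, bob never uses Global admin,
    and two requests are denied because the requester is not eligible. Returns (pim, start)."""
    pim, t0 = Pim(), datetime(2017, 6, 1, 9, 0)
    pim.make_eligible("alice", "Exchange Administrator")
    pim.make_eligible("bob", "Global Administrator")
    pim.activate("alice", "Exchange Administrator", t0, timedelta(hours=2), "Mailbox migration")
    pim.activate("alice", "Exchange Administrator", t0 + timedelta(days=30), timedelta(hours=24),
                 "Transport rule change")                       # 24h request is clamped to 8h
    pim.activate("alice", "Global Administrator", t0, timedelta(hours=1), "Tenant setting")  # denied
    pim.activate("carol", "Global Administrator", t0, timedelta(hours=1), "Urgent")          # denied
    return pim, t0
```

The point of the model is the separation PIM introduces: `make_eligible` never makes anyone an admin, `active_roles` is empty outside an activation window, and `access_review` run two months into the sample history recommends keeping alice's Exchange eligibility (two activations) and removing bob's Global Administrator eligibility (none), which is exactly the least-privilege decision a manager is asked to make.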
These features complete our discussion of Azure Active Directory Premium, the first product in EMS. In our next post we move on to the third product, Microsoft Intune.