WEBVTT

0:00:02.700000 --> 0:00:09.320000
In this video, we're going to take a look at Azure Active Directory Identity

0:00:09.320000 --> 0:00:12.960000
Protection. Let's talk about what we're going to talk about.

0:00:12.960000 --> 0:00:19.140000
We're going to start off with a simple description of what Azure AD Identity

0:00:19.140000 --> 0:00:30.240000
Protection is and what it does.

0:00:30.240000 --> 0:00:32.600000
Let's dive right in.

0:00:32.600000 --> 0:00:37.260000
I'm going to start off talking about some of the key elements of Azure

0:00:37.260000 --> 0:00:39.640000
AD Identity Protection.

0:00:39.640000 --> 0:00:41.320000
First of all, what is it?

0:00:41.320000 --> 0:00:45.080000
Well, it's a machine learning system that is looking at patterns related

0:00:45.080000 --> 0:00:50.520000
to the use of your Azure AD and looking for suspicious or, the way they

0:00:50.520000 --> 0:00:54.360000
term it, risky behavior or risky patterns.

0:00:54.360000 --> 0:01:00.920000
And there are two different risks that are assessed by the identity protection.

0:01:00.920000 --> 0:01:05.340000
There is sign-in risk and there is account risk.

0:01:05.340000 --> 0:01:11.500000
So sign-in risk would be an immediate thing, an immediate action or event,

0:01:11.500000 --> 0:01:17.560000
whereas the account or user risk may be calculated over more time.

0:01:17.560000 --> 0:01:19.320000
And in some cases, a sign-in risk as well.

0:01:19.320000 --> 0:01:24.300000
But that's the idea, is that this is a system that's monitoring the usage

0:01:24.300000 --> 0:01:27.540000
of your identities in Azure AD.

0:01:27.540000 --> 0:01:28.740000
What else do we have?

0:01:28.740000 --> 0:01:30.720000
First of all, what are the risk events?

0:01:30.720000 --> 0:01:34.940000
And you can see right now, this is the list as of the time of this recording

0:01:34.940000 --> 0:01:36.680000
of what the events are.

0:01:36.680000 --> 0:01:40.780000
Now, I say that and I caveat that because this is an evolving and should

0:01:40.780000 --> 0:01:42.620000
be an evolving system.

0:01:42.620000 --> 0:01:51.220000
We have atypical travel, right?

0:01:51.220000 --> 0:01:54.280000
So this is now logging in from Perth, Australia.

0:01:54.280000 --> 0:01:56.240000
And so that would be something that might be a flag.

0:01:56.240000 --> 0:01:57.600000
Not that there's anything wrong with Perth.

0:01:57.600000 --> 0:01:59.780000
I haven't been there, but I hear it's wonderful.

0:01:59.780000 --> 0:02:05.080000
Also, if it's coming from an anonymous IP address, so if somebody is using

0:02:05.080000 --> 0:02:09.500000
a VPN service and their system is anonymized and then they're coming in

0:02:09.500000 --> 0:02:13.000000
and trying to authenticate, that would be a flag.

0:02:13.000000 --> 0:02:17.760000
Any kind of unfamiliar sign-in properties, maybe it's coming from a different

0:02:17.760000 --> 0:02:21.200000
device, different browser, etc.

0:02:21.200000 --> 0:02:25.020000
If it's coming from an IP address that is known to be linked to malware,

0:02:25.020000 --> 0:02:27.640000
then obviously that's going to be a risk.

0:02:27.640000 --> 0:02:33.740000
And also, if it is a leaked credential, what happens is Microsoft monitors

0:02:33.740000 --> 0:02:39.420000
a lot of these sites that deal in stolen identities and they're looking

0:02:39.420000 --> 0:02:44.380000
for identities that have been leaked there, and it's not foolproof.

0:02:44.380000 --> 0:02:47.860000
But that's actually, I think, really pretty cool in terms of what your

0:02:47.860000 --> 0:02:50.320000
risk events are.

0:02:50.320000 --> 0:02:56.000000
Now, those risk events are really analyzed to generate risk levels.

0:02:56.000000 --> 0:02:59.100000
And it's a very simple system: low, medium, high.

0:02:59.100000 --> 0:03:02.300000
Now, you don't really change what those definitions are.

0:03:02.300000 --> 0:03:05.180000
You don't change what those definitions are, but it does make it easy

0:03:05.180000 --> 0:03:08.400000
to deal with. You kind of have to trust Microsoft and their security team

0:03:08.400000 --> 0:03:11.920000
that those are reasonable levels.

0:03:11.920000 --> 0:03:14.800000
And you can look and see what goes into those levels.

0:03:14.800000 --> 0:03:20.420000
Now, in order to implement this, you implement what are called risk policies.

0:03:20.420000 --> 0:03:21.880000
And I'm going to demonstrate that.

0:03:21.880000 --> 0:03:25.400000
And it's really at the heart of what identity protection does for you.

0:03:25.400000 --> 0:03:28.540000
And there are two types of policies that you can define.

0:03:28.540000 --> 0:03:33.460000
You can define a login policy and you can define a user policy.

0:03:33.460000 --> 0:03:37.260000
And really, I think the easiest thing is just to see them to understand

0:03:37.260000 --> 0:03:41.720000
what each one does, because they're slightly different, but they are closely

0:03:41.720000 --> 0:03:47.440000
aligned. One other thing to understand is that this requires Azure AD

0:03:47.440000 --> 0:03:54.060000
Premium P2. So if I am using this, then I am using Azure AD Premium P2,

0:03:54.060000 --> 0:03:58.740000
and I have to take that into account when I'm costing out my overall Azure

0:03:58.740000 --> 0:04:03.820000
architecture. Without further ado, let's go ahead and let's take a look

0:04:03.820000 --> 0:04:08.560000
at how you would implement identity protection, because I think the concepts

0:04:08.560000 --> 0:04:09.660000
here are pretty straightforward.

0:04:09.660000 --> 0:04:13.920000
And frankly, as it should be, the whole system is pretty easy to use,

0:04:13.920000 --> 0:04:15.620000
and it does a lot of things for you.

0:04:15.620000 --> 0:04:19.860000
So I'm going to go ahead and pull up my dashboard.

0:04:19.860000 --> 0:04:22.620000
Now, there are a couple of things that I have already done.

0:04:22.620000 --> 0:04:26.400000
And I will tell you that the show and tell on this is going to be relatively

0:04:26.400000 --> 0:04:30.320000
disappointing, because I don't have any activity to show, but you can

0:04:30.320000 --> 0:04:32.160000
see all the components.

0:04:32.160000 --> 0:04:36.940000
I'm going to say I don't have any activity to show because my security

0:04:36.940000 --> 0:04:40.340000
hygiene is so good there wouldn't be, but the reality is I created this

0:04:40.340000 --> 0:04:44.180000
this morning. I created this directory, this tenant, this morning.

0:04:44.180000 --> 0:04:47.660000
So anyways, let's go ahead and take a look at what we're going to take

0:04:47.660000 --> 0:04:54.100000
a look at. First of all, in order for me to implement this, I need Azure

0:04:54.100000 --> 0:05:01.140000
Active Directory to be in the Premium P2 license mode, or, probably

0:05:01.140000 --> 0:05:05.100000
a more direct way to say that, I need the Premium P2 license,

0:05:05.100000 --> 0:05:09.960000
which I have associated already with this.

0:05:09.960000 --> 0:05:16.280000
I have the trial version, which you have for the first 30 days.

0:05:16.280000 --> 0:05:18.620000
I've got 100 licenses that are available.

0:05:18.620000 --> 0:05:21.660000
Again, these are licensed by individual user.

0:05:21.660000 --> 0:05:24.640000
And you can also set up group licensing where you don't have to add every

0:05:24.640000 --> 0:05:27.000000
user, but it's still charged by every user.

0:05:27.000000 --> 0:05:28.040000
And it's really easy to get.

0:05:28.040000 --> 0:05:29.500000
You can just click and add.

0:05:29.500000 --> 0:05:31.900000
It takes a few minutes for it to catch up.

0:05:31.900000 --> 0:05:34.840000
And if you're trying to do it really quickly, give it a few minutes after

0:05:34.840000 --> 0:05:39.160000
you add it, and then refresh; don't hit the refresh within the portal,

0:05:39.160000 --> 0:05:40.780000
but refresh the entire page.

0:05:40.780000 --> 0:05:44.060000
And it should pick up the fact that you have that license.

0:05:44.060000 --> 0:05:48.400000
Okay, so that's the first thing that I need, is I need to have that Premium

0:05:48.400000 --> 0:05:52.520000
P2 license. And then the next thing that I'm going to do, and I've pretty

0:05:52.520000 --> 0:05:57.560000
got that in my search, is I'm going to go to Azure AD Identity Protection,

0:05:57.560000 --> 0:06:03.560000
which is interesting; even though it's tied to your Azure AD tenant, it's

0:06:03.560000 --> 0:06:09.580000
a different lens, a different view.

0:06:09.580000 --> 0:06:13.100000
And so I'm going to go ahead and take a look at it.

0:06:13.100000 --> 0:06:17.680000
So I've pulled up my Azure AD Identity Protection blade.

0:06:17.680000 --> 0:06:19.560000
That was the word I was looking for.

0:06:19.560000 --> 0:06:24.880000
And I can see that right now I have zero users flagged for risk.

0:06:24.880000 --> 0:06:29.240000
I'm going to go ahead and just go through the settings here.

0:06:29.240000 --> 0:06:32.420000
I'm going to start not at the top, but at the configure, because it kind

0:06:32.420000 --> 0:06:35.520000
of makes sense. That's probably what you need to do first.

0:06:35.520000 --> 0:06:39.000000
The first thing would be MFA registration.

0:06:39.000000 --> 0:06:44.360000
And this is going to be the registration policy for MFA.

0:06:44.360000 --> 0:06:46.840000
And I can choose who would need MFA.

0:06:46.840000 --> 0:06:50.480000
So this is just a global MFA, and this would be the easiest way, for example,

0:06:50.480000 --> 0:06:56.020000
if I wanted everyone to have to use multi-factor authentication, I could

0:06:56.020000 --> 0:07:02.080000
just turn this on and require MFA registration.

0:07:02.080000 --> 0:07:06.240000
I would at least require them to register, not necessarily use, but I'm

0:07:06.240000 --> 0:07:09.500000
going to turn that off.

0:07:09.500000 --> 0:07:13.340000
And then the next thing after MFA is where we get to our policies.

0:07:13.340000 --> 0:07:17.460000
And these are really the key components of Azure AD Identity Protection,

0:07:17.460000 --> 0:07:19.680000
User Risk and Sign-In Risk.

0:07:19.680000 --> 0:07:23.200000
And I'm going to go through these, and they're relatively straightforward.

0:07:23.200000 --> 0:07:25.820000
First of all, I can choose who this applies to.

0:07:25.820000 --> 0:07:29.960000
And I have the ability to both include and then exclude users.

0:07:29.960000 --> 0:07:32.140000
By default, it's all users.

0:07:32.140000 --> 0:07:37.660000
I can also go to individual groups, users, individuals and groups, excuse

0:07:37.660000 --> 0:07:43.840000
me. And I could go and select users or groups that are part of this tenant.

0:07:43.840000 --> 0:07:45.140000
But I'm not going to do that.

0:07:45.140000 --> 0:07:47.760000
I'm going to leave that as everyone.

0:07:47.760000 --> 0:07:49.120000
That's the users.

0:07:49.120000 --> 0:07:54.340000
Now, conditions: under what condition do I want to apply the User Risk

0:07:54.340000 --> 0:07:59.820000
Policy? And I can choose: I want this essentially for everybody, low and

0:07:59.820000 --> 0:08:03.980000
above, or I only want it for medium and above, or I only want to apply

0:08:03.980000 --> 0:08:06.460000
the policy for high-risk users.

0:08:06.460000 --> 0:08:12.100000
So you have that ability there, and I'm going to leave that as everyone.

0:08:12.100000 --> 0:08:16.540000
And then finally, controls.

0:08:16.540000 --> 0:08:19.540000
And I have the option because of blocking access.

0:08:19.540000 --> 0:08:22.340000
So I wouldn't want to go with this right now because I have everybody,

0:08:22.340000 --> 0:08:25.280000
and this would block everybody's access.

0:08:25.280000 --> 0:08:27.820000
But I can say, OK, I'm going to allow access, but I'm going to require

0:08:27.820000 --> 0:08:29.240000
you to change your password.

0:08:29.240000 --> 0:08:35.800000
And that really is the action that you can enforce for User Risk.

0:08:35.800000 --> 0:08:41.140000
So User Risk, if somebody is flagged at whatever level you want, you're

0:08:41.140000 --> 0:08:44.320000
going to require password change in this case, which I'm not going to

0:08:44.320000 --> 0:08:50.280000
do. And then I can go and review who would be impacted.

0:08:50.280000 --> 0:08:54.920000
And right now nobody's impacted because I'm not enforcing the policy.

0:08:54.920000 --> 0:08:57.380000
And then I have sign-in risk.

0:08:57.380000 --> 0:08:58.320000
So we looked at User Risk.

0:08:58.320000 --> 0:09:00.120000
Now I'm going to look at sign-in risk.

0:09:00.120000 --> 0:09:02.200000
OK, the assignments are the same.

0:09:02.200000 --> 0:09:04.480000
The conditions are the same.

0:09:04.480000 --> 0:09:05.700000
I select a risk level.

0:09:05.700000 --> 0:09:11.760000
So that's all identical to what I have for the User Risk policy.

0:09:11.760000 --> 0:09:14.280000
And the controls are similar.

0:09:14.280000 --> 0:09:16.140000
I've got block access or allow.

0:09:16.140000 --> 0:09:20.740000
And if I allow access, I'm going to require multi-factor authentication.

0:09:20.740000 --> 0:09:24.160000
That's it. Pretty cool stuff as far as policy.

0:09:24.160000 --> 0:09:25.160000
Easy to implement.

0:09:25.160000 --> 0:09:27.880000
Again, I can enforce or not enforce the policies.

0:09:27.880000 --> 0:09:34.980000
Once you have identity protection active, then you can start to investigate.

0:09:34.980000 --> 0:09:39.760000
I can look, for example, for any users who are currently flagged for risk.

0:09:39.760000 --> 0:09:42.700000
I can see what they are, but I don't have any.

0:09:42.700000 --> 0:09:46.520000
I can look at any risk events that have occurred.

0:09:46.520000 --> 0:09:51.420000
And right now that's the last 90 days; I can filter that a little bit.

0:09:51.420000 --> 0:09:53.980000
I have vulnerabilities.

0:09:53.980000 --> 0:09:57.260000
So this is looking at any vulnerabilities that it finds.

0:09:57.260000 --> 0:09:57.980000
Pretty cool stuff.

0:09:57.980000 --> 0:10:00.360000
So I've got these investigative tools.

0:10:00.360000 --> 0:10:02.920000
And I realize I just blew through these.

0:10:02.920000 --> 0:10:07.860000
But I definitely recommend that this becomes part of, if you're going

0:10:07.860000 --> 0:10:17.060000
to use identity protection, that these become part of your routine administrative

0:10:17.060000 --> 0:10:20.300000
tasks, reviewing these.

0:10:20.300000 --> 0:10:25.000000
In addition to that, I've got alerts and I can configure alerts.

0:10:25.000000 --> 0:10:27.340000
And you would absolutely want to do this.

0:10:27.340000 --> 0:10:29.820000
Alert on user risk level.

0:10:29.820000 --> 0:10:34.100000
And so I can say, okay, anyone medium or above, I want to alert, and I

0:10:34.100000 --> 0:10:40.000000
want to send an email to, say, me.

0:10:40.000000 --> 0:10:42.980000
And I can add other emails as well.

0:10:42.980000 --> 0:10:44.300000
And then I can save that.

0:10:44.300000 --> 0:10:47.600000
But I'm going to discard that because I don't want to accidentally get

0:10:47.600000 --> 0:10:51.940000
that. Now, I mentioned the fact that you should routinely review what's

0:10:51.940000 --> 0:10:54.940000
going on. They actually make it really easy.

0:10:54.940000 --> 0:10:58.820000
I can cheat. I've got a weekly email digest.

0:10:58.820000 --> 0:11:02.440000
It's going to give me a weekly summary of what's going on.

0:11:02.440000 --> 0:11:05.940000
And I can very simply add users to that.

0:11:05.940000 --> 0:11:08.780000
I'm going to add myself to that.

0:11:08.780000 --> 0:11:10.140000
And I will save that.

0:11:10.140000 --> 0:11:14.920000
That way, if I forget to turn this off at some point, I will be notified.

0:11:14.920000 --> 0:11:16.000000
I can pin it to the dashboard.

0:11:16.000000 --> 0:11:18.340000
We'll go and do that and take a look at that.

0:11:18.340000 --> 0:11:22.300000
That's pretty simple.

0:11:22.300000 --> 0:11:26.360000
That is, let's see.

0:11:26.360000 --> 0:11:30.720000
Okay. Well, it didn't quite pin to the dashboard the way I'd hoped.

0:11:30.720000 --> 0:11:33.480000
Let's go back there.

0:11:33.480000 --> 0:11:40.120000
Now, the other thing that you will need to do that I skipped over a bit

0:11:40.120000 --> 0:11:44.300000
is you will need to onboard.

0:11:44.300000 --> 0:11:48.300000
And it's actually not listed here anymore because I have already onboarded.

0:11:48.300000 --> 0:11:53.320000
And this is something that may change when you start actually working

0:11:53.320000 --> 0:11:57.040000
with this. And I say that because it's currently in flux.

0:11:57.040000 --> 0:12:02.880000
In fact, as I was going through for this, some of the terms that I was

0:12:02.880000 --> 0:12:04.920000
used to looking for have changed a little bit.

0:12:04.920000 --> 0:12:07.380000
Not a big deal. Azure is always evolving.

0:12:07.380000 --> 0:12:08.520000
But just be aware of that.

0:12:08.520000 --> 0:12:12.120000
Right now, you have this concept of onboarding.

0:12:12.120000 --> 0:12:16.480000
And so for many of the services, particularly services associated with,

0:12:16.480000 --> 0:12:21.500000
it seems to be, Azure AD Premium, you have to onboard them.

0:12:21.500000 --> 0:12:22.820000
It's really very easy to do.

0:12:22.820000 --> 0:12:25.600000
It's just a step that you need to be aware of.

0:12:25.600000 --> 0:12:30.940000
And at this point, we've really covered Azure AD Identity Protection.

0:12:30.940000 --> 0:12:33.880000
As you can see, it's very easy to use.

0:12:33.880000 --> 0:12:35.880000
And it's really important.

0:12:35.880000 --> 0:12:42.560000
It does cost money inasmuch as it requires Azure AD Premium P2.

0:12:42.560000 --> 0:12:47.100000
I will tell you though, for me, the only reason not to use

0:12:47.100000 --> 0:12:51.040000
Azure AD Identity Protection is if you've got budgetary restrictions that

0:12:51.040000 --> 0:12:55.660000
are not going to allow you to implement Azure AD Premium P2.