Академический Документы
Профессиональный Документы
Культура Документы
Identity Protection is a tool that allows organizations to accomplish three key tasks:
Automate the detection and remediation of identity-based risks.
Investigate risks using data in the portal.
Export risk detection data to third-party utilities for further analysis.
Identity Protection uses the learnings Microsoft has acquired from their position in organizations with Azure AD,
the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users. Microsoft analyses
6.5 trillion signals per day to identify and protect customers from threats.
The signals generated by and fed to Identity Protection, can be further fed into tools like Conditional Access to
make access decisions, or fed back to a security information and event management (SIEM ) tool for further
investigation based on your organization's enforced policies.
Each day, our machine learning and heuristic systems provide risk scores for 18 billion login attempts for over
800 million distinct accounts, 300 million of which are discernibly done by adversaries (entities like: criminal
actors, hackers).
At Ignite last year, I spoke about the top 3 attacks on our identity systems. Here is the recent volume of these
attacks
Breach replay: 4.6BN attacks detected in May 2018
Password spray: 350k in April 2018
Phishing: This is hard to quantify exactly, but we saw 23M risk events in March 2018, many of which are
phish related
Atypical travel Sign in from an atypical location based on the user’s recent
sign-ins.
Unfamiliar sign-in properties Sign in with properties we‘ve not seen recently for the given
user.
Leaked Credentials This risk detection indicates that the user's valid credentials
have been leaked
Azure AD threat intelligence Microsoft’s internal and external threat intelligence sources
have identified a known attack pattern
More detail on these risks and how/when they are calculated can be found in the article, What is risk.
The risk signals can trigger remediation efforts such as requiring users to: perform Azure Multi-Factor
Authentication, reset their password using self-service password reset, or blocking until an administrator takes
action.
Risk investigation
Administrators can review detections and take manual action on them if needed. There are three key reports that
administrators use for investigations in Identity Protection:
Risky users
Risky sign-ins
Risk detections
More information can be found in the article, How To: Investigate risk.
Permissions
Identity Protection requires users be a Security Reader, Security Operator, Security Administrator, Global Reader,
or Global Administrator in order to access.
License requirements
Using this feature requires an Azure AD Premium P2 license. To find the right license for your requirements,
see Comparing generally available features of the Free, Basic, and Premium editions.
Security reports Risky users Full access Limited Information Limited Information
Security reports Risky sign-ins Full access Limited Information Limited Information
Next steps
Security overview
What is risk
Policies available to mitigate risks
Azure Active Directory Identity Protection - Security
overview
11/22/2019 • 2 minutes to read • Edit Online
The Security overview in the Azure portal gives you an insight into your organization’s security posture. It helps
identify potential attacks and understand the effectiveness of your policies.
The ‘Security overview’ is broadly divided into two sections:
Trends, on the left, provide a timeline of risk in your organization.
Tiles, on the right, highlight the key ongoing issues in your organization and suggest how to quickly take action.
Trends
New risky users detected
This chart shows the number of new risky users that were detected over the chosen time period. You can filter the
view of this chart by user risk level (low, medium, high). Hover over the UTC date increments to see the number of
risky users detected for that day. A click on this chart will bring you to the ‘Risky users’ report. To remediate users
that are at risk, consider changing their password.
New risky sign-ins detected
This chart shows the number of risky sign-ins detected over the chosen time period. You can filter the view of this
chart by the sign-in risk type (real-time or aggregate) and the sign-in risk level (low, medium, high). Unprotected
sign-ins are successful real-time risk sign-ins that were not MFA challenged. (Note: Sign-ins that are risky because
of offline detections cannot be protected in real-time by sign-in risk policies). Hover over the UTC date increments
to see the number of sign-ins detected at risk for that day. A click on this chart will bring you to the ‘Risky sign-ins’
report.
Tiles
High risk users
The ‘High risk users’ tile shows the latest count of users with high probability of identity compromise. These
should be a top priority for investigation. A click on the ‘High risk users’ tile will redirect to a filtered view of the
‘Risky users’ report showing only users with a risk level of high. Using this report, you can learn more and
remediate these users with a password reset.
Next steps
What is risk
Policies available to mitigate risks
What is risk?
10/24/2019 • 4 minutes to read • Edit Online
Risk detections in Azure AD Identity Protection include any identified suspicious actions related to user accounts
in the directory.
Identity Protection provides organizations access to powerful resources to see and respond quickly to these
suspicious actions.
Leaked credentials This risk detection type indicates that the user’s valid
credentials have been leaked. When cybercriminals
compromise valid passwords of legitimate users, they often
share those credentials. This sharing is typically done by
posting publicly on the dark web, paste sites, or by trading
and selling the credentials on the black market. When the
Microsoft leaked credentials service acquires user credentials
from the dark web, paste sites, or other sources, they are
checked against Azure AD users' current valid credentials to
find valid matches.
Azure AD threat intelligence This risk detection type indicates user activity that is unusual
for the given user or is consistent with known attack patterns
based on Microsoft’s internal and external threat intelligence
sources.
Sign-in risk
A sign-in risk represents the probability that a given authentication request isn’t authorized by the identity owner.
These risks can be calculated in real-time or calculated offline using Microsoft’s internal and external threat
intelligence sources including security researchers, law enforcement professionals, security teams at Microsoft,
and other trusted sources.
Malware linked IP address Offline This risk detection type indicates sign-
ins from IP addresses infected with
malware that is known to actively
communicate with a bot server. This
detection is determined by correlating
IP addresses of the user’s device
against IP addresses that were in
contact with a bot server while the bot
server was active.
Unfamiliar sign-in properties Real-time This risk detection type considers past
sign-in history (IP, Latitude / Longitude
and ASN) to look for anomalous sign-
ins. The system stores information
about previous locations used by a
user, and considers these “familiar”
locations. The risk detection is triggered
when the sign-in occurs from a location
that's not already in the list of familiar
locations. Newly created users will be in
“learning mode” for a period of time in
which unfamiliar sign-in properties risk
detections will be turned off while our
algorithms learn the user’s behavior.
The learning mode duration is dynamic
and depends on how much time it
takes the algorithm to gather enough
information about the user’s sign-in
patterns. The minimum duration is five
days. A user can go back into learning
mode after a long period of inactivity.
The system also ignores sign-ins from
familiar devices, and locations that are
geographically close to a familiar
location.
Admin confirmed user compromised Offline This detection indicates an admin has
selected ‘Confirm user compromised’ in
the Risky users UI or using riskyUsers
API. To see which admin has confirmed
this user compromised, check the user’s
risk history (via UI or API).
Additional risk detected Real-time or Offline This detection indicates that one of the
above premium detections was
detected. Since the premium detections
are visible only to Azure AD Premium
P2 customers, they are titled "additional
risk detected" for customers without
Azure AD Premium P2 licenses.
Next steps
Policies available to mitigate risks
Security overview
Identity Protection policies
10/24/2019 • 2 minutes to read • Edit Online
Azure Active Directory Identity Protection includes three default policies that administrators can choose to enable.
These policies include limited customization but are applicable to most organizations. All of the policies allow for
excluding users such as your emergency access or break-glass administrator accounts.
NOTE
Users must have previously registered for Azure Multi-Factor Authentication before triggering the sign-in risk policy.
Custom Conditional Access policy
Administrators can also choose to create a custom Conditional Access policy including sign-in risk as an
assignment condition. More information about Conditional Access can be found in the article, What is Conditional
Access?
NOTE
Users must have previously registered for self-service password reset before triggering the user risk policy.
Next steps
Enable Azure AD self-service password reset
Enable Azure Multi-Factor Authentication
Enable Azure Multi-Factor Authentication registration policy
Enable sign-in and user risk policies
User experiences with Azure AD Identity Protection
10/24/2019 • 2 minutes to read • Edit Online
2. Complete the guided steps to register for Azure Multi-Factor Authentication and complete your sign-in.
Risky sign-in remediation
When an administrator has configured a policy for sign-in risks, the affected users are notified when they try to
sign in and trigger the policies risk level.
Risky sign-in self-remediation
1. The user is informed that something unusual was detected about their sign-in, such as signing in from a
new location, device, or app.
2. The user is required to prove their identity by completing Azure MFA with one of their previously registered
methods.
Risky sign-in administrator unblock
Administrators can choose to block users upon sign-in depending on their risk level. To get unblocked, end users
must contact their IT staff, or they can try signing in from a familiar location or device. Self-remediation by
performing multi-factor authentication is not an option in this case.
IT staff can follow the instructions in the section Unblocking users to allow users to sign back in.
2. The user is required to prove their identity by completing Azure MFA with one of their previously registered
methods.
3. Finally, the user is forced to change their password using self-service password reset since someone else
may have had access to their account.
See also
Remediate risks and unblock users
Azure Active Directory Identity Protection
Identity Protection and B2B users
10/24/2019 • 2 minutes to read • Edit Online
With Azure AD B2B collaboration, organizations can enforce risk-based policies for B2B users using Identity
Protection. These policies be configured in two ways:
Administrators can configure the built-in Identity Protection risk-based policies, that apply to all apps, that
include guest users.
Administrators can configure their Conditional Access policies, using sign-in risk as a condition, that includes
guest users.
Next steps
See the following articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
Azure Active Directory Identity Protection
notifications
11/22/2019 • 2 minutes to read • Edit Online
Azure AD Identity Protection sends two types of automated notification emails to help you manage user risk and
risk detections:
Users at risk detected email
Weekly digest email
This article provides you with an overview of both notification emails.
By default, recipients include all Global Admins. Global Admins can also add other Global Admins, Security
Admins, Security Readers as recipients.
Configure weekly digest email
As an administrator, you can switch sending a weekly digest email on or off and choose the users assigned to
receive the email.
Configure the weekly digest email in the Azure portal under Azure Active Directory > Security > Identity
Protection > Weekly digest.
See also
Azure Active Directory Identity Protection
How To: Configure the Azure Multi-Factor
Authentication registration policy
11/22/2019 • 2 minutes to read • Edit Online
Azure AD Identity Protection helps you manage the roll-out of Azure Multi-Factor Authentication (MFA)
registration by configuring a Conditional Access policy to require MFA registration no matter what modern
authentication app you are signing in to.
Policy configuration
1. Navigate to the Azure portal.
2. Browse to Azure Active Directory > Security > Identity Protection > MFA registration policy.
a. Under Assignments
a. Users - Choose All users or Select individuals and groups if limiting your rollout.
a. Optionally you can choose to exclude users from the policy.
b. Under Controls
a. Ensure the checkbox Require Azure MFA registration is checked and choose Select.
c. Enforce Policy - On
d. Save
User experience
Azure Active Directory Identity Protection will prompt your users to register the next time they sign in interactively
and they will have 14 days to complete registration. During this 14-day period, they can bypass registration but at
the end of the period they will be required to register before they can complete the sign-in process.
For an overview of the related user experience, see:
Sign-in experiences with Azure AD Identity Protection.
Next steps
Enable sign-in and user risk policies
Enable Azure AD self-service password reset
Enable Azure Multi-Factor Authentication
How To: Configure and enable risk policies
11/22/2019 • 2 minutes to read • Edit Online
As we learned in the previous article, Identity Protection policies we have two risk policies that we can enable in
our directory.
Sign-in risk policy
User risk policy
Both policies work to automate the response to risk detections in your environment and allow users to self-
remediate when risk is detected.
Prerequisites
If your organization wants to allow users to self-remediate when risks are detected, users must be registered for
both self-service password reset and Azure Multi-Factor Authentication. We recommend enabling the combined
security information registration experience for the best experience. Allowing users to self-remediate gets them
back to a productive state more quickly without requiring administrator intervention. Administrators can still see
these events and investigate them after the fact.
Exclusions
All of the policies allow for excluding users such as your emergency access or break-glass administrator accounts.
Organizations may determine they need to exclude other accounts from specific policies based on the way the
accounts are used. All exclusions should be reviewed regularly to see if they are still applicable.
Enable policies
To enable the user risk and sign-in risk policies complete the following steps.
1. Navigate to the Azure portal.
2. Browse to Azure Active Directory > Security > Identity Protection > Overview.
3. Select Configure user risk policy.
a. Under Assignments
a. Users - Choose All users or Select individuals and groups if limiting your rollout.
a. Optionally you can choose to exclude users from the policy.
b. Conditions - User risk Microsoft's recommendation is to set this option to High.
b. Under Controls
a. Access - Microsoft's recommendation is to Allow access and Require password change.
c. Enforce Policy - On
d. Save - This action will return you to the Overview page.
4. Select Configure sign-in risk policy.
a. Under Assignments
a. Users - Choose All users or Select individuals and groups if limiting your rollout.
a. Optionally you can choose to exclude users from the policy.
b. Conditions - Sign-in risk Microsoft's recommendation is to set this option to Medium and
above.
b. Under Controls
a. Access - Microsoft's recommendation is to Allow access and Require multi-factor
authentication.
c. Enforce Policy - On
d. Save
Next steps
Enable Azure Multi-Factor Authentication registration policy
What is risk
Investigate risk detections
Simulate risk detections
Simulating risk detections in Identity Protection
10/24/2019 • 4 minutes to read • Edit Online
Administrators may want to simulate risk in their environment in order to accomplish the following items:
Populate data in the Identity Protection environment by simulating risk detections and vulnerabilities.
Set up risk-based Conditional Access policies and test the impact of these policies.
This article provides you with steps for simulating the following risk detection types:
Anonymous IP address (easy)
Unfamiliar sign-in properties (moderate)
Atypical travel (difficult)
Other risk detections cannot be simulated in a secure manner.
More information about each risk detection can be found in the article, What is risk.
Anonymous IP address
Completing the following procedure requires you to use:
The Tor Browser to simulate anonymous IP addresses. You might need to use a virtual machine if your
organization restricts using the Tor browser.
A test account that is not yet registered for Azure Multi-Factor Authentication.
To simulate a sign-in from an anonymous IP, perform the following steps:
1. Using the Tor Browser, navigate to https://myapps.microsoft.com.
2. Enter the credentials of the account you want to appear in the Sign-ins from anonymous IP addresses
report.
The sign-in shows up on the Identity Protection dashboard within 10 - 15 minutes.
Atypical travel
Simulating the atypical travel condition is difficult because the algorithm uses machine learning to weed out false-
positives such as atypical travel from familiar devices, or sign-ins from VPNs that are used by other users in the
directory. Additionally, the algorithm requires a sign-in history of 14 days and 10 logins of the user before it
begins generating risk detections. Because of the complex machine learning models and above rules, there is a
chance that the following steps will not lead to a risk detection. You might want to replicate these steps for multiple
Azure AD accounts to simulate this detection.
To simulate an atypical travel risk detection, perform the following steps:
1. Using your standard browser, navigate to https://myapps.microsoft.com.
2. Enter the credentials of the account you want to generate an atypical travel risk detection for.
3. Change your user agent. You can change user agent in Microsoft Edge from Developer Tools (F12).
4. Change your IP address. You can change your IP address by using a VPN, a Tor add-on, or creating a new
virtual machine in Azure in a different data center.
5. Sign-in to https://myapps.microsoft.com using the same credentials as before and within a few minutes after
the previous sign-in.
The sign-in shows up in the Identity Protection dashboard within 2-4 hours.
Next steps
What is risk?
How To: Configure and enable risk policies
Azure Active Directory Identity Protection
How To: Investigate risk
11/22/2019 • 2 minutes to read • Edit Online
Identity Protection provides organizations with three reports they can use to investigate identity risks in their
environment. These reports are the risky users, risky sign-ins, and risk detections. Investigation of events is key
to better understanding and identifying any weak points in your security strategy.
All three reports allow for downloading of events in .CSV format for further analysis outside of the Azure portal.
The risky users and risky sign-ins reports allow for downloading the most recent 2500 entries, while the risk
detections report allows for downloading the most recent 5000 records.
Organizations can take advantage of the Microsoft Graph API integrations to aggregate data with other sources
they may have access to as an organization.
The three reports are found in the Azure portal > Azure Active Directory > Security.
Risky sign-ins
The risky sign-ins report contains filterable data for up to the past 30 days (1 month).
With the information provided by the risky sign-ins report, administrators can find:
Which sign-ins are classified as at risk, confirmed compromised, confirmed safe, dismissed, or remediated.
Real-time and aggregate risk levels associated with sign-in attempts.
Detection types triggered
Conditional Access policies applied
MFA details
Device information
Application information
Location information
Administrators can then choose to take action on these events. Administrators can choose to:
Confirm sign-in compromise
Confirm sign-in safe
Risk detections
The risk detections report contains filterable data for up to the past 90 days (3 months).
With the information provided by the risk detections report, administrators can find:
Information about each risk detection including type.
Other risks triggered at the same time
Sign-in attempt location
Link out to more detail from Microsoft Cloud App Security (MCAS ).
Administrators can then choose to return to the user's risk or sign-ins report to take actions based on information
gathered.
Next steps
Policies available to mitigate risks
Enable sign-in and user risk policies
Remediate risks and unblock users
11/22/2019 • 4 minutes to read • Edit Online
After completing your investigation, you will want to take action to remediate the risk or unblock users.
Organizations also have the option to enable automated remediation using their risk policies. Organizations
should try to close all risk detections that they are presented with in a time period your organization is comfortable
with. Microsoft recommends closing events as soon as possible because time matters when working with risk.
Remediation
All active risk detections contribute to the calculation of a value called user risk level. The user risk level is an
indicator (low, medium, high) for the probability that an account has been compromised. As an administrator, you
want to get all risk detections closed, so that the affected users are no longer at risk.
Some risks detections may be marked by Identity Protection as "Closed (system)" because the events were no
longer determined to be risky.
Administrators have the following options to remediate:
Self-remediation with risk policy
Manual password reset
Dismiss user risk
Close individual risk detections manually
Self-remediation with risk policy
If you allow users to self-remediate, with Azure Multi-Factor Authentication (MFA) and self-service password reset
(SSPR ) in your risk policies, they can unblock themselves when risk is detected. These detections are then
considered closed. Users must have previously registered for Azure MFA and SSPR in order to use when risk is
detected.
Some detections may not raise risk to the level where a user self-remediation would be required but
administrators should still evaluate these detections. Administrators may determine that additional measures are
necessary like blocking access from locations or lowering the acceptable risk in their policies.
Manual password reset
If requiring a password reset using a user risk policy is not an option, administrators can close all risk detections
for a user with a manual password reset.
Administrators are given two options when resetting a password for their users:
Generate a temporary password - By generating a temporary password, you can immediately bring an
identity back into a safe state. This method requires contacting the affected users because they need to
know what the temporary password is. Because the password is temporary, the user is prompted to change
the password to something new during the next sign-in.
Require the user to reset password - Requiring the users to reset passwords enables self-recovery
without contacting help desk or an administrator. This method only applies to users that are registered for
Azure MFA and SSPR. For users that have not been registered, this option isn't available.
Dismiss user risk
If a password reset is not an option for you, because for example the user has been deleted, you can choose to
dismiss user risk detections.
When you click Dismiss user risk, all events are closed and the affected user is no longer at risk. However,
because this method doesn't have an impact on the existing password, it doesn't bring the related identity back into
a safe state.
Close individual risk detections manually
You can close individual risk detections manually. By closing risk detections manually, you can lower the user risk
level. Typically, risk detections are closed manually in response to a related investigation. For example, when
talking to a user reveals that an active risk detection is not required anymore.
When closing risk detections manually, you can choose to take any of the following actions to change the status of
a risk detection:
Confirm user compromised
Dismiss user risk
Confirm sign-in safe
Confirm sign-in compromised
Unblocking users
An administrator may choose to block a sign-in based on their risk policy or investigations. A block may occur
based on either sign-in or user risk.
Unblocking based on user risk
To unblock an account blocked due to user risk, administrators have the following options:
1. Reset password - You can reset the user's password.
2. Dismiss user risk - The user risk policy blocks a user if the configured user risk level for blocking access has
been reached. You can reduce a user's risk level by dismissing user risk or manually closing reported risk
detections.
3. Exclude the user from policy - If you think that the current configuration of your sign-in policy is causing
issues for specific users, you can exclude the users from it. For more information, see the section Exclusions in
the article How To: Configure and enable risk policies.
4. Disable policy - If you think that your policy configuration is causing issues for all your users, you can disable
the policy. For more information, see the article How To: Configure and enable risk policies.
Unblocking based on sign-in risk
To unblock an account based on sign-in risk, administrators have the following options:
1. Sign in from a familiar location or device - A common reason for blocked suspicious sign-ins are sign-in
attempts from unfamiliar locations or devices. Your users can quickly determine whether this reason is the
blocking reason by trying to sign-in from a familiar location or device.
2. Exclude the user from policy - If you think that the current configuration of your sign-in policy is causing
issues for specific users, you can exclude the users from it. For more information, see the section Exclusions in
the article How To: Configure and enable risk policies.
3. Disable policy - If you think that your policy configuration is causing issues for all your users, you can disable
the policy. For more information, see the article How To: Configure and enable risk policies.
Next steps
To get an overview of Azure AD Identity Protection, see the Azure AD Identity Protection overview.
Get started with Azure Active Directory Identity
Protection and Microsoft Graph
11/20/2019 • 5 minutes to read • Edit Online
Microsoft Graph is the Microsoft unified API endpoint and the home of Azure Active Directory Identity Protection
APIs. There are four APIs that expose information about risky users and sign-ins. The first API, riskDetection,
allows you to query Microsoft Graph for a list of both user and sign-in linked risk detections and associated
information about the detection. The second API, riskyUsers, allows you to query Microsoft Graph for information
about users Identity Protection detected as risk. The third API, signIn, allows you to query Microsoft Graph for
information on Azure AD sign-ins with specific properties related to risk state, detail, and level. The fourth API,
identityRiskEvents, allows you to query Microsoft Graph for a list of risk detections and associated information.
The identityRiskEvents API will be deprecated on January 10, 2020; we suggest you use the riskDetections API
instead. This article gets you started with connecting to the Microsoft Graph and querying these APIs. For an in-
depth introduction, full documentation, and access to the Graph Explorer, see the Microsoft Graph site or the
specific reference documentation for these APIs:
riskDetection API
riskyUsers API
signIn API
identityRiskEvents API Will be deprecated January 10, 2020
2. On the Required permissions page, in the toolbar on the top, click Add.
4. On the Select an API page, select Microsoft Graph, and then click Select.
5. On the Add API access page, click Select permissions.
6. On the Enable Access page, click Read all identity risk information, and then click Select.
a. In the Key description textbox, type a description (for example, Azure AD Risk Detection).
b. As Duration, select In 1 year.
c. Click Save.
d. Copy the key value, and then paste it into a safe location.
NOTE
If you lose this key, you will have to return to this section and create a new key. Keep this key a secret: anyone who
has it can access your data.
`Authorization`="<token_type> <access_token>"
When authenticating, you can find the token type and access token in the returned token.
Send this header as a request to the following API URL: https://graph.microsoft.com/beta/identityRiskEvents
The response, if successful, is a collection of identity risk detections and associated data in the OData JSON format,
which can be parsed and handled as you see fit.
Here’s sample code for authenticating and calling the API using PowerShell.
Just add your client ID, the secret key, and the tenant domain.
$ClientID = "<your client ID here>" # Should be a ~36 hex character string; insert your info
here
$ClientSecret = "<your client secret here>" # Should be a ~44 character string; insert your info here
$tenantdomain = "<your tenant domain here>" # For example, contoso.onmicrosoft.com
$loginURL = "https://login.microsoft.com"
$resource = "https://graph.microsoft.com"
$body =
@{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
$oauth = Invoke-RestMethod -Method Post -Uri $loginURL/$tenantdomain/oauth2/token?api-version=1.0 -
Body $body
Write-Output $oauth
$url = "https://graph.microsoft.com/beta/identityRiskEvents"
Write-Output $url
} else {
Write-Host "ERROR: No Access Token"
}
Get all of the users who successfully passed an MFA challenge triggered by risky sign-ins policy (riskyUsers API )
To understand the impact Identity Protection risk-based policies have on your organization, you can query all of
the users who successfully passed an MFA challenge triggered by a risky sign-ins policy. This information can help
you understand which users Identity Protection may have falsely detected at as risk and which of your legitimate
users may be performing actions that the AI deems risky.
Get all the risky sign-ins for a specific user (signIn API )
When you believe a user may have been compromised, you can better understand the state of their risk by
retrieving all of their risky sign-ins.
https://graph.microsoft.com/beta/identityRiskEvents?`$filter=userID eq '<userID>' and riskState eq 'atRisk'
Next steps
Congratulations, you just made your first call to Microsoft Graph!
Now you can query identity risk detections and use the data however you see fit.
To learn more about Microsoft Graph and how to build applications using the Graph API, check out the
documentation and much more on the Microsoft Graph site.
For related information, see:
Azure Active Directory Identity Protection
Types of risk detections detected by Azure Active Directory Identity Protection
Microsoft Graph
Overview of Microsoft Graph
Azure AD Identity Protection Service Root
How To: Give risk feedback in Azure AD Identity
Protection
11/22/2019 • 4 minutes to read • Edit Online
Azure AD Identity Protection allows you to give feedback on its risk assessment. The following document lists the
scenarios where you would like to give feedback on Azure AD Identity Protection’s risk assessment and how we
incorporate it.
What is a detection?
An Identity Protection detection is an indicator of suspicious activity from an identity risk perspective. These
suspicious activities are called risk detections. These identity-based detections can be based on heuristics, machine
learning or can come from partner products. These detections are used to determine sign-in risk and user risk,
User risk represents the probability an identity is compromised.
Sign-in risk represents the probability a sign-in is compromised (for example, the sign-in is not authorized by
the identity owner).
How should I give risk feedback and what happens under the hood?
Here are the scenarios and mechanisms to give risk feedback to Azure AD.
WHAT HAPPENS UNDER THE
SCENARIO HOW TO GIVE FEEDBACK ? HOOD? NOTES
Sign-in not compromised Select the sign-in and click Azure AD will move the sign- Currently, the ‘Confirm sign-
(False positive) on ‘Confirm sign-in safe’. in’s aggregate risk to none in safe’ option is only
‘Risky sign-ins’ report shows [Risk state = Confirmed safe; available in ‘Risky sign-ins’
an at-risk sign-in [Risk state Risk level (Aggregate) = -] report.
= At risk] but that sign-in and will reverse its impact on
was not compromised. the user risk.
Sign-in compromised Select the sign-in and click Azure AD will move the sign- Currently, the ‘Confirm sign-
(True positive) on ‘Confirm sign-in in’s aggregate risk and the in compromised’ option is
‘Risky sign-ins’ report shows compromised’. user risk to High [Risk state only available in ‘Risky sign-
an at-risk sign-in [Risk state = Confirmed compromised; ins’ report.
= At risk] with low risk [Risk Risk level = High].
level (Aggregate) = Low] and
that sign-in was indeed
compromised.
User compromised (True Select the user and click on Azure AD will move the user Currently, the ‘Confirm user
positive) ‘Confirm user compromised’. risk to High [Risk state = compromised’ option is only
‘Risky users’ report shows an Confirmed compromised; available in ‘Risky users’
at-risk user [Risk state = At Risk level = High] and will report.
risk] with low risk [Risk level add a new detection ‘Admin The detection ‘Admin
= Low] and that user was confirmed user confirmed user
indeed compromised. compromised’. compromised’ is shown in
the tab ‘Risk detections not
linked to a sign-in’ in the
‘Risky users’ report.
User remediated outside 1. Select the user and click Azure AD moves the user Clicking ‘Dismiss user risk’
of Azure AD Identity ‘Confirm user compromised’. risk to none [Risk state = will close all risk on the user
Protection (True positive (This process confirms to Dismissed; Risk level = -] and and past sign-ins. This action
+ Remediated) Azure AD that the user was closes the risk on all existing cannot be undone.
‘Risky users’ report shows an indeed compromised.) sign-ins having active risk.
at-risk user and I have 2. Wait for the user’s ‘Risk
subsequently remediated level’ to go to High. (This
the user outside of Azure AD time gives Azure AD the
Identity Protection. needed time to take the
above feedback to the risk
engine.)
3. Select the user and click
‘Dismiss user risk’. (This
process confirms to Azure
AD that the user is no
longer compromised.)
User not compromised Select the user and click Azure AD moves the user Clicking ‘Dismiss user risk’
(False positive) ‘Dismiss user risk’. (This risk to none [Risk state = will close all risk on the user
‘Risky users’ report shows at process confirms to Azure Dismissed; Risk level = -]. and past sign-ins. This action
at-risk user but the user is AD that the user is not cannot be undone.
not compromised. compromised.)
WHAT HAPPENS UNDER THE
SCENARIO HOW TO GIVE FEEDBACK ? HOOD? NOTES
I want to close the user risk Select the user and click Azure AD moves the user Clicking ‘Dismiss user risk’
but I am not sure whether ‘Dismiss user risk’. (This risk to none [Risk state = will close all risk on the user
the user is compromised / process confirms to Azure Dismissed; Risk level = -]. and past sign-ins. This action
safe. AD that the user is no cannot be undone. We
longer compromised.) recommend you remediate
the user by clicking on ‘Reset
password’ or request the
user to securely
reset/change their
credentials.
Feedback on user risk detections in Identity Protection is processed offline and may take some time to update. The
risk processing state column will provide the current state of feedback processing.
Next steps
Azure Active Directory Identity Protection risk detections reference
Frequently asked questions Identity Protection in
Azure Active Directory
10/24/2019 • 3 minutes to read • Edit Online
Confirm safe (on a sign-in) – Informs Azure AD Identity Protection that the sign-in was performed by the identity
owner and does not indicate a compromise.
Upon receiving this feedback, we move the sign-in (not the user) risk state to Confirmed safe and the risk
level to -.
In addition, we provide the information to our machine learning systems for future improvements in risk
assessment.
NOTE
If you believe the user is not compromised, use Dismiss user risk on the user level instead of using Confirmed safe
on the sign-in level. A Dismiss user risk on the user level closes the user risk and all past risky sign-ins and risk
detections.
Why am I seeing a user with a low (or above ) risk score, even if no risky sign-ins or risk detections are shown in
Identity Protection?
Given the user risk is cumulative in nature and does not expire, a user may have a user risk of low or above even if
there are no recent risky sign-ins or risk detections shown in Identity Protection. This situation could happen if the
only malicious activity on a user took place beyond the timeframe for which we store the details of risky sign-ins
and risk detections. We do not expire user risk because bad actors have been known to stay in customers'
environment over 140 days behind a compromised identity before ramping up their attack. Customers can review
the user's risk timeline to understand why a user is at risk by going to:
Azure Portal > Azure Active Directory > Risky users’ report > Click on an at-risk user > Details’ drawer > Risk
history tab
Why does a sign-in have a “sign-in risk (aggregate )” score of High when the detections associated with it are of
low or medium risk?
The high aggregate risk score could be based on other features of the sign-in, or the fact that more than one
detection fired for that sign-in. And conversely, a sign-in may have a sign-in risk (aggregate) of Medium even if the
detections associated with the sign-in are of High risk.
Azure Active Directory Identity Protection Glossary
11/19/2019 • 6 minutes to read • Edit Online
At risk (User)
A user with one or more active risk detections.
Atypical sign-in location
A sign-in from a geographic location that is not typical for the specific user, similar users, or the tenant.
Azure AD Identity Protection
A security module of Azure Active Directory that provides a consolidated view into risk detections and potential
vulnerabilities affecting an organization’s identities.
Conditional Access
A policy for securing access to resources. Conditional Access rules are stored in the Azure Active Directory and are
evaluated by Azure AD before granting access to the resource. Example rules include restricting access based on
user location, device health, or user authentication method.
Credentials
Information that includes identification and proof of identification that is used to gain access to local and network
resources. Examples of credentials are user names and passwords, smart cards, and certificates.
Event
A record of an activity in Azure Active Directory.
False -positive (risk detection)
A risk detection status set manually by an Identity Protection user, indicating that the risk detection was
investigated and was incorrectly flagged as a risk detection.
Identity
A person or entity that must be verified by means of authentication, based on criteria such as password or a
certificate.
Identity risk detection
Azure AD event that was flagged as anomalous by Identity Protection, and may indicate that an identity has been
compromised.
Ignored (risk detection)
A risk detection status set manually by an Identity Protection user, indicating that the risk detection is closed
without taking a remediation action.
Impossible travel from atypical locations
A risk detection triggered when two sign-ins for the same user are detected, where at least one of them is from an
atypical sign-in location, and where the time between the sign-ins is shorter than the minimum time it would take
to physically travel between these locations.
Investigation
The process of reviewing the activities, logs, and other relevant information related to a risk detection to decide
whether remediation or mitigation steps are necessary, understand if and how the identity was compromised, and
understand how the compromised identity was used.
Leaked credentials
A risk detection triggered when current user credentials (user name and password) are found posted publicly in the
Dark web by our researchers.
Mitigation
An action to limit or eliminate the ability of an attacker to exploit a compromised identity or device without
restoring the identity or device to a safe state. A mitigation does not resolve previous risk detections associated
with the identity or device.
Multi-factor authentication
An authentication method that requires two or more authentication methods, which may include something the
user has, such a certificate; something the user knows, such as user names, passwords, or pass phrases; physical
attributes, such as a thumbprint; and personal attributes, such as a personal signature.
Offline detection
The detection of anomalies and evaluation of the risk of an event such as sign-in attempt after the fact, for an event
that has already happened.
Policy condition
A part of a security policy, which defines the entities (groups, users, apps, device platforms, Device states, IP ranges,
client types) included in the policy or excluded from it.
Policy rule
The part of a security policy that describes the circumstances that would trigger the policy, and the actions taken
when the policy is triggered.
Prevention
An action to prevent damage to the organization through abuse of an identity or device suspected or know to be
compromised. A prevention action does not secure the device or identity, and does not resolve previous risk
detections.
Privileged (user)
A user that at the time of a risk detection, had permanent or temporary admin permissions to one or more
resources in Azure Active Directory, such as a Global Administrator, Billing Administrator, Service Administrator,
User administrator, and Password Administrator.
Real-time
See Real-time detection.
Real-time detection
The detection of anomalies and evaluation of the risk of an event such as sign-in attempt before the event is
allowed to proceed.
Remediated (risk detection)
A risk detection status set automatically by Identity Protection, indicating that the risk detection was remediated
using the standard remediation action for this type of risk detection. For example, when the user password is reset,
many risk detections that indicate that the previous password was compromised are automatically remediated.
Remediation
An action to secure an identity or a device that were previously suspected or known to be compromised. A
remediation action restores the identity or device to a safe state, and resolves previous risk detections associated
with the identity or device.
Resolved (risk detection)
A risk detection status set manually by an Identity Protection user, indicating that the user took an appropriate
remediation action outside Identity Protection, and that the risk detection should be considered closed.
Risk detection status
A property of a risk detection, indicating whether the event is active, and if closed, the reason for closing it.
Risk detection type
A category for the risk detection, indicating the type of anomaly that caused the event to be considered risky.
Risk level (risk detection)
An indication (High, Medium, or Low ) of the severity of the risk detection to help Identity Protection users prioritize
the actions they take to reduce the risk to their organization.
Risk level (sign-in)
An indication (High, Medium, or Low ) of the likelihood that for a specific sign-in, someone else is attempting to use
the user’s identity.
Risk level (user compromise )
An indication (High, Medium, or Low ) of the likelihood that an identity has been compromised.
Risk level (vulnerability)
An indication (High, Medium, or Low ) of the severity of the vulnerability to help Identity Protection users prioritize
the actions they take to reduce the risk to their organization.
Secure (identity)
Take remediation action such as a password change or machine reimaging to restore a potentially compromised
identity to an uncompromised state.
Security policy
A collection of policy rules and condition. A policy can be applied to entities such as users, groups, apps, devices,
device platforms, device states, IP ranges, and Auth2.0 client types. When a policy is enabled, it is evaluated
whenever an entity included in the policy is issued a token for a resource.
Sign in (v)
To authenticate to an identity in Azure Active Directory.
Sign-in (n)
The process or action of authenticating an identity in Azure Active Directory, and the event that captures this
operation.
Sign in from anonymous IP address
A risk detection triggered after a successful sign-in from IP address that has been identified as an anonymous
proxy IP address.
Sign in from infected device
A risk detection triggered when a sign-in originates from an IP address, which is known to be used by one or more
compromised devices, which are actively attempting to communicate with a bot server.
Sign in from IP address with suspicious activity
A risk detection triggered after a successful sign-in from an IP address with a high number of failed login attempts
across multiple user accounts over a short period of time.
Sign in from unfamiliar location
A risk detection triggered when a user successfully signs in from a new location (IP, Latitude/Longitude, and ASN ).
Sign-in risk
See Risk level (sign-in)
Sign-in risk policy
A Conditional Access policy that evaluates the risk to a specific sign-in and applies mitigations based on predefined
conditions and rules.
User compromise risk
See Risk level (user compromise)
User risk
See Risk level (user compromise).
User risk policy
A Conditional Access policy that considers the sign-in and applies mitigations based on predefined conditions and
rules.
Users flagged for risk
Users that have risk detections, which are either active or remediated
Vulnerability
A configuration or condition in Azure Active Directory, which makes the directory susceptible to exploits or threats.
See also
Azure Active Directory Identity Protection
What's new in Azure Active Directory?
11/20/2019 • 38 minutes to read • Edit Online
Get notified about when to revisit this page for updates by copying and pasting this URL:
https://docs.microsoft.com/api/search/rss?search=%22release+notes+for+azure+AD%22&locale=en-us into your
feed reader.
Azure AD receives improvements on an ongoing basis. To stay up-to-date with the most recent developments, this
article provides you with information about:
The latest releases
Known issues
Bug fixes
Deprecated functionality
Plans for changes
This page is updated monthly, so revisit it regularly. If you're looking for items that are older than six months, you
can find them in the Archive for What's new in Azure Active Directory.
October 2019
Deprecation of the identityRiskEvent API for Azure AD Identity Protection risk detections
Type: Plan for change
Service category: Identity Protection
Product capability: Identity Security & Protection
In response to developer feedback, Azure AD Premium P2 subscribers can now perform complex queries on Azure
AD Identity Protection’s risk detection data by using the new riskDetection API for Microsoft Graph. The existing
identityRiskEvent API beta version will stop returning data around January 10, 2020. If your organization is using
the identityRiskEvent API, you should transition to the new riskDetection API.
For more information about the new riskDetection API, see the Risk detection API reference documentation.
For more information about the Application Proxy cookie settings, see Cookie settings for accessing on-premises
applications in Azure Active Directory.
App registrations (legacy) and converged app management from the Application Registration Portal
(apps.dev.microsoft.com) will no longer be available
Type: Plan for change
Service category: N/A
Product capability: Developer Experience
In the near future, users with Azure AD accounts will no longer be able to register and manage converged
applications using the Application Registration Portal (apps.dev.microsoft.com), or register and manage
applications in the App registrations (legacy) experience in the Azure portal.
To learn more about the new App registrations experience, see the App registrations in the Azure portal training
guide.
Users are no longer required to re -register during migration from per-user MFA to Conditional Access-based
MFA
Type: Fixed
Service category: MFA
Product capability: Identity Security & Protection
We've fixed a known issue whereby when users were required to re-register if they were disabled for per-user
Multi-Factor Authentication (MFA) and then enabled for MFA through a Conditional Access policy.
To require users to re-register, you can select the Required re-register MFA option from the user's authentication
methods in the Azure AD portal. For more information about migrating users from per-user MFA to Conditional
Access-based MFA, see Convert users from per-user MFA to Conditional Access based MFA.
Migration of Azure AD Domain Services (Azure AD DS ) from classic to Azure Resource Manager virtual
networks
Type: New feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services
To our customers who have been stuck on classic virtual networks -- we have great news for you! You can now
perform a one-time migration from a classic virtual network to an existing Resource Manager virtual network.
After moving to the Resource Manager virtual network, you'll be able to take advantage of the additional and
upgraded features such as, fine-grained password policies, email notifications, and audit logs.
For more information, see Preview - Migrate Azure AD Domain Services from the Classic virtual network model to
Resource Manager.
Update to the My Apps page along with new Workspaces (Public preview)
Type: New feature
Service category: My Apps
Product capability: Access Control
You can now customize the way your organization's users view and access the brand-new My Apps experience,
including using the new Workspaces feature to make it easier for them to find apps. The new Workspaces
functionality acts as a filter for the apps your organization's users already have access to.
For more information on rolling out the new My Apps experience and creating Workspaces, see Create workspaces
on the My Apps (preview ) portal.
Support for the monthly active user-based billing model (General availability)
Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C
Azure AD B2C now supports monthly active users (MAU ) billing. MAU billing is based on the number of unique
users with authentication activity during a calendar month. Existing customers can switch to this new billing
method at any time.
Starting on November 1, 2019, all new customers will automatically be billed using this method. This billing
method benefits customers through cost benefits and the ability to plan ahead.
For more information, see Upgrade to monthly active users billing model.
My Profile is renaming and integrating with the Microsoft Office account page
Type: Plan for change
Service category: My Profile/Account
Product capability: Collaboration
Starting in October, the My Profile experience will become My Account. As part of that change, everywhere that
currently says, My Profile will change to My Account. On top of the naming change and some design
improvements, the updated experience will offer additional integration with the Microsoft Office account page.
Specifically, you'll be able to access Office installations and subscriptions from the Overview Account page, along
with Office-related contact preferences from the Privacy page.
For more information about the My Profile (preview ) experience, see My Profile (preview ) portal overview .
Bulk manage groups and members using CSV files in the Azure AD portal (Public Preview)
Type: New feature
Service category: Group Management
Product capability: Collaboration
We're pleased to announce public preview availability of the bulk group management experiences in the Azure AD
portal. You can now use a CSV file and the Azure AD portal to manage groups and member lists, including:
Adding or removing members from a group.
Downloading the list of groups from the directory.
Downloading the list of group members for a specific group.
For more information, see Bulk add members, Bulk remove members, Bulk download members list, and Bulk
download groups list.
NOTE
At the start of public preview, the Global Reader role won't work with: SharePoint, Privileged Access Management, Customer
Lockbox, sensitivity labels, Teams Lifecycle, Teams Reporting & Call Analytics, Teams IP Phone Device Management, and
Teams App Catalog. All of these services are intended to work with the role in the future.
For more information, see Administrator role permissions in Azure Active Directory.
Access an on-premises Report Server from your Power BI Mobile app using Azure Active Directory Application
Proxy
Type: New feature
Service category: App Proxy
Product capability: Access Control
New integration between the Power BI mobile app and Azure AD Application Proxy allows you to securely sign in
to the Power BI mobile app and view any of your organization's reports hosted on the on-premises Power BI
Report Server.
For information about the Power BI Mobile app, including where to download the app, see the Power BI site. For
more information about how to set up the Power BI mobile app with Azure AD Application Proxy, see Enable
remote access to Power BI Mobile with Azure AD Application Proxy.
August 2019
Enhanced search, filtering, and sorting for groups is available in the Azure AD portal (Public Preview)
Type: New feature
Service category: Group Management
Product capability: Collaboration
We're pleased to announce public preview availability of the enhanced groups-related experiences in the Azure AD
portal. These enhancements help you better manage groups and member lists, by providing:
Advanced search capabilities, such as substring search on groups lists.
Advanced filtering and sorting options on member and owner lists.
New search capabilities for member and owner lists.
More accurate group counts for large groups.
For more information, see Manage groups in the Azure portal.
New custom roles are available for app registration management (Public Preview)
Type: New feature
Service category: RBAC
Product capability: Access Control
Custom roles (available with an Azure AD P1 or P2 subscription) can now help provide you with fine-grained
access, by letting you create role definitions with specific permissions and then to assign those roles to specific
resources. Currently, you create custom roles by using permissions for managing app registrations and then
assigning the role to a specific app. For more information about custom roles, see Custom administrator roles in
Azure Active Directory (preview ).
If you need additional permissions or resources supported, which you don’t currently see, you can send feedback
to our Azure feedback site and we’ll add your request to our update road map.
New provisioning logs can help you monitor and troubleshoot your app provisioning deployment (Public
Preview)
Type: New feature
Service category: App Provisioning
Product capability: Identity Lifecycle Management
New provisioning logs are available to help you monitor and troubleshoot the user and group provisioning
deployment. These new log files include information about:
What groups were successfully created in ServiceNow
What roles were imported from Amazon Web Services (AWS )
What employees weren't imported from Workday
For more information, see Provisioning reports in the Azure Active Directory portal (preview ) .
User-assigned managed identity is available for Virtual Machines and Virtual Machine Scale Sets (General
Availability)
Type: New feature
Service category: Managed identities for Azure resources
Product capability: Developer Experience
User-assigned managed identities are now generally available for Virtual Machines and Virtual Machine Scale
Sets. As part of this, Azure can create an identity in the Azure AD tenant that's trusted by the subscription in use,
and can be assigned to one or more Azure service instances. For more information about user-assigned managed
identities, see What is managed identities for Azure resources?.
Users can reset their passwords using a mobile app or hardware token (General Availability)
Type: Changed feature
Service category: Self Service Password Reset
Product capability: User Authentication
Users who have registered a mobile app with your organization can now reset their own password by approving a
notification from the Microsoft Authenticator app or by entering a code from their mobile app or hardware token.
For more information, see How it works: Azure AD self-service password reset. For more information about the
user experience, see Reset your own work or school password overview.
New versions of the AzureAD PowerShell and AzureADPreview PowerShell modules are available
Type: Changed feature
Service category: Other
Product capability: Directory
New updates to the AzureAD and AzureAD Preview PowerShell modules are available:
A new -Filter parameter was added to the Get-AzureADDirectoryRole parameter in the AzureAD module.
This parameter helps you filter on the directory roles returned by the cmdlet.
New cmdlets were added to the AzureADPreview module, to help define and assign custom roles in Azure
AD, including:
Get-AzureADMSRoleAssignment
Get-AzureADMSRoleDefinition
New-AzureADMSRoleAssignment
New-AzureADMSRoleDefinition
Remove-AzureADMSRoleAssignment
Remove-AzureADMSRoleDefinition
Set-AzureADMSRoleDefinition
Improvements to the UI of the dynamic group rule builder in the Azure portal
Type: Changed feature
Service category: Group Management
Product capability: Collaboration
We've made some UI improvements to the dynamic group rule builder, available in the Azure portal, to help you
more easily set up a new rule, or change existing rules. This design improvement allows you to create rules with up
to five expressions, instead of just one. We've also updated the device property list to remove deprecated device
properties.
For more information, see Manage dynamic membership rules.
New Microsoft Graph app permission available for use with access reviews
Type: Changed feature
Service category: Access Reviews
Product capability: Identity Governance
We've introduced a new Microsoft Graph app permission, AccessReview.ReadWrite.Membership , which allows apps
to automatically create and retrieve access reviews for group memberships and app assignments. This permission
can be used by your scheduled jobs or as part of your automation, without requiring a logged-in user context.
For more information, see the Example how to create Azure AD access reviews using Microsoft Graph app
permissions with PowerShell blog.
Azure AD activity logs are now available for government cloud instances in Azure Monitor
Type: Changed feature
Service category: Reporting
Product capability: Monitoring & Reporting
We're excited to announce that Azure AD activity logs are now available for government cloud instances in Azure
Monitor. You can now send Azure AD logs to your storage account or to an event hub to integrate with your SIEM
tools, like Sumologic, Splunk, and ArcSight.
For more information about setting up Azure Monitor, see Azure AD activity logs in Azure Monitor.
IMPORTANT
If you don't complete these steps before September 25, 2019, your Azure Active Directory tenant will be automatically
enabled for the enhanced experience. If you have questions, please contact us at registrationpreview@microsoft.com.
July 2019
Plan for change: Application Proxy service update to support only TLS 1.2
Type: Plan for change
Service category: App Proxy
Product capability: Access Control
To help provide you with our strongest encryption, we're going to begin limiting Application Proxy service access
to only TLS 1.2 protocols. This limitation will initially be rolled out to customers who are already using TLS 1.2
protocols, so you won't see the impact. Complete deprecation of the TLS 1.0 and TLS 1.1 protocols will be
complete on August 31, 2019. Customers still using TLS 1.0 and TLS 1.1 will receive advanced notice to prepare
for this change.
To maintain the connection to the Application Proxy service throughout this change, we recommend that you make
sure your client-server and browser-server combinations are updated to use TLS 1.2. We also recommend that you
make sure to include any client systems used by your employees to access apps published through the Application
Proxy service.
For more information, see Add an on-premises application for remote access through Application Proxy in Azure
Active Directory.
Plan for change: Design updates are coming for the Application Gallery
Type: Plan for change
Service category: Enterprise Apps
Product capability: SSO
New user interface changes are coming to the design of the Add from the gallery area of the Add an
application blade. These changes will help you more easily find your apps that support automatic provisioning,
OpenID Connect, Security Assertion Markup Language (SAML ), and Password single sign-on (SSO ).
Plan for change: Removal of the MFA server IP address from the Office 365 IP address
Type: Plan for change
Service category: MFA
Product capability: Identity Security & Protection
We're removing the MFA server IP address from the Office 365 IP Address and URL Web service. If you currently
rely on these pages to update your firewall settings, you must make sure you're also including the list of IP
addresses documented in the Azure Multi-Factor Authentication Server firewall requirements section of the
Getting started with the Azure Multi-Factor Authentication Server article.
App-only tokens now require the client app to exist in the resource tenant
Type: Fixed
Service category: Authentications (Logins)
Product capability: User Authentication
On July 26, 2019, we changed how we provide app-only tokens through the client credentials grant. Previously,
apps could get tokens to call other apps, regardless of whether the client app was in the tenant. We've updated this
behavior so single-tenant resources, sometimes called Web APIs, can only be called by client apps that exist in the
resource tenant.
If your app isn't located in the resource tenant, you'll get an error message that says,
The service principal named <app_name> was not found in the tenant named <tenant_name>. This can happen if the
application has not been installed by the administrator of the tenant.
To fix this problem, you must create the client app service principal in the tenant, using either the admin consent
endpoint or through PowerShell, which ensures your tenant has given the app permission to operate within the
tenant.
For more information, see What's new for authentication?.
NOTE
Existing consent between the client and the API continues to not be required. Apps should still be doing their own
authorization checks.
Automate user account provisioning for these newly supported SaaS apps
Type: New feature
Service category: Enterprise Apps
Product capability: Monitoring & Reporting
You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
Dialpad
Federated Directory
Figma
Leapsome
Peakon
Smartsheet
For more information about how to better secure your organization by using automated user account provisioning,
see Automate user provisioning to SaaS applications with Azure AD
New Azure AD Domain Services service tag for Network Security Group
Type: New feature
Service category: Azure AD Domain Services
Product capability: Azure AD Domain Services
If you're tired of managing long lists of IP addresses and ranges, you can use the new
AzureActiveDirectoryDomainServices network service tag in your Azure network security group to help secure
inbound traffic to your Azure AD Domain Services virtual network subnet.
For more information about this new service tag, see Network Security Groups for Azure AD Domain Services.
New security reports are available for all Azure AD administrators (Public Preview)
Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection
All Azure AD administrators can now select the banner at the top of existing security reports, such as the Users
flagged for risk report, to start using the new security experience as shown in the Risky users and the Risky
sign-ins reports. Over time, all of the security reports will move from the older versions to the new versions, with
the new reports providing you the following additional capabilities:
Advanced filtering and sorting
Bulk actions, such as dismissing user risk
Confirmation of compromised or safe entities
Risk state, covering: At risk, Dismissed, Remediated, and Confirmed compromised
For more information, see Risky users report and Risky sign-ins report.
Automate user account provisioning for these newly supported SaaS apps
Type: New feature
Service category: Enterprise Apps
Product capability: Monitoring & Reporting
You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
Dialpad
Federated Directory
Figma
Leapsome
Peakon
Smartsheet
For more information about how to better secure your organization by using automated user account provisioning,
see Automate user provisioning to SaaS applications with Azure AD.
June 2019
New riskDetections API for Microsoft Graph (Public preview)
Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection
We're pleased to announce the new riskDetections API for Microsoft Graph is now in public preview. You can use
this new API to view a list of your organization's Identity Protection-related user and sign-in risk detections. You
can also use this API to more efficiently query your risk detections, including details about the detection type,
status, level, and more.
For more information, see the Risk detection API reference documentation.
Automate user account provisioning for these newly supported SaaS apps
Type: New feature
Service category: Enterprise Apps
Product capability: Monitoring & Reporting
You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
Zoom
Envoy
Proxyclick
4me
For more information about how to better secure your organization by using automated user account provisioning,
see Automate user provisioning to SaaS applications with Azure AD
Azure Multi-Factor Authentication (MFA ) Server is no longer available for new deployments
Type: Deprecated
Service category: MFA
Product capability: Identity Security & Protection
As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who want to
require multi-factor authentication in their organization must now use cloud-based Azure Multi-Factor
Authentication. Customers who activated MFA Server prior to July 1 won't see a change. You'll still be able to
download the latest version, get future updates, and generate activation credentials.
For more information, see Getting started with the Azure Multi-Factor Authentication Server. For more
information about cloud-based Azure Multi-Factor Authentication, see Planning a cloud-based Azure Multi-Factor
Authentication deployment.
May 2019
Service change: Future support for only TLS 1.2 protocols on the Application Proxy service
Type: Plan for change
Service category: App Proxy
Product capability: Access Control
To help provide best-in-class encryption for our customers, we're limiting access to only TLS 1.2 protocols on the
Application Proxy service. This change is gradually being rolled out to customers who are already only using TLS
1.2 protocols, so you shouldn't see any changes.
Deprecation of TLS 1.0 and TLS 1.1 happens on August 31, 2019, but we'll provide additional advanced notice, so
you'll have time to prepare for this change. To prepare for this change make sure your client-server and browser-
server combinations, including any clients your users use to access apps published through Application Proxy, are
updated to use the TLS 1.2 protocol to maintain the connection to the Application Proxy service. For more
information, see Add an on-premises application for remote access through Application Proxy in Azure Active
Directory.
Use the usage and insights report to view your app-related sign-in data
Type: New feature
Service category: Enterprise Apps
Product capability: Monitoring & Reporting
You can now use the usage and insights report, located in the Enterprise applications area of the Azure portal, to
get an application-centric view of your sign-in data, including info about:
Top used apps for your organization
Apps with the most failed sign-ins
Top sign-in errors for each app
For more information about this feature, see Usage and insights report in the Azure Active Directory portal
New capabilities available in the Risky Users API for Identity Protection
Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection
We're pleased to announce that you can now use the Risky Users API to retrieve users' risk history, dismiss risky
users, and to confirm users as compromised. This change helps you to more efficiently update the risk status of
your users and understand their risk history.
For more information, see the Risky Users API reference documentation.
Configure a naming policy for Office 365 groups in Azure AD portal (General availability)
Type: Changed feature
Service category: Group Management
Product capability: Collaboration
Administrators can now configure a naming policy for Office 365 groups, using the Azure AD portal. This change
helps to enforce consistent naming conventions for Office 365 groups created or edited by users in your
organization.
You can configure naming policy for Office 365 groups in two different ways:
Define prefixes or suffixes, which are automatically added to a group name.
Upload a customized set of blocked words for your organization, which are not allowed in group names (for
example, “CEO, Payroll, HR”).
For more information, see Enforce a Naming Policy for Office 365 groups.
Microsoft Graph API endpoints are now available for Azure AD activity logs (General availability)
Type: Changed feature
Service category: Reporting
Product capability: Monitoring & Reporting
We're happy to announce general availability of Microsoft Graph API endpoints support for Azure AD activity logs.
With this release, you can now use Version 1.0 of both the Azure AD audit logs, as well as the sign-in logs APIs.
For more information, see Azure AD audit log API overview.
Administrators can now use Conditional Access for the combined registration process (Public preview)
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection
Administrators can now create Conditional Access policies for use by the combined registration page. This includes
applying policies to allow registration if:
Users are on a trusted network.
Users are a low sign-in risk.
Users are on a managed device.
Users agree to the organization’s terms of use (TOU ).
For more information about Conditional Access and password reset, you can see the Conditional Access for the
Azure AD combined MFA and password reset registration experience blog post. For more information about
Conditional Access policies for the combined registration process, see Conditional Access policies for combined
registration. For more information about the Azure AD terms of use feature, see Azure Active Directory terms of
use feature.