Enhance security, simplify access and set smart policies with a single identity platform

Last updated: 18th April 2019

Azure Active Directory Premium P2

Azure Active Directory, Microsoft's multi-tenant, cloud-based directory and identity management service, provides an easy-to-use way to give your staff single sign-on access to thousands of cloud applications from Microsoft and other software vendors. Azure Active Directory Premium P2 (AADP P2), the most fully featured edition of Azure AD, includes all the functions of P1 plus the two services described below.

Azure AD Identity Protection provides:

  • A consolidated view of risk events and potential vulnerabilities affecting your organisation's identities
  • The ability to automatically block risky sign-ins or require adaptive remediation (for example multi-factor authentication or a password change)

Azure AD Privileged Identity Management enables you to:

  • See which users are Azure AD administrators
  • Enable "just-in-time" administrative access to Office 365 & Intune
  • Get reports on administrator access history and on changes to administrator assignments
  • Get alerts when a privileged role is accessed

Why use it?

Businesses are moving away from traditional on-premises IT deployments towards cloud deployments and an increasing number of mobile applications. Traditional defence mechanisms, designed with the on-premises network in mind, may no longer fit that picture and may not provide enough security.

A typical modern-day IT environment allows users to access data on any device and on any network, to share data with whom they want and how they want, and to use cloud-based applications, each with its own means of authentication and authorisation. Taking all this into account, IT teams can have little or no visibility of, or control over, how end users carry out their day-to-day work.

With no clear network edge, traditional firewalls and intrusion detection systems are of limited use on their own. Security services instead need to be dynamic and adapt to the ever-changing IT environment.

How do these services help protect your organisation?

Microsoft has access to a vast number of data sources, such as web indexes and crawls, email, authentications and many more, and combines them into what it calls the Intelligent Security Graph. This graph forms the basis of the two security services offered by AADP P2.

Identity Protection uses the graph to:

  • Gain insights: it gathers data from across the internet to identify attack trends early.
  • Make remediation recommendations: it learns a user's "normal" sign-in behaviour so that anomalies can be identified and remediated before an attacker makes use of a compromised account.
  • Assign risk-severity calculations: it can spot the use of leaked credentials, user lock-out events and sign-ins from infected devices, unfamiliar locations and anonymous or suspicious IP addresses, and rates each detection as low, medium or high risk.
  • Grant risk-based conditional access: it detects suspicious sign-ins and compromised credentials and applies your risk-based policies, such as requiring multi-factor authentication for risky sign-ins, forcing a password change where credentials are known to be compromised, or blocking the sign-in outright.

Identity Protection is not only something you watch in the portal. It sends notifications, supports data export and exposes reporting APIs that can feed your existing Security Information and Event Management (SIEM) system, monitoring tools and even Microsoft Power BI.
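The sign-in-risk and user-risk policies and the reporting export described above, written out as an added example (not code from the original page or from Microsoft) using the Microsoft Graph PowerShell SDK. The policy names, the break-glass account placeholder and the export file name are assumptions; the Graph permission scopes, condition names and control values are Microsoft's documented ones.

```powershell
# Added example (not from the original page): two risk-based Conditional Access
# policies plus an export of open risk detections for a SIEM, using the
# Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module).
# Identity Protection conditions require an Azure AD Premium P2 licence.
$scopes = @(
    "Policy.ReadWrite.ConditionalAccess",   # create/read Conditional Access policies
    "IdentityRiskEvent.Read.All"            # read Identity Protection risk detections
)
Connect-MgGraph -Scopes $scopes

# Placeholder: the object ID of your emergency-access ("break-glass") account.
# Always exclude it so that a misconfigured policy cannot lock every admin out.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

# Policy 1: medium or high sign-in risk -> require multi-factor authentication.
$signInRiskPolicy = @{
    displayName = "IP: MFA on medium or high sign-in risk"       # assumed name
    state       = "enabledForReportingButNotEnforced"            # report-only first
    conditions  = @{
        users            = @{ includeUsers = @("All"); excludeUsers = @($breakGlassAccountId) }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $signInRiskPolicy

# Policy 2: high user risk (e.g. leaked credentials) -> MFA and a forced password change.
# The passwordChange control must be combined with mfa using AND and must target all apps.
$userRiskPolicy = @{
    displayName = "IP: password change on high user risk"        # assumed name
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassAccountId) }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $userRiskPolicy

# Confirm both policies exist and are still in report-only mode.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -like "IP:*" } |
    Select-Object DisplayName, State, Id

# Reporting API: pull every detection still in the "atRisk" state and write it out
# as JSON for the SIEM to ingest (file name is an assumption).
Get-MgRiskDetection -Filter "riskState eq 'atRisk'" -All |
    Select-Object DetectedDateTime, UserPrincipalName, RiskEventType, RiskLevel, RiskState, IpAddress |
    ConvertTo-Json -Depth 3 |
    Set-Content -Path ".\risk-detections.json"
```

Leave both policies in report-only mode until you have reviewed the sign-in log for what they would have challenged or blocked, then change state to "enabled". The detection export is a one-off pull; for continuous SIEM feeding, schedule it or use a connector, and filter on DetectedDateTime so you only collect new records.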

Privileged Identity Management
Privileged Identity Management adds protection for your most important users, for example those with access to the business' most sensitive systems and data. It allows "just-in-time", time-limited activation of privileged roles as and when they are needed.

Privileged Identity Management provides an automated workflow in which users are granted elevated access for a task when required, after completing multi-factor authentication. The privilege is then revoked automatically after a pre-determined period.

Privileged Identity Management is based on how Microsoft runs its own services, such as Outlook.com, Xbox, Office 365 and Azure: Microsoft uses the same time-limited procedure when its own staff need access to customers' Office 365 subscriptions. It now gives customers the same identity security capabilities, including for non-Microsoft services and software.
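The just-in-time activation workflow described above, as an added example (not code from the original page or from Microsoft) using the Microsoft Graph PowerShell SDK. The role name, the two-hour window and the justification text are assumptions for illustration; the cmdlets, permission scopes and request fields are Microsoft's documented ones.

```powershell
# Added example (not from the original page): self-activating an eligible Azure AD
# role for a bounded period through Privileged Identity Management, using the
# Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance module).
$scopes = @(
    "RoleManagement.Read.Directory",            # look up role definitions
    "RoleEligibilitySchedule.Read.Directory",   # check our own eligibility
    "RoleAssignmentSchedule.ReadWrite.Directory", # submit the activation request
    "User.Read"                                 # resolve our own object ID
)
Connect-MgGraph -Scopes $scopes

$me   = Get-MgUser -UserId (Get-MgContext).Account
# Assumed role for the example; any PIM-eligible directory role works the same way.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"

# 1. Confirm the signed-in user is eligible (not permanently assigned) for the role.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "principalId eq '$($me.Id)' and roleDefinitionId eq '$($role.Id)'"
if (-not $eligible) {
    throw "No PIM eligibility for '$($role.DisplayName)'; ask a role owner to make you eligible."
}

# 2. Request activation for a bounded window. PIM enforces the role's settings
#    (MFA, approval, maximum duration): if MFA is required and this session has not
#    satisfied it, the request is rejected rather than silently granted.
$activation = @{
    action           = "selfActivate"
    principalId      = $me.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"                                   # tenant-wide scope
    justification    = "Mailbox migration (ticket reference goes here)"   # placeholder text
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT2H" }    # ISO 8601: two hours
    }
}
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation
"Activation request $($request.Id) status: $($request.Status)"

# 3. Verify the resulting time-limited assignment and when PIM will revoke it.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "principalId eq '$($me.Id)' and roleDefinitionId eq '$($role.Id)'" |
    Select-Object AssignmentType, StartDateTime, EndDateTime
```

The request status will be "PendingApproval" rather than "Provisioned" if the role's PIM settings require an approver, and the final step will then show no active instance until the approval is granted. The same request, and the alerts and access-history reports the page mentions, are what an auditor sees for every elevation, so keep the justification meaningful.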
