
Introduction and Context

Protecting user identities is central both to securing applications and to meeting security compliance standards. Azure AD B2C Identity Protection helps identify and mitigate identity risks by applying advanced security controls, reducing the threat of compromised accounts, atypical user behaviour, and malicious sign-ins.

This blog is a comprehensive overview of Identity Protection in Azure AD B2C, outlining its benefits, advantages, disadvantages, licensing requirements, key use cases, and why it is a necessity to consider during user migration.

What is Identity Protection in Azure AD B2C?

Azure AD B2C Identity Protection helps organizations discover, investigate, and remediate identity-based risks in their customer identity environments. It works by analyzing user risk (probability that an identity is compromised) and sign-in risk (probability of a malicious authentication attempt).

Benefits of Identity Protection

  1. Enhanced Security and Risk Detection
    • Automatically identifies threats like sign-ins from malware-linked IPs, anonymous proxies, or unfamiliar locations.
    • Proactively mitigates identity-based risks before they escalate into breaches.
  2. Simplifies Threat Investigation
    • Administrators can view detailed reports to understand the nature and context of risks.
    • Offers filtering and export capabilities for seamless integration with external tools like Power BI or Microsoft Sentinel.
  3. Supports Risk-Based Access Control
    • Identity Protection works seamlessly with Conditional Access policies to enforce actions like MFA or block access based on risk levels.
  4. Automation of Risk Mitigation
    • Reduces operational overhead with automated workflows to remediate compromised accounts (e.g., password reset prompts).

Licensing Requirements and Costs

To use Identity Protection in Azure AD B2C, organizations need the following licenses:

  • Azure AD Premium P1: Includes basic Identity Protection features like Risky Users Reports with moderate visibility.
  • Azure AD Premium P2: Adds advanced features like Risk Detections Reports and advanced visibility.

Example Pricing Structure

  1. Free Tier:
    • The first 50,000 MAUs per month are free for both Premium P1 and Premium P2 features.
  2. Beyond the Free Tier:
    • Premium P1 Features: After the initial 50,000 free MAUs, each additional MAU is billed at $0.0028.
    • Premium P2 Features: Similarly, beyond the free tier, each additional MAU is charged at $0.016425.
  3. Multi-Factor Authentication (MFA):
    • SMS/Phone-based MFA incurs a separate charge of $0.03 per authentication attempt.
  4. Azure AD Premium P1:
    • Does not include automated risk-based remediation.
    • Conditional Access policies can be configured to require MFA or block access based on pre-defined conditions, but these policies are not dynamically adjusted based on real-time risk assessments.
    • No risk-based Conditional Access. Security responses are static and do not adapt to evolving risk levels.
  5. Azure AD Premium P2:
    • Includes full Identity Protection capabilities, including risk-based Conditional Access.
    • Automatically enforces security actions based on real-time risk analysis, such as:
        • Blocking high-risk sign-ins.
        • Enforcing MFA or password resets for suspicious activity.
        • Detecting and mitigating compromised accounts using AI-driven risk signals.
    • Continuously refines risk scoring based on behavioral patterns, past threats, and Microsoft's global security intelligence.
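To make the MAU model above concrete, here is an added cost estimator (example code, not from the original post). It uses only the figures quoted in this section: the 50,000 free MAUs, the per-MAU rates for P1 and P2 beyond that, and the per-attempt charge for SMS/phone MFA. Treat the numbers as illustrative of the model rather than as a quote of current Microsoft pricing; the `CostBreakdown` type and function names are this example's own.

```python
"""Added example (not from the original post): estimate monthly Azure AD B2C
Identity Protection cost from the MAU pricing figures quoted in the post.
The rates below are copied from the post and are illustrative only."""

from dataclasses import dataclass

FREE_MAU = 50_000                                # first 50,000 MAUs per month are free (P1 and P2)
RATE_PER_MAU = {"P1": 0.0028, "P2": 0.016425}    # USD per additional MAU beyond the free tier
SMS_MFA_PER_ATTEMPT = 0.03                       # USD per SMS/phone-based MFA authentication attempt


@dataclass(frozen=True)
class CostBreakdown:
    tier: str
    billable_mau: int
    mau_cost: float
    mfa_cost: float

    @property
    def total(self) -> float:
        return round(self.mau_cost + self.mfa_cost, 2)


def estimate_monthly_cost(tier: str, mau: int, sms_mfa_attempts: int = 0) -> CostBreakdown:
    """Monthly cost for one tier: free allowance, then the per-MAU rate, plus SMS MFA attempts."""
    if tier not in RATE_PER_MAU:
        raise ValueError(f"unknown tier {tier!r}; expected one of {sorted(RATE_PER_MAU)}")
    if mau < 0 or sms_mfa_attempts < 0:
        raise ValueError("MAU and MFA attempt counts must be non-negative")
    billable = max(0, mau - FREE_MAU)            # nothing is billed until the free tier is exhausted
    mau_cost = round(billable * RATE_PER_MAU[tier], 2)
    mfa_cost = round(sms_mfa_attempts * SMS_MFA_PER_ATTEMPT, 2)
    return CostBreakdown(tier, billable, mau_cost, mfa_cost)


def p2_premium_over_p1(mau: int) -> float:
    """How much more P2 costs than P1 per month at a given MAU count (MFA charges excluded)."""
    return round(estimate_monthly_cost("P2", mau).mau_cost
                 - estimate_monthly_cost("P1", mau).mau_cost, 2)


if __name__ == "__main__":
    # Constructed scenarios: assume one in ten active users triggers one SMS MFA attempt per month.
    for users in (40_000, 100_000, 1_000_000):
        p1 = estimate_monthly_cost("P1", users, sms_mfa_attempts=users // 10)
        p2 = estimate_monthly_cost("P2", users, sms_mfa_attempts=users // 10)
        print(f"{users:>9} MAU  P1 ${p1.total:>10,.2f}  P2 ${p2.total:>10,.2f}  "
              f"P2 premium ${p2_premium_over_p1(users):>10,.2f}")
```

The useful output is the P2 premium at scale: the per-MAU gap is small, but at a million MAUs it is the difference between a few thousand and over fifteen thousand dollars a month, which is the ROI question the "Gotchas" section raises. SMS MFA is billed per attempt, so a risk-based policy that prompts for MFA more often also moves that line.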

Identity Protection Reports

Azure AD Identity Protection provides security insights through two primary reports, whose depth varies by licensing tier:

  1. Risky Users Report:
    • Identifies users flagged for potential compromise based on detected anomalies.
    • P1: Basic visibility with limited insights.
    • P2: Includes detailed risk history, trends, and remediation options.
    • P1 & P2: Remediation actions from the Risky Users Report are available in both tiers.
  2. Risk Detections Report:
    • Breaks down individual risk events (e.g., unfamiliar locations, malware activity, credential stuffing attacks).
    • P1: Shows some detection data but lacks deep insights.
    • P2: Includes detailed event forensics, timestamps, and recommended mitigation actions.
    • P1 & P2: Report downloads and Microsoft Graph API access are available in both tiers.
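The following added example (not from the original post, and not code from Microsoft) shows what the P2 behaviour described above looks like when written out: it aggregates a Risk Detections export into a per-user risk level and evaluates that level against risk-based Conditional Access policies. The detection records are constructed and shaped like Microsoft Graph `riskDetection` objects (`riskEventType`, `riskLevel`, `riskState`); the two policies use the `conditions.userRiskLevels`, `conditions.signInRiskLevels` and `grantControls.builtInControls` fields of a Graph `conditionalAccessPolicy`. Nothing here calls Graph; the user names, IDs and policies are invented. P1 tenants can download the same report but cannot attach the risk conditions to a policy, which is the gap the tiers differ on.

```python
"""Added example (not from the original post): triage a Risk Detections export
and evaluate per-user risk against risk-based Conditional Access policies.
All records and policies below are constructed for illustration."""

from collections import defaultdict

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}
ACTIVE_STATES = {"atRisk", "confirmedCompromised"}   # detections that still count toward user risk

# Constructed sample export, shaped like Graph riskDetection objects (not real users or IDs).
DETECTIONS = [
    {"id": "det-001", "userPrincipalName": "alice@contoso.example", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "medium", "riskState": "atRisk", "detectedDateTime": "2024-05-01T08:12:00Z"},
    {"id": "det-002", "userPrincipalName": "alice@contoso.example", "riskEventType": "anonymizedIPAddress",
     "riskLevel": "high", "riskState": "atRisk", "detectedDateTime": "2024-05-01T08:15:00Z"},
    {"id": "det-003", "userPrincipalName": "bob@contoso.example", "riskEventType": "passwordSpray",
     "riskLevel": "high", "riskState": "remediated", "detectedDateTime": "2024-04-28T22:40:00Z"},
    {"id": "det-004", "userPrincipalName": "carol@contoso.example", "riskEventType": "unlikelyTravel",
     "riskLevel": "low", "riskState": "atRisk", "detectedDateTime": "2024-05-02T03:05:00Z"},
]

# Constructed policies in conditionalAccessPolicy shape: risk level -> grant control (P2 feature).
BLOCK_HIGH = {"displayName": "Block high-risk sign-ins",
              "conditions": {"signInRiskLevels": ["high"], "userRiskLevels": ["high"]},
              "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
MFA_MEDIUM = {"displayName": "Require MFA at medium risk",
              "conditions": {"signInRiskLevels": ["medium"], "userRiskLevels": ["medium"]},
              "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
POLICIES = [BLOCK_HIGH, MFA_MEDIUM]


def user_risk_levels(detections):
    """Highest still-active riskLevel per user; remediated or dismissed detections do not count."""
    levels = defaultdict(lambda: "none")
    for d in detections:
        upn = d["userPrincipalName"]
        levels.setdefault(upn, "none")           # keep users whose detections are all closed
        if d["riskState"] not in ACTIVE_STATES:
            continue
        if RISK_ORDER[d["riskLevel"]] > RISK_ORDER[levels[upn]]:
            levels[upn] = d["riskLevel"]
    return dict(levels)


def required_controls(user_risk, sign_in_risk, policies=POLICIES):
    """Union of grant controls from every policy whose risk conditions match; a block always wins."""
    controls = set()
    for p in policies:
        cond = p["conditions"]
        if user_risk in cond.get("userRiskLevels", []) or sign_in_risk in cond.get("signInRiskLevels", []):
            controls.update(p["grantControls"]["builtInControls"])
    if "block" in controls:
        return ["block"]
    return sorted(controls)


def triage(detections, policies=POLICIES):
    """Per-user summary: active user risk and the control a fresh, otherwise clean sign-in would hit."""
    report = {}
    for upn, level in user_risk_levels(detections).items():
        report[upn] = {"userRisk": level, "controls": required_controls(level, "none", policies)}
    return report


if __name__ == "__main__":
    for upn, row in sorted(triage(DETECTIONS).items()):
        print(f"{upn:<28} userRisk={row['userRisk']:<7} controls={row['controls'] or ['allow']}")
```

Two points the code makes that the prose only implies: a user's risk is the highest active detection, not the latest one (alice's medium-risk detection is superseded by the high one), and remediation clears the user from enforcement (bob's password-spray event is `remediated`, so he falls through to allow). Sign-in risk and user risk are evaluated as separate conditions, so a clean user on a risky session still hits the sign-in-risk branch.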

Key Takeaways

P1 provides basic security monitoring but lacks automated remediation and risk-based Conditional Access.
P2 dynamically adjusts security policies using AI-driven risk assessments and provides full automation.
P2 offers deeper reporting with full risk history and event forensics, helping organizations proactively detect threats.

Gotchas to Consider

Azure AD B2C does not follow per-user licensing like Azure AD (Entra ID). Instead, it uses a Monthly Active Users (MAU) pricing model.
External (guest) users are counted as MAUs and are subject to the same billing rules.
The first 50,000 MAUs per month are free under both Premium P1 and P2 tiers.
Premium P1 does NOT include full Identity Protection capabilities. It provides basic Conditional Access but lacks automated risk-based remediation.
Premium P2 is required for comprehensive risk-based policies, including automatic mitigation actions like blocking, password resets, and advanced risk analysis.
Costs can scale quickly for large user bases, making it essential to evaluate ROI.

Advantages of Identity Protection

Real-Time Risk Detection: Proactively identify threats like password spray or compromised accounts.
Integration with Conditional Access: Strengthens security by enforcing policies based on risk assessments.
Automated Remediation: Reduces manual intervention and streamlines identity management workflows.

Disadvantages of Identity Protection

Cost Implications: Premium licenses can be expensive for larger organizations.
Complex Licensing Structure: Understanding and managing licenses across B2C tenants can be challenging.

When to Use Identity Protection

User Migration: During migration, compromised accounts can pose risks to the new environment. Setting up Identity Protection ensures risks are flagged and remediated early.
For High-Security Applications: Industries like finance, healthcare, or e-commerce that handle sensitive data should prioritize Identity Protection.

Key Considerations for Infrastructure Planning

Licensing Costs: Calculate the total cost of P1 or P2 licenses based on the user base and assess affordability.
Integration with Existing Tools: Leverage Identity Protection data in Log Analytics, Power BI, or Microsoft Sentinel to maximize insights.
Conditional Access: Ensure Conditional Access policies are configured to enforce the appropriate security actions for flagged risks.
Scalability: Consider the impact of Identity Protection on user growth and scaling needs.

Why Considering Identity Protection Matters Before User Migration

User migration introduces new risks, especially if your existing user base has compromised or high-risk accounts. Implementing Identity Protection before migration ensures the following:

Proactive Risk Mitigation: Detects and addresses risky accounts before, during, and after users are moved to the new environment.
Improved Security Posture: Establish a baseline for account security in the new system.
Seamless Transition: Reduce operational disruptions caused by flagged accounts or security incidents during migration.

Conclusion

Identity Protection in Azure AD B2C provides a robust solution for customer identity protection and risk mitigation. Although the required licensing comes with a cost, the added security and scalability outweigh it for organizations concerned with these risks.

Before diving into user migrations or adopting new customer identity solutions, Identity Protection serves as an essential tool for ensuring a robust security foundation. For organizations of all sizes, it's worth evaluating whether the investment aligns with your infrastructure and security goals.
