Who is Your Company's Riskiest User?

Chris Nicholas • August 11, 2017

Wouldn’t it be great if we could detect when our user accounts were being used in places it would have been impossible for us to travel to? How protected would you feel if you knew users exhibiting risky, anomalous behavior were automatically challenged for a second layer of authentication? Maybe we should run a system to alert administrators when these kinds of things were going on!

If you haven't guessed it so far, my cheesy delivery is failing. We can do all of that today.

Azure Active Directory Identity Protection is the very same security Microsoft uses to protect its own internal identities. It incorporates machine learning algorithms and heuristics to detect, assess and if configured, take action on suspicious behavior.

The automatic responses to risky situations means we can impose tougher security when it is called for, situationally. The user benefits because normal behavior is rewarded with a less authentication challenged experience. Automatic responses include multi-factor authentication enforcement or even a password reset. It can be tuned to be extremely sensitive to risk, or take action only when very obvious malicious activity is occurring.

We can report on the riskiest user accounts, review security posture recommendations and look at all of that on pretty dashboards.

I've included a few of the more interesting screenshots and the link to the Microsoft documentation on this technology.

Identity Protection capabilities

Detecting vulnerabilities and risky accounts:

Providing custom recommendations to improve overall security posture by highlighting vulnerabilities
Calculating sign-in risk levels
Calculating user risk levels

Investigating risk events:

Sending notifications for risk events
Investigating risk events using relevant and contextual information
Providing basic workflows to track investigations
Providing easy access to remediation actions such as password reset

Risk-based conditional access policies:

Policy to mitigate risky sign-ins by blocking sign-ins or requiring multi-factor authentication challenges.
Policy to block or secure risky user accounts
Policy to require users to register for multi-factor authentication

Identity Protection dashboard.

The dashboard gives you access to:

Reports such as Users flagged for risk, Risk events and Vulnerabilities
Settings such as the configuration of your Security Policies, Notifications and multi-factor authentication registration

Users flagged for risk dashboard

User risk levels

Review sign-ins from anonymous networks

It goes on, and alas I have brevity requirements to observe! If you want to know more about getting this enabled, the best practices surrounding these features or how you can utilize Azure Active Directory, a conversation would be a great starting point!

< Older Post

Newer Post >

AWS stumbled this morning. Here’s why multi‑cloud keeps you moving.

By Shawn Akins • October 20, 2025

October 20, 2025 — Early today, Amazon Web Services experienced a major incident centered in its US‑EAST‑1 (N. Virginia) region. AWS reports the event began around 12:11 a.m. PT and tied back to DNS resolution affecting DynamoDB , with mitigation within a couple of hours and recovery continuing thereafter. As the outage rippled, popular services like Snapchat, Venmo, Ring, Roblox, Fortnite , and even some Amazon properties saw disruptions before recovering. If your apps or data are anchored to a single cloud, a morning like this can turn into a help‑desk fire drill. A multi‑cloud or cloud‑smart approach helps you ride through these moments with minimal end‑user impact. What happened (and why it matters) Single‑region fragility: US‑EAST‑1 is massive—and when it sneezes, the internet catches a cold. Incidents here have a history of wide blast radius. Shared dependencies: DNS issues to core services (like DynamoDB endpoints) can cascade across workloads that never directly “touch” that service. Multi‑cloud: practical resilience, not buzzwords For mid‑sized orgs, schools, and local government, multi‑cloud doesn’t have to mean “every app in every cloud.” It means thoughtful redundancy where it counts : Multi‑region or multi‑provider failover for critical apps Run active/standby across AWS and Azure (or another provider), or at least across two AWS regions with automated failover. Start with citizen‑facing portals, SIS/LMS access, emergency comms, and payment gateways. Portable platforms Use Kubernetes and containers, keep state externalized, and standardize infra with Terraform/Ansible so you can redeploy fast when a region (or a provider) wobbles. (Today’s DNS hiccup is exactly the kind of scenario this protects against.) Resilient data layers Replicate data asynchronously across clouds/regions; choose databases with cross‑region failover and test RPO/RTO quarterly. If you rely on a managed database tied to one region, design an escape hatch. Traffic and identity that float Use global traffic managers/DNS to shift users automatically; keep identity (MFA/SSO) highly available and not hard‑wired to a single provider’s control plane. Run the playbook Document health checks, automated cutover, and comms templates. Then practice —tabletops and live failovers. Many services today recovered within hours, but only teams with rehearsed playbooks avoided user‑visible downtime. The bottom line Cloud concentration risk is real. Outages will happen—what matters is whether your constituents, students, and staff feel it. A pragmatic multi‑cloud stance limits the blast radius and keeps your mission‑critical services online when one provider has a bad day. Need a resilience check? Akins IT can help you prioritize which systems should be multi‑cloud, design the right level of redundancy, and validate your failover plan—without overspending. Let’s start with a quick, 30‑minute review of your most critical services and RPO/RTO targets. (No slideware, just actionable next steps.)