Azure AD Access reviews and the power of Machine learning

The above pic is AI based illustration for Access reviews and AI, it sure looks like it. It uses the same theme than many others but still it’s unique.

AI has been in the news after OpenAI has created some friction, in good and bad.

Power of quantity

Did you know that many Microsoft features and solutions use Machine learning and Artificial intelligence to provide the best automated protection and prepopulated choices for different scenarios.

The amount of traffic Microsoft oversees inside their products is at insane levels, the following picture is from Microsoft’s Digital Defense Report 2022

Read the full report from here,

One of the solutions you could use to connect the dots is the API called.

Graph Security API

The Microsoft Graph security API allows developers to access a variety of security-related information and services from multiple Microsoft Graph security providers using a single, unified interface. This makes it easier for developers to integrate security features into their applications, as they only need to interact with a single API instead of multiple security providers.

The security API provides access to various types of security-related information and services, including:

  • Threat intelligence data
  • Security alerts and notifications
  • Security configuration information
  • Security policy management capabilities

By using the Microsoft Graph security API, developers can build applications that can help organizations monitor and manage their security posture, detect and respond to threats, and take preventive actions to protect against potential security vulnerabilities.

Defender for Endpoint and EDR


Let’s say you organization have bought a third-party Antivirus solution for what ever reason. Yes, there could be real reason to do say instead of using full Defender for Windows capabilities.

So let’s assume this one, you install the management consoles, you install the clients and it keeps dropping those bad actors from your devices.

But one day there is a new variant that isn’t known to it and it let’s it through. The bad actor install itself to run inside your devices and hides itself from being seen.

See more here on why you should enable the integration.

When EDR in Block mode kicks in

First we have to understand that EDR in Block mode works only when Defender for Windows antivirus functionality is disabled.

So you have that third-party antivirus solution running and Microsoft Defender Antivirus is running in Passive mode.

The requirements

PermissionsYou must have either the Global Administrator or Security Administrator role assigned in Azure Active Directory. For more information, see Basic permissions.
Operating systemDevices must be running one of the following versions of Windows: Windows 11 Windows 10 (all releases) Windows Server 2019 or later Windows Server, version 1803 or later Windows Server 2016 and Windows Server 2012 R2 (with the new unified client solution)
Microsoft Defender for EndpointDevices must be onboarded to Defender for Endpoint. See the following articles:
– Minimum requirements for Microsoft Defender for Endpoint
– Onboard devices and configure Microsoft Defender for Endpoint capabilities
– Onboard Windows servers to the Defender for Endpoint service
– New Windows Server 2012 R2 and 2016 functionality in the modern unified solution (Preview)
Microsoft Defender AntivirusDevices must have Microsoft Defender Antivirus installed and running in either active mode or passive mode. Confirm Microsoft Defender Antivirus is in active or passive mode.
Cloud-delivered protectionMicrosoft Defender Antivirus must be configured such that cloud-delivered protection is enabled.
Microsoft Defender Antivirus platformDevices must be up to date. To confirm, using PowerShell, run the Get-MpComputerStatus cmdlet as an administrator. In the AMProductVersion line, you should see 4.18.2001.10 or above.To learn more, see Manage Microsoft Defender Antivirus updates and apply baselines.
Microsoft Defender Antivirus engineDevices must be up to date. To confirm, using PowerShell, run the Get-MpComputerStatus cmdlet as an administrator. In the AMEngineVersion line, you should see 1.1.16700.2 or above.To learn more, see Manage Microsoft Defender Antivirus updates and apply baselines.

Check that Microsoft Defender for antivirus is disabled.

PowerShell1. Select the Start menu, begin typing PowerShell, and then open Windows PowerShell in the results.

2. Type Get-MpComputerStatus.

3. In the list of results, in the AMRunningMode row, look for one of the following values:
– Normal
– Passive Mode

To learn more, see Get-MpComputerStatus.
Command PromptSelect the Start menu, begin typing Command Prompt, and then open Windows Command Prompt in the results.Type sc query windefend.In the list of results, in the STATE row, confirm that the service is running.

How do we enable it?

You can do it with portal.

Check that it’s enabled

NanoCore RAT attack and EDR

I won’t do any demo for this post as Microsoft has a perfect example on this in their Techcommunity post.

So as we can see, you don’t always have to use full Defender capabilities for make your devices safe. With EDR in block mode, you can achieve a rich protection after antivirus protection even when using third-party solution.

Defender for Endpoint and AI

This year at Ignite Microsoft released network level protection for Endpoints. It will use Microsoft’s own AI and your tenant scoring to determinate what to block before it reaches any critical components.

This is an perfect example of the analytics that is done automatically by Microsoft.

And this is a perfect segue (yes, segue not Segway) to the following topic.

Access Reviews and AI

The controls for helping decision making are simple and clear, if you are using Multi-stage reviews, you can also can hints from previous stages.

More on decision helpers.

User-to-Group Affiliation (preview)

Which also use Machine learning to achieve what is does. Basically the idea as that User-to-Group Affiliation is a relationship between a user and a group in which the user is a member of the group. This means that the user is associated with the group and has certain privileges or permissions within the group, such as the ability to access certain resources or information, or to participate in group discussions or activities. User-to-Group Affiliation is often used in computer systems and online platforms to manage access to resources and to enable collaboration and communication among members of a group.

And Microsoft has a perfect organizational diagram to display this.

In this diagram the guy on the right doesn’t have any affiliation with others, so if they are all added to group, Machine learning will suggest Phil to be denied.

See more here.


Adding to the topic mentioned in the beginning, in example we could ask AI.

And it will answer with the steps that needs to be done. Just need to validate what are the steps correct and write the working flows and settings.

AI cannot be completely trusted with this kind of advices but as decision helpers they are working nicely. But good that we have other MVP’s to provide the correct steps for different things.

Like Pim’s series on Azure AD Lifecycle Workflows

And Jan’s posting about the same area.

Be sure to follow both gents if you are interested on Identity and access based content!

Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *