The password isn’t the only protection for the accounts. “We look at over 90 attributes of context for that user when you log in. If you gave the right username and password but the context you use is wrong - if you're coming from a machine we've never seen and you’re coming from a Tor network, you are not going to be able to log into the service.”
Microsoft also collaborates with services like Google and Facebook to make it easier to spot attacks or compromised accounts across different services. An attacker who has cracked an account on one service will often target that user on other systems where they might have reused the password, and one account is often secured by using another account as the way to reset its password.
Plus, its work to help stop botnets means it now controls ten of the largest botnets in the world. It leaves the command and control servers running so it can track which IP addresses are infected with malware when they report in to the servers. Azure Active Directory customers can see if any of their own IP addresses are infected, but Microsoft can also use that in Azure B2C to protect you against infected customers trying to log in to your services.
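The contextual sign-in check and the sinkhole-derived infected-IP check described above can be illustrated with a small risk evaluator. The following is an added example and not Microsoft's or Azure AD's code; it collapses the "over 90 attributes" down to three constructed signals (unseen device, Tor exit node, source address seen reporting in to a sinkholed command-and-control server), and the feeds, tenant ranges and threshold are all constructed assumptions.

```python
"""Toy sign-in risk evaluator modelled on the contextual checks described above.

All feeds and addresses below are constructed sample data, not real indicators.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed feed: Tor exit-node addresses (assumption, not a real list).
TOR_EXIT_NODES = {"203.0.113.7", "198.51.100.42"}
# Constructed feed: addresses seen reporting in to a sinkholed botnet C2 server.
SINKHOLE_INFECTED_IPS = {"192.0.2.15", "198.51.100.9"}
# Constructed: address ranges a tenant has registered as its own.
TENANT_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
# Constructed: devices each user has previously signed in from.
KNOWN_DEVICES = {"alice": {"laptop-1"}}


@dataclass
class SignIn:
    user: str
    password_ok: bool   # result of the credential check, done before context is evaluated
    device_id: str
    source_ip: str


@dataclass
class Decision:
    allow: bool
    risk: int
    reasons: list = field(default_factory=list)


def evaluate(signin: SignIn, known_devices=KNOWN_DEVICES, block_threshold: int = 50) -> Decision:
    """Return a Decision: correct credentials alone are not enough if the context is wrong."""
    if not signin.password_ok:
        return Decision(False, 100, ["bad credentials"])

    risk, reasons = 0, []
    if signin.device_id not in known_devices.get(signin.user, set()):
        risk += 30
        reasons.append("unseen device")
    if signin.source_ip in TOR_EXIT_NODES:
        risk += 40
        reasons.append("tor exit node")
    if signin.source_ip in SINKHOLE_INFECTED_IPS:
        risk += 60
        reasons.append("source ip reporting to sinkholed c2")
    # Accumulated context risk at or above the threshold blocks the sign-in
    # even though the password was right.
    return Decision(risk < block_threshold, risk, reasons)


def infected_tenant_addresses(tenant_networks=TENANT_NETWORKS, sinkhole_ips=SINKHOLE_INFECTED_IPS) -> list:
    """Which of the tenant's own addresses have been seen reporting in to the sinkhole."""
    return sorted(
        ip for ip in sinkhole_ips
        if any(ip_address(ip) in net for net in tenant_networks)
    )


if __name__ == "__main__":
    print(evaluate(SignIn("alice", True, "laptop-1", "10.1.2.3")))        # known device, clean IP
    print(evaluate(SignIn("alice", True, "unknown-box", "203.0.113.7")))  # unseen device via Tor
    print(infected_tenant_addresses())
```

The point of the design is the ordering: the password check is a gate, and the context signals are scored afterwards, so a correct password from an unseen machine on a Tor exit node still fails. The sinkhole lookup is the tenant-side view described above: intersecting the feed of addresses that reported in to the sinkholed C2 with the tenant's own ranges tells an administrator which of their machines are infected.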
Protect yourself from partners
The other set of external identities many companies have to deal with is those that give your partners access to your network. As repeated breaches have proved - from banks infected with SQL Slammer by their partners to the HVAC business through which hackers breached Target's network - that's very difficult to get right.
“Traditionally, businesses have followed two models, and both have failed,” Simons says. “The federation model is expensive and from the compliance point of view it's a nightmare. I'm just going to have a token show up from someone. The other model that's also failed is to run a separate directory with partner identities – so now they have different identities to deal with, and I have to have a service they can call to reset passwords, and then when an employee leaves their company I don't know that.”
One alternative is the new, free Azure B2B service for collaborating with other companies. “You can set up trust relationships between tenants in the cloud so you can share applications and documents between companies,” Simons says. This uses the free Azure AD tenant that any business can set up (and many companies already have one because of the widespread adoption of Azure and Office 365). “When you invite a partner, if they have a tenant we use that and if not we invisibly create the tenant. You can invite specific users, so you have visibility of the relationship in your tenant. You can see your partners and manage them in the sense of adding them to groups for access. If an employee leaves my partner's tenant, they get removed automatically.”