Active Directory (English)

Explore the key benefits of Microsoft Entra Private Access

Microsoft Entra Blog -

The traditional network security models are becoming increasingly ineffective in a world where remote work and cloud services are the norm. Conventional technologies like VPNs, while popular, offer limited protection in a boundary-less landscape, typically granting users excessive network access and posing significant risks. If compromised, these can lead to unauthorized access and potentially lateral movement within corporate networks, exposing sensitive data and resources. Microsoft Entra Private Access is at the forefront of addressing these challenges by effectively integrating identity and network access controls.

 

Microsoft Entra Private Access

 

In July we announced general availability of Microsoft Entra Suite, which brings together identity and network access controls to secure access to any cloud or on-premises application or resource from any location. We also announced Microsoft’s Security Service Edge (SSE) solution general availability. Microsoft Entra Private Access, a core component of Microsoft’s SSE solution, allows you to replace your VPN with an identity-centric Zero Trust Network Access (ZTNA) solution to securely connect users to any private resource and application without exposing full network access to all resources. It’s built on Zero Trust principles to protect against cyber threats and mitigate lateral movement. Through Microsoft’s global private network, give your users a fast, seamless, edge-accelerated access experience that balances security with productivity.

 

Figure 1: Secure access to all private applications, for users anywhere, with an identity-centric ZTNA

 

Modernize access to private applications

 

Despite the cloud’s growing dominance, you may still rely on on-premises infrastructure and use legacy VPNs to enable your remote workforce. Legacy VPNs typically grant excessive access to the entire network by making the remote user’s device part of your network.

 

Figure 2: Legacy VPNs typically grant excessive access to the entire network

 

Microsoft Entra Private Access helps you start retiring your legacy VPN and move to an identity-centric ZTNA solution that reduces your attack surface, mitigates lateral movement, and removes unnecessary operational complexity for your IT teams. Unlike traditional VPNs, Microsoft Entra Private Access protects access to your network for all your users, whether they are remote or local, and for any legacy, custom, modern, or private app, whether it runs on-premises or in any cloud.

 

Figure 3: Replace legacy VPN with an identity-centric ZTNA solution

 

For example, Microsoft Entra Private Access enhances security for Remote Desktop Protocol (RDP) sessions by enabling access without direct network connectivity. It leverages Conditional Access policies, including multifactor authentication (MFA), to validate both device and user identities. This ensures that only authenticated users with compliant devices can establish an RDP session on your network, providing a secure and seamless remote access experience. By integrating with Microsoft Entra ID, Microsoft Entra Private Access validates access tokens and connects users to the appropriate private server, reinforcing the security posture without the need for traditional VPN solutions.

 

 

Accelerate your journey to Zero Trust with Microsoft Entra Private Access

 

Microsoft Entra Private Access helps you accelerate your journey to ZTNA by offering a streamlined way to enforce least-privilege access to on-premises and private applications, extending Zero Trust principles to any private app or resource regardless of where it runs, on-premises or in any cloud.

 

Figure 5: Accelerate your ZTNA journey with Microsoft Entra Private Access

 

Here, in more detail, are the key capabilities that help you move from legacy VPNs to ZTNA:

 

The Quick Access policy simplifies the transition from legacy VPNs and makes onboarding to Microsoft Entra Private Access easy. It lets you create network segments that can include multiple apps and resources.

 

Figure 6: Fast and easy migration from legacy VPNs with Quick Access policy

 

Over time, Private Application Discovery lets you discover all your private apps, onboard them to enable segmented access, and simplify creating Conditional Access policies for groups of apps based on their business impact level.

 

Figure 7: Automatic private application discovery and onboarding

 

Enforce Conditional Access across all private resources

 

To enhance your security posture and minimize the attack surface, it’s crucial to implement robust Conditional Access controls, such as MFA (biometric and/or phishing-resistant), across all private resources and applications, including legacy or proprietary applications that may not support modern identity protocols.

 

The familiar Conditional Access policies used today can now be extended to all private apps, including legacy apps and non-web resources, such as RDP, SSH, SMB, SAP, or any other TCP- or UDP-based private application, resource, or network endpoint.

 

Figure 8: Enforce Conditional Access across all private resources

 

Conditional Access is applied to every network flow, ensuring comprehensive security coverage across all your private apps and resources—including MFA, location-based security, advanced segmentation, and adaptive least-privilege access policies—without making any changes to your apps or resources.

 

 

Deliver seamless access to private apps and resources with single sign-on

 

Single sign-on (SSO) simplifies the user experience by eliminating the need to sign in to each private application individually. By enabling SSO, users gain seamless access to all necessary private applications, whether located on-premises or across various clouds, without the need for repeated authentication or modifications to existing apps.

 

Microsoft Entra Private Access further streamlines this process by providing SSO for on-premises resources, utilizing Kerberos for secure, ticket-based authentication. For an even more integrated experience, you can opt to implement Windows Hello for Business with cloud Kerberos trust, offering a modern, passwordless sign-on option for users. This cohesive approach to SSO, supported by Microsoft Entra Private Access, ensures a secure and efficient access management system for private resources across the enterprise landscape.

 

Deploy across various platforms, ports, and protocols

 

Enable secure connectivity to private resources from Windows and Android, with support for iOS and macOS coming later this year and Linux support to follow. The service spans all operating systems and accommodates any port and protocol, including SMB, RDP, FTP, SSH, SAP, printing, and all other TCP/UDP-based protocols. If your security team already uses Application Proxy, you can transition to Microsoft Entra Private Access knowing that all existing use cases and access to existing private web applications will keep working without disruption.

 

 

Securing just-in-time access to sensitive resources

 

Microsoft Entra Private Access is tightly integrated with Privileged Identity Management (PIM), a service within Microsoft Entra ID Governance, to help you secure just-in-time access to private resources for privileged users. This integration ensures that privileged access is granted only when necessary, aligning with the Zero Trust principle of least-privilege access. It allows you to enforce robust Conditional Access controls, such as MFA, so that only eligible and validated users can reach sensitive resources. This approach not only enhances security but also supports compliance and auditing requirements by providing detailed tracking and logging of privileged access requests.

 

Secure access to Azure managed services with Microsoft Entra Private Access

 

Azure offers many managed services, such as Azure SQL, Azure Storage, and Azure ML, among others. Microsoft Entra Private Access provides a secure, private connection to Azure services while enforcing security policies and posture checks during access, allowing you to enforce Conditional Access controls such as MFA and IP-based access controls. With comprehensive enforcement of identity and network access controls, Microsoft Entra Private Access ensures that managed services are accessed securely. Here are two key scenarios:

 

  • Secure Azure managed services access: Typically, Azure services are accessed over the internet. However, for security reasons, it’s preferable to keep the traffic between users or applications and Azure services private, avoiding exposure to the internet. This can be achieved through Microsoft Entra Private Access, where services like Azure Storage are connected to a virtual network (VNet) using Private Link. This ensures that all traffic remains private, while additional identity and network access controls are enforced.

Figure 11: Enable secure access to Azure Storage with Private Access through Private Link

 

  • Service endpoint for controlled access: In contrast to Private Link, the service endpoint method does not integrate services into a VNet. Instead, it restricts incoming traffic to connections from specified connector IP addresses through Microsoft Entra Private Access. This approach helps secure access to Azure services by permitting access solely through an approved path, where additional security measures like MFA and device posture can be enforced.

Figure 12: A single, secure path to Azure managed services through Microsoft Entra Private Access

 

Simplify Microsoft Entra private network connector deployment for your private workloads

 

In addition to the Microsoft Entra admin center, the private network connector is now available on Azure Marketplace and AWS Marketplace in preview. This lets you easily deploy a virtual machine with a pre-installed Private Access connector through a streamlined managed model for Azure and AWS workloads. The Marketplace offerings automate the installation and registration process and simplify authentication setup, improving the deployment experience.

 

Figure 13: Microsoft Entra private network connector on Microsoft Azure Marketplace

 

Figure 14: Microsoft Entra private network connector on AWS Marketplace

 

The Microsoft Entra private network connector is a required software component for Microsoft Entra Private Access. It sits alongside your private applications in your own network and is designed to provide secure and convenient access to them from any device and location. It acts as a bridge between Microsoft’s SSE edge and your application servers, facilitating the authentication, authorization, and encryption of traffic.

 

Enable edge accelerated Zero Trust private domain name resolution

 

Microsoft Entra Private Access enhances your organization’s Domain Name System (DNS) resolution capabilities and simplifies access to IP-based app segments and private resources by FQDN, so your users can reach private resources by single-label name or hostname without complex configuration. With accelerated DNS at Microsoft’s SSE edge, DNS responses are cached, giving significantly faster resolution times and better performance. Moreover, integrating DNS with Conditional Access adds an extra layer of identity-centric security controls, allowing more granular control over access to private resources.

 

For instance, with Private DNS support, you can provide your domain suffixes to simplify Zero Trust access to private apps using FQDNs, streamlining the connection process to internal resources, while using your existing DNS deployments. This is particularly beneficial in scenarios where your users need to seamlessly access private resources without the need for VPNs or domain-joined devices, while offering a more secure and efficient way to manage access.

 

Simplify access and improve end user experience at a global scale

 

Enhance user productivity by leveraging Microsoft’s vast global edge presence, providing fast and easy access to private apps and resources—located on-premises, on private data centers, and across any cloud. Users benefit from optimized traffic routing through the closest worldwide Point of Presence (PoP), reducing latency for a consistently swift hybrid work experience.

 

Deploy side-by-side with third-party network access solutions

 

A distinctive feature of Microsoft’s SSE solution is its built-in compatibility with third-party network access solutions, which lets you send only the traffic you choose to Microsoft’s SSE edges. Use Microsoft and third-party network access solutions in a unified environment to draw on the capabilities of both and accelerate your Zero Trust journey. The flexible deployment options of Microsoft’s SSE solution give you enhanced security and seamless connectivity for an optimal user experience.

 

Conclusion

 

Simplifying and securing access for your hybrid workforce is crucial in a landscape where traditional boundaries have dissolved. Enforcing least-privilege access and minimizing reliance on legacy tools like VPNs are essential steps in reducing risk and mitigating sophisticated cyberattacks.

 

Microsoft Entra Private Access helps you secure access to all your private apps and resources for users anywhere with an identity-centric ZTNA solution. It allows you to replace your legacy VPN with ZTNA to securely connect users to any private resource and application without exposing full network access to all resources.

 

The unified approach across identity and network access within Microsoft’s SSE solution signifies a new era of network security. This approach ensures that only authorized users are authenticated, and their devices are compliant before accessing private resources.

 

Learn More

 

To get started, begin a trial to explore Microsoft Entra Private Access general availability. You can also sign up for an Entra suite trial, which includes Microsoft Entra Private Access. For further help contact a Microsoft sales representative and share your feedback to help us make this solution even better.

 

Ashish Jain, Principal Group Product Manager

Abdi Saeedabadi, Senior Product Marketing Manager

 

Read more on this topic

 

Learn more about Microsoft Entra

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.

Join us at the Microsoft Entra Suite Showcase!

Microsoft Entra Blog -

This fall, we are bringing the Microsoft Entra Suite Showcase to cities worldwide. Join us to explore how our latest advancements in secure identity and access management can help safeguard your organization's digital assets.

 

Announced earlier this year, the Microsoft Entra Suite unifies identity and network access security—a novel and necessary approach for Zero Trust security. It provides everything you need to verify users, prevent overprivileged permissions, improve detections, and enforce granular access controls for all users and resources.

 

 

Register now to join us for a half-day event in the following locations:

 

  • September 23: Mexico City, Mexico (Registration Full)
  • September 25: São Paulo, Brazil (Registration Full)
  • September 30: Amsterdam, Netherlands (Register Here)
  • October 1: London, England (Register Here)
  • October 8: Dallas, TX, USA (Register Here)
  • October 8: Johannesburg, South Africa (Register Here)
  • October 9: Sydney, Australia (Register Here)
  • October 10: Atlanta, GA, USA (Register Here)
  • October 14: Berlin, Germany (Register Here)
  • October 16: Singapore, Singapore (Register Here)
  • October 21: Silicon Valley, CA, USA (Register Here)
  • November 6: Dubai, UAE (Register Here)
  • November 12: Mumbai, India (Registration coming soon)
  • November 14: Paris, France (Registration coming soon)
  • November 14: Bangalore, India (Registration coming soon)
  • December 4: New York, NY, USA (Register Here)
  • December 10: Chicago, IL, USA (Register Here)

 

To learn more about Microsoft Entra Suite: 

 

We look forward to seeing you there!

Microsoft Entra Internet Access now generally available

Microsoft Entra Blog -

With the rise of hybrid work, identity and network security professionals are now at the forefront of protecting their organizations. Traditional network security tools fall short of the integration, complexity, and scale requirements of anywhere access, leaving organizations exposed to security risks and poor user experiences. To address this, network security and identity must function as a unified force in defense. Only when identity and network controls are deeply integrated into secure access can we fully deliver on the core Zero Trust principles, where trust is never implicit and access is granted on a need-to-know, least-privileged basis across all users, devices, and applications.

 

Microsoft Entra Internet Access

 

On July 11th, 2024, we announced general availability (GA) of Microsoft Entra Suite, which includes Microsoft Entra Internet Access, part of the Security Service Edge (SSE) solution. Internet Access secures access to all internet and SaaS applications and resources with an identity-centric secure web gateway (SWG) solution, unifying identity and network access controls through a single Zero Trust policy engine to close security gaps and minimize the risk of cyberthreats. Our solution integrates seamlessly with Microsoft Entra ID, eliminating the need to manage users, groups, and apps in multiple locations. It protects users, devices, and resources with capabilities such as universal Conditional Access, context-aware network security, and web content filtering, so you no longer need to manage multiple disconnected network security tools.

 

Figure 1: Secure access to all internet and SaaS applications and resources, with an identity-centric SWG.

 

 

Unified identity and network security

 

Our deep integration with Entra ID enables Conditional Access, and later continuous access evaluation (CAE), to be extended to any external destination, internet resource, and cloud application, even if they’re not integrated or federated with Entra ID. This integration with Conditional Access enables you to enforce granular controls, leveraging device, user, location, and risk conditions by applying network security policies tailored to the requirements of your enterprise. Additionally, Microsoft Entra Internet Access provides enhanced security capabilities, such as token replay protection and data exfiltration controls, for Entra ID federated applications.

 

Figure 2: Rich user, device, location, and risk awareness of Conditional Access for network security policy enforcement

 

 

Protect your users with context-aware network security

 

With Microsoft Entra Internet Access you now can link your network security policies to Conditional Access, providing a versatile tool that can adapt to various scenarios for your SWG policy enforcement. Now with web category filtering, you can easily allow or block a vast range of internet destinations based on pre-populated web categories. For more granular control, you can use fully qualified domain name (FQDN) filtering to establish policies for specific endpoints or override general web category policies effortlessly.

 

For instance, you can create a policy that allows your finance team access to critical finance applications, while restricting access for the rest of your organization. Furthermore, you can add risk-based filtering policies that dynamically adapt to a user’s risk level with Entra ID protection to restrict access to these destinations for members whose user risk is elevated, providing additional protection for your organization. Another great example is just-in-time access to Dropbox, while blocking all other external storage sites, to leverage deep integrations between Microsoft Entra Internet Access, Conditional Access and Entra ID Governance workflows.

 

In the coming months, we’ll be adding new capabilities such as TLS inspection and URL filtering to provide even more granular control for your web filtering policies. Plus, we’ll be adding Threat Intelligence (TI) filtering to prevent users from accessing known malicious internet destinations.

 

 

Provide defense in depth against token replay attacks with Compliant Network check

 

With the addition of the new Compliant Network control, you can prevent token replay attacks across the authentication plane by extending the Compliant Network check with Conditional Access to any Entra ID federated internet application, including Microsoft 365 applications. This feature also ensures that users cannot bypass the SSE security stack while accessing applications. Compliant Network eliminates the inherent disadvantages of source-IP-based location enforcement, namely cumbersome IP management and hairpinning of remote users’ traffic through branch networks.

 

 

Protect against data exfiltration by enabling universal tenant restrictions (TRv2) controls

 

With Microsoft Entra Internet Access you can enable Universal Tenant Restriction controls across all managed devices and network branches, agnostic of OS and browser platform. Tenant Restriction v2 is a strong data exfiltration control enabling you to manage external access risks from your managed devices and networks by curating a granular allow or deny list of foreign identities and applications that can or cannot be accessed.

 

Figure 5: Universal tenant restrictions

 

Avoid obfuscating original user source IP

 

Traditional third-party SSE solutions hide the original source IP of users, only showing the proxy IP address, which degrades your Entra ID log fidelity and Conditional Access controls. Our solution proactively restores original end-user source IP context for Entra ID activity logs and risk assessment. It also maintains backward compatibility for source IP based location checks in your Conditional Access policies.

 

 

Deliver fast and consistent access at a global scale

 

Our globally distributed proxy, with multiple points of presence close to your user, eliminates extra hops to optimize traffic routing to the internet. You can connect remote workers and branch offices through our global secure edge that’s only milliseconds away from users. We have thousands of peering connections with internet providers and SaaS services, and for services like Microsoft 365 and Azure, you avoid performance penalties through additional hops and improve overall user experience by sending the traffic directly to Microsoft WAN infrastructure.

 

Figure 7: Microsoft's global Wide Area Network (WAN)

 

Attain deep insights and network analytics using in-product dashboards

 

Our comprehensive in-product reports and dashboards are designed to be easy to digest and share a complete holistic view of your entire ecosystem within your organization. You can monitor deployment status, identify emerging threats through comprehensive network and policy monitoring logging, and address problems quickly. Our dashboard delivers an overview of the users, devices, and destinations connected through Microsoft’s SSE solution. We show cross-tenant access within your enterprise, as well as the top network destinations in use and other policy analytics.

 

Figure 8: In-product dashboard

 

Microsoft Entra Internet Access architecture overview

 

Microsoft’s SSE architecture for client and branch connectivity streamlines network access and security. The Global Secure Access standalone client for the endpoint is currently available for Windows and Android; macOS and iOS are coming soon. Branch connectivity relies on site-to-site connections from network devices to Microsoft’s SSE edge services; Microsoft traffic is supported now, with internet access traffic being added soon. Traffic from both client and branch connectivity models is secured and tunneled through Microsoft’s SSE edges. Additionally, we have partnered with HPE Aruba and Versa to integrate our SSE solution with their SD-WAN offerings, with additional SD-WAN partners coming soon.

 

Side-by-side interoperability with third-party SSE solutions

 

One of the unique advantages of Microsoft’s SSE solution is its built-in compatibility with third-party SSE solutions where it allows you to acquire only the traffic you need to send to Microsoft’s SSE edges. For example, you can enable the Microsoft Traffic profile to manage Microsoft 365 and Entra ID traffic and optimize performance for your Microsoft applications while using other providers for remaining traffic. Configuring traffic forwarding profiles is straightforward, allowing for precise control over traffic for internet and SaaS traffic, including Microsoft 365. Traffic profiles are also user aware and can be directed to specific groups in your enterprise as appropriate.

 

Figure 9: Flexible deployment options

 

Conclusion

 

Microsoft Entra Internet Access offers a robust, identity-centric SWG solution that secures access to internet and SaaS applications. By unifying Conditional Access policies across identity, endpoint, and network, it ensures every access point is safeguarded, adapting to the needs of a hybrid workforce and mitigating sophisticated cyberattacks. This strategic shift not only enhances security but also optimizes user experience, demonstrating Microsoft's commitment to leading the transition to cloud-first environments.

 

Learn more and get started 

 

Stay tuned for more Microsoft Entra Internet Access blogs and for a deeper dive into Microsoft Entra Private Access. For more information, watch our recent Tech Accelerator product deep dives.

 

To get started, contact a Microsoft sales representative, begin a trial, and explore Microsoft Entra Internet Access and Microsoft Entra Private Access general availability. Share your feedback to help us make this solution even better. 

 

Anupma Sharma, Principal Group Product Manager

 

 


Omdia’s perspective on Microsoft’s SSE solution

Microsoft Entra Blog -

In July, we announced the general availability of the Microsoft Entra Suite and Microsoft’s Security Service Edge (SSE) solution which includes Microsoft Entra Internet Access and Microsoft Entra Private Access.  

 

Microsoft’s vision for SSE

 

Microsoft’s SSE solution aims to revolutionize the way organizations secure access to any cloud or on-premises applications. It unifies identity and network access through Conditional Access, the Zero Trust policy engine, helping to eliminate security loopholes and bolster your organization’s security stance against threats. Delivered from one of the largest global private networks, the solution ensures a fast and consistent hybrid work experience. With flexible deployment options across other SSE and networking solutions, you can choose to route specific traffic profiles through Microsoft’s SSE solution.

 

Omdia's perspective

 

According to Omdia, a leading research and consulting firm, Microsoft’s entry into the SASE/SSE space is poised to disrupt the market. Omdia highlights that Microsoft’s focus is on an identity-centric SASE framework, which helps consolidate technologies from different vendors by extending identity controls to your network and enhancing team collaboration. A key strength for Microsoft, according to Omdia, is its ability to introduce Microsoft Entra Internet Access and Microsoft Entra Private Access seamlessly into existing identity management conversations—a strength that could lead to broader adoption of network access services as part of the same platform.

 

Conclusion

 

As you navigate the complexities of securing network access, Microsoft’s Security Service Edge solution helps you transform your security posture and improve user experience. It simplifies collaboration between identity and network security teams by consolidating access policies across identities, endpoints, and network, all managed in a single portal, the Microsoft Entra admin center. Microsoft’s SSE solution provides a new pathway to implement Zero Trust access controls more effectively, enabling your organization to enhance its security posture while leveraging existing Microsoft investments.

 

To learn more about Omdia’s perspective on Microsoft’s SSE solution, read Omdia’s report, Microsoft announces general availability of its SASE/SSE offering.

 

Learn more and get started 

 

Stay tuned for more Security Service Edge blogs. For a deeper dive into Microsoft Entra Internet access and Microsoft Entra Private Access, watch our recent Tech Accelerator product deep dives.

 

To get started, contact a Microsoft sales representative, begin a trial, and explore Microsoft Entra Internet Access and Microsoft Entra Private Access general availability. Share your feedback to help us make this solution even better. 

 

Nupur Goyal, Director, Identity and Network Access Product Marketing 

 

 


 

MFA enforcement for Microsoft Entra admin center sign-in coming soon

Microsoft Entra Blog -

As cyberattacks become increasingly frequent, sophisticated, and damaging, safeguarding your digital assets has never been more critical. In October 2024, Microsoft will begin enforcing mandatory multifactor authentication (MFA) for the Microsoft Entra admin center, Microsoft Azure portal, and the Microsoft Intune admin center. 

 

We published a Message Center post (MC862873) to all Microsoft Entra ID customers in August. We’ve included it below:

 

Take action: Enable multifactor authentication for your tenant before October 15, 2024

 

Starting on or after October 15, 2024, to further increase your security, Microsoft will require admins to use multifactor authentication (MFA) when signing into the Microsoft Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. 

 

Note: This requirement will also apply to any services accessed through the Intune admin center, such as Windows 365 Cloud PC. To take advantage of the extra layer of protection MFA offers, we recommend enabling MFA as soon as possible. To learn more, review Planning for mandatory multifactor authentication for Azure and admin portals.

 

How this will affect your organization:

 

MFA will need to be enabled for your tenant to ensure admins are able to sign into the Azure portal, Microsoft Entra admin center, and Intune admin center after this change.

 

What to do to prepare:

  • If you have not already, set up MFA before October 15, 2024, to ensure your admins can access the Azure portal, Microsoft Entra admin center, and Intune admin center.
  • If you are unable to set up MFA before this date, you can apply to postpone the enforcement date.
  • If MFA has not been set up before the enforcement starts, admins will be prompted to register for MFA before they can access the Azure portal, Microsoft Entra admin center, or Intune admin center on their next sign-in. 

 

For more information, refer to: Planning for mandatory multifactor authentication for Azure and admin portals.

 

Jarred Boone

Senior Product Marketing Manager, Identity Security

 

 

Read more on this topic 

 

Learn more about Microsoft Entra  

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds. 

Face Check is now generally available

Microsoft Entra Blog -

Earlier this year we announced the public preview of Face Check with Microsoft Entra Verified ID – a privacy-respecting facial matching feature for high-assurance identity verifications and the first premium capability of Microsoft Entra Verified ID. Today I’m excited to announce that Face Check with Microsoft Entra Verified ID is generally available. It is offered both by itself and as part of the Microsoft Entra Suite, a complete identity solution that delivers Zero Trust access by combining network access, identity protection, governance, and identity verification capabilities.

 

 

Unlocking high-assurance verifications at scale


There’s a growing risk of impersonation and account takeover. Bad actors use insecure credentials in 66% of attack paths. For example, impersonators may use a compromised password to fraudulently log in to a system. With advancements in generative AI, complex impersonation tactics such as deepfakes are growing as well. Many organizations regularly onboard new employees remotely and offer a remote help desk. Without strong identity verification, how can organizations know who is on the other side of these digital interactions? Impersonators can easily bypass common verification methods such as counting bicycles on a CAPTCHA or asking which street you grew up on. As fraud skyrockets for businesses and consumers and impersonation tactics become increasingly complex, identity verification has never been more important.


Microsoft Entra Verified ID is based on open standards, enabling organizations to verify the widest variety of credentials using a simple API. Verified ID integrates with some of the leading verification partners to verify identity attributes for individuals (for example, a driver’s license and a liveness match) across 192 countries. Today, hundreds of organizations rely on Verified ID to remotely onboard new users and reduce fraud when providing self-service recovery. For example, using Verified ID, Skype has reduced fraudulent cases of registering Skype Phone Numbers in Japan by 90%.

 

Face Check with Microsoft Entra Verified ID


Powered by Azure AI services, Face Check adds a critical layer of trust by matching a user’s real-time selfie and the photo on their Verified ID, which is usually from a trusted source such as a passport or driver’s license. By sharing only match results and not any sensitive identity data, Face Check strengthens an organization’s identity verification while protecting user privacy. It can detect and reject various spoofing techniques, including deepfakes, to fully protect your users’ identities.


BEMO, a security solution provider for SMBs, integrated Face Check into its help desk to increase verification accuracy, reduce verification time, and lower costs. The company used Face Check with Microsoft Entra Verified ID to protect its most sensitive accounts, which belong to C-level executives and IT administrators.


Face Check not only helps BEMO improve customer security and strengthen user data privacy, but it also created a 90% efficiency improvement in addressing customer issues. BEMO’s help desk now completes a manual identity verification in 30 minutes, down from 5.5 hours before implementing Face Check.


“Security is always great when you apply it in layers, and this verification is an additional layer that we’ll be able to provide to our customers. It’s one more way we can help them feel secure.” – Jose Castelan, Support and Managed Services Team Lead, BEMO

 

Check out the video below to learn more about how your organization can use Face Check with Microsoft Entra Verified ID:

 

 

Jumpstart with partners


Our partners specialize in implementing Face Check with Microsoft Entra Verified ID in specific use cases or verifying certain identity attributes such as employment status, education, or government-issued IDs (with partners like LexisNexis® Risk Solutions, Au10tix, and IDEMIA). These partners extend Verified ID’s capabilities to provide a variety of verification solutions that will work for your business’s specific needs.


Explore our partner gallery to learn more about our partners and how they can help you get started with Verified ID.

 

Start using Face Check with Microsoft Entra Verified ID


Face Check is a premium feature of Verified ID. After you set up your Verified ID tenant, there are two purchase options to enable Face Check and start verifying:


1. Begin the Entra Suite free trial, which includes 8 Face Check verifications per user per month.
2. Enable Face Check within Verified ID and pay $0.25 per verification.

 

Visit the Microsoft Entra pricing page for more details.

 

What’s Next?


Learn more about how Microsoft Entra Verified ID works and how organizations are using it today, and join us for the Microsoft Entra Suite Tech Accelerator on August 14 to learn about the latest identity management and end-to-end security innovations.

 

Ankur Patel, Head of Product for Microsoft Entra Verified ID


Public preview: Microsoft Entra ID FIDO2 provisioning APIs

Microsoft Entra Blog -

Today I'm excited to announce a great new way to onboard employees with admin provisioning of FIDO2 security keys (passkeys) on behalf of users.

 

Our customers love passkeys as a phishing-resistant method for their users, but some were concerned that registration was limited to users registering their own security keys. Today we’re announcing the new Microsoft Entra ID FIDO2 provisioning APIs, which empower organizations to handle this provisioning for their users, providing secure and seamless authentication from day one.

 

Customers can still deploy security keys to their users in the default configuration, or allow users to bring their own security keys (which requires self-service registration by the user). The APIs add a third option: keys can be pre-provisioned for users, so users have an easier experience on first use.

 

Adopting phishing-resistant authentication is critical: attackers have increased their use of Adversary-in-the-Middle (AitM) phishing and social engineering attacks to target MFA-enabled users. Phishing-resistant authentication methods, including passkeys, certificate-based authentication (CBA), and Windows Hello for Business, are the best ways to protect against these attacks.

 

Phishing-resistant authentication is also a key requirement of Executive Order 14028, which requires phishing-resistant authentication for all agency staff, contractors, and partners. While most federal customers use preexisting smartcard systems to achieve compliance, passkeys provide a secure alternative for users looking for improved ways to securely sign in. With today’s release of admin provisioning, they also have a simplified onboarding process for users.

 

With the Microsoft Entra ID FIDO2 provisioning APIs organizations can build their own admin provisioning clients, or partner with one of the many leading credential management system (CMS) providers who have integrated our APIs in their offerings.

 

Tim Larson, Senior Product Manager on Microsoft Entra, will now walk you through this new capability that will help in your transition towards phishing-resistant multifactor authentication (MFA).    

 

Thanks, and please let us know your thoughts!

 

Alex Weinert

 

--

 

Hello everyone,

 

Tim here from the Microsoft Entra product management team. I’m excited to share with you our new passkey (FIDO2) provisioning capabilities in Entra ID!

 

Back in May we shared how we’re expanding passkey support in Microsoft Entra ID with the addition of device-bound passkey support in Microsoft Authenticator. As part of our commitment to provide more passkey capabilities we’ve enhanced our passkey (FIDO2) credential APIs to make onboarding security keys for users more convenient.

 

How does it work?

 

With the enhancements made to our passkey (FIDO2) credential APIs, you can now request WebAuthn creation options from Entra ID and use the returned data to create and register a passkey credential on behalf of a user.

 

Three main steps are required to register a security key on behalf of a user.


  1. Request creationOptions for a user: Entra ID returns the data your client needs to provision a passkey (FIDO2) credential. This includes the user information, relying party, credential policy requirements, allowed algorithms, and more.
  2. Provision the passkey (FIDO2) credential with the creationOptions: using the creationOptions, run a client or script that supports the Client to Authenticator Protocol (CTAP) to provision the credential. During this step you’ll need to insert a security key and set a PIN.
  3. Register the provisioned credential with Entra ID: using the output from the provisioning process, provide Entra ID with the data it needs to register the passkey (FIDO2) credential for the targeted user.
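The three steps above, simulated end to end as an added example (not code from the post or from Microsoft's APIs). `FakeEntra` stands in for the identity provider's creationOptions and registration endpoints, `simulate_authenticator` stands in for a CTAP client talking to a security key, and the relying party id, origin and user names are constructed. The endpoint paths and exact payload shapes of the real Microsoft Graph calls are not reproduced here; what the example shows is the data that flows between the steps and the checks the registering side performs on `clientDataJSON` (ceremony type, origin, single-use challenge), which is where an on-behalf-of flow is most easily misused if they are skipped.

```python
"""Simulated on-behalf-of passkey (FIDO2) provisioning: options -> key -> register."""
import base64
import hashlib
import json
import os

RP_ID = "login.contoso.example"           # assumed relying party id (constructed)
ORIGIN = "https://login.contoso.example"  # assumed web origin the RP trusts (constructed)


def b64url(data: bytes) -> str:
    """WebAuthn carries binary fields as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class FakeEntra:
    """Stand-in for the provisioning API: issues creationOptions (step 1)
    and registers the resulting credential (step 3)."""

    def __init__(self):
        self.challenges = {}   # user id -> outstanding challenge bytes
        self.registered = {}   # user id -> registered credential entries

    def creation_options(self, user_id: str) -> dict:
        challenge = os.urandom(32)
        self.challenges[user_id] = challenge
        return {"publicKey": {
            "challenge": b64url(challenge),
            "rp": {"id": RP_ID, "name": "Contoso (constructed)"},
            "user": {"id": b64url(user_id.encode()), "name": user_id, "displayName": user_id},
            "pubKeyCredParams": [{"type": "public-key", "alg": -7}],  # ES256
            "authenticatorSelection": {"authenticatorAttachment": "cross-platform",
                                       "requireResidentKey": True,
                                       "userVerification": "required"},  # PIN set on the key
            "attestation": "direct",
        }}

    def register(self, user_id: str, display_name: str, credential: dict) -> dict:
        client_data = json.loads(b64url_decode(credential["response"]["clientDataJSON"]))
        issued = self.challenges.pop(user_id, None)  # single use: a replay finds nothing
        if issued is None:
            raise ValueError("no outstanding creationOptions for this user")
        if client_data.get("type") != "webauthn.create":
            raise ValueError("not a registration ceremony")
        if client_data.get("origin") != ORIGIN:
            raise ValueError("clientDataJSON origin does not match the relying party")
        if b64url_decode(client_data.get("challenge", "")) != issued:
            raise ValueError("challenge mismatch")
        entry = {"id": credential["id"], "displayName": display_name}
        self.registered.setdefault(user_id, []).append(entry)
        return entry


def simulate_authenticator(options: dict, origin: str = ORIGIN) -> dict:
    """Step 2 stand-in for a CTAP client plus security key: echoes the challenge
    in clientDataJSON and returns a placeholder attestationObject."""
    public_key = options["publicKey"]
    client_data = json.dumps({"type": "webauthn.create",
                              "challenge": public_key["challenge"],
                              "origin": origin}).encode()
    credential_id = os.urandom(16)
    # A real key returns a CBOR attestation statement; a digest stands in for it here.
    attestation = hashlib.sha256(client_data + credential_id).digest()
    return {"id": b64url(credential_id),
            "response": {"clientDataJSON": b64url(client_data),
                         "attestationObject": b64url(attestation)}}


def provision_key_for_user(entra: FakeEntra, user_id: str, display_name: str) -> dict:
    """The full three-step flow an admin provisioning client would run."""
    options = entra.creation_options(user_id)                 # 1. request creationOptions
    credential = simulate_authenticator(options)              # 2. provision on the key
    return entra.register(user_id, display_name, credential)  # 3. register with Entra ID


def registration_rejected(entra: FakeEntra, user_id: str, credential: dict) -> bool:
    """True when the registering side refuses the credential (replay, wrong origin, ...)."""
    try:
        entra.register(user_id, "rejected-check", credential)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    idp = FakeEntra()
    print(provision_key_for_user(idp, "alice@contoso.example", "Security key (constructed)"))
```

Because the challenge is popped on first use, a captured step-2 output cannot be registered twice, and a `clientDataJSON` produced for a different origin is rejected even though its challenge is valid; both checks are the WebAuthn registration rules the relying party side has to enforce regardless of who drives the authenticator.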

 

Build your own app or use a CMS vendor offering

 

In addition to providing the tools above, Microsoft has also collaborated with 10 leading vendors in the CMS space to integrate the new FIDO2 provisioning APIs. These vendors have rigorously tested the new APIs, know them well, and are available to help you with provisioning if creating your own integration isn’t something you want to do.

 

This partnership underscores our commitment to delivering a secure and interoperable ecosystem for our customers. These vendors represent a diverse range of CMS solutions, each bringing unique insights and expertise to the table. Their involvement has been instrumental in ensuring that the APIs are robust, versatile, and ready for real-world challenges.

 

As we roll out the public preview, we are proud to announce that these vendors have pledged their support, integrating the APIs into their platforms. This collaboration not only enhances the security landscape but also paves the way for seamless adoption across various industries.

 


What’s next?

 

This public preview is the next step in our passkey journey, and we’re gearing up for even more passkey (FIDO2) provisioning features. We’re looking forward to building provisioning capabilities into the Entra admin center, which will give help desk and other admins the ability to directly provision FIDO2 security keys for users.

 

To learn more about everything discussed here, check out how to enable passkeys (FIDO2) for your organization and review our Microsoft Graph API documentation. Reach out to your preferred CMS provider to learn more about their integrations with the Microsoft Entra ID FIDO2 Provisioning APIs.

 

Thanks,

Tim Larson


Migrate ADAL apps to MSAL with enhanced insights

Microsoft Entra Blog -

We’re pleased to announce significant updates to the Sign-ins workbook in the Microsoft Entra admin center, a crucial tool for organizations transitioning from Azure Active Directory Authentication Libraries (ADAL) to Microsoft Authentication Libraries (MSAL). These updates aim to streamline the ADAL migration process by providing comprehensive insights into your ADAL-application-related data.

 

Why is this Important?

 

We announced ADAL end of life in June 2020 and stopped providing security updates as of June 2023, which means applications using ADAL can’t use the latest security features, leaving them exposed to future security threats. We strongly recommend migrating any application using ADAL to MSAL to improve the security posture and resilience of authentication and authorization in your client applications.

 

MSAL supports the latest security features for Microsoft Entra ID like managed identity, Continuous Access Evaluation (CAE), passkeys, and many more. The updated Sign-ins workbook is an essential tool in this transition, providing the necessary insights and data to make informed decisions to execute migration.

 

What's new in the Sign-ins workbook?

 

The Sign-ins workbook is redesigned for admins needing a centralized and more detailed view of applications using ADAL within their tenant. These additional insights can help them identify, investigate, and validate the ADAL applications to successfully migrate to MSAL.   

 

Here’s what you can expect with the latest enhancements:

 

  1. Comprehensive sign-in log aggregation: The workbook now consolidates logs from various types of sign-in events, including interactive, non-interactive, and service principal sign-ins.
  2. Enhanced data visualization: We updated the report with new aggregated metrics to enable an all-up view of sign-ins across ADAL applications. To aid in your specific analytical needs, the workbook supports the application of custom filters and queries. This flexibility enables you to focus on the information that matters most to your ADAL migration efforts.
  3. Integration with Microsoft Entra recommendations: You can now directly access this Sign-ins workbook from the ADAL to MSAL recommendation page to dive deep into the list of ADAL applications listed on the recommendation details page. To use the workbooks for Microsoft Entra ID, you need a Microsoft Entra ID tenant with a P1 license.
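The consolidation and filtering described in items 1 and 2, as an added example (not the workbook's own query, which runs as KQL in the admin center): a small aggregator over sign-in records of the three types, keyed by application. The record shape, the `category` labels (chosen to mirror the Log Analytics table names), the `Azure AD App Authentication Library` detail key and its `Family: ADAL ...` value format are assumptions for this example, and the sample rows are constructed, not data from any tenant.

```python
"""Consolidate ADAL usage across interactive, non-interactive and service-principal sign-ins."""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed key inside authenticationProcessingDetails that names the auth library.
LIBRARY_KEY = "Azure AD App Authentication Library"

# Constructed sample rows (no real tenant data); "identity" holds the UPN for user
# sign-ins and the service principal name for service-principal sign-ins.
SAMPLE_SIGNINS = [
    {"category": "SigninLogs", "createdDateTime": "2024-08-01T09:12:00Z",
     "appId": "app-0001", "appDisplayName": "Payroll Portal", "identity": "alice@contoso.example",
     "authenticationProcessingDetails": [
         {"key": LIBRARY_KEY, "value": "Family: ADAL Library: ADAL.Net 5.2.9 Platform: .NET"}]},
    {"category": "AADNonInteractiveUserSignInLogs", "createdDateTime": "2024-08-02T02:30:00Z",
     "appId": "app-0001", "appDisplayName": "Payroll Portal", "identity": "alice@contoso.example",
     "authenticationProcessingDetails": [
         {"key": LIBRARY_KEY, "value": "Family: ADAL Library: ADAL.Net 5.2.9 Platform: .NET"}]},
    {"category": "AADServicePrincipalSignInLogs", "createdDateTime": "2024-08-02T03:00:00Z",
     "appId": "app-0002", "appDisplayName": "Nightly Sync Job", "identity": "sp:nightly-sync",
     "authenticationProcessingDetails": [
         {"key": LIBRARY_KEY, "value": "Family: ADAL Library: ADAL.Java 1.6.7 Platform: Java"}]},
    {"category": "SigninLogs", "createdDateTime": "2024-08-02T08:00:00Z",
     "appId": "app-0003", "appDisplayName": "Expense App", "identity": "bob@contoso.example",
     "authenticationProcessingDetails": [
         {"key": LIBRARY_KEY, "value": "Family: MSAL Library: MSAL.NET 4.61.0 Platform: .NET"}]},
]


@dataclass
class AppSummary:
    """One row of the consolidated view."""
    app_display_name: str
    total: int = 0
    by_category: dict = field(default_factory=lambda: defaultdict(int))
    libraries: set = field(default_factory=set)
    identities: set = field(default_factory=set)
    last_seen: str = ""  # ISO-8601 UTC strings of equal format sort lexicographically


def auth_library(record: dict) -> str:
    """Pull the library string out of the processing details, or "" if absent."""
    for detail in record.get("authenticationProcessingDetails", []):
        if detail.get("key") == LIBRARY_KEY:
            return detail.get("value", "")
    return ""


def is_adal(record: dict) -> bool:
    return auth_library(record).startswith("Family: ADAL")


def filter_signins(records, category=None, since=None, app_id=None):
    """Custom filters in the spirit of the workbook: sign-in type, time window, application."""
    for r in records:
        if category and r["category"] != category:
            continue
        if since and r["createdDateTime"] < since:
            continue
        if app_id and r["appId"] != app_id:
            continue
        yield r


def aggregate_adal(records) -> dict:
    """Collapse every ADAL sign-in, of any type, into one summary per application."""
    summaries = {}
    for r in records:
        if not is_adal(r):
            continue
        s = summaries.setdefault(r["appId"], AppSummary(r["appDisplayName"]))
        s.total += 1
        s.by_category[r["category"]] += 1
        s.libraries.add(auth_library(r))
        s.identities.add(r["identity"])
        s.last_seen = max(s.last_seen, r["createdDateTime"])
    return summaries


if __name__ == "__main__":
    for app_id, s in aggregate_adal(SAMPLE_SIGNINS).items():
        print(app_id, s.app_display_name, s.total, dict(s.by_category), s.last_seen)
```

The service-principal row is the one most often missed when teams only look at interactive sign-ins; including all three sources is what turns the list into a complete migration inventory, and `last_seen` tells you which ADAL applications are still live rather than merely registered.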

 

Figure 1: ADAL apps sign-in data

 

Figure 2: Apps sign-in data

 

Plan to update your application

 

Get started by accessing the workbook to get a list of all ADAL applications and the details associated with them. Our migration guide walks you through all the steps to transition applications from using ADAL to using MSAL.

 

Neha Goel 

Senior Product Manager, Microsoft  


Microsoft Entra Suite now generally available

Microsoft Entra Blog -

Today we announced the general availability of Microsoft Entra Suite, the industry’s most comprehensive secure access solution for the workforce. The Microsoft Entra Suite delivers the most comprehensive Zero Trust user access solution and enables organizations to converge their access policy engine across identities, endpoints, and private and public networks.

 

What is Microsoft Entra Suite? 

The Microsoft Entra Suite delivers a complete cloud-based solution for workforce access. It brings together identity and network access that secures employee access to any cloud or on-premises application and resource from any location, consistently enforces least privilege access, and improves the employee experience.

 

This new offering advances our vision for the Microsoft Entra product line that can serve as a universal trust fabric for the era of AI, securely connecting any trustworthy identity with anything, from anywhere. In a recent blog post we also shared the four stages of creating such trust fabric for your organization, starting with foundational Zero Trust controls, and extending it to protecting access for your workforce, protecting access for your customers and partners, and protecting access in any cloud. The Microsoft Entra Suite delivers the complete toolset for the second stage of this journey – secure access for your workforce.  

 

The Microsoft Entra Suite includes the following products:  


  • Microsoft Entra Private Access – an identity-centric Zero Trust Network Access that secures access to private apps and resources and reduces operational complexity and cost by replacing legacy VPNs.
  • Microsoft Entra Internet Access – an identity-centric Secure Web Gateway (SWG) for SaaS apps and internet traffic that protects against malicious internet traffic, unsafe or non-compliant content, and other threats from the open internet.
  • Microsoft Entra ID Governance – a complete identity governance and administration solution that automates identity and access lifecycle to ensure that the right people have the right access to the right apps and services at the right time.
  • Microsoft Entra ID Protection – an advanced identity solution that blocks identity compromise in real time using high-assurance authentication methods, automated risk and threat assessment, and adaptive access policies powered by advanced machine learning (also included in Microsoft Entra ID P2).
  • Microsoft Entra Verified ID – a managed verifiable credentials service based on open standards that enables real-time identity verification in a secure and privacy-respecting way. Included in the Microsoft Entra Suite are premium Verified ID capabilities, starting with Face Check.

Microsoft Entra Suite enables you to:

  • Unify Conditional Access policies for identities and networks.
  • Ensure least privilege access for all users accessing all resources and apps.
  • Improve the user experience for both in-office and remote workers.
  • Reduce the complexity and cost of managing security tools from multiple vendors.

 

Check out the Microsoft Entra Suite introductory video below:


Unify Conditional Access policies for identities and networks 

You only have to manage one set of policies in one portal to configure access controls for both identities and networks. Conditional Access evaluates any access request, no matter where it’s coming from, performing real-time risk assessment to strengthen protection against unauthorized access.  

 

Ensure least privilege access for all users accessing all resources and apps 

You can automate the access lifecycle from the day a new employee joins your organization, through all their role changes, until the time of their exit. No matter how long or multifaceted an employee’s journey, Microsoft Entra ID Governance ensures that your employees have the right access to just the applications and resources they need, helping prevent an adversary’s lateral movement in case of a breach.  

 

Improve the user experience for both in-office and remote workers 

You can ensure that employees enjoy a faster and easier onboarding experience, faster and more secure sign-in via passwordless authentication, single sign-on for all applications, and superior performance. Using a self-service portal, your employees can request access to relevant packages, manage approvals and access reviews, and view request and approval history. Face Check with Microsoft Entra Verified ID enables real-time verification of your employee's identity, which streamlines remote onboarding and self-service recovery of passwordless accounts.  

 

Reduce the complexity and cost of managing security tools from multiple vendors 

Since traditional on-premises security solutions don’t scale to the needs of modern cloud-first, AI-first environments, organizations are seeking ways to secure and manage their assets from the cloud. With the Microsoft Entra Suite, you can retire multiple on-premises security tools, such as traditional Virtual Private Networks (VPNs), on-premises Secure Web Gateways (SWGs), and on-premises identity governance. 

 

Microsoft Entra Suite is currently priced at $12 per user per month. Microsoft Entra P1 is a licensing and technical prerequisite. Please refer to the Microsoft Entra Suite pricing page for more detail. 


Join us for upcoming events! 

We encourage you to watch the Zero Trust spotlight on demand, where Microsoft experts and thought leaders dove deeper into these and other announcements, including the general availability of Entra Internet Access and Entra Private Access, which are part of the Microsoft Entra Suite.

 

Additionally, register for the Tech Accelerator to join us on August 14, 2024, for a deep dive into the Microsoft Entra Suite, and Private Access and Internet Access products. 


Learn More 

The availability of the Microsoft Entra Suite marks a key milestone in our commitment to continue to provide a more seamless and robust secure access experience that will empower the workforce anywhere and everywhere. Learn more from the official announcement.

 

Visit the Microsoft Entra Suite trial page to get started. 

 

Irina Nechaeva, General Manager, Identity and Network Access Product Marketing 


Microsoft Security Service Edge now generally available

Microsoft Entra Blog -

Today, we announced the general availability of the Microsoft Entra Suite, which brings together identity and network access controls to secure access to any cloud or on-premises application or resource from any location. It consistently enforces least privilege access to achieve your governance requirements while improving your employee experience.

 

Companies today have good reason to focus on security. On one hand, we’re reaping the advantages of increased scalability, efficiency, and cost reductions, including all the benefits gained from generative AI’s large language models. However, these advantages also make it possible for malicious actors to exploit advanced technologies to create malware, target network vulnerabilities, and generate phishing attacks that put organizations’ data and reputations at higher risk. 

 

When identity and network access solutions operate in isolation and not in tandem, they can lead to increased complexity, inconsistent policies, and a lack of unified context across standalone solutions. This can unintentionally result in a fragmented security posture and vulnerabilities that malicious actors could exploit, potentially disrupting business continuity and compromising the user experience.

 

Neither identity nor network security controls alone can protect all your access scenarios, highlighting the need for you to adopt a holistic strategy to counteract evolving threats and protect your critical assets—no matter where the users and resources are located. 

 

The case for unified security: A strategic imperative

 

Along with the Microsoft Entra Suite general availability, we also announced the general availability of Microsoft’s Security Service Edge (SSE) solution: Microsoft Entra Private Access and Microsoft Entra Internet Access. These two products, coupled with our SaaS security-focused CASB (Microsoft Defender for Cloud Apps), comprise Microsoft’s Security Service Edge solution, a cloud-delivered, identity-centric networking model that transforms the way you secure access.

 

Microsoft’s SSE solution is all about helping you eliminate security gaps in your defenses, extending Conditional Access and continuous access evaluation to all your applications and resources, whether they’re on-premises or in any cloud.

 

Figure 1: Secure access to any app or resource, from anywhere, with an identity-centric Security Service Edge (SSE) solution.

 

Here, in more detail, are the key advantages of Microsoft’s SSE solution to your organization.

 

Eliminate security loopholes caused by identity and network access silos

 

Microsoft’s SSE Solution ensures that your identity and network access solutions work together. By unifying these separate elements, your security teams can bolster your organization’s security stance in the face of emerging threats. No more deciding which tool works for each app or how to bridge the policies your identity and network teams created. Now you can secure access with an easy-to-manage, unified, identity-centric approach to any application, resource, or destination—and not sacrifice user productivity due to complex, disjointed security controls.

 

Simplify access and improve end user experience at a global scale

 

Microsoft’s SSE solution is delivered from one of the largest global private networks: Microsoft’s Global Wide Area Network. The network connects Microsoft data centers across 61 Azure regions with more than 185 global network POPs and a vast array of growing SSE edge locations strategically placed around the world. This helps you optimally connect your users and devices to public and private resources seamlessly and securely, improving performance and boosting productivity by offering your people a fast, consistent, hybrid work experience.

 

Activate side-by-side, flexible deployment options with other SSE and networking solutions

 

Microsoft Entra Private Access and Microsoft Entra Internet Access can be deployed standalone or side-by-side with other SSE solutions. The Global Secure Access client controls network traffic at the user’s endpoint device, giving you the ability to route specific traffic profiles through Microsoft’s SSE solution. The clients for Windows and Android are now generally available, and the clients for iOS and macOS are in public preview. With flexible deployment options, the Global Secure Access client can acquire traffic based on the traffic forwarding profiles you configure for Private Access, Internet Access, and Microsoft traffic.

 

For example, you can configure Private Access profiles anywhere you replace your third-party legacy VPNs—with an identity-centric Zero Trust Network Access (ZTNA) solution. You can also configure your Microsoft profile to enable improved performance for Microsoft applications, while you keep your private and internet traffic protected with the SSE solution of your choice. 

 

A closer look at Microsoft Entra Private Access

 

Microsoft Entra Private Access is an identity-centric ZTNA solution that helps you secure access to all private apps and resources for your users—located anywhere. Private Access allows you to replace your legacy VPN with ZTNA to securely connect your users to any private resource and application—without providing full network access to all private resources. This solution embraces Zero Trust principles to protect against cyber threats and to mitigate lateral movement, while enforcing advanced app segmentation and adaptive least-privilege access policies. Using Microsoft’s global private network, you can give your users a fast, seamless access experience that balances security with productivity.

 

Figure 2: Secure access to all private apps and resources, for users anywhere, with an identity-centric Zero Trust Network Access (ZTNA).

 

Here, in more detail, are the key use cases of Microsoft Entra Private Access.

 

Replace legacy VPNs with an identity-centric ZTNA solution

 

With Microsoft Entra Private Access, you can start retiring your legacy VPN and move to an identity-centric ZTNA solution that helps you reduce your attack surface, mitigate lateral threat movement, and remove unnecessary operational complexity for your IT teams. Unlike traditional VPNs, Microsoft Entra Private Access grants least privilege access to your network for all your hybrid users, whether they are remote or local, when they access any legacy, custom, modern, or private app that is on-premises or on any cloud.

 

Enforce Conditional Access across all private resources

 

To enhance your security posture and minimize the attack surface, it’s crucial to implement robust Conditional Access controls such as multifactor authentication (MFA), without making any changes to your private applications and resources. You can also seamlessly enable single sign-on (SSO) across all private resources and applications, including legacy or proprietary applications that may not support modern authorization.

 

Deliver fast and easy access at global scale

 

Enhance your workforce’s productivity by leveraging Microsoft’s vast global edge presence, providing fast and easy access to private apps and resources, whether on-premises or on private data centers, and across any cloud. Users benefit from optimized traffic routing through the closest worldwide points-of-presence (POP), reducing latency for a consistently swift hybrid work experience. 

 

A closer look at Microsoft Entra Internet Access

 

Microsoft Entra Internet Access is an identity-centric Secure Web Gateway (SWG) for SaaS apps and internet traffic. It’s the industry’s first truly identity-centric SWG solution capable of converging all enterprise access controls in one place. This advantage eliminates the security loopholes created by using multiple security solutions, while it also protects your enterprise from malicious internet traffic, unsafe or non-compliant content, and other threats from the open internet. Working alongside Microsoft Entra Private Access and the rest of the Microsoft Entra identity stack, it unifies your access policies across all internet resources and SaaS apps.

 

Figure 3: Secure access to all internet and SaaS apps and resources with an identity-centric Secure Web Gateway (SWG).

 

Protect your organization against internet threats

 

Microsoft Entra Internet Access provides robust web content filtering options to restrict enterprise users from accessing undesirable online content. With web category filtering, you can easily allow or block a vast range of internet destinations based on pre-populated web categories, which include liability, high bandwidth, productivity loss, general browsing, and security threat (malware, compromised websites, spam sites, etc.) sites. For more granular control, you can use fully qualified domain name (FQDN) filtering to establish policies that allow or block specific endpoints or to override general web category policies effortlessly. 
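A model of the precedence the paragraph describes, as an added example: category rules give the broad allow/block baseline, and an FQDN rule for a specific destination overrides the category decision. This is illustrative code written for this page, not Global Secure Access's policy engine; the category table, the rule format, the wildcard syntax and the tie-break rule (an FQDN rule beats a category rule, and a longer FQDN pattern beats a shorter one) are assumptions, and every hostname is constructed.

```python
"""Category-based web filtering with FQDN overrides (illustrative model)."""
from dataclasses import dataclass

# Constructed stand-in for pre-populated web categories: domain -> category name.
CATEGORY_OF = {
    "malware.example": "security threat",
    "video.example": "high bandwidth",
    "games.example": "productivity loss",
    "news.example": "general browsing",
}


@dataclass(frozen=True)
class Rule:
    kind: str    # "category" or "fqdn"
    match: str   # category name, exact FQDN, or "*.suffix" wildcard
    action: str  # "allow" or "block"


def categorize(host: str) -> str:
    """Walk parent domains so cdn.malware.example inherits malware.example's category."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        category = CATEGORY_OF.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorized"


def fqdn_matches(pattern: str, host: str) -> bool:
    """Exact match, or subdomain match for a "*.suffix" pattern (the apex itself is not covered)."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.video.example" -> ".video.example"
    return host == pattern.lower()


def evaluate(host: str, rules, default: str = "allow") -> str:
    """FQDN rules take precedence over category rules; the most specific FQDN pattern wins."""
    fqdn_hits = [r for r in rules if r.kind == "fqdn" and fqdn_matches(r.match, host)]
    if fqdn_hits:
        return max(fqdn_hits, key=lambda r: len(r.match)).action
    category = categorize(host)
    for r in rules:
        if r.kind == "category" and r.match == category:
            return r.action
    return default


# Constructed policy: block threat and high-bandwidth categories, carve out one
# training site from the bandwidth block, and tighten one news domain's subdomains.
POLICY = [
    Rule("category", "security threat", "block"),
    Rule("category", "high bandwidth", "block"),
    Rule("fqdn", "training.video.example", "allow"),
    Rule("fqdn", "*.news.example", "block"),
]


if __name__ == "__main__":
    for host in ("training.video.example", "movies.video.example", "cdn.malware.example",
                 "www.news.example", "news.example", "intranet.contoso.example"):
        print(f"{host:28} {categorize(host):18} {evaluate(host, POLICY)}")
```

Two design points carry over to any real deployment: the allow exception for `training.video.example` does not loosen the rest of the `high bandwidth` category, and a wildcard pattern is treated as less specific than an exact hostname, so an exact block cannot be silently undone by a broader allow.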

 

Extend Conditional Access context richness to internet security

 

Modern businesses require versatile filtering policies that adjust to different scenarios. Microsoft Entra Internet Access gives you the ability to apply Conditional Access controls to your SWG policies, using user, device, risk, and location signals to allow or block access to relevant internet destinations. Internet Access consolidates network and identity access controls into one policy engine and allows you to extend Conditional Access (and, in the future, Continuous Access Evaluation) to cover all external destinations and cloud services, even those not federated with Microsoft Entra ID. Additionally, our deep integrations with Entra ID include valuable features like token theft protection, source IP restoration, and data exfiltration safeguards through Universal Tenant Restriction.

 

Deliver fast and consistent access at global scale

 

Enhance your users' productivity by providing swift and smooth access through a global network edge, with POPs located near the user and private WAN. Utilize numerous peering agreements with internet providers to deliver top performance and reliability. Minimize additional hops and streamline traffic routing for all Microsoft services. Implement optimal traffic management for Microsoft applications in conjunction with solutions from third-party SSE providers using side-by-side access models.

 

Conclusion

 

Organizations need an easier, more agile approach to protect access to all their applications and resources, one that safeguards critical assets no matter where they are located. Today's general availability of Microsoft Entra Internet Access and Microsoft Entra Private Access, which together make up Microsoft's SSE solution, does just that. It makes it harder for bad actors to reach your sensitive data, even if they successfully infiltrate your network, by extending identity security controls and access governance to your network.

 

Now, you can benefit from a streamlined security environment where your users have access to only the necessary resources, simplifying their work. With Conditional Access, granular identity and network access policies are now unified, closing critical security gaps and reducing operational complexity. The global, private, wide area network provided by Microsoft ensures a seamless, efficient hybrid work experience. And integration with Microsoft’s extensive security portfolio and partner ecosystem supports the implementation of Zero Trust principles throughout the entire security landscape, enhancing your overall protection. 

 

Be sure to register for the Zero Trust spotlight on July 31, 2024, where Microsoft experts and thought leaders will dive deeper into these announcements. Also, stay tuned for product deep dive blogs and our upcoming Tech Accelerator product deep dive sessions on Aug 14, 2024. We'll expand on how our SSE solution and its two core products, Microsoft Entra Private Access and Microsoft Entra Internet Access can uniquely and successfully provide a secure approach to access across your organization’s entire digital estate. 

 

To get started, contact a Microsoft sales representative, begin a trial, and explore Microsoft Entra Private Access and Microsoft Entra Internet Access general availability. Share your feedback to help us make this solution even better.  

 

Sinead O’Donovan

Vice President of Product Management, Identity and Network Access at Microsoft

 

 

Read more on this topic

 

Learn more about Microsoft Entra  

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds. 

Microsoft Entra certificate-based authentication enhancements

Microsoft Entra Blog -

Howdy, folks! Today I'm excited to share the latest enhancements for Microsoft Entra certificate-based authentication (CBA). CBA is a phishing-resistant, passwordless, and convenient way to authenticate users with X.509 certificates, such as PIV/CAC cards, without relying on on-premises federation infrastructure such as Active Directory Federation Services (AD FS). CBA is particularly critical for federal government organizations that already use PIV/CAC cards and need to comply with Executive Order 14028, which requires phishing-resistant authentication.

 

Today we're announcing the general availability of many improvements we introduced earlier this year: username bindings, affinity bindings, policy rules, and advanced CBA options in Conditional Access are all GA! I am also excited to announce the public preview of a new capability, issuer hints. The issuer hints feature greatly improves the user experience by helping users easily identify the right certificate for authentication.

 

Vimala Ranganathan, Principal Product Manager on Microsoft Entra, will now walk you through these new features that will help you in your journey toward phishing-resistant multifactor authentication (MFA).    

 

Thanks, and please let us know your thoughts!    

Alex Weinert   

 

--  

 

Hello everyone, 

 

I’m Vimala from the Microsoft Entra PM team, and I’m excited to walk you through the new issuer hints feature, as well as the features that will go into general availability.   

 

The issuer hints feature improves the user experience by helping users easily identify the right certificate for authentication. When enabled by the tenant admin, Entra sends back a Trusted CA Indication as part of the TLS handshake. The trusted Certificate Authority (CA) list is set to the subjects of the CAs uploaded by the tenant to the Entra trust store. The client or native application uses the hints sent back by the server to filter the certificates shown in the certificate picker, so that only client authentication certificates issued by CAs in the trust store are shown.

 

Figure 1: Enhanced certificate Picker with issuer hints enabled

 

We’re also thrilled to announce the features below are going to be in general availability. You can read more about each of the features in detail in our public preview blog: Enhancements to Microsoft Entra certificate-based authentication - Microsoft Community Hub.

 

CBA username bindings: CBA has added support for the three remaining username bindings and is now at parity with on-premises Active Directory. The three bindings being added are IssuerAndSerialNumber, IssuerAndSubject, and Subject. More at Configure Username binding policy.

 

CBA Affinity Binding allows admins to set affinity binding at the tenant level, as well as create custom rules that use high-affinity or low-affinity mapping, covering the many scenarios our customers have in use today. More at CBA Affinity Bindings.

 

CBA Authentication policy rules help determine the strength of authentication as either single-factor or multifactor. Multiple custom authentication binding rules can be created to assign a default protection level to certificates based on certificate attributes (Issuer or Policy Object Identifiers (OID), or a combination of Issuer and OID). More at Configure authentication binding policy.

 

Advanced CBA options in Conditional Access allow access to specific resources based on the certificate Issuer or Policy OIDs properties. More at authentication strength advanced options.   

 

You can learn more about Microsoft Entra CBA here and Microsoft’s commitment to Executive Order 14028.    

 

What’s next     

 

Over the last year, we’ve seen many federal and regulated industry customers migrate off AD FS to Microsoft Entra ID seamlessly by leveraging staged migration and providing end users a familiar sign-in experience with CBA. In fact, in the last 12 months, we’ve seen an over 1400% increase in phishing-resistant authentication for United States government customers. 

 

Keep your feedback coming at Microsoft Entra Community! We’re working diligently to bring more enhancements like the removal of limits on Certificate Revocation List (CRL), new certificate authority trust store, CBA support on the resource tenant for B2B external guest users, and iOS UX enhancements, to name just a few! 

 


What’s new in Microsoft Entra – June 2024

Microsoft Entra Blog -

Have you explored the What's New in Microsoft Entra hub in the Microsoft Entra admin center? It's a centralized view of our roadmap and change announcements across the Microsoft Entra identity and network access portfolio so you can stay informed with the latest updates and actionable insights to strengthen your security posture.

 

Here in the Microsoft Entra blog, we share feature release information and change announcements every quarter. Today’s post covers April – June 2024. It’s organized by Microsoft Entra products, so you can quickly scan what’s relevant for your deployment. 

 

  • Microsoft Entra ID 
  • Microsoft Entra ID Governance 
  • Microsoft Entra External ID 
  • Microsoft Entra Permissions Management 
  • Microsoft Entra Verified ID 

 

New releases

 

 

Change announcements

 

Security update to Entra ID affecting clients which are running old, unpatched builds of Windows

[Action may be required]

 

We're making a security update to Entra ID so that older, unpatched versions of Windows that still use the less secure Key Derivation Function v1 (KDFv1) will no longer be supported. Once the update is rolled out, unsupported and unpatched Windows 10 and 11 clients will no longer be able to sign in to Entra ID. Globally, more than 99% of Windows clients signing in to Entra ID already have the required security patches.

 

Action required:

If your Windows devices have security patches from after July 2021 installed, no action is required.

 

If your Windows devices do not have security updates after July 2021, update Windows to the latest build of your currently supported Windows version to maintain access to Entra ID. 

 

All currently supported versions of Windows have the required patch. 

 

We recommend you keep Windows up to date with Security Updates.

 

Background: 

A Windows security update for CVE-2021-33781 was issued in July 2021 to address a vulnerability where Primary Refresh Tokens were not stored sufficiently securely on the client. Once patched, Windows clients use the stronger KDFv2 algorithm. All versions of Windows released since then include the update and handle the token securely.

 

A small percentage of Windows devices have not yet been updated and are still using the older v1 key derivation function. To improve security of the system, unpatched devices using the KDFv1 algorithm will no longer be able to sign in to Entra ID using Primary Refresh Tokens.

 

What is the user experience on unsupported Windows devices when this change is rolled out?  

Users of Windows devices that haven't received patches since July 2021 may experience sign-in failures with their Entra ID user accounts on joined or hybrid joined Windows devices.

 

How do I diagnose this situation?

The error code, which appears in the sign-in logs, is 'AADSTS5000611: Symmetric Key Derivation Function version 'KDFV1' is invalid. Update the device for the latest updates.'
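As an added example that is not part of the announcement, the following PowerShell triages sign-in log records for that error code and groups the failures by device, so the unpatched machines can be located and updated. The function name and the sample records are mine; the records follow the shape of the Microsoft Graph auditLogs/signIns resource, and the live $filter shown in the trailing comment is an assumption.

```powershell
# Added example, not from the blog post: triage sign-in failures caused by the
# KDFv1 block using records in the shape of the Microsoft Graph
# auditLogs/signIns resource (status.errorCode, deviceDetail, userPrincipalName).

function Get-KdfV1SignInFailure {
    param([Parameter(Mandatory)] [object[]] $SignIns)

    # 5000611 is the numeric part of AADSTS5000611 quoted in the announcement.
    $SignIns |
        Where-Object { $_.status.errorCode -eq 5000611 } |
        Group-Object { $_.deviceDetail.deviceId } |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                DeviceId        = $_.Name
                DeviceName      = $first.deviceDetail.displayName
                OperatingSystem = $first.deviceDetail.operatingSystem
                Users           = (@($_.Group.userPrincipalName) | Sort-Object -Unique) -join ';'
                Failures        = $_.Count
                LastFailure     = (@($_.Group.createdDateTime) | Sort-Object | Select-Object -Last 1)
            }
        }
}

# Constructed sample (not real tenant data): two KDFv1 failures from one unpatched
# device, one unrelated wrong-password failure, and one successful sign-in.
$sampleSignIns = @'
[
  { "createdDateTime": "2024-07-01T08:01:00Z", "userPrincipalName": "alice@contoso.example",
    "status": { "errorCode": 5000611,
                "failureReason": "Symmetric Key Derivation Function version 'KDFV1' is invalid. Update the device for the latest updates." },
    "deviceDetail": { "deviceId": "11111111-1111-1111-1111-111111111111", "displayName": "LAPTOP-OLD", "operatingSystem": "Windows10" } },
  { "createdDateTime": "2024-07-01T09:15:00Z", "userPrincipalName": "bob@contoso.example",
    "status": { "errorCode": 5000611,
                "failureReason": "Symmetric Key Derivation Function version 'KDFV1' is invalid. Update the device for the latest updates." },
    "deviceDetail": { "deviceId": "11111111-1111-1111-1111-111111111111", "displayName": "LAPTOP-OLD", "operatingSystem": "Windows10" } },
  { "createdDateTime": "2024-07-01T09:20:00Z", "userPrincipalName": "carol@contoso.example",
    "status": { "errorCode": 50126, "failureReason": "Invalid username or password." },
    "deviceDetail": { "deviceId": "22222222-2222-2222-2222-222222222222", "displayName": "LAPTOP-NEW", "operatingSystem": "Windows11" } },
  { "createdDateTime": "2024-07-01T09:30:00Z", "userPrincipalName": "carol@contoso.example",
    "status": { "errorCode": 0, "failureReason": "Other." },
    "deviceDetail": { "deviceId": "22222222-2222-2222-2222-222222222222", "displayName": "LAPTOP-NEW", "operatingSystem": "Windows11" } }
]
'@ | ConvertFrom-Json

# One row per device that produced the KDFv1 error; LAPTOP-OLD is the only hit in the sample.
Get-KdfV1SignInFailure -SignIns $sampleSignIns | Format-Table -AutoSize

# Against a live tenant (assumptions: Microsoft.Graph module installed, AuditLog.Read.All
# consented, and a $filter on status/errorCode accepted by the signIns endpoint):
# Connect-MgGraph -Scopes 'AuditLog.Read.All'
# $uri = 'https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=status/errorCode eq 5000611'
# Get-KdfV1SignInFailure -SignIns (Invoke-MgGraphRequest -Method GET -Uri $uri).value
```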

 

Enhancing the security of Apple devices in the enterprise with hardware bound device identity – 2-year notice

[Action may be required]

 

Device identity is one of the fundamental Entra ID concepts that enables multiple Entra ID and MDM/MAM security features such as device compliance policies, app protection policies, and PRT-based SSO. To enhance security, Entra ID now supports binding device identity keys to Apple's Secure Enclave hardware, which will replace the previous Keychain-based mechanism.

 

Starting in June 2026, all new Entra ID registrations will be bound to the Secure Enclave. As a result, all customers will need to adopt the Microsoft Enterprise SSO plug-in and some of the apps may need to make code changes to adopt the new Secure Enclave based device identity.

 

Opt-in, provide feedback

Before Entra enables Secure Enclave by default for all new registrations, we encourage tenants to perform early testing using the documentation provided on learn.microsoft.com. This will help to identify any compatibility issues, where you may need to request code changes from app or MDM vendors. 

 

To report issues, raise questions, or voice concerns please open a support ticket or reach out to your Microsoft account team. 

 

Upgrade to the latest version of Microsoft Entra Connect by September 23, 2024 

[Action may be required]

 

Since September 2023, we have been auto-upgrading Microsoft Entra Connect Sync and Microsoft Entra Connect Health to an updated build as part of a precautionary security-related service change. For customers who have previously opted out of auto-upgrade or for whom auto-upgrade failed, we strongly recommend that you upgrade to the latest versions by September 23, 2024.

 

When you upgrade to the latest versions by that date, you ensure that when the service changes take effect, you avoid disruption for the following capabilities:

 

Service: Microsoft Entra Connect Sync
Recommended version: 2.3.2.0 or higher
Features impacted by service change: Auto-upgrade will stop working. Synchronization isn't impacted.

Service: Microsoft Entra Connect Health agent for Sync
Recommended version: 4.5.2487.0 or higher
Features impacted by service change: A subset of alerts will be impacted:
  • Connection to Microsoft Entra ID failed due to authentication failure
  • High CPU usage detected
  • High Memory Consumption Detected
  • Password Hash Synchronization has stopped working
  • Export to Microsoft Entra ID was Stopped. Accidental delete threshold was reached
  • Password Hash Synchronization heartbeat was skipped in the last 120 minutes
  • Microsoft Entra Sync service cannot start due to invalid encryption keys
  • Microsoft Entra Sync service not running: Windows Service account Creds Expired

Service: Microsoft Entra Connect Health agent for ADDS
Recommended version: 4.5.2487.0 or higher
Features impacted by service change: All alerts will be impacted

Service: Microsoft Entra Connect Health agent for ADFS
Recommended version: 4.5.2487.0 or higher
Features impacted by service change: All alerts will be impacted

 

Note: If you cannot upgrade by September 23, 2024, you can still regain full functionality for the above features after that date. You would do so by manually upgrading to the recommended builds at your earliest convenience.

 

For upgrade-related guidance, please refer to our docs.

 

Important Update: Azure AD Graph Retirement

[Action may be required]

 

As of June 2023, the Azure AD Graph API service is in a retirement cycle and will be retired (shut down) in incremental stages. In the first stage of this retirement cycle, newly created applications will receive an error (HTTP 403) for any requests to Azure AD Graph APIs (https://graph.windows.net). We are revising the date for this first stage from June 30 to August 31, so only applications created after August 31, 2024, will be impacted. The second stage of the Azure AD Graph service retirement cycle will begin after January 31, 2025. At this point, all applications that are using Azure AD Graph APIs will receive an error when making requests to the Azure AD Graph service. Azure AD Graph will be completely retired (and stop working) after June 30, 2025.

 

We understand that some apps may not have fully completed migration to Microsoft Graph. We are providing an optional configuration (through the authenticationBehaviors setting) that will allow an application to continue use of Azure AD Graph APIs through March 30, 2025.  If you develop or distribute software that still uses Azure AD Graph APIs, you must act now to avoid interruption. You will either need to migrate your applications to Microsoft Graph (highly recommended) or configure the application for an extension, and ensure that your customers are prepared for the change. 

 

To identify applications that are using Azure AD Graph APIs, we have provided two Entra recommendations with information about applications and service principals that are actively using Azure AD Graph APIs in your tenant.  

 

For more information, see the following references:  

 

 

Important Update: AzureAD and MSOnline PowerShell retirement 

[Action may be required]

 

As of March 30, 2024, the legacy Azure AD PowerShell, Azure AD PowerShell Preview, and MS Online modules are deprecated. These modules will continue to function through March 30, 2025, when they are retired and stop functioning. Microsoft Graph PowerShell SDK is the replacement for these modules and you should migrate your scripts to Microsoft Graph PowerShell SDK as soon as possible.  

 

Note: as indicated in our April update, MS Online with “Legacy Auth” will stop functioning in the weeks after June 30, 2024. Legacy Auth is typically associated with versions before 1.1.166.0, and involves use of MS Online PowerShell with the Microsoft Online Sign-In Assistant package installed. If you are using MS Online versions before 1.1.166.0 or MS Online with Legacy Auth, you should immediately migrate to Microsoft Graph PowerShell SDK or update the MS Online version to the latest version (1.1.183.81).  

 

To help you identify usage of Azure AD PowerShell in your tenant, you can use the Entra Recommendation titled Migrate Service Principals from the retiring Azure AD Graph APIs to Microsoft Graph. This recommendation will show vendor applications that are using Azure AD Graph APIs in your tenant, including AzureAD PowerShell.  

 

We are making substantial new and future investments in the PowerShell experience for managing Entra, with the recent Public Preview launch of the Microsoft Entra PowerShell module. This new module builds upon and is part of the Microsoft Graph PowerShell SDK. It's fully interoperable with all cmdlets in the Microsoft Graph PowerShell SDK, enabling you to perform complex operations with simple, well documented commands. The module also offers a backward compatibility option to simplify migration from the deprecated AzureAD module. Additionally, we are aware that some of our customers were unable to fully migrate scripts that manage per-user MFA from MSOnline to Microsoft Graph PowerShell. Microsoft Graph APIs were recently made available to read and configure per-user MFA settings for users, and availability in Microsoft Graph PowerShell SDK cmdlets is soon to follow.

 

Private Preview – QR code sign-in, a new authentication method for Frontline Workers

[Action may be required]

 

We are introducing a new simple way for Frontline Workers to authenticate in Microsoft Entra ID with a QR code and PIN, eliminating the need to enter long UPNs and alphanumeric passwords multiple times during their shift.

 

With the private preview release of this feature in August 2024, all users in your tenant will see a new link, 'Sign in with QR code', on navigating to https://login.microsoftonline.com > 'Sign-in options' > 'Sign in to an organization' page. This new link will be visible only on mobile devices (Android/iOS/iPadOS). If you are not participating in the private preview, users from your tenant will not be able to sign in through this method while we are still in private preview. They will receive an error message if they try to sign in.

 

The feature will have a ‘preview’ tag until it is generally available. Your organization needs to be enabled to test this feature. Broad testing will be available in public preview, which we will announce later.  

 

While the feature is in private preview, no technical support will be provided. To learn more about support during previews, see Microsoft Entra ID preview program information on Microsoft Learn.

 

Changes to phone call settings: custom greetings and caller ID

[Action may be required]

 

Starting September 2024, phone call settings (custom greetings and caller ID) under Entra's multifactor authentication blade will be moved under the voice authentication method in the authentication method policy. Instead of accessing these settings through the Entra ID or Azure portal, they will be accessible through MS Graph API. If your organization is using custom greetings and/or caller ID, please make sure to check the public documentation once we release the new experience to learn how to manage these settings through MS Graph.

 

MS Graph API support for per-user MFA

[Action may be required]

 

Starting June 2024, we are releasing the capability to manage user status (Enforced, Enabled, Disabled) for per-user MFA through MS Graph API. This will replace the legacy MS Online PowerShell module that is being retired. Please be aware that the recommended approach to protect users with Microsoft Entra MFA is Conditional Access (for licensed organizations) and security defaults (for unlicensed organizations). The public documentation will be updated once we release the new experience.

 

Azure Multi-Factor Authentication Server - 3-month notice                         

[Action may be required]


Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service MFA requests, which could cause authentications to fail for your organization. MFA Server will have limited SLA and MFA Activity Report in the Azure Portal will no longer be available. To ensure uninterrupted authentication services and to remain in a supported state, organizations should migrate their users’ authentication data to the cloud-based Azure MFA service using the latest Migration Utility included in the most recent Azure MFA Server update. Learn more at Azure MFA Server Migration.

 

Decommissioning of Group Writeback V2 (Public Preview) in Entra Connect Sync - Reminder

[Action may be required]

 

The public preview of Group Writeback V2 (GWB) in Entra Connect Sync is no longer available and Connect Sync will no longer support provisioning cloud security groups to Active Directory.

 

Similar functionality is offered in Entra Cloud Sync, called “Group Provision to AD”, which may be used instead of GWB V2 for provisioning cloud security groups to AD. Enhanced functionality in Cloud Sync, along with other new features, is being developed.

 

Customers who use this preview feature in Connect Sync should move their configuration from Connect Sync to Cloud Sync. They can either move all of their hybrid sync to Cloud Sync (if it supports their needs) or run Cloud Sync side by side with Connect Sync and move only cloud security group provisioning to AD onto Cloud Sync. Customers who provision Microsoft 365 groups to AD can continue using GWB V1 for this capability.

 

Visual enhancements to the per-user MFA admin configuration experience

[No action is required]

 

As part of ongoing service improvements, we are making updates to the per-user MFA admin configuration experience to align with the look and feel of Entra ID. This change does not include any changes to the core functionality and will only include visual improvements. Starting in August 2024, you will be redirected to the new experience both from the Entra admin center and Azure portal. There will be a banner presented for the first 30 days to switch back to the old experience, after which you can only use the new experience. The public documentation will be updated once we release the new experience.

 

Updates to “Target resources” in Microsoft Entra Conditional Access

[No action is required]

 

Starting in September 2024, the Microsoft Entra Conditional Access 'Target resources' assignment will consolidate the "Cloud apps" and "Global Secure Access" options under a new name "Resources".  

 

Customers will be able to target "All internet resources with Global Secure Access", "All resources" (formerly "all cloud apps"), or select specific resources (formerly "select apps"). Some of the Global Secure Access attributes in the Conditional Access API will be deprecated.

 

This change will start in September 2024 and will occur automatically; admins won't need to take any action. There are no changes in the behavior of existing Conditional Access policies. To learn more, see the Conditional Access documentation.

 

Upcoming Improvements to Entra ID device code flow

[No action is required]

 

As part of our ongoing commitment to security, we are announcing upcoming enhancements to the Entra ID device code flow. These improvements aim to provide a more secure and efficient authentication experience.

 

We've refined the messaging and included app details within the device code flow to ensure a more secure and precise user experience. Specifically, we've adjusted headers and calls to action to help your users recognize and respond to security threats more effectively. These changes are designed to help your users make more informed decisions and prevent phishing attacks.

 

These changes will be gradually introduced starting in July 2024 and are expected to be fully implemented by August 30, 2024. No action required from you.

 

Microsoft Entra ID Governance

New releases

 

Microsoft Entra External ID

New releases

 

Microsoft Entra Permissions Management

New releases

 

Microsoft Entra Verified ID

New releases

 

 

Add to Favorites: What’s New in Microsoft Entra

Stay informed about Entra product updates and actionable insights with What’s New in Microsoft Entra.  This new hub in the Microsoft Entra admin center offers you a centralized view of our roadmap and change announcements across the Microsoft Entra identity and network access portfolio.

 


June 2024 update on Azure AD Graph API retirement

Microsoft Entra Blog -

One year ago, we shared an update on the completion of a three-year notice period for the deprecation of the Azure AD Graph API service. This service is now in the retirement cycle and retirement (shut down) will occur in incremental stages. In the first stage of this retirement cycle, newly created applications will receive an error (HTTP 403) for any requests to Azure AD Graph APIs. We’re revising the date for this first stage from June 30 to August 31, and only applications created after August 31, 2024 will be impacted. After January 31, 2025, all applications – both new and existing – will receive an error when making requests to Azure AD Graph APIs, unless they’re configured to allow extended Azure AD Graph access.  

 

We understand that some apps may not have fully completed migration to Microsoft Graph. We’re providing an optional configuration through the authenticationBehaviors property, which will allow an application to use Azure AD Graph APIs through June 30, 2025. Azure AD Graph will be fully retired after June 30, 2025, and no API requests will function at this point, regardless of the application’s configuration. 

 

If you develop or distribute software that still uses Azure AD Graph APIs, you must act now to avoid interruption. You’ll either need to migrate your applications to Microsoft Graph (highly recommended) or configure the application for an extension, as described below, and ensure that your customers are prepared for the change. If you’re using applications supplied by a vendor that use Azure AD Graph APIs, work with the software vendor to update to a version that has migrated to Microsoft Graph APIs.  

 

How do I find Applications in my tenant using Azure AD Graph APIs? 

 

The Microsoft Entra recommendations feature provides recommendations to ensure your tenant is in a secure and healthy state, while also helping you maximize the value of the features available in Entra ID.  

 

We’ve provided two Entra recommendations that show information about applications and service principals that are actively using Azure AD Graph APIs in your tenant. These new recommendations can support your efforts to identify and migrate the impacted applications and service principals to Microsoft Graph.

 

Figure 1: Microsoft Entra Recommendations for Azure AD Graph migration

 

For more information, reference Recommendation to migrate to Microsoft Graph API

 

Configuring an application for an extension of Azure AD Graph access

 

To give a newly created application an extension of access to Azure AD Graph APIs through June 30, 2025, you must make a configuration change on the application after it's created. This change is made through the authenticationBehaviors interface. By setting the blockAzureADGraphAccess flag to false, the newly created application can continue to use Azure AD Graph APIs until later in the retirement cycle.

 

Note: In this first stage, only Applications created after August 31, 2024 will be impacted. Existing applications will be able to continue to use Azure AD Graph APIs even if the authenticationBehaviors property is not configured. Once this change is rolled out, you may also choose to set blockAzureADGraphAccess to true for testing or to prevent an existing application from using Azure AD Graph APIs. 

 

Microsoft Graph REST API examples

 

Read the authenticationBehaviors property for a single application:

GET https://graph.microsoft.com/beta/applications/afe88638-df6f-4d2a-905e-40f2a2d451bf/authenticationBehaviors 

 

Set the authenticationBehaviors property to allow extended Azure AD Graph access for a new Application:

PATCH https://graph.microsoft.com/beta/applications/afe88638-df6f-4d2a-905e-40f2a2d451bf/authenticationBehaviors
Content-Type: application/json

{
    "blockAzureADGraphAccess": false
}

 

Microsoft Graph PowerShell examples

 

Read the authenticationBehaviors property for a single application:

Import-Module Microsoft.Graph.Beta.Applications
Connect-MgGraph -Scopes "Application.Read.All"

Get-MgBetaApplication -ApplicationId afe88638-df6f-4d2a-905e-40f2a2d451bf -Property "id,displayName,appId,authenticationBehaviors"

 

Set the authenticationBehaviors property to allow extended Azure AD Graph access for a new Application:

Import-Module Microsoft.Graph.Beta.Applications
Connect-MgGraph -Scopes "Application.ReadWrite.All"

# Object ID of the application to update (the same ID used in the REST example above)
$applicationId = "afe88638-df6f-4d2a-905e-40f2a2d451bf"

$params = @{
    authenticationBehaviors = @{
        blockAzureADGraphAccess = $false
    }
}

Update-MgBetaApplication -ApplicationId $applicationId -BodyParameter $params
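The following script, added here and not part of the original post, builds on the same /beta/applications endpoints: it inventories the blockAzureADGraphAccess setting across every application registration, flags registrations created after August 31, 2024 that have no extension configured (the first retirement stage described below), and wraps the PATCH. The function names and the sample registrations are mine; the live calls assume the Microsoft.Graph PowerShell module and the Application.ReadWrite.All scope.

```powershell
# Added example, not from the blog post: inventory blockAzureADGraphAccess across all
# application registrations and flag those that lose Azure AD Graph access at the
# first retirement stage (created after August 31, 2024 with no extension configured).
# Endpoints are the /beta ones shown in the post; the function names are mine.

$firstStageCutoff = [DateTimeOffset]'2024-08-31T23:59:59Z'

function Get-AzureADGraphAccessState {
    param([Parameter(Mandatory)] [object[]] $Applications)
    foreach ($app in $Applications) {
        $created = [DateTimeOffset]($app.createdDateTime)
        # $null when authenticationBehaviors has never been configured for the app.
        $block = $app.authenticationBehaviors.blockAzureADGraphAccess
        [pscustomobject]@{
            DisplayName             = $app.displayName
            AppId                   = $app.appId
            ObjectId                = $app.id
            CreatedUtc              = $created.UtcDateTime
            BlockAzureADGraphAccess = $block
            # Only an explicit $false keeps Azure AD Graph working for a post-cutoff app.
            LosesAccessAtStage1     = ($created -gt $firstStageCutoff) -and ($block -ne $false)
        }
    }
}

function Get-AllApplication {
    # Walks every page of /beta/applications; $select keeps the payload small.
    $uri = 'https://graph.microsoft.com/beta/applications?$select=id,appId,displayName,createdDateTime,authenticationBehaviors'
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $page.value
        $uri = $page.'@odata.nextLink'
    }
}

function Set-AzureADGraphAccessBlock {
    # Same PATCH as the REST example in the post; -Block $false grants the extension,
    # -Block $true cuts an application off for testing.
    param([Parameter(Mandatory)] [string] $ObjectId, [bool] $Block = $false)
    Invoke-MgGraphRequest -Method PATCH `
        -Uri "https://graph.microsoft.com/beta/applications/$ObjectId/authenticationBehaviors" `
        -Body @{ blockAzureADGraphAccess = $Block } -ContentType 'application/json'
}

# Offline check with constructed registrations (not real tenant data): only the
# second entry is created after the cutoff without the extension set.
$sampleApps = @'
[
  { "id": "00000000-0000-0000-0000-000000000001", "appId": "aaaaaaaa-0000-0000-0000-000000000001",
    "displayName": "Legacy HR sync (pre-cutoff)", "createdDateTime": "2023-05-10T12:00:00Z",
    "authenticationBehaviors": null },
  { "id": "00000000-0000-0000-0000-000000000002", "appId": "aaaaaaaa-0000-0000-0000-000000000002",
    "displayName": "New reporting tool (no extension)", "createdDateTime": "2024-09-15T08:30:00Z",
    "authenticationBehaviors": { "blockAzureADGraphAccess": null } },
  { "id": "00000000-0000-0000-0000-000000000003", "appId": "aaaaaaaa-0000-0000-0000-000000000003",
    "displayName": "New reporting tool (extension set)", "createdDateTime": "2024-09-15T08:31:00Z",
    "authenticationBehaviors": { "blockAzureADGraphAccess": false } }
]
'@ | ConvertFrom-Json

Get-AzureADGraphAccessState -Applications $sampleApps | Format-Table -AutoSize

# Live usage (assumes the Microsoft.Graph module and Application.ReadWrite.All):
# Connect-MgGraph -Scopes 'Application.ReadWrite.All'
# $state = Get-AzureADGraphAccessState -Applications (Get-AllApplication)
# $state | Where-Object LosesAccessAtStage1 |
#     ForEach-Object { Set-AzureADGraphAccessBlock -ObjectId $_.ObjectId -Block $false }
```

The extension only delays the cutoff; the post's recommended path remains migrating the flagged applications to Microsoft Graph before June 30, 2025.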

 

What happens to applications using Azure AD Graph after August 31, 2024? 

 

  • Any existing applications that use Azure AD Graph APIs and were created before this date will not be impacted at this stage of the retirement cycle.
  • Any applications created after August 31, 2024 will encounter errors when making requests to Azure AD Graph APIs, unless the blockAzureADGraphAccess attribute has been set to false in the authenticationBehaviors configuration for the application. 

 

What happens to applications using Azure AD Graph after January 31, 2025? 

 

  • After January 31, 2025, all applications (new and existing) will encounter errors when making requests to Azure AD Graph APIs, unless the blockAzureADGraphAccess attribute has been set to false in the authenticationBehaviors property for the application.

 

What happens to applications using Azure AD Graph after June 30, 2025? 

 

  • Azure AD Graph APIs will no longer be available to any applications after this point, and any requests to Azure AD Graph APIs will receive an error, regardless of the authenticationBehaviors configuration for the application. 

 

Current support for Azure AD Graph

 

Azure AD Graph APIs are in the retirement cycle and have no SLA or maintenance commitment beyond security-related fixes.

 

About Microsoft Graph

 

Microsoft Graph represents our best-in-breed API surface. It offers a single unified endpoint to access Entra and Microsoft 365 services such as Microsoft Teams and Microsoft Intune. All new functionalities will only be available through Microsoft Graph. Microsoft Graph is also more secure and resilient than Azure AD Graph.

 

Microsoft Graph has all the capabilities that have been available in Azure AD Graph and new APIs like identity protection and authentication methods. Its client libraries offer built-in support for features like retry handling, secure redirects, transparent authentication, and payload compression.

 

What about Azure AD and Microsoft Online PowerShell modules?

 

As of March 30, 2024, AzureAD, AzureAD-Preview, and Microsoft Online (MSOL) PowerShell modules are deprecated and will only be supported for security fixes. These modules will be retired and stop working after March 30, 2025. You should migrate these to Microsoft Graph PowerShell. Please reference this update for more information. 

 

Available tools

 

 

Kristopher Bash 

Product Manager, Microsoft Graph 

LinkedIn 

 

 


Evolve your CIAM strategy with External ID

Microsoft Entra Blog -

Last month we announced the general availability of our next generation customer identity and access management solution, Microsoft Entra External ID. External ID makes Customer Identity & Access Management (CIAM) secure and simple by enabling you to:  

 

  • Secure all external identities: Managing several disparate solutions can overcomplicate your security strategy. By adopting External ID as your CIAM solution, you can secure all identity types within your Microsoft Entra admin center, safeguarding all external identities with industry-leading security, including our own conditional access engine, verifiable credentials, and built-in identity governance.  
  • Create frictionless user experiences: The rise of fraud, GenAI, and identity attacks has increased end-user fear when it comes to security risks online. With External ID, you can build frictionless, branded, user centric interfaces into your web and mobile applications to increase brand awareness, build user trust and drive user engagement. Check out an example in the WoodGrove Groceries demo! 
  • Streamline secure collaboration: Collaborating with external users and ensuring they have the right access at the right time is complex. Simplify collaboration by inviting business guests with External ID and defining what internal resources they can access across SharePoint, Teams, and OneDrive.  
  • Accelerate the development of secure applications: Integrating robust and extensive user flows into apps can take developers months. Shorten development time to minutes by leveraging External ID’s rich set of APIs, SDKs, and integrations with developer tools, such as Visual Studio Code, to build secure and branded identity experiences into external-facing web and mobile apps. 
  • Best in class value at scale: Managing several security stacks can be costly. External ID brings innovative CIAM features at a cost-effective value for any growing customer without compromising on scalable, end-to-end security. For example, this approach helps us bring best-in-class identity verification like Face Check with Verified ID to reduce help desk costs for combatting fraud. Learn more about External ID pricing here. 

 

Our goal is to provide best-in-class protection from bot attacks and sign-in and sign-up fraud, together with the ability to audit every step of an external user's journey.

 

Ask Me Anything (AMA) on July 16 for a deep dive into External ID!  

 

Since our GA announcement, we’ve received lots of interest from customers who want to get started with External ID. Don't miss our live Ask Me Anything webinar on July 16, 2024, at 9am PST! Register online to join our product experts as they showcase live demos to show how External ID shortens the implementation of secure end-to-end identity experiences into external-facing apps from months to minutes.   

 

In our AMA event, we’ll also reserve time to address any FAQs you may have about External ID, Azure AD B2C, Azure AD B2B, and more. You can find most of these questions in public documentation and in your tenant administration portal. We also collected some here for convenience: 

 

I am currently using Azure AD B2C, how can I take advantage of the innovation in Microsoft Entra External ID?  

By building new applications with Microsoft Entra External ID, admins and developers can lean on familiar Microsoft Entra ID experiences while avoiding the overhead of building specific skills in Azure AD B2C technology. Powered by open standards, External ID is built to be interoperable with any Identity solution to provide enterprise-grade security without sacrificing end user experiences. Learn more. 

 

While Azure AD B2C is powerful in the flexibility of experiences it enables, External ID is designed for ease of adoption and speed of innovation as it’s converged into the Entra ID technical stack and organically benefits from all Entra ID innovation, extending Microsoft Entra industry-leading security and governance to external users.   

 

Will there be any changes in Azure AD B2C support and how can I migrate my existing Azure AD B2C applications to Microsoft Entra External ID? 

Current Azure AD B2C customers can continue using the Azure AD B2C with no service disruptions, including creating new tenants. You can continue to operate your existing B2C applications with confidence and we'll continue supporting you until at least May 2030. 

 

We’re currently developing a seamless migration journey so you can move your existing Azure AD B2C applications to External ID without disrupting your end users and will share more information when ready. If you’d like to participate in early previews, your account team can help enroll you. You may choose to migrate your existing applications when the next-generation platform meets your feature requirements, and migration is right for your business. Learn more in our FAQ. 

 

I am currently using Azure AD B2B collaboration and B2B direct connect, have these experiences changed? 

Azure AD B2B collaboration and B2B direct connect are now part of Microsoft Entra External ID as External ID B2B collaboration and B2B direct connect. There are no changes to your product experience, B2B collaboration features remain in the same location in the Microsoft Entra admin center within the workforce tenant, allowing you to secure all business guests, streamline collaboration, and limit access risks extending ID Governance to external users.   

 

Get started with External ID! 

 

We’re excited to share the new External ID platform with you and help you deliver seamless and secure experiences to your end-users. If you are interested in learning more about External ID and how it can help secure your applications, visit aka.ms/External_ID to get started. You can try External ID for free and only pay for what you use, learn more about pricing here.  

 

 

 

  

 

Ankur Patel runs Growth for Identity @ Microsoft. In recent times, he drove the effort for connecting LinkedIn, the world’s leading professional graph and Office 365, the world’s leading productivity graph. Currently, Ankur leads Microsoft’s efforts for Entra Verified ID & External ID to improve security and compliance without compromising on privacy.  

 

 

Read more on this topic 

 


Introducing the Microsoft Entra PowerShell module

Microsoft Entra Blog -

We’re thrilled to announce the public preview of the Microsoft Entra PowerShell module, a new high-quality and scenario-focused PowerShell module designed to streamline management and automation for the Microsoft Entra product family. In 2021, we announced that all our future PowerShell investments would be in the Microsoft Graph PowerShell SDK. Today, we’re launching the next major step on this journey. The Microsoft Entra PowerShell module (Microsoft.Graph.Entra) is a part of our ongoing commitment and increased investment in Microsoft Graph PowerShell SDK to improve your experience and empower automation with Microsoft Entra.

 

We’re grateful for the substantial feedback we’ve heard from Microsoft Entra customers about our PowerShell experiences, and we’re excited to hear your thoughts after evaluating this preview module. We plan to build on our investment in the Microsoft Entra PowerShell module going forward and expand its coverage of resources and scenarios. 

 

What is Microsoft Entra PowerShell?

 

The Microsoft Entra PowerShell module is a command-line tool that allows administrators to manage and automate Microsoft Entra resources programmatically. This includes efficiently managing users, groups, applications, service principals, policies, and more. The module builds upon and is part of the Microsoft Graph PowerShell SDK. It’s fully interoperable with all cmdlets in the Microsoft Graph PowerShell SDK, enabling you to perform complex operations with simple, well-documented commands. The module also offers a backward compatibility option with the deprecated AzureAD module to accelerate migration. Microsoft Entra PowerShell supports PowerShell version 5.1 and version 7+. We recommend using PowerShell version 7 or higher with the Microsoft Entra PowerShell module on all platforms, including Windows, Linux, and macOS.

 

Benefits of Microsoft Entra PowerShell

 

  • Focus on usability and quality: Microsoft Entra PowerShell offers human-readable parameters, deliberate parameter set specification, inline documentation, and core PowerShell fundamentals like pipelining.
  • Backward compatibility with AzureAD module: Microsoft Entra PowerShell accelerates migration from the recently announced AzureAD module deprecation.
  • Flexible and granular authorization: Consistent with Microsoft Graph PowerShell SDK, Microsoft Entra PowerShell enables administrative consent for the permissions you want to grant to the application and supports specifying your own application identity for maximum granularity in app permission assignment. You can also use certificate, Service Principal, or Managed Identity authentication patterns.
  • Open source: The Microsoft Entra PowerShell module is open source, allowing contributions from the community to create great PowerShell experiences and share them with everyone. Open source promotes collaboration and facilitates the development of innovative business solutions. You can view Microsoft's customizations and adapt them to meet your needs.

 

Next steps

 

Installation: Install Microsoft Entra PowerShell, which uses the “/v1.0” API version to manage Microsoft Graph resources, from the PowerShell Gallery by running this command:

 

Install-Module Microsoft.Graph.Entra -AllowPrerelease -Repository PSGallery -Force

 

Or install the Beta module, which manages Microsoft Graph resources using the "/beta" API version, by running this command:

 

Install-Module Microsoft.Graph.Entra.Beta -AllowPrerelease -Repository PSGallery -Force

 

Authentication: Use the Connect-Entra command to sign in to Microsoft Entra ID with delegated access (interactive) or application-only access (noninteractive).

 

Connect-Entra -TenantId 'your-tenant-id' -Scopes 'User.Read.All'

 

To see more examples for using your own registered application, Service Principal, Managed Identity, and other authentication methods, see the Connect-Entra command documentation.

 

Find all available commands: You can list all available commands in the Microsoft Entra PowerShell module by using the command:

 

Get-Command -Module Microsoft.Graph.Entra

 

Get Help: The Get-Help command shows detailed information about specific commands, such as syntax, parameters, cmdlet description, and usage examples. For example, to learn more about the Get-EntraUser command, run:

 

Get-Help Get-EntraUser -Full

 

Migrating from AzureAD PowerShell module: You can run your existing AzureAD PowerShell scripts with minimal modifications using Microsoft Entra PowerShell by using the Enable-EntraAzureADAlias command. For example:

 

Import-Module -Name Microsoft.Graph.Entra

Connect-Entra #Replaces Connect-AzureAD for auth

Enable-EntraAzureADAlias #enable aliasing 

Get-AzureADUser -Top 1

 

Frequently Asked Questions (FAQs)

 

What is the difference between the Microsoft Graph PowerShell SDK and Microsoft Entra PowerShell modules?

 

Microsoft Entra PowerShell is a part of our increased investment in Microsoft Graph PowerShell SDK. It brings high-quality and scenario-optimized Entra resource management to the Microsoft Graph PowerShell SDK. Still, it keeps all the benefits of Microsoft Graph PowerShell SDK for authorization, connection management, error handling, and (low-level) API coverage. As Microsoft Entra PowerShell builds on the Microsoft Graph PowerShell SDK, it is completely interoperable.

 

Is the Microsoft Entra PowerShell module compatible with Microsoft Graph PowerShell?

 

Yes. You don't need to switch if you’ve already used the Microsoft Graph PowerShell module. Both modules work well together, and whether you use Entra module cmdlets or Microsoft Graph PowerShell SDK cmdlets for Entra resources is a matter of preference.

 

I need to migrate from the deprecated AzureAD or MSOnline modules. Should I wait for Microsoft Entra PowerShell?

 

No. One of our goals with Microsoft Entra PowerShell is to help you migrate from Azure AD PowerShell more quickly by running Enable-EntraAzureADAlias. Microsoft Entra PowerShell supports simplified migration for scripts that were using AzureAD PowerShell, with over 98% compatibility. However, the legacy AzureAD and MSOnline PowerShell modules are deprecated and will be retired (stop working) after March 30, 2025. We recommend that you act now to begin migrating your MSOnline and AzureAD PowerShell scripts. 

 

Both modules use the latest Microsoft Graph APIs. For test environments and non-production systems, you can migrate to Microsoft Entra PowerShell. We recommend migrating to this module for production systems only after it reaches general availability. If you migrate scripts to Microsoft Graph PowerShell SDK now, there is no need to update them again with Microsoft Entra PowerShell, as it enhances and will not replace Microsoft Graph PowerShell SDK.

 

Should I update Microsoft Graph PowerShell scripts to Microsoft Entra PowerShell?

 

This is not necessary but a matter of preference. Microsoft Entra PowerShell is part of the Microsoft Graph PowerShell solution, and the two modules are interoperable. You can install both modules side-by-side.

 

Will Microsoft Entra PowerShell add support for more resources in the future?

 

Yes, it is a long-term investment. We will continue to expand support for more resources and scenarios over time. Expect new cmdlets for Privileged Identity Management (PIM), Entitlement Management, Tenant Configuration settings, Per-User multifactor authentication (MFA), and more. We'll also enhance existing cmdlets with additional parameters, detailed help, and intuitive names. Check out the GitHub repo for ongoing updates.

 

Will Microsoft Entra PowerShell use a pre-consented app like AzureAD or MSOnline modules?

 

No. Microsoft Entra PowerShell permissions aren't preauthorized, and users must request the specific app permissions needed. This granularity ensures that the application has only the necessary permissions, providing granular control over resource management. For maximum flexibility and granularity in application permissions, we recommend using your own application identity with Entra PowerShell. By creating different applications for different uses of PowerShell in your tenant, you can have exacting control over application permissions granted for specific scenarios. To use your own application identity with Microsoft Entra PowerShell, you can use the Connect-Entra cmdlet:

 

Connect-Entra -ClientId 'YOUR_APP_ID' -TenantId 'YOUR_TENANT_ID' 

 

I am new to Microsoft Entra PowerShell; where do I start?

 

Explore our public documentation to learn how to install the Microsoft Entra PowerShell module, authenticate, discover which cmdlet to use for a particular scenario, read how-to guides, and more. Our best practice guide will help you start on a secure foundation.

 

How can I provide feedback?

 

You can provide feedback by visiting our GitHub repository issues section. Create a new issue with your feedback, suggestions, or any problems you've encountered. Our team actively monitors and responds to feedback to improve the module. 

 

How can I contribute?

 

We welcome contributions from the community, whether it's through submitting bug reports, suggesting new features, or contributing scenario and example improvements. To get started, visit the GitHub repository, check out our contribution guidelines, and create a pull request with your changes.

 

Learn more about Microsoft Entra PowerShell module

 

Explore our public documentation to learn how to install the Microsoft Entra PowerShell module, the authentication methods available, which cmdlet to use for a particular scenario, how-to guides, and more.

 

Try It Today

 

Try out the new version and let us know what you think on GitHub! Your insights are invaluable as we continue to improve and enhance the module to better meet your needs.

 

Thank you!

 

We want to thank all the community members who helped us improve this release by reporting issues on GitHub during the private preview! Please keep them coming!

 

Steve Mutungi

Product Manager, Microsoft Entra PowerShell

 

 

Read more on this topic

 


Move to cloud authentication with the AD FS migration tool!

Microsoft Entra Blog -

We’re excited to announce that the migration tool for Active Directory Federation Service (AD FS) customers to move their apps to Microsoft Entra ID is now generally available! Existing customers can begin updating their identity management with more extensive monitoring and security infrastructure by quickly identifying which applications are capable of being migrated and assessing all their AD FS applications for compatibility. If you don't have an Entra ID account, you can still access the Migrate AD FS to Microsoft Entra ID guide to see what a migration would look like for your organization.

 

In November we announced AD FS Application Migration would be moving to public preview, and the response from our partners and customers has been overwhelmingly positive. For some, transitioning to cloud-based security is a daunting task, but the tool has proven to dramatically streamline the process of moving to Microsoft Entra ID. 

 

A simplified workflow, reduced need for manual intervention, and minimized downtime (for applications and end users) have reduced stress for hassle-free migrations. The tool not only checks the compatibility of your applications with Entra ID, but it can also suggest how to resolve any issues. It then monitors the migration progress and reflects the latest changes in your applications. Watch the demo to see the tool in action.

Moving from AD FS to a more agile and responsive, cloud-native solution helps overcome some of the inherent limitations of the old way of managing identities.

 

In addition to more robust security, organizations count greater visibility and control with a centralized, intuitive admin center and reduced server costs as transformative benefits of moving to modern identity management. Moreover, Entra ID features can help organizations achieve better security and compliance with multifactor authentication (MFA) and conditional access policies—both of which provide a critical foundation for a Zero Trust strategy.  

 

More Entra ID features include:

 

Want to learn more about Microsoft Entra? Get the datasheet and take a tour here. Ready to get started? Visit Microsoft Learn and explore our detailed AD FS Application Migration guide. 

 

Have any questions or feedback? Let us know here.  

 

Melanie Maynes

Director of Product Marketing

 

 

For a comprehensive overview of the migration tool and its capabilities, check out these other resources:

 


User insights: Analyze customer identity data

Microsoft Entra Blog -

Today, we're excited to announce the general availability of user insights in Microsoft Entra External ID.

 

User insights, which was launched in public preview in October 2023, is a powerful tool that enables admins and developers to gain deeper insights into their customers’ behavior, preferences, and challenges. It provides key metrics such as monthly active users (MAU), daily active users (DAU), new users added, requests over time, authentications over time, multi-factor authentication (MFA) usage by type, and MFA success versus failure rates. You can also filter and segment the data by time range, operating system, country, and application id. With user insights, you can:

 

  • Analyze the trends and patterns of your customers’ application login and registration activity and discover new opportunities for growth and improvement.
  • Optimize user experience and identity management strategies for your customers and make data-driven decisions that align with your business goals and user needs.
  • Build customized dashboards in tools like Power BI using user insights from Microsoft Graph APIs, allowing more flexibility and control of your customer identity data. 

 

To access user insights, you need to have a Microsoft Entra External ID external tenant. Once you have your tenant ready, you can access the dashboards on the Microsoft admin center or access raw data via Microsoft Graph APIs. The features we’re announcing today provide significant value and are based on direct feedback from our preview customers. Sign up for your free trial here.

 

Export data to Excel for offline analysis

 

The ‘export to Microsoft Excel’ feature is a convenient way to access raw data from the dashboards to suit different user preferences and use cases. You can now export data in comma-separated values (CSV) format for seamless import and manipulation in Excel or any other CSV editor. This allows customers to use the data offline for their own customized analysis.

 

Figure 1: Export authentications data to Microsoft Excel

 

Tailor and optimize your identity management solution for different user segments 

 

You can filter data by language and identity provider to get more insights into the preferences and behavior of your users. For example, you can see which languages are most popular among your users and how they vary across applications and regions. You can also see which identity providers are used the most for authentication and how they may affect the user experience and retention. These filters help you tailor and optimize your identity management solution for different user segments.

 

Figure 2: Analyze authentications data by identity provider or language customization

 

Improving user experience and security with MFA failure insights

 

The MFA failure chart shows the number of sign-in attempts that failed due to MFA issues and why they failed. You can see the breakdown by three categories:  

 

  • Bad request: the sign-in request was malformed or invalid.
  • MFA denied: the user entered the wrong verification code or declined the MFA request.
  • MFA incomplete: the user did not complete the MFA request within the time limit.     

 

This breakdown can help you understand the common causes of MFA failures so you can target your resources and improve the user experience and security of your applications. 

 

Figure 3: Monthly MFA failures insights

 

Identify potential issues with user retention, engagement, and satisfaction

 

Inactive users are users who have not signed in over a certain period. You can see the number of daily and monthly inactive users in your applications, as well as the trend over time. This metric can help you monitor user engagement and identify areas where you can improve your user experience or offer incentives to re-engage your users. 

 

Figure 4: Active, inactive, and new user trends over time

 

Get started today

 

To access and view data from user insights, you must have a Microsoft Entra External ID external tenant with registered applications that have customer sign-in or sign-up data. Use our quickstart guide to create a trial tenant and access user insights on the Microsoft admin center or access the raw data via Microsoft Graph APIs. Visit our docs to learn more about how to access this new feature and how to view, query, and analyze user activity.

 

To learn more or test out other features in the Microsoft Entra portfolio, visit our developer center. Sign up for email updates on the Identity blog for more insights and to keep up with the latest on all things Identity, and follow us on YouTube for video overviews, tutorials, and deep dives.

 


How to break the token theft cyber-attack chain

Microsoft Entra Blog -

We’ve written a lot about how attackers try to break passwords. The solution to password attacks—still the most common attack vector for compromising identities—is to turn on multifactor authentication (MFA).

 

But as more customers do the right thing with MFA, actors are going beyond password-only attacks. So, we’re going to publish a series of articles on how to defeat more advanced attacks, starting with token theft. In this article, we’ll start with some basics on how tokens work, describe a token theft attack, and then explain what you can do to prevent and mitigate token theft now. 

 

Tokens 101 

 

Before we get too deep into the token theft conversation, let’s quickly review the mechanics of tokens.

 

A token is an authentication artifact that grants you access to resources. You get a token by signing into an identity provider (IDP), such as Microsoft Entra ID, using a set of credentials. The IDP responds to a successful sign-in by issuing a token that describes who you are and what you have permission to do. When you want to access an application or service (we’ll just say app from here), you get permission to talk to that resource by presenting a token that’s correctly signed by an issuer it trusts. The software on the client device you’re using takes care of all token handling behind the scenes.

 

Figure 1: Basic token flow

 

 

The first token you get, called a session token, shows that you successfully signed into the IDP, and how you signed in. When you sign into an app, it can exchange that session token for an access token, which gives you access to a specific resource for a certain amount of time without having to reauthenticate. To use an analogy, think of an amusement park. The IDP is the ticket office, which issues a park pass that provides credits for different rides. If you want to go on the roller coaster, you go to the ticket office, show your season park pass, and receive a ticket for that ride.

 

Just as you might be able to buy a day pass, season pass, or lifetime pass to the park, each token has a lifetime, usually between one and 24 hours. And just as a 12-month season pass may get you a one-day pass to a specific ride, session tokens can have different—and usually much longer—lifetimes than access tokens. Moreover, access token lifetimes can differ, so the roller coaster pass may last an hour while the Ferris wheel pass is good for an entire day.

 

Traditionally, longer lifetimes are more convenient for users and more resilient against potential IDP outages (they save round trips to the IDP and associated latency) but riskier, while shorter lifetimes are safer (the IDP checks the integrity of the request more often). Technologies such as continuous access evaluation provide continuous assessment, so a shorter token lifetime isn’t a benefit when these are in place. When a token expires or continuous access evaluation reports heightened risk, the client goes back to the IDP and requests a refresh. This process is typically invisible to users, but if a risk condition has changed, and your organization policy requires it, then you may have to reauthenticate and get a new token. One last thing to note: while it’s a bummer to lose your roller coaster ticket, it’s really bad to lose your season park pass. An attacker can use your roller coaster ticket to get on a single ride for a short while, but with your season park pass, they can get on any ride for as long as they want. It’s similar with session tokens, which, if stolen, give an actor a lasting ability to get access tokens.

 

How token theft works

 

Attackers steal tokens so they can impersonate you and access your data for as long as that stolen token lives. To do this, they get access to where a token is stored (on the client, in proxy servers, or in some cases in application or network logs) to acquire it and replay it from somewhere else.

 

Figure 2: Token theft cyberattack

 

 

 

Analogy key for Figure 2:

  • Identity provider: ticket office
  • Session token: season park pass
  • Access token: individual ride ticket

 

When an attacker steals your session token, it’s like picking your pocket after you’ve purchased your all-access season park pass at the fair’s ticket office. Because a token is digital, token theft is like stealing the pass from your pocket, making a photocopy, and then putting the original back in your pocket. The attacker can use their copy of your session token to get unlimited new access tokens to keep stealing your data, just as they can show a copy of a valid park pass to keep getting on rides without paying.

 

An attacker stealing your access token is comparable to someone stealing your ride ticket as you stand in line. They do the same copy-and-replace trick, using their copy of your token to access the resource, just as they could show a copy of a valid ticket to get on an individual ride without paying.

 

And because in both cases the attacker puts the original pass or ticket back in your pocket, you don’t even know an attacker is riding the rides in your name. Your token seems fine, even though an attacker is using an illegitimate copy of it, and it may take a while to determine that anything is amiss—if you ever do.

 

Here’s an example:

 

Contoso stores all their documents in a secure cloud storage service and requires all employees to verify their identity using MFA before accessing it.

 

One day, after starting their workday by signing into Contoso's cloud storage service, a user inadvertently installed malware on their device by clicking on a malicious 'phishing' link sent to them via email. The malicious code copied the user's session token and sent it to the attacker.

 

The attacker then used the stolen and MFA-validated session token, now copied to their machine, to gain access to Contoso's environment.

 

The attacker then downloaded as many documents as they could access, including a bunch of confidential reports, and leaked them on the internet.

 

Use of malware on the client to acquire the token is one common, easy method for attackers. Other tactics used to steal tokens include:

  • Copying tokens from the network as they pass through a proxy or router that the attacker controls.
  • Extracting tokens from unsecured server logs of the relying party.

 

While token theft still constitutes fewer than 5% of all identity compromises, incidents are growing. alone, we detected 147,000 token replay attacks, a 111% increase year-over-year.

 

Protecting tokens

 

IDPs and clients should handle tokens as securely as possible by only transmitting them over encrypted channels and not storing them in the open. But if an attacker infiltrates the device or network channel as in the example above, they can steal tokens and use them until they expire.

 

Ideally, a token would only work when used from the device to which it was issued. That is, if replayed from a different device, such as one an attacker controls, it would be rejected. 

 

A key part of Microsoft’s protections against token theft is the use of tokens that are cryptographically tied to the device they were issued to. This is often called token binding, but may also be called sender-constrained tokens or token proof of possession. Token protection makes it harder to execute the main types of attacks designed to steal tokens, including network-based attacks and those using malware on the device, by refusing to accept a stolen token from a device it wasn't issued to.

 

In Microsoft Entra, token protection binds tokens to cryptographic keys specific to the device and ties them to the device registration. Once developers enable their applications to use protected tokens, you can enforce an Entra Conditional Access policy that requires client applications to use protected tokens to access a service. This policy rejects tokens which are not cryptographically tied to the device they were issued to. In the theme park analogy, this is like the ticket office taking your picture and printing it on your ride ticket and requiring ride operators to match the picture to your face before letting you ride.

 

Figure 3: Token protection in Microsoft Entra

 

 

This is a large project, spanning operating system platforms, native and web applications, all our cloud services, and the full range of different tokens in use for each case. It will be released in stages for specific scenarios. The first stage, in public preview now, protects the sign-in session tokens that native applications on Windows devices use when accessing Exchange, SharePoint and Teams services.

 

Token protection policy is available for Windows clients today. We’ll support Azure management scenarios and web applications that access Microsoft 365 resources and extend our cross-platform capabilities to Mac, iOS, Android, and other clients over the next year.

 

Practical steps for countering token theft

 

Token protection will offer the strongest protection against token theft; however, it will take the industry time to update all applications to use bound tokens. The good news is that Microsoft offers compelling countermeasures against attacks involving token theft that you can use today to reduce their risk and impact. We recommend a systematic defense-in-depth approach:

 

  1. Reduce the risk of successful token theft.
  2. Prevent malicious use of stolen tokens.
  3. Be prepared to detect and investigate attacks that use stolen tokens.

 

Reduce the risk of successful token theft

 

The first line of defense is to reduce the chances of attackers stealing tokens in the first place, and below are some well-established techniques for building it. It’s the equivalent of keeping your ride tickets and park passes safe from pickpockets while you’re in the theme park.

 

Require managed and compliant devices. Use device management and define Conditional Access policies to require that users access resources from a compliant device. Compliance policies we recommend to reduce the risk of successful token theft from devices include:

 

  1. To help prevent accidental infection with token-stealing malware, require users running on Windows to run as standard users rather than with device admin rights and require that all devices run up to date anti-malware and virus tools.
  2. Use storage encryption to protect device content, including tokens, in case someone steals the device itself.
  3. Enable Local Security Authority (LSA) protection to help protect Entra ID tokens in LSA memory. LSA protection is on by default for new devices and can be enabled for other devices via Intune.
  4. Use jailbreak or rooting detection for mobile devices. Jailbroken devices are more likely to expose tokens and cryptographic secrets to potential attacks.

 


 

Turn on Credential Guard for your Windows users. If your users are running Windows 10 or later, you can prevent theft of Active Directory credentials by configuring Credential Guard, which uses virtualization-based security (VBS) to isolate local and cached credentials so that only privileged system software—and not malware—can access them. Starting in Windows 11, version 22H2, Credential Guard is on by default for devices that meet requirements. This also helps protect cloud applications and resources when hybrid-joined devices using Active Directory authentication initiate a session to access cloud applications.

 

Find step-by-step instructions for enabling credential guard in our documentation.

 

Prevent malicious use of stolen tokens

 

While device management and strong credentials certainly reduce the risk of token theft, not everyone has them, and they’re still not completely foolproof. The next layer of defense is to prevent attackers from using stolen tokens for ongoing access by configuring policies to reject them wherever possible, and by detecting attempted use and responding automatically.

 

Require token protection in Conditional Access, and where possible, choose apps and services that use token protection. Microsoft is updating our apps, identity provider, and operating systems to support token protection, so if you’re using our apps and platforms, be sure to use the latest versions. Then configure Conditional Access to require token protection for sign-in sessions, so that only applications and devices using bound sign-in session tokens can reach the service; such tokens can’t be used if they’ve been stolen and moved to another device.

 

Find step-by-step instructions for creating a Conditional Access policy that requires token binding in our documentation.

 

Create a risk policy to disrupt token theft in your environment automatically. When a user initiates a session or attempts to access an application, Entra ID Protection examines user and sign-in risk factors to see whether any have changed. Configure Conditional Access policies to protect both medium- and high-risk sessions by either challenging users with MFA or requiring reauthentication. This makes it difficult or impossible for an attacker to initiate a session using a stolen session token.

 

Wherever available, Continuous Access Evaluation (CAE) can automatically invalidate tokens when ID Protection raises the risk for a user or a service principal. This triggers the risk-based Conditional Access policies to mitigate in real-time, requiring re-authentication.

 

Find step-by-step instructions for creating risk-based Conditional Access policies in our documentation.

 

Reduce the risk of token reuse by restricting sessions for use within network boundaries. Most attackers use stolen tokens from untrusted IP addresses. You can establish network boundaries with policies that prevent users from accessing your resources if they’re coming from unknown locations or from known bad locations.

 

Restrict networks with Entra Conditional Access: Conditional Access includes controls that will block requests from outside a network compliance boundary that you define. This will prevent an attacker from refreshing a stolen Entra token, restricting its use to the lifetime of the token.

 

Find step-by-step instructions for defining a network compliance boundary with Conditional Access in our documentation.
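The following script is an added example and not code from the original post or from Microsoft's documentation. It creates, with the Microsoft Graph PowerShell SDK, the Conditional Access policies recommended in this section and in the earlier "Require managed and compliant devices" step: a compliant-device requirement, a token protection session control, sign-in and user risk policies, and a network boundary. Every policy is created in report-only state. It assumes the Microsoft.Graph modules are installed, that the signed-in account holds the Conditional Access Administrator role, and that $BreakGlassGroupId is replaced with the object ID of your emergency-access group; the two Office 365 application IDs are the well-known first-party IDs for Exchange Online and SharePoint Online, and "AllTrusted" refers to the named locations you have marked as trusted.

```powershell
# Added example, not code from the original post. Creates the Conditional Access
# policies described above with the Microsoft Graph PowerShell SDK, all in
# report-only state so you can review their effect in the sign-in logs before
# enforcing them. Assumptions: Microsoft.Graph modules installed; an account
# with the Conditional Access Administrator role; $BreakGlassGroupId is a
# placeholder for your emergency-access group's object ID.
#Requires -Modules Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace before use

# Well-known first-party app IDs for Office 365 Exchange Online and SharePoint Online.
$ExchangeOnline   = "00000002-0000-0ff1-ce00-000000000000"
$SharePointOnline = "00000003-0000-0ff1-ce00-000000000000"

# Every policy excludes the break-glass group so a misconfiguration cannot lock admins out.
$Users = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }

function New-ReportOnlyCaPolicy {
    param(
        [Parameter(Mandatory)] [string]    $DisplayName,
        [Parameter(Mandatory)] [hashtable] $Conditions,
        [hashtable] $GrantControls,
        [hashtable] $SessionControls
    )
    $body = @{
        displayName = $DisplayName
        state       = "enabledForReportingButNotEnforced"   # report-only; set to "enabled" after review
        conditions  = $Conditions
    }
    if ($GrantControls)   { $body.grantControls   = $GrantControls }
    if ($SessionControls) { $body.sessionControls = $SessionControls }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1. Reduce the risk of theft: only Intune-compliant devices may reach cloud apps.
New-ReportOnlyCaPolicy -DisplayName "CA01 - Require compliant device" -Conditions @{
    users          = $Users
    applications   = @{ includeApplications = @("All") }
    clientAppTypes = @("all")
} -GrantControls @{ operator = "OR"; builtInControls = @("compliantDevice") }

# 2. Prevent use of stolen tokens: require token protection (bound sign-in session tokens).
#    Scoped to the supported combination named in the post: Windows desktop clients to Exchange and SharePoint.
New-ReportOnlyCaPolicy -DisplayName "CA02 - Require token protection (Windows, EXO/SPO)" -Conditions @{
    users          = $Users
    applications   = @{ includeApplications = @($ExchangeOnline, $SharePointOnline) }
    platforms      = @{ includePlatforms = @("windows") }
    clientAppTypes = @("mobileAppsAndDesktopClients")
} -SessionControls @{ secureSignInSession = @{ isEnabled = $true } }

# 3. Disrupt replay automatically with Entra ID Protection risk signals.
New-ReportOnlyCaPolicy -DisplayName "CA03 - Medium/high sign-in risk requires MFA" -Conditions @{
    users            = $Users
    applications     = @{ includeApplications = @("All") }
    clientAppTypes   = @("all")
    signInRiskLevels = @("medium", "high")
} -GrantControls @{ operator = "OR"; builtInControls = @("mfa") }

New-ReportOnlyCaPolicy -DisplayName "CA04 - High user risk requires password change" -Conditions @{
    users          = $Users
    applications   = @{ includeApplications = @("All") }
    clientAppTypes = @("all")
    userRiskLevels = @("high")
} -GrantControls @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }

# 4. Network boundary: block sign-ins from anywhere except named locations marked as trusted.
#    A token stolen and replayed from an attacker's IP can then no longer be refreshed.
New-ReportOnlyCaPolicy -DisplayName "CA05 - Block access from untrusted networks" -Conditions @{
    users          = $Users
    applications   = @{ includeApplications = @("All") }
    clientAppTypes = @("all")
    locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
} -GrantControls @{ operator = "OR"; builtInControls = @("block") }

# Confirm what was created and its state before switching any policy to "enabled".
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object DisplayName -like "CA0*" |
    Select-Object DisplayName, State | Format-Table -AutoSize
```

Leave the policies in report-only mode until the sign-in logs show which users and apps each one would have affected; CA01 in particular blocks every unmanaged device, and CA05 blocks every user who works from a network you have not marked trusted. Keep the token protection policy scoped to the supported platform and resources, because adding apps that do not yet issue bound tokens will cause their sign-ins to fail once the policy is enforced.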

 

Enhance network controls with Microsoft’s Security Service Edge (SSE) solution: To prevent an attacker from using a token outside a trusted network at all, Entra Internet Access and Entra Private Access use agents installed on endpoints and a compliant network check (enforced in real time via CAE) to verify that a user is connecting from a trusted network. Find step-by-step instructions for enabling the compliant network check with Conditional Access in our documentation.

 

CAE-capable applications and services such as Teams, Exchange Online, and SharePoint Online will continuously enforce the IP-based named location Conditional Access policies and compliant network policies to ensure that tokens can be used only from trusted networks to access services. CAE offers a strict location enforcement mode to maximize protection. Find the step-by-step instructions for enabling this in our documentation.

 

Revoke tokens using Continuous Access Evaluation

 

In addition to ensuring that the supported services can only be accessed from trusted locations, CAE can revoke tokens when admins (or users themselves) take action in response to detecting an account compromise or token theft. These include disabling accounts, changing passwords, and revoking refresh tokens. Learn more about Continuous Access Evaluation in our documentation.

 

Be prepared to detect and investigate attacks that use stolen tokens

 

Use Entra ID Protection and Microsoft Defender to monitor for token theft. When a threat actor replays a token, their sign-in event can trigger detections such as ‘anomalous token’ and ‘unfamiliar sign-in properties’ from both Entra ID Protection and Microsoft Defender for Cloud Apps. Premium detections recognize abnormal characteristics such as an unusual token lifetime, a token replayed from an unfamiliar location, or token attributes that are unusual or match known attacker patterns. Signals from Microsoft Defender for Endpoint (MDE) can indicate a possible attempt to access the Primary Refresh Token.

 

Find step-by-step instructions for investigating token theft in our documentation.
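As an added example (not code from the original post), the script below ties the detection paragraph above to the "Revoke tokens using Continuous Access Evaluation" step: it reads recent Entra ID Protection risk detections through Microsoft Graph, prints a triage view, and, only when run with -Revoke, revokes the refresh tokens of users whose risk is still open so that CAE-capable services stop honoring their access tokens. It assumes the Microsoft.Graph modules are installed and that the account has permission to read risk detections and revoke sign-in sessions; the set of risk event types in $TokenReplayTypes is this example's choice, not an official list.

```powershell
# Added example, not code from the original post. Lists recent Entra ID Protection
# risk detections that are typical of token replay and, with -Revoke, revokes the
# affected users' refresh tokens so CAE-capable services stop accepting their
# access tokens. Assumptions: Microsoft.Graph modules installed; an account able
# to read risk detections and revoke sessions; $TokenReplayTypes is this
# example's selection of riskEventType values.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users.Actions
param(
    [int]    $LookbackDays = 7,
    [switch] $Revoke
)

Connect-MgGraph -Scopes "IdentityRiskEvent.Read.All", "User.RevokeSessions.All" -NoWelcome

# riskEventType values that Entra ID Protection raises for replayed or anomalous tokens.
$TokenReplayTypes = @("anomalousToken", "tokenIssuerAnomaly", "unfamiliarFeatures")

$since      = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays).ToString("yyyy-MM-ddTHH:mm:ssZ")
$typeClause = ($TokenReplayTypes | ForEach-Object { "riskEventType eq '$_'" }) -join " or "
$filter     = "detectedDateTime ge $since and ($typeClause)"

$detections = Get-MgRiskDetection -Filter $filter -All

# Triage view: what was replayed, from where, and whether the user is still considered at risk.
$detections |
    Sort-Object DetectedDateTime -Descending |
    Select-Object DetectedDateTime, RiskEventType, RiskLevel, RiskState, UserPrincipalName, IpAddress,
        @{ Name = "Location"; Expression = { "$($_.Location.City), $($_.Location.CountryOrRegion)" } } |
    Format-Table -AutoSize

# Respond once per user, not once per detection, and only where the risk is still open.
$openByUser = $detections |
    Where-Object { $_.RiskState -in @("atRisk", "confirmedCompromised") } |
    Group-Object UserId

foreach ($entry in $openByUser) {
    $upn = $entry.Group[0].UserPrincipalName
    Write-Host ("{0}: {1} open detection(s)" -f $upn, $entry.Count)
    if ($Revoke) {
        # Invalidates refresh tokens and browser session cookies. CAE-aware services
        # (Exchange Online, SharePoint Online, Teams) drop the user's access tokens in
        # near real time; other services keep accepting them until they expire.
        Revoke-MgUserSignInSession -UserId $entry.Name | Out-Null
        Write-Host "  refresh tokens revoked; user must sign in again"
    }
}
```

Run it without -Revoke first and confirm the detections in the Entra ID Protection or Defender portal; revocation signs the user out everywhere, so it belongs in an incident runbook rather than a scheduled job. Revoking tokens does not change a compromised password, so pair it with a password reset when the detection points to credential theft rather than token theft alone.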

 

Pull all your data into one Security Information and Event Management (SIEM), such as Microsoft Sentinel, to investigate potential token theft. If you receive an alert for an event that may indicate token theft, you can investigate it in the Microsoft Sentinel portal or in another SIEM. Microsoft Sentinel gives you important details about a specific incident, such as its severity, when it occurred, how many entities were involved, which events triggered it, and whether it reflects any MITRE ATT&CK tactics or techniques. You can then view the investigation map to understand the scope and root cause of the potential security threat.

 

Find step-by-step instructions for investigating incidents using Sentinel in our documentation.

 

Reduce the risk of successful token theft

  • Require managed and compliant devices.
  • Turn on Credential Guard for your Windows users.

Prevent malicious use of stolen tokens

  • Require token protection in Conditional Access and, where possible, choose apps and services that use token protection.
  • Create a risk policy to disrupt token theft in your environment automatically.
  • Reduce the risk of token reuse by restricting sessions for use within network boundaries.
  • Revoke tokens using Continuous Access Evaluation.

Be prepared to detect and investigate attacks that use stolen tokens

  • Use Entra ID Protection and Microsoft Defender to monitor for token theft.
  • Pull all your data into one SIEM, such as Microsoft Sentinel, to investigate potential token theft.

 

As defenders building defenses to help everyone strengthen cybersecurity, Microsoft is in a big strategic fight against token theft. We’ll keep you updated on any advancements you can use to counter attacks that use token theft. In the meantime, to help defend your environment, configure your Conditional Access policies to take advantage of token protection wherever you can and employ the countermeasures we’ve described here.

 

Stay safe out there,

Alex Weinert

 

 

Learn more about Microsoft Entra

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.

 

Microsoft Entra ID Governance licensing clarifications

Microsoft Entra Blog -

In the past few weeks, we’ve announced the general availability of Microsoft Entra External ID and Microsoft Entra ID multi-tenant collaboration. We’ve received requests for more detail from some of you regarding licensing, so I’d like to provide additional clarity for both of these scenarios.

 

One person, one license

 

Included in the first announcement of more multi-tenant organization (MTO) features to enhance collaboration between users, we stated that only one Microsoft Entra ID P1 license is required per employee per multi-tenant organization. Expanding on that, the term “multi-tenant organization” has two descriptions: an organization that owns and operates more than one tenant; and a set of features that enhance the collaboration experience for users between these tenants. However, your organization doesn’t have to deploy those capabilities to take advantage of the one person, one license philosophy. An organization that owns and operates multiple tenants only needs one Entra ID license per employee across those tenants. The same philosophy applies to Entra ID Governance: the organization only needs one license per person to govern the identities of these users across these tenants.

 

Note that this philosophy includes administrative accounts. In some organizations, administrators use standard user accounts for day to day tasks, and separate administrator accounts for privileged access. A person with a standard user account and an administrator account only needs one Entra ID Governance license for both identities to be governed. Of course, they could also leverage Entra ID Governance’s Privileged Identity Management (PIM) to temporarily elevate the access rights of a single account, instead of maintaining two accounts.

 

To illustrate this scenario, let’s consider an organization called Contoso, which owns ZT Tires and Tailspin Toys. Mallory is hired by Contoso, which uses Lifecycle Workflows in Entra ID Governance to onboard her user account and grant her access to the resources she needs for her job. Her account receives an access package with an entitlement to ZT Tires’ ERP app, and she requests access to Tailspin Toys’ inventory management app. Because Mallory has an Entra ID Governance license in the Contoso tenant, her identity can be governed in the ZT Tires and Tailspin Toys tenants with no additional governance licenses – one person, one license.

 

Diego is an identity administrator whose user account is in the ZT Tires tenant. He uses a separate administrator account for privileged access tasks in Contoso, Tailspin Toys, and ZT Tires tenants. Because Diego has an Entra ID Governance license in the ZT Tires tenant, both his user and administrator identities can be governed in all three tenants with no additional governance licenses – again, one person, one license.

 

Entra ID Governance in Microsoft Entra External ID

 

The other announcement covered Entra External ID, Microsoft’s solution to secure customer and business collaborator access to applications. In November, I blogged about the licensing model to govern the identities of business guests in the B2B scenario for Entra External ID and shared that pricing would be $0.75 per actively governed identity per month. Because metered, usage-based pricing to govern the identities of business guests is a different model than the existing, licensed-based pricing model to govern the identities of employees, I’d like to share more detail.

 

A business guest identity in Entra External ID will accrue a single $0.75 charge in any month in which that identity is actively governed, no matter how many governance actions are taken on that identity. For example: 

 

A Contoso employee named Gerhart collaborates with Pradeep of Woodgrove Bank to produce Contoso’s quarterly financial statements. Contoso has deployed Entra External ID for its business partners such as Woodgrove Bank. In April, Pradeep accesses the Contoso Microsoft Teams team where Gerhart stores his quarterly reporting documents, but no identity governance actions are taken on his Entra External ID identity, so it doesn’t accrue any charges.

 

In May, Pradeep receives an access package with an entitlement to Contoso’s accounting system, and Gerhart reviews Pradeep’s existing access to Contoso’s inventory management database, as well as to the Teams with the quarterly reporting documents. Because Pradeep’s identity in Entra External ID had identity governance actions taken on it, Contoso will accrue a $0.75 charge. Note that the charge is applied once, even though there were three identity governance actions taken during the month. Once that Entra External ID identity was governed in May, additional identity governance actions do not generate additional charges for that identity in May.

 

To learn more about Microsoft Entra ID Governance licensing, visit the Licensing Fundamentals page.

 

 
