Microsoft Entra Blog

Update to security defaults

As part of the Secure Future Initiative, we’ve evolved our security approach to align with three security principles: secure by design, secure by default, and secure operations. Secure by default means security protections are enabled and enforced by default. In Microsoft Entra, security defaults are an example of our secure by default approach. Security defaults are enabled for every new tenant, which provides a baseline level of protection for your Entra identities and resources. To make sure that organizations relying on security defaults are well protected, we’re updating the multifactor authentication registration requirement to help improve your security posture.

 

We’re removing the option to skip multifactor authentication (MFA) registration for 14 days when security defaults are enabled. This means all users will be required to register for MFA on their first login after security defaults are turned on. This will help reduce the risk of account compromise during the 14-day window, as MFA can block over 99.2% of identity-based attacks. This change affects newly created tenants starting on December 2nd, 2024 and will be rolled out to existing tenants starting in January 2025.

 

This update is part of our ongoing effort to provide you with a secure and reliable identity service. We recommend that you enable security defaults for your organization if you are not using Conditional Access, as security defaults offer a simple and effective way to protect your users and resources from common threats. 
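Two things an admin will want to check before the grace period disappears: whether the tenant is actually relying on security defaults, and which users (admins first) still have no MFA method registered. The script below is an added example, not code from the blog post; it assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules) and an account that can consent to the listed scopes.

```powershell
# Added example (not from the blog post): confirm security defaults are enabled and
# list users who have not registered an MFA method yet.
# Assumes the Microsoft Graph PowerShell SDK and consent to the scopes below.
Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# 1. Is the tenant relying on security defaults at all?
$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if (-not $policy.IsEnabled) {
    Write-Warning 'Security defaults are disabled; Conditional Access must enforce MFA registration instead.'
}

# 2. Who has no MFA method registered? The server-side filter keeps the result set small.
$unregistered = Get-MgReportAuthenticationMethodUserRegistrationDetail `
    -Filter 'isMfaRegistered eq false' -All

# Accounts holding admin roles come first: those are the ones attackers target
# during the window the blog describes.
$unregistered |
    Sort-Object -Property IsAdmin -Descending |
    Select-Object UserPrincipalName, IsAdmin, IsMfaCapable,
        @{ Name = 'Methods'; Expression = { $_.MethodsRegistered -join ',' } } |
    Format-Table -AutoSize
```

Once security defaults are on, every account in that list is prompted to register at next sign-in; running the report again a week later shows who has not signed in (and is therefore still unprotected).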

 

To learn more about these upcoming updates and how you can best prepare your users, please review our documentation.

 

Nitika Gupta

Group Product Manager, Identity

 

 

Learn more about Microsoft Entra  

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds. 

Meet Microsoft Entra at Ignite 2024: November 18-22

Microsoft Ignite is just around the corner, taking place from Monday, November 18, 2024 through Friday, November 22, 2024, in Chicago, Illinois and digitally. This event is the ultimate gathering for IT and Security professionals, developers, and business leaders from every corner of the world. During Ignite, dive into the latest AI innovations for AI transformation to learn from the brightest minds in the industry. Plus, discover solutions to help modernize and manage intelligent apps, protect your data, supercharge productivity, and expand your services. You’ll also have endless opportunities to network with partners and grow your community or business. While in-person passes are sold out, you can still register to participate online.

 

This year, we're thrilled about our sessions on Microsoft Entra. These breakouts are your all-access pass to not only hear about the cutting-edge advancements in identity and access management (IAM), but also to engage with Microsoft Entra experts and team members behind these innovations. Whether you're curious about advancing your Zero Trust architecture with identity and network, delving into the latest advancements in generative AI for securing access, or exploring our unified approach to identity and network access controls, we've got you covered!

 

Your complete guide to Microsoft Entra at Ignite:

 

 

Breakout sessions

Secure access for any identity to any resource with Microsoft Entra

BRK313 – Wednesday, November 20 | 11:00 AM – 11:45 AM CDT

https://aka.ms/Ignite2024/BRK313 

 

Dive deep into the newest innovations and announcements for identity and network security solutions to establish Zero Trust access controls, secure access for employees, customers, and partners, and secure access in any cloud. Plus, see how generative AI and admin center tools boost efficiency and scale for your team.

 

Speakers: Alex Simons, Nichole Peterson

 

Secure access for your workforce with the new Microsoft Entra Suite

BRK314 – Wednesday, November 20 | 1:15 PM – 2:00 PM CDT

https://aka.ms/Ignite2024/BRK314 

 

Identity is your first line of defense. But when identity and network access solutions operate in isolation and not in tandem, they can lead to increased complexity and inconsistent policies. Join us to learn how unifying Conditional Access across identities and network can help simplify your Zero Trust architecture. Find out how Microsoft Entra Suite can streamline employee onboarding, modernize remote access, and secure access to on-premises applications and internet resources.

 

Speakers: Irina Nechaeva, Jef Kazimer

 

Note for Microsoft partners: We are also hosting session BRK332 on Thursday, November 21st for you to learn about Microsoft Entra Suite and relevant business opportunities.

 

Accelerate your Zero Trust journey: Unify Identity and Network Access

BRK326 – Thursday, November 21 | 9:45 AM – 10:30 AM CDT

https://aka.ms/Ignite2024/BRK326 

 

Discover how to accelerate your Zero Trust journey with a unified approach across identity and network. We will explore how Microsoft’s identity-centric Security Service Edge (SSE) solution can help you secure access to all private, on-premises, internet, and SaaS applications and resources from anywhere. Join us to learn about Microsoft’s technology partnerships, where you can further enhance your organization’s security posture.

 

Speakers: Sinead O’Donovan, John Savill, Abdi Saeedadabi

 

Theater sessions

Bring passkey into your passwordless journey with Microsoft Entra ID

THR659 – Thursday, November 21 | 5:15 PM – 5:45 PM CDT

https://aka.ms/Ignite2024/THR659

 

Many of our customers are either already deploying passwordless credentials or planning to do so in the next few years. Meanwhile, the industry is buzzing with excitement about passkeys. But what exactly are passkeys, and what do they mean for your organization’s passwordless journey? Join the Microsoft Entra ID product team as we explore the impact of passkeys on the passwordless ecosystem and share insights from Microsoft's own passkey implementation and customer experiences.

 

Speaker: Nitika Gupta

 

Security Copilot + Microsoft Entra: Secure access at the speed of AI 

THR556 – Wednesday, November 20 | 4:15 PM – 4:30 PM CDT

https://aka.ms/Ignite2024/THR556

 

Discover how Security Copilot and Microsoft Entra revolutionize identity and access management using GenAI to strengthen Zero Trust. Accelerate tasks like troubleshooting and policy management to reduce downtime. Elevate security teams by bridging skill gaps, improving decision-making, and guiding complex tasks, ensuring a strong security posture in an evolving threat landscape. Scale with AI by automating insights and streamlining security operations.

 

Speakers: Sarah Scott, Mitch Muro

 

Lab session

Secure access to privileged apps and resources with Microsoft Entra ID

LAB546 – Wednesday, November 20 | 6:30 PM – 7:45 PM, Thursday, November 21 | 1:15 PM – 2:30 PM CDT

https://aka.ms/Ignite2024/LAB456  

 

Enable your organization to confidently deploy privileged apps in alignment with Zero Trust. In this hands-on session, you'll learn to prevent identity-based attacks and secure access to resources with Microsoft Entra ID (formerly Azure AD). You’ll enable passkeys, phishing-resistant authentication, and Conditional Access, as well as implement access management, enable continuous access evaluation, and more, using labs from SC-300: Microsoft Identity and Access Administrator Associate.

 

Speakers: Robert Stewart, Danielle Augustin

 

Community Roundtable: Microsoft Entra Suite: Secure access for your employees

 

Join us for an engaging community table conversation, COM1053 about the Microsoft Entra Suite. Whether you're just beginning or looking to enhance your knowledge, this discussion will provide actionable insights and foster a collaborative environment for sharing experiences and strategies to help you further your Zero Trust user access security. You won't want to miss this opportunity to learn from peers and experts alike!

 

Expert meetup

 

Want to connect with Microsoft Entra experts and team members in-person while at Ignite? Visit the Expert meetup stations in the Microsoft Hub to ask questions and view demos. 

 

Catch us at the Secure the Night party

 

Join Microsoft Security’s “Secure the Night” party on November 20 for an evening of exciting entertainment, food and refreshments, and the opportunity to connect informally with our Microsoft Security teams. 

 

Make sure to bring your Microsoft Ignite Badge for entry.

 

Registration is OPEN and is required to attend.  

 

The entire team looks forward to meeting you at Microsoft Ignite, whether in Chicago or in the chat rooms for our breakout sessions. Your feedback and partnership are essential to the continuous development of Microsoft Entra innovations.

 

Don't miss this opportunity to connect, learn, and grow at Microsoft Ignite 2024! 

 

Irina Nechaeva

General Manager, Microsoft Entra

 

 


Manage Microsoft Entra ID role assignments with Microsoft Entra ID Governance

I’m excited to announce that we now support Microsoft Entra role assignments in Microsoft Entra ID Governance's Entitlement Management feature! 

 

To ensure least privilege, many of you are using Privileged Identity Management to provide IT administrators just-in-time (JIT) access to the least privileged role assigned. This approach allows you to minimize the attack surface in your organization by reducing the number of permissions IT administrators have. However, some admins in your organization may require long-standing permissions coupled with other resources, like specific applications.  

 

Now, you can use Microsoft Entra ID Governance to assign Microsoft Entra roles to users and groups through Entitlement Management access packages. This helps you: 

 

  1. Minimize impact of security breaches by setting eligibility for privileged roles in Privileged Identity Management and reducing unnecessary access. 
  2. Ensure that the right people have access to the right resources and roles with periodic access reviews. 
  3. Scale role assignments as your organization grows using self-service access request processes. 
  4. Enable business functions by combining assignment of tools or applications with the Microsoft Entra roles required to use them for increased visibility and ease of management. 

 

We’ve seen customers use this capability in scenarios such as: 

 

  • IT helpdesk: Reduce administrator fatigue by delegating IT support tasks to helpdesk employees. 
  • Application administration: Ensure regulatory compliance by managing access to sensitive applications. 
  • Operations: Empower security operations center analysts with monitoring tools and the ability to read logs. 

 

Managing assignment of Microsoft Entra ID roles through access package policies enables control of the full role assignment lifecycle from request, to approval, to provisioning of that role.  

 

Let’s explore how you can leverage Microsoft Entra ID Governance to manage the role assignment lifecycle. 

 

Scenario: Automate Microsoft Entra role assignments with self-service processes

 

Imagine your organization's Support department is expanding by hiring 50 new IT helpdesk staff. Manually assigning Microsoft Entra roles to each user is neither efficient nor repeatable for the Identity and Access Management (IAM) team, which also has to meet compliance and audit requirements.

 

Tenant administrators can streamline this by creating an access package with the necessary roles, allowing IT staff to request access via the My Access portal and delegating approvals to the Helpdesk department managers. This frees up the IAM team to focus on security by utilizing Microsoft Entra ID Governance policies and user self-service capabilities. 

 

To limit standing access for the Helpdesk Administrator role, you can set eligibility in the access package, requiring users to just-in-time activate the role through Privileged Identity Management (PIM) when needed. 

 

Here’s how you can do it in three easy steps: 

 

1. Create an access package and add the Helpdesk Administrator Microsoft Entra role as “Eligible member” and Service Support Administrator as “Active member”. 

 

Figure 1: How to add Microsoft Entra roles as resources of an access package.

 

2. Allow members of the IT Helpdesk group to request access and configure approval settings.

 

Figure 2: Policy configuration targeting the IT Helpdesk group as users who can request access.

 

 

Figure 3: Approval settings.

You can set up periodic access reviews to remove role assignments when access is no longer required.

 

3. In the Lifecycle tab, configure expiration and require access reviews. You can select the review frequency and specify who will conduct the reviews. 

 

Figure 4: Access review configuration for the access package.

 

  

By applying these governance processes, you can ensure least privileged access for all your IT administrators, reducing the risk of unnecessary access and potential misuse. Combining this new feature with other governance features like Lifecycle workflows ensures that role assignments are removed automatically when those IT administrators leave the organization or change roles. This enables your organization to operate more smoothly and securely.
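Before moving a role into an access package, it helps to know who holds it today and how: as a standing (permanent, active) assignment, as a time-limited PIM activation, or only as eligibility. The script below is an added example, not part of the blog post; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance and Microsoft.Graph.DirectoryObjects modules), RoleManagement.Read.Directory consent, and the Helpdesk Administrator role used in the scenario above.

```powershell
# Added example (not from the blog post): report who holds the Helpdesk Administrator
# role as a standing assignment versus a PIM activation or PIM eligibility.
# Assumes the Microsoft Graph PowerShell SDK and RoleManagement.Read.Directory consent.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory' -NoWelcome

$roleName = 'Helpdesk Administrator'
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role '$roleName' not found" }
$filter = "roleDefinitionId eq '$($role.Id)'"

# Active assignments: AssignmentType 'Assigned' is a direct (standing) assignment,
# 'Activated' is an eligible user who activated through PIM for a limited time.
$active   = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter $filter -All
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $filter -All

# Resolve principal IDs (users or groups) to display names in one batch call.
$ids = @($active.PrincipalId) + @($eligible.PrincipalId) | Where-Object { $_ } | Select-Object -Unique
$names = @{}
if ($ids) {
    Get-MgDirectoryObjectById -Ids $ids | ForEach-Object {
        $names[$_.Id] = $_.AdditionalProperties['displayName']
    }
}

$report = @(foreach ($a in $active) {
    [pscustomobject]@{
        Principal = $names[$a.PrincipalId]
        Kind      = if ($a.AssignmentType -eq 'Activated') { 'PIM activation' } else { 'Standing' }
        Expires   = $a.ScheduleInfo.Expiration.Type   # 'noExpiration' means permanent
        Scope     = $a.DirectoryScopeId               # '/' is tenant-wide
    }
})
$report += @(foreach ($e in $eligible) {
    [pscustomobject]@{
        Principal = $names[$e.PrincipalId]
        Kind      = 'Eligible'
        Expires   = $e.ScheduleInfo.Expiration.Type
        Scope     = $e.DirectoryScopeId
    }
})
$report | Sort-Object Kind | Format-Table -AutoSize

# Permanent standing assignments are the ones to migrate into an access package
# that grants the role as "Eligible member".
$report | Where-Object { $_.Kind -eq 'Standing' -and $_.Expires -eq 'noExpiration' }
```

Run it again after the access package is in place and the access review has completed: the standing, non-expiring rows should be gone, and what remains should be eligibility plus short-lived activations.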

 

Give it a try 

 

We’re excited about this new capability, and we'd love for you to try it out! If you’ve already got Microsoft Entra ID Governance, you’re ready to go! If you don’t, but already have Microsoft Entra ID Premium, you have two ways to enable this feature:  

 

You can set up a trial of Microsoft Entra ID Governance or upgrade to Microsoft Entra ID Governance by purchasing licenses online via our licensing partners, or directly from Microsoft if you work with a Microsoft account team. 

 

You can also set up a trial of Microsoft Entra Suite, which includes Microsoft Entra ID Governance.

 

Joseph Dadzie

 

 


 


The latest enhancements in Microsoft Authenticator

Hi folks,

 

I'm thrilled to announce three major Microsoft Entra ID advancements that will help you protect your users with phishing-resistant authentication:

  • Public preview refresh: Device-bound passkey support in Microsoft Authenticator
  • Public preview: Support for FIDO2 security keys on native brokered applications, such as Outlook and Teams, on Android 14
  • General availability: FIPS compliance for Microsoft Authenticator on Android

 

These advancements are crucial, not only for adhering to the US Executive Order 14028 on Improving the Nation's Cybersecurity, but also for safeguarding all organizations and users who rely on secure digital identities. Let’s dig deeper!

 

Public preview refresh: Device-bound passkey support in Microsoft Authenticator

 

During World Password Day in May, we announced the public preview of device-bound passkey support in Microsoft Authenticator for iOS and Android, tailored for organizations with higher security assurance requirements. We’re now refreshing this feature with some exciting new capabilities! 

 

During public preview, we received valuable feedback from customers that the registration experience for passkeys can be cumbersome and error-prone. Some users, when registering from their laptops, encountered as many as 19 steps, missed essential prerequisites like enabling Bluetooth on their device, or inadvertently set up their passkey with an unsupported provider. Based on this feedback, we’ve improved the registration flow to provide a more tailored experience to ensure users are successful when registering their passkey. We've also optimized the registration process by initially directing users to sign into the Authenticator app. This approach provides a seamless experience, guiding users through prerequisites, while significantly reducing contextual switches between devices.

 

In addition to enhancing the user experience, we’ve also strengthened the security posture by introducing attestation support. When configured, we leverage Android and iOS APIs to verify the legitimacy of the Microsoft Authenticator app on the user's device prior to registering the passkey.

 

Figure 1: Passkey in Microsoft Authenticator

 

 

These two capabilities are now in preview, and we highly encourage you to start piloting these features in your organization and share your feedback with us as we prepare for general availability coming soon. 

 

To get started, please refer to our documentation. To learn more about passkey support in Microsoft Entra ID, please read our original announcement, Public preview: Expanding passkey support in Microsoft Entra ID.
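When piloting device-bound passkeys, the tenant-level FIDO2 method policy decides whether attestation is required and which providers (by AAGUID) may register. The script below is an added example, not code from the blog post or the documentation it links to; it assumes the Microsoft Graph PowerShell SDK, Policy.Read.All consent, and the property names of the fido2AuthenticationMethodConfiguration resource in Graph v1.0.

```powershell
# Added example (not from the blog post): read the tenant's FIDO2/passkey method policy
# and flag settings that would break a passkey pilot.
# Assumes the Microsoft Graph PowerShell SDK and Policy.Read.All consent.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2'
$fido2 = Invoke-MgGraphRequest -Method GET -Uri $uri   # returns a hashtable of the JSON body
$kr = $fido2.keyRestrictions

[pscustomobject]@{
    State                   = $fido2.state
    SelfServiceRegistration = $fido2.isSelfServiceRegistrationEnabled
    AttestationEnforced     = $fido2.isAttestationEnforced
    KeyRestrictionEnforced  = $kr.isEnforced
    KeyRestrictionMode      = $kr.enforcementType        # 'allow' or 'block'
    AAGUIDs                 = ($kr.aaGuids -join ', ')
    Targets                 = (($fido2.includeTargets | ForEach-Object { "$($_.targetType):$($_.id)" }) -join ', ')
} | Format-List

# Pilot sanity checks.
if ($fido2.state -ne 'enabled') {
    Write-Warning 'FIDO2/passkey method is disabled; nobody can register a passkey.'
}
if (-not $fido2.isAttestationEnforced) {
    # Without attestation any FIDO2 authenticator, attested or not, can register.
    Write-Warning 'Attestation is not enforced.'
}
if ($kr.isEnforced -and $kr.enforcementType -eq 'allow' -and -not $kr.aaGuids) {
    Write-Warning 'An allow-list is enforced but empty: no provider can register.'
}
if ($kr.isEnforced -and $kr.enforcementType -eq 'allow') {
    'Allow-list in force: make sure the AAGUIDs of the providers you pilot are in it.'
}
```

The "unsupported provider" registration failures mentioned above are exactly what an enforced allow-list produces for a provider whose AAGUID is missing, so confirm the list matches the providers in the pilot before rolling the registration flow out.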

 

Public preview: Passkey (FIDO2) authentication in brokered Microsoft applications on Android

 

In conjunction with the public preview refresh of passkey support in Microsoft Authenticator, we’re also introducing public preview support for passkey (FIDO2) authentication within brokered Microsoft applications on Android. Users can now use a FIDO2 security key or a passkey in the Microsoft Authenticator app to sign into Microsoft apps, such as Teams and Outlook, when either the Microsoft Authenticator app or the Microsoft Intune Company Portal app is installed as the authentication broker on an Android 14+ device.

 

Support for FIDO2 security key sign-in to brokered Microsoft apps on Android 13 will be coming in the following months.

 

General availability: FIPS compliance for Microsoft Authenticator on Android

 

Microsoft Authenticator on both iOS and Android is now FIPS 140 compliant. While the iOS Authenticator app has been FIPS 140 compliant since December 2022, we released the FIPS 140 compliant version of the Android Authenticator app in September 2024. 

 

FIPS 140 compliance for Microsoft Authenticator helps federal agencies meet the requirements of Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity” and healthcare organizations with Electronic Prescriptions for Controlled Substances (EPCS).   

 

All authentications in Microsoft Entra ID with Authenticator including passkeys, passwordless phone sign-in, multifactor authentication (MFA), and one-time password codes are considered FIPS compliant.  No changes in configuration are required in Microsoft Authenticator or Microsoft Entra ID admin center to enable this capability. Users on Microsoft Authenticator version 6.2408.5807 and higher on Android will be FIPS 140 compliant by default for Microsoft Entra ID authentication. 

 

Microsoft Authenticator on Android uses WolfSSL Inc.’s wolfCrypt module to achieve FIPS 140-3 Level 1 compliance. For additional details on the certification being used, refer to Cryptographic Module Validation Program information.

 

With these releases, we’ve significantly upleveled the user experience and security posture of Microsoft Authenticator, making it easier for you to achieve your phishing-resistance goals. If you haven't considered phishing-resistance yet, we highly recommend doing so. You can use our updated passwordless deployment guide to get started on this journey.

 

We look forward to you trying out these improvements and sharing your feedback. 

 

Thank you,

Nitika Gupta

 

 


 

Microsoft Security announcements and demos at Authenticate 2024

The Microsoft Security team is excited to connect with you next week at the Authenticate 2024 Conference, taking place October 14 to 16 in Carlsbad, CA! With the rise in identity attacks targeting passwords and MFA credentials, it’s becoming increasingly clear that phishing-resistant authentication is critical to counteract these attacks. As the world shifts towards stronger, modern authentication methods, Microsoft is proud to reaffirm our commitment to passwordless authentication and to expanding our support for passkeys across products like Microsoft Entra, Microsoft Windows, and Microsoft consumer accounts (MSA). 

 

To enhance security for both consumers and enterprise customers, we’re excited to showcase some of our latest innovations at this event: 

 

 

We look forward to demonstrating these new advancements and discussing how to take a comprehensive approach to modern authentication at Authenticate Conference 2024. 

 

 Where to find Microsoft Security at Authenticate 2024 Conference   

Please stop by our booth to chat with our product team or join us at the following sessions:  

  


Passkeys on Windows: Paving the way to a frictionless future! 

UX Fundamentals

 

Discover the future of passkey authentication on Windows. Explore our enhanced UX, powered by Microsoft AI and designed for seamless experiences across platforms. Join us as we pave the way towards a passwordless world. 

 

Speakers: 

Sushma K. Principal Program Manager, Microsoft 

Ritesh Kumar Software Engineer, Microsoft 

October 14th  

 

12:00 - 12:25 PM 

Passkeys on Windows: New platform features 

Technical Fundamentals and Features

 

This is an exciting year for us as we’re bringing some great passkey features to Windows users. In this session, I’ll discuss our new capabilities for synced passkeys protected by Windows Hello, and I’ll walk through a plugin model for third-party passkey providers to integrate with our Windows experience. Taken together, these features make passkeys more readily available wherever users need them, with the experience, flexibility, and durability that users should expect when using their passkeys on Windows.  

 

Speaker: 

Bob Gilbert Software Engineering Manager, Microsoft 

October 14th 

 

2:30 - 2:55 PM 

We love passkeys - but how can we convince a billion users? 

Keynote

 

It’s clear that passkeys will be a core component of a passwordless future. The usability and security advantages are clear. What isn’t as clear is how we actually convince billions of users to step away from a decades-long relationship with passwords and move to something new. Join us as we share insights on how to accelerate adoption when the needs of users, platforms, and applications are constantly evolving. We will share practical UX patterns and practices, including messaging, security implications, and how going passwordless changes the concept of account recovery.

 

Speakers:  

Scott Bingham Principal Product Manager, Microsoft  

Sangeeta Ranjit Group Product Manager, Microsoft 

  October 14th 

 

5:05 – 5:25 PM 

  

Stop by our booth #402 to speak with our product team in person!  

  

Stop counting actors... Start describing authentication events 

Vision and Future  

 

We began deploying multifactor authentication because passwords provided insufficient security. More factors equal more security, right? Yes, but we continue to see authentication attacks such as credential stuffing and phishing! The identity industry needs to stop thinking in the quantity of authentication factors and start thinking about the properties of the authentication event. As we transition into the era of passkeys, it’s time to consider how we describe the properties of our authentication event. In this talk, we’ll demonstrate how identity providers and relying parties can communicate a consistent, composable collection of authentication properties. To raise the security bar and provide accountability, these properties must communicate not only about the authentication event, but about the security primitives underlying the event itself. These properties can be used to drive authentication and authorization decisions in standalone and federated environments, enabling clear, consistent application of security controls.  

 

Speakers: 

Pamela Dingle Director of Identity Standards, Microsoft  

Dean H. Saxe Principal Engineer, Office of the CTO, Beyond Identity 

October 16th 

 

10:00 – 10:25 AM 

Bringing passkeys into your passwordless journey 

Passkeys in the Enterprise

 

Most of our enterprise customers are deploying some form of passwordless credential or planning to in the next few years; meanwhile, the industry is all abuzz with excitement about passkeys. What do passkeys mean for your organization’s passwordless journey? Join the Microsoft Entra ID product team as we explore the impact of passkeys on the passwordless ecosystem and share insights from Microsoft's own passkey implementation and customer experiences.

 

Speakers: 

Tim Larson – Senior Product Manager, Identity Network and Access, Security, Microsoft 

Micheal Epping – Senior Product Manager, Microsoft 

 October 16th 

11:00 – 11:25 AM 

 

We can’t wait to see you in Carlsbad, CA for Authenticate 2024 Conference   

  

 Jarred Boone, Senior Product Marketing Manager, Identity Security  

 

 


 


What's new in Microsoft Entra - September 2024

We’re excited to announce the general availability of Microsoft Entra Suite—one of the industry’s most comprehensive secure access solutions for the workforce. With 66% of digital attack paths involving insecure credentials1, Microsoft Entra Suite helps prevent security breaches by enabling secure access to cloud and on-premises apps with least privilege, inside and outside the corporate perimeter. It unifies network access, identity protection, governance, and verification to streamline onboarding, modernize remote access, and ensure secure access to apps and resources. Get started with a Microsoft Entra Suite trial.

 

Last November, we launched the Secure Future Initiative (SFI) at Microsoft to combat the increasing scale of cyberattacks. Security now drives every decision we make, as detailed in the September 2024 SFI Progress Report. Today, we’re sharing new security improvements and innovations across Microsoft Entra from July to September 2024, organized by product to help you quickly find what’s relevant to your deployment.

 

Watch the video "What's New in Microsoft Entra" for a quick overview of product updates and visit the What's New blade in the Microsoft Entra Admin Center for detailed information.

 

 

Microsoft Entra ID

 

New releases

 

Change announcements

 

Security improvements

 

Upcoming MFA enforcement on Microsoft Entra admin center

[Action may be required]

 

As part of our commitment to providing our customers with the highest level of security, we previously announced that Microsoft will require multifactor authentication (MFA) for users signing into Azure. We’d like to share an update that the scope of MFA enforcement includes Microsoft Entra admin center in addition to the Azure portal and Intune admin center. This change will be rolled out in phases, allowing organizations time to plan their implementation:

 

Phase 1: Starting on or after October 15, 2024, MFA will be required to sign into the Entra admin center, Azure portal, and Intune admin center. The enforcement will gradually roll out to all tenants worldwide. This phase will not impact other Azure clients such as the Azure Command Line Interface, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools.

 

Phase 2: Beginning in early 2025, gradual enforcement of MFA at sign-in for the Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools will commence.

 

Microsoft will send a 60-day advance notice to all Entra global admins by email and through Azure Service Health Notifications to notify them of the start date of enforcement and required actions. Additional notifications will be sent through the Azure portal, Entra admin center, and the M365 message center.

 

We understand that some customers may need additional time to prepare for this MFA requirement. Therefore, Microsoft will allow extended time for customers with complex environments or technical barriers. The notification from us will also include details about how customers can postpone the start date of enforcement for their tenants, the duration of the postponement, and a link to apply. To learn more, read the blog, “MFA enforcement for Microsoft Entra admin center sign-in coming soon.”
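The accounts that will break when enforcement lands are the ones that reach these portals and clients today with a single factor. The script below is an added example, not code from the announcement or the linked blog; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Reports module) and AuditLog.Read.All consent. The application display names it filters on are an assumption: 'Azure Portal', 'Microsoft Azure CLI' and 'Microsoft Azure PowerShell' are the names we see in sign-in logs, and you should add the names your own logs show for the Entra and Intune admin centers.

```powershell
# Added example (not from the announcement): list accounts that signed in to the Azure
# portal, Azure CLI or Azure PowerShell with a single factor in the last 30 days.
# Assumes the Microsoft Graph PowerShell SDK and AuditLog.Read.All consent.
Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome

# Assumption: these are the appDisplayName values in your sign-in log. Extend the list
# with the Entra admin center and Intune admin center names as they appear in your tenant.
$apps  = @('Azure Portal', 'Microsoft Azure CLI', 'Microsoft Azure PowerShell')
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

$signIns = foreach ($app in $apps) {
    Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and appDisplayName eq '$app'"
}

# authenticationRequirement is 'singleFactorAuthentication' when no policy demanded MFA.
# Only successful sign-ins (errorCode 0) matter: those are the sessions that will start failing.
$signIns |
    Where-Object { $_.Status.ErrorCode -eq 0 -and $_.AuthenticationRequirement -eq 'singleFactorAuthentication' } |
    Group-Object UserPrincipalName, AppDisplayName |
    ForEach-Object {
        [pscustomobject]@{
            User     = $_.Group[0].UserPrincipalName
            App      = $_.Group[0].AppDisplayName
            SignIns  = $_.Count
            LastSeen = ($_.Group | Measure-Object CreatedDateTime -Maximum).Maximum
        }
    } |
    Sort-Object SignIns -Descending |
    Format-Table -AutoSize
```

Interactive user sign-ins to the portal belong in Phase 1; CLI and PowerShell rows belong in Phase 2, and any of those that turn out to be automation running under a user account should be moved to a workload identity (service principal or managed identity) rather than given an MFA exception.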

 

Date change announcement: Deprecation of keychain-backed device identity for Apple devices

[Action may be required]

 

Earlier this year, we announced the upcoming deprecation of keychain-backed device identity for Apple devices on the Microsoft Entra ID platform. The previously announced deprecation date of June 2026 has been accelerated to June 2025 as part of our commitment to secure design and defaults. This change is being made to enhance device security and better protect your data.

 

Once in effect, this deprecation will ensure that newly registered Apple devices managed by Microsoft Entra ID use strong, hardware-bound cryptographic secrets, backed by Apple’s Secure Enclave. To learn more, we encourage you to review our updated documentation on this deprecation. We advise both consumers and vendors of applications to test their software for compatibility with this new datastore.

 

Upgrade to the latest version of Microsoft Entra Connect by April 2, 2025

[Action may be required]

 

In early October 2024, we will release a new version of Microsoft Entra Connect Sync that contains a back-end service change that further hardens our services. To avoid service disruptions, customers are required to upgrade to that version (2.4.XX.0) by early April 2025 (exact deadline to be announced upon version release).

 

Review our roadmap for a timeline of upcoming releases, so that you can plan your upgrade accordingly. We will auto-upgrade customers where supported, alongside an early 2025 release of Connect Sync. For customers who wish to be auto-upgraded, ensure that you have auto-upgrade configured.

 

For a list of minimum requirements and expected impacts of the service change, please refer to this article. For upgrade-related guidance, check out our docs.
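A quick way to know where each Connect Sync server stands is to record its installed version and auto-upgrade state. The script below is an added example, not part of the announcement; run it on the Connect server. It assumes the ADSync module that ships with Connect Sync, and the minimum version it compares against is a placeholder to replace with the 2.4.x build Microsoft names when it is released.

```powershell
# Added example (not from the announcement): report the installed Entra Connect Sync
# version and whether auto-upgrade is enabled. Run on the Connect Sync server.
# Assumes the ADSync module installed with Connect Sync.
param([version]$MinimumVersion = '2.4.0.0')   # placeholder; substitute the announced 2.4.XX.0 build

# Installed version from the uninstall registry entries (matches the older
# "Azure AD Connect" and newer "Entra Connect" product names, excluding the Health agents).
$installed = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
    Where-Object {
        ($_.DisplayName -like '*AD Connect*' -or $_.DisplayName -like '*Entra Connect*') -and
        $_.DisplayName -notlike '*Health*'
    } |
    Select-Object -First 1 DisplayName, DisplayVersion

if (-not $installed) { throw 'Entra Connect Sync does not appear to be installed on this host.' }
$ver = [version]$installed.DisplayVersion
"{0} {1}" -f $installed.DisplayName, $ver

if ($ver -lt $MinimumVersion) {
    Write-Warning "Version $ver is below $MinimumVersion; plan a manual upgrade or enable auto-upgrade."
}

# Auto-upgrade state is Enabled, Disabled or Suspended; Suspended means the system
# hit a blocker on a previous attempt and the server will not be upgraded until it is fixed.
Import-Module ADSync
$state = Get-ADSyncAutoUpgrade
"Auto-upgrade: $state"
if ($state -ne 'Enabled') {
    Write-Warning 'Auto-upgrade is not enabled. To opt in: Set-ADSyncAutoUpgrade -AutoUpgradeState Enabled'
}
```

A Suspended state is the case to watch for: the server looks opted in but will sit on the old build past the deadline unless the blocker (unsupported configuration, custom sync rules, and so on) is cleared.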

 

New Certificate Authorities (CAs) for login.microsoftonline.com: Action required from customers who only trust DigiCert certificates

[Action may be required]

 

Microsoft Entra ID is introducing new Certificate Authorities (CAs) for server certificates for the domain login.microsoftonline.com. Currently, connections to login.microsoftonline.com are exclusively presented with DigiCert certificates. Starting on October 1, 2024, you may also encounter certificates issued by Microsoft Azure CAs. This update is designed to enhance security and improve the resilience of Entra ID. This could impact customers who do not trust Microsoft Azure CAs or have pinned client-side to DigiCert certificates, as they may experience authentication failures.

 

Recommended Action:

To prevent potential issues, we recommend trusting all Root and Subordinate CAs listed in the Azure Certificate public documentation. This documentation has included Microsoft Azure CAs for over a year. If you are an Entra ID user who uses the login.microsoftonline.com domain, it’s crucial to remove any client-side pinning to DigiCert and trust the new Azure CAs for a seamless transition. For more details on how to ensure uninterrupted and secure service, please read the Client Compatibility for public PKIs documentation.
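The practical test is to open a TLS connection to login.microsoftonline.com from the environment you are worried about (a host with a restricted trust store, a proxy with its own CA bundle, an app with pinning) and see whether the chain the endpoint presents builds against that trust store. The script below is an added example, not code from the announcement; it uses only .NET classes available in Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example (not from the announcement): fetch the certificate chain that
# login.microsoftonline.com presents and check it builds against this host's trust store.
$target = 'login.microsoftonline.com'

$tcp = [System.Net.Sockets.TcpClient]::new($target, 443)
# Accept whatever is presented so we can inspect it; the verdict comes from X509Chain below.
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($target)

$leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust question only; revocation is a separate check
$ok = $chain.Build($leaf)

# Leaf first, root last: the Issuer of the last element tells you which CA family served you.
$chain.ChainElements | ForEach-Object {
    [pscustomobject]@{
        Subject    = $_.Certificate.GetNameInfo('SimpleName', $false)
        Issuer     = $_.Certificate.GetNameInfo('SimpleName', $true)
        NotAfter   = $_.Certificate.NotAfter
        Thumbprint = $_.Certificate.Thumbprint
    }
} | Format-Table -AutoSize

$ssl.Dispose(); $tcp.Close()

if ($ok) {
    'Chain builds against this host''s trust store.'
} else {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain does NOT build: $reasons"
}
```

Because the endpoint may serve either a DigiCert or a Microsoft Azure CA chain after the change, one successful run does not prove you are ready; run it repeatedly, and check the Issuer of the root against the full list of Azure roots and subordinates in the documentation rather than against whichever single CA you happen to see.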

 

Microsoft Copilot update to enterprise data protection

[No action is required]

 

Last month, we made several updates to the free Microsoft Copilot service for users with a Microsoft Entra account to enhance data security, privacy, and compliance and simplify the user experience. For users signed in with an Entra account, Microsoft Copilot will offer enterprise data protection (EDP) and redirect users to a new simplified, ad-free user interface designed for work and education. 

 

With EDP in Microsoft Copilot, your data is private, it isn’t used to train foundation models, and we help protect it at rest and in transit with encryption. For more details on EDP, please review our documentation.

 

If you or your users have a Microsoft 365 subscription in addition to an Entra account, you can enable in-app access by pinning Microsoft Copilot. If you elect to pin Microsoft Copilot for your users, it will appear in the Microsoft 365 app starting mid-September, and it will be coming soon to Microsoft Teams and Outlook. Additional functionality in Microsoft Copilot like chat history is also available for users with a Microsoft 365 subscription.

 

For additional information about these changes, whether you or your users have a Microsoft 365 subscription or not, please visit our blog and FAQ.

 

We hope you are as excited as we are about these updates to Microsoft Copilot. If you would like to try Microsoft Copilot updated with enterprise data protection prior to mid-September, a private preview is available (space limited). To apply, please fill out our form.

 

Enable Browser Access (EBA) by default for all Android users

[No action is required]

 

As part of ongoing security hardening, we are deprecating the Enable Browser Access (EBA) user interface in the Android Authenticator and Company Portal apps. Consequently, browser access will be enabled by default for all Android users. This change will occur automatically, so no action is required from admins or Android users.

 

Restricted permissions on Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Cloud Sync

[No action is required]

 

As part of ongoing security hardening, we’ve removed unused permissions from the privileged "Directory Synchronization Accounts" role. This role is exclusively used by Connect Sync and Cloud Sync to synchronize Active Directory objects with Entra ID. There is no action required by customers to benefit from this hardening. Please refer to the documentation for details on the revised role permissions.

 

Upcoming improvements to the SSO enrollment dialog

[No action is required]

 

We’re making some improvements to the end user experience when users add their account to a Windows device. We've refined the messaging in the SSO enrollment dialog (consent) so that end users can more easily understand the choices they can make and the impact of each choice. The changes also include a 'Learn more' link on the screen, pointing to a Microsoft Learn article that gives users the information they need to make an informed decision. The new SSO enrollment dialog will be gradually introduced starting in October 2024. Please check here for more details.

 

Identity modernization

 

Important Update: Azure AD Graph Retirement

[Action may be required]

 

The retirement of the Azure AD Graph API service began on 1 September 2024 and will eventually impact both new and existing applications. As this first phase rolls out over the coming weeks, new applications will not be able to use Azure AD Graph APIs unless they are configured for extended access. Microsoft Graph is the replacement for Azure AD Graph APIs; we strongly recommend migrating your use of Azure AD Graph APIs to Microsoft Graph immediately and limiting any further development against Azure AD Graph APIs.

 

Timeline for incremental retirement of Azure AD Graph API service

Phase start date: 1 September 2024
Impact to existing apps: None.
Impact to new apps: New apps are blocked from using Azure AD Graph APIs unless the app is configured to allow extended Azure AD Graph access by setting blockAzureADGraphAccess to false. Any new apps must use Microsoft Graph.

Phase start date: 1 February 2025
Impact to existing apps: The application is unable to make requests to Azure AD Graph APIs unless it is configured to allow extended Azure AD Graph access by setting blockAzureADGraphAccess to false.
Impact to new apps: Remain blocked, as since 1 September 2024.

Phase start date: 1 July 2025
Impact to existing and new apps: Azure AD Graph is fully retired. No Azure AD Graph API requests will function.

Action required:

 

To avoid service disruptions, please follow our instructions to migrate applications to Microsoft Graph APIs.

If you need to extend Azure AD Graph access for an app to July 2025

 

If you have not completed an application’s migration to Microsoft Graph, you can extend its access. Setting the blockAzureADGraphAccess attribute to false in the application’s authenticationBehaviors configuration lets that application keep using Azure AD Graph APIs through June 30, 2025. Further documentation can be found here.

 

New applications will receive a 403 error when attempting to access Azure AD Graph APIs unless this setting is set to false. For existing applications that will not complete migration to Microsoft Graph in 2024, you should plan to set this configuration now. 
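The script below is an added example, not code from the Microsoft Entra blog or from Microsoft, of the extension step described above: read an app registration's authenticationBehaviors from Microsoft Graph (beta), set blockAzureADGraphAccess to false only if it is not already false, and read it back to confirm. It assumes a bearer token that carries the Application.ReadWrite.All permission (obtained elsewhere, for example with MSAL) and takes the application's object id, not its appId (client id); the GUID in the __main__ block is a placeholder. The transport is pluggable so the check-then-patch-then-verify flow can be run offline against a constructed in-memory stand-in for Graph.

```python
"""Added example (not from the Microsoft Entra blog): extend Azure AD Graph
access for one app registration by setting blockAzureADGraphAccess=false via
Microsoft Graph (beta), with a pluggable transport for offline runs."""
import json
import urllib.request

GRAPH_BETA = "https://graph.microsoft.com/beta"


def urllib_transport(method, url, token, body=None):
    """Real transport: one HTTPS call to Microsoft Graph. Returns (status, dict).
    `token` is a bearer token with Application.ReadWrite.All (assumption: you
    obtain it elsewhere, e.g. with MSAL)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


def behaviors_url(app_object_id):
    # This is the application *object* id, not the appId (client id).
    return f"{GRAPH_BETA}/applications/{app_object_id}/authenticationBehaviors"


def extend_azure_ad_graph_access(app_object_id, token, transport=urllib_transport):
    """Set blockAzureADGraphAccess=false only if it is not already false, then
    read back and confirm. Returns the final authenticationBehaviors dict."""
    url = behaviors_url(app_object_id)
    status, current = transport("GET", url, token)
    if status != 200:
        raise RuntimeError(f"GET {url} -> {status}")
    if current.get("blockAzureADGraphAccess") is False:
        return current  # already extended; nothing to change
    status, _ = transport("PATCH", url, token, {"blockAzureADGraphAccess": False})
    if status not in (200, 204):
        raise RuntimeError(f"PATCH {url} -> {status}")
    status, after = transport("GET", url, token)
    if status != 200 or after.get("blockAzureADGraphAccess") is not False:
        raise RuntimeError("blockAzureADGraphAccess did not take effect")
    return after


class FakeGraph:
    """Constructed in-memory stand-in for Graph so the flow runs offline.
    Records every call; the property starts as null (unset), as on a new app."""

    def __init__(self, initial=None):
        self.state = {"blockAzureADGraphAccess": initial}
        self.calls = []

    def __call__(self, method, url, token, body=None):
        self.calls.append((method, url, body))
        if method == "GET":
            return 200, dict(self.state)
        if method == "PATCH":
            self.state.update(body)
            return 204, {}
        return 405, {}


if __name__ == "__main__":
    # Placeholder object id; replace with a real one and the real transport
    # (the default) to run against your tenant.
    fake = FakeGraph()
    print(extend_azure_ad_graph_access(
        "00000000-0000-0000-0000-000000000000", "placeholder-token", transport=fake))
    print([method for method, _, _ in fake.calls])  # GET, PATCH, GET
```

Treat the false setting as the temporary measure the announcement describes: it keeps the app working until June 30, 2025, and a second run of the script is a no-op, so it can be scheduled safely while the migration to Microsoft Graph proceeds.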

 

If you need to find Applications in your tenant using Azure AD Graph APIs 

 

The Microsoft Entra recommendations feature provides recommendations to put your tenant in a secure and healthy state, while also helping you maximize the value of the features available in Entra ID.    

 

We’ve provided two Entra recommendations that show information about applications and service principals that are actively using Azure AD Graph APIs in your tenant. These new recommendations can support your efforts to identify and migrate the impacted applications and service principals to Microsoft Graph. 

 


Important Update: AzureAD PowerShell and MSOnline PowerShell retirement

[Action may be required]

 

As of March 30, 2024, the legacy Azure AD PowerShell, Azure AD PowerShell Preview, and MS Online modules are deprecated. These modules will continue to function through March 30, 2025, after which they will be retired and stop functioning. Microsoft Graph PowerShell SDK is the replacement for these modules and you should migrate your scripts to Microsoft Graph PowerShell SDK as soon as possible. 

 

To help you identify usage of Azure AD PowerShell in your tenant, you can use the Entra Recommendation titled Migrate Service Principals from the retiring Azure AD Graph APIs to Microsoft Graph. This recommendation will show vendor applications that are using Azure AD Graph APIs in your tenant, including AzureAD PowerShell. 

 

We are making substantial new and future investments in the PowerShell experience for managing Entra, with the recent Public Preview launch of the Microsoft Entra PowerShell module. This new module builds upon the Microsoft Graph PowerShell SDK and brings scenario-focused cmdlets. It’s fully interoperable with all cmdlets in the Microsoft Graph PowerShell SDK, enabling you to perform complex operations with simple, well documented commands. The module also offers a backward compatibility option to simplify migration from the deprecated AzureAD Module.

 

Microsoft Graph APIs were recently made available to read and configure Per-user MFA settings for users, and availability in Microsoft Graph PowerShell SDK cmdlets is soon to follow.

 

License assignment modifications will no longer be supported in the Microsoft Entra Admin Center

[Action may be required]

 

This is a courtesy reminder that, in mid-September, we rolled out a change that no longer supports the modification of user and group license assignments in the Microsoft Entra Admin Center and the Microsoft Azure Admin Portal. Moving forward, you will have read-only access to license assignments in these portals. If you wish to modify user and group license assignments via the user interface, you will need to visit the Microsoft 365 Admin Center. Please note that this change does not impact the API or PowerShell modules. If you experience any issues with license assignment, please reach out to Microsoft 365 support. To learn more, click here.

 

Dynamic type versioning in Bicep templates for Microsoft Graph

[Action may be required]

 

In October 2024, we're introducing an update to the Bicep templates for Microsoft Graph public preview. The dynamic types feature enables semantic versioning for Microsoft Graph Bicep types for both beta and v1.0. When authoring a Bicep file, you specify a Microsoft Graph Bicep type version referenced from the Microsoft artifact registry instead of the built-in NuGet package used today. Dynamic types allow future breaking changes in existing Microsoft Graph Bicep resource types without affecting deployment of your existing Bicep files that use older versions of those resource types. 

 

Built-in types are deprecated and will be retired on January 24, 2025. Until the retirement date, built-in types will coexist with the new dynamic types. Any Microsoft Graph Bicep type changes will only be available through new versions of the dynamic types.

 

Action required:

 

Switch to the new dynamic types before January 24, 2025 to avoid Bicep template deployment failures. The switch involves minor updates to your bicepconfig.json and main Bicep files. Additionally, to take advantage of any updated or new Microsoft Graph resource types, you will need to update the type version that your Bicep files reference. For next steps, click here.

 

Retirement of legacy user authentication methods management experience in Entra Portal

[No action is required]

 

Starting October 31st, 2024, we will retire the ability to manage user authentication methods in the Entra Portal via the legacy user interface (UI). Instead, we will only surface the modern UI which has full parity with the legacy experience in addition to the ability to manage modern methods (e.g. Temporary Access Pass, Passkeys, QR+Pin, etc.) and settings. This will not impact how end users can manage their own authentication methods or their ability to sign-in to Entra. Learn more at Manage user authentication methods for Microsoft Entra multifactor authentication.

 

Deprecating Enable Browser Access (EBA) UI

[No action is required]

 

EBA is a feature in Android broker apps (such as Company Portal and Authenticator) that enables duplicating the Entra ID device registration certificate to a global keychain location on the Android device. This allows browsers that are not integrated with brokers, such as Chrome, to access the certificate for device authentication, which is required to comply with Entra device compliance policies.

 

As part of our overall security hardening efforts, we're migrating Entra ID device registration certificates and Android device identities to be hardware-bound. This will enable token protection policies in the future and protect against bypassing device compliance policies. Since the device identity will be hardware-bound, the EBA UI will no longer be able to duplicate and export keys on demand. We plan to deprecate the Enable Browser Access (EBA) UI in the Authenticator and Company Portal apps, and browser access (e.g., Chrome) will automatically be enabled during device registration.

 

This capability already exists for Intune MDM users. The change extends it to non-Intune users, such as those using VMware and Jamf mobile device management (MDM) software. It will apply to all customers in the first half of the 2025 calendar year. No action is required from customers at this time.

 

Deferred changes to My Groups admin controls

[No action is required]

 

In October 2023 we shared that starting June 2024 the existing Self Service Group Management setting in the Microsoft Entra Admin Center that states "restrict user ability to access groups features in My Groups" would be retired. These changes are under review and will not take place as originally planned. A new deprecation date will be announced in the future.

 

My Security Info Add Sign-In Method picker user interface update

[No action is required]

 

This is a courtesy reminder that, starting in August 2024, the "Add Sign-In Method" dialog on the My Security Info page was updated with improved sign-in method descriptions and a modern look and feel. With this change, when users click "Add Sign-In Method," they will initially be recommended to register the strongest method available to them, as allowed by the organization's authentication method policy. Users will also have the option to select "Show More Options" and choose from all available sign-in methods permitted by their policy. No admin action is required.

 

Provisioning UX modernization

[No action is required]

 

We’re modernizing the current application/HR provisioning and cross-tenant sync UX. This includes a new overview page and new experiences for configuring connectivity to your application, scoping, and attribute mappings. The new experience includes all functionality available to customers today, and no customer action is required. It will start rolling out at the end of October 2024, and customers can continue to use the existing experience through January 2025. 

 

Enhancing user experience

 

Moving from a browse-based to a search-based solution for access package discovery

[Action may be required]

 

We're excited to introduce a new feature in My Access: a curated list of recommended access packages. This will allow users to quickly view the most relevant access packages without scrolling through a long list. A final tab will contain a complete, searchable list of all access packages visible in the tenant. We’ll deploy this to all customers as an opt-in preview by the end of October, with in-product messaging to highlight the change. By the end of November, it will transition to an opt-out preview, with general availability planned for December.

 


Global Secure Access: Microsoft Entra Internet and Microsoft Entra Private Access

 

Change announcements

 

Upcoming license enforcement for Microsoft Entra Internet Access and Microsoft Entra Private Access

[Action may be required]

 

Starting in early October 2024, license enforcement will begin in the Microsoft Entra admin center for Microsoft Entra Internet Access and Microsoft Entra Private Access. This follows the 90-day notification period that began with the general availability of both products in July 2024. Learn more about Global Secure Access.

 

30-day trials are available for both licenses. Learn more on pricing. 

 

Best Regards,

Shobhit Sahay

 

 

What’s New in Microsoft Entra 

Stay informed about Entra product updates and actionable insights with What’s New in Microsoft Entra.  This new hub in the Microsoft Entra admin center offers you a centralized view of our roadmap and change announcements across the Microsoft Entra identity and network access portfolio. 

 


Explore the key benefits of Microsoft Entra Private Access

The traditional network security models are becoming increasingly ineffective in a world where remote work and cloud services are the norm. Conventional technologies like VPNs, while popular, offer limited protection in a boundary-less landscape, typically granting users excessive network access and posing significant risks. If compromised, these can lead to unauthorized access and potentially lateral movement within corporate networks, exposing sensitive data and resources. Microsoft Entra Private Access is at the forefront of addressing these challenges by effectively integrating identity and network access controls.

 

Microsoft Entra Private Access

 

In July we announced general availability of Microsoft Entra Suite, which brings together identity and network access controls to secure access to any cloud or on-premises application or resource from any location. We also announced Microsoft’s Security Service Edge (SSE) solution general availability. Microsoft Entra Private Access, a core component of Microsoft’s SSE solution, allows you to replace your VPN with an identity-centric Zero Trust Network Access (ZTNA) solution to securely connect users to any private resource and application without exposing full network access to all resources. It’s built on Zero Trust principles to protect against cyber threats and mitigate lateral movement. Through Microsoft’s global private network, give your users a fast, seamless, edge-accelerated access experience that balances security with productivity.

 

Figure 1: Secure access to all private applications, for users anywhere, with an identity centric ZTNA

 

Modernize access to private applications

 

Despite the cloud’s growing dominance, you may still rely on on-premises infrastructure and use legacy VPNs to enable your remote workforce. Legacy VPNs typically grant excessive access to the entire network by making the remote user’s device part of your network.

 

Figure 2: Legacy VPNs typically grant excessive access to the entire network

 

Microsoft Entra Private Access helps you easily start retiring your legacy VPN and level up to an identity-centric ZTNA solution that helps reduce your attack surface, mitigates lateral threat movement, and removes unnecessary operational complexity for your IT teams. Unlike traditional VPNs, Microsoft Entra Private Access protects access to your network for all your users— whether they are remote or local, and accessing any legacy, custom, modern, or private apps that are on-premises or on any cloud.

 

Figure 3: Replace legacy VPN with an identity centric ZTNA solution

 

For example, Microsoft Entra Private Access enhances security for Remote Desktop Protocol (RDP) sessions by enabling access without direct network connectivity. It leverages Conditional Access policies, including multifactor authentication (MFA), to validate both device and user identities. This ensures that only authenticated users with compliant devices can establish an RDP session on your network, providing a secure and seamless remote access experience. By integrating with Microsoft Entra ID, Microsoft Entra Private Access validates access tokens and connects users to the appropriate private server, reinforcing the security posture without the need for traditional VPN solutions.

 

 

Accelerate your journey to Zero Trust with Microsoft Entra Private Access

 

Microsoft Entra Private Access helps you accelerate your journey to ZTNA by offering a streamlined way to enforce least privilege access to on-premises and private applications, extending Zero Trust principles to any private app or resource regardless of where it runs, on-premises or in any cloud.

 

Figure 5: Accelerate your ZTNA journey with Microsoft Entra Private Access

 

Here, in more detail, are the key capabilities that help you move from legacy VPNs to ZTNA:

 

The Quick Access policy simplifies the transition from legacy VPNs, letting you onboard to Microsoft Entra Private Access quickly. It allows you to create network segments that can include multiple apps and resources.

 

Figure 6: Fast and easy migration from legacy VPNs with Quick Access policy

 

Over time, Private Application Discovery lets you discover all your private apps, onboard them to enable segmented access, and simplify creating Conditional Access policies for groups of apps based on business impact level.

 

Figure 7: Automatic private application discovery and onboarding

 

Enforce Conditional Access across all private resources

 

To enhance your security posture and minimize the attack surface, it’s crucial to implement robust Conditional Access controls, such as MFA (biometric and/or phishing-resistant), across all private resources and applications, including legacy or proprietary applications that do not support modern identity.

 

The familiar Conditional Access policies used today can now be extended to all private apps, including legacy apps and non-web resources, such as RDP, SSH, SMB, SAP, or any other TCP- or UDP-based private application, resource, or network endpoint.

 

Figure 8: Enforce Conditional Access across all private resources

 

Conditional Access is applied to every network flow, ensuring comprehensive security coverage across all your private apps and resources—including MFA, location-based security, advanced segmentation, and adaptive least-privilege access policies—without making any changes to your apps or resources.

 

 

Deliver seamless access to private apps and resources with single sign-on

 

Single sign-on (SSO) simplifies the user experience by eliminating the need to sign in to each private application individually. By enabling SSO, users gain seamless access to all necessary private applications, whether located on-premises or across various clouds, without the need for repeated authentication or modifications to existing apps.

 

Microsoft Entra Private Access further streamlines this process by providing SSO for on-premises resources, utilizing Kerberos for secure, ticket-based authentication. For an even more integrated experience, you can opt to implement Windows Hello for Business with cloud Kerberos trust, offering a modern, passwordless sign-on option for users. This cohesive approach to SSO, supported by Microsoft Entra Private Access, ensures a secure and efficient access management system for private resources across the enterprise landscape.

 

Deploy across various platforms, ports, and protocols

 

Enable secure connectivity to private resources from Windows and Android, with support for iOS and macOS coming later this year and Linux support to follow. The service accommodates any port and protocol, including SMB, RDP, FTP, SSH, SAP, printing, and all other TCP/UDP-based protocols. For security teams already using Microsoft Entra application proxy, you can transition to Microsoft Entra Private Access knowing that all existing use cases and access to existing private web applications will keep working without disruption.

 

 

Securing just-in-time access to sensitive resources

 

Microsoft Entra Private Access, tightly integrated with Privileged Identity Management (PIM), a service within Microsoft Entra ID Governance, helps you secure just-in-time access to private resources for privileged users. This integration ensures that privileged access is granted only when necessary, in line with the Zero Trust principle of least privilege access. It allows you to enforce robust Conditional Access controls such as MFA, so that only eligible and validated users can access sensitive resources. This approach not only enhances security but also supports compliance and auditing requirements by providing detailed tracking and logging of privileged access requests.

 

Secure access to Azure managed services with Microsoft Entra Private Access

 

Azure offers many managed services, such as Azure SQL, Azure Storage, and Azure ML, among others. Microsoft Entra Private Access provides a secure, private connection to Azure services while enforcing security policies and posture during access, allowing you to enforce Conditional Access controls such as MFA and IP-based access controls. With comprehensive enforcement of identity and network access controls, Microsoft Entra Private Access ensures that managed services are accessed securely. Here are two key scenarios:

 

  • Secure Azure managed services access: Typically, Azure services are accessed over the internet. However, for security reasons, it’s preferable to keep the traffic between users or applications and Azure services private, avoiding exposure to the internet. This can be achieved through Microsoft Entra Private Access, where services like Azure Storage can be connected to a virtual network (vNet) using Private Link. This ensures that all traffic remains private, while additional identity and network access controls are enforced.

Figure 11: Enable secure access to Azure Storage with Private Access through Private Link

 

  • Service endpoint for controlled access: In contrast to Private Link, the service endpoint method does not integrate services into a vNet. Instead, it restricts incoming traffic to connections from specified connector IP addresses through Microsoft Entra Private Access. This approach helps secure access to Azure services by permitting access solely through an approved path, where additional security measures like MFA and device posture can be enforced.

Figure 12: Ensures a single, secure path to the Azure managed services through Microsoft Entra Private Access

 

Simplify Microsoft Entra private network connector deployment for your private workloads

 

In addition to Microsoft Entra admin center, private network connector is now available on Azure Marketplace and AWS Marketplace in preview. This will allow users to easily deploy a virtual machine with a pre-installed Private Access Connector through a streamlined managed model for Azure and AWS Workloads. The Marketplace offerings automate the installation and registration process, simplifying authentication setup, thus enhancing user experience.

 

Figure 13: Microsoft Entra private network connector on Microsoft Azure Marketplace

 

Figure 14: Microsoft Entra private network connector on AWS Marketplace

 

The Microsoft Entra private network connector is a required software component for Microsoft Entra Private Access. It sits alongside your private applications in your network and provides secure and convenient access to them from any device and location. It acts as a bridge between Microsoft’s SSE edge and your application servers, facilitating the authentication, authorization, and encryption of traffic.

 

Enable edge accelerated Zero Trust private domain name resolution

 

Microsoft Entra Private Access enhances your organization’s Domain Name System (DNS) capabilities and simplifies access to IP-based app segments and private resources using FQDNs, allowing your users to reach private resources by single-label names or hostnames without complex configuration. With accelerated DNS at Microsoft’s SSE edge, DNS responses are cached, leading to significantly faster resolution times and better performance. Moreover, the integration of DNS with Conditional Access adds an extra layer of identity-centric security controls, allowing more granular control over access to private resources.

 

For instance, with Private DNS support, you can provide your domain suffixes to simplify Zero Trust access to private apps using FQDNs, streamlining the connection process to internal resources, while using your existing DNS deployments. This is particularly beneficial in scenarios where your users need to seamlessly access private resources without the need for VPNs or domain-joined devices, while offering a more secure and efficient way to manage access.

 

Simplify access and improve end user experience at a global scale

 

Enhance user productivity by leveraging Microsoft’s vast global edge presence, providing fast and easy access to private apps and resources—located on-premises, on private data centers, and across any cloud. Users benefit from optimized traffic routing through the closest worldwide Point of Presence (PoP), reducing latency for a consistently swift hybrid work experience.

 

Deploy side-by-side with third-party network access solutions

 

A distinctive feature of Microsoft’s SSE solution is its built-in compatibility with third-party network access solutions: you acquire only the traffic you need to send to Microsoft’s SSE edges. Use Microsoft and third-party network access solutions in a unified environment to combine the capabilities of both and accelerate your Zero Trust journey. The flexible deployment options of Microsoft’s SSE solution give you enhanced security and seamless connectivity for an optimal user experience.

 

Conclusion

 

Simplifying and securing access for your hybrid workforce is crucial in a landscape where traditional boundaries have dissolved. Enforcing least-privilege access and minimizing reliance on legacy tools like VPNs are essential steps in reducing risk and mitigating sophisticated cyberattacks.

 

Microsoft Entra Private Access helps you secure access to all your private apps and resources for users anywhere with an identity-centric ZTNA solution. It allows you to replace your legacy VPN with ZTNA to securely connect users to any private resource and application without exposing full network access to all resources.

 

The unified approach across identity and network access within Microsoft’s SSE solution signifies a new era of network security. It ensures that users are authenticated and authorized, and that their devices are compliant, before they access private resources.

 

Learn More

 

To get started, begin a trial to explore Microsoft Entra Private Access general availability. You can also sign up for an Entra suite trial, which includes Microsoft Entra Private Access. For further help contact a Microsoft sales representative and share your feedback to help us make this solution even better.

 

Ashish Jain, Principal Group Product Manager

Abdi Saeedabadi, Senior Product Marketing Manager

 



Join us at the Microsoft Entra Suite Showcase!

This fall, we are bringing the Microsoft Entra Suite Showcase to cities worldwide. Join us to explore how our latest advancements in secure identity and access management can help safeguard your organization's digital assets.

 

Announced earlier this year, the Microsoft Entra Suite unifies identity and network access security—a novel and necessary approach for Zero Trust security. It provides everything you need to verify users, prevent overprivileged permissions, improve detections, and enforce granular access controls for all users and resources.

 

 

Register now to join us for a half-day event in the following locations:

 

September 23: Mexico City, Mexico (registration full)
September 25: São Paulo, Brazil (registration full)
September 30: Amsterdam, Netherlands (register here)
October 1: London, England (register here)
October 8: Dallas, TX, USA (register here)
October 8: Johannesburg, South Africa (register here)
October 9: Sydney, Australia (register here)
October 10: Atlanta, GA, USA (register here)
October 14: Berlin, Germany (register here)
October 16: Singapore (register here)
October 21: Silicon Valley, CA, USA (register here)
November 6: Dubai, UAE (register here)
November 12: Mumbai, India (registration coming soon)
November 14: Paris, France (registration coming soon)
November 14: Bangalore, India (registration coming soon)
December 4: New York, NY, USA (register here)
December 10: Chicago, IL, USA (register here)

 

To learn more about Microsoft Entra Suite: 

 

We look forward to seeing you there!

Microsoft Entra Internet Access now generally available

With the rise of hybrid work, identity and network security professionals are now at the forefront of protecting their organizations. Traditional network security tools fall short of the integration, complexity, and scale requirements of anywhere access, leaving organizations exposed to security risks and poor user experiences. To address this, network security and identity must function as a unified force in defense. Only when identity and network controls are deeply integrated into secure access can we fully deliver on the core Zero Trust principles: trust is never implicit, and access is granted on a need-to-know, least-privilege basis across all users, devices, and applications.

 

Microsoft Entra Internet Access

 

On July 11th, 2024, we announced general availability (GA) of Microsoft Entra Suite, which includes Microsoft Entra Internet Access, part of the Security Service Edge (SSE) solution. Internet Access secures access to all internet and SaaS applications and resources with an identity-centric secure web gateway (SWG) solution, unifying identity and network access controls through a single Zero Trust policy engine to close security gaps and minimize the risk of cyberthreats. Our solution integrates seamlessly with Microsoft Entra ID, eliminating the need to manage users, groups, and apps in multiple locations. It protects users, devices, and resources with capabilities such as universal Conditional Access, context-aware network security, and web content filtering, so you no longer need to manage multiple disconnected network security tools.

 

Figure 1: Secure access to all internet and SaaS applications and resources, with an identity-centric SWG.

 

 

Unified identity and network security

 

Our deep integration with Entra ID enables Conditional Access, and later continuous access evaluation (CAE), to be extended to any external destination, internet resource, and cloud application, even if they’re not integrated or federated with Entra ID. This integration with Conditional Access enables you to enforce granular controls, leveraging device, user, location, and risk conditions by applying network security policies tailored to the requirements of your enterprise. Additionally, Microsoft Entra Internet Access provides enhanced security capabilities, such as token replay protection and data exfiltration controls, for Entra ID federated applications.

 

Figure 2: Rich user, device, location, and risk awareness of Conditional Access for network security policy enforcement

 

 

Protect your users with context aware network security

 

With Microsoft Entra Internet Access you can now link your network security policies to Conditional Access, giving you a versatile tool for SWG policy enforcement that adapts to many scenarios. With web category filtering, you can allow or block a wide range of internet destinations based on pre-populated web categories. For more granular control, fully qualified domain name (FQDN) filtering lets you set policies for specific endpoints or override general web category policies.

 

For instance, you can create a policy that allows your finance team access to critical finance applications while restricting access for the rest of your organization. Furthermore, you can add risk-based filtering policies that dynamically adapt to a user’s risk level from Entra ID Protection, restricting access to these destinations for members whose user risk is elevated and providing additional protection for your organization. Another example is just-in-time access to Dropbox while blocking all other external storage sites, which leverages the deep integration between Microsoft Entra Internet Access, Conditional Access, and Entra ID Governance workflows.

 

In the coming months, we’ll be adding new capabilities such as TLS inspection and URL filtering to provide even more granular control for your web filtering policies. Plus, we’ll be adding Threat Intelligence (TI) filtering to prevent users from accessing known malicious internet destinations.

 

 

Provide defense in depth against token replay attacks with Compliant Network check

 

With the new Compliant Network control, you can prevent token replay attacks across the authentication plane by extending the Compliant Network check through Conditional Access to any Entra ID federated internet application, including Microsoft 365 applications. This feature also ensures that users cannot bypass the SSE security stack while accessing applications. Compliant Network eliminates the inherent disadvantages of source-IP-based location enforcement: cumbersome IP management and hairpinning of remote users’ traffic through branch networks.

 

 

Protect against data exfiltration by enabling universal tenant restrictions (TRv2) controls

 

With Microsoft Entra Internet Access you can enable Universal Tenant Restriction controls across all managed devices and network branches, agnostic of OS and browser platform. Tenant Restriction v2 is a strong data exfiltration control enabling you to manage external access risks from your managed devices and networks by curating a granular allow or deny list of foreign identities and applications that can or cannot be accessed.

 

Figure 5: Universal tenant restrictions

 

Avoid obfuscating original user source IP

 

Traditional third-party SSE solutions hide the original source IP of users, only showing the proxy IP address, which degrades your Entra ID log fidelity and Conditional Access controls. Our solution proactively restores original end-user source IP context for Entra ID activity logs and risk assessment. It also maintains backward compatibility for source IP based location checks in your Conditional Access policies.

 

 

Deliver fast and consistent access at a global scale

 

Our globally distributed proxy, with multiple points of presence close to your user, eliminates extra hops to optimize traffic routing to the internet. You can connect remote workers and branch offices through our global secure edge that’s only milliseconds away from users. We have thousands of peering connections with internet providers and SaaS services, and for services like Microsoft 365 and Azure, you avoid performance penalties through additional hops and improve overall user experience by sending the traffic directly to Microsoft WAN infrastructure.

 

Figure 7: Microsoft's global Wide Area Network (WAN)

 

Attain deep insights and network analytics using in-product dashboards

 

Our comprehensive in-product reports and dashboards are designed to be easy to digest and to give a complete, holistic view of the ecosystem within your organization. You can monitor deployment status, identify emerging threats through network and policy monitoring logs, and address problems quickly. Our dashboard delivers an overview of the users, devices, and destinations connected through Microsoft’s SSE solution. We show cross-tenant access within your enterprise, as well as the top network destinations in use and other policy analytics.

 

Figure 8: In-product dashboard

 

Microsoft Entra Internet Access architecture overview

 

Microsoft’s SSE architecture for client and branch connectivity streamlines network access and security. The Global Secure Access standalone client on the endpoint is currently available for Windows and Android; macOS and iOS are coming soon. Branch connectivity relies on site-to-site connections from network devices to Microsoft’s SSE edge services; Microsoft traffic is available now, with Internet Access traffic being added soon. Traffic from both client and branch connectivity models is secured and tunneled through Microsoft’s SSE edges. Additionally, we have partnered with HPE Aruba and Versa to integrate our SSE solution with their SD-WAN offerings, with additional SD-WAN partners coming soon.

 

Side-by-side interoperability with third-party SSE solutions

 

One of the unique advantages of Microsoft’s SSE solution is its built-in compatibility with third-party SSE solutions: you send only the traffic you need to Microsoft’s SSE edges. For example, you can enable the Microsoft traffic profile to manage Microsoft 365 and Entra ID traffic and optimize performance for your Microsoft applications while using other providers for the remaining traffic. Configuring traffic forwarding profiles is straightforward, allowing precise control over internet and SaaS traffic, including Microsoft 365. Traffic profiles are also user aware and can be directed to specific groups in your enterprise as appropriate.

 

Figure 9: Flexible deployment options

 

Conclusion

 

Microsoft Entra Internet Access offers a robust, identity-centric SWG solution that secures access to internet and SaaS applications. By unifying Conditional Access policies across identity, endpoint, and network, it ensures every access point is safeguarded, adapting to the needs of a hybrid workforce and mitigating sophisticated cyberattacks. This strategic shift not only enhances security but also optimizes user experience, demonstrating Microsoft's commitment to leading the transition to cloud-first environments.

 

Learn more and get started 

 

Stay tuned for more Microsoft Entra Internet Access blogs and for a deeper dive into Microsoft Entra Private Access. For more information, watch our recent Tech Accelerator product deep dives.

 

To get started, contact a Microsoft sales representative, begin a trial, and explore Microsoft Entra Internet Access and Microsoft Entra Private Access general availability. Share your feedback to help us make this solution even better. 

 

Anupma Sharma, Principal Group Product Manager

 

 


Omdia’s perspective on Microsoft’s SSE solution

In July, we announced the general availability of the Microsoft Entra Suite and Microsoft’s Security Service Edge (SSE) solution which includes Microsoft Entra Internet Access and Microsoft Entra Private Access.  

 

Microsoft’s vision for SSE

 

Microsoft’s SSE solution aims to revolutionize the way organizations secure access to any cloud or on-premises applications. It unifies identity and network access through Conditional Access, the Zero Trust policy engine, helping to eliminate security loopholes and bolster your organization’s security stance against threats. Delivered from one of the largest global private networks, the solution ensures a fast and consistent hybrid work experience. With flexible deployment options across other SSE and networking solutions, you can choose to route specific traffic profiles through Microsoft’s SSE solution.

 

Omdia's perspective

 

According to Omdia, a leading research and consulting firm, Microsoft’s entry into the SASE/SSE space is poised to disrupt the market. Omdia highlights that Microsoft’s focus is on an identity-centric SASE framework, which helps consolidate technologies from different vendors by extending identity controls to your network and enhancing team collaboration. A key strength for Microsoft, according to Omdia, is its ability to introduce Microsoft Entra Internet Access and Microsoft Entra Private Access seamlessly into existing identity management conversations—a strength that could lead to broader adoption of network access services as part of the same platform.

 

Conclusion

 

As you navigate the complexities of securing network access, Microsoft’s Security Service Edge solution helps you transform your security posture and improve user experience. It simplifies collaboration between identity and network security teams by consolidating access policies across identities, endpoints, and network, all managed in a single portal: the Microsoft Entra admin center. Microsoft’s SSE solution provides a new pathway to implement Zero Trust access controls more effectively, enabling your organization to enhance its security posture while leveraging existing Microsoft investments.

 

To learn more about Omdia’s perspective on Microsoft’s SSE solution, read Omdia’s report, Microsoft announces general availability of its SASE/SSE offering.

 

Learn more and get started 

 

Stay tuned for more Security Service Edge blogs. For a deeper dive into Microsoft Entra Internet access and Microsoft Entra Private Access, watch our recent Tech Accelerator product deep dives.

 

To get started, contact a Microsoft sales representative, begin a trial, and explore Microsoft Entra Internet Access and Microsoft Entra Private Access general availability. Share your feedback to help us make this solution even better. 

 

Nupur Goyal, Director, Identity and Network Access Product Marketing 

 

 


 

MFA enforcement for Microsoft Entra admin center sign-in coming soon

As cyberattacks become increasingly frequent, sophisticated, and damaging, safeguarding your digital assets has never been more critical. In October 2024, Microsoft will begin enforcing mandatory multifactor authentication (MFA) for the Microsoft Entra admin center, Microsoft Azure portal, and the Microsoft Intune admin center. 

 

We published a Message Center post (MC862873) to all Microsoft Entra ID customers in August. We’ve included it below:

 

Take action: Enable multifactor authentication for your tenant before October 15, 2024

 

Starting on or after October 15, 2024, to further increase your security, Microsoft will require admins to use multifactor authentication (MFA) when signing into the Microsoft Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. 

 

Note: This requirement will also apply to any services accessed through the Intune admin center, such as Windows 365 Cloud PC. To take advantage of the extra layer of protection MFA offers, we recommend enabling MFA as soon as possible. To learn more, review Planning for mandatory multifactor authentication for Azure and admin portals.

 

How this will affect your organization:

 

MFA will need to be enabled for your tenant to ensure admins are able to sign into the Azure portal, Microsoft Entra admin center, and Intune admin center after this change.

 

What to do to prepare:

  • If you have not already, set up MFA before October 15, 2024, to ensure your admins can access the Azure portal, Microsoft Entra admin center, and Intune admin center.
  • If you are unable to set up MFA before this date, you can apply to postpone the enforcement date.
  • If MFA has not been set up before the enforcement starts, admins will be prompted to register for MFA before they can access the Azure portal, Microsoft Entra admin center, or Intune admin center on their next sign-in. 

 

For more information, refer to: Planning for mandatory multifactor authentication for Azure and admin portals.
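One way to check readiness before the enforcement date, as an added example that is not part of the Message Center post or of Microsoft’s own tooling: walk the Microsoft Graph authentication-methods registration report (`/reports/authenticationMethods/userRegistrationDetails`, available in v1.0) and bucket admins by whether they have registered MFA at all, only phone methods, or a phishing-resistant method. The `$filter` on `isAdmin`, the spellings in `methodsRegistered`, and the `graph_transport` helper (which needs an access token granted the report’s read permissions) are assumptions to verify against the Graph documentation; the two-page `fake_transport` is constructed data so the audit runs offline.

```python
import json
import urllib.request

GRAPH_V1 = "https://graph.microsoft.com/v1.0"
# Registration report for every user; isAdmin narrows it to directory-role holders (filter assumed).
REPORT_URL = (f"{GRAPH_V1}/reports/authenticationMethods/userRegistrationDetails"
              "?$filter=isAdmin eq true"
              "&$select=userPrincipalName,isAdmin,isMfaRegistered,methodsRegistered")

# Method names as they appear in methodsRegistered (assumed spellings; check against the report schema).
PHISHING_RESISTANT = {"fido2SecurityKey", "windowsHelloForBusiness", "passKeyDeviceBound"}
PHONE_ONLY = {"mobilePhone", "alternateMobilePhone", "officePhone"}


def graph_transport(access_token):
    """Real transport: authenticated GET that returns one parsed JSON page."""
    def transport(method, url):
        req = urllib.request.Request(url, method=method,
                                     headers={"Authorization": "Bearer " + access_token})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return transport


def audit_admin_mfa(transport):
    """Walk every page of the report and bucket admins by readiness for the portal MFA requirement."""
    buckets = {"not_registered": [], "phone_only": [], "other_mfa": [], "phishing_resistant": []}
    url = REPORT_URL
    while url:
        page = transport("GET", url)
        for row in page.get("value", []):
            if not row.get("isAdmin"):  # defensive: do not assume the server applied the filter
                continue
            upn = row["userPrincipalName"]
            methods = set(row.get("methodsRegistered") or [])
            if not row.get("isMfaRegistered"):
                buckets["not_registered"].append(upn)      # will be forced to register at next sign-in
            elif methods & PHISHING_RESISTANT:
                buckets["phishing_resistant"].append(upn)
            elif methods and methods <= PHONE_ONLY:
                buckets["phone_only"].append(upn)          # registered, but only SMS/voice factors
            else:
                buckets["other_mfa"].append(upn)           # e.g. Authenticator push or TOTP
        url = page.get("@odata.nextLink")  # Graph pages large reports; follow until exhausted
    return buckets


# Constructed two-page response standing in for a tenant, so the audit runs offline.
_PAGE2 = REPORT_URL + "&$skiptoken=constructed"
_PAGES = {
    REPORT_URL: {"value": [
        {"userPrincipalName": "alice@contoso.example", "isAdmin": True,
         "isMfaRegistered": False, "methodsRegistered": []},
        {"userPrincipalName": "bob@contoso.example", "isAdmin": True,
         "isMfaRegistered": True, "methodsRegistered": ["mobilePhone"]},
    ], "@odata.nextLink": _PAGE2},
    _PAGE2: {"value": [
        {"userPrincipalName": "carol@contoso.example", "isAdmin": True,
         "isMfaRegistered": True, "methodsRegistered": ["fido2SecurityKey", "microsoftAuthenticatorPush"]},
        {"userPrincipalName": "dave@contoso.example", "isAdmin": True,
         "isMfaRegistered": True, "methodsRegistered": ["microsoftAuthenticatorPush"]},
        {"userPrincipalName": "erin@contoso.example", "isAdmin": False,
         "isMfaRegistered": False, "methodsRegistered": []},
    ]},
}


def fake_transport(method, url):
    return _PAGES[url]


if __name__ == "__main__":
    for bucket, users in audit_admin_mfa(fake_transport).items():
        print(f"{bucket}: {', '.join(users) or '-'}")
```

Against a live tenant, replace `fake_transport` with `graph_transport(token)`; the `not_registered` bucket is the list to chase before October 15, 2024, and `phone_only` is the natural next target for moving admins to phishing-resistant methods.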

 

Jarred Boone

Senior Product Marketing Manager, Identity Security

 

 


Face Check is now generally available

Earlier this year we announced the public preview of Face Check with Microsoft Entra Verified ID – a privacy-respecting facial matching feature for high-assurance identity verifications and the first premium capability of Microsoft Entra Verified ID. Today I’m excited to announce that Face Check with Microsoft Entra Verified ID is generally available. It is offered both by itself and as part of the Microsoft Entra Suite, a complete identity solution that delivers Zero Trust access by combining network access, identity protection, governance, and identity verification capabilities.

 

 

Unlocking high-assurance verifications at scale


There’s a growing risk of impersonation and account takeover. Bad actors use insecure credentials in 66% of attack paths. For example, impersonators may use a compromised password to fraudulently log in to a system. With advancements in generative AI, complex impersonation tactics such as deepfakes are growing as well. Many organizations regularly onboard new employees remotely and offer a remote help desk. Without strong identity verification, how can organizations know who is on the other side of these digital interactions? Impersonators can easily bypass common verification methods such as counting bicycles on a CAPTCHA or asking which street you grew up on. As fraud skyrockets for businesses and consumers, and impersonation tactics have become increasingly complex, identity verification has never been more important.


Microsoft Entra Verified ID is based on open standards, enabling organizations to verify the widest variety of credentials using a simple API. Verified ID integrates with some of the leading verification partners to verify identity attributes for individuals (for example, a driver’s license and a liveness match) across 192 countries. Today, hundreds of organizations rely on Verified ID to remotely onboard new users and reduce fraud when providing self-service recovery. For example, using Verified ID, Skype has reduced fraudulent cases of registering Skype Phone Numbers in Japan by 90%.

 

Face Check with Microsoft Entra Verified ID


Powered by Azure AI services, Face Check adds a critical layer of trust by matching a user’s real-time selfie and the photo on their Verified ID, which is usually from a trusted source such as a passport or driver’s license. By sharing only match results and not any sensitive identity data, Face Check strengthens an organization’s identity verification while protecting user privacy. It can detect and reject various spoofing techniques, including deepfakes, to fully protect your users’ identities.


BEMO, a security solution provider for SMBs, integrated Face Check into its help desk to increase verification accuracy, reduce verification time, and lower costs. The company used Face Check with Microsoft Entra Verified ID to protect its most sensitive accounts which belong to C-level executives and IT administrators.


Face Check not only helps BEMO improve customer security and strengthen user data privacy, but it also created a 90% efficiency improvement in addressing customer issues. BEMO’s help desk now completes a manual identity verification in 30 minutes, down from 5.5 hours before implementing Face Check.


“Security is always great when you apply it in layers, and this verification is an additional layer that we’ll be able to provide to our customers. It’s one more way we can help them feel secure.” – Jose Castelan, Support and Managed Services Team Lead, BEMO

 

Check out the video below to learn more about how your organization can use Face Check with Microsoft Entra Verified ID:

 

 

Jumpstart with partners


Our partners specialize in implementing Face Check with Microsoft Entra Verified ID in specific use cases or verifying certain identity attributes such as employment status, education, or government-issued IDs (with partners like LexisNexis® Risk Solutions, Au10tix, and IDEMIA). These partners extend Verified ID’s capabilities to provide a variety of verification solutions that will work for your business’s specific needs.


Explore our partner gallery to learn more about our partners and how they can help you get started with Verified ID.

 

Start using Face Check with Microsoft Entra Verified ID


Face Check is a premium feature of Verified ID. After you set up your Verified ID tenant, there are two purchase options to enable Face Check and start verifying:


1. Begin the Entra Suite free trial, which includes 8 Face Check verifications per user per month.
2. Enable Face Check within Verified ID and pay $0.25 per verification.

 

Visit the Microsoft Entra pricing page for more details.

 

What’s Next?


Learn more about how Microsoft Entra Verified ID works and how organizations are using it today, and join us for the Microsoft Entra Suite Tech Accelerator on August 14 to learn about the latest identity management and end-to-end security innovations.

 

Ankur Patel, Head of Product for Microsoft Entra Verified ID

 

 


Public preview: Microsoft Entra ID FIDO2 provisioning APIs

Today I'm excited to announce a great new way to onboard employees with admin provisioning of FIDO2 security keys (passkeys) on behalf of users.

 

Our customers love passkeys as a phishing-resistant method for their users, but some were concerned that registration was limited to users registering their own security keys. Today we’re announcing the new Microsoft Entra ID FIDO2 provisioning APIs, which empower organizations to handle this provisioning for their users, providing secure and seamless authentication from day one.

 

Customers can still deploy security keys in their default configuration, or allow users to bring their own security keys (which requires self-service registration by the user); the APIs additionally allow keys to be pre-provisioned for users, so first use is easier.

 

Adopting phishing-resistant authentication is critical - attackers have increased their use of Adversary-in-the-Middle (AitM) phishing and social engineering attacks to target MFA-enabled users. Phishing-resistant authentication methods, including passkeys, certificate-based authentication (CBA), and Windows Hello for Business, are the best ways to protect from these attacks.

 

Phishing-resistant authentication is also a key requirement of Executive Order 14028, which requires phishing-resistant authentication for all agency staff, contractors, and partners. While most federal customers use preexisting smartcard systems to achieve compliance, passkeys provide a secure alternative for users looking for improved ways to sign in securely. With today’s release of admin provisioning, they also have a simplified onboarding process for users.

 

With the Microsoft Entra ID FIDO2 provisioning APIs organizations can build their own admin provisioning clients, or partner with one of the many leading credential management system (CMS) providers who have integrated our APIs in their offerings.

 

Tim Larson, Senior Product Manager on Microsoft Entra, will now walk you through this new capability that will help in your transition towards phishing-resistant multifactor authentication (MFA).

 

Thanks, and please let us know your thoughts!

 

Alex Weinert

 

--

 

Hello everyone,

 

Tim here from the Microsoft Entra product management team. I’m excited to share with you our new passkey (FIDO2) provisioning capabilities in Entra ID!

 

Back in May we shared how we’re expanding passkey support in Microsoft Entra ID with the addition of device-bound passkey support in Microsoft Authenticator. As part of our commitment to provide more passkey capabilities we’ve enhanced our passkey (FIDO2) credential APIs to make onboarding security keys for users more convenient.

 

How does it work?

 

With the enhancements made to our passkey (FIDO2) credential APIs, you can now request WebAuthn creation options from Entra ID and use the returned data to create and register a passkey credential on behalf of a user.

 

Three main steps are required to register a security key on behalf of a user.

 

 

 

  1. Request creationOptions for a user: Entra ID returns the data your client needs to provision a passkey (FIDO2) credential. This includes the user information, relying party, credential policy requirements, supported algorithms, and more.
  2. Provision the passkey (FIDO2) credential with the creationOptions: using the creationOptions, provision the credential with a client or script that supports the Client to Authenticator Protocol (CTAP). During this step you’ll need to insert a security key and set a PIN.
  3. Register the provisioned credential with Entra ID: using the output from the provisioning step, give Entra ID the data it needs to register the passkey (FIDO2) credential for the targeted user.
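The three steps above as one provisioning flow, written here as an added example rather than Microsoft’s own client or the API’s reference implementation. The Graph beta paths (`GET /users/{id}/authentication/fido2Methods/creationOptions(challengeTimeoutInMinutes=5)` and `POST /users/{id}/authentication/fido2Methods` with a `publicKeyCredential` body) follow the preview documentation as recalled and should be checked against it; `login.microsoft.com` is the relying-party id Entra ID uses for FIDO2 credentials. The `transport` and `make_credential` callables are the integration points: a real transport adds the bearer token, and a real `make_credential` is the CTAP client that talks to the inserted key. The fake transport and fake authenticator at the bottom are constructed stand-ins so the flow runs offline; what the example adds over the prose is the validation a provisioning client should do on the creationOptions (challenge timeout, relying-party id, ES256 allowed) and the exact `clientDataJSON` that ties the registration to the challenge.

```python
import base64
import hashlib
import json
import os
from datetime import datetime, timedelta, timezone

GRAPH_BETA = "https://graph.microsoft.com/beta"  # assumption: preview APIs are on the beta endpoint
ENTRA_RP_ID = "login.microsoft.com"               # relying-party id Entra ID uses for FIDO2 credentials
ES256 = -7                                        # COSE algorithm id that every certified key supports


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Step 1: ask Entra ID for creationOptions for the target user (path assumed from the Graph beta docs).
def request_creation_options(transport, user_id, timeout_minutes=5):
    url = (f"{GRAPH_BETA}/users/{user_id}/authentication/fido2Methods/"
           f"creationOptions(challengeTimeoutInMinutes={timeout_minutes})")
    return transport("GET", url, None)


def validate_creation_options(opts, now=None):
    """Refuse to provision against stale options or an unexpected relying party."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromisoformat(opts["challengeTimeoutDateTime"].replace("Z", "+00:00"))
    if now >= expires:
        raise ValueError("challenge expired; request new creationOptions")
    public_key = opts["publicKey"]
    if public_key["rp"]["id"] != ENTRA_RP_ID:
        raise ValueError("unexpected rp id %r" % public_key["rp"]["id"])
    algs = {p["alg"] for p in public_key["pubKeyCredParams"] if p["type"] == "public-key"}
    if ES256 not in algs:
        raise ValueError("creationOptions do not allow ES256")
    return public_key


def build_client_data(challenge_b64url, origin):
    """WebAuthn collectedClientData for a registration, and its SHA-256 hash for CTAP makeCredential."""
    client_data = {"type": "webauthn.create", "challenge": challenge_b64url,
                   "origin": origin, "crossOrigin": False}
    raw = json.dumps(client_data, separators=(",", ":")).encode()
    return raw, hashlib.sha256(raw).digest()


# Step 2: hand the parameters to a CTAP-capable client, modelled as a callable that returns
# (credential_id, attestation_object) once the operator has inserted the key and set a PIN.
def provision_on_authenticator(public_key, client_data_hash, make_credential):
    return make_credential(client_data_hash=client_data_hash, rp=public_key["rp"],
                           user=public_key["user"], pub_key_cred_params=public_key["pubKeyCredParams"],
                           exclude_credentials=public_key.get("excludeCredentials", []))


# Step 3: register the attested credential for the user (body shape assumed from the Graph beta docs).
def register_credential(transport, user_id, display_name, credential_id, client_data_json, attestation_object):
    body = {"displayName": display_name,
            "publicKeyCredential": {"id": b64url_encode(credential_id),
                                    "response": {"clientDataJSON": b64url_encode(client_data_json),
                                                 "attestationObject": b64url_encode(attestation_object)}}}
    return transport("POST", f"{GRAPH_BETA}/users/{user_id}/authentication/fido2Methods", body)


def provision_security_key(transport, make_credential, user_id, display_name, origin="https://" + ENTRA_RP_ID):
    opts = request_creation_options(transport, user_id)
    public_key = validate_creation_options(opts)
    client_data_json, client_data_hash = build_client_data(public_key["challenge"], origin)
    credential_id, attestation = provision_on_authenticator(public_key, client_data_hash, make_credential)
    return register_credential(transport, user_id, display_name, credential_id, client_data_json, attestation)


# Constructed offline stand-ins: a fake Graph transport and a fake authenticator (no tenant, no key needed).
def make_fake_transport(challenge):
    sent = {}  # records the registration body so the caller can inspect what would be posted

    def transport(method, url, body):
        if method == "GET" and url.endswith("creationOptions(challengeTimeoutInMinutes=5)"):
            expires = datetime.now(timezone.utc) + timedelta(minutes=5)
            return {"challengeTimeoutDateTime": expires.isoformat().replace("+00:00", "Z"),
                    "publicKey": {"challenge": b64url_encode(challenge),
                                  "rp": {"id": ENTRA_RP_ID, "name": "Microsoft"},
                                  "user": {"id": b64url_encode(b"constructed-user-id"),
                                           "name": "alice@contoso.example", "displayName": "Alice"},
                                  "pubKeyCredParams": [{"type": "public-key", "alg": ES256}],
                                  "excludeCredentials": []}}
        if method == "POST" and url.endswith("/authentication/fido2Methods"):
            sent["body"] = body
            return {"id": "constructed-method-id", "displayName": body["displayName"]}
        raise RuntimeError("unexpected call %s %s" % (method, url))

    transport.sent = sent
    return transport


def fake_make_credential(**params):
    assert len(params["client_data_hash"]) == 32  # CTAP expects the SHA-256 of clientDataJSON
    return os.urandom(16), b"constructed-attestation-object"


if __name__ == "__main__":
    fake = make_fake_transport(os.urandom(32))
    print(provision_security_key(fake, fake_make_credential, "constructed-user-guid", "Security key 1"))
```

The timeout check matters in practice: the challenge in creationOptions is only valid for the requested window, so a provisioning client that batches many keys should request options per user immediately before touching the key rather than fetching them all up front.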

 

Build your own app or use a CMS vendor offering

 

In addition to providing the tools above, Microsoft has also collaborated with 10 leading vendors in the CMS space to integrate the new FIDO2 provisioning APIs. These vendors have rigorously tested and are fully knowledgeable in the new APIs, and are available to help you in your provisioning journey if creating your own integration isn’t something you want to do.

 

This partnership underscores our commitment to delivering a secure and interoperable ecosystem for our customers. These vendors represent a diverse range of CMS solutions, each bringing unique insights and expertise to the table. Their involvement has been instrumental in ensuring that the APIs are robust, versatile, and ready for real-world challenges.

 

As we roll out the public preview, we are proud to announce that these vendors have pledged their support, integrating the APIs into their platforms. This collaboration not only enhances the security landscape but also paves the way for seamless adoption across various industries.

 

 

 

What’s next?

 

This public preview is the next step in our passkey journey, and we’re gearing up for even more passkey (FIDO2) provisioning features. We look forward to building provisioning capabilities into the Entra admin center, giving help desk and other admins the ability to directly provision FIDO2 security keys for users.

 

To learn more about everything discussed here, check out how to enable passkeys (FIDO2) for your organization and review our Microsoft Graph API documentation. Reach out to your preferred CMS provider to learn more about their integrations with the Microsoft Entra ID FIDO2 Provisioning APIs.

 

Thanks,

Tim Larson

 

 
