Microsoft highlighted a few Azure Active Directory improvements during last week’s Ignite event.
The details were presented by Joy Chick, corporate vice president of Microsoft’s Identity Division, in an Azure AD “Roadmap” Ignite session that’s currently available on demand. No actual roadmap was shown during the session. Instead, some past and emerging progress items were noted on things like Conditional Access (with multiple demos), password spray attack detection and support for remote work scenarios.
In general, Microsoft has been using an improved machine learning model with the Azure AD service that “now examines over 300 aspects of each authentication request, including behavior and IP reputation,” Chick said. Microsoft catches “over 80 million attacks every single day, with 98 percent precision,” she added.
End users help improve the accuracy of this machine learning capability when they use the My Sign-Ins portal for Office 365 users, Chick noted. My Sign-Ins is a portal that shows password log-in attempts, permitting end users to report when someone else is attempting to access their accounts. Microsoft commercially released the My Sign-Ins portal back in August.
The Password Protection capability of Azure AD, commercially released last year, was highlighted as a valuable safeguard against password spray attacks, in which commonly used passwords get tried against multiple users in an organization to gain a foothold. A banned password list is used with the Password Protection feature to prevent end users from creating such insecure passwords.
Insecure Protocols and Legacy Authentication
Microsoft is making it easier for organizations using Azure AD to spot “policy gaps” when using the Azure AD Conditional Access service, Chick said. Moreover, the service “now blocks any insecure protocols by default,” she added. Microsoft had highlighted this capability back in August when it was explained that the insecure protocols to block included things like “POP, SMTP, IMAP, and MAPI.” Those protocols just rely on passwords and don’t have support for “multifactor authentication,” a secondary identity verification process recommended by Microsoft.
Microsoft is also going to help organizations using Web apps that depend on using so-called “legacy” authentication methods. Chick said that the Azure AD Application Proxy service “will soon support header-based authentication, which is the most popular legacy authentication protocol.” It’ll be possible to “apply the same granular security controls for remote access to legacy applications,” she added. To that end, Microsoft has expanded its partnerships enabling such “secure hybrid access” by adding Cisco AnyConnect, Fortinet, Kemp, Palo Alto Networks and Strata. The header-based authentication capability in the Azure AD Application Proxy service is expected to appear as a preview sometime this month, according to an announcement last week by Chick.
The Conditional Access API is now generally available in the Microsoft Graph, as announced back in August. It’s key for adding automation to zero trust policies, Chick indicated. In addition, PowerShell can be used for custom code. “And to get you started, we’re giving you predefined PowerShell scripts and code samples, which is available on GitHub,” Chick said.
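One way to codify the legacy-protocol block described in the previous section through that Graph API, as an added example that is not the article's or Microsoft's GitHub sample code: it assumes the Microsoft.Graph PowerShell module is installed, the signed-in account holds Policy.ReadWrite.ConditionalAccess, and the break-glass account object id is a placeholder you replace.

```powershell
# Added example (not from the article or Microsoft's samples): create a
# Conditional Access policy that blocks legacy-authentication clients through
# the Microsoft Graph Conditional Access API. Assumes the Microsoft.Graph module
# and an account with Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Block legacy authentication (report-only)"
    # Start in report-only mode: sign-in logs then show what the policy would
    # have blocked, so it can be reviewed before switching state to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            # Placeholder: exclude an emergency-access account so a mistake in
            # the policy cannot lock every administrator out of the tenant.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications = @{ includeApplications = @("All") }
        # These two client types are the ones that cannot complete MFA:
        # Exchange ActiveSync, and "other" (POP, IMAP, SMTP, MAPI and similar
        # password-only protocols).
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

# Invoke-MgGraphRequest returns the created policy as a hashtable.
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

"Created policy $($created.id) in state $($created.state)"
```

After reviewing the report-only results in the Azure AD sign-in logs, a PATCH to the same policy URI with `state = "enabled"` turns the block on.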
Also highlighted was the public preview of Conditional Access identity-protection support in Azure AD B2C (Business to Consumer). “Now you can set up intelligent access policies for your customers to reduce friction and make them even more secure,” Chick said.
The talk also included a demo featuring Microsoft’s work on an open source decentralized identity scheme, which was described back in June. The demo involved sharing military service records electronically for college enrollment purposes. Microsoft sees decentralized identifiers and verifiable credentials as making it easier to share such information digitally.
“This [decentralized identity approach] is a community effort, built on new open standards, and it will easily integrate with your existing identity systems,” Chick said. “And it uses an open source blockchain solution that is designed so that no single organization owns or controls it, including Microsoft.”