Multifactor Authentication for All at Heart of Azure AD Changes

Microsoft is opening its Microsoft Authenticator app to users of the free Azure Active Directory plan, the company announced at its Ignite conference this week, among other Azure AD enhancements.

The expanded ability to use the Microsoft Authenticator app for Android or iOS mobile devices with the free Azure AD plan was perhaps the most wide-ranging enhancement on the security side. This licensing change lets organizations enforce multifactor authentication more broadly when users sign in to applications. Under this scheme, the Authenticator app can verify identities for both Microsoft and non-Microsoft apps.

Use of the Authenticator app with the free Azure AD plan was described as being available now.

In addition, new Azure AD tenants for various Microsoft cloud services will get multifactor authentication turned on by default, a change that takes effect later this month.

"Starting later this month, MFA will be enabled as a security default in all new Azure Active Directory tenants for Microsoft 365, Office 365, Dynamics, and Azure," stated Alex Simons, corporate vice president of program management at the Microsoft Identity Division, in the announcement.

Microsoft credits multifactor authentication, in which a second factor besides the password is used to verify a user's identity, as the single most effective defense against phishing and other credential-based attacks. The caveat for practitioners is that an MFA requirement only helps if legacy authentication protocols that cannot prompt for a second factor (basic-auth IMAP, POP, SMTP and similar) are also blocked; security defaults do block legacy authentication in addition to requiring MFA, whereas an organization enforcing MFA through its own policies has to block those protocols itself.

Azure AD Cloud Provisioning Solution
Microsoft plans to add a new capability for organizations with complex environments to help synchronize users from on-premises Active Directory to Azure AD. This new Azure AD Cloud Provisioning capability will be arriving at the end of this month. Here's what it will do, in Microsoft's words:

Cloud provisioning can sync user identities from Windows Server AD forests and Azure AD regardless of where the AD forest is located by using a lightweight agent. These agents are deployed to each forest instance and can sync users into a single, consolidated Azure AD tenant. And multiple agents can be deployed per forest for redundancy and high availability. For our customers with complex organizations this can really help employees to collaborate without barriers.

Support for Moving Legacy Authentication Apps
Microsoft is previewing the use of an Azure Active Directory Domain Services "resource forest," which is designed to help organizations that are trying to move applications dependent on legacy authentication methods to the cloud. The resource forest "eliminates the need to sync password hashes to Domain Services," Microsoft explained.

Microsoft also added various improvements to Azure AD Domain Services, "including additional availability zones, improved load balancer, Azure workbooks, audit logs, and a new setup experience."

Microsoft also has a "Secure Hybrid Access" program for Azure AD that has its own landing page. It's designed to provide identity and access support for applications that depend on older "legacy" authentication methods, including "Kerberos, NTLM, Remote Desktop Protocol (RDP), LDAP, SSH, and header- and form-based authentication," according to Microsoft's description. The program now includes the partners "Akamai, Citrix, F5 and Zscaler," whose access proxies sit in front of such apps so that Azure AD policies such as MFA can be applied to them.

Groups Admin Role GA
Microsoft announced on Monday that the Groups Admin role for Azure AD users is now at the "general availability" (GA) commercial-release stage. It allows IT pros to carry out management tasks for groups without having Global Administrator privileges.

"This new Azure Active Directory role [Groups Admin] enables you to perform group management tasks for [Office 365 groups] and Azure AD security groups without requiring Global administrator permissions," the announcement explained.

The new role has a few known limitations right now: it mainly applies to Office 365 groups, it lacks Exchange PowerShell access, and it cannot manage "audit logs, access reports, or guest settings."

Simons also noted that a new "Global Reader role along with 15 other roles" was released as a preview last month. The Global Reader role permits viewing admin settings without permitting changes, which makes it a safer choice than Global Administrator for auditors and help desk staff who only need read access.

Azure AD Entitlement Management GA
Microsoft announced that Azure AD Entitlement Management is now at the GA stage. Entitlement Management lets IT pros define resource access scenarios and, in some cases, delegate the administration of those scenarios to business owners.

Entitlement Management involves creating "access packages," which define the resources (such as applications, groups and SharePoint sites) that end users, both within the organization and from outside parties, can be granted. IT departments control which users can request access to these packages and set policies on them. There's an approval process for gaining access, and access can be assigned for a limited period so that it expires rather than accumulating indefinitely.

Microsoft deems Entitlement Management as being "an important addition to Privileged Identity Management (PIM), Terms of use, and Access reviews to deliver core cloud-based Identity Governance capabilities" for organizations that are sharing resource access with outside parties. The use of Entitlement Management requires having an Azure AD Premium P2 license for each user.

Conditional Access Report-Only
Microsoft added a way for IT pros to see the effects a conditional access policy would have on end users before activating it. This feature is known as the "Report-Only" capability, a new Conditional Access policy state that is currently in public preview. A policy in report-only mode is evaluated at every sign-in and its result is recorded in the sign-in logs, but it is not enforced, so an administrator can check who would have been blocked or prompted for MFA before turning the policy on.

Microsoft also said it has added improved APIs and enhanced signal collection to its Azure AD Identity Protection service, which detects identity-related risks. Use of this service requires an Azure AD Premium P2 license.
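The following script, added here as an illustration and not code from Microsoft or from the article, shows how a practitioner would read the sign-in log to judge a report-only policy's impact. It assumes records shaped like the Microsoft Graph `signIn` resource, whose `appliedConditionalAccessPolicies[].result` field carries values such as `reportOnlySuccess`, `reportOnlyFailure` and `reportOnlyNotApplied`; the sign-in records and the policy names are constructed for the example.

```python
"""Summarize the impact of report-only Conditional Access policies.

Added example, not Microsoft code. Record shape follows the Microsoft Graph
`signIn` resource; the sample records, user names and policy names below are
constructed for this example and are not real log data.
"""
from collections import Counter, defaultdict

# Results a report-only policy can produce in the sign-in log.
REPORT_ONLY_RESULTS = {
    "reportOnlySuccess",      # conditions matched, grant controls satisfied
    "reportOnlyFailure",      # conditions matched, controls NOT satisfied
    "reportOnlyNotApplied",   # policy conditions did not match this sign-in
    "reportOnlyInterrupted",  # user would have been interrupted (e.g. MFA prompt)
}

# Constructed sample: one report-only MFA policy, one already-enforced
# policy for comparison. bob uses legacy clients that cannot perform MFA.
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@contoso.example",
     "clientAppUsed": "Browser",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users",
          "enforcedGrantControls": ["Mfa"], "result": "reportOnlySuccess"}]},
    {"id": "s2", "userPrincipalName": "bob@contoso.example",
     "clientAppUsed": "Exchange ActiveSync",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users",
          "enforcedGrantControls": ["Mfa"], "result": "reportOnlyFailure"}]},
    {"id": "s3", "userPrincipalName": "bob@contoso.example",
     "clientAppUsed": "IMAP4",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users",
          "enforcedGrantControls": ["Mfa"], "result": "reportOnlyFailure"}]},
    {"id": "s4", "userPrincipalName": "carol@contoso.example",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users",
          "enforcedGrantControls": ["Mfa"], "result": "reportOnlyNotApplied"},
         {"displayName": "Block legacy auth",
          "enforcedGrantControls": ["Block"], "result": "success"}]},
]


def report_only_summary(signins):
    """Count report-only outcomes per policy.

    Returns {policy_name: {result: count}}. Enforced policies (results like
    "success"/"failure") are skipped: they already affect users.
    """
    summary = defaultdict(Counter)
    for s in signins:
        for p in s.get("appliedConditionalAccessPolicies", []):
            if p.get("result") in REPORT_ONLY_RESULTS:
                summary[p["displayName"]][p["result"]] += 1
    return {name: dict(counts) for name, counts in summary.items()}


def would_be_blocked(signins, policy_name):
    """Users whose sign-ins would have failed had `policy_name` been enforced,
    mapped to the client apps they were using.

    A "reportOnlyFailure" means the policy matched and its grant controls were
    not met. Legacy clients (Exchange ActiveSync, IMAP4, POP3, SMTP) can never
    satisfy an MFA control, so these users need a modern client or an
    exclusion before the policy is switched from report-only to on.
    """
    affected = defaultdict(set)
    for s in signins:
        for p in s.get("appliedConditionalAccessPolicies", []):
            if p.get("displayName") == policy_name and p.get("result") == "reportOnlyFailure":
                affected[s["userPrincipalName"]].add(s.get("clientAppUsed", "unknown"))
    return {user: sorted(apps) for user, apps in affected.items()}


if __name__ == "__main__":
    for policy, counts in report_only_summary(SAMPLE_SIGNINS).items():
        print(policy, counts)
    for user, apps in would_be_blocked(SAMPLE_SIGNINS, "Require MFA for all users").items():
        print(f"{user}: would be blocked when using {', '.join(apps)}")
```

In a real tenant the records would come from the Azure AD sign-in log export or the Graph `auditLogs/signIns` endpoint rather than from the constructed list; the two functions apply unchanged. The interesting output is the `would_be_blocked` list: it is the set of users whose legacy clients would break the moment the policy is enforced, which is exactly what report-only mode exists to surface.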

Workspaces for My Apps Portal Preview
IT pros can now limit the My Apps portal to show end users only a curated set of the apps they can access; this capability is at the preview stage. My Apps is a web portal that also offers a browser extension for Google Chrome, Microsoft Edge and Mozilla Firefox.

This collection of apps in My Apps, which gets filtered by organizations, is known as a "workspace," according to Microsoft's documentation. Organizations can set up these workspaces for end users if they have "an Azure AD Premium P1 or P2 license," according to Microsoft.

Microsoft also announced that using Google as an identity provider with the Azure AD Business to Business (B2B) service is now at the GA stage.

FIDO2 for Hybrid Environments
Microsoft is aiming to avoid the use of passwords altogether. Measures to that end include Windows Hello in Windows 10, which can verify a person's face or fingerprint or accept a device-bound PIN, as well as FIDO2-based physical security keys (USB, NFC or Bluetooth devices in the form of cards and dongles), where the private key never leaves the hardware.

In July, Microsoft had announced a preview of FIDO2 keys for accessing Azure AD-connected apps, but mentioned at that time that support also would be coming for FIDO2 access to on-premises Active Directory-based apps. On Tuesday, Microsoft announced that FIDO2 support for these so-called "hybrid" environments (on-premises plus cloud) is "expected to launch early 2020."

Other Azure AD Additions
If all of that weren't enough, Microsoft last month announced a preview of the ability to move from federated authentication, where an on-premises identity provider such as AD FS authenticates users for Azure AD, to cloud authentication handled by Azure AD itself. This capability is called "staged rollout to cloud authentication." It moves selected groups of users at a time and so avoids a cutover migration of an organization's entire domain, according to Simons.

"This feature allows you to migrate your users' authentication from federation -- via AD FS, Ping Federate, Okta, or any other federation on-premises system -- to cloud authentication in a staged and controlled manner," he added.

Also last month, Microsoft rolled out a preview of Azure AD My Sign-Ins. It's a "new feature that allows enterprise users to review their sign-in history to check for any unusual activity," Microsoft explained, in an October announcement.

Microsoft also added Azure AD perks for developers by releasing "Microsoft Authentication Libraries (MSAL) for Android, iOS and macOS," which reached the GA stage, according to an October announcement.

Decentralized Identities Proof of Concept
Microsoft is still working on a collaborative effort to use blockchain technology to enable decentralized identities, where end users control their own identity information instead of a central provider holding it. The decentralized identities effort was described back in May with a preview of the Identity Overlay Network.

Now there's a proof-of-concept demo of decentralized identities that's "sponsored by the National Health Service (NHS) in the U.K.," Microsoft announced. It was described in an Ignite session.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.