Microsoft Improves Azure Active Directory ID Preview
This week Microsoft pushed through some improvements and new capabilities for its Azure Active Directory Identity Protection preview.
It was updated with two new conditional access capabilities for handling federated identities, Microsoft announced on Thursday. Having federated identities makes it easier for end users to access applications under management by an organization, including Azure solutions, Office 365 applications and third-party solutions.
The Azure AD Identity Protection service now tracks all "risk event types," Microsoft announced this week.
"Now you can tell if botnet infections, TOR networks, or location anomalies are present in your federated sign-ins," explained Salah Ahmed, a program manager in the identity security and protection team at Microsoft's Identity Division.
Microsoft first announced the release of this preview in March, but the preview apparently didn't track all risk types back then. The Azure AD Identity Protection service is designed to check for six different identity risks:
- Users with leaked credentials
- Irregular sign-in activity
- Sign-ins from possibly infected devices
- Sign-ins from unfamiliar locations
- Sign-ins from IP addresses with suspicious activity
- Sign-ins from impossible travel
The second new capability included in this updated preview is the ability to block or enforce multifactor authentication for federated identities.
"What this means it that your federated identities have an extra layer of protection when they try to access cloud services such as Office 365, Azure, or *any* apps configured for Single Sign-On with Azure Active Directory!," Ahmed added.
If risk is detected during a sign-in attempt and multifactor authentication is enforced through policy, then end users will see a special log-in screen along with a challenge to prove their identity. Multifactor authentication is a secondary verification scheme on top of the usual password sign-in attempt.
Microsoft's announcement explained that organizations can either use Azure Active Directory to enforce multifactor authentication from their Azure tenant or they can configure multifactor authentication to work on premises using Windows Active Directory Federation Server. The on-premises setup requires the use of a PowerShell cmdlet to get it to work, Microsoft's announcement noted.
The updated preview is now "available in all U.S. tenants," according to Ahmed. It's not clear when Microsoft will commercially release this service. Costs and software licensing haven't been clarified either.
IT pros testing the preview can simulate risk events when using Azure AD Identity Protection service. That's described at this Microsoft Azure documentation page.
Dynamic Password Checking
In other Azure Active Directory news, Microsoft published its progress in securing passwords with its Microsoft Account service via a "dynamic password" list that blocks the use of passwords known to be compromised through hacker leaks. This work is relevant in an Azure AD context because the approach is on Microsoft's roadmap for integration into the Azure AD Protection service, according to Alex Weinert of Microsoft's identity protection team, who made that comment in this Azure Directory team blog post.
In addition, Weinert suggested that this password filtering approach could eventually come to on-premises AD environments.
"We are looking at providing a password filter for AD which can check with Azure AD for cases where the password is set on prem."
Microsoft currently enforces multifactor authentication in its consumer Microsoft Account service, and Weinert generally recommended that security approach until the industry gets to the point of bypassing passwords altogether. The industry is moving toward the use of "TPM [Trusted Platform Module] based certs, specific to a device, and unlocked with a bio or a PIN," Weinert explained. Microsoft and other companies are spearheading this future approach via the FIDO Alliance, he added.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.