Latest Microsoft Entra advancements strengthen identity security

If you read behind the attention-grabbing headlines, most novel techniques rely on compromised identities.[1] In fact, of all the ways an attacker can get into your digital estate, identity compromise is still the most common.[2] This makes identity your first line of defense.

In many organizations, however, too many identities not only lack fundamental protections, but also end up with too many access permissions that they keep for too long. Our new State of Cloud Permissions Risks Report reveals some sobering statistics that drive home the importance of carefully protecting and managing your identities to reduce both risk and opportunities for cybercriminals.

Across multicloud, more than half of all identities are admin and workload identities that have all access rights and all permissions to cloud resources. This is dangerous because overall, identities are using only 1 percent of the permissions granted to them. Some don’t use their permissions at all. In fact, more than 60 percent of all identities with permissions to cloud resources are completely inactive. At 80 percent, the proportion of inactive workload identities is even higher—and workload identities outnumber human identities 10 to 1.

While this report summarizes issues with cloud permissions, we see similar issues for business users.

At the recent Microsoft Secure event, I shared ways to strengthen your identity defenses using the latest innovations we’re delivering in Microsoft Entra. These include new governance controls and real-time access protections to help you secure identities and the resources they access.

A new, faster way to onboard with Microsoft Entra Identity Governance and Microsoft Entra Verified ID

Good identity practices start during onboarding, a process that often frustrates IT admins and users alike.

The goal of onboarding is to give new users the right access to the right resources for the right amount of time—adhering to the Zero Trust principle of “least privilege access”—on day one. However, traditional onboarding still requires loads of redundant paperwork and online forms that require manual review and approval before new users can start work and get access to resources. This can delay hiring and increase ramp-up time.

Eighty-two percent of organizations Microsoft surveyed want a better—and less manual—way to do identity verification, and now they have one.[3] Microsoft Entra Identity Governance and Microsoft Entra Verified ID now work together to simplify onboarding. Instead of spending weeks collecting and verifying pre-hire documentation such as education and industry certifications, organizations can validate everything digitally using Verified ID credentials issued by trusted authorities.

When you use entitlement management in Identity Governance to create an access package with specific applications and expiration settings, you can now require a Verified ID as part of the approval workflow.[4] With entitlement management, you can make the onboarding process completely digital and self-serve—no admin required.[5] New users get an automated welcome email with a link to the My Access portal. Once they share the required Verified ID and their manager approves their access request, they get all their workplace access permissions at once. When their permissions expire, they can easily prove their identity again using their Verified ID without going through a lengthy renewal process.

This streamlined onboarding process is faster, safer, and less resource intensive. Organizations will spend less time validating credentials on paper and approving access requests manually, and more time collaborating and innovating. Plus, other Identity Governance features, such as automation of routine joiner, leaver, and mover tasks, help keep permissions the right size over time.

New protections to help secure access

Once a new user is on board, Microsoft Entra helps you secure their access. This starts with proactive controls such as enforcing multifactor authentication.

Strong sign-in defenses make you less attractive—and less vulnerable—to most attackers, who don’t have the technical prowess, funding, or resources of more sophisticated groups. Credential attacks are the most common because they cost relatively little to perform, but you can interrupt them with multifactor authentication.[6] Our data shows that more than 99.9 percent of compromised accounts don’t have multifactor authentication enabled.

However, sophisticated attackers are trying to work around multifactor authentication with techniques such as SIM jacking and multifactor authentication fatigue attacks. To counter these techniques, Microsoft Entra supports phishing-resistant multifactor authentication methods. These include passwordless options such as Windows Hello for Business and FIDO2 security keys. Certificate-based authentication is also available for organizations standardized on it.

When you enable multifactor authentication, by all means, adopt the strongest methods. Older methods, such as SMS and voice calls, are simply less secure.

Phishing-resistant features in Microsoft Authenticator further strengthen your multifactor authentication defenses.[7] Number Matching requires users to enter a number displayed on the sign-in screen, making it harder to accidentally approve a request. To help users confirm that they’re approving an access request they (and not an attacker) made, application context shows them which application they’re signing into, while location context displays their sign-in location based on the IP address of their device.

And now, with Conditional Access authentication strengths, admins can set policy on the strength of multifactor authentication required—and base that policy on the sensitivity of the apps and resources a user is trying to access.[8] In tandem, we’re extending phishing-resistant multifactor authentication to more scenarios. For example, you can require phishing-resistant multifactor authentication for Microsoft Azure virtual machines to protect remote sign-ins and to provide end-to-end coverage for dev, testing, and production environments. You can also require it for external users and for users who have to move between different Microsoft cloud instances to collaborate, for example, between government and commercial clouds.[9]

In addition, with Conditional Access for high-risk actions, you can now require phishing-resistant multifactor authentication for sensitive actions, such as modifying access policies, and coming soon, adding a new credential to an application or changing federated trust configuration. You can also restrict high-risk actions based on device compliance or location.
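As an added example (not code from the post or from Microsoft's own samples), here is what a policy of the kind described in the two paragraphs above looks like as a Microsoft Graph conditionalAccessPolicy body, built in Python and created with a plain HTTP POST. The Graph endpoint, the built-in phishing-resistant authentication strength ID, and the application and group IDs passed in are assumptions to verify against your tenant. The policy is created in report-only mode so that sign-in logs show who would be blocked before it is enforced, and it refuses to build without an excluded emergency-access group, since a phishing-resistant requirement applied to every account can lock administrators out.

```python
import json
import urllib.request

# Graph v1.0 collection for Conditional Access policies (assumed endpoint).
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# ID of the built-in "Phishing-resistant MFA" authentication strength that
# Microsoft ships in every tenant. Treat as an assumption: confirm it with
# GET /policies/authenticationStrengthPolicies before relying on it.
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"


def build_phishing_resistant_policy(display_name, app_ids, exclude_group_ids, report_only=True):
    """Return a conditionalAccessPolicy body that requires phishing-resistant MFA
    for every user signing in to the given applications.

    app_ids: application (client) IDs of the resources to protect, e.g. the
             Azure VM sign-in apps or a sensitive line-of-business app.
    exclude_group_ids: at least one emergency-access ("break glass") group.
    report_only: start in report-only mode (recommended); flip to False once
                 the sign-in log review shows no unexpected impact.
    """
    if not app_ids:
        raise ValueError("at least one application ID is required")
    if not exclude_group_ids:
        raise ValueError("exclude an emergency-access group so admins cannot be locked out")
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": list(app_ids)},
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
        },
        "grantControls": {
            # With an authentication strength the operator must be OR and no
            # builtInControls are listed; the strength alone defines the grant.
            "operator": "OR",
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA},
        },
    }


def create_policy(access_token, policy):
    """POST the policy to Graph. The token needs Policy.ReadWrite.ConditionalAccess."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": "Bearer " + access_token,
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder IDs: replace with real application and group object IDs.
    policy = build_phishing_resistant_policy(
        "Require phishing-resistant MFA for Azure VM sign-in (report-only)",
        app_ids=["<app-id-of-azure-vm-sign-in>"],
        exclude_group_ids=["<break-glass-group-object-id>"],
    )
    print(json.dumps(policy, indent=2))
    # To create it for real:  create_policy("<graph access token>", policy)
```

Review the report-only results under the Conditional Access insights before changing `report_only` to `False`; the same body, with a different `includeApplications` list and display name, covers the external-user and cross-cloud scenarios the post mentions.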

New countermeasures to help prevent lateral movement

Once a new user has signed in, Microsoft Entra helps you take a proactive “assume breach” stance to protect their credentials and prevent lateral movement. This is essential because post-authentication attacks, such as token theft through malware, mining poorly configured logs, and compromising routing infrastructure, are on the rise.[10]

Attackers replay stolen tokens to impersonate an authenticated user. Just as thieves copy a credit card number or read its RFID code and then go on a shopping spree until the bank notices and freezes the card, attackers steal tokens to access your digital resources—and cause a lot of damage—until that token expires.

Two new capabilities in Microsoft Entra are closing the token replay window.

First, strict enforcement of location policies lets resource providers use continuous access evaluation (CAE) to immediately revoke tokens that run afoul of location policies. Until now, a stolen token could stay valid for an hour or more, even if an attacker tried to replay it outside of the location range that policy allows.

Exchange Online, SharePoint, and Microsoft Graph can now respond to network change events by revoking tokens in near real-time. Since CAE is part of the Microsoft identity platform, hundreds of apps have adopted it to benefit from the enforcement of location policies and other CAE events. This includes Microsoft 365 apps such as Outlook, Microsoft Teams, and OneDrive, as well as the built-in Mail app on Mac, iPhone, and iPads. Third-party apps can adopt CAE through the Microsoft Authentication Library (MSAL).[11]
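As an added example (not code from the post or from MSAL), here is the client side of the CAE exchange the previous two paragraphs describe, in Python. A CAE-aware client declares the `cp1` capability when it requests tokens; when a resource has revoked a token (for instance after a location-policy violation) it answers HTTP 401 with a `WWW-Authenticate` header carrying `error="insufficient_claims"` and a base64-encoded claims challenge; the client decodes that challenge, hands it back to the token library, and retries once with the fresh token. The 401 header and the resource stand-in below are constructed for the example; `acquire_token` and `http_get` are assumed hooks where MSAL and your HTTP client would go.

```python
import base64
import json
import re

# Constructed sample of a CAE claims challenge. The payload decodes to
# {"access_token":{"nbf":{"essential":true,"value":"1679000000"}}}, i.e. the
# resource demands a token issued no earlier than the given time.
SAMPLE_CHALLENGE = json.dumps(
    {"access_token": {"nbf": {"essential": True, "value": "1679000000"}}},
    separators=(",", ":"),
)
SAMPLE_WWW_AUTHENTICATE = (
    'Bearer realm="", '
    'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'error="insufficient_claims", '
    'claims="' + base64.b64encode(SAMPLE_CHALLENGE.encode()).decode().rstrip("=") + '"'
)


def cae_capability_claims():
    """Claims a client sends with every token request to declare CAE support.
    Without cp1 the token is issued with the usual ~1 hour lifetime and the
    resource never sends a claims challenge; with it the token is long-lived
    but can be revoked and re-challenged at any time."""
    return json.dumps({"access_token": {"xms_cc": {"values": ["cp1"]}}}, separators=(",", ":"))


def parse_claims_challenge(www_authenticate):
    """Return the decoded claims-challenge dict from a 401 WWW-Authenticate
    header, or None when the 401 is not a CAE claims challenge (e.g. a plain
    expired token) and the caller should fall back to a normal token refresh."""
    if not www_authenticate.startswith("Bearer"):
        return None
    params = dict(re.findall(r'(\w+)="([^"]*)"', www_authenticate))
    if params.get("error") != "insufficient_claims" or "claims" not in params:
        return None
    raw = params["claims"]
    raw += "=" * (-len(raw) % 4)  # the service strips base64 padding; restore it
    try:
        return json.loads(base64.b64decode(raw))
    except ValueError:  # binascii.Error and JSONDecodeError are both ValueErrors
        return None


def call_with_cae(acquire_token, http_get, url, max_retries=1):
    """Call a CAE-enabled API, satisfying at most max_retries claims challenges.
    acquire_token(claims) -> bearer token (claims is None or a JSON string);
    http_get(url, token) -> (status, headers, body)."""
    claims = None
    status, headers, body = 0, {}, ""
    for _ in range(max_retries + 1):
        token = acquire_token(claims)
        status, headers, body = http_get(url, token)
        if status != 401:
            return status, body
        challenge = parse_claims_challenge(headers.get("WWW-Authenticate", ""))
        if challenge is None:
            return status, body
        # Pass the challenge back verbatim; the identity platform uses it to
        # issue a token that satisfies the revoked token's policy.
        claims = json.dumps(challenge, separators=(",", ":"))
    return status, body


class FakeCaeResource:
    """Constructed stand-in for a CAE-enabled API: it rejects the cached token
    with the sample challenge and accepts a token acquired with that challenge."""

    def __init__(self):
        self.calls = 0

    def get(self, url, token):
        self.calls += 1
        if token == "token-issued-with-challenge":
            return 200, {}, '{"value":"ok"}'
        return 401, {"WWW-Authenticate": SAMPLE_WWW_AUTHENTICATE}, ""


def fake_acquire_token(claims):
    """Assumed hook: the real version calls the token library with the claims."""
    return "token-issued-with-challenge" if claims else "cached-token"


def demo():
    resource = FakeCaeResource()
    status, body = call_with_cae(fake_acquire_token, resource.get, "https://graph.microsoft.com/v1.0/me")
    return status, body, resource.calls


if __name__ == "__main__":
    print(demo())  # second call succeeds with the re-issued token
```

In MSAL for Python the two hooks correspond to building the application with `client_capabilities=["cp1"]` (which sends the `xms_cc` claim above) and passing the decoded challenge as `claims_challenge=` when acquiring the next token; the retry is bounded on purpose so that a resource that keeps challenging cannot drive the client into an endless loop.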

While closing the token replay window is a big step forward, we’re also working to make sure it never opens in the first place through a new capability called Token Protection.[12] This adds a cryptographic key to issued tokens that blocks attackers from replaying them on a different device, which is like having a credit card that instantly deactivates if someone steals it from your wallet.

As a first step, we’re adding this capability for sign-in sessions on Windows (version 10 or later). Next, we’ll extend this capability to other platforms and address more Windows scenarios, such as app sessions and workload cookies.

A new dashboard to help close policy gaps

The new identity protections described above are just part of what’s available for creating granular Conditional Access policies. To help you find vulnerable areas in your environment, we’re adding an overview dashboard to the Microsoft Azure Active Directory Conditional Access blade that summarizes your policy posture, identifies unprotected users and apps, provides insights and recommendations on Conditional Access coverage based on sign-in activity, and helps you investigate the impact of individual policies. This will help you more quickly identify where you need to better enforce Zero Trust principles, so you can strengthen your defenses.

Good permissions governance and protecting against identity compromise are essential strategies for keeping your people and resources safe.

Learn more

Learn more about Microsoft Entra.

To learn more about the new governance and identity protection capabilities described in this blog post, check out these Microsoft Secure sessions. To review all the new innovations announced at Microsoft Secure, read Vasu Jakkal’s blog post.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

[1] 2023 identity security trends and solutions from Microsoft, Alex Weinert. January 26, 2023.

[2] Verizon 2022 Data Breach Investigations Report. 2022.

[3] Microsoft survey of 3,000 United States-based companies with more than 500 users. 2021.

[4] Add a Verified ID requirement (Preview), Microsoft Learn. January 24, 2023.

[5] What is entitlement management? Microsoft Learn. March 9, 2023.

[6] Navigating the ever-evolving authentication landscape, Pamela Dingle. January 10, 2023.

[7] Defend your users from MFA fatigue attacks, Alex Weinert. September 28, 2022.

[8] Conditional Access authentication strength, Microsoft Learn. January 29, 2023.

[9] Configure Microsoft cloud settings for B2B collaboration, Microsoft Learn. March 9, 2023.

[10] Token tactics: How to prevent, detect, and respond to cloud token theft, Microsoft Security Experts and Microsoft Incident Response. November 16, 2022.

[11] How to use Continuous Access Evaluation enabled APIs in your applications, Microsoft Learn. March 2, 2023.

[12] Conditional Access: Token protection, Microsoft Learn. March 8, 2023.