Azure Active Directory Identity Blog articles https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity Azure Active Directory Identity Blog articles Sun, 24 Oct 2021 16:31:43 GMT Identity 2021-10-24T16:31:43Z Microsoft recognized by the IDC MarketScape as a Leader in Worldwide Advanced Authentication for AAD https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/microsoft-recognized-by-the-idc-marketscape-as-a-leader-in/ba-p/2464411 <P>Microsoft has been named a leader in the IDC MarketScape: Worldwide Advanced Authentication for Identity Security 2021 Vendor Assessment (doc #US46178720, July 2021) report.</P> <P>&nbsp;</P> <P>The IDC MarketScape analyzed companies’ identity security capabilities and strategies and Microsoft was one of seven companies recognized as a leader. Read the <A href="#" target="_blank" rel="noopener">report excerpt</A> to learn more.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="IDC.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/315419iE57516325D86E712/image-size/large?v=v2&amp;px=999" role="button" title="IDC.png" alt="IDC.png" /></span></P> <P><EM style="font-family: inherit;">PLEASE NOTE: Manipulation or editing of the graphic or accompanying language is not permitted. Translation of this document into other languages, or a license to provide this document to other parties for redistribution, requires an additional IDC contract.&nbsp;</EM></P> <P>&nbsp;</P> <P>IDC MarketScape vendor analysis model is designed to provide an overview of the competitive fitness of ICT suppliers in a given market. The research methodology utilizes a rigorous scoring methodology based on both qualitative and quantitative criteria that results in a single graphical illustration of each vendor’s position within a given market. 
The Capabilities score measures vendor product, go-to-market and business execution in the short-term. The Strategy score measures alignment of vendor strategies with customer requirements in a 3-5-year timeframe. Vendor market share is represented by the size of the icons.</P> <P>&nbsp;</P> <P><EM>Source:&nbsp; "IDC MarketScape: Worldwide Advanced Authentication for Identity Security 2021 Vendor Assessment", By: Jay Bretzmann, July 2021, IDC # US46178720</EM></P> <P>&nbsp;</P> <P>In the report, Program Director of Cybersecurity Research Jay Bretzmann writes, “Microsoft Active Directory and Microsoft Azure Active Directory are the repositories for more user identities than all other combined directory services providers. Its identity ecosystem continues to expand, offering advanced authentication capabilities that can meet most use cases on Windows and, increasingly, non-Windows environments.” The report also highlights Microsoft capabilities in Azure Active Directory for identity protection, Conditional Access, continuous access evaluation, and verifiable credentials.</P> <P>&nbsp;</P> <P>Identity security is a top priority for us to deliver to our customers, so we’re extremely honored that our efforts have been recognized by the IDC MarketScape. We prioritize security principles when developing our products and innovating new solutions, and we believe the report’s findings validate our vision of providing identity-driven security and effortless user experiences to our customers.</P> <P>&nbsp;</P> <P>The IDC MarketScape’s guidance aligns with Microsoft’s security principles:</P> <UL> <LI><STRONG>Enable multifactor authentication (MFA)</STRONG>: The report states, “IDC believes IT buyers should already have MFA solutions included within their present year security software budgets; if not, include such next year. 
This is a must-do security thing … MFA can be effectively delivered as a SaaS offering and really ought to be for your business or organization.”</LI> <LI><STRONG>Go Passwordless</STRONG>: According to the report, “The day is coming where true Passwordless solutions will understand who we are based on what we do, but that day won't be in 2021 (or even 2022). As a technology buyer, should you wait? IDC thinks not; the current benefits exceed the downside. … hopefully [companies have] headlights toward a Passwordless future.”</LI> <LI><STRONG>Use conditional access policies: </STRONG>Conditional Access policies are if-then rules: if a sign-in matches the policy’s conditions (which user, which application, and signals such as device state, location, or sign-in risk), then the policy’s controls, such as requiring MFA, must be satisfied before access to the resource is granted.</LI> <LI><STRONG>Apply identity protection: </STRONG>Continuous access evaluation terminates active user sessions to Exchange and Microsoft Teams in real time on changes like account disable, password reset, and admin-initiated user revocation, instead of waiting for the access token to expire.</LI> </UL> <P>&nbsp;</P> <P>The report also explores industry trends and the leading cause of security breaches, and offers recommendations on choosing security solutions.</P> <P>&nbsp;</P> <P>Read the <A href="#" target="_blank" rel="noopener">report excerpt</A> for details.</P> <P>&nbsp;&nbsp;</P> <P>Microsoft’s inclusion in the IDC MarketScape vendor assessment is the latest industry validation of our efforts to help companies be more secure. 
Check out our <A href="#" target="_blank" rel="noopener">leadership recognition</A> across Microsoft Security.</P> <P>&nbsp;</P> <P>See also our <A href="#" target="_blank" rel="noopener">5 steps to securing your identity infrastructure</A> for the top things you can do in Azure AD to improve your security posture.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the<SPAN>&nbsp;</SPAN></EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>Twitter</EM></A><EM><SPAN>&nbsp;</SPAN>and<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>Azure Feedback Forum</EM></A></LI> </UL> Thu, 07 Oct 2021 16:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/microsoft-recognized-by-the-idc-marketscape-as-a-leader-in/ba-p/2464411 Alex Simons (AZURE) 2021-10-07T16:00:00Z Integration guidance helps partners deliver Zero Trust solutions https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/integration-guidance-helps-partners-deliver-zero-trust-solutions/ba-p/2810650 <P>Building a great product means listening to what our customers need, and we’ve heard loud and clear from our customers that Zero Trust adoption is more important than ever. In the 2021 <A href="#" target="_blank">Zero Trust Adoption Report</A>, we learned that 96% of security decision-makers state that Zero Trust is critical to their organization’s success, and 76% of organizations have at least started implementing a Zero Trust strategy. 
In the next couple of years, Zero Trust is expected to remain the top security priority, and organizations anticipate increasing their investment.</P> <P>&nbsp;</P> <P>Zero Trust adoption has been accelerated by the U.S. government as well. In May 2021, the White House signed <A href="#" target="_blank">an executive order</A> calling for improvement to the nation’s cybersecurity, including advancing towards a Zero Trust architecture. More recently, the Office of Management and Budget released a <A href="#" target="_blank">draft federal strategy</A> for moving towards Zero Trust architecture, with key goals to be achieved by 2024. Microsoft has <A href="#" target="_blank">published customer guidance and resources for meeting Executive Order objectives</A>.</P> <P>&nbsp;</P> <P>These government and industry imperatives create a huge opportunity for Microsoft and our partners to enhance support for our customers as they move towards an end-to-end Zero Trust security posture. At Microsoft, we strive to make it easy for partners, such as independent software vendors, to integrate with us so customers can easily adopt the most comprehensive security solutions. We recognize that customers take varied paths on their journey to Zero Trust and have multiple security solutions in their environment. When we work together to meet these needs, we build stronger protections for our companies and nations.&nbsp; &nbsp;</P> <P>&nbsp;</P> <P>To support partner integration and Zero Trust readiness, we recently released <A href="#" target="_blank">partner integration guidance</A> at our Zero Trust Guidance Center. This guidance is organized across the pillars of Zero Trust, supporting integrations across a wide variety of products and partners. 
Examples include:</P> <UL> <LI><A href="#" target="_blank">Integrating your solution with Azure Active Directory</A> to share risk signals, increase customer trust, and support advanced solution scenarios.</LI> <LI>Using <A href="#" target="_blank">Microsoft Endpoint Manager</A> APIs to ensure compliance on the devices employees are using.</LI> <LI>Enhancing customer visibility across their entire digital estate with <A href="#" target="_blank">integrations with Azure Sentinel</A>.</LI> </UL> <P>&nbsp;</P> <P>We applaud those who are embracing a Zero Trust approach for security solutions. We will close out with two examples of how ISV partners F5 and Yubico have benefited from this integration guidance in the Zero Trust Guidance Center.</P> <P><STRONG>&nbsp;</STRONG></P> <H4><STRONG>F5 and Microsoft rescue a county from malware&nbsp;</STRONG></H4> <P>&nbsp;</P> <P><STRONG>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="F5.png" style="width: 99px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/315104i4CA014D169BB6A1A/image-size/large?v=v2&amp;px=999" role="button" title="F5.png" alt="F5.png" /></span></STRONG></P> <P>Many companies rely on line-of-business applications that were developed before modern authentication protocols such as SAML and OIDC were adopted. This means organizations must manage multiple ways to authenticate users, which complicates the user experience, increases costs, and leaves those legacy apps outside the controls (MFA, Conditional Access) that protect the rest of the estate.</P> <P><A href="#" target="_blank">BIG-IP Access Policy Manager (APM)</A> is F5’s access management proxy solution that centralizes access to apps, APIs and data. 
BIG-IP APM integrates with Microsoft Azure AD so that Azure AD Conditional Access governs access to the BIG-IP APM user interface.</P> <P>&nbsp;</P> <P>Last year, <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/durham-county-enhances-security-across-a-hybrid-environment-with/ba-p/1633530" target="_blank">Durham County enhanced security across a hybrid environment with Azure AD and F5 BIG-IP APM</A> in the wake of a serious cybersecurity incident. F5 BIG-IP APM gave employees the unified solution they needed to access legacy on-premises apps. With Azure AD, the county applied security controls to all of its apps, enforced multifactor authentication, and used fine-tuned policies based on circumstances like employee login location. In addition, self-service password reset powered by the solution reduced help desk calls for passwords by 80%.</P> <P>&nbsp;</P> <P><LI-VIDEO vid="https://www.youtube.com/watch?v=jokwi85vVTA" align="center" size="large" width="600" height="338" uploading="false" thumbnail="https://i.ytimg.com/vi/jokwi85vVTA/hqdefault.jpg" external="url"></LI-VIDEO></P> <P><STRONG>&nbsp;</STRONG></P> <H4><STRONG><BR />Government of Nunavut turns to Yubico and Microsoft to build phishing resistance following ransomware attack</STRONG></H4> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kuchinski_1-1633383236951.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/315102iDA0CDAC864636B8B/image-size/medium?v=v2&amp;px=400" role="button" title="kuchinski_1-1633383236951.png" alt="kuchinski_1-1633383236951.png" /></span></P> <P>&nbsp;</P> <P>In 2019, the Government of Nunavut, a Canadian territory, experienced a spear phishing attack that took down critical IT resources for the territory. 
In the wake of the attack, protecting identities and applications was a top priority.</P> <P>&nbsp;</P> <P>Together, Azure AD and YubiKey offered a solution that upgraded the security of the Government of Nunavut and fit their unique needs. The Government of Nunavut wanted to implement a phishing-resistant authentication solution. In addition, the government agencies used a variety of Windows-based systems, and, because of their remote locations, had inconsistent network access. To address these needs, they adopted YubiKeys, hardware authenticators that provide phishing-resistant multi-factor authentication and need no network connection, power source, or client software of their own. You can read the <A href="#" target="_blank">full story from Yubico</A> and learn more from the video below.</P> <P>&nbsp;</P> <P><LI-VIDEO vid="https://www.youtube.com/watch?v=BmdlVrepPhg" align="center" size="large" width="600" height="338" uploading="false" thumbnail="https://i.ytimg.com/vi/BmdlVrepPhg/hqdefault.jpg" external="url"></LI-VIDEO></P> <P><STRONG>&nbsp;</STRONG></P> <H4><STRONG>Learn more</STRONG></H4> <P>We are incredibly proud of the work our partners are doing to provide customers with critical cybersecurity solutions using the principles of Zero Trust. 
Check out our newly published <A href="#" target="_blank">partner integration guidance</A><SPAN> for Zero Trust readiness</SPAN> to learn more about opportunities.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Related Articles: <A href="#" target="_blank">Identity integration guidance ebook</A></EM></LI> <LI><EM>Return to the&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener">Azure Active Directory Identity blog home</A></EM></LI> <LI><EM>Join the conversation on<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>Twitter</EM></A><EM><SPAN>&nbsp;</SPAN>and<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>Azure Feedback Forum</EM></A></LI> </UL> Wed, 06 Oct 2021 16:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/integration-guidance-helps-partners-deliver-zero-trust-solutions/ba-p/2810650 Sue Bohn 2021-10-06T16:00:00Z CloudKnox acquisition: what’s available now and what’s coming soon https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/cloudknox-acquisition-what-s-available-now-and-what-s-coming/ba-p/2464367 <P>Howdy Folks,</P> <P>&nbsp;</P> <P>It’s been a couple of months since we announced the <A href="#" target="_blank" rel="noopener">acquisition of CloudKnox Security</A> and our teams have been hard at work integrating the CloudKnox technology. I am thrilled to see the excitement and the interest this news has generated. Many of you have reached out with questions so I’ll share an update on our progress and answer some of these questions.</P> <P>&nbsp;</P> <H4><STRONG>I’m a current CloudKnox customer. 
Can I keep using the product?</STRONG></H4> <P>Absolutely! All current CloudKnox customers will continue to receive sales, engineering, and service support from Microsoft. CloudKnox customers can use the CloudKnox product without interruption of service or a pricing change. Microsoft sales and support will keep delivering and supporting all CloudKnox services to meet your multi-cloud permissions management needs.</P> <P>&nbsp;</P> <H4><STRONG>Is it possible to try out and/or buy the CloudKnox product now?</STRONG></H4> <P>Yes, we are expanding our sales and support staff to assist existing and new customers with CloudKnox. If you are a CloudKnox customer or thinking about becoming one, contact your CloudKnox or Microsoft representatives today to learn more about how we can help you with multi-cloud permissions management. You can also ask for a <A href="#" target="_blank" rel="noopener">free permission risk assessment</A> of your IT environment or <A href="#" target="_blank" rel="noopener">request we contact you</A>.</P> <P>&nbsp;</P> <H4><STRONG>Now that CloudKnox is part of Microsoft, does that mean it will only support Microsoft Azure and no longer be multi-cloud?</STRONG></H4> <P>We know that many of our enterprise customers have a multi-cloud strategy and need tools and services that are optimized for managing security and compliance across their entire cloud estate. We are 100% committed to delivering customers an amazing multi-cloud set of Cloud Infrastructure Entitlement Management, Identity, and Governance capabilities no matter which clouds they use. In fact, the #1 reason Microsoft purchased CloudKnox was to accelerate our ability to help customers manage their AWS, Google Cloud Platform, and VMware deployments.</P> <P>&nbsp;</P> <H4><STRONG>What’s next for CloudKnox? </STRONG></H4> <P>Look forward to hearing more about the product roadmap and enhancements in the coming months. Microsoft Ignite is also right around the corner. 
Expect a peek at what the Microsoft and CloudKnox teams have been working on.</P> <P>&nbsp;</P> <P>I hope you found this short update informative and helpful. As always, we welcome your comments and feedback.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Alex</P> <P><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank" rel="noopener"><EM>Twitter</EM></A><EM> and </EM><A href="#" target="_blank" rel="noopener"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the </EM><A href="#" target="_blank" rel="noopener"><EM>Azure Feedback Forum</EM></A></LI> </UL> Thu, 30 Sep 2021 17:24:17 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/cloudknox-acquisition-what-s-available-now-and-what-s-coming/ba-p/2464367 Alex Simons (AZURE) 2021-09-30T17:24:17Z Announcing Improved Identity Protection Signal Quality and Visibility https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/announcing-improved-identity-protection-signal-quality-and/ba-p/2464410 <P><SPAN data-contrast="none">Howdy folks,</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">I’m excited to share&nbsp;our&nbsp;recent improvements&nbsp;in&nbsp;risk evaluation and reporting visibility for Identity Protection.&nbsp;These&nbsp;changes are a step forward&nbsp;in our ability to detect emerging attack vectors&nbsp;and&nbsp;help you focus on the most critical alerts.&nbsp;We&nbsp;improved signal quality and reduced&nbsp;alert 
volume&nbsp;for low-risk sign-ins&nbsp;by more than 60%,&nbsp;introduced unfamiliar sign-in properties for session cookies, and added visibility into non-interactive risky sign-ins.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Sarah Handler, Senior Program&nbsp;Manager</SPAN><SPAN data-contrast="none">,</SPAN><SPAN data-contrast="none">&nbsp;and&nbsp;Feifan</SPAN><SPAN data-contrast="none">&nbsp;</SPAN><SPAN data-contrast="none">Jian</SPAN><SPAN data-contrast="none">,&nbsp;</SPAN><SPAN data-contrast="none">Data&nbsp;Scientist, both&nbsp;from our Identity Security team</SPAN><SPAN data-contrast="none">,</SPAN><SPAN data-contrast="none">&nbsp;will&nbsp;take you through these improvements and the data science behind&nbsp;the scenes</SPAN><SPAN data-contrast="none">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Best Regards,</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Alex Simons (<A href="#" target="_self">@Alex_A_Simons</A>)</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Corporate Vice President Program Management</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Microsoft Identity Division</SPAN><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">------------------------------------------------------</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Hi&nbsp;everyone –</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">We’re excited to share with you how these&nbsp;changes can better protect your organization’s identities and improve your investigative experience!&nbsp;Identity</SPAN><SPAN data-contrast="none">-</SPAN><SPAN data-contrast="none">based attacks&nbsp;have evolved and expanded</SPAN><SPAN data-contrast="none">&nbsp;</SPAN><SPAN data-contrast="none">over&nbsp;the last year. 
In response,&nbsp;our team has expanded our detection surface area and improved our systems to ensure that we’re surfacing high-fidelity alerts, so that you can focus on what matters most.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">First, we expanded where we detect unfamiliar sign-in properties to include non-interactive sign-ins. The unfamiliar sign-in properties detection evaluates in real time how far a user’s current sign-in deviates from that user’s past sign-in behavior. This detection was previously available only for interactive sign-ins, but now we also evaluate session cookies. For most tenants, this will not lead to a significant increase in unfamiliar sign-in properties detections; but non-interactive sign-ins that <STRONG>do</STRONG> get flagged for unfamiliar sign-in properties deserve increased scrutiny: a session cookie or token being presented from a context that does not match the user’s history, with no credential or MFA prompt involved, is exactly what a token replay attack looks like.</SPAN><SPAN
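data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P>A simplified illustration of the detection idea just described, added here as an example and not code or the model from Identity Protection itself: build a per-user baseline of sign-in properties, flag a sign-in whose properties deviate from that baseline, and escalate a flagged non-interactive sign-in (a token or session cookie presented with no credential prompt) as possible token replay. The users, networks, device IDs, the three properties compared and the threshold are all constructed for the example; a real system scores many more features with a trained model.</P>

```python
# Added illustration of the "unfamiliar sign-in properties" idea: a per-user
# baseline of sign-in properties, a deviation check, and escalation of
# non-interactive deviations as possible token replay. This is not Microsoft's
# model; the properties, threshold and all sample records are my own.
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: int              # sequence number standing in for a timestamp
    ip_prefix: str       # network bucket (first three octets)
    country: str
    device_id: str
    interactive: bool    # False = refresh token / session cookie, no prompt


# Constructed sample sign-ins (hypothetical users, networks, device IDs).
SAMPLE_SIGNINS = [
    SignIn("alice", 1, "203.0.113", "US", "dev-a1", True),
    SignIn("alice", 2, "203.0.113", "US", "dev-a1", False),
    SignIn("alice", 3, "198.51.100", "US", "dev-a1", True),   # new network only
    SignIn("bob",   4, "192.0.2",   "DE", "dev-b7", True),
    SignIn("bob",   5, "192.0.2",   "DE", "dev-b7", False),
    # alice's session cookie presented from a network, country and device
    # never seen for her, with no credential or MFA prompt: replay-shaped.
    SignIn("alice", 6, "233.252.0", "RU", "dev-zz", False),
    SignIn("bob",   7, "192.0.3",   "DE", "dev-b7", True),    # new network only
    # bob signs in interactively from a new network and country: worth a look,
    # but a credential (and any MFA policy) was actually exercised.
    SignIn("bob",   8, "233.252.0", "BR", "dev-b7", True),
]

PROPERTIES = ("ip_prefix", "country", "device_id")


def unfamiliar_properties(history, signin):
    """Return the names of the properties of `signin` never seen for this user."""
    return [p for p in PROPERTIES if getattr(signin, p) not in history[p]]


def triage(signins, threshold=2):
    """Evaluate sign-ins in time order against a per-user baseline.

    A user's first sign-in seeds the baseline and is never flagged. A sign-in
    with at least `threshold` unfamiliar properties is flagged and deliberately
    NOT learned, so an attacker's properties do not become "familiar".
    Non-interactive findings are escalated and sorted first.
    """
    baseline = {}  # user -> {property -> set of values seen}
    findings = []
    for s in sorted(signins, key=lambda x: x.ts):
        hist = baseline.setdefault(s.user, {p: set() for p in PROPERTIES})
        first_seen = all(len(v) == 0 for v in hist.values())
        unfamiliar = [] if first_seen else unfamiliar_properties(hist, s)
        if len(unfamiliar) >= threshold:
            verdict = ("possible token replay" if not s.interactive
                       else "unfamiliar interactive sign-in")
            findings.append({"user": s.user, "ts": s.ts, "interactive": s.interactive,
                             "unfamiliar": unfamiliar, "verdict": verdict})
            continue  # flagged sign-ins never extend the baseline
        for p in PROPERTIES:
            hist[p].add(getattr(s, p))
    # False sorts before True: token/cookie findings come first.
    findings.sort(key=lambda f: (f["interactive"], f["ts"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SIGNINS):
        print(finding)
```

<P>Two details matter if you build something like this for real: a flagged sign-in is not learned into the baseline, so an attacker cannot make their context familiar by repeating it, and non-interactive findings sort first because nothing challenged the user when the token was presented. The right response to that finding is the one the risk policies described later in this post automate: revoke the user’s sessions and refresh tokens and require fresh, strong authentication.</P>
<P><SPAN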
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="none">You&nbsp;can</SPAN><SPAN data-contrast="none">&nbsp;</SPAN><SPAN data-contrast="none">see these&nbsp;non-interactive unfamiliar sign-in properties&nbsp;detections in&nbsp;the&nbsp;Risk detections report and&nbsp;in&nbsp;the Risky sign-ins report, which were updated to support non-interactive sign-ins. The&nbsp;Risky sign-ins&nbsp;report&nbsp;now&nbsp;defaults to showing you both interactive and non-interactive risky sign-ins. You&nbsp;can toggle this using the “sign-in type” filter.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Identity Protection.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/312251iE6D3C700387B0E6A/image-size/large?v=v2&amp;px=999" role="button" title="Identity Protection.png" alt="Identity Protection.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="none">Additionally, we&nbsp;have&nbsp;significantly&nbsp;improved the signal</SPAN><SPAN data-contrast="none">-</SPAN><SPAN data-contrast="none">to</SPAN><SPAN data-contrast="none">-</SPAN><SPAN data-contrast="none">noise ratio for&nbsp;low-risk&nbsp;risky&nbsp;sign-ins</SPAN><SPAN data-contrast="none">.&nbsp;</SPAN><SPAN data-contrast="none">We heard&nbsp;your feedback that for many organizations there were simply too many low-risk sign-ins to investigate.&nbsp;We want&nbsp;your admins and&nbsp;security professionals&nbsp;to focus on the most important&nbsp;detections and to trust the fidelity of our signal, so we&nbsp;tuned our</SPAN><SPAN data-contrast="none">&nbsp;</SPAN><SPAN 
data-contrast="none">detections and have</SPAN><SPAN data-contrast="none">&nbsp;reduced the number of low-risk Risky sign-ins by&nbsp;</SPAN><STRONG><SPAN data-contrast="none">more than 60% while also significantly improving precision!</SPAN></STRONG><SPAN data-contrast="none">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Let’s hear from Feifan Jian, the data scientist behind these changes, on how we did it.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <H4 aria-level="2"><STRONG>Under the hood: the data science behind our changes&nbsp;</STRONG></H4> <P><SPAN data-contrast="none">Identity Protection’s detection systems run both in real time (during authentication) and offline (post-authentication) to understand whether sign-ins and users are compromised. Our offline machine learning model, which runs post-authentication, scores sign-ins with different features and algorithms to determine whether a sign-in was compromised. 
The output of the model is the aggregate sign-in risk level, which represents our most recent evaluation of whether that sign-in was compromised.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">We made a change to our offline machine learning model to improve its accuracy, allowing us to reduce the noise for low-risk risky sign-ins. Since this change, the </SPAN><STRONG><SPAN data-contrast="none">volume of sign-ins with low aggregate risk dropped by more than 60%,</SPAN></STRONG><SPAN data-contrast="none"> and precision, the share of flagged sign-ins that were actually compromised, </SPAN><STRONG><SPAN data-contrast="none">improved by 100% (it doubled).</SPAN></STRONG><SPAN data-contrast="none"> This means you will get fewer, but higher quality, low-risk risky sign-ins in your environment!</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P>&nbsp;</P> <H4 aria-level="2"><STRONG>Use these improved features today!&nbsp;</STRONG></H4> <P><SPAN data-contrast="auto">These improvements have automatically rolled out in Identity Protection, and you can start using them today! To best protect your 
environment and benefit from our risk evaluation, make sure you&nbsp;also&nbsp;set up conditional access policies to&nbsp;automatically&nbsp;mitigate risky sign-ins and risky users in your organization. To learn more, read&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">how to configure risk policies</SPAN></A><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Stay secure!</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Sarah Handler (<A href="#" target="_self">@sarahhandler</A>)</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Senior Program Manager </SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Microsoft Identity Security and Protection Team </SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Feifan&nbsp;Jian</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Data Scientist II</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN 
data-contrast="none">Microsoft Identity Security and Protection Team</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>Twitter</EM></A><EM> and </EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the </EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>Azure Feedback Forum</EM></A></LI> </UL> Thu, 23 Sep 2021 21:38:33 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/announcing-improved-identity-protection-signal-quality-and/ba-p/2464410 Alex Simons (AZURE) 2021-09-23T21:38:33Z Introducing password removal for Microsoft Accounts https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/introducing-password-removal-for-microsoft-accounts/ba-p/2747280 <P>Common attacks such as phishing, password spray, and credential stuffing rely on one unchanging truth: when it comes to passwords, human behavior is predictable. Armed with this predictability, bad actors still succeed most of the time when attempting these types of attacks, even though the tools they’re using are 30 years old.</P> <P>&nbsp;</P> <P>Starting today, we’re excited to announce that anyone using a consumer Microsoft account can go completely passwordless! 
You can now delete your password from your Microsoft account—or set up a new account with no password—and sign in using other, more secure and convenient authentication methods such as the Microsoft Authenticator app, Windows Hello, or physical security keys.</P> <P>&nbsp;</P> <P>All it takes is three easy steps: Visit <A href="#" target="_blank" rel="noopener">Advanced Security Options</A> for your Microsoft account, select <STRONG>Passwordless Account</STRONG>, then follow the on-screen prompts. That’s it! Once you’ve removed your password, you can sign in to your account by approving a notification from the Microsoft Authenticator app.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Successful password removal.JPG" style="width: 703px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/310420iD86DBCA0D75F0D58/image-size/large?v=v2&amp;px=999" role="button" title="Successful password removal.JPG" alt="Successful password removal.JPG" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Passwordless1.JPG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/310421iF4509477F683BDE3/image-size/large?v=v2&amp;px=999" role="button" title="Passwordless1.JPG" alt="Passwordless1.JPG" /></span></P> <P>&nbsp;</P> <P>In the <A href="#" target="_self">The passwordless future is here</A> post, Vasu Jakkal explains in detail why signing in without a password is faster, easier, and more secure. Best of all, once your password is gone, you can finally forget it for good!</P> <P>&nbsp;</P> <H3><STRONG>Passwords leave enterprises vulnerable</STRONG></H3> <P>Since attackers only need a single password to breach an account and start infiltrating an organization, it’s alarming that one in 100 people “protect” a critical account with easily guessed passwords. 
The most common passwords from 2011, such as <EM>123456</EM>, <EM>abc123</EM>, and <EM>iloveyou</EM>, are <EM>still</EM> on the list of top 20 (worst) passwords!</P> <P>&nbsp;</P> <P>In the past decade, the industry has championed two-step verification, which can reduce the risk of compromise by 99.9%. Verifying identity with a password plus an additional factor has helped, but hackers are already starting to <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/all-your-creds-are-belong-to-us/ba-p/855124#:~:text=All%20Authenticators%20Are%20Vulnerable%20%20%20Credential%20,indicates%20approva%20...%20%2013%20more%20rows%20" target="_blank" rel="noopener">bypass the second step</A>. As long as passwords are still part of the equation, they’re vulnerable.</P> <P>&nbsp;</P> <H3><STRONG>Bringing passwordless technology to you</STRONG></H3> <P>A couple of years ago, we shared a four-step approach to ending the era of passwords for organizations:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Bringing passwordless technology to you.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/310145i1D1B5BA0869BCF63/image-size/large?v=v2&amp;px=999" role="button" title="Bringing passwordless technology to you.png" alt="Bringing passwordless technology to you.png" /></span></P> <P>&nbsp;</P> <P>Our identity product team has been singularly focused on this goal, collaborating with product teams across Microsoft and with the standards community toward eliminating passwords from the directory. 
And we’ve made <A href="#" target="_blank" rel="noopener">tremendous progress</A>.</P> <P>&nbsp;</P> <P>Join us on October 13th for the <A href="#" target="_blank" rel="noopener">Your Passwordless Future Starts Now</A> digital event, where Vasu, members of my team, and experts across Microsoft will share insights and best practices for building a passwordless future. It's 90 minutes you won't want to miss!</P> <P>&nbsp;</P> <H3><STRONG>What’s next</STRONG></H3> <P>We’re continually innovating to bring passwordless options to more customers. In addition to building new and exciting ways to sign in without a password, we’ll soon start the development work necessary to eliminate passwords for Azure AD accounts. Administrators will be able to choose whether passwords are required, allowed, or simply don’t exist for a set of users. Users will be able to choose not to set a password when creating an account or to remove their password from an existing account.</P> <P>&nbsp;</P> <P>As we continue to build a passwordless future, your feedback will be invaluable. 
Please share your questions and comments at answers.microsoft.com.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank" rel="noopener"><EM>Twitter</EM></A><EM> and </EM><A href="#" target="_blank" rel="noopener"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the </EM><A href="#" target="_blank" rel="noopener"><EM>Azure Feedback Forum</EM></A></LI> </UL> Wed, 15 Sep 2021 15:20:12 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/introducing-password-removal-for-microsoft-accounts/ba-p/2747280 Joy_Chik 2021-09-15T15:20:12Z Onboard partners more easily with new Azure AD entitlement management features https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/onboard-partners-more-easily-with-new-azure-ad-entitlement/ba-p/2466924 <P>Onboarding partners cleanly and efficiently is now easier because of two recently introduced entitlement management features in Azure Active Directory – <A href="#" target="_self">custom questions</A>&nbsp;and <A href="#" target="_self">attribute collection</A>. Today, we’re highlighting how these features work and sharing how they help with processes like partner onboarding. These additions enhance Azure AD identity governance, which helps organizations balance the need for security and productivity with consistent processes and visibility.</P> <P>&nbsp;</P> <P>Partner onboarding processes often involve collecting information about a partner to guide decisions about whether to grant access as well as set up their account properly for the apps and resources they’ll use. 
Before granting a partner access to a particular team in Microsoft Teams, for instance, you might want them to share their role in their organization, so the approver knows whether the team is right for them. Or, you may need to set the location attribute for partner guests, the same way you do with employees, because they’ll be using an inventory app.</P> <P>&nbsp;</P> <P>Previously, companies may have built custom forms to gather this information before setting up partner guests and granting access, but those forms were expensive to build and hard to maintain. Entitlement management’s new built-in capabilities automatically provide your approvers and apps with the information they need.</P> <P>&nbsp;</P> <P>Let’s explore these two new features.</P> <P>&nbsp;</P> <P><STRONG>Configure custom questions</STRONG></P> <P>The <A href="#" target="_self">custom questions feature in entitlement management access packages</A> allows the access package creator to configure questions that the reviewer will answer as part of the request process. This feature, now generally available, supports different types of questions, including free-form text or multiple choice, which you can localize for partners in different locales.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="New access package.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/307358i7625C83C90BBFFCF/image-size/large?v=v2&amp;px=999" role="button" title="New access package.png" alt="New access package.png" /></span></P> <P>&nbsp;</P> <P>When a partner requests an access package that has custom questions configured, they’ll answer those questions as part of the request process. 
The approver can then evaluate those answers as they decide whether to approve the request.</P> <P>&nbsp;</P> <P><STRONG>Specify built-in attributes</STRONG></P> <P>If you need to save partner information from requests for later use, you can now specify built-in or custom attributes that will be persisted on the requestor’s user object itself. The <A href="#" target="_self">attribute collection feature</A>, just released to public preview, can be especially useful if an app requires the information to function properly, such as with an inventory app that needs the user’s region.</P> <P>Configuring attributes is a similar experience to that of configuring questions, but it’s surfaced on the resources in the catalog – in this case, on the inventory app – rather than on individual access packages.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="corso inventory.png" style="width: 602px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/307359i6FB4EEC03326EF16/image-size/large?v=v2&amp;px=999" role="button" title="corso inventory.png" alt="corso inventory.png" /></span></P> <P>&nbsp;</P> <P>When an access package includes a resource configured for attribute collection, the partner is automatically asked for those values in addition to any custom questions specified for the access package itself. 
The information supplied for these attributes is also presented to the approver and is written into the requestor’s User object if the request is approved.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="request access.png" style="width: 209px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/307360iD5D4B775F43F0365/image-size/large?v=v2&amp;px=999" role="button" title="request access.png" alt="request access.png" /></span></P> <P>&nbsp;</P> <P>While the scenario of needing more information about requestors is more common when supporting external users who request access to your resources, such as partners or vendors, both of these features can also be used for employees.</P> <P>&nbsp;</P> <P><STRONG>Give it a try</STRONG></P> <P>If you’re already using entitlement management, you can easily add questions or required attributes onto any of your existing access packages, or you can quickly set up a new access package to take advantage of them. We’d love to hear your feedback. 
Share your thoughts in the comments or reach out to us on Twitter!</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Related Articles: </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/ensure-compliance-using-separation-of-duties-checks-in-access/ba-p/2466939" target="_blank" rel="noopener">Ensure compliance using separation of duties checks in access requests - Microsoft Tech Community</A></LI> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank" rel="noopener"><EM>Twitter</EM></A><EM> and </EM><A href="#" target="_blank" rel="noopener"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the </EM><A href="#" target="_blank" rel="noopener"><EM>Azure Feedback Forum</EM></A></LI> </UL> Fri, 03 Sep 2021 18:54:01 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/onboard-partners-more-easily-with-new-azure-ad-entitlement/ba-p/2466924 Joseph Dadzie 2021-09-03T18:54:01Z Secure access to Amazon Managed Grafana with Azure AD https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/secure-access-to-amazon-managed-grafana-with-azure-ad/ba-p/2115721 <P>Our customers tell us that the applications and services they use to succeed extend across clouds and platforms. That is why we are committed to making our identity solutions work seamlessly and securely across platforms and extend to all clouds and apps. 
Whether customers are using Azure to build applications or using AWS or other cloud providers, our goal is to help customers <A href="#" target="_blank" rel="noopener">secure all their apps, services and data</A>. That’s why today we’re excited to announce that <A href="#" target="_blank" rel="noopener">Amazon Managed Grafana is now available in the Azure AD app gallery</A>.</P> <P>&nbsp;</P> <P>With <A href="#" target="_blank" rel="noopener">Amazon Managed Grafana</A> available as a pre-integrated app in the Azure AD app gallery, you can now quickly configure single sign-on and apply Conditional Access policies to ensure the right users have access to Amazon Managed Grafana. Grafana is a popular open-source analytics platform that enables you to query, visualize, alert on, and understand your metrics no matter where they are stored. With Amazon Managed Grafana, customers can analyze their metrics, logs, and traces without having to provision servers, configure and update software, or do the heavy lifting involved in securing and scaling Grafana in production.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Browse AAD Gallery.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/307006i691D95B0CC650477/image-size/large?v=v2&amp;px=999" role="button" title="Browse AAD Gallery.png" alt="Browse AAD Gallery.png" /></span></P> <P><BR />To learn more about protecting Amazon Managed Grafana with Azure AD, review our <A href="#" target="_blank" rel="noopener">documentation</A> and visit the <A href="#" target="_blank" rel="noopener">Amazon Managed Grafana webpage</A> for more details. Let us know what you think in the comments below. 
As always, we’d love to hear any feedback or suggestions you have.</P> <P>&nbsp;</P> <P>Best regards,</P> <P>Sue Bohn</P> <P>Partner Director of Program Management</P> <P>Microsoft Identity Division</P> <P>Twitter: <A href="#" target="_self"><SPAN>@Sue_Bohn</SPAN></A></P> <P><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank" rel="noopener"><EM>Twitter</EM></A><EM> and </EM><A href="#" target="_blank" rel="noopener"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the </EM><A href="#" target="_blank" rel="noopener"><EM>Azure Feedback Forum</EM></A></LI> </UL> Wed, 15 Sep 2021 19:52:44 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/secure-access-to-amazon-managed-grafana-with-azure-ad/ba-p/2115721 Sue Bohn 2021-09-15T19:52:44Z HashiCorp’s Azure AD Provider Migrates to Microsoft Graph, Improving Performance and User Experience https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/hashicorp-s-azure-ad-provider-migrates-to-microsoft-graph/ba-p/2115720 <P><EM>Hello! I’m Sue Bohn, Partner Director of Program Management for Identity and Access Management. In this Voice of the ISV blog post, we’ve invited <STRONG>Tom Bamford, Senior Engineer at HashiCorp</STRONG>, to discuss the migration of their Terraform Azure AD provider to the new Microsoft Graph API. 
HashiCorp made a commitment to move away from Azure AD Graph and Azure Active Directory Authentication Library (ADAL) well before the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363" target="_blank" rel="noopener"><EM>June 30, 2022 end-of-support date</EM></A><EM>. According to Tom, the decision is already paying</EM><EM> dividends.</EM></P> <P>&nbsp;</P> <H4><STRONG>Building solution-based software</STRONG></H4> <P><A href="#" target="_blank" rel="noopener">HashiCorp</A> is an open-source software company that was founded in 2012 with the goal of revolutionizing datacenter management, including application development, delivery, and maintenance<EM>.</EM> Our tools manage both physical and virtual machines, Windows, Linux, SaaS, and IaaS. We build solutions that span the gaps, and we’re committed to supporting next-generation technologies. The company is based in San Francisco, but about 80 percent of our roughly 1,500 employees work remotely.</P> <P>&nbsp;</P> <H4><STRONG>Terraform integration with Azure AD</STRONG></H4> <P><A href="#" target="_blank" rel="noopener">HashiCorp Terraform</A> is an infrastructure as code (IaC) tool that allows users to build, change, and version infrastructure safely and efficiently. With Terraform, you can design your configurations to match your company’s structure and goals, delegate between teams, and enable self-service infrastructure—all while maintaining accountability. The <A href="#" target="_blank" rel="noopener">Terraform Azure AD provider</A> enables you to manage your <A href="#" target="_blank" rel="noopener">Azure Active Directory (Azure AD)</A> resources with Terraform. Our goal is to make Azure AD more approachable and accessible, giving our customers a great workflow. 
In addition, <A href="#" target="_blank" rel="noopener">HashiCorp Vault</A> manages authentication principals on behalf of users and closely integrates with Azure AD.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Hashicorp.png" style="width: 452px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/306837i297C16C671A79AD2/image-size/large?v=v2&amp;px=999" role="button" title="Hashicorp.png" alt="Hashicorp.png" /></span></P> <P><EM>Figure 1: Terraform &amp; Azure Active Directory</EM></P> <P>&nbsp;</P> <H4><STRONG>Embracing </STRONG><STRONG>change</STRONG></H4> <P>As an open-source software company, we build our products in the open to provide maximum value to customers. We’ve been watching the development of <A href="#" target="_blank" rel="noopener">Microsoft Graph</A> with great interest since 2019, when Microsoft announced that all new identity capabilities moving forward would be available only in <A href="#" target="_blank" rel="noopener">Microsoft Authentication Library (MSAL)</A> and Microsoft Graph. We knew we wanted to commit to the new API sooner rather than later to ensure that our customers were in good shape well ahead of the <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363" target="_blank" rel="noopener">June 30, 2022 end-of-support date</A> for Azure AD Graph API and Active Directory Authentication Library (ADAL). Due to constant updates to Azure AD, it can become increasingly difficult to rely on the older APIs over time.</P> <P>&nbsp;</P> <H4><STRONG>Migrating to Microsoft Graph</STRONG></H4> <P>The two-year timeline for moving to Microsoft Graph was perfect for us. 
Microsoft invested heavily in <A href="#" target="_blank" rel="noopener">documentation and support</A>, which made our migration experience quite easy—the whole process lasted about six months, without any major issues. Our main concern was maintaining compatibility for our customers throughout the migration process. Now, when customers choose to swap to the new Microsoft Graph API, they can do so without any undesired changes to the resources in their directory and without needing to update their configurations.</P> <P>&nbsp;</P> <H4><STRONG>Enabling </STRONG><STRONG>customer success</STRONG></H4> <P>We created a <A href="#" target="_blank" rel="noopener">comprehensive migration guide</A> to assist customers through updating their configurations—from the principals Terraform needs to authenticate to the Graph API, to any resource configuration updates. The guide includes changes introduced to existing resources and data sources. The provider migration to Microsoft Graph API corresponds to a major version release (v2.0.0); so, our customers are aware of the changes. There’s also a section in the migration guide where we explain the permission changes for Microsoft Graph. For those in the process of migrating, we held off on introducing any new features. We’re beginning to roll out some first-class support for Microsoft Graph while dropping support for Azure AD Graph.</P> <P>In addition, we’ve created the <A href="#" target="_blank" rel="noopener">Manage Azure Active Directory Users and Groups Learn tutorial</A>, which guides users through using Terraform and the Azure AD v2.0.0 provider. In the process, you’ll learn Terraform's configuration language, the Terraform Azure AD provider, and how to leverage both to simplify and automate your workflows.</P> <P>&nbsp;</P> <H4><STRONG>B</STRONG><STRONG>etter performance and user experience </STRONG></H4> <P>Since migrating to Microsoft Graph, we’ve seen immediate performance benefits that create a better user experience. 
With the legacy API, we had to set up custom polling mechanisms to verify the changes made to the resources. Microsoft Graph API’s much faster response time and better data consistency address these concerns, and will enable us to deliver many more of our customers’ feature requests.</P> <P>&nbsp;</P> <P>For our customers, the most significant benefit is Microsoft Graph API's increased reliability. With previous providers using Azure AD Graph, customers would have to assign administrative directory roles to their principals to do certain operations. With Microsoft Graph, the permissions are more granular, manageable, auditable, and maintainable. Also, we’re able to provide increased coverage to automate customers' tenants and their associated products.</P> <P>&nbsp;</P> <H4><STRONG>Lessons learned and looking ahead</STRONG></H4> <P>For developers planning this migration, consider the schema differences that may affect your particular configuration in your tenant, mainly around applications. Be sure you can maintain continued availability while you migrate, so that you do not inadvertently change something that is difficult to track down. 
It is possible to migrate fairly seamlessly if you plan it out carefully.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank" rel="noopener"><EM>Twitter</EM></A><EM> and </EM><A href="#" target="_blank" rel="noopener"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the </EM><A href="#" target="_blank" rel="noopener"><EM>Azure Feedback Forum</EM></A></LI> </UL> Wed, 01 Sep 2021 16:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/hashicorp-s-azure-ad-provider-migrates-to-microsoft-graph/ba-p/2115720 Sue Bohn 2021-09-01T16:00:00Z Migrate your apps to access the license managements APIs from Microsoft Graph https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/migrate-your-apps-to-access-the-license-managements-apis-from/ba-p/2464366 <P>Howdy folks!</P> <P>&nbsp;</P> <P>In June, I reminded you to <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/have-you-updated-your-applications-to-use-the-microsoft/ba-p/1144698" target="_blank" rel="noopener">update your apps to use Microsoft Graph</A> due to <A href="#" target="_blank" rel="noopener">the end of support for Azure Active Directory (Azure AD) Graph</A> on June 30, 2022. Apps using Azure AD Graph after this time will no longer receive responses from the Azure AD Graph endpoint. &nbsp;</P> <P>&nbsp;</P> <H3><STRONG>Retiring license assignment APIs</STRONG></H3> <P>Since the Azure AD Graph APIs are being retired, we are also retiring the license assignment operation in the MSOnline and Azure AD PowerShell modules. 
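</P> <P>As an added example that is not part of the post, the PowerShell below carries one per-user license assignment from the retiring MSOnline cmdlet to the Microsoft Graph PowerShell module. The user principal name, SKU part number and usage location are placeholders, the helper function name is ours, and it assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement modules are installed. Beyond the cmdlet rename, the two things to carry over are that Microsoft Graph addresses a license by its SkuId GUID rather than the <EM>tenant:PARTNUMBER</EM> string MSOnline used, and that a user still needs a usage location before any license can be assigned.</P>

```powershell
# Added example (not from the post): moving a per-user license assignment from the
# retiring MSOnline cmdlets to Microsoft Graph PowerShell. UPN, SKU part number and
# usage location below are placeholders; the helper name is ours.

# --- Before: MSOnline (no longer returns a successful response after June 30, 2022) ---
# Connect-MsolService
# Set-MsolUser -UserPrincipalName 'alice@contoso.example' -UsageLocation 'US'
# Set-MsolUserLicense -UserPrincipalName 'alice@contoso.example' -AddLicenses 'contoso:ENTERPRISEPACK'

# --- After: Microsoft Graph PowerShell ---
# User.ReadWrite.All covers the assignment; Organization.Read.All is needed to list subscribed SKUs.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

function Set-GraphUserLicenseByPartNumber {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $SkuPartNumber,   # e.g. ENTERPRISEPACK; no "tenant:" prefix in Graph
        [string] $UsageLocation = 'US'                    # assumption: ISO 3166-1 alpha-2 code for your users
    )

    # Graph addresses licenses by SkuId (a GUID), not by the "tenant:PARTNUMBER" string MSOnline used.
    $sku = Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber } | Select-Object -First 1
    if (-not $sku) { throw "SKU '$SkuPartNumber' is not present in this tenant." }

    # Check seat availability before assigning; an over-assignment is rejected by the service anyway,
    # but failing early gives a clearer message in a scheduled job.
    $available = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
    if ($available -le 0) {
        throw "No free seats for '$SkuPartNumber' ($($sku.ConsumedUnits)/$($sku.PrepaidUnits.Enabled) in use)."
    }

    # A license cannot be assigned to a user without a usage location; set it first if it is missing.
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UsageLocation, AssignedLicenses
    if (-not $user.UsageLocation) {
        Update-MgUser -UserId $user.Id -UsageLocation $UsageLocation
    }

    # Idempotent: skip users who already hold the license.
    if ($user.AssignedLicenses.SkuId -contains $sku.SkuId) {
        Write-Verbose "$UserPrincipalName already holds $SkuPartNumber"
        return $user
    }

    # Equivalent of Set-MsolUserLicense -AddLicenses. Both arrays are part of the assignLicense
    # request, so -RemoveLicenses is passed explicitly even when empty.
    Set-MgUserLicense -UserId $user.Id `
        -AddLicenses @(@{ SkuId = $sku.SkuId }) `
        -RemoveLicenses @()
}

Set-GraphUserLicenseByPartNumber -UserPrincipalName 'alice@contoso.example' -SkuPartNumber 'ENTERPRISEPACK' -Verbose
```

<P>The helper resolves the SKU by part number, refuses to over-assign when no seats are free, and skips users who already hold the license, so it is safe to re-run from a scheduled job, which is where most MSOnline-era assignment scripts live. The same request body (<EM>addLicenses</EM> with a <EM>skuId</EM>, plus an empty <EM>removeLicenses</EM>) is what the Microsoft Graph <EM>assignLicense</EM> API takes if you call it directly instead of through PowerShell.</P> <P>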
We recommend that you update existing applications to access the license assignment APIs from the <A href="#" target="_blank" rel="noopener">Microsoft Graph</A> endpoint and update your scripts to use the <A href="#" target="_blank" rel="noopener">Microsoft Graph PowerShell</A> module to reduce the impact on operations. Other operations in the MSOnline and Azure AD PowerShell modules won’t be impacted.</P> <P>&nbsp;</P> <P>Below are some of the operations that will no longer receive a successful response beginning on June 30, 2022.</P> <P>&nbsp;</P> <TABLE> <TBODY> <TR> <TD width="349"> <P><STRONG>Existing operation (will no longer receive a successful response)</STRONG></P> </TD> <TD width="349"> <P><STRONG>Microsoft Graph equivalent to use going forward</STRONG></P> </TD> </TR> <TR> <TD width="349"> <P><A href="#" target="_blank" rel="noopener">MSOnline PowerShell</A></P> <UL> <LI>Set-MsolUserLicense</LI> <LI>New-MsolUser (where -LicenseAssignment or -LicenseOptions is provided)</LI> </UL> </TD> <TD rowspan="2" width="349"> <P>Microsoft Graph PowerShell</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Set-MgUserLicense</A></LI> </UL> </TD> </TR> <TR> <TD width="349"> <P><A href="#" target="_blank" rel="noopener">Azure AD PowerShell</A></P> <UL> <LI>Set-AzureADUserLicense</LI> </UL> </TD> </TR> <TR> <TD width="349"> <P>Azure AD Graph API (graph.windows.net)</P> <UL> <LI>assignLicense</LI> </UL> </TD> <TD width="349"> <P>Microsoft Graph API</P> <UL> <LI><A href="#" target="_blank" rel="noopener">assignLicense</A></LI> </UL> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>&nbsp;</P> <H3><STRONG>What’s next: new license management platform</STRONG></H3> <P>The current license management features have grown to address the needs of our customers, with key innovations like group-based 
licensing. But as the needs of our customers have evolved, we decided to rebuild the online services licensing platform from the ground up. Below is an early look into future changes to the platform, designed with four key goals in mind:</P> <UL> <LI><STRONG>Flexibility</STRONG>: Expanding beyond a single administration structure, single megalithic pool of seats, or even a single tenant.</LI> <LI><STRONG>Simplicity</STRONG>: Reducing unnecessary complexity and simplifying getting your licenses to your end users.</LI> <LI><STRONG>Speed</STRONG>: Gaining quick access to what you’ve purchased.</LI> <LI><STRONG>Accuracy</STRONG>: Reflecting what you have purchased and the licenses you have available to assign.</LI> </UL> <P>&nbsp;</P> <P>Realizing the entire vision will take time, but today we are sharing the first milestone in this journey. Starting in the first quarter of 2022, customers can opt in to use the new license management platform. Here are the features you will see as part of this milestone:</P> <UL> <LI><STRONG>Allotments</STRONG> will help you separate your licenses into smaller batches so you can set limits on how many licenses are used, and delegate ownership to manage them.</LI> <LI><STRONG>Group licensing </STRONG>will be extended. In the new licensing platform, Azure AD Premium or Office 365 E3 will no longer be required to use group-based licensing for license assignments. 
In addition, <STRONG>nested groups </STRONG>will now work for license assignments.</LI> <LI><STRONG>New license types, </STRONG>including <A href="#" target="_blank" rel="noopener">device-based licenses</A> and <A href="#" target="_blank" rel="noopener">ISV app licensing</A>, will work natively on the new platform.</LI> </UL> <P>&nbsp;</P> <P>In the future, look forward to hearing more about the new license management platform, including how to get started using it and details on new API and PowerShell options to leverage the new features.</P> <P>&nbsp;</P> <P>Best regards,&nbsp;</P> <P>Alex Simons (Twitter:&nbsp;<A href="#" target="_blank" rel="noopener">@Alex_A_Simons</A>)</P> <P>Corporate Vice President of Program Management</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the<SPAN>&nbsp;</SPAN></EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>Twitter</EM></A><EM><SPAN>&nbsp;</SPAN>and<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>Azure Feedback Forum</EM></A></LI> </UL> Thu, 26 Aug 2021 16:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/migrate-your-apps-to-access-the-license-managements-apis-from/ba-p/2464366 Alex Simons (AZURE) 2021-08-26T16:00:00Z Introducing diagnostic settings for Identity Protection — August identity updates 
https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/introducing-diagnostic-settings-for-identity-protection-august/ba-p/2464365 <P>Howdy folks,</P> <P>&nbsp;</P> <P>I’m excited to share the latest Azure Active Directory news, including updates and new features that will streamline administrator, developer, and user experiences. These updates show our commitment to simplifying secure identity and access management, while also enhancing the kinds of customization and controls you need.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="gif for demo.gif" style="width: 480px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/303833iE9A70FBF23313BF5/image-size/large?v=v2&amp;px=999" role="button" title="gif for demo.gif" alt="gif for demo.gif" /></span></P> <P>&nbsp;</P> <H4><STRONG>Track risky users and risk detection using diagnostic settings</STRONG></H4> <P>With diagnostic settings for Azure AD Identity Protection now in public preview, customers can send logs about risk detection and the behavior of risky users to storage accounts, Event Hubs, and Azure Monitor. This makes it easier to track security risks and protect the organization from identity compromise. And they can retain this data beyond the 30-day default period. 
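</P> <P>As an added example that is not part of the post, the PowerShell below shows the kind of triage these exports make possible once the <STRONG>UserRiskEvents</STRONG> records are somewhere a script can read them. The five records are constructed for the demo, and the column names are assumed to follow the Log Analytics AADUserRiskEvents table (TimeGenerated, UserPrincipalName, RiskEventType, RiskLevel, RiskState, DetectionTimingType); the function name is ours.</P>

```powershell
# Added example, not from the post. The records below stand in for what the
# UserRiskEvents diagnostic category exports; they are constructed for this demo,
# and the column names are assumed to follow the AADUserRiskEvents table schema.
$riskEvents = @'
[
  {"TimeGenerated":"2021-08-20T08:12:00Z","UserPrincipalName":"alice@contoso.example","RiskEventType":"unfamiliarFeatures","RiskLevel":"medium","RiskState":"remediated","DetectionTimingType":"realtime"},
  {"TimeGenerated":"2021-08-21T03:40:00Z","UserPrincipalName":"bob@contoso.example","RiskEventType":"anonymizedIPAddress","RiskLevel":"high","RiskState":"atRisk","DetectionTimingType":"realtime"},
  {"TimeGenerated":"2021-08-21T09:05:00Z","UserPrincipalName":"bob@contoso.example","RiskEventType":"leakedCredentials","RiskLevel":"high","RiskState":"atRisk","DetectionTimingType":"offline"},
  {"TimeGenerated":"2021-08-22T11:00:00Z","UserPrincipalName":"carol@contoso.example","RiskEventType":"unlikelyTravel","RiskLevel":"low","RiskState":"atRisk","DetectionTimingType":"offline"},
  {"TimeGenerated":"2021-08-22T12:30:00Z","UserPrincipalName":"dave@contoso.example","RiskEventType":"unlikelyTravel","RiskLevel":"low","RiskState":"dismissed","DetectionTimingType":"offline"}
]
'@ | ConvertFrom-Json

function Get-OpenRiskByUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # Only report users whose worst open detection is at least this level.
        [ValidateSet('low', 'medium', 'high')] [string] $MinimumLevel = 'low'
    )

    # Rank levels so the worst detection per user can be chosen and rows ordered.
    $rank = @{ low = 1; medium = 2; high = 3 }

    # Detections that were remediated, dismissed or confirmed safe need no action;
    # only those still at risk (or confirmed compromised by an admin) count as open.
    $open = $Events | Where-Object { $_.RiskState -in 'atRisk', 'confirmedCompromised' }

    $open | Group-Object UserPrincipalName | ForEach-Object {
        $worst = $_.Group | Sort-Object { $rank[$_.RiskLevel] } -Descending | Select-Object -First 1
        [pscustomobject]@{
            UserPrincipalName = $_.Name
            OpenDetections    = $_.Count
            HighestRiskLevel  = $worst.RiskLevel
            # Offline detections arrive after the sign-in, so a user can be at risk
            # even though no real-time policy challenged the session.
            OfflineOnly       = -not ($_.Group.DetectionTimingType -contains 'realtime')
            DetectionTypes    = ($_.Group.RiskEventType | Sort-Object -Unique) -join ', '
            FirstSeen         = ($_.Group.TimeGenerated | Sort-Object | Select-Object -First 1)
        }
    } |
    Where-Object { $rank[$_.HighestRiskLevel] -ge $rank[$MinimumLevel] } |
    Sort-Object { $rank[$_.HighestRiskLevel] }, OpenDetections -Descending
}

# Users needing follow-up, worst first; remediated and dismissed detections are excluded.
Get-OpenRiskByUser -Events $riskEvents | Format-Table -AutoSize

# Escalation view: only users with open high-risk detections.
Get-OpenRiskByUser -Events $riskEvents -MinimumLevel high | Format-Table -AutoSize
```

<P>The grouping is per user rather than per detection because the product also reports an aggregate per user through the <STRONG>RiskyUsers</STRONG> category, so a per-user view built from the detections can be reconciled against it. The same grouping translates directly to a workbook or SIEM query once the data is in a workspace.</P> <P>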
Customers are able to:</P> <UL> <LI>Track trends in identity compromise within their organization by building custom workbooks</LI> <LI>Query the risk data for specific threats and troubleshoot risk issues in their environment</LI> <LI>Send the risky users and risk detections data to third-party Security Information and Event Management (SIEMs), making it easier for them to plug this data into existing security operations center procedures</LI> </UL> <P>&nbsp;</P> <P>Get more details about <A href="https://gorovian.000webhostapp.com/?exam=aka.ms/export-risk-data" target="_blank">diagnostic setting for risk protection</A> and set it up in two easy steps:</P> <UL> <LI>Go to<STRONG> Azure portal &gt; Azure Active Directory, Diagnostic settings &gt; Edit setting</STRONG>.</LI> <LI>Select <STRONG>RiskyUsers</STRONG> for the risky users’ data and <STRONG>UserRiskEvents</STRONG> for the user risk detections data.</LI> </UL> <P><STRONG>&nbsp;</STRONG></P> <H4><STRONG>Manage role assignments more easily with groups</STRONG></H4> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AssignRolesToGroups.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/303835i7E2F6E0C21C26D7D/image-size/large?v=v2&amp;px=999" role="button" title="AssignRolesToGroups.png" alt="AssignRolesToGroups.png" /></span></P> <P>&nbsp;</P> <P><A href="#" target="_blank">Assigning roles to Azure AD groups</A> is now easier in Azure AD. Instead of having to assign roles to individual users, a privileged role administrator or global administrator can assign a role to a group. Your existing governance workflow then approves and audits group membership to ensure that only legitimate users are members. This role assignment capability is now generally available.</P> <P>&nbsp;</P> <P>This also enables the group to act without having to rely on the privileged role administrator or global administrator. 
Admins can assign an owner to a group for a specific role. The group owner manages group memberships and controls who is assigned the role.&nbsp; Available initially to Azure AD groups, this feature will be extended to on-premises groups in the future.</P> <P>&nbsp;</P> <H4><STRONG>Store B2C user data within Australia</STRONG></H4> <P>With Azure AD B2C in Australia now generally available, you can store B2C user data within Australia and benefit from improved latency for apps hosted in the country. Existing customers can try the new feature by searching for <STRONG>B2C</STRONG> in <A href="#" target="_blank">Australia’s Azure portal</A>. New customers can try it by choosing <STRONG>Australia</STRONG> or <STRONG>New Zealand</STRONG> as the Country/Region when creating a new Azure AD B2C tenant.</P> <P>&nbsp;</P> <H4><SPAN><STRONG>Share your feedback</STRONG></SPAN></H4> <P><SPAN>We’re always looking to improve Azure AD in ways that benefit IT and users. Often, these updates originate with the suggestions of users of the solution. We’d love to hear your feedback or suggestions for new features or feature updates in the comments or on Twitter (</SPAN><A href="#" target="_blank"><SPAN>@AzureAD</SPAN></A><SPAN>). 
</SPAN></P> <P>&nbsp;</P> <P>Best regards,&nbsp;<BR /><SPAN>Alex Simons (</SPAN><A href="#" target="_blank"><SPAN>@Alex_A_Simons</SPAN></A><SPAN>)</SPAN></P> <P><SPAN>Corporate VP of Program Management</SPAN></P> <P><SPAN>Microsoft Identity Division</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the<SPAN>&nbsp;</SPAN></EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>Twitter</EM></A><EM><SPAN>&nbsp;</SPAN>and<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>Azure Feedback Forum</EM></A></LI> </UL> Wed, 18 Aug 2021 16:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/introducing-diagnostic-settings-for-identity-protection-august/ba-p/2464365 Alex Simons (AZURE) 2021-08-18T16:00:00Z Ensure compliance using separation of duties checks in access requests https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/ensure-compliance-using-separation-of-duties-checks-in-access/ba-p/2466939 <P>With Azure Active Directory (Azure AD) identity governance, you can balance your organization's need for security and employee productivity with consistent processes and visibility. 
The new <A href="#" target="_blank" rel="noopener">separation of duties checks feature</A> now in preview in Azure AD entitlement management helps you prevent users from acquiring excessive or incompatible access rights.</P> <P>&nbsp;</P> <P>Today, many organizations, <A href="https://gorovian.000webhostapp.com/?exam=such%20as%20those%20featured%20in%20our%20customer%20stories" target="_blank" rel="noopener">such as those featured in our customer stories</A>, use Azure AD identity governance entitlement management and access reviews features to set time limits for access, so users do not retain access to business-critical apps longer than necessary.</P> <P>&nbsp;</P> <P>In entitlement management, you can bundle all project resources – groups, Teams, app roles, and site roles – into a single access package. If users need the Sales Executive role in a sales app, for instance, they can request an access package that includes that role. If approved, they’re also given access to a Team for discussion or a relevant SharePoint Online site for document storage. 
Once their assignment ends, their access is automatically removed.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Separation of duties configuration in the Azure portal.png" style="width: 322px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/297730iD21EA0AC800A5235/image-size/large?v=v2&amp;px=999" role="button" title="Separation of duties configuration in the Azure portal.png" alt="Separation of duties configuration in the Azure portal.png" /></span></P> <P>&nbsp;</P> <P>Separation of duties checks is one of the top-requested additions to Azure AD for identity governance because it reduces risk exposure, preventing users from receiving combinations of permissions that could lead to misuse.</P> <P>&nbsp;</P> <H3><STRONG>How the separation of duties checks feature works</STRONG></H3> <P>Imagine that in addition to a sales application, you have an accounting application. Your auditors are concerned that no one person should be able to change both sales and accounting data. They insist that all approval processes check that users requesting accounting access don’t already have sales access, and vice versa.</P> <P>&nbsp;</P> <P>The separation of duties preview lets you prevent users from requesting an access package if they’re already assigned to other access packages or are a member of other groups. Configuring the access packages for sales and accounting so they’re incompatible — either through the Azure Portal or <A href="#" target="_blank" rel="noopener">Graph API</A> — simplifies the process. 
This spares approvers from having to manually check which assignments a user has.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="An attempt to request an access package is prevented by a separation of duties check because the user already was assigned to another access package.jpg" style="width: 549px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/297731i6FC95E6A7347FDC3/image-dimensions/549x634?v=v2" width="549" height="634" role="button" title="An attempt to request an access package is prevented by a separation of duties check because the user already was assigned to another access package.jpg" alt="An attempt to request an access package is prevented by a separation of duties check because the user already was assigned to another access package.jpg" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H3><STRONG>Set up separation of duties checks in two steps</STRONG></H3> <P>If someone with the Accounting Specialist access package visits the MyAccess page and requests the Sales Executive access package, they’ll be informed that their current access is incompatible. They can either give up their existing access, or request a different access package with a different role.</P> <P>&nbsp;</P> <P>Getting started takes just two steps.</P> <UL> <LI>Add your applications — along with any groups, Teams, or sites — to an <A href="#" target="_blank" rel="noopener">entitlement management catalog</A> and set up your access packages. If using Azure, you can also add security groups assigned to Azure roles.</LI> <LI><A href="#" target="_blank" rel="noopener">Configure the separation of duties checks</A> preview on those access packages. 
&nbsp;You can then follow the Azure AD audit log or use the Azure Monitor access package&nbsp;<A href="#" target="_blank" rel="noopener">activity and application role assignments workbooks</A> for reports on how users got access.</LI> </UL> <P>&nbsp;</P> <P>We’d love to hear your feedback, whether you’ve just tried this preview or have already been using entitlement management or other Azure AD identity governance features. Share comments and suggestions below or on Twitter.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank" rel="noopener"><EM>Twitter</EM></A><EM> and </EM><A href="#" target="_blank" rel="noopener"><EM>LinkedIn</EM></A></LI> </UL> Thu, 19 Aug 2021 23:23:11 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/ensure-compliance-using-separation-of-duties-checks-in-access/ba-p/2466939 Joseph Dadzie 2021-08-19T23:23:11Z Do more with External Identities user flows in just a few clicks https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/do-more-with-external-identities-user-flows-in-just-a-few-clicks/ba-p/2147076 <P><SPAN>Hello friends,</SPAN></P> <P>&nbsp;</P> <P>Thanks to your feedback, we have been steadily making identity for customer and partner-facing applications more flexible and faster to configure out of the box. Today we are making it easier for users with different identities to sign in, sign up and collaborate with improvements to self-service sign-up in Azure Active Directory and next-generation B2C user flows. 
And for B2C app owners and admins, it’s now easier than ever to configure user sessions and password resets and extend the experience with connections to external data and services.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H4><STRONG>Self-service sign-up with Microsoft Account and Email One-Time Passcode</STRONG></H4> <P>Since Ignite, we’ve added two new ways for your external users to "bring their own identity" via the self-service sign-up capability in Azure AD. People who use a personal Microsoft account to sign in to Windows, Xbox, Skype, or any other Microsoft 365 application as an individual or small business can now use their existing account to sign up to any app that has been configured to allow these credentials.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="msa and eotp image.PNG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/296222i0AAB029F2BBBDDA3/image-size/large?v=v2&amp;px=999" role="button" title="msa and eotp image.PNG" alt="msa and eotp image.PNG" /></span></P> <P>&nbsp;</P> <P>Users who do not have a Microsoft account can request that a one-time passcode (OTP) be sent to their email address.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Request OTP Sign In.png" style="width: 436px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/295918iC264C5F232DE471A/image-dimensions/436x788?v=v2" width="436" height="788" role="button" title="Request OTP Sign In.png" alt="Request OTP Sign In.png" /></span></P> <P>&nbsp;</P> <P>Configure these experiences in the Azure portal by enabling email one-time passcode and Microsoft Account on the All Identity Providers page. 
You’ll also need to enable those identity providers in your self-service sign-up user flows.</P> <P>&nbsp;</P> <P>Get started with the <A href="#" target="_blank" rel="noopener">Microsoft account identity provider documentation</A> and the <A href="#" target="_blank" rel="noopener">email one-time passcode documentation</A>.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H4><STRONG>Built-in user flows for password reset and keep me signed in for B2C apps</STRONG></H4> <P>Built-in user flows for B2C let app owners enable users to sign up, sign in, and reset passwords without writing much new application code. Built-in user flows are now even easier to configure with new out-of-the-box controls. Now generally available, these controls let app owners configure user flows with keep me signed in and more flexible password reset settings in just a few clicks.</P> <P>&nbsp;</P> <P>Enable keep me signed in to extend the session length for your users using a persistent cookie. This keeps the session active even when the user closes and reopens the browser, and the session is revoked when the user signs out. 
Configure password reset settings to allow users to reset their password when they forget it, or when prompted to reset an expired password from within the sign-in user flow.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="KMSI_PR final image (3).jpg" style="width: 852px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/296172i379C1B269E2D279C/image-size/large?v=v2&amp;px=999" role="button" title="KMSI_PR final image (3).jpg" alt="KMSI_PR final image (3).jpg" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H4><STRONG>API connectors for Azure AD B2C</STRONG></H4> <P><SPAN>A few months ago, we shared </SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/simple-and-secure-customization-with-b2c-user-flows/ba-p/1751709" target="_blank" rel="noopener">several examples</A><SPAN> of how you can use API connectors to customize sign-up flows for your Azure AD applications. This feature, which lets you extend your sign-up user flows by connecting to external systems, is now generally available for both customer and partner journeys.</SPAN></P> <P>&nbsp;</P> <P><SPAN>We are also making API connectors for user flow extensibility even more powerful by introducing the ability to enrich tokens for your sign-in and sign-up user flows with attributes from legacy identity systems, custom data stores, and other cloud services. 
This capability will be rolling out in preview for Azure AD B2C in the coming weeks.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>We love hearing from you, so share your feedback on these new features through the Azure forum or by tagging </SPAN><A href="#" target="_blank" rel="noopener">@AzureAD</A><SPAN> on Twitter.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Robin Goldstein&nbsp;</P> <P>Twitter: <A href="#" target="_self">@RobinGo_MS</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank" rel="noopener"><EM>Twitter</EM></A><EM> and </EM><A href="#" target="_blank" rel="noopener"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the </EM><A href="#" target="_blank" rel="noopener"><EM>Azure Feedback Forum</EM></A></LI> </UL> Mon, 19 Jul 2021 16:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/do-more-with-external-identities-user-flows-in-just-a-few-clicks/ba-p/2147076 Robin Goldstein 2021-07-19T16:00:00Z Build a strong Zero Trust Foundation starting with identity and endpoint management https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/build-a-strong-zero-trust-foundation-starting-with-identity-and/ba-p/2520420 <P>Last year at Microsoft Inspire, we shared gratitude for the amazing work our partners did in helping our joint customers rapidly shift to remote work. As the world continues to evolve and the new reality takes hold, two trends are shaping our customer’s priorities this year: a shift to hybrid work and a growing sophistication of cyber threats. As our customers navigate these changes, they continue to lean on our partner ecosystem to help them adapt. 
One critical way our partners have helped customers adapt is by helping them adopt a Zero Trust security strategy.</P> <P>&nbsp;</P> <P>While starting a Zero Trust journey can seem intimidating, inaction is no longer a choice. Together with our partners, we have a shared accountability to guide every customer through this journey. For organizations seeking guidance on where to start, we recommend building a strong foundation by securing <A href="#" target="_blank" rel="noopener">identities</A> and <A href="#" target="_blank" rel="noopener">endpoints</A>. <SPAN>At </SPAN><A href="#" target="_blank" rel="noopener">Microsoft Inspire</A><SPAN> this week, we’re sharing key strategies that we recommend for building such a foundation. </SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Secure Digital transformation.png" style="width: 679px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/295095i1B4B3BBA2CB3F534/image-size/large?v=v2&amp;px=999" role="button" title="Secure Digital transformation.png" alt="Secure Digital transformation.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H4><STRONG>Modernizing identity and endpoint management</STRONG></H4> <P>To unlock advanced security and a comprehensive Zero Trust strategy, accelerate your journey to the cloud by modernizing identity and endpoint management solutions – a growing priority for business leaders.</P> <P>&nbsp;</P> <P>Modernization may look like an overwhelming task, but the key to making it actionable is to focus on managing critical access decisions from the cloud and eliminating common attack vectors. <A href="#" target="_blank" rel="noopener">Modernizing authentication</A> from legacy federation allows you to choose the best access path for your business, and <A href="#" target="_blank" rel="noopener">staged rollout</A> can make the migration seamless by testing the deployment in a control group. 
<A href="#" target="_blank" rel="noopener">Blocking legacy authentication</A> helps ensure multifactor authentication can be enforced, and can be set as a default policy with Conditional Access. And to unify access management, sync all on-premises identities to the cloud with tools like <A href="#" target="_blank" rel="noopener">Azure AD Connect cloud sync</A>, which works even for complex identity environments with hundreds of disconnected Active Directory (AD) forests.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Azure AD Connect.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/295096iDD5705E5F6CE4C19/image-size/large?v=v2&amp;px=999" role="button" title="Azure AD Connect.png" alt="Azure AD Connect.png" /></span></P> <P>&nbsp;</P> <P>To modernize endpoint management, <A href="#" target="_blank" rel="noopener">Microsoft Endpoint Manager</A> can chart the path to the cloud at a pace that fits your needs. Microsoft Endpoint Manager brings together Configuration Manager and Intune in a single, unified endpoint management solution, to be used individually or together in co-management.</P> <P>&nbsp;</P> <P>Finally, to modernize identity and endpoint management, unify app management with a single cloud identity and cloud endpoint management solution. <A href="#" target="_blank" rel="noopener">Connecting all apps</A> to one identity system gives better visibility into and control over the apps being used and simplifies access to resources with one set of credentials, and our solutions work across cloud apps, on-premises apps, and desktop and mobile apps.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H4><SPAN><STRONG>Secure your hybrid workforce</STRONG></SPAN></H4> <P>When all employees work in an agile and hybrid environment, securing identities and endpoints becomes even more important. 
The first step in securing the hybrid workforce is to verify user identities with <A href="#" target="_blank" rel="noopener">strong authentication</A>. Passwords are the weakest link in the security chain, which is why we believe strongly that if you do only one thing to protect yourself, you should start with multi-factor authentication – which can prevent 99.9% of identity attacks. For even stronger authentication, we go <A href="#" target="_self">passwordless</A> – it is more secure and easier to use.</P> <P><STRONG>&nbsp;</STRONG></P> <P>Next, limit access to only compliant and trusted devices with policies that prevent vulnerable and compromised devices from accessing resources. You can secure your endpoints by enrolling them in device management, applying data protection policies on your devices, and using threat protection solutions like <A href="#" target="_blank" rel="noopener">Microsoft Defender for Endpoint</A> to detect compromised devices.</P> <P>&nbsp;</P> <P>Once you have established control points for identities and devices, configure adaptive access policies based on context and risk assessment. With <A href="#" target="_blank" rel="noopener">Conditional Access</A>, fine-tune access policies based upon user, device, location, and session risk assessment. And we continue to make Conditional Access smarter by enabling more granular controls, like building policies upon the authentication context, or Continuous Access Evaluation, which constantly re-assesses whether access conditions are met and can interrupt a session if a change is detected.</P> <P>&nbsp;</P> <P>Another critical factor in access decisions is the permissions that your customers grant to their employees and partners, which can be based on roles, projects, or other attributes. While those permissions are easy to grant, they are much harder to track, and to revoke when access is no longer needed. 
With the growth of the extended workforce, having one solution to manage such permissions for everyone is increasingly important. <A href="#" target="_blank" rel="noopener">Identity Governance</A> built into Azure AD helps you protect, monitor, and audit access to critical resources.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Require Compliant Device.png" style="width: 828px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/295097i84F7071F32F65DD8/image-size/large?v=v2&amp;px=999" role="button" title="Require Compliant Device.png" alt="Require Compliant Device.png" /></span></P> <P><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> <H4><SPAN><STRONG>Transform employee experiences</STRONG></SPAN></H4> <P>Delightful employee experiences are a growing priority for business leaders as remote work makes it even harder to rely on the traditional approach to IT helpdesks. One example – in the US alone, 49 million remote workers report that it takes days—and even weeks—to get IT issues fixed<SUP>1</SUP>.</P> <P>&nbsp;</P> <P>Creating a great employee experience starts when a new employee is hired and onboarded. Using <A href="#" target="_blank" rel="noopener">Azure AD provisioning</A>, Microsoft Endpoint Manager, and <A href="#" target="_blank" rel="noopener">Windows Autopilot</A>, organizations can shorten this process from days to hours or even minutes and grant access to the appropriate apps and devices on day one. With <A href="#" target="_blank" rel="noopener">Azure AD verifiable credentials</A>, you can simplify this experience even more – for example, you can confirm information about a new hire, like their education and professional certifications, in minutes, without collecting and storing their personal data.</P> <P>&nbsp;</P> <P>Moving past onboarding, <A href="#" target="_blank" rel="noopener">single sign-on</A> can help streamline how employees access the apps they need. 
One of the easiest actions to improve employee productivity is to connect <STRONG><U>ALL</U></STRONG> applications to Azure AD, from <A href="#" target="_blank" rel="noopener">cloud apps</A> like Workday, ServiceNow, and even AWS to <A href="#" target="_blank" rel="noopener">on-premises apps</A> or custom-built apps. Once apps have been connected to Azure AD, end users can easily discover and launch all their applications from our centralized app launch portal, <A href="#" target="_blank" rel="noopener">My Apps</A>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/295098iD7CF66B021F951BA/image-size/large?v=v2&amp;px=999" role="button" title="Screen.png" alt="Screen.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H4><SPAN><STRONG>Customize secure access for all users</STRONG></SPAN></H4> <P>Secure access and delightful experiences should extend to all users. Let’s take one example – frontline workers. Last year we all saw the essential role they play in our society, yet 75% still don’t have the right tools to do their work.<SUP>2</SUP> We’re working with our partners and customers to change that by creating experiences that adapt to their work environment. The first step is to streamline the sign-in process with <A href="#" target="_blank" rel="noopener">one-time SMS codes</A> and to empower frontline worker credential management, like adding phone numbers and approving password resets, in the <A href="#" target="_blank" rel="noopener">My Staff portal</A>. With kiosks being a common tool for frontline roles, <A href="#" target="_blank" rel="noopener">shared device mode</A> allows workers to securely sign in to and sign out of all their apps and browser sessions on such devices.</P> <P>&nbsp;</P> <P>Another critical priority is building long-lasting relationships with your customers. 
With <A href="#" target="_blank" rel="noopener">Azure AD B2C</A>, organizations and developers have the flexibility to tailor the sign-in experiences of their customer-facing apps and build granular access policies. And to further protect customer accounts and revenue from abuse and fraud, <A href="#" target="_blank" rel="noopener">Azure AD B2C integrates with Dynamics Fraud Protection</A>. With this integration, you can defend against fake account creation, account takeovers, and fraudulent account access. You can also improve transaction acceptance rates with insights that balance revenue opportunity against fraud loss and checkout friction.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Rule Decision.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/295099iBC552AE365D18D48/image-size/large?v=v2&amp;px=999" role="button" title="Rule Decision.png" alt="Rule Decision.png" /></span></P> <P>&nbsp;</P> <H4><STRONG>Join us virtually, live or on-demand at Microsoft Inspire</STRONG></H4> <P>The changes in how and where we work and increased security threats require a new set of principles and a new security approach: Zero Trust with identity and endpoints as a foundation. Taken together, Azure AD and Microsoft Endpoint Manager, along with our integrated security approach, help ensure that only the right people are getting the right level of access across your organization, elevating both security and end-user productivity.</P> <P>&nbsp;</P> <P>No matter where you are in the world, I hope you will join us at Microsoft Inspire for our sessions. 
Join the conversation on <A href="#" target="_self">Twitter</A> and <A href="#" target="_self">LinkedIn</A> with the hashtag #MSInspire.</P> <UL> <LI><A href="#" target="_blank" rel="noopener">TS03</A>: Build a foundation of trust and security</LI> <LI><A href="#" target="_blank" rel="noopener">BRK122</A>: Identity and endpoint management – a strong foundation for Zero Trust and profitability</LI> <LI><A href="#" target="_blank" rel="noopener">OD122</A>: Build a business around helping customers drive towards a Zero Trust framework</LI> <LI><A href="#" target="_blank" rel="noopener">ATEBRK122</A>: Ask the Experts: Identity and endpoint management – a strong foundation for Zero Trust and profitability</LI> </UL> <P>&nbsp;</P> <P>Best regards,</P> <P>Irina Nechaeva</P> <P>Senior Director, Identity Product Marketing</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Source:</P> <OL> <LI>1E American Remote Work Survey, July 20, 2020</LI> <LI>Equip Firstline Workers with Better Tools to Drive Engagement, Forrester Opportunity Snapshot: A Customer Study Commissioned by Microsoft, December 2018</LI> </OL> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank" rel="noopener"><EM>Twitter</EM></A><EM> and </EM><A href="#" target="_blank" rel="noopener"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the </EM><A href="#" target="_blank" rel="noopener"><EM>Azure Feedback Forum</EM></A></LI> </UL> Wed, 14 Jul 2021 15:00:01 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/build-a-strong-zero-trust-foundation-starting-with-identity-and/ba-p/2520420 IrinaNechaeva 2021-07-14T15:00:01Z Provision users into apps using SQL as a 
user store, more easily build complex expressions, and more https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/provision-users-into-apps-using-sql-as-a-user-store-more-easily/ba-p/2464364 <P>Howdy folks,</P> <P>&nbsp;</P> <P>I'm excited to share the latest Azure Active Directory provisioning capabilities to help you with your user lifecycle and directory management needs.</P> <P>&nbsp;</P> <H4><STRONG>Automate provisioning users from Azure AD into on-premises applications</STRONG></H4> <P>Azure AD now supports provisioning into on-premises applications, and we have a preview that we’re excited for you to deploy and give us feedback on.</P> <P>&nbsp;</P> <P>You must have an Azure AD Premium P1 or P2 tenant and an on-premises application that uses SQL as a data store or supports SCIM. You can request an invitation to the preview <A href="#" target="_blank">here</A>. We plan to remove the invitation requirement in the coming months and add support for provisioning users into LDAP directories (excluding AD DS).</P> <P>&nbsp;</P> <P>For those customers who have previously deployed Microsoft Identity Manager (MIM), you can reuse your existing connectors and configuration without needing a full MIM deployment. 
And for those customers building new applications, you can use our <A href="#" target="_blank">SCIM reference code</A> to stand up a SCIM endpoint and easily provision users into your application, whether it’s on-premises or in the cloud.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Azure AD.png" style="width: 911px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291945iD5C0E54C75346C61/image-size/large?v=v2&amp;px=999" role="button" title="Azure AD.png" alt="Azure AD.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H4><STRONG>More apps with pre-built user provisioning connectors </STRONG></H4> <P>The Azure AD service now supports more than 200 provisioning connectors! Check out the growing list of applications <A href="#" target="_blank">here</A>. Don’t see an app you’re looking for? Ask your application vendor to support the <A href="#" target="_blank">SCIM</A> standard and <A href="#" target="_blank">onboard</A> to the Azure AD application gallery; we’ll work with the ISV to onboard it quickly.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="apps.JPG" style="width: 872px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291947iE251C6C76CBFE5AF/image-size/large?v=v2&amp;px=999" role="button" title="apps.JPG" alt="apps.JPG" /></span></P> <P>&nbsp;</P> <H4><STRONG>New app integration wizard available in the Microsoft 365 admin center</STRONG></H4> <P>To help more admins connect third-party apps to Azure AD, we’ve launched a new app integration wizard in the Microsoft 365 admin center.&nbsp; The app integration wizard makes it easier to connect apps in our <A href="#" target="_blank">app gallery</A> to Azure AD by taking admins through a guided configuration experience for setting up single sign-on. 
Once applications have been set up for single sign-on, admins can then automate user provisioning using the hundreds of pre-built provisioning connectors.</P> <P>&nbsp;</P> <P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="App integration with Azure AD.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291948iE7918EE9F5D17C5F/image-size/large?v=v2&amp;px=999" role="button" title="App integration with Azure AD.png" alt="App integration with Azure AD.png" /></span></STRONG></P> <P>&nbsp;</P> <P><STRONG>&nbsp;</STRONG></P> <H4><STRONG>Provisioning logs are now generally available</STRONG></H4> <P>Monitor and troubleshoot your provisioning deployment with the <A href="#" target="_blank">provisioning logs</A> using the UI, the API, or by exporting the data as a CSV. You can also build custom dashboards, alerts, and queries on the data using our Azure Monitor <A href="#" target="_blank">integration</A>.&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Woodgrove.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291949i5F756AB9A399F125/image-size/large?v=v2&amp;px=999" role="button" title="Woodgrove.png" alt="Woodgrove.png" /></span></P> <P>&nbsp;</P> <P><STRONG>&nbsp;</STRONG></P> <H4><STRONG>Simplify building and testing expressions</STRONG></H4> <P>Azure AD’s provisioning service allows you to transform data prior to exporting it into a target system. 
To make it easier to build and test the expressions used to transform data, we’ve built an expression builder that is now available in public preview.&nbsp; Learn more about it <A href="#" target="_blank">here</A>, or visit our tips for general guidance on <A href="#" target="_blank">writing expressions</A>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Expression builder.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291954iC6111838158584FB/image-size/large?v=v2&amp;px=999" role="button" title="Expression builder.png" alt="Expression builder.png" /></span></P> <P>&nbsp;</P> <H4><STRONG>HR-driven provisioning updates for international assignments, gig economy workers, and cross-domain manager references</STRONG></H4> <UL> <LI>In large multi-national corporations, employees may temporarily work in international locations and return to their home base after the assignment is over. Typically, HR creates a new user profile corresponding to this assignment, so we have updated our user provisioning integrations with <A href="#" target="_blank">Workday</A> and <A href="#" target="_blank">SuccessFactors</A> to support retrieval of international assignment data.</LI> <LI>In today’s gig economy, we see a rise in conversion scenarios, wherein a full-time worker converts to a contingent worker or vice versa. When this happens, HR teams that use Workday deactivate the previous employment record and create a new employment record that usually retains the previous employee ID. Classically, handling this scenario required manual intervention or the creation of two separate Workday provisioning jobs to process full-time employees and contingent workers. 
With a <A href="#" target="_blank">recent update</A> to our Workday integration, you can seamlessly handle this scenario so that the active employment record in Workday always takes over ownership of the corresponding identity.</LI> <LI>If you are integrating HR provisioning with multiple on-premises Active Directory (AD) domains, you may come across scenarios where the user is part of one AD domain and the user’s manager is part of another AD domain. Such cross-domain manager references can now be resolved with a recent update, and you can also search for duplicate UPN / samAccountName values across multiple domains. Learn more in our cloud HR <A href="#" target="_blank">planning guide</A>.</LI> </UL> <P><STRONG>&nbsp;</STRONG></P> <H4><SPAN><STRONG>A new version of Azure AD Connect sync is available </STRONG></SPAN></H4> <P><SPAN>The latest version of Azure AD Connect sync has added the following capabilities:</SPAN></P> <UL> <LI>Now supports <A href="#" target="_blank">Selective Password Hash Synchronization</A></LI> <LI>A new <A href="#" target="_blank">Single Object Sync cmdlet</A> helps you troubleshoot your Azure AD Connect sync configuration</LI> <LI>Defaults to the <A href="#" target="_blank">V2 endpoint</A>, which provides improved performance and allows for syncing of groups with more than 50,000 members.</LI> <LI>A new built-in role, the Hybrid Identity Administrator, can be used for admins who are responsible for configuring the service.</LI> </UL> <P><SPAN>&nbsp;</SPAN></P> <H4><SPAN><STRONG>Azure AD Connect cloud sync updated agent</STRONG></SPAN></H4> <P><SPAN>With agent version # 1.1.359, Azure AD Connect cloud sync admins can now use gMSA cmdlets to set and reset their gMSA permissions at a granular level. 
In addition, the limit for syncing members using group scope filtering has increased to 50,000 members.</SPAN> <SPAN>For more details on agent updates, including bug fixes, check out the </SPAN><A href="#" target="_blank">version history</A><SPAN>.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P>As always, we’d love to hear your feedback or suggestions in the comments or on Twitter (<A href="#" target="_blank">@AzureAD</A>).</P> <P>&nbsp;</P> <P>Best regards,&nbsp;</P> <P>Alex Simons (<A href="#" target="_blank">@Alex_A_Simons</A>)</P> <P>Corporate VP of Program Management</P> <P>Microsoft Identity Division</P> <P><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> Thu, 01 Jul 2021 17:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/provision-users-into-apps-using-sql-as-a-user-store-more-easily/ba-p/2464364 Alex Simons (AZURE) 2021-07-01T17:00:00Z Guidance on using Azure AD to meet Zero Trust Architecture and MFA requirements https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/guidance-on-using-azure-ad-to-meet-zero-trust-architecture-and/ba-p/1751676 <P>Hello,</P> <P>&nbsp;</P> <P>With the recent <A href="#" target="_blank" rel="noopener">Executive Order on Improving the Nation’s Cybersecurity </A>mandating Zero Trust Architecture and multifactor authentication, you may be wondering what those requirements are and how you can use the tools you have in Azure AD to meet the standards.&nbsp;</P> 
<P>&nbsp;</P> <P>I am excited to share with you new guidance within our public documentation. This guidance is tailored to help you meet government and industry identity requirements using Azure Active Directory. Microsoft documents how <A href="#" target="_blank" rel="noopener">we as a company</A> meet many of these standards. While you can leverage our compliance, there are often “shared responsibilities” beyond what Microsoft accreditation provides. This new prescriptive guidance is designed to help you <STRONG>meet these identity requirements using Azure Active Directory.</STRONG> You can also check out the guides for cloud and Zero Trust modernization from Microsoft Federal: <A href="#" target="_blank">Mapping the Cybersecurity Executive Order Milestones</A>.</P> <P>&nbsp;</P> <P>As an example, let us consider meeting FedRAMP High controls IA-2 (1-4). To understand these requirements, one would have to start with the <A href="#" target="_blank" rel="noopener">FedRAMP Security Controls Baseline</A>, dive into <A href="#" target="_blank" rel="noopener">NIST SP 800-53 Rev. 4</A>, which builds on <A href="#" target="_blank" rel="noopener">NIST SP 800-63 Rev. 3</A>, which in turn builds on <A href="#" target="_blank" rel="noopener">NIST FIPS 140-2</A>. You get the idea…lots of “light” reading. 
Alternatively, one could leverage the <A href="#" target="_blank" rel="noopener">standards &amp; compliance section</A>, which provides prescriptive guidance for meeting this control by:</P> <P class="lia-indent-padding-left-30px">(a) configuring Conditional Access (CA) policies to require MFA,</P> <P class="lia-indent-padding-left-30px">(b) configuring device management policies and CA policies such that sign-in to these managed devices would require MFA,</P> <P class="lia-indent-padding-left-30px">(c) <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-2-nist-compliance/ba-p/2115725" target="_blank" rel="noopener">viable MFA options meeting NIST Authentication Assurance Level</A> (AAL) 3 as required by FedRAMP High, and</P> <P class="lia-indent-padding-left-30px">(d) use of PIM to eliminate privileged local access without PIM activation.</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P><STRONG>I am happy to announce the first two content sets under the new standards &amp; compliance area:&nbsp;</STRONG><A href="#" target="_blank" rel="noopener">Configure Azure Active Directory to meet NIST Authenticator Assurance Levels</A></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px">We have started with NIST 800-63 – Digital Identity Guidelines, which is a well understood framework for digital identities that many other standards and regulations use as a building block.</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px">This guidance details how you can use Azure Active Directory to meet NIST Authentication Assurance Levels (AAL) and maps these AALs to all available authentication methods.</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">Configure Azure Active Directory to meet FedRAMP High Impact level</A></P> <P>&nbsp;</P> <P 
class="lia-indent-padding-left-30px">Many US federal agencies, as well as cloud solution providers (CSPs) delivering cloud services to these agencies, must meet the requirements of the FedRAMP program. We anchored our guidance around the FedRAMP High baseline to cover the most stringent set of identity-related controls. This approach allows customers who need to adhere to lower FedRAMP baselines to use this guidance as well.</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P>US Government agencies will soon be required to have fully adopted multifactor authentication. Check out our resources to <A href="#" target="_blank" rel="noopener">Enable MFA</A> in your organization to verify explicitly as part of your Zero Trust approach.</P> <P>&nbsp;</P> <P>We would love to hear more from all of you on what standards, regulations, or other compliance frameworks with identity requirements you would like to meet with Azure Active Directory. We will continue to review standards, regulations, and other compliance frameworks and, where appropriate, produce guidance to help our customers meet their identity requirements using Azure Active Directory.</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 19 Aug 2021 23:23:10 GMT 
https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/guidance-on-using-azure-ad-to-meet-zero-trust-architecture-and/ba-p/1751676 Sue Bohn 2021-08-19T23:23:10Z Securely collaborate with guests using Azure AD guest access reviews https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/securely-collaborate-with-guests-using-azure-ad-guest-access/ba-p/2466940 <P>Companies collaborate with hundreds of clients, partners, and vendors every day. Today’s organizations use many applications and devices, and managing digital identities for these guests increases the risk of security breaches. More than 40% of IT leaders said that they want an identity governance solution that improves their security posture, according to an internal Microsoft survey.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="guest accounts.png" style="width: 415px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/290376i8B10535FEC09FFA9/image-dimensions/415x400?v=v2" width="415" height="400" role="button" title="guest accounts.png" alt="guest accounts.png" /></span></P> <P>&nbsp;</P> <P>These decision-makers’ top concern is the increased risk of security breaches due to distributed access to company resources. This problem is exacerbated as more companies adopt hybrid work and require secure collaboration with external users. IT admins have no way to track usage or answer the following questions:</P> <UL> <LI>What content are users interacting with?</LI> <LI>How long have the resources been shared?</LI> <LI>Are accounts still active?</LI> <LI>Are user privileges at risk of expiring?</LI> </UL> <P>&nbsp;</P> <H4>Organizations can manage guest access with automated reviews</H4> <P>More than <STRONG>70% of survey respondents said they either don’t have a process for managing guest accounts or they manually manage guest accounts</STRONG>. 
Manual processes often involve reliance on custom scripts or middleware, increasing the chance of human error that leads to elevated security risk. Also, an IT admin can never know all of the external users who require access to company resources. Business managers are the ones who are best suited for identity and access management activities for their guests and external partners.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="periodic access certifications.png" style="width: 463px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/290375iD158BB163D4FC768/image-dimensions/463x302?v=v2" width="463" height="302" role="button" title="periodic access certifications.png" alt="periodic access certifications.png" /></span></P> <P><EM>Figure 1: Access review features enable customers to securely manage guest access at scale.</EM></P> <P>&nbsp;</P> <P>An Azure Active Directory Identity Governance solution empowers Microsoft customers to securely collaborate with guests across organizational boundaries. Customers can set up <STRONG>automated, periodic access reviews using an intuitive interface that provides smart recommendations</STRONG>, ensuring that guests gain the right access to the right resources for the right amount of time.</P> <P>&nbsp;</P> <P>Once guests no longer require access to sensitive data, companies can automatically revoke their access to those resources. 
If a business owner or a manager isn’t in Azure AD, guests can review their own membership in a group.</P> <P>&nbsp;</P> <P>Automated provisioning and deprovisioning of guest access to sensitive data enables customers to move away from custom scripts and reduces errors associated with manual processes. Automated provisioning and deprovisioning of guest access into SaaS applications ensures that the only way guests can access these apps is through permissions set up by the organization, not decisions made on a case-by-case basis by an IT admin.</P> <P>&nbsp;</P> <P>In large organizations, business managers are best suited to manage guest access for collaboration. Azure AD governance features <STRONG>put control firmly in the hands of business managers who are best suited to provide appropriate levels of access to sensitive data to external users</STRONG>. By delegating to non-administrators, customers can ensure that the right people are managing access to their department’s sensitive data. Delegation of responsibility reduces the IT helpdesk burden and frees up the IT staff for more strategic initiatives.</P> <P>&nbsp;</P> <P>The response from Azure AD governance customers has been positive:</P> <P><EM>“Azure Active Directory guest access reviews give us that ability to be agile in our collaboration with external parties, with the right level of control, so our security, legal, and data privacy people are comfortable.” </EM>~ <A href="#" target="_blank">Avanade</A></P> <P>&nbsp;</P> <P>Microsoft customers in regulated industries and those that work with the government have to regularly demonstrate to auditors the effectiveness of their controls over access rights. Azure AD access reviews for guests enable these customers to easily prove to auditors that their organization has the appropriate controls in place. 
Azure AD provides <STRONG>a centralized view of all access reviews with a simple interface </STRONG>involving very few configuration steps, enabling IT admins to see which resources a user can or cannot access across a multi-cloud, multi-device, and fragmented application landscape.</P> <P>&nbsp;</P> <P>Watch our video review of guest user access across all Microsoft 365 groups and Microsoft Teams for a step-by-step overview of Azure AD Access Reviews. To learn more about Microsoft Identity Governance solutions, visit our <A href="#" target="_blank">website</A>.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Related Posts:&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/access-reviews-for-guests-in-all-teams-and-microsoft-365-groups/ba-p/1994697" target="_blank">Access Reviews for guests in all Teams and Microsoft 365 Groups is now in public preview - Microsoft Tech Community</A></EM></P> Thu, 19 Aug 2021 23:23:08 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/securely-collaborate-with-guests-using-azure-ad-guest-access/ba-p/2466940 Joseph Dadzie 2021-08-19T23:23:08Z Have you updated your applications to use the Microsoft Authentication Library and Microsoft Graph? 
https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/have-you-updated-your-applications-to-use-the-microsoft/ba-p/1144698 <P><SPAN>Howdy folks,</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>In 2020, we </SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363" target="_blank" rel="noopener">made a recommendation</A><SPAN> to developers to use </SPAN>the&nbsp;<A href="#" target="_blank" rel="noopener">Microsoft Authentication Library (MSAL)</A>&nbsp;and the&nbsp;<A href="#" target="_blank" rel="noopener">Microsoft Graph API</A>&nbsp;when developing applications.&nbsp; Since then, we’ve continued to add capabilities to both MSAL and Microsoft Graph, including improvements in performance, security, and reliability. We’ve also added hundreds of new APIs, including <A href="#" target="_blank" rel="noopener">Continuous Access Evaluation</A>-enabled APIs and <A href="#" target="_blank" rel="noopener">Conditional Access authentication context</A> to Microsoft Graph. These are now available for developers using MSAL and allow them to build <A href="#" target="_blank" rel="noopener">Zero Trust-ready</A> applications.</P> <P>&nbsp;</P> <P>Since we’re ending support for Active Directory Authentication Library (ADAL) and Azure Active Directory Graph on June 30, 2022, this is a reminder to update your apps to use MSAL and Microsoft Graph. 
We’ve also made it easier for you to find all the apps that are still using ADAL<SPAN>.</SPAN></P> <P>&nbsp;</P> <H4><STRONG>Find the apps still using ADAL and Azure AD Graph</STRONG></H4> <P><SPAN>The Azure AD monitoring workbook can help you find applications that use ADAL.&nbsp;It uses a set of queries that collect&nbsp;and visualize information available in the Azure AD&nbsp;sign-in&nbsp;logs.&nbsp;You can also query the sign-in logs directly, using the</SPAN><SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">sign-in logs schema here</A><SPAN>.</SPAN></P> <P>&nbsp;</P> <P>To access the workbook:</P> <OL> <LI>Sign in to the <A href="#" target="_blank" rel="noopener">Azure portal</A></LI> <LI>Navigate to <STRONG>Azure Active Directory</STRONG> &gt; <STRONG>Monitoring </STRONG>&gt; <STRONG>Workbooks</STRONG></LI> <LI>In the Usage section, open the <STRONG>Sign-ins workbook</STRONG></LI> </OL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Woodgrove.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/289788i95FBCE4B44C6E4B6/image-size/large?v=v2&amp;px=999" role="button" title="Woodgrove.png" alt="Woodgrove.png" /></span></P> <P><STRONG>&nbsp;</STRONG></P> <P>&nbsp;</P> <P>The Sign-ins workbook has a new table at the bottom of the page that shows you which recently used apps are using ADAL. 
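The same check can be run offline over exported sign-in log records. The block below is an added example written for this page, not code from the post or from the Sign-ins workbook; it assumes the sign-in log records the client library inside AuthenticationProcessingDetails under the key "Azure AD App Authentication Library" with a "Family: ... Library: ... Platform: ..." value, and the records and app IDs are constructed.

```python
"""Flag applications that still authenticate through ADAL, from exported Azure AD sign-in log records."""
import csv
import io
import json
import re

# ASSUMPTION (editor's, not from the post): the sign-in log stores the client
# authentication library as one {"key", "value"} entry of AuthenticationProcessingDetails.
LIBRARY_DETAIL_KEY = "Azure AD App Authentication Library"

# Value looks like "Family: ADAL Library: ADAL.Net 3.19.8 Platform: .NET Framework";
# the Platform part is optional.
_FAMILY_RE = re.compile(
    r"Family:\s*(?P<family>\S+)\s+Library:\s*(?P<library>.+?)(?:\s+Platform:.*)?$"
)


def parse_library(details_json):
    """Return (family, library) from an AuthenticationProcessingDetails JSON string, or None."""
    try:
        details = json.loads(details_json or "[]")
    except json.JSONDecodeError:
        return None
    for item in details:
        if isinstance(item, dict) and item.get("key") == LIBRARY_DETAIL_KEY:
            match = _FAMILY_RE.match(str(item.get("value", "")).strip())
            if match:
                return match.group("family").upper(), match.group("library").strip()
    return None


def find_adal_apps(records):
    """Group ADAL sign-ins by application.

    Returns {AppId: {"name", "libraries" (set), "sign_ins" (int), "last_seen" (ISO time)}}.
    Records whose library cannot be determined (browser sign-ins, malformed data) are skipped.
    """
    apps = {}
    for rec in records:
        parsed = parse_library(rec.get("AuthenticationProcessingDetails", "[]"))
        if parsed is None or parsed[0] != "ADAL":
            continue
        entry = apps.setdefault(
            rec["AppId"],
            {"name": rec.get("AppDisplayName", ""), "libraries": set(), "sign_ins": 0, "last_seen": ""},
        )
        entry["libraries"].add(parsed[1])
        entry["sign_ins"] += 1
        # ISO-8601 timestamps in the same zone compare correctly as strings.
        entry["last_seen"] = max(entry["last_seen"], rec.get("TimeGenerated", ""))
    return apps


def to_csv(adal_apps):
    """Render the findings as CSV text, busiest application first (mirrors the workbook export)."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["AppId", "AppDisplayName", "Libraries", "SignIns", "LastSeen"])
    for app_id, entry in sorted(adal_apps.items(), key=lambda kv: -kv[1]["sign_ins"]):
        writer.writerow([app_id, entry["name"], "; ".join(sorted(entry["libraries"])),
                         entry["sign_ins"], entry["last_seen"]])
    return out.getvalue()


def _details(value):
    return json.dumps([{"key": LIBRARY_DETAIL_KEY, "value": value}])


# Constructed sample records (placeholder app IDs), shaped like exported sign-in log rows.
SAMPLE_RECORDS = [
    {"TimeGenerated": "2021-08-01T09:12:00Z", "AppId": "00000000-0000-0000-0000-00000000aaaa",
     "AppDisplayName": "Payroll Sync (constructed)",
     "AuthenticationProcessingDetails": _details("Family: ADAL Library: ADAL.Net 3.19.8 Platform: .NET Framework")},
    {"TimeGenerated": "2021-08-03T18:40:00Z", "AppId": "00000000-0000-0000-0000-00000000aaaa",
     "AppDisplayName": "Payroll Sync (constructed)",
     "AuthenticationProcessingDetails": _details("Family: ADAL Library: ADAL.Net 3.19.8 Platform: .NET Framework")},
    {"TimeGenerated": "2021-08-02T07:05:00Z", "AppId": "00000000-0000-0000-0000-00000000bbbb",
     "AppDisplayName": "Field Mobile (constructed)",
     "AuthenticationProcessingDetails": _details("Family: ADAL Library: ADAL.Android 1.16.3")},
    {"TimeGenerated": "2021-08-02T11:30:00Z", "AppId": "00000000-0000-0000-0000-00000000cccc",
     "AppDisplayName": "Modern Portal (constructed)",
     "AuthenticationProcessingDetails": _details("Family: MSAL Library: MSAL.NET 4.30.0 Platform: .NET Core")},
    {"TimeGenerated": "2021-08-02T12:00:00Z", "AppId": "00000000-0000-0000-0000-00000000dddd",
     "AppDisplayName": "Browser sign-in (constructed)",
     "AuthenticationProcessingDetails": "[]"},
]

if __name__ == "__main__":
    print(to_csv(find_adal_apps(SAMPLE_RECORDS)))
```

Point it at a CSV/JSON export of the sign-in logs and the resulting list is the set of applications to take through the MSAL migration guide.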
You can also export a list of these apps.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Woodgrove Workbooks.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/289791iEE822B58F14EC5E7/image-size/large?v=v2&amp;px=999" role="button" title="Woodgrove Workbooks.png" alt="Woodgrove Workbooks.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Once you’ve identified the apps that are using ADAL, you can use the <A href="#" target="_blank" rel="noopener">MSAL migration guide</A>. To find apps that use Azure AD Graph, search your code for the string “graph.windows.net” and then use the <A href="#" target="_blank" rel="noopener">Microsoft Graph migration guide</A>.</P> <P>&nbsp;</P> <P>Send your questions, open issues, and feature requests through Microsoft Q&amp;A by using the tag <A href="#" target="_blank" rel="noopener">azure-ad-adal-deprecation</A> or <A href="#" target="_blank" rel="noopener">azure-ad-graph-deprecation</A>.</P> <P>&nbsp;</P> <P>As always, we’d love to hear your feedback or suggestions. 
Let us know what you think in the comments below or on the <A href="#" target="_blank" rel="noopener">Azure AD feedback forum</A>.</P> <P>&nbsp;</P> <P>Best regards,&nbsp;</P> <P>Alex Simons (Twitter: <A href="#" target="_blank" rel="noopener">@Alex_A_Simons</A>)</P> <P>Corporate Vice President of Program Management</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 19 Aug 2021 23:23:06 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/have-you-updated-your-applications-to-use-the-microsoft/ba-p/1144698 Alex Simons (AZURE) 2021-08-19T23:23:06Z Introducing Azure AD access reviews for service principals https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/introducing-azure-ad-access-reviews-for-service-principals/ba-p/1942488 <P>Howdy folks!</P> <P>&nbsp;</P> <P>With the growing trend of more applications and services moving to the cloud, there’s an increasing need to improve the governance of identities used by these workloads. Today, we’re announcing the public preview of access reviews for service principals in Azure AD. 
Many of you are already using Azure AD access reviews for governing the access of your user accounts and have expressed the desire to extend this capability to your service principals and applications.</P> <P>&nbsp;</P> <P>With this public preview, you can require a review of service principals and applications that are assigned to privileged directory roles in Azure AD. In addition, you can also create reviews of roles in your Azure subscriptions to which a service principal is assigned. This ensures a periodic check that service principals are only assigned to the roles they need and helps you improve the security posture of your environment.</P> <P>&nbsp;</P> <P>Setting up an access review for service principals in your tenant or&nbsp;Azure subscriptions&nbsp;is easy: select&nbsp;“service principals” during the access review creation experience, and the rest is the same as any other access review!</P> <P>&nbsp;</P> <P>To set up this new Azure AD capability in the Azure portal:</P> <UL> <LI>Navigate to Identity Governance.</LI> <LI>Choose Azure AD roles or Azure resources followed by the resource name.</LI> <LI>Locate the Access Reviews blade to create a new access review.</LI> <LI>Set the <STRONG>Scope </STRONG>to <STRONG>Service Principals.</STRONG></LI> </UL> <P><STRONG>&nbsp;</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Create an Access Review.png" style="width: 555px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287185iBE9CE9ECB0A6BB5B/image-dimensions/555x555?v=v2" width="555" height="555" role="button" title="Create an Access Review.png" alt="Create an Access Review.png" /></span></P> <P>&nbsp;</P> <P>The selected reviewers will receive an email directing them to review access from the Azure portal.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SPN.png" style="width: 999px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287927iB9C1A495EA99FEA8/image-size/large?v=v2&amp;px=999" role="button" title="SPN.png" alt="SPN.png" /></span></P> <P>&nbsp;</P> <P>You can also use Microsoft Graph APIs and ARM (Azure Resource Manager) APIs to create this access review for Azure AD roles and Azure resource roles, respectively. To learn more about this feature, visit our documentation on reviewing <A href="#" target="_blank" rel="noopener">Azure AD roles</A> and assigning <A href="#" target="_blank" rel="noopener">Azure resource roles</A>.</P> <P>&nbsp;</P> <P>As we work on expanding the set of identity capabilities for workloads, we will use this preview to collect customer feedback for identifying the optimal way of making these capabilities commercially available.</P> <P><EM>&nbsp;</EM></P> <P>&nbsp;</P> Thu, 10 Jun 2021 21:26:53 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/introducing-azure-ad-access-reviews-for-service-principals/ba-p/1942488 Alex Simons (AZURE) 2021-06-10T21:26:53Z Automate and manage Azure AD tasks at scale with the Microsoft Graph PowerShell SDK https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/automate-and-manage-azure-ad-tasks-at-scale-with-the-microsoft/ba-p/1942489 <P>Howdy folks,</P> <P>&nbsp;</P> <P>We’ve heard from 
customers that having a great PowerShell experience is critical in helping manage your identity needs at scale, from automating tasks through scripts to managing users in bulk. Today we wanted to share the investments we’re making in PowerShell that will help you save time on administrative tasks. These will be focused on, but not limited to, high-use scenarios such as user, group, and application management and role-based access control (RBAC).</P> <P>&nbsp;</P> <P>If you’re using the Azure AD PowerShell or MSOnline PowerShell modules to manage Azure AD, we encourage you to try the <A href="#" target="_blank" rel="noopener">Microsoft Graph PowerShell</A> SDK. The Microsoft Graph PowerShell SDK is where all our current and future investments are being made.</P> <P>&nbsp;</P> <P>Derrick Kimani, a program manager in the Identity Division, drives our PowerShell initiatives, and his guest blog below will take you through our current and future investments in PowerShell. As always, please share your feedback in the comments below.</P> <P>&nbsp;</P> <P>Best Regards,</P> <P>Alex Simons (Twitter:&nbsp;<A href="#" target="_self">@Alex_A_Simons</A>)</P> <P>Corporate Vice President Program Management</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> <P>&nbsp;--------------------------------------------------------</P> <P>&nbsp;</P> <P>Hi everyone –&nbsp;</P> <P>&nbsp;</P> <P>I’m excited to share our investments in PowerShell that make it easier to manage your identity needs and critical tasks. 
Today, thousands of customers use PowerShell for a wide range of tasks from monitoring and tracking data changes to managing cloud applications at scale.</P> <P>&nbsp;</P> <H3><A href="#" target="_blank" rel="noopener"><STRONG>Manage Azure AD with the Microsoft Graph PowerShell SDK</STRONG></A></H3> <P>Last year, we announced <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363" target="_blank" rel="noopener">end of support plans for Azure Active Directory (Azure AD) Graph API</A> in favor of Microsoft Graph. Microsoft Graph offers a single endpoint to access Microsoft 365 data. The Microsoft Graph includes all the previous Azure AD APIs and APIs from several other Microsoft services like Teams, Exchange, Intune, and more. Since the announcement last year, we’ve added more Azure AD APIs in Microsoft Graph such as: Advanced Query Support, Device Management, and Cloud communication.</P> <P>&nbsp;</P> <P>The <A href="#" target="_blank" rel="noopener">Microsoft Graph PowerShell</A> SDK acts as an API wrapper for the Microsoft Graph API, exposing the entire API set for use in PowerShell. Over the coming months, we will provide usability enhancements, documentation, examples, and additional improvements to the Microsoft Graph PowerShell SDK, where we will create compound commands that map more closely to the specific tasks and scenarios admins would like to automate.</P> <P>&nbsp;</P> <P>As Alex stated above, the Microsoft Graph PowerShell SDK is where all our current and future investments are being made and is the best choice for future-proofing your scripts. With broad Microsoft 365 support, full cross-platform support, and an up-to-date release cycle with the Microsoft Graph API, the Microsoft Graph PowerShell SDK will become our recommended module for administering Azure AD. 
It is <A href="#" target="_blank" rel="noopener">open source</A> and available <A href="#" target="_blank" rel="noopener">cross-platform</A> on PowerShell 7 and above. &nbsp;</P> <P>&nbsp;</P> <H5>Our plan with PowerShell moving forward is as follows:</H5> <UL> <LI>As new Identity APIs are added to Microsoft Graph, they will continue to be made available through the Microsoft Graph PowerShell SDK.</LI> <LI>We will provide usability enhancements, documentation, examples, and additional improvements to the Microsoft Graph PowerShell SDK on an ongoing basis.</LI> <LI>Our Identity-related investments in the Microsoft Graph PowerShell SDK will be focused on, but not limited to, high-use scenarios such as user, group, and application management and role-based access controls (RBAC).</LI> </UL> <P>Our eventual goal is that <EM>every</EM> Azure AD feature has an API in Microsoft Graph so you can administer Azure AD through the Microsoft Graph API or Microsoft Graph PowerShell SDK. If you’re using other PowerShell modules to manage Azure AD, such as the Azure AD PowerShell or MSOL, we encourage you to start using Microsoft Graph PowerShell SDK.</P> <P>&nbsp;</P> <P>While many customers use the Azure AD PowerShell to manage users, groups, applications, and service principals, we have stopped investing in new features for this module, and it will not be updated to work with PowerShell 7.</P> <P>&nbsp;</P> <P>To get started using the Microsoft Graph PowerShell SDK, review our<SPAN>&nbsp;<A href="#" target="_blank" rel="noopener">updated documentation</A></SPAN> and check out the <A href="#" target="_blank" rel="noopener">GitHub wiki</A> to find information on Microsoft Graph-based modules. We will continue to enhance samples and documentation in the coming months. The Microsoft Graph PowerShell SDK is open-source and we encourage the PowerShell scripting community to contribute to improving our identity modules. 
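</P> <P>As an added example (not code from the original post or from the Microsoft Graph PowerShell SDK project), the script below rewrites two tasks that admins commonly run with the Azure AD module, auditing application client secrets and listing the members of privileged directory roles, against the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and that the signed-in account can consent to the two read-only scopes it requests; the 30-day threshold and the role names are illustrative choices.</P>

```powershell
# Added example, not code from the original post or from the Graph SDK project.
# Assumes: Install-Module Microsoft.Graph has been run, and the signed-in user
# can consent to the two read-only delegated scopes requested below.
# Nothing here modifies the tenant.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.DirectoryManagement

function Connect-LeastPrivilege {
    # Request only the delegated scopes this script needs. The AzureAD module
    # signs in with a fixed, broad permission set; the Graph SDK lets you
    # name each permission, so keep the list as short as the task allows.
    Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory' | Out-Null
    $ctx = Get-MgContext
    Write-Host "Tenant $($ctx.TenantId) as $($ctx.Account); scopes: $($ctx.Scopes -join ', ')"
}

function Get-ExpiringAppSecret {
    # Replaces Get-AzureADApplication followed by inspecting PasswordCredentials.
    # Emits one row per client secret that is expired or expires within $WithinDays.
    param([int]$WithinDays = 30)   # illustrative threshold
    $nowUtc = (Get-Date).ToUniversalTime()
    $cutoff = $nowUtc.AddDays($WithinDays)
    foreach ($app in Get-MgApplication -All -Property id, displayName, appId, passwordCredentials) {
        foreach ($cred in $app.PasswordCredentials) {
            if (-not $cred.EndDateTime -or $cred.EndDateTime -ge $cutoff) { continue }
            [pscustomobject]@{
                Application = $app.DisplayName
                AppId       = $app.AppId
                KeyId       = $cred.KeyId
                EndDateTime = $cred.EndDateTime
                State       = if ($cred.EndDateTime -lt $nowUtc) { 'EXPIRED' } else { 'EXPIRING' }
            }
        }
    }
}

function Get-PrivilegedRoleMember {
    # Replaces Get-AzureADDirectoryRole / Get-AzureADDirectoryRoleMember.
    # Like the old cmdlets, Get-MgDirectoryRole only returns roles that have
    # been activated in the tenant at least once.
    param([string[]]$RoleNames = @('Global Administrator', 'Privileged Role Administrator'))
    foreach ($role in Get-MgDirectoryRole -All) {
        if ($RoleNames -notcontains $role.DisplayName) { continue }
        foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
            # Members come back as generic directoryObjects; the concrete type
            # and the user / service principal fields sit in AdditionalProperties.
            $props = $member.AdditionalProperties
            $name = if ($props.ContainsKey('userPrincipalName')) { $props['userPrincipalName'] }
                    elseif ($props.ContainsKey('displayName'))   { $props['displayName'] }
                    else                                         { $member.Id }
            [pscustomobject]@{
                Role      = $role.DisplayName
                MemberId  = $member.Id
                Type      = $props['@odata.type']
                Principal = $name
            }
        }
    }
}

Connect-LeastPrivilege
Get-ExpiringAppSecret -WithinDays 30 | Sort-Object EndDateTime | Format-Table -AutoSize
Get-PrivilegedRoleMember | Format-Table -AutoSize
Disconnect-MgGraph | Out-Null
```

<P>Connect-MgGraph asks only for the two delegated permissions the script needs, which is the least-privilege pattern the AzureAD module cannot offer, since Connect-AzureAD signs in with a fixed, broad set of permissions. Run the two functions separately while migrating and compare their output with Get-AzureADApplication and Get-AzureADDirectoryRoleMember on the same tenant before retiring the old scripts.</P> <P>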
Anyone in the identity community is welcome to deliver improvements through the same open-source <A href="#" target="_blank" rel="noopener">contribution process</A> used by the API engineering teams.</P> <P>&nbsp;</P> <H3><STRONG><U>Azure PowerShell Module &amp; CLI</U></STRONG></H3> <P>In the longer term, we’re also exploring how to align the Microsoft Graph PowerShell SDK with the Azure PowerShell Module and CLI to deliver a consistent and unified terminal experience.</P> <P>The Azure PowerShell modules are a set of cmdlets for managing Azure resources directly from the PowerShell command line, which can include tasks such as provisioning virtual machines, databases, and networks. While we recommend that you use the Microsoft Graph PowerShell SDK for your Azure AD needs, the Azure PowerShell Module does support a small set of cmdlets for identity features (the *-AzADUser, *-AzADGroup and *-AzADApplication cmdlets in Az.Resources). These modules are supported on Windows PowerShell 5.1 and PowerShell 7.x and above.</P> <P>&nbsp;</P> <P>We’d love to hear your feedback or suggestions on how we can improve Azure AD management within the Microsoft Graph PowerShell SDK. 
If you have feedback or suggestions for any new modules, be sure to comment below.</P> <P>&nbsp;</P> <P>Best,</P> <P>Derrick Kimani</P> <P>Program Manager</P> <P>Microsoft Identity Division</P> Thu, 19 Aug 2021 23:23:04 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/automate-and-manage-azure-ad-tasks-at-scale-with-the-microsoft/ba-p/1942489 Alex Simons (AZURE) 2021-08-19T23:23:04Z Conditional Access authentication context now in public preview https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/conditional-access-authentication-context-now-in-public-preview/ba-p/1942484 <P>Howdy folks,</P> <P>Today we are starting the <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/granular-conditional-access-for-sensitive-data-and-actions/ba-p/1751775" target="_blank" rel="noopener">Conditional Access authentication context</A> public preview. Authentication context lets apps trigger Conditional Access policy enforcement only when a user reaches sensitive data or actions, so users stay productive and your sensitive resources stay protected.</P> <P>&nbsp;</P> <P>We have added this capability for more granular policy targeting because of your feedback – let us know what you think!</P> <P>&nbsp;</P> <P>Caleb Baker, from our PM team, will walk you through the details below.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Alex Simons</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>------------------------------------------------------------------------</P> <P>&nbsp;</P> <H1><STRONG>Getting started with Conditional Access authentication context</STRONG></H1> <P>Hey there, I am Caleb from the Azure AD team.</P> <P>&nbsp;</P> <P>We've heard from many of you that you want to trigger a Conditional Access policy when sensitive content in your apps is accessed. This includes requiring multi-factor authentication, a compliant device or even a GPS-based location. 
Existing app-level Conditional Access policies don't support this level of resource granularity, so we've added support for authentication contexts.</P> <P>&nbsp;</P> <P>Now that Conditional Access authentication context is in public preview, it’s great to be able to go deeper into some of the details. I can’t wait to see how people use it and integrate authentication context into their own apps.</P> <P>&nbsp;</P> <P>You can modify your line of business apps, or, thanks to integration with Microsoft Cloud App Security (MCAS), Microsoft Information Protection (MIP), and SharePoint Online, use it with all kinds of cloud apps right away!</P> <P>&nbsp;</P> <H3><STRONG>Let’s get started!</STRONG></H3> <P>When you use authentication context, you first create a custom authentication context value. This value is what apps reference to trigger Conditional Access policies when sensitive data or actions are accessed.</P> <P>&nbsp;</P> <P>You can do this from the new Conditional Access <STRONG>authentication context</STRONG> tab by clicking <STRONG>New authentication context</STRONG>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AuthContext (Preview).png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/283956i865958C3CC1F213E/image-size/large?v=v2&amp;px=999" role="button" title="AuthContext (Preview).png" alt="AuthContext (Preview).png" /></span></P> <P>&nbsp;</P> <P>You’ll then provide a display name and description for the new authentication context. We recommend using a name that captures the authentication requirements. 
For example, <EM>Controls trusted devices</EM> or <EM>Contoso strong auth</EM>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Modify authentication context.png" style="width: 421px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/283957iF6EA52FB5C2902BF/image-size/large?v=v2&amp;px=999" role="button" title="Modify authentication context.png" alt="Modify authentication context.png" /></span></P> <P>&nbsp;</P> <P>After creating a new authentication context, you then attach it to Conditional Access policies. These are the policies that will be enforced when an application triggers the authentication context. You author these policies in the Conditional Access policy admin UX, the same as any other Conditional Access policy. The only difference is that instead of assigning the policy to a cloud app you’ll assign it to an authentication context.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="New.png" style="width: 595px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/283958iD52ED29C8BD24841/image-size/large?v=v2&amp;px=999" role="button" title="New.png" alt="New.png" /></span>&nbsp;</P> <P>&nbsp;</P> <P>Now that you’ve created an authentication context, apps can make use of it. I’ll show an example with an <A href="#" target="_blank" rel="noopener">MCAS session policy</A>, which enforces the policy when a user downloads a file from an app. 
<A href="#" target="_blank" rel="noopener">MIP label management</A> in the Office Security and Compliance Center has a similar experience for applying authentication context values.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Actions.png" style="width: 590px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/284653i3CC3759F7CCF3A11/image-size/large?v=v2&amp;px=999" role="button" title="Actions.png" alt="Actions.png" /></span></P> <P>&nbsp;</P> <P>Now when a user attempts to download a sensitive file from an app that is configured to use the MCAS session policy, they will need to satisfy the attached Conditional Access policy.</P> <P>Here are some of the ways customers have been using authentication context with MCAS and SharePoint.</P> <UL> <LI>Requiring users to authenticate with <STRONG>multi-factor authentication (MFA) when they download sensitive files</STRONG> from any SaaS app on the web, like Office 365, Salesforce, Workday, and more.</LI> <LI>Requiring <STRONG>terms of use for SharePoint site collections</STRONG> that have been classified as <EM>confidential</EM>. 
For several customers, this lets them move sensitive documents to secured sites in SharePoint Online and complete their migration from on-premises.</LI> </UL> <P>&nbsp;</P> <P>These documents will help you to learn more about configuring these policies.</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Configuring Conditional Access authentication context</A></LI> <LI><A href="#" target="_blank" rel="noopener">Microsoft Information Protection to protect sensitive SharePoint site collections</A></LI> <LI><A href="#" target="_blank" rel="noopener">Microsoft Cloud App Security session policy</A></LI> </UL> <P>&nbsp;</P> <H1>Adding authentication context into your apps</H1> <P>Any app using OpenID Connect/OAuth 2.0 for authentication can also use authentication context values, including apps developed by your organization. This allows your apps to better protect sensitive resources, like high-value transactions or viewing employee personal data.</P> <P>We’ve built this support on a standards-based pattern, commonly used by apps prompting for multi-factor authentication, to help simplify app integration. Of course, you can also use the Microsoft Authentication Library (MSAL) to further simplify app development.</P> <P>&nbsp;</P> <P>Apps trigger a specific authentication context by sending an OpenID Connect claims request (a claims challenge) that asks for that context’s claim value.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Context Value.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/283960iEDEB9DDE95439335/image-size/large?v=v2&amp;px=999" role="button" title="Context Value.png" alt="Context Value.png" /></span></P> <P>&nbsp;</P> <P>Once the user has been challenged and has satisfied the policy, they are issued a new sign-in token containing the required authentication context claim. 
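</P> <P>The request and check described above, as an added example in PowerShell (not code from this post, from MSAL or from Azure AD): New-AuthContextClaimsRequest builds the claims request an app sends to trigger the context, and Test-AuthContextSatisfied is the check the app runs on the token it gets back. The claims-request shape and the acrs claim name follow Microsoft’s published authentication context developer guidance rather than this post; the context id c1, the audience and both tokens are constructed so the script runs offline.</P>

```powershell
# Added example, not code from the original post, MSAL or Azure AD.
# The claims-request shape and the "acrs" claim name follow Microsoft's
# authentication context developer guidance; the context id "c1" and the
# sample tokens are constructed here for an offline demonstration.

function New-AuthContextClaimsRequest {
    # Value of the OpenID Connect "claims" parameter (what you hand to MSAL as
    # the claims challenge). "essential" makes Azure AD enforce the policy
    # instead of silently omitting the claim.
    param([Parameter(Mandatory)][string]$ContextId, [string]$TokenType = 'id_token')
    $claims = [ordered]@{}
    $claims[$TokenType] = [ordered]@{ acrs = [ordered]@{ essential = $true; value = $ContextId } }
    return ($claims | ConvertTo-Json -Compress -Depth 5)
}

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return [Convert]::FromBase64String($s)
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    return [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtPayload {
    # Decodes the payload segment only. It does NOT verify the signature:
    # a real app lets MSAL or its OIDC middleware validate the token first
    # and only then reads claims from it. Never trust acrs from an
    # unvalidated token.
    param([Parameter(Mandatory)][string]$Token)
    $segments = $Token.Split('.')
    if ($segments.Count -lt 2) { throw 'not a JWT' }
    $json = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $segments[1]))
    return ($json | ConvertFrom-Json)
}

function Test-AuthContextSatisfied {
    # True only when the token's acrs claim lists the required context.
    # A token issued before the challenge carries no acrs claim at all.
    param([Parameter(Mandatory)][string]$Token, [Parameter(Mandatory)][string]$ContextId)
    $payload = Get-JwtPayload -Token $Token
    if (-not $payload.PSObject.Properties['acrs']) { return $false }
    return [bool](@($payload.acrs) -contains $ContextId)
}

function Invoke-SensitiveAction {
    # The decision the app makes on every request to the protected action.
    param([Parameter(Mandatory)][string]$Token, [Parameter(Mandatory)][string]$ContextId)
    if (Test-AuthContextSatisfied -Token $Token -ContextId $ContextId) {
        return 'allow'
    }
    # Not satisfied: answer with a challenge. The client passes this claims
    # request to MSAL, the user satisfies the Conditional Access policy, and
    # the client retries with the new token that now contains acrs.
    return 'challenge ' + (New-AuthContextClaimsRequest -ContextId $ContextId)
}

function New-SampleJwt {
    # Constructed, unsigned token (empty signature segment) for the demo only.
    param([Parameter(Mandatory)][hashtable]$Payload)
    $header = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes('{"alg":"none","typ":"JWT"}'))
    $body   = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes(($Payload | ConvertTo-Json -Compress)))
    return $header + '.' + $body + '.'
}

# Constructed sample: the same user before and after satisfying context c1.
$before = New-SampleJwt @{ sub = 'user-1'; aud = 'api://contoso-payroll' }
$after  = New-SampleJwt @{ sub = 'user-1'; aud = 'api://contoso-payroll'; acrs = @('c1') }

Invoke-SensitiveAction -Token $before -ContextId 'c1'
Invoke-SensitiveAction -Token $after  -ContextId 'c1'
```

<P>The first call returns the challenge carrying {"id_token":{"acrs":{"essential":true,"value":"c1"}}} and the second returns allow. In a web app the challenge becomes a 401 or a redirect to the sign-in URL with the claims parameter (MSAL.NET exposes it as .WithClaims() on its token request builders), and the caveat in Get-JwtPayload is the important one: read acrs only from a token whose signature, issuer and audience your middleware has already validated, otherwise anyone can mint a token that carries the claim.</P> <P>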
The app then checks for that claim in the validated token and grants access only when it is present.</P> <P>&nbsp;</P> <P>Here are some additional resources to help with app development using authentication context.</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Authentication context developer guidance</A></LI> <LI><A href="#" target="_blank" rel="noopener">Authentication context developer sample app</A></LI> <LI><A href="#" target="_blank" rel="noopener">Authentication context Microsoft Graph API documentation</A></LI> </UL> <P>&nbsp;</P> <P>Next, we’ll be working toward GA and adding support for even more integrations, like Privileged Identity Management role activation!</P> <P>&nbsp;</P> <P>As always, we’d love to hear from you. Please let us know what you think in the comments below or on the <A href="#" target="_blank" rel="noopener">Azure AD feedback forum</A>.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Caleb Baker</P> Thu, 19 Aug 2021 23:23:02 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/conditional-access-authentication-context-now-in-public-preview/ba-p/1942484 Alex Simons (AZURE) 2021-08-19T23:23:02Z Build 2021: Build Zero Trust-ready apps with the Microsoft identity 
platform https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/build-2021-build-zero-trust-ready-apps-with-the-microsoft/ba-p/1942485 <P>Howdy folks,</P> <P>&nbsp;</P> <P>It’s <A href="#" target="_blank" rel="noopener">Build</A> week at Microsoft and it is exciting to see a wide audience, from developers to students to startups, from around the world participate in the virtual sessions at Build. We see continued interest in the topic of remote and hybrid work - a trend that has accelerated in the last year. We expect that <A href="#" target="_blank" rel="noopener">hybrid work will be the norm</A> and it will fundamentally change the cybersecurity landscape. Many of you are getting prepared for this by embracing the <A href="#" target="_blank" rel="noopener">Zero Trust</A> security approach. We’re continuing to invest deeply in the <A href="#" target="_blank" rel="noopener">Microsoft identity platform</A> to empower developers to lead this Zero Trust adoption.</P> <P>&nbsp;</P> <H4><STRONG>Use the </STRONG><A href="#" target="_blank" rel="noopener"><STRONG>Zero Trust principles</STRONG></A><STRONG> to build your applications.</STRONG></H4> <P>Zero Trust is a holistic security strategy that follows three simple principles - verify explicitly, use least privileged access, and assume breach. <SPAN>While&nbsp;each organization will design their own&nbsp;Zero Trust&nbsp;roll-out strategy based on their unique&nbsp;business needs,&nbsp;the most common approach is to start with a strong cloud identity.&nbsp;This is where developers&nbsp;can easily embrace Zero Trust principles across every layer – from strong authentication policies to least privileged permissions and continuous access evaluation. </SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <H3><STRONG>First principle: Verify explicitly</STRONG></H3> <P>We recommend that our customers authenticate users and authorize access based on all available data points. 
When developers build applications using <A href="#" target="_blank" rel="noopener">Microsoft Authentication Libraries (MSAL)</A> and choose modern protocols like <A href="#" target="_blank" rel="noopener">OpenID Connect and OAuth</A>, these applications benefit from Zero Trust controls like Conditional Access policies. These controls allow IT admins and security personnel to verify things, such as use of strong authentication during sign-in, whether a compliant device is being used and that the user behavior is consistent with known patterns. They can even assess real-time sign-in risk or accumulated user risk and decide whether to grant access, require multifactor authentication or ask a user to reset their password.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Build Applications.png" style="width: 780px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/283915i3FD46A4C88B767B8/image-size/large?v=v2&amp;px=999" role="button" title="Build Applications.png" alt="Build Applications.png" /></span></P> <P>&nbsp;</P> <P>We continue to add more security features to support this Zero Trust principle. Developers should make their apps ready to comply with Zero Trust policies and controls that organizations prioritize as they roll out Zero Trust strategies. MSAL makes it simple for apps to work seamlessly when controls like <A href="#" target="_blank" rel="noopener">Conditional Access authentication context policies</A> are enabled. With <A href="#" target="_blank" rel="noopener">these policies</A>, IT administrators can require users to provide strong authentication just-in-time when performing critical tasks, like changing settings in the Azure portal. 
Using MSAL and the Microsoft Graph SDK, applications can also benefit from built-in capabilities like <A href="#" target="_blank" rel="noopener">Continuous Access Evaluation</A>. Continuous Access Evaluation lets Azure AD continually evaluate active user sessions and revoke access in near real time when access conditions change, such as when a device is lost.</P> <P>We also recommend that customers verify that the applications they deploy come from a source they trust. Using <A href="#" target="_blank" rel="noopener">Publisher Verification</A>, developers can make this verification easy for their customers.</P> <P>&nbsp;</P> <H3><STRONG>Second principle: Use least privileged access</STRONG></H3> <P>This principle – use least privileged access – is essential for reducing the number of users that have access to critical data and minimizing the blast radius in breach situations. To ensure that apps only access the data they need, we recommend that developers use a tool like <A href="#" target="_blank" rel="noopener">Graph Explorer</A> to find the minimal permissions for each API they call when integrating apps with <A href="#" target="_blank" rel="noopener">Microsoft Graph</A>. With <A href="#" target="_blank" rel="noopener">incremental consent</A>, developers can always request additional permissions later, when a feature needs them.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Graph Explorer.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/283916i6DA5D834E7891AEF/image-size/large?v=v2&amp;px=999" role="button" title="Graph Explorer.png" alt="Graph Explorer.png" /></span></P> <P>&nbsp;</P> <P>We also recommend that developers <A href="#" target="_blank" rel="noopener">define app roles</A> such as readers, contributors and administrators when integrating their applications with the Microsoft identity platform. 
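</P> <P>Graph Explorer tells you the least-privileged permission for one request; the tenant-side complement is to look at what your registrations actually ask for. The script below is an added example (not code from the post or from Microsoft’s guidance): it reads every app registration’s requested Microsoft Graph permissions, resolves the permission GUIDs to names through the Microsoft Graph service principal present in the tenant, and flags names that are seldom the least-privileged choice. It assumes the Microsoft.Graph module, consent to Application.Read.All, and the documented well-known appId of Microsoft Graph; the high-privilege name patterns are the example’s own heuristic.</P>

```powershell
# Added example, not code from the original post. Assumes the Microsoft.Graph
# module is installed and the signed-in user can consent to Application.Read.All.
# The well-known appId of Microsoft Graph is documented by Microsoft; the
# "high privilege" name patterns are this example's own heuristic.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications

$GraphAppId = '00000003-0000-0000-c000-000000000000'
$HighPrivilegePatterns = @('*.ReadWrite.All', 'Directory.*', 'RoleManagement.*',
                           'AppRoleAssignment.*', 'Mail.*', 'Files.*.All', 'Sites.*.All')

function Get-GraphPermissionMap {
    # GUID -> name lookups, taken from the Microsoft Graph service principal
    # that exists in every tenant. Delegated scopes and application roles
    # have separate GUID spaces, so both are loaded.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
    $map = @{}
    foreach ($scope in $sp.Oauth2PermissionScopes) { $map["$($scope.Id)"] = $scope.Value }
    foreach ($role  in $sp.AppRoles)               { $map["$($role.Id)"]  = $role.Value }
    return $map
}

function Test-HighPrivilege {
    param([Parameter(Mandatory)][string]$PermissionName)
    foreach ($pattern in $HighPrivilegePatterns) {
        if ($PermissionName -like $pattern) { return $true }
    }
    return $false
}

function Get-AppGraphPermission {
    # One row per (app registration, requested Graph permission).
    # Type 'Role' is an application permission (no signed-in user, so it is
    # the one to scrutinise hardest); 'Scope' is delegated.
    param([Parameter(Mandatory)][hashtable]$Map)
    foreach ($app in Get-MgApplication -All -Property displayName, appId, requiredResourceAccess) {
        foreach ($resource in $app.RequiredResourceAccess) {
            if ($resource.ResourceAppId -ne $GraphAppId) { continue }
            foreach ($access in $resource.ResourceAccess) {
                $name = $Map["$($access.Id)"]
                if (-not $name) { $name = "unknown:$($access.Id)" }
                [pscustomobject]@{
                    Application   = $app.DisplayName
                    AppId         = $app.AppId
                    Permission    = $name
                    Kind          = if ($access.Type -eq 'Role') { 'Application' } else { 'Delegated' }
                    HighPrivilege = Test-HighPrivilege -PermissionName $name
                }
            }
        }
    }
}

Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null
$map = Get-GraphPermissionMap
Get-AppGraphPermission -Map $map |
    Sort-Object -Property HighPrivilege, Application -Descending |
    Format-Table Application, Permission, Kind, HighPrivilege -AutoSize
Disconnect-MgGraph | Out-Null
```

<P>Anything flagged is a candidate for a narrower permission, for delegated rather than application access, or for being requested incrementally when the feature that needs it is first used. Pair the audit with app roles in your own registration: define reader, contributor and administrator roles so that customers can assign each user only the role the task needs.</P> <P>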
This lets customers adhere to the principle of least privileged access when using these applications. When developers make their apps ready to use with <A href="#" target="_blank" rel="noopener">Azure AD’s Privileged Identity Management (PIM)</A>, it allows IT administrators to enable just-in-time access to the critical app roles.</P> <P>&nbsp;</P> <H3><STRONG>Third principle: Assume breach</STRONG></H3> <P>This principle encourages developers to assume that users are accessing apps on open networks and that breaches can affect their apps. By integrating with the Microsoft identity platform, applications automatically get the benefits of the sign-in and audit logs available to IT administrators. In the event of a breach, this enables organizations to identify which applications or resources were accessed, with metadata such as user, IP address, or location. We also recommend that developers log access at a per-object level along with this metadata, which allows auditors to identify exactly what data was exfiltrated and remediate issues without downtime.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Build.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/283917i6C666D15B2941637/image-size/large?v=v2&amp;px=999" role="button" title="Build.png" alt="Build.png" /></span>&nbsp;</P> <P>&nbsp;</P> <H4><STRONG>How to build Zero Trust-ready apps</STRONG></H4> <P>To learn more, check out the new guidance for developers we’ve published to the <A href="#" target="_blank" rel="noopener">Zero Trust Resource Center</A>. It includes new development and integration resources for developing Zero Trust-ready apps.</P> <P>&nbsp;</P> <H4><STRONG>Join us live, or watch on-demand</STRONG></H4> <P>No matter where you are in the world, you can join us at <A href="#" target="_blank" rel="noopener">Build 2021</A>. 
There are plenty of live and pre-recorded sessions. To register, attend, and interact with us during these sessions, see below:</P> <P>&nbsp;</P> <P><STRONG>Breakout sessions</STRONG></P> <UL> <LI>BRK234: Build a Zero Trust-ready app starting with the Microsoft identity platform.</LI> <LI>BRK244: Learn three new ways to enrich your productivity apps with Microsoft Graph tools and data.</LI> </UL> <P><STRONG>Technical session</STRONG></P> <UL> <LI>TS04: Enable the next generation of productivity experiences for hybrid work.</LI> </UL> <P><STRONG>Community connections</STRONG></P> <UL> <LI>Ask the Experts: Build a Zero Trust-ready app.</LI> <LI>Ask the Experts: Build B2C apps with External Identities.</LI> <LI>Product roundtable: Use managed identities in Azure to securely connect to cloud services.</LI> <LI>Product roundtable: Azure Active Directory developer experience: Service identities improvement.</LI> <LI>1:1 Consults: Meet with an expert on the Microsoft identity platform.</LI> </UL> <P><STRONG>On-demand sessions</STRONG></P> <UL> <LI>Best practices to build secure B2C apps with Azure Active Directory External Identities.</LI> <LI>Down with sign-ups, just sign-in (Decentralized Identities)</LI> </UL> <P>&nbsp;</P> <P>Best regards,</P> <P>Alex Simons (<A href="#" target="_self">@Alex_A_Simons</A>)</P> <P>Corporate VP of Program Management</P> <P>Microsoft Identity Division</P> Thu, 19 Aug 2021 23:23:01 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/build-2021-build-zero-trust-ready-apps-with-the-microsoft/ba-p/1942485 Alex Simons (AZURE) 2021-08-19T23:23:01Z New identity partnerships and integrations to accelerate your Zero Trust journey https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/new-identity-partnerships-and-integrations-to-accelerate-your/ba-p/1751674 <P>This month, our team is busy participating in several industry events – the <A href="#" target="_blank" rel="noopener">RSA Conference</A>, <A href="#" target="_blank" rel="noopener">Gartner IAM</A> and <A href="#" target="_blank" rel="noopener">Microsoft Build</A> – and sharing the new partnerships and integrations we’ve developed to help support your Zero Trust strategy.</P> <P>&nbsp;</P> <P>Reflecting on last year, the RSA Conference in 2020 was my last in-person business trip before the pandemic. I loved connecting with our customers and partners to celebrate their hard work and discuss future opportunities to collaborate. I also enjoyed announcing the recipients of our Microsoft Security Partner Awards last week. While the RSA Conference is virtual this year, I was able to continue my tradition of celebrating our partners at our Microsoft Security Partner Awards.</P> 
<P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Sue Bohn.jpg" style="width: 889px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/281363iC03D6E1458A399D6/image-size/large?v=v2&amp;px=999" role="button" title="Sue Bohn.jpg" alt="Sue Bohn.jpg" /></span></P> <P>&nbsp;</P> <P>Congratulations to all the <A href="#" target="_blank" rel="noopener">winners of Microsoft Security Partner Awards</A>! &nbsp;Something else worth celebrating? Exciting new integrations from our key alliance partners.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><STRONG>New compatible FIDO2 security keys to help you go passwordless</STRONG></H2> <P><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/passwordless-authentication-is-now-generally-available/ba-p/1994700" target="_blank" rel="noopener">The general availability of Azure AD passwordless </A>is generating buzz. Many customers are deploying passwordless authentication to improve their Zero Trust strategy. 
The <A href="#" target="_blank" rel="noopener">Government of Nunavut</A>, for example, turned to phishing-resistant FIDO2-based YubiKeys after experiencing a ransomware attack.</P> <P>&nbsp;</P> <P>This month, I want to highlight two new FIDO2 security keys with biometric sensors.</P> <P>&nbsp;</P> <TABLE> <TBODY> <TR> <TD width="181"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kuchinski_1-1621282687201.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/281282i58AD16C724BD7F44/image-size/medium?v=v2&amp;px=400" role="button" title="kuchinski_1-1621282687201.png" alt="kuchinski_1-1621282687201.png" /></span> <P>&nbsp;</P> </TD> <TD width="443"> <P><A href="#" target="_blank" rel="noopener"><STRONG>Nymi Workplace Wearables</STRONG></A><STRONG>: </STRONG>This is our first wearable FIDO2 device that uses both fingerprint and heartbeat sensors to continuously authenticate you. You can use this device to access Azure AD-connected applications and physical buildings without regularly touching the device. Learn more about how the Nymi Workplace Wearable works by watching <A href="#" target="_blank" rel="noopener">this video</A>.</P> </TD> </TR> <TR> <TD width="181"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kuchinski_2-1621282687209.jpeg" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/281281i1791C9319ECC8DDD/image-size/medium?v=v2&amp;px=400" role="button" title="kuchinski_2-1621282687209.jpeg" alt="kuchinski_2-1621282687209.jpeg" /></span> <P>&nbsp;</P> </TD> <TD width="443"> <P><A href="#" target="_blank" rel="noopener"><STRONG>Kensington VeriMark IT Fingerprint Key</STRONG></A><STRONG>: </STRONG>This new FIDO2 device has a simple design and Match-in-Sensor Fingerprint Technology, which combines high biometric performance and 360-degree readability with anti-spoofing technology. 
It exceeds industry standards for false rejection rate (FRR 2%) and false acceptance rate (FAR 0.001%). Fingerprint data is also isolated and secured in the sensor, so only an encrypted match is transferred.</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>FIDO2 security keys are just one of the ways – along with Windows Hello for Business and the Microsoft Authenticator app – organizations can go passwordless. You can find the list of FIDO2 security key providers that are compatible with our passwordless experience in our documentation <A href="#" target="_blank" rel="noopener">here</A>.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><STRONG>Protect your mission-critical apps with F5 BIG-IP APM and Microsoft Azure AD Conditional Access</STRONG></H2> <P>Last year, F5 and Microsoft launched a <A href="#" target="_blank" rel="noopener">simplified user and administrator experience</A> for application access to help customers enable their workforce to access all apps, including apps that use legacy authentication, seamlessly and securely when working from home. Since then, we’ve seen the use of the F5 BIG-IP Access Policy Manager (APM) integration increase nearly three times, with customers like <A href="#" target="_blank" rel="noopener">Durham County</A> and <A href="#" target="_blank" rel="noopener">Johnson Controls</A> using these capabilities to help deploy their Zero Trust strategy.</P> <P>&nbsp;</P> <P>To make it easier for customers to protect their apps with F5 BIG-IP APM, F5 has developed an integration that allows customers to apply Conditional Access policies directly in the F5 BIG-IP APM interface. Customers will be able to streamline policy enforcement, such as requiring multi-factor authentication (MFA) for non-compliant devices, for access to their apps behind F5 BIG-IP APM.&nbsp; With this integration, customers can easily extend the power of Conditional Access that they use for their cloud apps to apps that use legacy authentication as well. 
This integration will be available in the coming months, and you can learn more by reading <A href="#" target="_blank" rel="noopener">F5’s blog</A>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="F5.jpg" style="width: 716px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/281609iF1ED427A12883DDC/image-dimensions/716x403?v=v2" width="716" height="403" role="button" title="F5.jpg" alt="F5.jpg" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><STRONG>Protecting legacy apps with new secure hybrid access partners</STRONG></H2> <P>Securing access to legacy apps with Azure AD continues to be a critical step to ensure customers can adopt a Zero Trust strategy. Our <A href="#" target="_blank" rel="noopener">secure hybrid access partner solutions</A> and Azure AD App Proxy are ways customers can protect their legacy apps with Azure AD. We’ve added three new secure hybrid access partner solutions to give you more choice on how you can secure your legacy apps. These new secure hybrid access partner solutions include <A href="#" target="_blank" rel="noopener">Banyan Security</A>, <A href="#" target="_blank" rel="noopener">Datawiza Access Broker</A> and <A href="#" target="_blank" rel="noopener">Check Point Harmony</A>.</P> <P>&nbsp;</P> <P>As part of their integration, Datawiza also launched an automated <A href="#" target="_blank" rel="noopener">way to integrate legacy apps to Azure AD with their One-Click solution</A> last month. By utilizing the <A href="#" target="_blank" rel="noopener">application API in Microsoft Graph</A>, Datawiza’s One-Click solution automates several key application integration steps, eliminating manual steps like the need to toggle between Azure AD and Datawiza’s access management system. 
For each application, administrators can simply enter basic application information (i.e., the application’s location) into the Datawiza Cloud Management Console and click a single button to complete the integration with Azure AD.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Demo App.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/281366iE6B3F646073089F4/image-size/large?v=v2&amp;px=999" role="button" title="Demo App.png" alt="Demo App.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><STRONG>Protect your Azure AD B2C tenant with Cloudflare Web Application Firewall</STRONG></H2> <P>Our customers need support for a strong network access strategy once they implement Azure AD B2C in their environment. Integrating Cloudflare Web Application Firewall with Azure AD B2C gives customers the ability to write custom security rules (including rate-limiting rules), mitigate DDoS attacks, and deploy advanced bot management features. The <A href="#" target="_blank" rel="noopener">Cloudflare WAF</A> works by proxying and inspecting traffic towards your application and analyzing the payloads to ensure only non-malicious content reaches your origin servers. By incorporating the <A href="#" target="_blank" rel="noopener">Cloudflare integration</A> into Azure AD B2C, customers can ensure that their application is protected against sophisticated attack vectors including zero-day vulnerabilities, malicious automated botnets, and other generic attacks such as those listed in the <A href="#" target="_blank" rel="noopener">OWASP Top 10</A>.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><STRONG>New apps available in the Azure AD app gallery </STRONG></H2> <P class="lia-align-left">Our team continues to add more applications to the Azure AD app gallery so our customers can easily deploy the apps their organizations need. 
Recently, we added some highly requested apps such as:</P> <P>&nbsp;</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Cisco Intersight</A>, an intelligent visualization, optimization, and orchestration application that brings together your teams, tools, infrastructure, and apps.</LI> <LI><A href="#" target="_blank" rel="noopener">Broadcom DX</A>, a SaaS-based service that provides native and third-party data ingestion, monitoring, and analytics for cloud and hybrid environments.</LI> <LI>We’ve also partnered closely with Check Point to add five of their applications in the Azure AD app gallery. These applications include <A href="#" target="_blank" rel="noopener">Check Point Cloud Security Posture Management</A>, <A href="#" target="_blank" rel="noopener">Check Point Identity Awareness</A>, <A href="#" target="_blank" rel="noopener">Check Point Remote Secure Access VPN</A>, <A href="#" target="_blank" rel="noopener">Check Point Harmony Connect</A> and Check Point Infinity Portal.</LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <H2><STRONG>Stay up to date with the latest identity integrations</STRONG></H2> <P>In case you missed some of our recent partner integrations, you can watch the latest edition of our new partner integration video below.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><LI-VIDEO vid="https://www.youtube.com/watch?v=hpFqlWj9lLY" align="center" size="large" width="600" height="338" uploading="false" thumbnail="https://i.ytimg.com/vi/hpFqlWj9lLY/hqdefault.jpg" external="url"></LI-VIDEO></P> <P>&nbsp;</P> <P>Helping customers adopt a Zero Trust approach requires us to work closely together with industry partners. I’m grateful for all the partners that have collaborated with us and welcome new partners to build solutions with our identity platform. We’ve added a new section to the <A href="#" target="_blank" rel="noopener">Zero Trust Resource Center</A> for ISVs who are creating Zero Trust solutions for partners. 
You can learn about general integration strategies, creating secure hybrid access solutions, and becoming a Microsoft-compatible FIDO2 hardware vendor. Reach out to me on Twitter <A href="#" target="_self">@Sue_Bohn</A> to share ideas or leave comments below.</P> <P>&nbsp;</P> <P>Best regards,</P> <P>Sue Bohn</P> <P>Partner Director of Program Management</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the<SPAN>&nbsp;</SPAN></EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>Twitter</EM></A><EM><SPAN>&nbsp;</SPAN>and<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>Azure Feedback Forum</EM></A></LI> </UL> Thu, 19 Aug 2021 23:22:59 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/new-identity-partnerships-and-integrations-to-accelerate-your/ba-p/1751674 Sue Bohn 2021-08-19T23:22:59Z Conditional Access GPS-based named locations now in public preview https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/conditional-access-gps-based-named-locations-now-in-public/ba-p/2365687 <P>Today, I am excited to share how you can improve your Conditional Access policies and ensure compliance with data regulations thanks to the public preview of GPS-based named locations. 
This feature helps admins strengthen their security and compliance posture and allows them to restrict access to sensitive apps based on the GPS location of their users.</P> <P>&nbsp;</P> <P>I have asked Olena Huang, a PM on the Identity team, to tell you more. Let us know what you think!</P> <P>&nbsp;</P> <P>Alex Weinert</P> <P>&nbsp;</P> <P>-------------------------------------</P> <P>&nbsp;</P> <P>Hello,</P> <P>&nbsp;</P> <P>With the public preview of GPS-based named locations, admins can refine their Conditional Access policies by determining a user’s location with even more precision. GPS-based named locations allow you to restrict access to certain resources to the boundaries of a specific country. Due to VPNs and other factors, determining a user’s location from their IP address is not always accurate or reliable. Leveraging GPS signals enables admins to determine a user’s location with higher confidence. This is especially helpful if you have strict compliance regulations that limit where specific data can be accessed.</P> <P>&nbsp;</P> <P>When the feature is enabled, users will be prompted to share their GPS location via the Microsoft Authenticator app during sign-in.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H4><STRONG>Create a policy to allow or restrict access based on a user’s GPS location</STRONG></H4> <P>There are two simple steps:</P> <OL> <LI>Create a GPS-based named location.</LI> <LI>Create or configure Conditional Access with this named location.</LI> </OL> <P>You’ll first need to create a countries named location and select the countries where you want the policy to apply. 
Configure the named location to determine the location by GPS coordinates instead of by IP address.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Named Locations.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/281667iB1470A9684196D61/image-size/large?v=v2&amp;px=999" role="button" title="Named Locations.png" alt="Named Locations.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Next, create a Conditional Access policy to restrict access to selected applications for sign-ins within the boundaries of the named location.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="New.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/281668i0B11634F5449B6F5/image-size/large?v=v2&amp;px=999" role="button" title="New.png" alt="New.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>For more information, check out our <A href="#" target="_blank" rel="noopener">admin documentation</A> &nbsp;or our <A href="#" target="_blank" rel="noopener">Graph API documentation</A>.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H4><STRONG>Test out the location-sharing experience</STRONG></H4> <P>First, make sure you have the Microsoft Authenticator app installed and set up with your test account.</P> <P>&nbsp;</P> <P>Next, try to access the files or data restricted by the Conditional Access policy. 
&nbsp;You’ll be prompted to share your geolocation from the Authenticator app.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Contoso.png" style="width: 489px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/281669i9F6139960D46E61E/image-dimensions/489x362?v=v2" width="489" height="362" role="button" title="Contoso.png" alt="Contoso.png" /></span></P> <P>&nbsp;</P> <P>The first time you encounter this prompt, you will need to grant location permissions to the Authenticator app.</P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><STRONG><U>iOS</U></STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="IOS.png" style="width: 781px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/281670i0D5B15C046A908F0/image-dimensions/781x548?v=v2" width="781" height="548" role="button" title="IOS.png" alt="IOS.png" /></span></P> <P>&nbsp;</P> <P><STRONG><U>Android</U></STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Android.png" style="width: 709px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/281671iB24409CFAB064A1B/image-dimensions/709x663?v=v2" width="709" height="663" role="button" title="Android.png" alt="Android.png" /></span></P> <P>&nbsp;</P> <P>For the next 24 hours, your location will be shared silently once per hour from that device, so you won’t keep getting notifications.</P> <P>&nbsp;</P> <P>After 24 hours, you will be re-prompted when trying to access the same resource. 
However, you will not need to grant permissions again (unless you’ve disabled them).</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Authenticator.png" style="width: 794px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/281672i6472643C341E8C20/image-dimensions/794x486?v=v2" width="794" height="486" role="button" title="Authenticator.png" alt="Authenticator.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>If you have questions, check out our <A href="#" target="_blank" rel="noopener">FAQ page</A>.</P> <P>&nbsp;</P> <P>We’d love to hear from you! Feel free to leave comments below or reach out to us on Twitter.</P> <P>&nbsp;</P> Thu, 19 Aug 2021 23:22:57 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/conditional-access-gps-based-named-locations-now-in-public/ba-p/2365687 Alex Weinert 2021-08-19T23:22:57Z Wipro’s new IMC tool automates app migration to Azure AD https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/wipro-s-new-imc-tool-automates-app-migration-to-azure-ad/ba-p/1751672 <P><EM>Hello! 
I’m Sue Bohn, Partner Director of Program Management for Identity and Access Management. In this Voice of the Partner blog post, we’ve invited Prakash Narayanamoorthy, Principal Microsoft Security Architect for Wipro, and Terence Oliver Jayabalan, Practice Partner and Global Solutions Lead for IAM at Wipro, to share how their company envisioned, engineered, and brought to market a one-of-a-kind solution for automatically migrating third-party apps to Azure Active Directory—shrinking the migration process from months to hours. </EM></P> <H3><SPAN><STRONG>&nbsp;</STRONG></SPAN></H3> <H2><SPAN><STRONG>Seamlessly and automatically migrate SSO applications to Azure AD</STRONG> </SPAN></H2> <H5>By Terence Oliver Jayabalan, Practice Partner, Global Solutions Lead for Identity and Access Management</H5> <P><SPAN><STRONG>&nbsp;</STRONG></SPAN></P> <P><A href="#" target="_blank" rel="noopener">Wipro Limited</A> is a leading global information technology, consulting, and business process services company. We harness the power of cognitive computing, hyper-automation, robotics, cloud, analytics, and emerging technologies to help our clients succeed in the digital world. With over 180,000 employees serving clients across six continents, we’ve been recognized for our comprehensive portfolio of services, commitment to sustainability, and good corporate citizenship. With a staff of more than 8,000 security professionals, Wipro has been helping customers in the Identity and Access Management (IAM) domain for more than two decades through our consulting, advisory, and implementation solutions.</P> <P>&nbsp;</P> <H4><STRONG>Moving a mountain—app migrations and IAM</STRONG></H4> <P>Our customers come to us from across industry verticals, but a common pain point for most of them involves user provisioning and access management for single sign-on (SSO) software-as-a-service (SaaS) apps. 
With <A href="#" target="_blank" rel="noopener">Zero Trust</A> now the gold standard for enterprise security, identity has become the new perimeter. Many of our customers are looking to modernize their identity and access management (IAM) landscape by bringing advanced platforms like <A href="#" target="_blank" rel="noopener">Azure Active Directory</A> (Azure AD) into their environment, so they can connect and secure all their apps with a single identity solution. With Azure AD, <A href="#" target="_blank" rel="noopener">Conditional Access</A>, <A href="#" target="_blank" rel="noopener">multifactor authentication</A>, <A href="#" target="_blank" rel="noopener">single sign-on (SSO)</A>, and <A href="#" target="_blank" rel="noopener">automatic user provisioning</A> make IAM easier and more secure across the enterprise. Azure AD also saves money by reducing admin overhead for on-premises user provisioning and authentication—<A href="#" target="_blank" rel="noopener">Forrester</A> estimates the value of <A href="#" target="_blank" rel="noopener">IT efficiency gains at USD 3.0 million over three years</A>.</P> <P>&nbsp;</P> <P>However, moving to a new IAM solution often requires the time-consuming task of manually migrating hundreds of SaaS applications from their existing IAM solution. This typically involves the admin getting the connection parameters from the existing tool and manually bringing them into Azure AD, usually by typing information or with some form of export-import function. Then, the admin has to validate those settings and do the application site configurations before the end-to-end integration/migration is finally completed. For a typical business, this process can require several hours just for <EM>one</EM> app.</P> <P>&nbsp;</P> <P>Wipro sought to change that. 
We set out to build a solution that could automate migrating applications from one IAM platform to another while addressing <STRONG>the biggest</STRONG> <STRONG>IAM app-migration challenges:</STRONG></P> <P>&nbsp;</P> <UL> <LI>Large number of applications needing to be migrated.</LI> <LI>Need for a specialized skillset to carry out the migration.</LI> <LI>Extensive manual effort needed to migrate applications to a new platform.</LI> <LI>No centralized view of the vast IAM landscape.</LI> <LI>Lack of centralized monitoring, reporting, and management for IAM.</LI> <LI>No centralized repository for documents, best practices, templates, or delivery kits.</LI> <LI>Lack of IAM tasks and process automations.</LI> <LI>No simplified view of IAM operations (user details, who has access to what).</LI> </UL> <P><STRONG>&nbsp;</STRONG></P> <P><STRONG>&nbsp;</STRONG></P> <H4><STRONG>Wipro’s solution—Identity Management Center (IMC)</STRONG></H4> <P>To solve this pain point for our customers, Wipro worked closely with the Microsoft Identity engineering team to enable a seamless solution for onboarding SSO apps to Azure AD. Our new accelerator solution, <STRONG>Identity Management Center (IMC)</STRONG>, automates and accelerates the app migration/onboarding process from end to end. IMC supports migrating <A href="#" target="_blank" rel="noopener">OIDC</A> and <A href="#" target="_blank" rel="noopener">SAML</A> applications, as well as multiple IAM systems both as a source and a target—including a new functionality to speed up migration of SSO apps from Okta to Azure AD.</P> <P>&nbsp;</P> <P>We make use of the customer’s Okta instance APIs to pull information about the application into IMC: SAML and related metadata, any URLs, and policy information. As all that is pulled in, we transform it into a format that Azure AD understands. 
Once it’s present in that format within IMC, we make use of the <A href="#" target="_blank" rel="noopener">Microsoft Graph API</A> to push that information into Azure AD.</P> <P>&nbsp;</P> <P><EM>&nbsp;</EM></P> <P><EM><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="IMC for Azure AD Reference architecture.png" style="width: 732px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280558i25CAC443EEEDBF0D/image-size/large?v=v2&amp;px=999" role="button" title="IMC for Azure AD Reference architecture.png" alt="IMC for Azure AD Reference architecture.png" /></span>&nbsp;</EM></P> <P><EM>Figure 1: IMC for Azure AD: Reference architecture</EM></P> <P>&nbsp;</P> <P>Once the application configuration is loaded into the IMC platform, migrating from one environment to another (Dev to QA, QA to Prod, etc.) requires just the click of a button. It begins with the discovery process in the Okta platform, followed by bringing the required configuration into IMC. The intuitive IMC interface helps users gather the applications’ onboarding details effortlessly via web-form questionnaires. Once the app configurations are onboarded, IMC automatically provisions the apps to Azure AD. 
Our IMC solution also integrates with IT service management (ITSM) tools like <A href="#" target="_blank" rel="noopener">SNOW</A>, helping to incorporate change-management processes for automated onboarding to Azure AD as well.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="IMC accelerated process for SaaS app migration.png" style="width: 732px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280559iEAA1A6B110235AD6/image-size/large?v=v2&amp;px=999" role="button" title="IMC accelerated process for SaaS app migration.png" alt="IMC accelerated process for SaaS app migration.png" /></span></P> <P><EM>Figure 2: IMC accelerated process for SaaS app migration</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Wipro’s IMC solution is a web-tiered architecture that can be quickly set up on customers’ on-premises or cloud infrastructure. And because IMC is not a multi-tenant solution, data residency and control remain completely within the customer’s hands. 
IMC provides a single pane of glass for monitoring IAM solutions across your enterprise—a single, holistic service-management platform which provides compliance visibility and includes accelerators and automation toolkits.</P> <P>&nbsp;</P> <P><STRONG>IMC contains eight modules covering enterprise IAM:</STRONG></P> <UL> <LI><STRONG>Data VX:</STRONG> Data validation and transformation</LI> <LI><STRONG>AppOn:</STRONG> Application onboarding</LI> <LI><STRONG>Unified dashboards:</STRONG> Singular view of IAM ecosystem</LI> <LI><STRONG>Delivery toolkits:</STRONG> Industry best practices and toolkits</LI> <LI><STRONG>IAM monitoring:</STRONG> Live monitoring via APIs and agents</LI> <LI><STRONG>TestAX:</STRONG> Test automation and execution</LI> <LI><STRONG>UAmatic:</STRONG> Unified access management</LI> <LI><STRONG>Bot management:</STRONG> Bot execution monitoring</LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="IMC modules.png" style="width: 591px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280560i47B48FF707002027/image-size/large?v=v2&amp;px=999" role="button" title="IMC modules.png" alt="IMC modules.png" /></span></P> <P><EM>Figure 3: IMC modules</EM></P> <P>&nbsp;</P> <P>Questions like how many orphan accounts you have, or how many concurrent logins are happening in your access-management system, are the types of things you can configure in the dashboard. For example, if you have 100 applications integrated with your Azure AD, validating them normally takes a huge manual effort. 
Instead, TestAX will run scripts for you at the click of a button—all the use cases can run in a series and provide you with a PDF report.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H4><STRONG>Results—fast, easy app migration</STRONG></H4> <P>If a typical manual migration of 500 applications takes around 10 months, our IMC solution can <STRONG>reduce app migration efforts by 60 to 70 percent</STRONG>—<STRONG>dropping migration timelines from months to hours. </STRONG>Working closely with the Azure AD engineering team on the Microsoft Graph APIs and IMC integration, we’ve been able to automate the entire SSO app migration to deliver <STRONG>one-click onboarding from Okta to Azure AD, including:</STRONG></P> <P>&nbsp;</P> <UL> <LI>Live auto-discovery of Okta apps</LI> <LI>No Okta or Azure AD admins required for SSO application onboarding activities</LI> <LI>Automatic transformation of Okta configuration into Azure AD</LI> <LI>One-click migration of configurations</LI> <LI>Automated ticketing with integrated ITSM</LI> <LI>Easily assign applications to users in Azure AD</LI> <LI>Provides Azure AD certificate</LI> </UL> <P><STRONG>&nbsp;</STRONG></P> <H4><STRONG>Teamwork brings IMC to market</STRONG></H4> <P>We have a deep connection with the Microsoft Identity engineering team, and they’re really excited about our IMC solution because it’s the only tool of its kind that provides a seamless migration from Okta to Azure AD. We’ve presented IMC to multiple customers, and they’re excited too. This is the only tool that solves their specific pain points around application migration and IAM. Our team at Wipro believes that IMC has the potential for migrating thousands of applications, including deeper integrations with other ecosystems. The results have been so promising, we’re now building migration capabilities for more IAM solutions, such as Ping Identity and Oracle Access Management. 
We’re expecting IMC’s Okta-to-Azure AD migration feature to enter general availability in Q2, 2021.</P> <P>&nbsp;</P> <P><STRONG>For additional information about Wipro and their IMC SaaS app-migration solution, please contact </STRONG><A href="https://gorovian.000webhostapp.com/?exam=mailto:cybersecurity.services@wipro.com" target="_blank" rel="noopener"><STRONG>cybersecurity.services@wipro.com</STRONG></A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Related Articles: </EM><SPAN><A href="#" target="_blank" rel="noopener">Migrating Application Authentication to Azure Active Directory</A>; <A href="#" target="_blank" rel="noopener">Building a Conditional Access policy</A> </SPAN></LI> </UL> Fri, 14 May 2021 16:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/wipro-s-new-imc-tool-automates-app-migration-to-azure-ad/ba-p/1751672 Sue Bohn 2021-05-14T16:00:00Z Introducing Attribute Based Access Control (ABAC) in Azure https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/introducing-attribute-based-access-control-abac-in-azure/ba-p/2147069 <P>The public preview of Attribute Based Access Control (ABAC) in Azure builds on <A href="#" target="_self">Azure Role-Based Access Control (RBAC)</A> to make it easier for organizations to manage access to Azure 
resources at scale. This first release of ABAC supports Azure Storage with resource attributes. Many of you are familiar with Azure RBAC role assignments, which enable you to grant access to one Azure resource or all resources in a hierarchy.</P> <P>&nbsp;</P> <P>We’ve received the following feedback for Azure RBAC.</P> <P>&nbsp;</P> <UL> <LI>In some scenarios, you need <STRONG>more fine-grained access control </STRONG>than what RBAC offers. For example, you need to grant access to some, not all, resources in a hierarchy.</LI> <LI>You need to make access control decisions based on <STRONG>business information</STRONG>, such as a resource’s deployment stage or a user’s project. Such information is commonly referred to as attributes or tags and using attributes in access control decisions is commonly referred to as ABAC.</LI> <LI>As your Azure usage grows, you need to manage access with relatively <STRONG>fewer role assignments</STRONG>.</LI> </UL> <P>&nbsp;</P> <P>With this preview, you can now write ABAC conditions in Azure role assignments. An ABAC condition consists of one or more target actions and a corresponding logical expression using attributes. When a user tries to perform the targeted action in an ABAC condition, the logical expression must evaluate to true to grant access. By using attributes as additional inputs into access control decisions, you can achieve even more fine-grained access control than what RBAC offers with relatively fewer role assignments.</P> <P>&nbsp;</P> <P>Azure Storage Blob Index Tags and Azure Storage managed attributes are used as resource attributes in ABAC. 
Examples of ABAC conditions you can write include:</P> <P>&nbsp;</P> <UL> <LI>Allow Read or Write or Delete to blobs based on storage container name</LI> <LI>Allow Read if specific tags and values are present on the blob</LI> </UL> <P>&nbsp;</P> <P>We plan to expand ABAC to more Azure resources based on your feedback and will soon add support for user attributes in ABAC conditions.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><STRONG>How do you add an ABAC condition?</STRONG></H2> <P>You can add an ABAC condition to a new or existing Azure role assignment. Let me illustrate with a fictional example. Bob is an Azure subscription owner for the sales team at Contoso Corporation, a home improvement chain that sells items across lighting, appliances, and thousands of other categories.</P> <P>&nbsp;</P> <P>Daily sales reports across these categories are stored in an Azure storage container for that day ( 2021-03-24, for example) so that the central finance team members can more easily access the reports. Charlie is the Sales Manager for the lighting category and needs to be able to read the sales reports for this category in any storage container, but not other categories.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RBAC &amp; ABAC.png" style="width: 590px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280372i7CD932FCA0CC6EA8/image-size/large?v=v2&amp;px=999" role="button" title="RBAC &amp; ABAC.png" alt="RBAC &amp; ABAC.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Bob can add an ABAC condition in three steps. 
Let’s assume that the sales reports have the appropriate Blob Index Tags and values assigned and Charlie has a Storage Blob Data Reader role assignment to the “dailysales” storage account.</P> <P>&nbsp;</P> <H2><STRONG>Step 1: Navigate to the role assignment for Charlie</STRONG></H2> <P>Bob searches for Charlie’s role assignment for the “dailysales” storage account and clicks <STRONG>Add</STRONG> under the condition column.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Access Control.png" style="width: 672px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280373iCAB019E8A013814C/image-size/large?v=v2&amp;px=999" role="button" title="Access Control.png" alt="Access Control.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><STRONG>Step 2: Select the actions to which the condition should apply</STRONG></H2> <P>Bob adds a description for the condition and selects the action <STRONG>Read content from a blob with tag conditions</STRONG> to which the ABAC condition should apply.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Role Assignment.png" style="width: 672px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280374i5C66CB041BC4092B/image-size/large?v=v2&amp;px=999" role="button" title="Role Assignment.png" alt="Role Assignment.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><STRONG>Step 3: Add the expression</STRONG></H2> <P>Bob adds an expression requiring that a resource attribute named Category be equal to Lighting to allow read access.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Condition.png" style="width: 672px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280376iFDE4E56CF9431225/image-size/large?v=v2&amp;px=999" role="button" title="Condition.png" alt="Condition.png" /></span></P> <P>&nbsp;</P>
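<P>The condition Bob has just built, as an added example that is not part of this post or of Azure itself: a small Python model of how a role assignment with an ABAC condition is evaluated, covering Charlie’s Category = Lighting rule and the user-attribute variant the post says is planned. The action and role names are constructed short forms, not real Azure data actions, and the evaluation order is a simplification of the real engine.</P>

```python
"""Toy evaluator for an Azure role assignment that carries an ABAC condition.
Added example for this post, not Microsoft's or Azure's code; action and role
names are constructed short forms, and the evaluation order is simplified."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional

Attributes = Dict[str, str]
# An expression sees the blob's resource attributes (its Blob Index Tags) and
# the caller's attributes, and returns True when access should be granted.
Expression = Callable[[Attributes, Attributes], bool]

# Constructed action names standing in for the storage blob data actions, and a
# constructed stand-in for the built-in Storage Blob Data Reader role.
READ_BLOB, WRITE_BLOB, LIST_BLOBS = "blobs/read", "blobs/write", "blobs/list"
STORAGE_BLOB_DATA_READER: FrozenSet[str] = frozenset({READ_BLOB, LIST_BLOBS})


@dataclass(frozen=True)
class Condition:
    """One ABAC condition: the actions it targets plus a logical expression."""
    description: str
    target_actions: FrozenSet[str]
    expression: Expression


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # the user or group the role is assigned to
    role_actions: FrozenSet[str]
    condition: Optional[Condition] = None


def is_allowed(assignment: RoleAssignment, principal: str, action: str,
               resource: Attributes, user: Optional[Attributes] = None) -> bool:
    """RBAC first: the assignment must be for the caller and its role must
    include the action.  The condition only enters the decision when the
    action is one of its target actions; other actions keep the RBAC result."""
    if principal != assignment.principal or action not in assignment.role_actions:
        return False
    cond = assignment.condition
    if cond is None or action not in cond.target_actions:
        return True
    return cond.expression(resource, user or {})


def lighting_only() -> Condition:
    """Steps 2 and 3 of the post: target blob reads and require Category ==
    'Lighting'.  A blob with no Category tag fails the comparison, so untagged
    reports are denied rather than exposed."""
    return Condition("Charlie may only read Lighting sales reports",
                     frozenset({READ_BLOB}),
                     lambda res, _user: res.get("Category") == "Lighting")


def category_matches_user() -> Condition:
    """The planned user-attribute variant: the blob's Category tag must equal
    the caller's Category attribute, so one assignment to a group can replace
    one assignment per sales manager."""
    return Condition("Read reports whose Category matches the caller's Category",
                     frozenset({READ_BLOB}),
                     lambda res, user: "Category" in user
                     and res.get("Category") == user["Category"])


def charlie_assignment() -> RoleAssignment:
    return RoleAssignment("charlie", STORAGE_BLOB_DATA_READER, lighting_only())


def sales_group_assignment() -> RoleAssignment:
    return RoleAssignment("sales-managers", STORAGE_BLOB_DATA_READER,
                          category_matches_user())


def demo() -> Dict[str, bool]:
    """Constructed sample blobs from the 2021-03-24 container and the decision
    each assignment produces for them."""
    lighting = {"Category": "Lighting", "Date": "2021-03-24"}
    appliances = {"Category": "Appliances", "Date": "2021-03-24"}
    untagged: Attributes = {}
    charlie, group = charlie_assignment(), sales_group_assignment()
    lighting_mgr = {"Category": "Lighting"}
    grp = "sales-managers"
    return {
        "charlie reads lighting": is_allowed(charlie, "charlie", READ_BLOB, lighting),
        "charlie reads appliances": is_allowed(charlie, "charlie", READ_BLOB, appliances),
        "charlie reads untagged": is_allowed(charlie, "charlie", READ_BLOB, untagged),
        "charlie lists blobs": is_allowed(charlie, "charlie", LIST_BLOBS, appliances),
        "charlie writes lighting": is_allowed(charlie, "charlie", WRITE_BLOB, lighting),
        "lighting manager reads lighting": is_allowed(group, grp, READ_BLOB, lighting, lighting_mgr),
        "lighting manager reads appliances": is_allowed(group, grp, READ_BLOB, appliances, lighting_mgr),
        "manager without Category reads lighting": is_allowed(group, grp, READ_BLOB, lighting, {}),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{'ALLOW' if decision else 'DENY':5}  {request}")
```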
<P>&nbsp;</P> <P>Bob clicks <STRONG>Save</STRONG> to finish adding the ABAC condition to the role assignment.</P> <P>&nbsp;</P> <P>To summarize, Bob created one role assignment with an ABAC condition per user, which is equivalent to thousands of role assignments per user with RBAC alone. We also plan to add support for assigning attributes to Azure AD users and referring to those user attributes in ABAC conditions. For example, you can assign an attribute called Category to the users and then allow read access to sales reports if the user’s Category attribute value matches the blob resource’s Category attribute value. Including user attributes in ABAC conditions along with resource attributes can reduce the one role assignment per user to one role assignment for all users in an Azure AD group. Stay tuned to this blog for updates!</P> <P>&nbsp;</P> <H2><STRONG>Tools and governance</STRONG></H2> <P>This launch of ABAC supports <A href="#" target="_blank" rel="noopener">resource attributes</A> for Azure Storage (Blobs/ADLS Gen2) and several comparison <A href="#" target="_blank" rel="noopener">operators</A>. ABAC conditions are supported via <A href="#" target="_blank" rel="noopener">Azure CLI</A> and <A href="#" target="_blank" rel="noopener">PowerShell</A> as well. You can also create ABAC conditions using Azure Active Directory <A href="#" target="_blank" rel="noopener">Privileged Identity Management</A> (PIM) in eligible role assignments to enforce time limits and justifications when your users activate role assignments.</P> <P>&nbsp;</P> <P>We have several <A href="#" target="_blank" rel="noopener">examples</A> for you to get started and customize as needed. We plan to add ABAC support for more Azure resources. Try ABAC conditions for Azure Storage and let us know your <A href="#" target="_blank" rel="noopener">feedback and scenarios</A>.
&nbsp;</P> Thu, 13 May 2021 16:00:03 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/introducing-attribute-based-access-control-abac-in-azure/ba-p/2147069 skwan 2021-05-13T16:00:03Z New Azure AD Capabilities for Conditional Access and Azure VMs at RSA 2021 https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/new-azure-ad-capabilities-for-conditional-access-and-azure-vms/ba-p/1942482 <P>Howdy folks!</P> <P>&nbsp;</P> <P>We’re excited to be joining you virtually at RSA Conference 2021 next week. Security has become top-of-mind for everyone, and Identity has become central to organizations’ Zero Trust approach. Customers increasingly rely on Azure Active Directory (AD) Conditional Access to protect their users and applications from threats.</P> <P>&nbsp;</P> <P>Today, we’re announcing a powerful bundle of new Azure AD features in Conditional Access and Azure. Admins can gain even more control over access in their organizations and manage a growing number of Conditional Access policies and Azure AD authentication for virtual machines (VMs) deployed in Azure. <SPAN>These new capabilities enable a whole new set of scenarios, such as restricting access to resources from privileged access workstations or even specific countries or regions based on GPS location. And with the capability to search, sort, and filter your policies, as well as monitor recent changes to your policies you can work more efficiently. 
Lastly, you can now use Azure AD login for your Azure VMs and protect them from being compromised or used in unsanctioned ways.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>Here's a quick overview of the features we’re announcing today:</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> <H2><STRONG>Public Preview</STRONG></H2> <P><STRONG>Named locations based on GPS: </STRONG>You can now restrict access to sensitive resources from specific countries or regions based on the user’s GPS location to meet strict data compliance requirements.</P> <P><STRONG>Filters for devices condition: </STRONG>Apply granular policies based on specific device attributes using powerful rule matching to require access from devices that meet your criteria.</P> <P><STRONG>Enhanced audit logs with policy changes: </STRONG>We’ve made it easier to understand changes to your Conditional Access policies by adding the modified properties to the audit logs.</P> <P><STRONG>Azure AD login to Linux VMs in Azure:</STRONG> You can now use Azure AD login with SSH certificate-based authentication to SSH into your Linux VMs in Azure with additional protection using RBAC, Conditional Access, Privileged Identity Management and Azure Policy.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><STRONG>General Availability</STRONG></H2> <P><SPAN><STRONG>Named locations at scale: </STRONG></SPAN><SPAN>It’s now easier to create and manage IP-based named locations with support for IPv6 addresses, an increased number of ranges allowed, and additional checks for malformed addresses.</SPAN></P> <P><STRONG>Search, sort, and filter policies: </STRONG>As the number of policies in your tenant grows, we’ve made it easier to find and manage individual policies.
Search by policy name and sort and filter policies by creation/modified date and state.</P> <P><STRONG>Azure AD login for Windows VMs in Azure:</STRONG> You can now use Azure AD login to RDP to your Windows 10 and Windows Server 2019 VMs in Azure with additional protection using RBAC, Conditional Access, Privileged Identity Management and Azure Policy.</P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>We hope that these enhancements empower your organization to achieve even more with Conditional Access and Azure AD authentication. And as always, we’re listening to your feedback to make Conditional Access even better.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><STRONG>Named locations based on GPS location (Public Preview)</STRONG></H2> <P><SPAN>This capability empowers organizations to meet strict compliance regulations that limit where specific data can be accessed. Due to VPNs and other factors, determining a user’s location from their IP address is not always accurate or reliable. GPS signals enable admins to determine a user’s location with higher confidence. When the feature is enabled, users will be prompted to share their GPS location via the Microsoft Authenticator app during sign-in.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Conditional Access <A href="#" target="_blank" rel="noopener">named locations</A> are more versatile than ever with the addition of new GPS-based country locations. When selecting countries or regions to define a named location that will be used in your Conditional Access policies, you can now decide whether to determine the user’s location by their IP address or by GPS location through the Authenticator app.
This feature will be available in public preview later this month.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>To configure a GPS-based named location for Conditional Access: </SPAN></P> <OL> <LI><SPAN>Go to <STRONG>Azure AD -&gt; Security -&gt; Conditional Access -&gt; Named locations</STRONG></SPAN></LI> <LI><SPAN>Click <STRONG>+ Countries location</STRONG> to define a new named location by country or region</SPAN></LI> <LI><SPAN>Select the dropdown option to <STRONG>Determine location by GPS coordinates (Preview)</STRONG></SPAN></LI> <LI><SPAN>Select the countries you want to include in your named location and click <STRONG>Create</STRONG>. </SPAN></LI> </OL> <P><SPAN>&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Conditional Access.png" style="width: 709px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280010iEE922DD0AEDA1257/image-size/large?v=v2&amp;px=999" role="button" title="Conditional Access.png" alt="Conditional Access.png" /></span></P> <P>&nbsp;</P> <P><SPAN>Once you’ve created a GPS-based country named location, you can use Conditional Access to restrict access to selected applications for sign-ins within the named location. In the locations condition of the policy, select the named locations where you want your policy to apply. </SPAN></P> <P><SPAN>When users sign in, they’ll be asked to share their GPS location through the Authenticator app to access applications in scope of the policy. </SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Share Location.PNG" style="width: 795px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280012i4FA594DABEA1E63C/image-size/large?v=v2&amp;px=999" role="button" title="Share Location.PNG" alt="Share Location.PNG" /></span></P> <P><SPAN><EM>At left, users are asked in the browser to share their location.
At right, users are prompted in the Authenticator app to share their location.</EM></SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><STRONG>Filters for devices (Public Preview)</STRONG></H2> <P><SPAN>Next, we’re excited to release a powerful new Filters for devices condition. With filters for devices, security admins can take protection of their corporate resources to the next level by targeting Conditional Access policies to a set of devices based on device attributes. This capability unlocks a plethora of new scenarios we have envisioned and heard from customers, such as restricting access to privileged resources from privileged access workstations. Additionally, organizations can leverage the device filters condition to secure use of Surface Hubs, Teams phones, Teams meeting rooms, and all sorts of IoT devices. Filters were built with a consistent and familiar rule authoring experience for admins who use Azure AD dynamic device groups or are discovering the new <A href="#" target="_self">filters capability in Microsoft Endpoint Manager</A>.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>In addition to the built-in device properties such as device ID, display name, model, MDM app ID, and more, we’ve provided support for up to 15 additional extension attributes. Using the rule builder, admins can easily build device matching rules using Boolean logic, or they can edit the rule syntax directly to unlock even more sophisticated matching rules. We’re excited to see what scenarios this new condition unlocks for your organization!
This feature will be available before end of this month.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Filters for Devices.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280015i1C41D62E8B4D314A/image-size/large?v=v2&amp;px=999" role="button" title="Filters for Devices.png" alt="Filters for Devices.png" /></span>&nbsp;</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><STRONG>Enhanced Conditional Access audit logs with policy changes (Public Preview)</STRONG></H2> <P><SPAN>Another important aspect of managing Conditional Access is understanding changes to your policies over time. Policy changes may cause disruptions for your end users, so maintaining a log of changes and enabling admins to revert to previous policy versions is critical. Today, we’re announcing that in addition to showing who made a policy change and when, the audit logs will also contain a modified properties value so that admins have greater visibility into what assignments, conditions, or controls changed. Check it out today!</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Enhanced Conditional Access.png" style="width: 690px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280022i85793E820397472A/image-size/large?v=v2&amp;px=999" role="button" title="Enhanced Conditional Access.png" alt="Enhanced Conditional Access.png" /></span></P> <P>&nbsp;</P> <P><SPAN>If you want to revert to a previous version of a policy, you can copy the JSON representation of the old version and use the Conditional Access APIs to quickly change the policy back to its previous state. 
This is just the first step towards giving admins greater back-up and restore capabilities in Conditional Access.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><STRONG>Named locations at scale (General Availability)</STRONG></H2> <P><SPAN>We’re also announcing the general availability for IPv6 address support in Conditional Access <A href="#" target="_blank" rel="noopener">named locations</A>. We’ve made a bunch of exciting improvements including:</SPAN></P> <P>&nbsp;</P> <UL> <LI><SPAN>Added the capability to <STRONG>define IPv6 address ranges</STRONG>, in addition to IPv4</SPAN></LI> <LI><SPAN><STRONG>Increased limit of named locations</STRONG></SPAN><SPAN> from 90 to 195</SPAN></LI> <LI><SPAN><STRONG>Increased limit of IP ranges per named location</STRONG></SPAN><SPAN> from 1200 to 2000</SPAN></LI> <LI><SPAN>Added capabilities to <STRONG>search</STRONG> and <STRONG>sort</STRONG> named locations and <STRONG>filter</STRONG> by location type and trust type</SPAN></LI> </UL> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>Additionally, to prevent admins from defining problematic named locations, we’ve added additional checks to reduce the chance of misconfiguration:</SPAN></P> <P>&nbsp;</P> <UL> <LI><SPAN>Private IP ranges can no longer be configured</SPAN></LI> <LI><SPAN>Overly large CIDR masks are prevented (prefix must be from /8 to /32)</SPAN></LI> </UL> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>As a result of these improvements, admins can define more accurate boundaries for their Conditional Access policies, increasing Conditional Access coverage and reducing misconfigurations and support cases. 
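<P>The named-location checks just listed, as an added example that is not part of this post or of Azure AD itself: a Python validator that applies them to a named-location definition locally, before it is submitted. The 2000-range limit and the /8 to /32 prefix bounds come from the post; leaving IPv6 prefix length unbounded is an assumption, since the post states no IPv6 bounds.</P>

```python
"""Pre-validate the IP ranges of a Conditional Access named location.
Added example for this post, not Microsoft's code: it applies the checks the
post describes locally, so a bad definition is caught before it is submitted."""
import ipaddress
from typing import Dict, List, Tuple

# Limits stated in the post.
MAX_RANGES_PER_LOCATION = 2000
MIN_IPV4_PREFIX, MAX_IPV4_PREFIX = 8, 32
# Assumption: the post gives prefix bounds for IPv4 only, so IPv6 entries are
# checked here for well-formedness and private ranges but not prefix length.


def check_range(cidr: str) -> Tuple[bool, str]:
    """Return (accepted, detail): the normalised network when accepted, or
    the rejection reason otherwise."""
    try:
        # strict=False clears host bits ("10.1.2.3/8" -> 10.0.0.0/8); anything
        # that is not an address with an optional prefix raises ValueError.
        network = ipaddress.ip_network(cidr.strip(), strict=False)
    except ValueError:
        return False, "malformed address or prefix"
    if network.version == 4 and not (
            MIN_IPV4_PREFIX <= network.prefixlen <= MAX_IPV4_PREFIX):
        return False, f"IPv4 prefix /{network.prefixlen} outside /8-/32"
    if network.is_private:
        # RFC 1918 and IPv6 unique-local space never describe a client as the
        # cloud service sees it, so a trusted location built from it is a
        # misconfiguration rather than a boundary.
        return False, "private range"
    return True, str(network)


def validate_named_location(ranges: List[str]) -> Dict[str, list]:
    """Check a whole named location: per-range checks, duplicates collapsed
    after normalisation, and the per-location range limit."""
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for cidr in ranges:
        ok, detail = check_range(cidr)
        if not ok:
            rejected.append((cidr, detail))
        elif detail in accepted:
            rejected.append((cidr, f"duplicate of {detail}"))
        elif len(accepted) >= MAX_RANGES_PER_LOCATION:
            rejected.append((cidr, f"exceeds {MAX_RANGES_PER_LOCATION} ranges"))
        else:
            accepted.append(detail)
    return {"accepted": accepted, "rejected": rejected}


# Constructed sample definition mixing valid, private, malformed and oversized entries.
SAMPLE_RANGES = [
    "1.2.3.0/24",       # constructed public IPv4 range
    "1.2.3.77/24",      # same network with host bits set: duplicate once normalised
    "10.0.0.0/8",       # RFC 1918 space, rejected as private
    "1.0.0.0/7",        # prefix shorter than the /8 floor
    "1.2.3.0/33",       # impossible IPv4 prefix, rejected as malformed
    "2400:1234::/32",   # constructed public IPv6 range, accepted now that IPv6 is supported
    "fd12:3456::/48",   # IPv6 unique-local space, rejected as private
    "not-an-address",
]

if __name__ == "__main__":
    result = validate_named_location(SAMPLE_RANGES)
    for net in result["accepted"]:
        print(f"accepted  {net}")
    for cidr, reason in result["rejected"]:
        print(f"rejected  {cidr}: {reason}")
```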
</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Named Locations.png" style="width: 705px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280024iDC825C5DEE138D04/image-size/large?v=v2&amp;px=999" role="button" title="Named Locations.png" alt="Named Locations.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><STRONG>Search, sort, and filter policies (General Availability)</STRONG></H2> <P><SPAN>We know that as you deploy more Conditional Access policies, managing a growing list of policies can become more difficult. That’s why we’re excited to give admins the ability to search policies by name, and sort and filter policies by state and creation/modified date. Also, as part of General Availability we will be gradually rolling out the feature to Government clouds. Say goodbye to scrolling through a long list of policies!</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Policies.png" style="width: 688px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280027iF16FF680D8115570/image-size/large?v=v2&amp;px=999" role="button" title="Policies.png" alt="Policies.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><STRONG>Azure AD login for Azure VMs (General Availability - Windows, Preview Update - Linux)</STRONG></H2> <P><SPAN>Organizations deploying virtual machines (VMs) in the cloud face a common challenge: how to securely manage the accounts and credentials used to log in to these VMs. To protect your VMs from being compromised or used in unsanctioned ways, we are excited to announce </SPAN><A href="#" target="_blank" rel="noopener">General Availability of Azure AD login for Azure Windows 10 and Windows Server 2019 VMs</A><SPAN>.
Additionally, we are also announcing an </SPAN><A href="#" target="_blank" rel="noopener">update to preview of Azure AD login for Azure Linux VMs</A><SPAN>. These features are now available in Azure Global and will be available in Azure Government and China clouds before the end of this month.</SPAN></P> <P>&nbsp;</P> <P><SPAN>With the preview update for Azure Linux VMs, you can use either user or service principal-based Azure AD login with SSH certificate-based authentication for all major Linux distributions. As a result, you don’t need to worry about credential lifecycle management since you no longer need to provision local accounts or SSH keys. And with Azure RBAC, you can authorize who should have access to your VMs and whether they get administrator or standard user permissions. </SPAN></P> <P><SPAN>Using Conditional Access, you can require MFA or managed devices and prevent risky sign-ins to your VMs. Additionally, you can deploy Azure Policies to require Azure AD login if it wasn’t enabled during VM creation. You can also audit existing VMs where Azure AD login isn’t enabled, and track VMs when a non-approved local account is detected on the machine.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Virtual Machine.png" style="width: 921px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280029i6749245E160B8374/image-size/large?v=v2&amp;px=999" role="button" title="Virtual Machine.png" alt="Virtual Machine.png" /></span></P> <P>&nbsp;</P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>We hope that these new Azure AD capabilities in Conditional Access and Azure make it even easier to secure your organization and unlock a new wave of scenarios for your organization. </SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>As always, join the conversation in the Microsoft Tech Community and share your feedback and suggestions with us. 
We build the best products when we listen to our customers!</SPAN></P> <P><SPAN><BR />Best regards, </SPAN></P> <P><SPAN>Alex Simons (@Alex_A_Simons)</SPAN></P> <P><SPAN>Corporate VP of Program Management</SPAN></P> <P><SPAN>Microsoft Identity Division</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the<SPAN>&nbsp;</SPAN></EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>Twitter</EM></A><EM><SPAN>&nbsp;</SPAN>and<SPAN>&nbsp;</SPAN></EM><EM><A href="#" target="_blank" rel="noopener nofollow noreferrer">LinkedIn</A></EM></LI> <LI><EM>Share product suggestions on the<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>Azure Feedback Forum</EM></A></LI> </UL> Wed, 12 May 2021 16:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/new-azure-ad-capabilities-for-conditional-access-and-azure-vms/ba-p/1942482 Alex Simons (AZURE) 2021-05-12T16:00:00Z Gogo soars through industry contraction by switching to Azure AD https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/gogo-soars-through-industry-contraction-by-switching-to-azure-ad/ba-p/2115722 <P><EM>Hello! In today’s “Voice of the Customer” blog, Chris Szorc, Director of IT Engineering for Gogo, explains how the company cut costs and streamlined their identity and access management as the pandemic was grounding their airline partners, drying up revenue, and forcing thousands of employees to work remotely. 
By leveraging their existing Azure subscription, Chris and her IT team were able to migrate thousands of internal and external users to Microsoft Azure Active Directory for simplified, secure access across their enterprise.</EM></P> <P><EM>&nbsp;</EM></P> <P><EM>Editor’s Note:</EM></P> <P>This story began in May 2020 when Gogo served both Commercial Aviation and Business Aviation. In December 2020, Gogo’s Commercial Aviation business was sold to Intelsat. As a result, the structure and business model has changed drastically for Gogo, which now has approximately 350 employees and is solely focused on serving Business Aviation.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>How to cut costs and simplify IAM during hard times</H2> <P><STRONG>By </STRONG><STRONG>Chris Szorc, Director of IT Engineering for Gogo</STRONG></P> <P>In 2020, <A href="#" target="_blank" rel="noopener">Gogo</A> was a provider of in-flight broadband internet services for commercial and business aircraft. We were based in Chicago, Illinois with 1,100 employees, and at the time we equipped more than 2,500 commercial and 6,600 business aircraft with onboard Wi-Fi services, including 2Ku, our latest in-flight satellite-based Wi-Fi technology.</P> <P>&nbsp;</P> <P>As we all know, 2020 wasn’t a great year for the airline industry. Last May, the pandemic had drastically shrunk our revenue, forcing the company to cut costs wherever possible. A looming three-year renewal contract with Okta prompted my IT team to consider bringing all our identity and access management (IAM) under the Microsoft umbrella to cut costs and simplify access.</P> <P>&nbsp;</P> <H2>Favor security and simplicity</H2> <P>Pulling off a major migration to <A href="#" target="_blank" rel="noopener">Microsoft Azure Active Directory</A> (Azure AD)—when the IT team is shorthanded and working remotely—would be a challenge for anyone. For my team, the first consideration was security. 
We had to protect our PCI (payment card industry) status, as well as the custom apps that we create with our airline partners. We certify ourselves with ISO (International Organization for Standardization), and we pass our SOX (Sarbanes-Oxley Act) audits every year. As it happened, Deloitte was reviewing us, so the industry certifications for Azure AD and <A href="#" target="_blank" rel="noopener">Microsoft 365</A> helped maintain our security standing as well. We made sure to get the most from our Microsoft agreement—including all the security tools in the <A href="#" target="_blank" rel="noopener">Microsoft Azure</A> tool set.</P> <P>&nbsp;</P> <P>We were already using on-premises Active Directory, but we wanted a hybrid cloud identity model for the seamless <A href="#" target="_blank" rel="noopener">single sign-on (SSO)</A> experience for our users and applications. We collaborate with a lot of airlines and contractors, so hybrid access fits our model. Like us, you might see migration as an opportunity to reduce the number of redundant apps in your user base. At Gogo, we went app by app, figuring out how people were using each of them, and we saw that Microsoft could cover <A href="#" target="_blank" rel="noopener">data analytics</A> among other business functions, as well as IAM.</P> <P>&nbsp;</P> <P>We were able to further consolidate and simplify by adopting the full <A href="#" target="_blank" rel="noopener">Microsoft 365 suite of productivity tools</A>. <A href="#" target="_blank" rel="noopener">Microsoft Teams</A>, in particular, was a hit with users. People were working from home because of the pandemic, and discovered they preferred Teams over Skype.
Once our people started asking for it, that gave us the green light to roll out Teams companywide as a unified platform for online meetings, document sharing, and more.</P> <P>&nbsp;</P> <H2>Make use of vendor support</H2> <P>Times were tough enough already; we couldn’t allow migrating our multifactor authentication from Okta to Azure AD to disrupt workflow. We knew we couldn't overwhelm our help desk with calls and tickets, so we chose to make the migration in waves of 100 users at a time.</P> <P>&nbsp;</P> <P>My advice—take advantage of all the technical support that’s available. After all, it's not as if you’ll have a complete test environment to train yourself. You have your production identity, domain, and your services—multifactor authentication, <A href="#" target="_blank" rel="noopener">conditional access</A>, sign-in—and if you don't do it right, you're severely impacting people.</P> <P>&nbsp;</P> <P>No matter how qualified your IT team is, there’s a wealth of knowledge that a good vendor can provide. <A href="#" target="_blank" rel="noopener">Microsoft FastTrack</A> was included with our Azure AD subscription. We also used <A href="#" target="_blank" rel="noopener">Netrix</A> for guidance on bringing the migration in on time. FastTrack helped us know where to put people and how to organize—their entire mission is built around helping you complete a successful migration.</P> <P>&nbsp;</P> <P>FastTrack also helped us untangle previous IAM implementations that were set up before my team was hired. They showed us where Okta Verify could be replaced with the latest best practices in multifactor authentication, enabling us to deliver simplified, up-to-date security with Azure AD.
That’s the kind of issue you rarely anticipate during a migration, and it’s one where the right support proves invaluable.</P> <P>&nbsp;</P> <H2>Ensure maximum ROI</H2> <P>At Gogo, we’re already enjoying the advantages that come with unifying our IAM for simplicity and maximum return on investment (ROI). Since adopting Teams and other Microsoft 365 apps, we’ve been able to drop other services like Box and Okta—that saves the company money.</P> <P>&nbsp;</P> <P>We’re doing federated sharing with <A href="#" target="_blank" rel="noopener">Microsoft Exchange Online</A>, sharing calendars with partner tenants, which has been great for planning meetings. We do entitlement management to set up catalog access packages with expiration policies, to stage workflow and access reviews for vendors and collaborators, rather than give them identities in our Gogo directory.</P> <P>&nbsp;</P> <P>Our IT team seized on migration as an opportunity to implement Azure AD’s <A href="#" target="_blank" rel="noopener">self-service password reset</A> feature, which allows users to reset their password without involving the help desk. The decision to simplify your IAM solution will likely pay off in more ways than you can anticipate. We accomplished more than just a migration from Okta to Azure AD; Microsoft helped us streamline our IT services and provided us with direction for future improvements.</P> <P>&nbsp;</P> <H2>Learn more</H2> <P><EM>I hope Gogo’s story of undertaking a daunting migration during tough times serves as inspiration for your organization. 
To learn more about our customers’ experiences, take a look at the other stories in the “Voice of the Customer” series.</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 07 May 2021 16:21:23 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/gogo-soars-through-industry-contraction-by-switching-to-azure-ad/ba-p/2115722 Sue Bohn 2021-05-07T16:21:23Z April identity updates https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/april-identity-updates/ba-p/1994707 <P>Howdy folks,</P> <P>&nbsp;</P> <P>I’m excited to share the latest Azure Active Directory news, including feature updates, support deprecation, and the general availability of new features that will streamline administrator, developer, and end user experiences.
These new features and feature updates show our commitment to simplifying identity and access management, while also enhancing the kinds of customization and controls our customers need.</P> <P>&nbsp;</P> <H4><STRONG>New features</STRONG></H4> <UL> <LI><STRONG>Additional service and client support for Continuous Access Evaluation (CAE) –</STRONG> The MS Graph service and OneDrive clients on all platforms (Windows, Web, Mac, iOS, and Android) began supporting CAE at the beginning of April. Now OneDrive client access can be terminated immediately after security events, like session revocation or password reset, if you have CAE <A href="#" target="_blank" rel="noopener">enabled</A> in your tenant.</LI> </UL> <P>&nbsp;</P> <UL> <LI><STRONG>Embed Azure AD B2C sign-in interface in an iframe (Preview)</STRONG>: Customers have told us how jarring it is to do a full-page redirect when users authenticate. Using a custom policy, you can now embed the Azure AD B2C experience within an iframe so that it appears seamlessly within your web application. Learn more in the <A href="#" target="_blank" rel="noopener">documentation</A>.</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="B2C iframe.png" style="width: 898px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275178i79A047ACC8FB7501/image-size/large?v=v2&amp;px=999" role="button" title="B2C iframe.png" alt="B2C iframe.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <UL> <LI><STRONG>Custom email verification for Azure AD B2C (GA): </STRONG>You can send customized email to users who sign up to use your customer applications, with a third-party email provider such as Mailjet or SendGrid. Using an Azure AD B2C custom policy, you can set up an email template, From: address, and subject, as well as support localization and custom one-time password (OTP) settings.
Learn more in the documentation.</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="B2customemail.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275177iA4284EADB546FD96/image-size/large?v=v2&amp;px=999" role="button" title="B2customemail.png" alt="B2customemail.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>We’re always looking to improve Azure AD in ways that benefit IT and end users. Often, these updates originate with the suggestions of users of the solution. We’d love to hear your feedback or suggestions for new features or feature updates in the comments or on Twitter (</SPAN><A href="#" target="_blank" rel="noopener"><SPAN>@AzureAD</SPAN></A><SPAN>). </SPAN></P> <P><BR /><SPAN>Alex Simons (</SPAN><A href="#" target="_blank" rel="noopener"><SPAN>@Alex_A_Simons</SPAN></A><SPAN>)</SPAN></P> <P><SPAN>Corporate VP of Program Management</SPAN></P> <P><SPAN>Microsoft Identity Division</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 19 Aug 2021 23:22:55 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/april-identity-updates/ba-p/1994707 Alex Simons (AZURE) 2021-08-19T23:22:55Z Introducing custom domains
and Australia expansion for Azure Active Directory B2C https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/introducing-custom-domains-and-australia-expansion-for-azure/ba-p/2147075 <P><SPAN>Hello friends,</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>Since </SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/azure-active-directory-external-identities-is-generally/ba-p/2147080" target="_blank" rel="noopener">my last update</A><SPAN>, the Azure Active Directory (Azure AD) External Identities team has been focused on delivering so many exciting new features that I can’t wait to share. Here are two that we’re releasing today: <STRONG>Now, Azure AD B2C developers can create custom domains for B2C user experiences with Azure Front Door; and public preview of Azure AD B2C in Australia allows organizations there to optimize their customer experiences.</STRONG> These two updates represent Microsoft’s ongoing commitment to making it easier for organizations to deliver experiences to employees, partners, and customers.</SPAN></P> <P>&nbsp;</P> <H1>Self-service custom domains</H1> <P>Customer experiences should reflect your company’s brand from start to finish – even when users are redirected to authenticate. Now, Azure AD B2C developers worldwide can set up a <STRONG>custom domain name</STRONG> through a self-service process, which is possible via integration with <A href="#" target="_blank" rel="noopener">Azure Front Door</A>. Instead of redirecting users to a generic Azure AD B2C&nbsp;domain (e.g., contoso.b2clogin.com), you can direct users to a&nbsp;custom domain specified by you (e.g., login.contoso.com) for a more seamless, branded experience.</P> <P>&nbsp;</P> <P>Setting up custom domains for Azure AD B2C with Azure Front Door is seamless and works with both standard and custom user flows. 
You can learn more on how to set it up in our <A href="#" target="_blank" rel="noopener">documentation</A>.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="B2C Custom Domains.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/271229iAD7E35E26145360C/image-size/large?v=v2&amp;px=999" role="button" title="B2C Custom Domains.png" alt="B2C Custom Domains.png" /></span></P> <P><EM style="font-family: inherit;">Instead of redirecting to contoso.b2clogin.com, Azure AD B2C displays a custom domain name specified by the app owner.</EM></P> <P><EM>&nbsp;</EM></P> <H1>Expanded availability in Australia</H1> <P>Starting today, Azure AD B2C tenants are available in <STRONG>public preview in Australia</STRONG>. This enables organizations to access all the capabilities of our global Azure AD B2C service, with the added benefit of being able to store B2C user data within Australia. In addition, apps hosted in Australia will avoid latency in the identity experience since the service is hosted on the same side of the world.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Australia.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/271231i3621E1A9F715FAD8/image-size/large?v=v2&amp;px=999" role="button" title="Australia.png" alt="Australia.png" /></span></P> <DIV><EM>Create a tenant in Australia.</EM></DIV> <P>&nbsp;</P> <P>&nbsp;</P> <P>Existing Azure customers in Australia and New Zealand can try it out by going to the <A href="#" target="_blank" rel="noopener">Azure portal in Australia</A> and searching for <STRONG>B2C</STRONG>. 
New customers can try it out by choosing Australia or New Zealand as the Country/Region when creating a new Azure AD B2C tenant.</P> <P>&nbsp;</P> <P>We love hearing from you, so keep trying new features and sharing feedback through the Azure forum or by following <A href="#" target="_blank" rel="noopener">@AzureAD</A> on Twitter.</P> <P>&nbsp;</P> Mon, 07 Jun 2021 15:42:43 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/introducing-custom-domains-and-australia-expansion-for-azure/ba-p/2147075 Robin Goldstein 2021-06-07T15:42:43Z WhoIAM: Enabling inclusive security through identity protection and fraud prevention https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/whoiam-enabling-inclusive-security-through-identity-protection/ba-p/1751670 <P><EM>Greetings,</EM></P> <P>&nbsp;</P> <P><EM>This is Sue Bohn, Director of Program Management for Identity and Access Management. 
In this Voice of the Partner blog post, we’ve invited Ajith Alexander, Head of Product Management at WhoIAM, a leading identity and access management (IAM) company, to share his experience around providing a more accessible, secure authentication and identity management solution leveraging the Microsoft Azure Active Directory platform for big-brand consumer businesses across the world.</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <H5><FONT size="6">Enabling inclusive security with Azure Active Directory</FONT><BR /><FONT size="4">by Ajith Alexander, Head of Product Management at WhoIAM</FONT></H5> <P>&nbsp;</P> <P><SPAN>WhoIAM is headquartered in Bellevue, Washington, with engineering teams in the United Kingdom, South America, India, and here in the Pacific Northwest. Our team is focused on addressing the evolving challenges of identity security, working with clients to provide customized biometric and hardware-based authentication methods that fit their unique business needs.</SPAN></P> <P>&nbsp;</P> <P><SPAN>WhoIAM operates simultaneously as both a systems integrator and an independent software vendor (ISV). As a systems integrator, we rely heavily on the Microsoft Identity Platform, including </SPAN><A href="#" target="_blank" rel="noopener">Microsoft Azure Active Directory</A><SPAN> (Azure AD) and </SPAN><A href="#" target="_blank" rel="noopener">External Identities</A>. <SPAN>We mostly work with government clients and large consumer brands, helping them critically evaluate their current </SPAN><A href="#" target="_blank" rel="noopener">customer identity and access management (CIAM)</A><SPAN> architecture to better secure their end users’ identities, as well as upgrade the company’s digital ID solutions. 
As an ISV, we build customized CIAM extensibility apps that fill critical gaps for our clients.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <H4><FONT size="5">The market landscape per WhoIAM</FONT></H4> <P><SPAN>The global CIAM software market is projected to grow from USD 7.5 billion in 2020 to </SPAN><A href="#" target="_blank" rel="noopener">15.3 billion by 2025</A><SPAN>. Today’s consumers expect companies to protect their personal information, and to do so in a way that won’t inconvenience or frustrate them. Our clients come to us because they have a brand that needs protecting, and part of their brand value hinges on providing seamless security. We help them deliver on their brand promise by using a carefully orchestrated combination of Azure AD External Identities for their CIAM needs, </SPAN><A href="#" target="_blank" rel="noopener">Dynamics Fraud Protection</A> <SPAN>for account/payment protection</SPAN><SPAN> and network penetration testing, and our own </SPAN><A href="#" target="_blank" rel="noopener">biometric and hardware-based authentication methods</A><SPAN> using WhoIAM’s </SPAN><A href="#" target="_blank" rel="noopener">Branded Identity Management System (BRIMS)</A><SPAN>.</SPAN></P> <P>&nbsp;</P> <P>We work across multiple industries. In the government space, we work with <SPAN>agencies who need to protect their services from fraudulent use, such as during enrollment for health or unemployment insurance. </SPAN>In the private sector, we work with clients in the airline industry, big restaurant chains, and other big brands. 
Typically, these companies have millions of end users and many B2B relationships as well; therefore, they need support around preventing fraudulent transactions as well as secure payment processing.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H4><FONT size="5"><SPAN>The challenge: Inclusive security</SPAN></FONT></H4> <P><SPAN>IT decision-makers are usually quite tuned in to the challenges around the cost of acquiring new customers, keeping user data secure, and managing infrastructure costs. However, large groups of users are often left behind because of an inherent set of biases in identity security.</SPAN></P> <P>&nbsp;</P> <P><SPAN>For instance, authenticator apps, while secure, require a reasonably tech-savvy user. On-device biometrics such as a fingerprint sensor or retina scan create a dependency on newer, more powerful hardware. SMS-based MFA, while more readily available, is expensive both to our client and their end customers and is considered less secure than other authentication factors. Even onscreen identity verification challenges tend to be biased towards English speakers who don’t have visual impairments. Asking a non-native speaker to solve a CAPTCHA that identifies all “sidewalks” or “stop lights” often does not translate well, and CAPTCHAs are historically a poor option for the visually impaired.</SPAN></P> <P>&nbsp;</P> <P><SPAN>While these are important factors to solve for, consumer brands still have to strike the right balance between </SPAN>security, cost, and usability<SPAN>. Here are some of the important litmus-test questions we ask our clients as they adapt their user-identity strategy to be more inclusive:</SPAN></P> <P>&nbsp;</P> <UL> <LI><SPAN>What are the added costs of implementing a new authentication factor?</SPAN></LI> <LI><SPAN>How disruptive—how many users do you risk losing because of changes to your existing sign-up or sign-in process? 
</SPAN></LI> <LI><SPAN>Is there a specific group of users who are unfairly impacted by your current set of authentication factors? Are there alternative authentication factors you can present to such users?</SPAN></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <H4><FONT size="5"><SPAN>Solution: Azure AD B2C, Dynamics Fraud Protection, and BRIMS</SPAN></FONT></H4> <P>We use a layered approach of <A href="#" target="_blank" rel="noopener">Azure AD B2C</A>, Dynamics Fraud Protection, and BRIMS to learn as much as we can about the user and their specific scenario or situation up front. We then make in-flight decisions on authentication factors as they sign up or sign in to an app or site.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Branded Management System.png" style="width: 543px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/268387iF0FFE138CA6D7AAE/image-dimensions/543x352?v=v2" width="543" height="352" role="button" title="Branded Management System.png" alt="Branded Management System.png" /></span></P> <P><EM><FONT size="3">Figure 2: WhoIAM BRIMS (Branded Identity Management System) runs on Azure AD</FONT></EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>To begin, we use Dynamics Fraud Protection’s <A href="#" target="_blank" rel="noopener">device fingerprinting</A> <SPAN>and risk detection, which works by embedding a small piece of JavaScript on an app’s pages. We use Fraud Protection’s scores</SPAN> to get two broad categories of assessments even before a user begins an authentication journey<SPAN>:</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <OL> <LI><SPAN><STRONG>Per-transaction assessments:</STRONG></SPAN><SPAN> These help us examine each access request individually, evaluating the likelihood of the transaction being a bot, as well as determining the type of device and the location from which the connection originates. 
</SPAN></LI> <LI><SPAN><STRONG>Macro-trends-based assessments:</STRONG></SPAN> We’re also able to keep track of metrics, <SPAN>such as users experiencing low completion rates for authentication.</SPAN></LI> </OL> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>Subsequently, during authentication, Azure AD B2C calls an intermediate API that checks Fraud Protection’s rules engine, as well as the individual user’s risk scoring, and then responds back. </SPAN><SPAN>Combined with </SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/azure-active-directory-external-identities-goes-premium-with/ba-p/1604572" target="_blank" rel="noopener">Azure AD Identity Protection</A><SPAN>, this information</SPAN><SPAN> enables us to configure rules so that Azure AD B2C can present authentication journeys that are aware of the user’s specific scenarios as they attempt to interact with an application. Being able to identify a user as low-risk for being a bot allows us to bypass an unnecessary human-or-not check that may have inclusivity challenges. Similarly, being able to spot groups of users with low authentication completion rates can be used to identify issues such as an inability to understand the on-screen instructions, or not knowing how to interact with complex hardware capabilities on their device.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Using </SPAN><A href="#" target="_blank" rel="noopener">voice biometrics</A><SPAN> for verification </SPAN><SPAN>is also a powerful tool for implementing inclusive security. Human voices are readily available, can be recorded in a contactless way, and do not require specialized hardware. Our voice carries an imprint of our identity that comes through regardless of what we’re saying, what language we’re speaking, or where we’re speaking from. 
This makes voice biometrics an ideal choice for catering to users who are visually impaired, have difficulty reading or understanding a language, don’t have access to a dedicated personal device (residents at assisted-living communities, shift-workers), or live in less developed areas that rely on fixed phone lines. </SPAN></P> <P>&nbsp;</P> <P data-unlink="true"><SPAN>For such users, we enable BRIMS voice biometrics, which relies on</SPAN> Deep Neural Networks (DNN)-based speaker recognition technologies <A href="#" target="_self">developed by our partner, Oxford Wave Research</A>. For voice biometrics to work accurately, we need a short recording of a person’s speech. BRIMS uses a combination of speaker recognition (who said it) and automatic speech recognition (what did they say) to accurately identify a user. For the visually impaired, we prompt the user to respond to a knowledge-based question, such as their name, employee ID, or their favorite city. For other users who have difficulty reading an onscreen prompt due to a language barrier, we present an image for them to describe instead. Creatively solving for flexible, inclusive user verification ensures we can log in previously marginalized customers <SPAN>securely without identity verification being a frustrating experience.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <H4><FONT size="5"><SPAN>Results: Azure AD and Dynamics Fraud Protection help us compete</SPAN></FONT></H4> <P><SPAN>For WhoIAM, betting on the Microsoft Identity Platform makes a lot of sense, and we’re looking to expand our footprint in Azure to achieve our goal of inclusive security. Because of Azure AD B2C’s design flexibility with its policy engine,</SPAN><SPAN> and</SPAN><SPAN> Dynamics Fraud Protection’s customer signaling from sign-in to sign-out, we’re able </SPAN>to weave in full-circle alerting and real-time decision making. This enables us to present our clients with strong security that’s both inclusive and affordable<SPAN>. 
Additionally, the availability of the entire Azure stack across </SPAN><A href="#" target="_blank" rel="noopener">Azure Key Vault</A><SPAN>, </SPAN><A href="#" target="_blank" rel="noopener">Azure App Service</A><SPAN>, </SPAN><A href="#" target="_blank" rel="noopener">Azure Cosmos DB</A><SPAN> and a whole slew of complementary products on the same Azure subscription is invaluable. This makes it easy for us to put together highly customized identity architectures for our clients while using Azure as a one-stop shop. </SPAN></P> <P>&nbsp;</P> Thu, 08 Apr 2021 16:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/whoiam-enabling-inclusive-security-through-identity-protection/ba-p/1751670 Sue Bohn 2021-04-08T16:00:00Z Confidently modernize to cloud authentication with Azure AD staged rollout, now generally available https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/confidently-modernize-to-cloud-authentication-with-azure-ad/ba-p/1994709 <P>Howdy folks,</P> <P>&nbsp;</P> <P>I’m excited to announce&nbsp;that <A href="#" target="_blank" rel="noopener">staged rollout</A> to cloud authentication is now generally available!&nbsp;This feature&nbsp;allows you to 
selectively test groups of users with cloud authentication methods, such as <A href="#" target="_blank" rel="noopener">pass-through authentication</A> (PTA) or <A href="#" target="_blank" rel="noopener">password hash sync</A> (PHS), while all other users in the federated domains continue to use federation services, such as AD FS, Ping Federate, Okta, or any other federation service, to authenticate users.</P> <P>&nbsp;</P> <P>Moving your Azure AD authentication from federation services to the cloud allows you to manage user and device sign-in from a single control plane in Azure AD. Some of the benefits of using cloud authentication include reducing the dependency on on-premises infrastructure, which typically includes a farm of servers and proxies that need to be accessible from the&nbsp;internet. In addition, you can take advantage of security capabilities like Azure&nbsp;AD multifactor authentication (MFA), Conditional Access, Identity Protection for leaked credentials, Identity Governance, and more.</P> <P>&nbsp;</P> <P>New with the general availability, we’ve added the ability to monitor the users and groups added to or removed from staged rollout, and user sign-ins while in staged rollout, using the new Hybrid Auth workbooks in the Azure portal.&nbsp; In addition, we’ve built a <A href="#" target="_blank" rel="noopener">staged rollout interactive guide</A> to help you learn more and deploy this feature.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="&nbsp;Hybrid Auth workbook.png" style="width: 753px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269489iC542F6CBBD70C383/image-size/large?v=v2&amp;px=999" role="button" title="&nbsp;Hybrid Auth workbook.png" alt="&nbsp;Hybrid Auth workbook.png" /></span></P> <P><EM>Hybrid Auth workbook</EM></P> <P><SPAN>&nbsp;</SPAN></P> <P>As always, we’d love to hear your feedback or suggestions in the comments or on Twitter (<A 
href="#" target="_blank" rel="noopener">@AzureAD</A>).</P> <P><BR />Alex Simons (<A href="#" target="_blank" rel="noopener">@Alex_A_Simons</A>)</P> <P>Corporate VP of Program Management</P> <P>Microsoft Identity Division</P> <P><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> Mon, 05 Apr 2021 20:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/confidently-modernize-to-cloud-authentication-with-azure-ad/ba-p/1994709 Alex Simons (AZURE) 2021-04-05T20:00:00Z Announcing Azure AD Verifiable Credentials https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/announcing-azure-ad-verifiable-credentials/ba-p/1994711 <P><SPAN>Howdy folks,</SPAN></P> <P>&nbsp;</P> <P>We started on a <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/decentralized-digital-identities-and-blockchain-the-future-as-we/ba-p/1994714" target="_blank" rel="noopener">journey with the open standards community</A> to empower everyone to own and control their own identity. I’m thrilled to share that we’ve achieved a major milestone in making this vision real. 
Today we’re announcing that the <STRONG>public preview for Azure AD verifiable credentials is now available: </STRONG>organizations can empower users to control credentials that manage access to their information.</P> <P>&nbsp;</P> <P>This blog post provides an overview of our standards-based platform, and the first solution we’ve built on that platform, which enables a new form of identity verification. We’re also sharing lessons learned from customers during private preview and next steps for improving interoperability with other standards-based systems. Ankur Patel from my team is here to share more.</P> <P>&nbsp;</P> <P>Best Regards,</P> <P>Alex Simons (Twitter: <A href="#" target="_self">@Alex_A_Simons</A>)</P> <P>Corporate Vice President Program Management</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> <P>-----------------------------------------------------------------</P> <P>&nbsp;</P> <P>Hello again. In <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/building-trust-into-digital-experiences-with-decentralized/ba-p/1257362" target="_blank" rel="noopener">June 2020</A>, we reported on the open standards community’s progress on decentralized identity.&nbsp;<SPAN>The <U><A title="https://www.w3.org/TR/did-core/" href="#" target="_blank" rel="noreferrer noopener">Decentralized Identifiers (DID)</A></U></SPAN><SPAN> core specification is now very close to joining <U><A title="https://www.w3.org/TR/vc-data-model/" href="#" target="_blank" rel="noreferrer noopener">Verifiable Credentials (VC)</A></U> as a ratified standard.&nbsp;</SPAN>Today, I’m thrilled to share details about the public preview capabilities of Microsoft’s platform, based on these standards, called Azure AD verifiable credentials.</P> <P>&nbsp;</P> <P>Azure AD customers can now easily design and issue verifiable credentials to represent proof of employment, education, or any other claim, so that the holder of such a credential can decide when, and with whom, to share their credentials. Each credential is signed using cryptographic keys associated with the DID that the user owns and controls.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Microsoft Platform Implementation.png" style="width: 800px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269184i3D5BE3C0F6D2C517/image-size/large?v=v2&amp;px=999" role="button" title="Microsoft Platform Implementation.png" alt="Microsoft Platform Implementation.png" /></span></P> <P>&nbsp;</P> <P>Please visit <A href="#" target="_blank" rel="noopener">http://aka.ms/verifyonce</A> to learn more.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Unlike current proprietary identity systems, verifiable credentials are standards-based, which makes it easy for developers to understand and doesn't require custom integration. 
Applications can request and verify the authenticity of credentials from any organization using APIs included in the platform SDK.</P> <P>&nbsp;</P> <P>Just as they manage any other permission requests, users can manage and present credentials using Microsoft Authenticator, with one key difference under the hood. Unlike domain-specific credentials, verifiable credentials function as “proofs” that users control, even when they’re issued by organizations. Because verifiable credentials are attached to DIDs that users own, they can be confident that they—and only they—control who can access them and how.</P> <P>&nbsp;</P> <P>&nbsp;</P> <TABLE style="width: 100%;" border=".5" width="100%"> <TBODY> <TR> <TD width="50%" class="lia-align-center" style="width: 50%; vertical-align: middle;"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="flanders.PNG" style="width: 336px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269680i77B9AC63BACCECEE/image-dimensions/336x256?v=v2" width="336" height="256" role="button" title="flanders.PNG" alt="flanders.PNG" /></span></TD> <TD width="50%"><A href="#" target="_self">Government of Flanders</A> is one of the many early customers that leveraged the private preview capabilities to make it easier for citizens to start a new business. Today, a citizen must provide proof of income and citizenship. By presenting verifiable credentials issued by their bank as proof of income and by their government as proof of citizenship, they could easily meet these requirements. This is one of the many scenarios that came to life during private preview.</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>&nbsp;</P> <P>In addition to announcing public preview of the Azure AD verifiable credentials platform, we’re excited to share with you a new solution based on this approach. Usually, highly regulated interactions, such as pre-employment checks or applying for a loan, are expensive and time-consuming. 
<STRONG>Microsoft is partnering with industry-leading identity verification service providers</STRONG> to make it possible to verify an identity once and present it to anyone. Azure AD customers can leverage this solution to validate official documents and electronic records across 192 countries to confidently verify identities. End-users can present these credentials to quickly start a job, apply for a loan, or access secure apps and services—without having to repeatedly share their sensitive information.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="aka.ms.png" style="width: 936px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/269186iB80AE33A78499EDE/image-size/large?v=v2&amp;px=999" role="button" title="aka.ms.png" alt="aka.ms.png" /></span></P> <P>Please visit <A href="#" target="_blank" rel="noopener">http://aka.ms/verifyonce</A> to learn more about all our partners.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>We’re grateful for everything we’ve learned from our customers, and to members of <A href="#" target="_blank" rel="noopener">Decentralized Identity Foundation</A>, <A href="#" target="_blank" rel="noopener">OpenID Foundation</A><SPAN>,</SPAN> and <A href="#" target="_blank" rel="noopener">W3C</A> who collaborated with us to develop new standards that enable individuals and organizations to verify credentials directly.</P> <P>&nbsp;</P> <P>While this is an important milestone, we have a lot of work ahead to enable verification on a larger scale while protecting individual privacy. 
Now that we have built the foundation, we are working on our next key milestone: continue to enrich credentials with implementations that enable additional privacy-preserving features and increase our interoperability with solutions from other members of the Decentralized Identity and Verifiable Credentials community.</P> <P>&nbsp;</P> <P>Let’s build a more trustworthy internet together. We were amazed by the variety of ideas that customers presented to us during private preview. We can’t wait for you to <A href="#" target="_blank" rel="noopener">try the new platform</A>!</P> <P>&nbsp;</P> <P>Ankur Patel (<A href="#" target="_self">@_AnkurPatel</A>)</P> <P>Principal Program Manager</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Resources:</P> <UL> <LI>Get involved with <A href="#" target="_blank" rel="noopener">http://identity.foundation</A>, the industry working group for all things Decentralized ID (DID)</LI> <LI>All things Azure AD Verifiable Credentials: <A href="#" target="_blank" rel="noopener">http://aka.ms/verifyonce</A></LI> <LI>Quick overview: <A href="#" target="_blank" rel="noopener">http://aka.ms/didexplained</A></LI> <LI>Documentation for developers: <A href="#" target="_blank" rel="noopener">http://aka.ms/didfordevs</A></LI> <LI>Blogs (including <A href="#" target="_blank" rel="noopener">scale and performance</A> and <A href="#" target="_blank" rel="noopener">self-owned key recovery</A>): <A href="#" target="_blank" rel="noopener">http://aka.ms/azureadblog/did</A></LI> </UL> <P>&nbsp;</P> Thu, 19 Aug 2021 23:22:53 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/announcing-azure-ad-verifiable-credentials/ba-p/1994711 Alex Simons (AZURE) 2021-08-19T23:22:53Z AuthenTrend and Microsoft have partnered to help our customers go passwordless https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/authentrend-and-microsoft-have-partnered-to-help-our-customers/ba-p/2115719 <P>Hello! <BR /><BR /><EM>Microsoft has been working with a variety of hardware key manufacturers to give customers a rich set of choices for their passwordless solutions. In today's post, we hear from Athena Chiang from AuthenTrend, who describes the company’s flagship security key, ATKey.Pro. </EM><A href="#" target="_blank" rel="noopener"><EM>AuthenTrend</EM></A><EM> is based in Taiwan and focuses on building biometric-based passwordless solutions. </EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="4"><STRONG>The paradigm of in-office work has been shattered as a result of COVID-19</STRONG></FONT></P> <P>By Athena Chiang, Director of Business Development, AuthenTrend</P> <P>&nbsp;</P> <P>The paradigm of in-office work has been shattered because of the pandemic. This transition to a permanent hybrid workforce forces organizations to adjust their security strategies to ensure that only the right user can remotely access sensitive systems. 
A growing number of <A href="#" target="_blank" rel="noopener">AuthenTrend</A> customers are asking about passwordless with biometrics as a more secure alternative to traditional passwords.</P> <P>&nbsp;</P> <P>One customer illustrates the benefits of adopting a passwordless-with-biometrics solution. After adopting ATKeyPro, this manufacturing company decreased IT costs by 30% to 50% annually and eliminated the hassles of password reset. This improves the user experience because, like many companies, employees were previously required to reset their passwords every three months.</P> <P>&nbsp;</P> <P>This customer adopted the mobile authentication application, but most employees on the factory floor are not allowed to use mobile phones, and some executives are hesitant to use their personal phones for business purposes. At AuthenTrend's suggestion, they migrated their solution from Active Directory and on-premises servers to a hybrid solution – Office 365 E3 with <A href="#" target="_blank" rel="noopener">Azure Active Directory</A>. They adopted ATKeyPro and ATKeyCard based on employees' device usage.</P> <P>&nbsp;</P> <P>Founded in 2016, AuthenTrend has one of the largest numbers of FIDO2 certifications in Taiwan and is the first fingerprint security key company to receive these certifications. Today, AuthenTrend is part of the <A href="#" target="_blank" rel="noopener">Microsoft Intelligent Security Association</A> (MISA), the FIDO Alliance, and RSA. The customer’s CTO trusts the fingerprint security key solution since AuthenTrend's fingerprint sensor comes with a top industry-level false rejection rate (FRR) and the smallest form factor.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="4"><STRONG>Why your passwordless journey should include biometrics</STRONG></FONT></P> <P>That company’s concern about security is understandable. 
Consider these statistics on threats from a <A href="#" target="_blank" rel="noopener">Microsoft Threat Intelligence report</A> and the <A href="#" target="_blank" rel="noopener">2018 Data Breach Investigations Report (DBIR)</A>:</P> <P>&nbsp;</P> <UL> <LI>230% increase in password spray attacks in 2020.</LI> <LI>Nearly one in three of all attacks on enterprises involve phishing.</LI> <LI>81% of data breaches are caused by compromised, weak, and/or reused passwords.</LI> </UL> <P><STRONG>&nbsp;</STRONG></P> <P>A weak password does not protect against modern malware, phishing, or man-in-the-middle attacks. By moving from passwords to hardware-based security keys, organizations enable the most robust form of authentication and mitigate the threat of account takeovers.<BR /><BR /></P> <P>Multifactor authentication, such as secondary tokens or one-time codes, may not be enough to prevent cybercrime, according to an <A href="#" target="_blank" rel="noopener">FBI Private Industry Notification</A> (PIN) report. The report recommends adding biometric factors and behavioral information checks to multifactor authentication approaches as crucial to protecting identity. Bret Arsenault, CVP/CISO at Microsoft, also <A href="#" target="_blank" rel="noopener">indicated that using biometrics as part of the Azure Active Directory multifactor authentication process boosts security by making it more difficult for hackers to steal a person's identity</A>.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Fingerprint-enabled authentication with Azure AD</STRONG>. With the expanded remote workforce, security and accountability risks increase, and traditional authentication methods can’t absolutely ensure that the person signed in is the authorized user. 
AuthenTrend partnered with Microsoft to offer biometrics solutions to secure this workforce.</P> <P>&nbsp;</P> <P>Employees can use AuthenTrend's FIDO2 fingerprint-enabled security keys to sign into their Azure Active Directory-joined or hybrid Azure AD-joined Windows 10 devices using <A href="#" target="_blank" rel="noopener">single sign-on</A> for cloud and on-premises resources. Users can also sign in to supported browsers. With the fingerprint-matching requirement, enterprises can ensure that only authorized users can access company information. It’s an option for highly security-sensitive enterprises or enterprises with scenarios or employees who aren't willing or able to use their phones as a second factor.</P> <P><STRONG>&nbsp;</STRONG></P> <P><BR />AuthenTrend's flagship product, ATKey.Pro, provides a fingerprint recognition security key that supports FIDO2 and U2F. This lets users leverage standard devices to authenticate to online services in both mobile and desktop environments. With AuthenTrend's patented standalone enrollment technology, new users can register their fingerprints through the card or the USB key itself without using any supplemental enrollment app.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture1.jpg" style="width: 482px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/267999iFD5A2ABC6576D393/image-dimensions/482x271?v=v2" width="482" height="271" role="button" title="Picture1.jpg" alt="Picture1.jpg" /></span></P> <P><EM>To learn more about AuthenTrend’s fingerprint-enabled security key solutions and how they can decrease IT costs, visit the </EM><A href="#" target="_blank" rel="noopener"><EM>Azure commercial marketplace</EM></A><EM> or </EM><A href="https://gorovian.000webhostapp.com/?exam=mailto:contact@authentrend.com" target="_blank" rel="noopener"><EM>reach out to AuthenTrend directly</EM></A><EM>.</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> 
<P><STRONG>Learn more</STRONG></P> <P>&nbsp;</P> <P><EM>I hope you’ve been inspired by AuthenTrend’s story of </EM><EM>integrating its passwordless solutions</EM><EM> with Azure AD. Microsoft is partnering with AuthenTrend on a </EM><A href="#" target="_blank" rel="noopener"><EM>pilot program</EM></A><EM> if you’re an SMB or service provider and want to try the Azure AD passwordless flow.</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank" rel="noopener"><EM>Twitter</EM></A><EM> and </EM><EM><A href="#" target="_blank" rel="noopener">LinkedIn</A></EM></LI> <LI><EM style="font-family: inherit;">Share product suggestions on the </EM><A style="font-family: inherit; background-color: #ffffff;" href="#" target="_blank" rel="noopener"><EM>Azure Feedback Forum</EM></A></LI> </UL> Tue, 30 Mar 2021 16:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/authentrend-and-microsoft-have-partnered-to-help-our-customers/ba-p/2115719 Sue Bohn 2021-03-30T16:00:00Z March identity updates – Public preview of AD FS sign-in activity in Azure AD reporting and more https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/march-identity-updates-public-preview-of-ad-fs-sign-in-activity/ba-p/1994705 <P>Howdy folks,</P> <P>&nbsp;</P> <P>I'm excited to share the latest Azure Active Directory capabilities that will streamline your hybrid identity, monitoring, and B2B user experiences. 
These updates help you achieve more unified identity management from a single control plane and enrich experiences to help provide seamless and secure collaboration with guest users.</P> <P>&nbsp;</P> <P><FONT size="4"><STRONG>Unified identity management</STRONG></FONT></P> <UL> <LI><STRONG>Public preview of </STRONG><A href="#" target="_blank"><STRONG>AD FS sign-ins in Azure AD reporting</STRONG></A> – AD FS sign-ins can now be added to Azure AD activity reporting, giving organizations a unified view of their hybrid identity infrastructure and helping them along their identity modernization journey. This sign-in activity appears in the “Federated” column of Azure AD sign-in reports for customers using the latest version of Azure AD <A href="#" target="_blank">Connect Health</A>. Customers can stream this activity and analyze it in their own SIEM tools like Azure Sentinel, or they can use the Azure AD integration with <A href="#" target="_blank">Azure Monitor and Log Analytics</A> to unlock insights and build dashboarding within the Azure portal. Log Analytics now has a stream called “ADFS SignIns”, which contains the same schema as the sign-in data in the logs, and Azure Monitor has a new pre-built “Sign-In Report” workbook.</LI> <LI><STRONG>General availability of tenant creation activity in <A href="#" target="_blank">Azure AD audit logs</A></STRONG> – Whenever a user creates a new Azure AD tenant, that activity is now recorded in the Azure AD audit logs of the tenant the user was signed into with the Azure portal, not just the logs of the newly created tenant. 
The log activity includes the new tenant ID, the UPN and Object ID of the user that created the tenant, and the tenant creation time and date.&nbsp; Admins can use this to more effectively monitor their entire organization and better maintain an inventory of all their tenants.</LI> </UL> <P><EM>&nbsp;</EM></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Azure Monitor workbook for Azure AD and AD FS sign-in reporting.png" style="width: 959px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/268028i714216827BEF4673/image-size/large?v=v2&amp;px=999" role="button" title="Azure Monitor workbook for Azure AD and AD FS sign-in reporting.png" alt="Azure Monitor workbook for Azure AD and AD FS sign-in reporting.png" /></span><EM><BR />Azure Monitor workbook for Azure AD and AD FS sign-in reporting</EM></P> <P><SPAN><EM>&nbsp;</EM></SPAN></P> <P>&nbsp;</P> <P><FONT size="4"><STRONG>External Identities</STRONG></FONT></P> <UL> <LI><A href="#" target="_blank"><STRONG>Email one-time passcode for B2B collaboration</STRONG></A><STRONG> in Arlington/Government Cloud</STRONG> - Organizations in the Microsoft Azure Government cloud can now enable guests to redeem invitations with email one-time passcode (email OTP). 
Guest users can still collaborate with partners in the Azure Government cloud by requesting and entering a temporary code to sign in to shared resources.</LI> </UL> <P><SPAN>&nbsp;</SPAN></P> <P>As always, we’d love to hear your feedback or suggestions in the comments or on Twitter (<A href="#" target="_blank">@AzureAD</A>).</P> <P><BR />Alex Simons (<A href="#" target="_blank">@Alex_A_Simons</A>)</P> <P>Corporate VP of Program Management</P> <P>Microsoft Identity Division</P> <P><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank"><EM>Twitter</EM></A><EM> and </EM><A href="#" target="_blank"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the </EM><A href="#" target="_blank"><EM>Azure Feedback Forum</EM></A></LI> </UL> Mon, 29 Mar 2021 21:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/march-identity-updates-public-preview-of-ad-fs-sign-in-activity/ba-p/1994705 Alex Simons (AZURE) 2021-03-29T21:00:00Z Azure AD Ignite 2021 Recap: Securing your application ecosystem https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/azure-ad-ignite-2021-recap-securing-your-application-ecosystem/ba-p/1942490 <P>Howdy folks!</P> <P>&nbsp;</P> <P>As we shared earlier this year in <A href="#" target="_blank" rel="noopener">The state of apps by Microsoft identity report</A>, organizations have been connecting all types of apps with Azure AD to keep employees connected and secure in this era of remote work.&nbsp; In case you missed <A href="#" target="_blank" rel="noopener">Microsoft Ignite</A> earlier this month, we’ve been busy adding new capabilities to help you secure and manage your apps in the cloud 
and on-premises with Azure AD.&nbsp; Read on to learn more about new app management updates we made this month!</P> <P>&nbsp;</P> <P><STRONG>Increase IT efficiency with new enterprise app management capabilities</STRONG></P> <P>We’ve released three new enterprise <SPAN>app management updates t</SPAN>o <SPAN>give you more ways to secure and manage apps while simplifying&nbsp;employees’&nbsp;access to the apps they need.</SPAN></P> <P>&nbsp;</P> <UL> <LI><STRONG>GA of the new Azure AD app gallery experience </STRONG>– The Azure AD app gallery experience has a refreshed look and feel! The new app gallery experience allows you to filter for applications based on category or on the supported single sign-on type like SAML or OIDC.&nbsp; Additionally, the new app gallery experience includes icons to help you quickly identify which applications support federated single sign-on and provisioning.</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="11.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/266133i823ED0D49EA43AFF/image-size/large?v=v2&amp;px=999" role="button" title="11.png" alt="11.png" /></span></P> <UL> <LI><STRONG>GA of the </STRONG><A href="#" target="_blank" rel="noopener"><STRONG>Application Template API</STRONG></A> – The application template API available in Microsoft Graph allows admins and developers to programmatically manage applications at scale in the <A href="#" target="_blank" rel="noopener">Azure AD App gallery</A>. Admins and developers can now list, search, update, or add applications from the Azure AD app gallery in their tenant via an API.</LI> <LI><STRONG>GA of the </STRONG><A href="#" target="_blank" rel="noopener"><STRONG>Admin Consent Workflow</STRONG></A> – the admin consent workflow, which is rolling out in the next few days, gives users an easy way to request that an admin review the application they’re trying to use. 
When users try to access an application that requires consent by an admin, users can now send a request to admins during the sign-in flow. The request is sent via email to admins who have been designated as reviewers and once a reviewer takes action on the request, the user is notified whether access has been granted or denied. You can also list pending admin requests by using APIs in Microsoft Graph or PowerShell. By using our new APIs you can integrate admin consent requests into your existing processes to streamline workflows.</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="22.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/266134i0D586976B683D3F7/image-size/large?v=v2&amp;px=999" role="button" title="22.png" alt="22.png" /></span></P> <P><STRONG>Modernize your app authentication</STRONG> <STRONG>from Active Directory Federation Services (AD FS) to Azure AD</STRONG></P> <P>One of the best ways to secure your environment is to manage everything from the cloud—and that includes moving your application’s authentication off AD FS to Azure AD. To help upgrade your application authentication from AD FS to Azure AD, the AD FS activity and insights report is now generally available.</P> <P>&nbsp;</P> <UL> <LI><STRONG>GA of the </STRONG><A href="#" target="_blank" rel="noopener"><STRONG>AD FS activity and insights report</STRONG></A><STRONG>.</STRONG> The AD FS activity insights report lets you quickly identify which of your applications are ready to be upgraded to Azure AD with no configuration changes. 
It assesses all your AD FS applications for compatibility with Azure AD, checks for any configuration differences, and gives guidance on preparing individual applications for migration to Azure AD.&nbsp;</LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="55.PNG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/266144i3CCF8EFC54D34F25/image-size/large?v=v2&amp;px=999" role="button" title="55.PNG" alt="55.PNG" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Secure your on-premises apps with Azure AD application proxy</STRONG></P> <P>During the past 12 months, organizations have increasingly relied on Azure AD Application Proxy service to give employees remote access to their on-premises apps. To help you get even more out of Azure AD Application Proxy we’ve made the following enhancements:</P> <P>&nbsp;</P> <UL> <LI><STRONG>GA of </STRONG><A href="#" target="_blank" rel="noopener"><STRONG>header-based authentication</STRONG></A> – <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/azure-ad-application-proxy-now-natively-supports-apps-that-use/ba-p/1751707" target="_blank" rel="noopener">Announced last year</A>, Azure AD Application Proxy natively supports apps that use header-based authentication. You can configure a wide range of header values required by your application in Azure AD. These header values will be sent down to the application via Application Proxy. 
This means that all attributes and transformations available for configuring SAML or OIDC applications can be used as header values.</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="44.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/266136i19BEFEDFB04636FE/image-size/large?v=v2&amp;px=999" role="button" title="44.png" alt="44.png" /></span></P> <UL> <LI><A href="#" target="_blank" rel="noopener"><STRONG>Optimize your Application Proxy traffic</STRONG></A><STRONG>&nbsp;in public preview: </STRONG>You can now <SPAN>designate which region your Application Proxy service connector group should use.&nbsp; By choosing the region closest to your applications and connectors, you can improve performance and reduce the latency to the App Proxy service.</SPAN><SPAN>&nbsp;</SPAN></LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MicrosoftTeams-image (1).png" style="width: 292px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/266142iFA14C898E1B1B714/image-size/large?v=v2&amp;px=999" role="button" title="MicrosoftTeams-image (1).png" alt="MicrosoftTeams-image (1).png" /></span></P> <P><STRONG>Tell us what you think</STRONG></P> <P><SPAN>As always, we’d love to hear from you. 
Please let us know what you think in the comments below or on the </SPAN><A href="#" target="_blank" rel="noopener">Azure AD feedback forum</A><SPAN>.&nbsp; And be sure to watch our on-demand Ignite</SPAN> session “<A href="#" target="_blank" rel="noopener">Prevent attacks by protecting your applications with Azure Active Directory</A>” to learn more about these new app management capabilities.</P> <P>&nbsp;</P> <P>Alex Simons (@Alex_A_Simons)</P> <P>Corporate VP of Program Management</P> <P>Microsoft Identity Division</P> Thu, 19 Aug 2021 23:22:52 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/azure-ad-ignite-2021-recap-securing-your-application-ecosystem/ba-p/1942490 Alex Simons (AZURE) 2021-08-19T23:22:52Z Accelerate your move to the cloud with new capabilities in Azure AD Domain Services https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/accelerate-your-move-to-the-cloud-with-new-capabilities-in-azure/ba-p/1994704 <P><SPAN>Howdy folks! </SPAN><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>New&nbsp;capabilities in <A href="#" target="_blank" rel="noopener">Azure Active Directory Domain Services</A> will make it easier for you to move your&nbsp;legacy, on-premises&nbsp;apps to the cloud. 
The additional capabilities&nbsp;in our managed domain services solution include&nbsp;geo redundancy,&nbsp;faster&nbsp;sync, and&nbsp;resource forests.</SPAN><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="5"><SPAN><STRONG>Geo-redundancy enhances performance and disaster recovery</STRONG></SPAN></FONT></P> <P><SPAN>Geo-redundancy is a must for large, geographically dispersed organizations with&nbsp;mission&nbsp;critical applications.&nbsp;</SPAN><SPAN>W</SPAN><SPAN>ith the general availability of replica sets you can&nbsp;now create a replica domain controller set for your managed domain in up to four&nbsp;additional regions</SPAN><SPAN>.&nbsp;</SPAN><SPAN>With replica sets, your&nbsp;Azure AD</SPAN><SPAN>&nbsp;</SPAN><SPAN>Domain Services&nbsp;applications&nbsp;gain enhanced performance&nbsp;and disaster recovery&nbsp;for your business&nbsp;by adding&nbsp;geo-redundancy&nbsp;in different regions.</SPAN><SPAN>&nbsp;</SPAN><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="11.jpg" style="width: 696px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/263771iBDC8B155436EFAFA/image-size/large?v=v2&amp;px=999" role="button" title="11.jpg" alt="11.jpg" /></span></P> <P><SPAN><EM>Diagram&nbsp;of Azure AD Domain Services replica set with two regions.</EM></SPAN><SPAN>&nbsp;</SPAN></P> <P><SPAN> </SPAN></P> <P><SPAN>For most Azure AD Domain Services customers, adding another replica is a quick experience. 
To learn more about replica sets and how to deploy your own,&nbsp;visit </SPAN><A href="#" target="_blank" rel="noopener"><SPAN>our documentation</SPAN></A><SPAN>.&nbsp;</SPAN><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="5"><SPAN><STRONG>Synchronization speed increases for multiple cores</STRONG></SPAN></FONT></P> <P><SPAN>When managing&nbsp;hybrid identity, you want to know you have the least latency possible between on-site changes and cloud-authenticated updates. To&nbsp;improve&nbsp;this experience,&nbsp;we’ve made&nbsp;changes&nbsp;to the synchronization engine&nbsp;between your&nbsp;managed&nbsp;domain and Azure AD. </SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>We’ve made the following changes to every Azure AD Domain Services-managed domain that is on a resource manager virtual network:</SPAN><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> <UL> <LI><SPAN><STRONG><FONT size="4">Three&nbsp;new&nbsp;attributes:</FONT> </STRONG></SPAN><SPAN>CompanyName,&nbsp;Manager and EmployeeID are now available attributes on user objects in your managed domain. </SPAN><SPAN>&nbsp;</SPAN></LI> <LI><SPAN><STRONG><FONT size="4">Faster initial&nbsp;sync&nbsp;and&nbsp;incremental updates:</FONT> </STRONG></SPAN><SPAN>Performance&nbsp;testing reveals our new sync engine delivers&nbsp;significantly&nbsp;faster automation&nbsp;than the previous service.&nbsp;The upgraded&nbsp;service leverages&nbsp;multiple cores to sync memberships in parallel,&nbsp;resulting in the greatest performance for those customers leveraging more cores.</SPAN><SPAN>&nbsp;</SPAN></LI> </UL> <P><SPAN> </SPAN><SPAN>&nbsp;</SPAN></P> <P><SPAN>To learn more about synchronization for Azure AD Domain Services, visit </SPAN><A href="#" target="_blank" rel="noopener"><SPAN>our documentation</SPAN></A><SPAN>. 
</SPAN><SPAN>&nbsp;</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> <P><FONT size="5"><SPAN><STRONG>Resource&nbsp;forest&nbsp;makes it easier to move legacy protocols onto Azure</STRONG></SPAN><SPAN>&nbsp;</SPAN></FONT></P> <P><SPAN>You can&nbsp;now create a resource forest-based managed domain without</SPAN><SPAN>&nbsp;</SPAN><SPAN>password hash synchronization. In a resource forest, user objects and credentials exist in the on-premises Active Directory Domain Services forest, while still enabling you to lift your resources that use&nbsp;legacy</SPAN><SPAN>&nbsp;</SPAN><SPAN>authentication protocols onto Azure. This is great for customers who use smartcards to sign in to their applications.</SPAN><SPAN>&nbsp;</SPAN></P> <P><SPAN> </SPAN><SPAN>&nbsp;</SPAN></P> <P><SPAN> </SPAN><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="33.png" style="width: 780px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/263650iA5377E5F5411974F/image-size/large?v=v2&amp;px=999" role="button" title="33.png" alt="33.png" /></span></SPAN></P> <P><SPAN><EM>Diagram&nbsp;of an Azure AD Domain Services resource forest. 
</EM></SPAN><SPAN>&nbsp;</SPAN></P> <P><SPAN> </SPAN></P> <P><SPAN>When determining whether to create a user forest or a resource forest, we recommend the following guides and resources to help you decide:</SPAN></P> <P>&nbsp;</P> <UL> <LI><A href="#" target="_blank" rel="noopener"><SPAN>Resource forests concepts and features</SPAN></A><SPAN> </SPAN><SPAN>&nbsp;</SPAN></LI> <LI><A href="#" target="_self"><SPAN>Forest trust relationships in Azure</SPAN><SPAN><U> AD Domain Services</U></SPAN></A><SPAN> </SPAN></LI> <LI><A href="#" target="_blank" rel="noopener"><SPAN>Creating an Azure AD Domain Services managed domain</SPAN></A><SPAN> </SPAN><SPAN>&nbsp;</SPAN></LI> </UL> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>And as always,  </SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/Azure-Active-Directory-B2B/bd-p/AzureAD_B2b" target="_blank" rel="noopener"><SPAN>join the conversation</SPAN></A><SPAN> in the Microsoft Tech Community and send us your </SPAN><A href="#" target="_blank" rel="noopener"><SPAN>feedback and suggestions</SPAN></A><SPAN>. You know we’re listening! 
</SPAN><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Best regards,</SPAN><SPAN>&nbsp;</SPAN></P> <P><SPAN> </SPAN><SPAN>&nbsp;</SPAN></P> <P><SPAN>Alex Simons (</SPAN><A href="#" target="_blank" rel="noopener"><SPAN>@Alex_A_Simons</SPAN></A><SPAN> )</SPAN><SPAN>&nbsp;</SPAN></P> <P><SPAN>Corporate VP of Program Management</SPAN><SPAN>&nbsp;</SPAN></P> <P><SPAN>Microsoft Identity Division</SPAN><SPAN>&nbsp;</SPAN></P> Thu, 19 Aug 2021 23:22:50 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/accelerate-your-move-to-the-cloud-with-new-capabilities-in-azure/ba-p/1994704 Alex Simons (AZURE) 2021-08-19T23:22:50Z Azure Active Directory External Identities is Generally Available https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/azure-active-directory-external-identities-is-generally/ba-p/2147080 <P>Hello friends,</P> <P>&nbsp;</P> <P>This week marks a couple of special milestones for me: the 25<SUP>th</SUP> anniversary of my first day as a Microsoft employee, and the culmination of some great work the team is doing to empower Microsoft’s customers to do more and create great experiences with our identity services.</P> <P>&nbsp;</P> <P>Last spring, I <A href="#" target="_blank">shared our vision</A> for <A href="#" target="_blank"><STRONG>Azure Active Directory External Identities</STRONG></A> and encouraged customers to preview <A href="#" target="_blank">self-service sign-up</A>, our first step toward unifying Microsoft’s identity offerings for employee, partner, and customer identity. 
During the past year, we’ve made significant improvements to Azure AD External Identities with the help of our preview customers, who view this work as critical to making their workflows more flexible, secure, and scalable.</P> <P>&nbsp;</P> <P>Today, we are taking additional steps on this journey with the general availability (GA) of several External Identities features and a few new previews for B2B and B2C scenarios.</P> <P><STRONG>&nbsp;</STRONG></P> <P><FONT size="5"><STRONG>Flexible user experience</STRONG></FONT></P> <P>Delivering customized, intuitive experiences for customers and partners is a top priority for many organizations. Our customers tell us they want digital experiences that reflect their brand and reduce friction for their users.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="22.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261775iF6D3338758776B6B/image-size/large?v=v2&amp;px=999" role="button" title="22.png" alt="22.png" /></span></P> <P><SPAN><EM>Configure the user experience for sign-up with customer user attributes, API Connectors, and Social IDs.</EM></SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Now generally available, <STRONG>self-service sign-up user flows</STRONG> for Azure AD make it easy to create, manage, and customize onboarding experiences for external users with little to no application code. You can now:</P> <P>&nbsp;</P> <UL> <LI>Integrate with more <SPAN>external identity providers</SPAN>, including <STRONG>Google and Facebook IDs </STRONG>(generally available), and <STRONG>email-based one-time passcodes</STRONG> or <STRONG>Microsoft accounts </STRONG>(in preview) so that customers and partners can seamlessly bring their own identities. We’ve also improved the experience for users who sign up with a social ID, allowing them to sign in with their email address. 
Learn more about how to&nbsp;<A href="#" target="_blank">enable self-service sign-up with social IDs</A>.</LI> <LI>Define localizable <STRONG>custom user attributes</STRONG> to collect on the forms that external users complete during self-service sign-up when accessing apps and services in your organization such as Supplier ID or Account Number. Learn more about <A href="#" target="_blank">customizing&nbsp;attributes&nbsp;for your apps</A>.</LI> <LI>Extend your flows with <STRONG>API connectors </STRONG>to validate user input, route information to an external workflow, or perform identity verification. <STRONG>Client certificate authentication of the API calls</STRONG> is now available in preview. Learn how to use <A href="#" target="_blank">API connectors</A>.</LI> <LI>Configure all of the above leveraging the power of <A style="font-family: inherit; background-color: #ffffff;" href="#" target="_blank">Microsoft Graph APIs</A><SPAN style="font-family: inherit;">.</SPAN></LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="33.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261778i09FBD5A387A1CF59/image-size/large?v=v2&amp;px=999" role="button" title="33.png" alt="33.png" /></span></P> <P><SPAN><EM>Configure next-generation user flows with Azure AD B2C.</EM></SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>To follow this, customers building consumer-facing apps can expect general availability of our improved next-generation user flows for Azure AD B2C in the next few weeks. 
You’ll be able to:</P> <UL> <LI>Select and create <A href="#" target="_blank">B2C user flows</A> with a <STRONG>new, simplified experience</STRONG> in the portal, and configure all features within the same user flow without the need for versioning in the future.</LI> <LI>Enable <A href="#" target="_blank">phone sign-up sign-in</A> for users so they can <STRONG>sign up and sign in with a phone number </STRONG>using a one-time password (OTP) sent to their phone via SMS.</LI> <LI>Use <A href="#" target="_blank">API connectors</A>, in preview, to <STRONG>extend and secure Azure AD B2C</STRONG> sign-up user flows.</LI> <LI>Enable users to access Azure AD B2C applications using sign-up and sign-in with <A href="#" target="_blank"><STRONG>Apple ID</STRONG></A>, currently in preview.</LI> </UL> <P>&nbsp;</P> <P><A href="#" target="_blank">Identity Protection</A> with risk-based <A href="#" target="_blank">Conditional Access</A> is one of the most widely adopted security features for protecting Azure AD employee accounts. 
It’s now in preview for next-generation user flows and is expected to become generally available later this spring (details below).</P> <P>&nbsp;</P> <H2><FONT size="5"><STRONG>Adaptive security</STRONG></FONT></H2> <P>Securing data and protecting against unauthorized access is another high priority for our customers with external users and consumer-facing apps.</P> <P><EM>&nbsp;</EM></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Risky Users Policy.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261820iD1F07565AF115EB4/image-size/large?v=v2&amp;px=999" role="button" title="Risky Users Policy.png" alt="Risky Users Policy.png" /></span></P> <P><EM>Set up risk-based Conditional Access policies for your B2C apps.</EM></P> <P>&nbsp;</P> <P>In a previous post, I shared that we are expanding the power of Azure AD <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/azure-active-directory-external-identities-goes-premium-with/ba-p/1604572" target="_blank">Identity Protection with risk-based Conditional Access to Azure AD B2C</A>. Since then, we’ve been working closely with customers to improve this experience. 
That means ensuring that the common patterns for user logins can be secured and protected against suspicious or irregular access.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Risky Users B2C.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261795i98FFD87C626DDCA0/image-size/large?v=v2&amp;px=999" role="button" title="Risky Users B2C.png" alt="Risky Users B2C.png" /></span></P> <P><EM style="font-family: inherit;">Risky users blades in the Azure AD B2C portal.</EM></P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noreferrer noopener">Identity Protection and Conditional Access policies for Azure AD B2C</A> are currently enabled for customers with Azure AD External Identities Premium P2, and we’re looking forward to making it generally available later this spring.</P> <P>&nbsp;</P> <H2><FONT size="5"><STRONG>Scalable lifecycle and user management</STRONG></FONT></H2> <P>As the number of external users in an organization grows, controlling who has access to which resources and for how long can be cumbersome. Many of you have shared that <A href="#" target="_blank">guest access reviews for Microsoft Teams and Microsoft 365 groups</A> are helping to automate that process.</P> <P>&nbsp;</P> <P>We’ve added new capabilities to help organizations manage external users in the cloud, while simplifying the admin experience for all users:</P> <P>&nbsp;</P> <UL> <LI><STRONG>Move guests to the cloud </STRONG>enables guests represented as&nbsp;internal users in the directory&nbsp;to connect and collaborate using External Identities, leaving their object ID, user principal name, group membership, and app assignments&nbsp;intact. Now generally available, <A href="#" target="_blank">Inviting members&nbsp;to B2B collaboration</A> provides a better user experience for guests and improves overall security for the directory.</LI> <LI><STRONG>Reset the redemption status for a guest user</STRONG> sends guests a new invitation to redeem their account for collaboration without having to redo existing access and memberships. 
<A href="#" target="_blank">Resetting redemption status</A>, in preview, provides continuity for external users when their home tenant account is deleted, or when new identity provider options become available.</LI> </UL> <P>&nbsp;</P> <H2><FONT size="5"><STRONG>Updating our External Identities SLA</STRONG></FONT></H2> <P>Finally, we announced an <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/99-99-uptime-for-azure-active-directory-b2c/ba-p/2147049" target="_blank">update to our service level agreement (SLA)</A> for Azure AD B2C tenants. Starting on May 25, 2021, our SLA for Azure AD B2C will promise a 99.99% uptime for Azure AD B2C user authentication, an improvement from our previous 99.9% SLA.</P> <P>&nbsp;</P> <P>Thanks to all the incredible feedback this year, we’ve got many more great features on the roadmap to improve the experience, security, and manageability of all Azure AD External Identities scenarios. We love hearing from you, so keep trying our new features and sharing feedback through&nbsp;the&nbsp;<A href="#" target="_blank">Azure forum</A>&nbsp;or by following&nbsp;<A href="#" target="_blank">@AzureAD</A>&nbsp;on Twitter.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Related articles: </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/azure-active-directory-external-identities-goes-premium-with/ba-p/1604572" target="_blank" rel="noopener">Azure Active Directory External Identities goes premium with advanced security for B2C - Microsoft Tech Community</A>; <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/evolving-azure-ad-for-every-user-and-any-identity-with-external/ba-p/1257361" target="_blank" rel="noopener">Evolving Azure AD for every user and any identity with External Identities - Microsoft Tech Community</A></LI> <LI><EM>Return to the <A 
href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener">Azure Active Directory Identity blog home</A></EM></LI> <LI><EM>Join the conversation on <A href="#" target="_blank" rel="noopener">Twitter</A> and <A href="#" target="_blank" rel="noopener">LinkedIn</A></EM></LI> <LI><EM>Share product suggestions on the <A href="#" target="_blank" rel="noopener">Azure Feedback Forum</A></EM></LI> </UL> Wed, 10 Mar 2021 17:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/azure-active-directory-external-identities-is-generally/ba-p/2147080 Robin Goldstein 2021-03-10T17:00:00Z Granular Conditional Access for sensitive data and actions https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/granular-conditional-access-for-sensitive-data-and-actions/ba-p/1751775 <P>Today I am excited to share how you can maximize user productivity AND protect your most sensitive resources with <EM>Conditional Access authentication context</EM>. <A href="#" target="_blank" rel="noopener">Conditional Access</A> is the Zero Trust control plane that allows you to target policies for access to all your apps – old or new, private or public, on prem or multi-cloud. And now, with Conditional Access authentication context, you can apply different policies <EM>within</EM> those apps.</P> <P>&nbsp;</P> <P>I have asked Caleb Baker, a PM on the Identity team, to tell you more. Let us know what you think!</P> <P>&nbsp;</P> <P>Alex Weinert</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>--------------------------</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Hello! We are incredibly excited to introduce Conditional Access authentication context, because it really empowers you to apply policies in exactly the ways you’ve told us you want to. 
Your HR handbook and secret plans in SharePoint can have different access policies, and your company’s financials app can apply a different standard between reading balances and wiring funds.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="11.png" style="width: 510px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261660i2CE36AE9D78A75C8/image-size/large?v=v2&amp;px=999" role="button" title="11.png" alt="11.png" /></span></P> <P>&nbsp;</P> <P>Conditional Access authentication context lets you target policies for data and actions within an app so you can refine your Zero Trust policies for least privileged access while minimizing user friction.</P> <P>&nbsp;</P> <P>With the public preview, which will start soon, we are adding support to several Microsoft services as well as support for SaaS apps and line-of-business apps:</P> <P>&nbsp;</P> <P><FONT size="4"><STRONG>Microsoft Cloud App Security (MCAS) file upload and download</STRONG>:</FONT> Use the MCAS session proxy to trigger Conditional Access policy when files are uploaded to or downloaded from a Microsoft application, a SaaS application, or apps that use the Application Proxy in <A href="#" target="_blank" rel="noopener">Azure Active Directory</A>.</P> <P>&nbsp;</P> <P><FONT size="4"><STRONG>Azure AD Privileged Identity Management</STRONG> <STRONG>(PIM)</STRONG> <STRONG>role activation</STRONG>:</FONT> When a user activates Azure AD or Azure roles, you can require Conditional Access policies like <A href="#" target="_blank" rel="noopener">Azure AD multifactor authentication</A>, third-party multifactor authentication, device compliance, Azure Identity Protection risk levels, or location-based controls. 
This will make it more difficult for an attacker to act in a privileged role.</P> <P>&nbsp;</P> <P><FONT size="4"><STRONG>Microsoft Information Protection (MIP) labeled SharePoint site collections</STRONG>:</FONT> Use MIP labels to identify sensitive SharePoint sites and apply Conditional Access policies so your organization’s most sensitive data is kept secure.</P> <P>&nbsp;</P> <P><FONT size="4"><STRONG>SaaS app integration:</STRONG></FONT> Conditional Access authentication context support is not just for Microsoft apps. SaaS apps can use the same approach to protect your data and actions. We’d like to thank SaaS app providers like <A href="#" target="_blank" rel="noopener">LumApps</A> and <A href="#" target="_blank" rel="noopener">Powell Software</A> for their help in validating the approach and showcasing how authentication context can be used by all apps.</P> <P>&nbsp;</P> <P><STRONG><FONT size="4">Line-of-business apps:</FONT> </STRONG>The same integration available to SaaS apps is there for your apps. Do you have sensitive employee data in your HR app, or need protection for high-value transactions? Conditional Access will help you add extra security.</P> <P>&nbsp;</P> <P>Look for the public preview in April!</P> <P>&nbsp;</P> <H1>User experience</H1> <P>Here’s what a user sees when authentication context is used to protect an app resource. In this case, we’ll show the MCAS integration, but the user experience is similar in all cases. The user will need to accept terms of use before downloading classified files.</P> <P>&nbsp;</P> <P>After signing into a cloud app, they are redirected to the MCAS session proxy. 
At this point, if there’s a Conditional Access policy applied to user sign-in, like multifactor authentication, the user will be prompted.</P> <P>&nbsp;</P> <P>When they try to download a classified document, MCAS intercepts the click and displays a page to tell the user an additional security check is required.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="22.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261662iFA7D640BA2EAE92D/image-size/large?v=v2&amp;px=999" role="button" title="22.png" alt="22.png" /></span></P> <P>&nbsp;</P> <P><EM>A user clicks on <STRONG>Download </STRONG></EM><STRONG><EM>PDF</EM></STRONG><EM>.</EM></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="33.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261663i2562DE709D240195/image-size/large?v=v2&amp;px=999" role="button" title="33.png" alt="33.png" /></span></P> <P>&nbsp;</P> <P><EM>User receives a notification that additional security checks are </EM><EM>required.</EM></P> <P>&nbsp;</P> <P>After clicking <STRONG>OK, Proceed,</STRONG> the user is prompted to agree to the organization’s terms of use, on a page triggered by authentication context.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="44.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261664iB99B08CE5C8CD1DE/image-size/large?v=v2&amp;px=999" role="button" title="44.png" alt="44.png" /></span></P> <P>&nbsp;</P> <P>Any app can use this functionality to require a Conditional Access authentication context and make use of the existing Conditional Access controls.</P> <P>&nbsp;</P> <H1>How it works</H1> <P>You may be curious about how this all works behind the scenes. 
It’s a familiar standards-based pattern that’s used when an app requires Azure AD multifactor authentication, except we’ve allowed the app to make a sign-in request that will trigger Conditional Access policy. After a user signs in, the app controls whether additional policies need to be enforced. A redirect and a new sign-in request are sent back to Azure AD, and the user is then prompted to complete any policy requirements. This way, the app can use its own business logic to trigger additional policies when needed.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="55.png" style="width: 428px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261665i53EB588E100DA7D4/image-size/large?v=v2&amp;px=999" role="button" title="55.png" alt="55.png" /></span></P> <P>&nbsp;</P> <P>The app or MCAS then inspects claims in the sign-in token to tell if the required authentication context and Conditional Access policies have been satisfied. If the required claim is present, the user will be granted access.</P> <P>&nbsp;</P> <P>Protocol support is built on top of industry standards in <A href="#" target="_blank" rel="noopener">OpenID Connect</A>: the app passes the authentication context reference value in the claims request parameter, which gives apps a way to trigger policy.</P> <P>&nbsp;</P> <H1>What’s next</H1> <P>We’re finalizing the details of the release and will get the public preview out soon. Then, we plan to extend support to more Microsoft apps and work with more SaaS apps. 
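</P> <P>The step-up exchange described under “How it works”, written out as an added example that is not part of the original post and not Microsoft’s code: a relying party builds an OpenID Connect sign-in request whose <EM>claims</EM> parameter names the authentication context it needs, and later gates the sensitive action on the returned token actually carrying that context. The claim name <EM>acrs</EM> and the value <EM>c1</EM> follow Azure AD’s public documentation rather than this post; the authority URL, client ID, redirect URI and token payloads are constructed placeholders, and the payload dictionaries stand in for claims that a real JWT library has already validated.</P>

```python
"""Authentication context via the OpenID Connect `claims` request parameter.

Added example, not code from the original post or from Microsoft.
Assumptions, labelled here and in the lead-in:
  * Azure AD exposes the authentication context in a token claim named "acrs"
    with values such as "c1"; that naming comes from Microsoft's documentation,
    not from this post, which only says "authentication context reference value".
  * AUTHORITY, CLIENT_ID, REDIRECT_URI and the token payloads are constructed
    placeholders. The payload dicts stand in for claims that a real JWT library
    has already validated (signature, issuer, audience, expiry); nothing here
    verifies a token.
"""
import json
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com/TENANT-PLACEHOLDER"  # placeholder tenant
CLIENT_ID = "00000000-0000-0000-0000-000000000000"                   # placeholder app id
REDIRECT_URI = "https://app.example.test/signin-oidc"               # placeholder


def build_claims_request(acr_value: str, essential: bool = True) -> str:
    """JSON for the OIDC `claims` parameter: ask that the ID token carry the
    authentication context `acr_value`. Azure AD evaluates the Conditional
    Access policy bound to that value before it issues such a token."""
    request = {"id_token": {"acrs": {"essential": essential, "value": acr_value}}}
    return json.dumps(request, separators=(",", ":"))


def build_step_up_url(acr_value: str, state: str, nonce: str) -> str:
    """The redirect the app sends when its own business logic decides the
    current sign-in is not strong enough for the requested action."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
        "claims": build_claims_request(acr_value),
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def requested_acr(authorize_url: str) -> Optional[str]:
    """Read the requested context back out of an authorize URL (useful when
    reviewing sign-in logs or testing the redirect)."""
    query = parse_qs(urlsplit(authorize_url).query)
    if "claims" not in query:
        return None
    claims = json.loads(query["claims"][0])
    return claims.get("id_token", {}).get("acrs", {}).get("value")


def satisfies_auth_context(token_claims: Dict, required_acr: str) -> bool:
    """Server-side gate run on every sensitive action: allow only when the
    validated token's acrs claim contains the required value. A missing claim
    is treated like a mismatch, so a token minted before the policy existed
    cannot pass."""
    acrs = token_claims.get("acrs", [])
    if isinstance(acrs, str):  # tolerate a single value sent as a bare string
        acrs = [acrs]
    return required_acr in acrs


def authorize_action(token_claims: Dict, required_acr: str) -> Dict[str, str]:
    """Decide between performing the action and redirecting to Azure AD for
    step-up. `state` binds the eventual response to this request; `nonce` is
    echoed in the new ID token so a replayed token cannot satisfy the step-up."""
    if satisfies_auth_context(token_claims, required_acr):
        return {"decision": "allow"}
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    return {"decision": "step_up",
            "redirect": build_step_up_url(required_acr, state, nonce)}


# Constructed sample payloads (already-validated claims), not real tokens.
TOKEN_BEFORE_STEP_UP = {"sub": "user-123", "aud": CLIENT_ID, "amr": ["pwd"]}
TOKEN_AFTER_STEP_UP = {"sub": "user-123", "aud": CLIENT_ID,
                       "amr": ["pwd", "mfa"], "acrs": ["c1"]}

if __name__ == "__main__":
    first = authorize_action(TOKEN_BEFORE_STEP_UP, "c1")
    print(first["decision"], "->", requested_acr(first["redirect"]))  # step_up -> c1
    print(authorize_action(TOKEN_AFTER_STEP_UP, "c1")["decision"])    # allow
```

<P>The gate only ever reads the token that comes back after the redirect, which is what makes the check meaningful: the app never “remembers” that it asked for step-up, it re-checks the claim on every protected request, so a session whose token lacks the context is sent round again rather than trusted.</P> <P>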
Our goal is to allow you to create more granular security policies, where you need them, and help move you forward on your Zero Trust journey.</P> <P>&nbsp;</P> <P>We look forward to hearing your feedback and suggestions!</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the<SPAN>&nbsp;</SPAN></EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>Twitter</EM></A><EM><SPAN>&nbsp;</SPAN>and<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>Azure Feedback Forum</EM></A></LI> </UL> Thu, 19 Aug 2021 23:22:48 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/granular-conditional-access-for-sensitive-data-and-actions/ba-p/1751775 Alex Weinert 2021-08-19T23:22:48Z 10 Reasons to Love Passwordless #10: Never use a password https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-10-never-use-a-password/ba-p/2111909 <P><EM>In this series,&nbsp;Microsoft identity&nbsp;team members share their reasons for loving passwordless authentication (and why you should too!). 
Pamela Dingle </EM><EM>closes the series with a post about the tighter security of passwordless authentication.</EM></P> <P><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Here we are at the last of our Ten Reasons to Love Passwordless blog series!&nbsp; This last reason is more than closing the Ten Reasons blog series, it is about choosing to close a chapter on the past – because passwordless authentication means we can finally say goodbye to the password.</SPAN><SPAN>&nbsp;</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>Password authentication has been around for over 60 years and has always been challenging.&nbsp;A password is supposed to&nbsp;act as a key to help the right person access an account while also operating as a security barrier to protect the account from attackers.&nbsp;However, 80% of hacking-related breaches involve either stolen or weak passwords that were easily guessed by the cybercriminals. Phishing, password spray, and credential stuffing attacks are all attacks that don’t involve an attacker using fancy math to get into your account – instead these attacks rely on you as a statistically predictable human. Attackers know that we humans will type our passwords without due care into a web page that looks mostly reputable.&nbsp; That we don’t set a different password at every website we use. That 1 out of 100 of us have easily guessed passwords like Spring2021! protecting a critical account at this very moment.&nbsp; That they can use 30-year-old password attack tools and still succeed, because we use 30-year-old protocols that are vulnerable to them. Attackers don’t have to be smart to make money from password theft, just opportunistic. Wouldn’t it be great if we could take that opportunity away?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Traditional multifactor authentication (aka MFA) presents a more secure way for users to access their&nbsp;accounts&nbsp;and resources – password plus another factor. 
Microsoft supports and encourages multiple ways to use MFA! Adding a second factor to your authentication reduces the probability of account compromise by 99.9%, because it ruins the instant effectiveness of password-based attacks. MFA makes user authentication much safer, but it does impact the user experience. MFA</SPAN><SPAN> also leaves the <A href="#" target="_blank" rel="noopener">oh-so-vulnerable password</A> as part of the equation. &nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Passwordless authentication is a form of multifactor authentication that replaces the password with a secure alternative. One of the underlying principles of&nbsp;passwordless&nbsp;authentication is to eradicate the use of passwords and thereby eliminate their value for attackers. As I hope you have seen in many of our previous blog entries, passwordless authentication methods have protections against the types of attacks that represent easy money for criminals. Replacing passwords with passwordless authentication may not completely prevent all attacks, but we can make successful attacks much more expensive to perpetrate.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>Passwordless methods don’t require users to enter their passwords anymore, but what if the account has a password attached to it, from initial setup? That password is less dangerous because it is not in use regularly, which is good, but there is a difference as a user between choosing not to use your password and knowing that nobody else can either. The most secure option would be for the password associated to an account to disappear forever! After all, it is tough to compromise an authentication method that doesn’t exist. You might ask, is there a way to make this happen, other than setting a long random password and forgetting it? 
There will be soon.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>Microsoft has defined a&nbsp;four-step approach to&nbsp;end the era of passwords:</SPAN><SPAN>&nbsp;</SPAN></P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="22.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261255i4CB5FED6A17E1099/image-size/large?v=v2&amp;px=999" role="button" title="22.png" alt="22.png" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>The strategy you see here seems simple, doesn’t it? But let’s just say it has been a journey. It has required singular vision, as well as collaboration both internally across many of our products and externally in our standards-based efforts. We stand today at step #3, and we are on the verge of getting to step #4. Here is a quick taste of where these steps have taken us:</SPAN></P> <P><SPAN><STRONG>&nbsp;</STRONG></SPAN></P> <UL> <LI> <H4><SPAN><STRONG>Deploy password replacement offerings: </STRONG></SPAN></H4> <UL> <LI><SPAN>Introduced by Microsoft in Windows 10, Windows Hello uses biometric sensors or a PIN to verify a user’s identity when signing into work or personal accounts from a PC. </SPAN></LI> <LI><SPAN>The Microsoft Authenticator app generates encrypted messages that allow users to verify their identity with a built-in biometric or a PIN when signing into their work or personal accounts from&nbsp;a mobile phone.</SPAN><SPAN>&nbsp;</SPAN></LI> <LI><SPAN>Via the FIDO2 family of specifications, any website can request a phishing-resistant credential from supported Microsoft, Apple, and Google platforms or from certified USB or NFC security keys. 
</SPAN></LI> </UL> </LI> <LI> <H4><SPAN><STRONG>Reduce user-visible password surface area:</STRONG></SPAN></H4> <UL> <LI><SPAN>Login experiences across Microsoft transition to an ‘identifier-first’ flow, meaning users are no longer asked for a password at the same time they are asked for their username.</SPAN></LI> </UL> </LI> <LI> <H4><SPAN><STRONG>Transition to passwordless deployment:</STRONG></SPAN></H4> <UL> <LI><SPAN>Legacy authentication support is replaced with modern authentication support, and hard-coded assumptions about the omnipresence of passwords are found and removed. </SPAN></LI> <LI><SPAN>Users sign into their accounts with one of the&nbsp;password replacement technologies&nbsp;and use single sign-on to access all their resources.&nbsp;</SPAN></LI> </UL> </LI> <LI> <H4><SPAN><STRONG>Eliminate passwords from identity directory (future):</STRONG></SPAN></H4> <UL> <LI><SPAN>Administrators can choose whether passwords are required, allowed or simply don’t exist for a set of users, and users can choose either to not set a password when an account is created, or to remove their existing password from an account.</SPAN></LI> </UL> </LI> </UL> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>When Microsoft gets to step 4 in our vision, those of you who are security minded will have the power not only to use more secure authentication methods, but to eliminate less secure authentication methods. 
In Spring 2021, we will launch the functionality to allow password removal on Microsoft consumer accounts.&nbsp;Choosing to go&nbsp;passwordless means that instead of signing in with&nbsp;the&nbsp;Microsoft account password,&nbsp;users will&nbsp;verify sign in with&nbsp;the&nbsp;Microsoft Authenticator app.</SPAN><SPAN>&nbsp;Additional forms of passwordless authentication such as Windows Hello and FIDO2 are also available to round out the options.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="33.png" style="width: 358px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261256i9BB7D7D115961625/image-size/large?v=v2&amp;px=999" role="button" title="33.png" alt="33.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>I can’t tell you how excited I am to see us get to these later stages of our Microsoft passwordless vision, but success in these four steps really just gets us to the starting line when it comes to living without passwords in our daily work, home, and school lives. As passwordless authentication in Azure AD is now generally available, we hope to see meaningful change in adoption rates for multifactor and passwordless authentication. We feel confident now that there are usable, meaningful alternatives to passwords available, and most importantly, the methods you see today are only the beginning. We now have the platform support, the vendor ecosystem, and the standards frameworks needed to foster new innovation and to improve our security posture over time.&nbsp; </SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>I encourage you all to try passwordless authentication on for size, and I hope we have given you 10 really great reasons as to why this journey might be worthwhile. On behalf of all my co-authors, we hope this series has helped you understand passwordless authentication and has provided some useful tips for deploying in your organization. 
The more we can embrace passwordless as the norm the more we can protect ourselves and our organizations. And – to all of the current and past Microsoft employees who have waited for years to see our vision finally result in real day-to-day usage – we made it!</SPAN></P> <P>&nbsp;</P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>Check out the other posts in this series:</SPAN><SPAN>&nbsp;</SPAN></P> <UL> <LI><A href="#" target="_blank" rel="noopener noreferrer">Temporary Access Pass is now in preview</A></LI> <LI><SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/identity-standards-blog/what-s-new-in-passwordless-standards-2021-edition/ba-p/2124136" target="_self">What's New in Passwordless Standards, 2021 edition!</A></SPAN></LI> <LI>10 Reasons to Love Passwordless #1:&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-1-fido-rocks/ba-p/2111918" target="_blank" rel="noopener">FIDO Rocks</A></LI> <LI>10 Reasons to Love Passwordless #2:&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-2-nist-compliance/ba-p/2115725" target="_blank" rel="noopener">NIST Compliance</A></LI> <LI>10 Reasons to Love Passwordless #3:<SPAN>&nbsp;</SPAN><FONT size="3"><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-3-why-biometrics-and/ba-p/1751769" target="_self">Why biometrics and passwordless are a dream combination</A></FONT></LI> <LI>10 Reasons to Love Passwordless #4:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-4-secure-your-digital-estate/ba-p/2115724" target="_self">Secure your digital estate, while securing your bottom line</A></LI> <LI>10 Reasons to Love Passwordless #5:<SPAN>&nbsp;</SPAN><A 
href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-5-the-ease-of-use-and/ba-p/2115717" target="_self">The Ease of Use and Portability of Security Keys</A></LI> <LI>10 Reasons to Love Passwordless #6:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-6-the-passwordless-funnel/ba-p/2144513" target="_self">The Passwordless Funnel</A></LI> <LI>10 Reasons to Love Passwordless #7:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-7-authenticator-app-for-easy/ba-p/1751773" target="_self">Authenticator app for easy phone sign in</A>&nbsp;</LI> <LI>10 Reasons to Love Passwordless #8:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-8-you-won-t-get-phished/ba-p/2147056" target="_self">You won't get phished!</A></LI> <LI>10 Reasons to Love Passwordless #9:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-9-onboard-without-a-password/ba-p/1751774" target="_self">Onboard without a password</A></LI> <LI>10 Reasons to Love Passwordless #10: <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-10-never-use-a-password/ba-p/2111909" target="_self">Never use a password</A></LI> </UL> <P><EM>&nbsp;</EM></P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank" rel="noopener"><EM>Twitter</EM></A><EM> and </EM><A href="#" 
target="_blank" rel="noopener"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the </EM><A href="#" target="_blank" rel="noopener"><EM>Azure Feedback Forum</EM></A></LI> </UL> Mon, 08 Mar 2021 19:01:29 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-10-never-use-a-password/ba-p/2111909 Pamela Dingle 2021-03-08T19:01:29Z Strengthen your security with new Microsoft identity partner integrations at Ignite 2021 https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/strengthen-your-security-with-new-microsoft-identity-partner/ba-p/2115716 <P><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/top-7-microsoft-identity-partnership-announcements-at-ignite/ba-p/1257352" target="_blank" rel="noopener">Last Microsoft Ignite,</A> I shared how important partners have been in helping our customers enable a new way of work by providing secure and seamless access for their remote workforce. Our partners have continued to help customers adapt to this new way of working by integrating their applications and solutions– from supporting single sign-on and provisioning to passwordless authentication. In case you missed some of our recent partner announcements you can watch the February edition of New Partner Integrations with Microsoft identity below:</P> <P><BR /><LI-VIDEO vid="https://youtu.be/uaQsLzBudJ4" align="center" size="large" width="600" height="338" uploading="false" thumbnail="https://i.ytimg.com/vi/uaQsLzBudJ4/hqdefault.jpg" external="url"></LI-VIDEO></P> <P>&nbsp;</P> <P>This week at <A href="#" target="_blank" rel="noopener">Microsoft Ignite</A>, we made several <A href="#" target="_blank" rel="noopener">announcements to help strengthen Zero Trust defenses in the era of hybrid work</A>. 
Today, I’d like to highlight partner integrations that complement these announcements and our built-in capabilities.</P> <P>&nbsp;</P> <H2><STRONG>Making passwordless a reality</STRONG></H2> <P>Earlier this week at Ignite we announced that passwordless authentication for cloud and hybrid deployments is now generally available! Over 200 million users sign into their Microsoft personal or work accounts without passwords each month. Employees can use a wide range of passwordless solutions like <A href="#" target="_blank" rel="noopener">Windows Hello for Business</A>, the <A href="#" target="_blank" rel="noopener">Microsoft Authenticator app</A>, and <A href="#" target="_blank" rel="noopener">compatible FIDO2 security keys</A> from our partners. Partners like <A href="#" target="_blank" rel="noopener">Yubico</A>, <A href="#" target="_blank" rel="noopener">Feitian Technologies</A>, and <A href="#" target="_blank" rel="noopener">AuthenTrend</A> have helped deliver a variety of options for you to go passwordless. 
And recently, <A href="#" target="_blank" rel="noopener">ExcelSecu</A>, <A href="#" target="_blank" rel="noopener">Hypersecu</A>, <A href="#" target="_blank" rel="noopener">KONA I</A>, <A href="#" target="_blank" rel="noopener">Token2</A> and <A href="#" target="_blank" rel="noopener">VinCSS</A> have been added to the list of FIDO2 security key vendors compatible with our passwordless experience.</P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture23.jpg" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/260265i81A83D3A8E489DB1/image-size/large?v=v2&amp;px=999" role="button" title="Picture23.jpg" alt="Picture23.jpg" /></span></P> <P>&nbsp;</P> <P>If you are a developer and want to support passwordless authentication with FIDO2 security keys in your apps, check out <A href="#" target="_blank" rel="noopener">our best practices</A>.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><STRONG>Building a more trustworthy identity ecosystem with identity verification </STRONG></H2> <P>With <A href="#" target="_blank" rel="noopener">Azure AD verifiable credentials</A> available in public preview in just a few weeks we are partnering with leading identity verification providers to improve verifiability and secure information exchange. Verifiable credentials let organizations confirm information about a business or a user while protecting privacy. Azure AD customers will be able to issue and verify digital claims for employees, vendors, and customers using an open standards approach. 
Partnering with companies including Acuant, <A href="#" target="_blank" rel="noopener">Au10tix</A>, IDEMIA, Jumio, Onfido, Socure, and <A href="#" target="_self">Vu Security</A> will enable organizations to verify a wide variety of attributes, such as documents and electronic data, while giving individuals more control over access to their information.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture24.png" style="width: 936px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/260270i1121A5FE335B75D8/image-size/large?v=v2&amp;px=999" role="button" title="Picture24.png" alt="Picture24.png" /></span></P> <P>&nbsp;</P> <P><SPAN>Additionally, we are working with services partners to help customers take this next step towards greater privacy and verifiability. </SPAN><A href="#" target="_blank" rel="noopener">AffinitiQuest</A><SPAN>, </SPAN><A href="#" target="_blank" rel="noopener">Condatis</A><SPAN>, and </SPAN><A href="#" target="_blank" rel="noopener">Unify</A><SPAN> are joining us to get our customers started on this journey.</SPAN></P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture25.png" style="width: 871px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/260272i4A20AAFF9D1E240C/image-size/large?v=v2&amp;px=999" role="button" title="Picture25.png" alt="Picture25.png" /></span></SPAN></P> <P>&nbsp;</P> <H2><STRONG>Protecting legacy apps and resources with new secure hybrid access partnerships</STRONG></H2> <P>Our <A href="#" target="_blank" rel="noopener">secure hybrid access partnerships</A> allow customers to use their existing application delivery controllers and networks, VPNs and Software-Defined Perimeter apps to protect legacy, on-premises applications with Azure AD.&nbsp; <A href="#" target="_blank" rel="noopener">New secure hybrid access partners</A> that we’ve recently added include <A 
href="#" target="_blank" rel="noopener">Datawiza</A>, <A href="#" target="_blank" rel="noopener">Perimeter 81</A>, <A href="#" target="_blank" rel="noopener">Silverfort</A>, and <A href="#" target="_blank" rel="noopener">Strata</A>. Let’s take a closer look at how Silverfort is helping customers protect their legacy, on-premises apps.</P> <P>&nbsp;</P> <P><FONT size="4"><STRONG>Silverfort</STRONG></FONT></P> <P>In addition to connecting legacy, on-premises apps, partners like Silverfort can help discover, prioritize and then migrate apps and resources that may be hosted on-prem or in multi-cloud environments to Azure AD. &nbsp;Once applications are discovered and prioritized, customers can leverage Silverfort to connect these apps and resources in Azure AD and apply single sign-on and Conditional Access policies across on-prem and multi-cloud workloads.&nbsp; Watch our Ignite session <A href="#" target="_blank" rel="noopener">Prevent attacks by protecting your applications with Azure Active Directory</A> to learn more about our integration with Silverfort.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture26.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/260277i9CD36A1BDD3037C6/image-size/large?v=v2&amp;px=999" role="button" title="Picture26.png" alt="Picture26.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><STRONG>Strengthen security with Conditional Access authentication context</STRONG></H2> <P>This week we also announced public preview of <STRONG>Azure AD Conditional Access authentication context</STRONG>.&nbsp; Conditional Access authentication context enables customers to apply different policies for different data and actions within an application. This adds data segmentation and stronger policies on high business impact or sensitive data. 
For example, instead of asking for multi-factor authentication every time a user needs to log into an app with sensitive data, you can ask for a step-up authentication for a specific action that they need to perform – like downloading confidential data. With the public preview we are adding support to several Microsoft services and third-party SaaS and line-of-business apps. Two partners that have built authentication context integrations are <A href="#" target="_blank" rel="noopener">LumApps</A> and <A href="#" target="_self">Powell Software</A>:</P> <P>&nbsp;</P> <P><FONT size="4"><STRONG>LumApps</STRONG><EM>&nbsp;</EM></FONT></P> <P><LI-VIDEO vid="https://youtu.be/MJSVHj3Twfw" align="center" size="large" width="600" height="338" uploading="false" thumbnail="https://i.ytimg.com/vi/MJSVHj3Twfw/hqdefault.jpg" external="url"></LI-VIDEO></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="4"><STRONG>Powell Software</STRONG></FONT></P> <P><LI-VIDEO vid="https://www.youtube.com/watch?v=pNtXDdRd7zo&amp;feature=youtu.be" align="center" size="large" width="600" height="338" uploading="false" thumbnail="https://i.ytimg.com/vi/pNtXDdRd7zo/hqdefault.jpg" external="url"></LI-VIDEO></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><STRONG>Simplifying identity management to the apps and platforms you use</STRONG></H2> <P>The applications and services that our customers depend on extend across clouds and platforms. It’s why we are committed to ensure that our identity solutions work seamlessly and securely across platforms and extend to all clouds and apps. Our team continues to add new pre-integrated apps to our <A href="#" target="_blank" rel="noopener">Azure AD app gallery</A> and we have built deeper integrations with popular apps so you can get the most out of the tools that your organization already uses. 
Some integrations that we’ve recently added and updated include:</P> <P>&nbsp;</P> <P><FONT size="4"><STRONG>AWS Single Sign-On</STRONG></FONT></P> <P>The <A href="#" target="_blank" rel="noopener">AWS Single Sign-On (AWS SSO) application</A> is now available in the Azure AD app gallery. The AWS SSO application makes it easy to centrally manage access to multiple AWS accounts and provides users with seamless access to all their assigned AWS accounts and resources from one place. As a pre-integrated application in the Azure AD app gallery, you can <A href="#" target="_blank" rel="noopener">quickly connect Azure AD to AWS SSO</A> and <A href="#" target="_blank" rel="noopener">manage access to AWS centrally</A>. Additionally, end users can sign into AWS SSO using their Azure AD credentials to access all their assigned AWS resources.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture27.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/260279iEB3D9BC2FCF5A19F/image-size/large?v=v2&amp;px=999" role="button" title="Picture27.png" alt="Picture27.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="4"><STRONG>Workday</STRONG></FONT></P> <P>We’ve added new capabilities to our existing Workday integration, giving customers more ways to streamline user provisioning and the sign-in experience. These new capabilities include the ability to <A href="#" target="_blank" rel="noopener">write back phone number</A> fields from Azure AD to Workday and support for <A href="#" target="_blank" rel="noopener">provisioning of secondary job data and international assignment data</A> from Workday to Azure AD. In the next few weeks, we will enhance the existing <A href="#" target="_blank" rel="noopener">One-Click Single Sign-On</A> configuration by enabling IT admins to upload the Azure AD federation metadata XML file into Workday. 
And finally, customers can quickly set up <A href="#" target="_blank" rel="noopener">single sign-on for Workday mobile apps</A> across iOS and Android and enforce Conditional Access policies on these mobile apps.</P> <P>&nbsp;</P> <P><FONT size="4"><STRONG>Get started with our partner integrations</STRONG></FONT></P> <P>Thank you to all our partners for developing solutions on our platform that have helped companies strengthen their Zero Trust defenses. We appreciate the partnership and look forward to more integrations in the future. Check out the <A href="#" target="_blank" rel="noopener">Azure AD partner page</A> to explore the partnerships you can take advantage of to solve your identity and access needs, and let us know what you think in the comments below.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Best regards,</P> <P>Sue Bohn</P> <P>Partner Director of Program Management</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>&nbsp;</SPAN><EM>Related posts:</EM></P> <UL> <LI><A href="#" target="_self"><EM>Top 7 Microsoft Identity partnership announcements at Ignite 2020</EM></A></LI> <LI><EM><A href="#" target="_blank" rel="noopener noreferrer">10 Reasons to Love Passwordless Series</A></EM></LI> <LI><EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/-/ba-p/1994702" target="_self">TAP Public preview blog</A></EM></LI> </UL> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the<SPAN>&nbsp;</SPAN></EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>Twitter</EM></A><EM><SPAN>&nbsp;</SPAN>and<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow 
noreferrer"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the<SPAN>&nbsp;</SPAN></EM><EM><A href="#" target="_blank" rel="noopener nofollow noreferrer">Azure Feedback Forum</A></EM></LI> </UL> Tue, 09 Mar 2021 17:30:34 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/strengthen-your-security-with-new-microsoft-identity-partner/ba-p/2115716 Sue Bohn 2021-03-09T17:30:34Z 10 Reasons to Love Passwordless #9: Onboard without a password https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-9-onboard-without-a-password/ba-p/1751774 <P><EM>In this series,&nbsp;Microsoft identity&nbsp;team members share their reasons for loving passwordless authentication (and why you should too!). Alex Weinert </EM><EM>continues the series with this post in which he describes how much customers are going to benefit from Temporary Access Pass.</EM></P> <P>&nbsp;</P> <P>We announced Temporary Access Pass at Ignite this week and it’s now in public preview. The fact that customers are excited about Temporary Access Pass (more on that later) makes me love passwordless even more.</P> <P>&nbsp;</P> <P>Getting rid of passwords is about more than just how we sign in. When you’re someone like me who encourages customers to make passwordless a reality, you answer questions like:</P> <P>&nbsp;</P> <UL> <LI>“How can we onboard a new employee on their first day at work when we are truly a passwordless organization? Today, we hand a temporary password to the employee.”</LI> <LI>“How do users sign in if they lose their FIDO2 security key? Today, we just ask them to reset their password.”</LI> </UL> <P>&nbsp;</P> <P>One of the reasons I love passwordless is that it gives us the opportunity to make onboarding and recovery so much better! 
No more answering a long list of knowledge questions that are easy to guess (like your dog’s name), answers that you (and an attacker) might one day use to gain access to your account.</P> <P>&nbsp;</P> <P>We created Temporary Access Pass to solve these problems. Temporary Access Pass allows users to register for passwordless authentication methods and recover access to their account using a time-limited passcode.</P> <P>&nbsp;</P> <H1>How customers are using Temporary Access Pass</H1> <P>Every organization has its own unique, well-established employee onboarding and identity verification processes. Temporary Access Pass integrates seamlessly into these processes using the Microsoft Graph APIs. Our private preview customers love it:</P> <P>&nbsp;</P> <P><EM>“Temporary Access Pass is a critical technology feature that will enable our global employee base to securely onboard FIDO2 security keys in a manner that adheres to the NIST authentication assurance level 3 guidelines that we are bound to” ~ Temporary Access Pass preview customer.</EM></P> <P>&nbsp;</P> <P>An aerospace customer with a hybrid environment wanted to let employees use FIDO2 security keys with Azure Active Directory-connected applications. Employees previously needed to use passwords and multi-factor authentication to register the FIDO2 key on their account. Now, employees log in to the company’s internal identity management tool using a smart card. Using the Microsoft Graph APIs, the tool issues a one-time Temporary Access Pass, and the user then uses that pass to register a FIDO2 key, with no enterprise password required.</P> <P>&nbsp;</P> <P>We have also enhanced the Authenticator app registration experience for phone sign-in. 
Users can now sign in to their Azure AD accounts directly in the app, without scanning a QR code on the Security Info page in Azure AD.</P> <P>&nbsp;</P> <P><EM>“Temporary Access Pass allows us to onboard to phone sign-in with the Authenticator app quickly and without knowledge of the user’s password or Azure AD multifactor authentication methods” ~ Private preview customer</EM></P> <P>&nbsp;</P> <P>Another organization that participated in the private preview prefers phone sign-in with the Microsoft Authenticator app for Office 365 authentication, replacing its existing multifactor authentication server implementation. On the first day at work, a new employee’s identity is verified by their colleagues. After the identity verification, the employee goes to the company’s internal portal, where they are issued a new Temporary Access Pass for their account. The employee installs the Authenticator app and registers phone sign-in directly from the app by signing in with the pass. From then on, the user can use the app for every sign-in.</P> <P>&nbsp;</P> <P>So that’s my reason for being excited about passwordless. Make sure to read my colleague’s final post in the series, coming soon. 
Read details about <A href="#" target="_blank" rel="noopener">Temporary Access Pass</A>.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>Check out the other posts in this series:</SPAN><SPAN>&nbsp;</SPAN></P> <UL> <LI><A href="#" target="_blank" rel="noopener noreferrer">Temporary Access Pass is now in preview</A></LI> <LI><SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/identity-standards-blog/what-s-new-in-passwordless-standards-2021-edition/ba-p/2124136" target="_self">What's New in Passwordless Standards, 2021 edition!</A></SPAN></LI> <LI>10 Reasons to Love Passwordless #1:&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-1-fido-rocks/ba-p/2111918" target="_blank" rel="noopener">FIDO Rocks</A></LI> <LI>10 Reasons to Love Passwordless #2:&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-2-nist-compliance/ba-p/2115725" target="_blank" rel="noopener">NIST Compliance</A></LI> <LI>10 Reasons to Love Passwordless #3:<SPAN>&nbsp;</SPAN><FONT size="3"><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-3-why-biometrics-and/ba-p/1751769" target="_self">Why biometrics and passwordless are a dream combination</A></FONT></LI> <LI>10 Reasons to Love Passwordless #4:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-4-secure-your-digital-estate/ba-p/2115724" target="_self">Secure your digital estate, while securing your bottom line</A></LI> <LI>10 Reasons to Love Passwordless #5:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-5-the-ease-of-use-and/ba-p/2115717" target="_self">The Ease of Use and Portability of Security Keys</A></LI> <LI>10 Reasons to Love Passwordless #6:<SPAN>&nbsp;</SPAN><A 
href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-6-the-passwordless-funnel/ba-p/2144513" target="_self">The Passwordless Funnel</A></LI> <LI>10 Reasons to Love Passwordless #7:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-7-authenticator-app-for-easy/ba-p/1751773" target="_self">Authenticator app for easy phone sign in</A>&nbsp;</LI> <LI>10 Reasons to Love Passwordless #8:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-8-you-won-t-get-phished/ba-p/2147056" target="_self">You won't get phished!</A></LI> <LI>10 Reasons to Love Passwordless #9:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-9-onboard-without-a-password/ba-p/1751774" target="_self">Onboard without a password</A></LI> <LI>10 Reasons to Love Passwordless #10: <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-10-never-use-a-password/ba-p/2111909" target="_self">Never use a password</A></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank" rel="noopener"><EM>Twitter</EM></A><EM> and </EM><EM><A href="#" target="_blank" rel="noopener">LinkedIn</A></EM></LI> <LI><EM style="font-family: inherit;">Share product suggestions on the </EM><A style="font-family: inherit; background-color: #ffffff;" href="#" target="_blank" rel="noopener"><EM>Azure Feedback Forum</EM></A></LI> </UL> <P>&nbsp;</P> Thu, 19 
Aug 2021 23:22:47 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-9-onboard-without-a-password/ba-p/1751774 Alex Weinert 2021-08-19T23:22:47Z Temporary Access Pass is now in public preview https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/temporary-access-pass-is-now-in-public-preview/ba-p/1994702 <P>Today we announced the <A href="#" target="_blank" rel="noopener">general availability</A> of our passwordless solution and the public preview of Temporary Access Pass in Azure Active Directory. Temporary Access Pass is a game-changer that completes the end-to-end passwordless onboarding experience for your users. It is a time-limited passcode they can use to set up security keys and the Microsoft Authenticator without ever needing to use, much less know, a password!</P> <P>&nbsp;</P> <P>I’ve invited Inbar Cizer Kobrinsky, a senior program manager on the Identity Security team, to share more details about Temporary Access Pass.</P> <P>&nbsp;</P> <P>Best Regards,</P> <P>&nbsp;</P> <P>Alex Simons (Twitter: <A href="#" target="_blank" rel="noopener">@alex_a_simons</A>)</P> <P>Corporate Vice President Program Management</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> <P>------------------------------------------------------------</P> <P>&nbsp;</P> <P>Hi everyone!</P> <P>&nbsp;</P> <P>We created Temporary Access Pass to address many of your passwordless account onboarding and recovery scenarios. 
In this post, I’ll introduce you to its capabilities and share why you should try it for yourself.</P> <P>&nbsp;</P> <H1><FONT size="5">What is Temporary Access Pass?</FONT></H1> <P>For a user to truly be passwordless, they shouldn’t know or use their password; instead they use passwordless authentication methods, with a passwordless recovery path if they lose their authentication devices.</P> <P>&nbsp;</P> <P>Temporary Access Pass is a time-limited passcode that allows users to register passwordless authentication methods and recover access to their account without a password.</P> <P>&nbsp;</P> <H1><FONT size="5">Admin experience</FONT></H1> <P>The authentication methods policy lets you harden Temporary Access Pass issuance to fit your needs. For example, you can limit it to specific users and groups, restrict its validity to a short period, or make it one-time use. After enabling the Temporary Access Pass policy, you can then create a Temporary Access Pass for your users.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="tap1.png" style="width: 626px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/259408i6C24771CC4ACBD1D/image-size/large?v=v2&amp;px=999" role="button" title="tap1.png" alt="tap1.png" /></span></P> <P><EM><SPAN style="font-family: inherit;">Temporary Access Pass authentication method policy</SPAN></EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>The updated user authentication method page allows a privileged authentication administrator or an authentication administrator to create a Temporary Access Pass for a user, within the limits allowed by the Temporary Access Pass authentication methods policy.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="tap2.png" style="width: 626px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/259409iC2177B08FED800A2/image-size/large?v=v2&amp;px=999" 
role="button" title="tap2.png" alt="tap2.png" /></span></P> <P><EM><SPAN style="font-family: inherit;">Creating a new Temporary Access Pass for a user from the Azure AD portal</SPAN></EM></P> <P>&nbsp;</P> <H1><FONT size="5">End-user experience</FONT></H1> <P data-unlink="true">Once a user has a valid Temporary Access Pass, they can use it to sign in and register a FIDO2 key from the <A href="#" target="_blank" rel="noopener">My Security Info</A> page or register for <A href="#" target="_self">passwordless phone sign-in directly from the Authenticator app</A>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="tap3.png" style="width: 347px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/259410i2D0CD10EFACBB472/image-size/large?v=v2&amp;px=999" role="button" title="tap3.png" alt="tap3.png" /></span></P> <P><EM><SPAN style="font-family: inherit;">Sign in to Azure AD with Temporary Access Pass</SPAN></EM></P> <P>&nbsp;</P> <H1><FONT size="5">Learn more</FONT></H1> <P>You can learn more about how to configure Temporary Access Pass in the <A href="#" target="_blank" rel="noopener">documentation</A>.</P> <P>&nbsp;</P> <P>Some of you may have existing applications for new employee onboarding experiences. Temporary Access Pass is available through the Microsoft Graph APIs, so you can incorporate it into your existing applications. Get details on the <A href="#" target="_blank" rel="noopener">TAP authentication method APIs</A> and on how to use the <A href="#" target="_blank" rel="noopener">policy APIs</A>.</P> <P>&nbsp;</P> <H1><FONT size="5">Tell us what you think</FONT></H1> <P>Give it a try and let us know if you have questions or feedback. 
I hope you will love it as much as we do!</P> <P>&nbsp;</P> <P>Inbar Cizer Kobrinsky (<A href="#" target="_self">@inbarck</A>),</P> <P>Senior Program Manager,</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank" rel="noopener"><EM>Twitter</EM></A><EM> and </EM><A href="#" target="_blank" rel="noopener"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the </EM><A href="#" target="_blank" rel="noopener"><EM>Azure Feedback Forum</EM></A></LI> </UL> <P>&nbsp;</P> Tue, 02 Mar 2021 17:16:20 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/temporary-access-pass-is-now-in-public-preview/ba-p/1994702 Alex Simons (AZURE) 2021-03-02T17:16:20Z Passwordless authentication is now generally available! https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/passwordless-authentication-is-now-generally-available/ba-p/1994700 <P>Howdy Folks,</P> <P>&nbsp;</P> <P>Our team has been working hard to make passwords a thing of the past. Last year was a <A href="#" target="_blank" rel="noopener">breakthrough year</A>, and the start of the movement to passwordless sign-in. Today we’re announcing that our passwordless solution is now generally available!</P> <P>&nbsp;</P> <P>This is a major milestone in Microsoft’s strategy to encourage all our users and organizations to go passwordless! Now organizations can roll out passwordless authentication across their hybrid environments at scale. 
Users get a familiar, simple-to-use authentication experience that offers industry-best security and works across an increasingly broad set of devices and services.</P> <P>&nbsp;</P> <P>Thanks in large part to the feedback we’ve received since we launched public preview in <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/announcing-the-public-preview-of-azure-ad-support-for-fido2/ba-p/746362" target="_blank" rel="noopener">July 2019</A>, we added a fleet of new features to improve the management and usability of these credentials, including authentication methods management, step-up authentication, and passwordless APIs. One of the most impactful updates is the new Temporary Access Pass, <A href="#" target="_blank" rel="noopener">now in public preview</A>. This time-limited passcode ties the onboarding and recovery story of passwordless together for an end-to-end passwordless experience from day one.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Authentication methods management</H2> <P>Authentication methods policies form the foundation of our passwordless story. These policies provide IT admins with more granular control of authentication methods usage within their organizations. In this space, you’ll continue to see <A href="#" target="_blank" rel="noopener">more credentials added</A> to the Authentication Methods blade both in the Azure Portal and via Microsoft Graph, to access and <A href="#" target="_blank" rel="noopener">manage authentication methods</A> policies and user credentials for your organization. We’ve merged management of credentials in the Microsoft Authenticator app so that an admin can set one policy for both passwordless and standard push multi-factor authentication.</P> <P>&nbsp;</P> <P>In the portal, you can also now see and delete passwordless methods on the User blade, for example revoking a FIDO2 security key registration if the user has lost it. Policies related to passwordless credentials are now in Microsoft Graph v1. 
We’ve introduced a <A href="#" target="_blank" rel="noopener">new scoped role</A> specifically for authentication methods policy management, aptly named Authentication Policy Administrator, in addition to the <A href="#" target="_blank" rel="noopener">Authentication administrator</A>.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture16.png" style="width: 732px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/259321i8082A94F451185CE/image-size/large?v=v2&amp;px=999" role="button" title="Picture16.png" alt="Picture16.png" /></span></P> <P><EM><SPAN style="font-family: inherit;">Figure 1: Authentication methods management in Azure Portal</SPAN></EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="pic1.PNG" style="width: 869px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/259415i0853ECD352B2AE4E/image-size/large?v=v2&amp;px=999" role="button" title="pic1.PNG" alt="pic1.PNG" /></span></P> <P><EM><SPAN style="font-family: inherit;">Figure 2: Merged Microsoft Authenticator policy management configuration</SPAN></EM></P> <P>&nbsp;</P> <P><BR /><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="mb.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/259417i7506D07120E9E3FA/image-size/large?v=v2&amp;px=999" role="button" title="mb.png" alt="mb.png" /></span></P> <P><EM>Figure 3: A user’s registered credentials in Azure Portal</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="pic3.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/259418iF200220DCF8A3494/image-size/large?v=v2&amp;px=999" role="button" title="pic3.png" alt="pic3.png" /></span></P> <P><EM>Figure 4: A user’s 
authentication methods as displayed in Graph Explorer</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Improved user experiences</H2> <P>From the beginning, making the passwordless authentication flow delightful has been a top priority, which is why we’ve made numerous improvements to user consistency and flow. We promote the credentials users use most frequently so they get the best experience across devices. Sign-in will keep prompting for that preferred method, be it a password, the Authenticator app, or a FIDO key, until the user chooses “Other ways to sign in” to switch. People can choose when to begin using their new passwordless options and avoid having them foisted on them unexpectedly.</P> <P>&nbsp;</P> <P>We’ve also fixed a few bugs around credentials in a guest user flow, so if someone chooses to always log in with passwordless phone sign-in at the Contoso tenant, they can start the authentication to Fabrikam using that same method.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture11.png" style="width: 732px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/259419iC103335E21606C60/image-size/large?v=v2&amp;px=999" role="button" title="Picture11.png" alt="Picture11.png" /></span><EM>Figure 5: Showing how a user can change which method to use</EM></P> <P>&nbsp;</P> <P>To support users who have registered a FIDO2 security key or enabled passwordless phone sign-in, we’ve given them the choice to use those strong authentication methods to re-verify their identity if they prefer. This is sometimes called “step-up” authentication or a second-factor flow. 
Coupled with a Temporary Access Pass, this gives users the ability to set up and use one of these strong authentication methods, without needing another credential just for MFA.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture12.png" style="width: 453px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/259420i370713CE7DE5D317/image-size/large?v=v2&amp;px=999" role="button" title="Picture12.png" alt="Picture12.png" /></span></P> <P><EM>&nbsp;<SPAN style="font-family: inherit;">Figure 6: Using a FIDO2 security key in a verification scenario</SPAN></EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><SPAN>Improved account setup experience in Microsoft Authenticator </SPAN></H2> <P>One major change to the passwordless phone sign-in experience is the ability to <A href="#" target="_blank" rel="noopener">set up your account</A> from directly within the Microsoft Authenticator app. This works best if you’ve already registered at least one multifactor authentication method in advance or have a Temporary Access Pass.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture13.png" style="width: 355px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/259421i26248143462C96DF/image-size/large?v=v2&amp;px=999" role="button" title="Picture13.png" alt="Picture13.png" /></span></P> <P><EM>Figure 7: Microsoft Authenticator with new "Sign in" feature to add work or school account</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Authentication methods activity</H2> <P>Reporting is another area where we heard your feedback loud and clear, and have made huge strides since we launched its <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/authentication-methods-usage-amp-insights/ba-p/745370" target="_blank" rel="noopener">public preview</A>. 
You can now view registration and usage information for all your authentication methods in the updated Authentication methods activity blade. This report will help you track the progress of registration campaigns and the adoption of passwordless authentication methods, and dive straight into the data to get more details. Our <A href="#" target="_blank" rel="noopener">documentation</A> provides details on permissions and licensing requirements to access these new features.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture14.png" style="width: 702px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/259422i969C439AAF9268E3/image-size/large?v=v2&amp;px=999" role="button" title="Picture14.png" alt="Picture14.png" /></span></P> <P><EM>Figure 8: Authentication methods registration report</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Windows Hello for Business joins the club</H2> <P>Our most deployed and used passwordless credential, Windows Hello for Business, is also being brought more closely into the authentication methods management, so users and admins can see their Windows Hello for Business-capable devices at the security info registration portal and the Azure Portal user blade, respectively. Windows Hello for Business registration and usage will also be captured in the new reporting. Lastly, users who want to remain entirely passwordless can use their FIDO2 security keys, in the Windows Out-Of-Box-Experience (OOBE) or via Settings, to set up their Azure Active Directory identity on a Windows device. 
<BR /><BR /></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture15.png" style="width: 722px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/259423i695787F10D744819/image-size/large?v=v2&amp;px=999" role="button" title="Picture15.png" alt="Picture15.png" /></span></P> <P><EM><SPAN style="font-family: inherit;">Figure 9: Windows Hello for Business devices now show in a user’s list of authentication methods.</SPAN></EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><FONT size="5">Temporary Access Pass</FONT></H2> <P>Of course, to have a world without passwords, we must give our customers the ability to set up all these passwordless authentication methods, and recover from lost devices, without performing the traditional password and multi-factor authentication. To that end, we’ve created and just announced the <A href="#" target="_blank" rel="noopener">public preview of Temporary Access Pass</A>.&nbsp; This time-limited passcode allows you to set up security keys and the Microsoft Authenticator without ever needing to use, much less know, your password! We can’t wait to get your feedback on how the Temporary Access Pass helps you with your passwordless rollout.</P> <P>&nbsp;</P> <P>As you have seen, this post contains only a high-level summary of each of the new features that are coming with general availability; for more details and supported scenarios, be sure to visit the links provided to dig deeper into each area.</P> <P>&nbsp;</P> <P>As excited as we are for this major milestone, general availability is just that – a moment in our passwordless journey. 
We hope you'll also now take the next step in identifying the right user segments that can go passwordless today, and then start your organization’s own journey to <A href="#" target="_blank" rel="noopener">Go Passwordless,</A> whether that’s moving forward in deploying a Windows Hello for Business upgrade, or piloting a new authentication method, or testing FIDO2 security keys across your workloads. All progress is a positive advance towards improving your organization’s security, and your authentication experience.</P> <P>&nbsp;</P> <P>As always, we welcome your comments and feedback below or on the <A href="#" target="_blank" rel="noopener">Azure AD feedback forum</A>.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Best regards,</P> <P>&nbsp;</P> <P>Alex Simons (<A href="#" target="_blank" rel="noopener">@Alex_A_Simons</A>)</P> <P>Corporate VP of Program Management</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>&nbsp;</SPAN><EM>Related posts: </EM></P> <UL> <LI><EM><A href="#" target="_blank" rel="noopener">10 Reasons to Love Passwordless Series</A></EM></LI> <LI><EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/-/ba-p/1994702" target="_self">TAP Public preview blog</A></EM></LI> </UL> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank" rel="noopener"><EM>Twitter</EM></A><EM> and </EM><A href="#" target="_blank" rel="noopener"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the </EM><EM><A href="#" target="_blank" rel="noopener">Azure Feedback Forum</A></EM></LI> </UL> Thu, 04 Mar 2021 16:54:59 GMT 
https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/passwordless-authentication-is-now-generally-available/ba-p/1994700 Alex Simons (AZURE) 2021-03-04T16:54:59Z What’s new in Azure AD at Microsoft Ignite Spring 2021 https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/what-s-new-in-azure-ad-at-microsoft-ignite-spring-2021/ba-p/1942481 <P>Howdy folks,</P> <P>&nbsp;</P> <P>It’s that special time of year with another digital edition of Microsoft Ignite on the horizon. We know that security is top-of-mind for you and your business leaders, maybe now more so than ever. So we’re excited to share several Azure AD announcements that will help you strengthen your Zero Trust defenses in this current era of hybrid work. We’ll be updating our key news on Tuesday morning as Microsoft Ignite starts, so please watch our <A href="#" target="_blank" rel="noopener">Microsoft Security blog</A> for further announcements.</P> <P>&nbsp;</P> <P>Once you’ve checked that out, be sure to tune in to <A href="#" target="_blank" rel="noopener">Azure Active Directory: our identity vision and roadmap</A> airing first at Wednesday, March 3<SUP>rd</SUP> at 5:00pm PT, delivered by Joy Chik, as she shares a deeper dive on how Azure AD helps you maximize control while enabling a seamless and secure user experience. 
Joy will be joined by a team of our identity experts to show off cool demos and share best practices to strengthen your authentication, simplify onboarding, and secure access to all your apps.</P> <P>&nbsp;</P> <P>Please also join our experts for a live Q&amp;A where they will answer your burning questions on <A href="#" target="_blank" rel="noopener">our identity announcements</A>, <A href="#" target="_blank" rel="noopener">tips for deploying secure passwordless solutions</A>, and <A href="#" target="_blank" rel="noopener">Zero Trust as the proactive approach to cybersecurity</A>.</P> <P>&nbsp;</P> <P>No matter where you are in the world, I hope you will join us through our live and pre-recorded sessions.&nbsp;Join the conversation on&nbsp;<A href="#" target="_blank" rel="noopener">Twitter</A>&nbsp;and&nbsp;<A href="#" target="_blank" rel="noopener">LinkedIn</A>&nbsp;with the hashtag #MSIgnite.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG><FONT size="5">Additional technical deep dive sessions available starting Tuesday</FONT> </STRONG></P> <UL> <LI>Go passwordless | Hands-on tour in Azure AD with FIDO2 keys and Temporary Access Pass - <A href="#" target="_blank" rel="noopener">watch</A></LI> <LI>Taking identity and privacy to a new level – <A href="#" target="_blank" rel="noopener">watch</A></LI> <LI>Prevent attacks by protecting your applications with Azure Active Directory – <A href="#" target="_blank" rel="noopener">watch</A></LI> <LI>Winning Azure Active Directory strategies for identity, security, and governance – <A href="#" target="_blank" rel="noopener">watch</A></LI> <LI>Zero Trust – The proactive approach to cybersecurity – <A href="#" target="_blank" rel="noopener">watch</A></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG><FONT size="5">Looking for more ways to engage with our identity content and experts?</FONT> </STRONG></P> <P>Visit the <A href="#" target="_blank" rel="noopener">Connection Zone</A> where various engagement opportunities will help 
deepen your knowledge and skills.</P> <UL> <LI>Compete and win free certification exams while building your expertise by participating in <A href="#" target="_blank" rel="noopener">Cloud Skill Challenges</A></LI> <LI>Tune into <A href="#" target="_blank" rel="noopener">Plan implement and administer conditional access</A>, a Learn Live session which will highlight how to plan and implement security defaults, test and troubleshoot conditional access policies, implement application controls and session management, and configure smart lockout thresholds.</LI> <LI>Want to have your questions answered by a Microsoft Professional? Visit <A href="#" target="_blank" rel="noopener">One-on-one Consults</A> to schedule a 45-minute consultation where you can engage directly with an identity expert.</LI> </UL> <P>&nbsp;</P> <P>Best regards,</P> <P>&nbsp;</P> <P>Alex Simons (Twitter: <A href="#" target="_blank" rel="noopener">@alex_a_simons</A>)</P> <P>Corporate Vice President Program Management</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> Thu, 19 Aug 2021 23:22:45 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/what-s-new-in-azure-ad-at-microsoft-ignite-spring-2021/ba-p/1942481 Alex Simons (AZURE) 2021-08-19T23:22:45Z 10 Reasons to Love Passwordless #8: You won’t get phished! https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-8-you-won-t-get-phished/ba-p/2147056 <P><EM>In this series, Microsoft identity team members share their reasons for loving passwordless authentication (and why you should too!). 
Today, Maria Puertas Calvo, data scientist for Microsoft Identity, continues the series.</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Hi!</P> <P>&nbsp;</P> <P>I am honored to be among such a fine group of people bringing you the goodness of passwordless authentication. Today, I’m going to talk about how passwordless dramatically reduces the risk of phishing attacks against your organization. Let’s begin!</P> <P>&nbsp;</P> <P>Phishing is a form of social engineering in which a victim is tricked into giving their credentials to an attacker. It remains one of the main points of entry into organizations for cybercriminals. The attacker generally presents the user with a sign-in page that spoofs the real authentication page and hopes that the victim enters their credentials. Even long, complex passwords won’t help you in a phishing situation if you unknowingly enter them, exactly right, on a phishing site.</P> <P>&nbsp;</P> <P>Passwords are the most commonly phished credentials, but some sophisticated attackers go one step further and perform real-time phishing attacks for multifactor authentication credentials, luring the victim to provide the one-time password (OTP) sent to their email or phone. From September 2019 to September 2020, Microsoft Defender for Office <A href="#" target="_blank" rel="noopener">blocked 1.6 billion phishing</A> emails linking to around 2 million phishing URL sites. In 2020, phishing incidents <A href="#" target="_blank" rel="noopener">rose by 220%</A> compared to the yearly average during the height of global pandemic fears.</P> <P>&nbsp;</P> <P>OK, you get the point. 
Phishing is bad and scary, but how does passwordless protect your organization from phishing attacks?</P> <P>&nbsp;</P> <P>To start, most phishing sites are designed to collect passwords. If you normally don’t use a password to log in, you will be immediately suspicious if the site is asking for it. Even if you think the site is legitimate, you will likely not know your password because you never use it! Sites that phish other credentials, such as OTPs sent to your phone app or hardware token, are much less prevalent, so if you choose to go passwordless, say with the Authenticator app for its amazing usability, you’ll also get enhanced security.</P> <P>&nbsp;</P> <P>But the benefits don’t end there. Two of our main passwordless authenticators are FIDO2-based: Windows Hello for Business and security keys. If you want to make it extremely hard for your users to get phished, these two authentication methods provide phishing-resistant authentication. How? – you ask. Phishing sites rely on humans not noticing that the domain asking for their credential is not the one they registered that credential with. With FIDO, this problem is avoided because the client (i.e. the browser) uses the server domain when it asks the authenticator (i.e. the security key) to sign the login request. In simpler words, the authenticator will provide a credential that’s valid for foobar.com only when the site visited is foobar.com. If an attacker creates foodbar.com and tries to phish the user’s credentials, the authenticator will sign a message that won’t be accepted by foobar.com, hence making phishing impossible.</P> <P>&nbsp;</P> <P>So that’s it, one more reason to love passwordless. 
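The origin binding just described, as an added example that is not code from the original post: the checks a relying party runs on a WebAuthn assertion, exercised against a constructed sign-in at foobar.com and one relayed from the look-alike foodbar.com. The HMAC stand-in for the authenticator's signature, the fixed challenge and the credential secret are assumptions made for the example, not anything Azure AD does; call demo() to see why each relayed or tampered case is rejected.

```python
"""RP-side checks that give a WebAuthn assertion its phishing resistance.
Added example, not code from the original post. Assumptions: the
authenticator's ECDSA signature is stood in for by an HMAC under a constructed
per-credential secret (same signed bytes: authenticatorData ||
SHA-256(clientDataJSON)), and the RP ID is taken to be the origin's host.
"""
import base64
import hashlib
import hmac
import json
import struct

RP_ID = "foobar.com"                    # RP ID the credential was registered for
EXPECTED_ORIGIN = "https://foobar.com"  # origin the RP serves its sign-in page from
FLAG_USER_PRESENT = 0x01
# Constructed stand-in for the credential's private key (see module docstring).
CREDENTIAL_SECRET = b"constructed-demo-secret-not-a-real-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def simulate_sign_in(origin: str, challenge: bytes) -> dict:
    """What browser + authenticator produce when the user signs in on `origin`.
    The browser, not the page, records the origin it is on and derives the RP ID
    from it; the authenticator binds SHA-256(RP ID) into authenticatorData and
    signs over that together with SHA-256(clientDataJSON)."""
    rp_id = origin.split("://", 1)[1]
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
    }).encode()
    authenticator_data = (hashlib.sha256(rp_id.encode()).digest()
                          + bytes([FLAG_USER_PRESENT])   # flags
                          + struct.pack(">I", 1))        # signCount
    signed_bytes = authenticator_data + hashlib.sha256(client_data_json).digest()
    signature = hmac.new(CREDENTIAL_SECRET, signed_bytes, hashlib.sha256).digest()
    return {"clientDataJSON": client_data_json,
            "authenticatorData": authenticator_data,
            "signature": signature}


def verify_assertion(response: dict, challenge: bytes,
                     rp_id: str = RP_ID, expected_origin: str = EXPECTED_ORIGIN):
    """RP-side checks in the order WebAuthn section 7.2 lists them; returns (ok, reason)."""
    try:
        client_data = json.loads(response["clientDataJSON"])
    except (KeyError, ValueError):
        return False, "clientDataJSON missing or not JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), challenge):
        return False, "challenge mismatch"          # replay or wrong session
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch: %r" % client_data.get("origin")
    authenticator_data = response["authenticatorData"]
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"           # signed for a different RP ID
    if not authenticator_data[32] & FLAG_USER_PRESENT:
        return False, "user presence flag not set"
    signed_bytes = authenticator_data + hashlib.sha256(response["clientDataJSON"]).digest()
    expected_sig = hmac.new(CREDENTIAL_SECRET, signed_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, response["signature"]):
        return False, "signature invalid"
    return True, "ok"


def demo(challenge: bytes = bytes(range(32))) -> dict:
    """Run the verifier over a genuine sign-in and the look-alike-domain cases.
    The challenge is a constructed fixed value; a real RP draws a fresh random
    one per ceremony. Returns the verifier's reason string for each case."""
    results = {}
    genuine = simulate_sign_in("https://foobar.com", challenge)
    results["genuine"] = verify_assertion(genuine, challenge)[1]
    # Sign-in performed on the look-alike site and relayed to the real RP.
    relayed = simulate_sign_in("https://foodbar.com", challenge)
    results["relayed"] = verify_assertion(relayed, challenge)[1]
    # Same response with clientDataJSON edited to claim the real origin: the
    # rpIdHash the authenticator committed to still names the look-alike.
    edited = dict(relayed, clientDataJSON=relayed["clientDataJSON"]
                  .replace(b"foodbar", b"foobar"))
    results["edited_origin"] = verify_assertion(edited, challenge)[1]
    # Patching rpIdHash as well breaks the signature, which covers both fields.
    patched_ad = hashlib.sha256(RP_ID.encode()).digest() + edited["authenticatorData"][32:]
    patched = dict(edited, authenticatorData=patched_ad)
    results["patched_rpid"] = verify_assertion(patched, challenge)[1]
    # Genuine response replayed against a later ceremony's challenge.
    results["replayed"] = verify_assertion(genuine, bytes(32))[1]
    return results
```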
Go passwordless and drive cybercriminals out of business by keeping them out of your business.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>Check out the other posts in this series:</SPAN><SPAN>&nbsp;</SPAN></P> <UL> <LI><A href="#" target="_blank" rel="noopener noreferrer">Temporary Access Pass is now in preview</A></LI> <LI><SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/identity-standards-blog/what-s-new-in-passwordless-standards-2021-edition/ba-p/2124136" target="_self">What's New in Passwordless Standards, 2021 edition!</A></SPAN></LI> <LI>10 Reasons to Love Passwordless #1:&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-1-fido-rocks/ba-p/2111918" target="_blank" rel="noopener">FIDO Rocks</A></LI> <LI>10 Reasons to Love Passwordless #2:&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-2-nist-compliance/ba-p/2115725" target="_blank" rel="noopener">NIST Compliance</A></LI> <LI>10 Reasons to Love Passwordless #3:<SPAN>&nbsp;</SPAN><FONT size="3"><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-3-why-biometrics-and/ba-p/1751769" target="_self">Why biometrics and passwordless are a dream combination</A></FONT></LI> <LI>10 Reasons to Love Passwordless #4:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-4-secure-your-digital-estate/ba-p/2115724" target="_self">Secure your digital estate, while securing your bottom line</A></LI> <LI>10 Reasons to Love Passwordless #5:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-5-the-ease-of-use-and/ba-p/2115717" target="_self">The Ease of Use and Portability of Security Keys</A></LI> <LI>10 Reasons to Love Passwordless 
#6:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-6-the-passwordless-funnel/ba-p/2144513" target="_self">The Passwordless Funnel</A></LI> <LI>10 Reasons to Love Passwordless #7:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-7-authenticator-app-for-easy/ba-p/1751773" target="_self">Authenticator app for easy phone sign in</A>&nbsp;</LI> <LI>10 Reasons to Love Passwordless #8:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-8-you-won-t-get-phished/ba-p/2147056" target="_self">You won't get phished!</A></LI> <LI>10 Reasons to Love Passwordless #9:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-9-onboard-without-a-password/ba-p/1751774" target="_self">Onboard without a password</A></LI> <LI>10 Reasons to Love Passwordless #10: <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-10-never-use-a-password/ba-p/2111909" target="_self">Never use a password</A></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the<SPAN>&nbsp;</SPAN></EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>Twitter</EM></A><EM><SPAN>&nbsp;</SPAN>and<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener nofollow noreferrer"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the<SPAN>&nbsp;</SPAN></EM><A href="#" target="_blank" rel="noopener 
nofollow noreferrer"><EM>Azure Feedback Forum</EM></A></LI> </UL> <P>&nbsp;</P> Thu, 19 Aug 2021 23:22:43 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-8-you-won-t-get-phished/ba-p/2147056 Maria_Puertas_Calvo 2021-08-19T23:22:43Z 10 Reasons to Love Passwordless #7: Authenticator app for easy phone sign-in https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-7-authenticator-app-for-easy/ba-p/1751773 <P><EM>In this series, Microsoft identity team members share their reasons for loving passwordless authentication (and why you should too!). Today, Alex Weinert continues this series.</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>In previous blogs in this series, we shared how passwords lead to breaches, lost productivity and support calls. I also shared how <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-3-why-biometrics-and/ba-p/1751769" target="_blank" rel="noopener">biometrics</A> local to each device provide a secure and convenient way to authenticate with a simple gesture from the user.&nbsp;</P> <P>&nbsp;</P> <P>Your identity companion, the Microsoft Authenticator app, is a great example. It allows you to sign into your Microsoft identities (personal, work or school) by responding to a notification with a quick scan of your face, swipe of your finger or entry of your phone passcode. By combining your device and the biometric, it is not just simpler than a password, but inherently multifactor.&nbsp;</P> <P>&nbsp;</P> <P>Most of us keep our mobile phone in easy grabbing distance, no matter what we’re doing. Using Authenticator on your mobile phone, you can easily approve sign-ins on any device and into any app. There is no password to type, SMS code to round-trip, or robocall to answer! 
Moreover, security measures such as matching a number at the time of approving a sign-in help prevent accidental approval, and the app can provide context and security notifications much richer than anything possible in <A href="#" target="_blank" rel="noopener">text messages</A>.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="7.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/258509i1855CAB8673ED437/image-size/large?v=v2&amp;px=999" role="button" title="7.png" alt="7.png" /></span></P> <P><EM>Figure 1: Number matching experience</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>If you have a smartwatch, you don’t even have to take your phone out of your pocket while logging into your <A href="#" target="_blank" rel="noopener">Microsoft account</A>. (Every time I approve on my watch I feel like I am an extra in a cool sci-fi series – when my kid saw me do it, he finally thought authentication was cool!)</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="5.png" style="width: 556px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/258512i09A6439EF80D2E92/image-size/large?v=v2&amp;px=999" role="button" title="5.png" alt="5.png" /></span></P> <P>&nbsp;</P> <P>For enterprises, when most of your workforce is remote, Microsoft Authenticator can be one of the easiest and fastest mechanisms to roll out. It is also the most cost-effective. Users can download the app on their phones and set up an account in seconds. There is no additional hardware to carry and you can approve sign-ins on any device in the world. 
Passwordless authentication with Microsoft Authenticator also meets <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-2-nist-compliance/ba-p/2115725" target="_blank" rel="noopener">NIST 800-63</A> Authenticator Assurance Level 2.</P> <P>&nbsp;</P> <P>For end-users, the authentication experience matters the most. Microsoft Authenticator is one of the most highly rated authenticator apps in the world. As of February 2021, it tops its peers with a rating of 4.8 stars on the Apple App Store and 4.7 stars on the Google Play Store. Authenticator provides users great security with convenience, and we are constantly innovating it with new capabilities.</P> <P>&nbsp;</P> <P>In summary, Microsoft Authenticator may be the easiest and most affordable way to go passwordless for you and your users. There is no additional hardware to carry, no passwords to remember or type, no SMS to copy and no phone calls to answer while signing in. You tap a notification, provide your biometrics and you are logged into any device you want. All this with secure multifactor authentication.</P> <P>&nbsp;</P> <P>Stay tuned for more in the series! 
We’ll share how passwordless credentials can protect you from top attacks and we’ll dive into setup and recovery of passwordless credentials.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>Check out the other posts in this series:</SPAN><SPAN>&nbsp;</SPAN></P> <UL> <LI><A href="#" target="_blank" rel="noopener noreferrer">Temporary Access Pass is now in preview</A></LI> <LI><SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/identity-standards-blog/what-s-new-in-passwordless-standards-2021-edition/ba-p/2124136" target="_self">What's New in Passwordless Standards, 2021 edition!</A></SPAN></LI> <LI>10 Reasons to Love Passwordless #1:&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-1-fido-rocks/ba-p/2111918" target="_blank" rel="noopener">FIDO Rocks</A></LI> <LI>10 Reasons to Love Passwordless #2:&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-2-nist-compliance/ba-p/2115725" target="_blank" rel="noopener">NIST Compliance</A></LI> <LI>10 Reasons to Love Passwordless #3:<SPAN>&nbsp;</SPAN><FONT size="3"><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-3-why-biometrics-and/ba-p/1751769" target="_self">Why biometrics and passwordless are a dream combination</A></FONT></LI> <LI>10 Reasons to Love Passwordless #4:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-4-secure-your-digital-estate/ba-p/2115724" target="_self">Secure your digital estate, while securing your bottom line</A></LI> <LI>10 Reasons to Love Passwordless #5:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-5-the-ease-of-use-and/ba-p/2115717" target="_self">The Ease of Use and Portability of Security Keys</A></LI> <LI>10 
Reasons to Love Passwordless #6:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-6-the-passwordless-funnel/ba-p/2144513" target="_self">The Passwordless Funnel</A></LI> <LI>10 Reasons to Love Passwordless #7:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-7-authenticator-app-for-easy/ba-p/1751773" target="_self">Authenticator app for easy phone sign in</A>&nbsp;</LI> <LI>10 Reasons to Love Passwordless #8:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-8-you-won-t-get-phished/ba-p/2147056" target="_self">You won't get phished!</A></LI> <LI>10 Reasons to Love Passwordless #9:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-9-onboard-without-a-password/ba-p/1751774" target="_self">Onboard without a password</A></LI> <LI>10 Reasons to Love Passwordless #10: <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-10-never-use-a-password/ba-p/2111909" target="_self">Never use a password</A></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the&nbsp;</EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on&nbsp;</EM><A href="#" target="_blank" rel="noopener"><EM>Twitter</EM></A><EM>&nbsp;and&nbsp;</EM><EM><A href="#" target="_blank" rel="noopener">LinkedIn</A></EM></LI> <LI><EM style="font-family: inherit;">Share product suggestions on the&nbsp;</EM><A style="font-family: inherit; background-color: #ffffff;" href="#" target="_blank" 
rel="noopener"><EM>Azure Feedback Forum</EM></A></LI> </UL> <P>&nbsp;</P> Thu, 19 Aug 2021 23:22:41 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-7-authenticator-app-for-easy/ba-p/1751773 Alex Weinert 2021-08-19T23:22:41Z 10 Reasons to Love Passwordless #6: The Passwordless Funnel https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-6-the-passwordless-funnel/ba-p/2144513 <P><EM>In this series, Microsoft identity team members share their reasons for loving passwordless authentication (and why you should too!). Today, Tarek Dawoud, principal program manager, continues this series.</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Since we announced our <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/announcing-the-public-preview-of-azure-ad-support-for-fido2/ba-p/746362" target="_self">Public Preview</A> of passwordless credential management, we have met with hundreds of customers to discuss the passwordless promise and how to get there. If there’s one consistent theme we’ve heard from customers over the past two years, it’s been that going passwordless makes sense. That's what I love about passwordless. They absolutely believe in the promise, the technology, and the standards backing it. They see that it’s the right investment to truly rely on enterprise security for user accounts and credentials.</P> <P>&nbsp;</P> <P>The other theme we’ve also heard is that customers need guidance and help on how to plan their passwordless journey. 
Passwords have been around since the inception of computing, so removing them is a new undertaking for most customers, and because the passwordless journey is closely tied to the cloud journey, many customers are seeking a blueprint or roadmap.</P> <P>&nbsp;</P> <P>I am here to share more about the journeys that some of our most successful passwordless customers, including Microsoft ourselves, have taken, and what we have learned from them. The first step on the journey is to understand and start planning for the “Passwordless Funnel” as illustrated in the image below:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="6-1.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/258214iBB48AD0F1F31CBC0/image-size/large?v=v2&amp;px=999" role="button" title="6-1.png" alt="6-1.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><STRONG><FONT size="5">Passwordless Funnel:</FONT></STRONG></H2> <UL> <LI><STRONG>Presence in Azure AD:</STRONG> Recognize that the cloud is where passwordless innovation is happening. Whether it’s WebAuthn or enhancements in token protection, the modern protocols and standards are where the battle can be won. Trying to go passwordless while relying on on-premises legacy technologies that have the password embedded in their fabric is counter-productive. Legacy applications will be around (and the solution should allow them to continue to work), but the speed of the cloud is far better suited to iterating on passwordless than hoping for server products to keep up.</LI> <LI><STRONG>Moving your Apps to Azure AD:</STRONG> The majority of users’ day-to-day apps should be modernized apps that use OAuth 2.0 or SAML for authentication and authorization. This is already true for all Microsoft 365 apps, and the same goal applies to the rest of your portfolio: the more apps under Azure AD, the more bang for your passwordless buck. 
For developers, we now have guidance on how to make sure <A href="#" target="_blank" rel="noopener">your apps are passwordless ready</A>.</LI> <LI><STRONG>Device and platform readiness:</STRONG> This is one area that customers may overlook. To enable Windows Hello for Business with the best feature set for passwordless integration, we recommend Windows 10 version 2004 (20H1) or later. Customers will likely need time to get on a current build of Windows. Customers using FIDO2 keys also need to familiarize themselves with the <A href="#" target="_blank" rel="noopener">Azure AD FIDO2 Supportability matrix</A> for operating system and browser support. Device readiness also includes what FIDO hardware you may need, and which vendors provide the functionality and features customers may need. This matrix is an ever-evolving page as more software and hardware vendors add support for FIDO2, so watch this space.</LI> <LI><STRONG>Enable secure bootstrapping of Passwordless:</STRONG>&nbsp;A strong credential that can be registered with a single weak credential is only as strong as that weak credential: whoever holds the password could enroll their own passwordless credential. As your users onboard to passwordless credentials (Windows Hello for Business - WHFB, Passwordless Phone Sign in or FIDO2 keys) they must use strong authentication to register these credentials. Today, this means they must be registered for Azure AD MFA following our best practices. Soon, we’ll add a way for employees to register a passwordless credential without needing a traditional MFA method first. To keep up with the newest updates, keep following this series.</LI> <LI><STRONG>Registering the new passwordless credentials:</STRONG> Create campaigns and awareness to enroll targeted user groups into the new credentials. Today, we have over 4 million users actively using WHFB as their primary credential on Azure AD. WHFB enrollment can be completed on existing devices or simply by acquiring a new device. 
For FIDO2 and Passwordless Phone Sign in, you can scope rollout campaigns using the guidance in our <A href="#" target="_blank" rel="noopener">deployment guide</A>.</LI> </UL> <P>&nbsp;</P> <H2><FONT size="5"><STRONG>Putting it all together</STRONG></FONT></H2> <P>So, as you start your passwordless journey… What can you do today? What can you start in a month? And what do you have to start working on this year? This journey map (shown below) is based on our deployment journey at Microsoft as well as hundreds of passwordless deployments with our customers; we hope you will find it valuable.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="6-2.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/258131iF007100A401C65CB/image-size/large?v=v2&amp;px=999" role="button" title="6-2.png" alt="6-2.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>Check out the other posts in this series:</SPAN><SPAN>&nbsp;</SPAN></P> <UL> <LI><A href="#" target="_blank" rel="noopener noreferrer">Temporary Access Pass is now in preview</A></LI> <LI><SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/identity-standards-blog/what-s-new-in-passwordless-standards-2021-edition/ba-p/2124136" target="_self">What's New in Passwordless Standards, 2021 edition!</A></SPAN></LI> <LI>10 Reasons to Love Passwordless #1:&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-1-fido-rocks/ba-p/2111918" target="_blank" rel="noopener">FIDO Rocks</A></LI> <LI>10 Reasons to Love Passwordless #2:&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-2-nist-compliance/ba-p/2115725" target="_blank" rel="noopener">NIST Compliance</A></LI> <LI>10 Reasons to Love Passwordless #3:<SPAN>&nbsp;</SPAN><FONT size="3"><A 
href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-3-why-biometrics-and/ba-p/1751769" target="_self">Why biometrics and passwordless are a dream combination</A></FONT></LI> <LI>10 Reasons to Love Passwordless #4:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-4-secure-your-digital-estate/ba-p/2115724" target="_self">Secure your digital estate, while securing your bottom line</A></LI> <LI>10 Reasons to Love Passwordless #5:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-5-the-ease-of-use-and/ba-p/2115717" target="_self">The Ease of Use and Portability of Security Keys</A></LI> <LI>10 Reasons to Love Passwordless #6:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-6-the-passwordless-funnel/ba-p/2144513" target="_self">The Passwordless Funnel</A></LI> <LI>10 Reasons to Love Passwordless #7:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-7-authenticator-app-for-easy/ba-p/1751773" target="_self">Authenticator app for easy phone sign in</A>&nbsp;</LI> <LI>10 Reasons to Love Passwordless #8:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-8-you-won-t-get-phished/ba-p/2147056" target="_self">You won't get phished!</A></LI> <LI>10 Reasons to Love Passwordless #9:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-9-onboard-without-a-password/ba-p/1751774" target="_self">Onboard without a password</A></LI> <LI>10 Reasons to Love Passwordless #10: <A 
href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-10-never-use-a-password/ba-p/2111909" target="_self">Never use a password</A></LI> </UL> <P><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN><EM>Learn more about Microsoft identity:</EM></SPAN><SPAN>&nbsp;</SPAN></P> <UL> <LI><SPAN><EM>Return to the&nbsp;</EM></SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><SPAN><EM>Azure Active Directory Identity blog home</EM></SPAN></A><SPAN>&nbsp;</SPAN></LI> <LI><SPAN><EM>Join the conversation on&nbsp;</EM></SPAN><A href="#" target="_blank" rel="noopener nofollow noreferrer"><SPAN><EM>Twitter</EM></SPAN></A><SPAN><EM>&nbsp;and&nbsp;</EM></SPAN><A href="#" target="_blank" rel="noopener nofollow noreferrer"><SPAN><EM>LinkedIn</EM></SPAN></A><SPAN>&nbsp;</SPAN></LI> <LI><SPAN><EM>Share product suggestions on the&nbsp;</EM></SPAN><A href="#" target="_blank" rel="noopener nofollow noreferrer"><SPAN><EM>Azure Feedback Forum</EM></SPAN></A><SPAN>&nbsp;</SPAN></LI> </UL> Thu, 19 Aug 2021 23:22:39 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-6-the-passwordless-funnel/ba-p/2144513 TarekD 2021-08-19T23:22:39Z Wipro streamlines guest-user access with Azure AD External Identities - Microsoft https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/wipro-streamlines-guest-user-access-with-azure-ad-external/ba-p/2115723 <P><EM>Hello! In today’s “Voice of the Partner” blog, Prakash Narayanamoorthy, Principal Microsoft Security Architect for Wipro, explains how his company transformed their identity and access management </EM><A href="#" target="_blank" rel="noopener"><EM>(IAM) offer</EM></A><EM> while delivering an elevated level of governance and secure access</EM> <EM>across external identities. 
Prakash and his team streamlined external access and strengthened security for their customers—all with a new unified Microsoft solution: Azure Active Directory External Identities.</EM></P> <P>&nbsp;</P> <H3><FONT size="5"><STRONG>Streamlining IAM for today’s business</STRONG></FONT></H3> <H3>by Prakash Narayanamoorthy, Principal Microsoft Security Architect for Wipro</H3> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">Wipro Limited</A> is a leading global information technology, consulting, and business process services company. We harness the power of cognitive computing, hyper-automation, robotics, cloud, analytics, and emerging technologies to help our clients adapt to the digital world and make them successful. A company recognized globally for its comprehensive portfolio of services, strong commitment to sustainability, and good corporate citizenship,&nbsp;we have over 180,000 dedicated employees&nbsp;serving clients across six continents<SPAN>. </SPAN><SPAN>With a staff of more than 8,000 security professionals, Wipro has been helping global customers transform their identity and access management (IAM) challenges for more than 20 years.</SPAN></P> <P>&nbsp;</P> <P><SPAN>With most of our customers already in, or migrating to, single or multi-cloud environments, we want to enable them to connect securely from anywhere, and on any device. 
On-premises IAM solutions often aren’t scalable and can’t address the digital-transformation initiatives now embraced by organizations worldwide.</SPAN> We recognized that today’s <SPAN>evolving threat landscape demands a next-gen IAM solution to keep up with business and security requirements—and we wanted to provide that solution powered by </SPAN><A href="#" target="_blank" rel="noopener">Microsoft Identity</A><SPAN>.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="1.PNG" style="width: 732px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/254650i3D3A9C724D94D3EC/image-size/large?v=v2&amp;px=999" role="button" title="1.PNG" alt="1.PNG" /></span></P> <P>&nbsp;<EM style="font-family: inherit;">Figure 1: Today’s B2B ecosystem</EM></P> <H3>&nbsp;</H3> <H3><FONT size="5"><SPAN><STRONG>A unified IAM solution</STRONG> </SPAN></FONT></H3> <P><SPAN>In my role as Principal Microsoft Security Architect, I own the Azure and Microsoft 365 security and compliance architecture and consulting charter, as well as go-to-market (GTM) strategies.</SPAN> As part of our Microsoft IAM offerings, we provide end-to-end solutions and services for our customers, who often are suffering from<SPAN> complex, inefficient onboarding and access-governance processes. In many cases, clients were leveraging existing IAM solutions with manual intervention. These legacy approaches don’t provide the agility and visibility across external identities that today’s organizations require.</SPAN></P> <P>&nbsp;</P> <P><SPAN>My team was looking for a framework that would quickly adapt the Azure Active Directory (Azure AD) platform for servicing customers’ partner and guest-user identities in one solution. We wanted something that could provide seamless and secure access for our customers’ external users. 
In seeking to address their pain points—onboarding, access, identity governance, and secure collaboration—we found the perfect solution in </SPAN><A href="#" target="_blank" rel="noopener">Azure AD External Identities</A><SPAN>.</SPAN></P> <P>&nbsp;</P> <P>By leveraging Microsoft Graph APIs to automate Azure AD External Identities functionalities, we’re able to<SPAN> mitigate our customers’ key challenges</SPAN> around user registration and onboarding. <SPAN>Our application onboarding helps to onboard external-facing </SPAN><A href="#" target="_blank" rel="noopener">single sign-on (SSO)</A><SPAN> apps quickly and seamlessly.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="2.PNG" style="width: 584px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/254651i33FA8DD83E2694EB/image-size/large?v=v2&amp;px=999" role="button" title="2.PNG" alt="2.PNG" /></span></SPAN></P> <P>&nbsp;<EM>Figure 2: Azure AD External Identities architecture</EM></P> <H3>&nbsp;</H3> <H3><FONT size="5"><STRONG>The Azure AD External Identities difference</STRONG></FONT></H3> <P><SPAN>In our customers’ previous partner-user and guest-user identity ecosystem, there were multiple legacy SSO solutions used to grant access to applications. Some user identities were stored on-premises, posing potential security risks. Onboarding for external users was time consuming due to the complexity and costs of managing multiple disconnected identity systems. By unifying access with Azure AD External Identities, we’ve reduced complexity and increased agility for our customers—providing them with easy onboarding and secure access for all their external identities</SPAN><SPAN>.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Wipro now provides an end-to-end solution for our customers’ IAM challenges. With Azure AD External Identities, we’re able to make the external application-onboarding process seamless. 
</SPAN>Even better, <SPAN>customers can allow guest users access to </SPAN><A href="#" target="_blank" rel="noopener">Microsoft Teams</A><SPAN>, and through Azure AD they can implement strict controls on how teams are named and classified, as well as who can create them, and whether guests can be added as team members—all with </SPAN><A href="#" target="_blank" rel="noopener">improved overall governance and security</A><SPAN>.</SPAN></P> <P>&nbsp;</P> <P><SPAN>With Azure AD, we’ve seen a plethora of functionalities stand out as clear differentiators. For example: risk-based authorization via Azure AD </SPAN><A href="#" target="_blank" rel="noopener">Conditional Access</A><SPAN>, </SPAN><A href="#" target="_blank" rel="noopener">passwordless sign-in</A><SPAN>, </SPAN><A href="#" target="_blank" rel="noopener">self-service</A><SPAN> features, and easy options for onboarding external identities—along with strong identity governance through complete access packages and easy recertification. We work closely with the Microsoft engineering team, and we always get timely support to help solve our customers’ IAM challenges. As&nbsp;Sheetal Mehta, Sr. Vice President and Group CISO, Wipro Ltd. explains,&nbsp;</SPAN>“Azure AD External Identities helped us to redefine our external users’ lifecycle management and enterprise applications access, providing secure collaboration and compliance.”&nbsp;</P> <P>&nbsp;</P> <H3><FONT size="5"><STRONG>Real results</STRONG></FONT></H3> <P><SPAN>With the Azure AD External Identities approach, we’ve simplified and streamlined onboarding processes for our customers’ external users. There’s easy integration with network delivery controllers; meaning, on-premises apps are secured against external identities. Having Conditional Access with </SPAN><A href="#" target="_blank" rel="noopener">Azure AD Identity Protection</A><SPAN> helps minimize risks during sign-in and throughout the entire session. 
With the </SPAN><A href="#" target="_blank" rel="noopener">email one-time passcode (OTP)</A><SPAN> sign-in feature, we’ve been able to avoid storing external users’ passwords, which improves security controls. Some benefits our customers have experienced include:</SPAN></P> <P>&nbsp;</P> <UL> <LI><SPAN>Simplified on- and off-boarding processes</SPAN></LI> <LI><SPAN>Seamless, secure access to enterprise applications</SPAN></LI> <LI><SPAN>Improved overall security and compliance, with reduced risk</SPAN></LI> <LI><SPAN>Reduced effort required to onboard external-facing applications with SSO</SPAN></LI> <LI><SPAN>A centralized IAM platform with reduced costs</SPAN></LI> <LI><SPAN>Reduced external identity risks</SPAN></LI> <LI><SPAN>Improved customer experience through an intuitive UI/UX</SPAN></LI> <LI><SPAN>Reduced administrative overhead</SPAN></LI> </UL> <P>&nbsp;</P> <P><SPAN>Overall, Azure AD External Identities has enabled Wipro to provide our customers with a seamless, integrated security approach, improving their enterprise security and compliance posture in one solution. Even better, </SPAN><A href="#" target="_blank" rel="noopener">Azure AD External Identities is now free for the first 50,000 monthly active users</A>.</P> <P>&nbsp;</P> <H2><FONT size="5"><STRONG>Learn more</STRONG></FONT></H2> <P><EM>I hope Wipro’s account of adopting Azure AD External Identities to streamline IAM for their customers provides you with ideas for your organization. 
To learn more about our customers’ experiences, take a look at the other stories in the “Voice of the Partner” series.</EM></P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank" rel="noopener"><EM>Twitter</EM></A><EM> and </EM><A href="#" target="_blank" rel="noopener"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the </EM><A href="#" target="_blank" rel="noopener"><EM>Azure Feedback Forum</EM></A></LI> </UL> Fri, 26 Feb 2021 21:54:13 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/wipro-streamlines-guest-user-access-with-azure-ad-external/ba-p/2115723 Sue Bohn 2021-02-26T21:54:13Z 10 Reasons to love Passwordless #1: FIDO Rocks https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-1-fido-rocks/ba-p/2111918 <DIV><EM>Over the next few weeks, the Microsoft Identity team will share 10 reasons to love passwordless and why you should consider changing how you (and your users) login every day. Kicking off the series is Pamela Dingle.</EM></DIV> <P>&nbsp;</P> <P>I love passwordless authentication because of the amazing flexibility and choice that come with strong authentication standards like <STRONG>F</STRONG>ast <STRONG>ID</STRONG>entity <STRONG>O</STRONG>nline – also known as <A href="#" target="_blank" rel="noopener">FIDO</A>. 
Before sharing how FIDO has helped make my life easier, let’s talk a little about passwordless.</P> <P>&nbsp;</P> <P>Passwordless authentication means living a daily digital life where you <EM>never type a password</EM>. Instead, you use more secure ways to authenticate such as a fingerprint reader built into your Windows laptop, face unlock on your Android device, or a push notification you respond to on your iPhone. The best part is you can set up just one or all of these passwordless identity mechanisms. That means there is a passwordless option no matter where you are or what you are doing. For me, this has huge benefits: 1) Less typing, 2) Less remembering of stupid passwords that make me angry, 3) Less retyping of the passwords because I got them wrong the first time, and 4) <A href="#" target="_blank" rel="noopener">Wow is it more secure</A>.</P> <P>&nbsp;</P> <P>Back to <STRONG>my</STRONG> favorite part about passwordless authentication at Microsoft – the fact that we offer open standards-based options via the FIDO family of protocols. FIDO lets a website request a secure credential in a vendor-agnostic way. This means no lock-in! In the past, for a website to support secure login mechanisms like fingerprint or facial recognition, the website developer would need to write proprietary code, possibly for many types of computer hardware, operating systems, or smartphone implementations – it was just a mess. If you used a product that wasn’t on the supported list, you were out of luck. Now, the website can just use the W3C Web Authentication (WebAuthn) standard to <A href="https://gorovian.000webhostapp.com/?exam=t5/identity-standards-blog/all-about-fido2-ctap2-and-webauthn/ba-p/288910" target="_blank" rel="noopener">ask for a FIDO credential</A>. This eliminates a ton of proprietary code, so it is less expensive to maintain for the website, and it is more likely to work in the real world. 
When you couple the breadth of FIDO-compliant solutions in the ecosystem with our other passwordless options, like our authenticator app, there are a <EM>lot</EM> of flexible options.</P> <P>&nbsp;</P> <P>FIDO support for passwordless authentication has made my life easier by reducing vendor lock-in. When working on my Lenovo laptop, I use the built-in fingerprint reader to log in without typing. Since I’m now home all the time, I prefer to use my Apple Mac mini for work. Normally, switching to a different hardware manufacturer would be a big barrier, plus the Mac mini does not have a fingerprint reader! Luckily, I have a roaming authenticator (called a security key) registered with Azure Active Directory (along with my laptop fingerprint). With that security key plugged into my USB port, I can log in passwordlessly on ANY computer that I want. I can move my security key from my Mac mini to a laptop and never type anything.&nbsp;</P> <P>&nbsp;</P> <P>When I travel, my laptop’s built-in authenticator is the most convenient authentication option. At home, I prefer the plugged-in security key. A bunch of awesome FIDO2 vendors offer different form factors. I can pick the vendor and form factor that works best for me. FIDO2 earrings, anyone? This set of authenticators works really well for me but what is best for you and each of your users could be different! Really, that is the crux of why we enable so many options with FIDO2, Windows Hello, and the Authenticator - we want you to go passwordless your way.</P> <P>&nbsp;</P> <P><STRONG>Upcoming passwordless posts</STRONG></P> <P>There is so much more to learn about why passwordless authentication is the future, and about how you can find a passwordless factor (or two) to make your world better. 
My Microsoft identity colleagues are all going to try to outdo this reason with their own takes on why passwordless is so awesome – stay tuned for the next two segments in this series:</P> <P>&nbsp;</P> <UL> <LI><STRONG>Alex Weinert</STRONG> on why biometrics and passwordless are a dream combination</LI> <LI><STRONG>Sue Bohn</STRONG> on how passwordless makes your logins 3x faster</LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MicrosoftTeams-image.png" style="width: 525px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/252086iA52078CF54FF99F9/image-size/large?v=v2&amp;px=999" role="button" title="MicrosoftTeams-image.png" alt="MicrosoftTeams-image.png" /></span></P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank" rel="noopener"><EM>Twitter</EM></A><EM> and </EM><A href="#" target="_blank" rel="noopener"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the </EM><A href="#" target="_blank" rel="noopener"><EM>Azure Feedback Forum</EM></A></LI> </UL> <P>&nbsp;</P> <P><SPAN>Check out the other posts in this series:</SPAN><SPAN>&nbsp;</SPAN></P> <UL> <LI><A href="#" target="_blank" rel="noopener noreferrer">Temporary Access Pass is now in preview</A></LI> <LI><SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/identity-standards-blog/what-s-new-in-passwordless-standards-2021-edition/ba-p/2124136" target="_self">What's New in Passwordless Standards, 2021 edition!</A></SPAN></LI> <LI>10 Reasons to Love Passwordless #1:&nbsp;<A 
href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-1-fido-rocks/ba-p/2111918" target="_blank" rel="noopener">FIDO Rocks</A></LI> <LI>10 Reasons to Love Passwordless #2:&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-2-nist-compliance/ba-p/2115725" target="_blank" rel="noopener">NIST Compliance</A></LI> <LI>10 Reasons to Love Passwordless #3:<SPAN>&nbsp;</SPAN><FONT size="3"><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-3-why-biometrics-and/ba-p/1751769" target="_self">Why biometrics and passwordless are a dream combination</A></FONT></LI> <LI>10 Reasons to Love Passwordless #4:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-4-secure-your-digital-estate/ba-p/2115724" target="_self">Secure your digital estate, while securing your bottom line</A></LI> <LI>10 Reasons to Love Passwordless #5:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-5-the-ease-of-use-and/ba-p/2115717" target="_self">The Ease of Use and Portability of Security Keys</A></LI> <LI>10 Reasons to Love Passwordless #6:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-6-the-passwordless-funnel/ba-p/2144513" target="_self">The Passwordless Funnel</A></LI> <LI>10 Reasons to Love Passwordless #7:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-7-authenticator-app-for-easy/ba-p/1751773" target="_self">Authenticator app for easy phone sign in</A>&nbsp;</LI> <LI>10 Reasons to Love Passwordless #8:<SPAN>&nbsp;</SPAN><A 
href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-8-you-won-t-get-phished/ba-p/2147056" target="_self">You won't get phished!</A></LI> <LI>10 Reasons to Love Passwordless #9:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-9-onboard-without-a-password/ba-p/1751774" target="_self">Onboard without a password</A></LI> <LI>10 Reasons to Love Passwordless #10: <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-10-never-use-a-password/ba-p/2111909" target="_self">Never use a password</A></LI> </UL> Thu, 19 Aug 2021 23:22:38 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-1-fido-rocks/ba-p/2111918 Pamela Dingle 2021-08-19T23:22:38Z 99.99% uptime for Azure Active Directory B2C https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/99-99-uptime-for-azure-active-directory-b2c/ba-p/2147049 <P>With digital engagement for customers and citizens surging over the past year, resilience and security for our Azure Active Directory (Azure AD) B2C customers has been top of mind.</P> <P>&nbsp;</P> <P>I am excited to announce that starting <STRONG>May 25,</STRONG>&nbsp;we will update our public service level agreement (SLA) to promise a 99.99% uptime for Azure AD B2C user authentication, which is an improvement from our previous 99.9% SLA.</P> <P>&nbsp;</P> <P>This builds on our recent announcement of 99.99% uptime for Azure AD user authentication beginning April 1, 2021. 
In alignment with <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/99-99-uptime-for-azure-active-directory/ba-p/1999628" target="_blank">our updates to the Azure AD SLA</A>, we are revising the Azure AD B2C SLA to include only user authentication and federation in the definition of Azure AD B2C SLA availability.</P> <P>&nbsp;</P> <P>Thank you for your ongoing trust and partnership.</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank"><EM>Twitter</EM></A><EM> and </EM><EM><A href="#" target="_blank">LinkedIn</A></EM></LI> <LI><EM style="font-family: inherit;">Share product suggestions on the </EM><A style="font-family: inherit; background-color: #ffffff;" href="#" target="_blank"><EM>Azure Feedback Forum</EM></A></LI> </UL> <P>&nbsp;</P> Wed, 24 Feb 2021 17:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/99-99-uptime-for-azure-active-directory-b2c/ba-p/2147049 nadimabdo 2021-02-24T17:00:00Z How ServiceNow and Azure AD are improving the Employee Experience https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/how-servicenow-and-azure-ad-are-improving-the-employee/ba-p/2115715 <P><EM>Hello!</EM></P> <P><EM>ServiceNow was recently named one of our most used apps for the third year in a row, is a new Microsoft Viva (Employee Experience Platform) launch partner, and has been building deep integrations to benefit our joint customers like new employee onboarding. 
To help you get the most out of ServiceNow with Azure AD and deliver a more seamless experience for your employees, I invited Sasson Jamshidi and Eugene Chuvyrov of ServiceNow to author today’s Voice of the ISV blog. ServiceNow builds solutions to deliver digital workflows and its mission is to make the world of work, work better for people.</EM></P> <P>&nbsp;</P> <H1>Transform your workflows for employee productivity, securely with ServiceNow.</H1> <P><EM>By Sasson Jamshidi &amp; Eugene Chuvyrov, Strategic Technology Alliance Architects at ServiceNow</EM></P> <P>&nbsp;</P> <P>As <A href="#" target="_blank" rel="noopener">the top-ranked app in the Azure AD app gallery</A> by monthly active users for the third year in a row, <A href="#" target="_blank" rel="noopener">ServiceNow</A> and Microsoft have many mutual customers who deploy and use Azure AD with their ServiceNow solutions. Last July, Microsoft shared a <A href="#" target="_blank" rel="noopener">community post</A> summarizing some of the vision for our identity-related integrations. We have since built on that to make lives easier for IT and business users alike, especially to support people during the pandemic. Given Microsoft’s announcement earlier this month of the <A href="#" target="_blank" rel="noopener">new employee experience platform (EXP) with Microsoft Viva</A>, including the <A href="#" target="_blank" rel="noopener">Viva integrations with ServiceNow</A>, this blog post will focus on employee experiences we have created together. 
We'll follow up with a blog post in the coming months on how to best secure and manage your environment with ServiceNow and Azure AD.</P> <P><EM>&nbsp;</EM></P> <P>To get started, check out this <A href="#" target="_blank" rel="noopener">short video</A> overview of the Azure AD and ServiceNow integrations.</P> <P>&nbsp;</P> <H2>Extensibility to enable business processes</H2> <P>To streamline business processes and improve workflows, low-code developers can easily connect to and leverage Azure AD functionality from the ServiceNow IntegrationHub. <A href="#" target="_blank" rel="noopener">IntegrationHub</A> contains an ever-growing set of code libraries, also known as "spokes," that allow for a low-code way to work with users and groups in Azure AD.</P> <P>&nbsp;</P> <P>With ServiceNow and the <A href="#" target="_blank" rel="noopener">Azure AD spoke</A> built on Microsoft Graph, our customers can securely deliver workflows across organizations, silos, and systems. They can create a seamless enterprise system of actions that boosts productivity and enables a great employee and customer experience. This includes automation of Azure AD tasks when user requests occur in ServiceNow, which our customers see as a “single pane of glass” for getting what they need, when they need it. For example, users can interact with a <A href="#" target="_blank" rel="noopener">Virtual Agent chatbot within Microsoft Teams</A> to resolve common employee requests including password resets, Azure AD group assignments or license requests for applications like Office 365. 
Employee lifecycle events, such as enterprise onboarding and offboarding, are also a top use case, and we will dive into that in the next part.</P> <P>&nbsp;</P> <P>Our teams are working together to continuously update and add new workflows, so let us know if you have suggestions for how to make your lives and the lives of your employees easier!</P> <P>&nbsp;</P> <P>Learn more here<EM>:</EM> <A href="#" target="_blank" rel="noopener">Automating common ServiceNow-Microsoft workflows just got easier</A></P> <P>&nbsp;</P> <H2>Streamline workflows to increase IT and HR efficiency with onboarding</H2> <P>The combination of ServiceNow HR Service Delivery and Azure AD can help improve productivity and give customers more time to focus on strategic initiatives. The integration between ServiceNow HR Service Delivery and Azure AD helps manage identity lifecycle events like enterprise onboarding and offboarding and can streamline the employee service experience. For example, onboarding workflows can be launched automatically when a new employee profile is created in Azure AD. When an onboarding case is created in ServiceNow, the hiring manager receives a task to assign business roles for the new hire. Once assigned, IT teams can automatically provision the right set of resources and applications with Azure AD for a great first-day experience.</P> <P>Learn more by watching the Ignite 2020 session starting at 13:35<EM>: </EM><A href="#" target="_blank" rel="noopener">Bridge the gap between HR, IT and business with Azure Active Directory</A> or get started with the <A href="#" target="_blank" rel="noopener">new hire onboarding documentation</A>.</P> <P>&nbsp;</P> <H2>Additional ServiceNow and Microsoft integrations to improve the employee experience</H2> <P>We’re continuing to collaborate with Microsoft to deliver amazing experiences for IT admins and employees that result in productivity gains. 
In December, we shared <A href="#" target="_blank" rel="noopener">new native workflows</A> for managing tickets or tasks from ServiceNow in Microsoft Teams and the initiation of Teams meetings with ticket requesters directly from ServiceNow. Both of these rely on identity with Azure AD. <A href="#" target="_blank" rel="noopener">Recent announcements with Teams</A> are another example of how we’ve been able to deliver experiences that improve incident management and agent collaboration to help drive faster case resolution.</P> <P>&nbsp;</P> <H2>Get Started</H2> <P><EM>The employee experience is critical now, more than ever, so having partners like ServiceNow helping our customers with their digital workflows is an incredible value add that we look forward to improving upon together. </EM></P> <P><EM>&nbsp;</EM></P> <P><EM>To help you get started with integrating ServiceNow with Azure AD, review our </EM><A href="#" target="_blank" rel="noopener"><EM>single-sign-on</EM></A><EM> and </EM><A href="#" target="_blank" rel="noopener"><EM>automated user provisioning</EM></A><EM> documentation. 
You can also visit </EM><A href="#" target="_blank" rel="noopener"><EM>aka.ms/ServiceNow-AzureAD</EM></A><EM> to see all the latest identity and access management resources from Microsoft and ServiceNow, like this </EM><A href="#" target="_blank" rel="noopener"><EM>solution brief</EM></A><EM>.</EM></P> <P>&nbsp;</P> Thu, 19 Aug 2021 23:22:36 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/how-servicenow-and-azure-ad-are-improving-the-employee/ba-p/2115715 Sue Bohn 2021-08-19T23:22:36Z 10 Reasons to Love Passwordless #5 – The ease of use and portability of security keys https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-5-the-ease-of-use-and/ba-p/2115717 <P><SPAN><EM>In this series,&nbsp;Microsoft identity&nbsp;team members share their reasons for loving passwordless authentication (and why you should too!). In this post, Sue Bohn continues the series by sharing another benefit of passwordless.&nbsp;</EM></SPAN></P> <P>&nbsp;</P> <P>I love passwordless because of how much customers benefit from the increased security and convenience that one passwordless option offers in particular—security keys. At Microsoft Ignite 2019, we showcased <A href="#" target="_blank" rel="noopener">Azure Active Directory support for FIDO2 security key</A><SPAN>s</SPAN>. During an Ignite side chat with <A href="#" target="_blank" rel="noopener">Joey Snow</A>, I showed the audience my personalized security key with a bling decal, conveniently attached to my bracelet. 
That makes it easy to grab the key quickly and sign into my personal or work accounts.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture1.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/256805iF45EF5A7382BD8D2/image-size/large?v=v2&amp;px=999" role="button" title="Picture1.jpg" alt="Picture1.jpg" /></span></P> <P>&nbsp;</P> <P>My security key not only provides strong authentication but also works with multiple online services in addition to Azure AD. With security keys, you simply insert the key into your Windows 10 machine (via USB, NFC, or Bluetooth), the key authenticates your identity, and you can start working right away. And it doesn’t require typing upper and lowercase letters, numbers, a special character, and your favorite emoji!! A security key is especially handy when devices are shared or when you cannot bring your phone into your place of work, such as a factory floor or retail store.&nbsp;Security keys are so portable you can even wear them!</P> <P>&nbsp;</P> <P>In the past 18 months, thousands of organizations have been trying the experience. Enterprise customers have been piloting passwordless authentication with their security departments and their executive teams to increase identity protection. For example, Keepmoat Homes wanted to modernize the authentication experience for their employees and make it portable, so they chose Windows Hello for Business and Yubikeys, which they say provided “the most secure form of single sign on and multifactor authentication with a frictionless end user experience.” During the US election last year, we saw security key adoption by campaigns, thinktanks, and other government entities as part of <A href="#" target="_blank" rel="noopener">Microsoft’s Account Guard program</A>. 
Because security keys use FIDO2 standards, they mitigate phishing attacks and offer stronger security for use with digital services.</P> <P>&nbsp;</P> <H2>Top security keys</H2> <P>With a growing number of people interested in using security keys for authentication, our team recognizes the need to create a robust partner ecosystem. This gives our customers more choices in form factors, including biometrics. You can check out the <A href="#" target="_self">Microsoft Compatible Security Key<SPAN> partner list</SPAN></A>, a list of several devices from security key providers that have been tested with Azure Active Directory and Windows 10.</P> <P>&nbsp;</P> <P>A broad ecosystem gives our customers a choice of keys that better fit their needs. Today our customers tell us the key form factors they most often use are USB, NFC, and smartcards. Nearly 40% of the widely used security key models have a fingerprint reader. If you’re not sure which one to select, consider these top 7 security key vendors, based on usage with Azure AD*:</P> <P>&nbsp;</P> <OL> <LI><FONT size="4"><STRONG>Yubico</STRONG></FONT></LI> </OL> <TABLE> <TBODY> <TR> <TD width="312"> <P><STRONG>Yubico’s Yubikey 5 NFC (Near Field Communication) (</STRONG><A href="#" target="_blank" rel="noopener"><STRONG>link</STRONG></A><STRONG>)</STRONG></P> </TD> <TD width="312"> <P><STRONG>Yubico’s Security Key (</STRONG><A href="#" target="_blank" rel="noopener"><STRONG>link</STRONG></A><STRONG>)</STRONG></P> </TD> </TR> <TR> <TD width="312"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kuchinski_1-1614025827597.jpeg" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/256794i830D92C8F9440184/image-size/medium?v=v2&amp;px=400" role="button" title="kuchinski_1-1614025827597.jpeg" alt="kuchinski_1-1614025827597.jpeg" /></span> <P>&nbsp;</P> </TD> <TD width="312"><span class="lia-inline-image-display-wrapper 
lia-image-align-inline" image-alt="kuchinski_2-1614025827628.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/256796i15D9E21AC2C30FAF/image-size/medium?v=v2&amp;px=400" role="button" title="kuchinski_2-1614025827628.png" alt="kuchinski_2-1614025827628.png" /></span> <P>&nbsp;</P> </TD> </TR> </TBODY> </TABLE> <P>If you are a Systems Integrator (SI) interested in building your passwordless practice, register for <A href="#" target="_blank" rel="noopener">Yubico’s System Integrator Pilot Program</A>.</P> <P>&nbsp;</P> <OL start="2"> <LI><STRONG><FONT size="4">Feitian</FONT></STRONG></LI> </OL> <TABLE> <TBODY> <TR> <TD width="312"> <P><STRONG>Feitian BioPass K27 (</STRONG><A href="#" target="_blank" rel="noopener"><STRONG>link</STRONG></A><STRONG>)</STRONG></P> </TD> <TD width="312"> <P><STRONG>Feitian ePass FIDO2 NFC Authenticator (</STRONG><A href="#" target="_blank" rel="noopener"><STRONG>link</STRONG></A><STRONG>)</STRONG></P> </TD> </TR> <TR> <TD width="312"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kuchinski_3-1614025827683.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/256799i8979A8721D2EF634/image-size/medium?v=v2&amp;px=400" role="button" title="kuchinski_3-1614025827683.png" alt="kuchinski_3-1614025827683.png" /></span> <P>&nbsp;</P> </TD> <TD width="312"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kuchinski_4-1614025827694.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/256797iD9FD94C188AB981A/image-size/medium?v=v2&amp;px=400" role="button" title="kuchinski_4-1614025827694.png" alt="kuchinski_4-1614025827694.png" /></span> <P>&nbsp;</P> </TD> </TR> </TBODY> </TABLE> <P>Enterprise customers interested in piloting FIDO2 keys can register for <A href="#" target="_blank" rel="noopener">Feitian’s Pilot Program</A>.</P> 
<P>&nbsp;</P> <OL start="3"> <LI><STRONG><FONT size="4">Ensurity</FONT></STRONG></LI> </OL> <TABLE> <TBODY> <TR> <TD width="623"> <P><STRONG>Ensurity ThincC (</STRONG><A href="#" target="_blank" rel="noopener"><STRONG>link</STRONG></A><STRONG>)</STRONG></P> </TD> </TR> <TR> <TD width="623"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kuchinski_5-1614025827712.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/256798i462B25813C10C10A/image-size/medium?v=v2&amp;px=400" role="button" title="kuchinski_5-1614025827712.png" alt="kuchinski_5-1614025827712.png" /></span> <P>&nbsp;</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>&nbsp;</P> <OL start="4"> <LI><STRONG><FONT size="4">Thales</FONT></STRONG></LI> </OL> <TABLE> <TBODY> <TR> <TD width="623"> <P><STRONG>Thales IDCore FIDO2 Authenticator (</STRONG><A href="#" target="_blank" rel="noopener"><STRONG>link</STRONG></A><STRONG>)</STRONG></P> </TD> </TR> <TR> <TD width="623"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kuchinski_6-1614025827718.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/256800i8CF0C56BD63B9813/image-size/medium?v=v2&amp;px=400" role="button" title="kuchinski_6-1614025827718.png" alt="kuchinski_6-1614025827718.png" /></span> <P>&nbsp;</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>&nbsp;</P> <OL start="5"> <LI><STRONG><FONT size="4">TrustKey (Formerly eWBM)</FONT></STRONG></LI> </OL> <TABLE> <TBODY> <TR> <TD width="623"> <P><STRONG>TrustKey G310 (</STRONG><A href="#" target="_blank" rel="noopener"><STRONG>link</STRONG></A><STRONG>)</STRONG></P> </TD> </TR> <TR> <TD width="623"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kuchinski_7-1614025827750.png" style="width: 400px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/256802i11932595C129CCC1/image-size/medium?v=v2&amp;px=400" role="button" title="kuchinski_7-1614025827750.png" alt="kuchinski_7-1614025827750.png" /></span> <P>&nbsp;</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>&nbsp;</P> <OL start="6"> <LI><FONT size="4"><STRONG>AuthenTrend</STRONG></FONT></LI> </OL> <TABLE width="624"> <TBODY> <TR> <TD width="312"> <P><STRONG>AuthenTrend ATKey.Pro FIDO2 (</STRONG><A href="#" target="_blank" rel="noopener"><STRONG>link</STRONG></A><STRONG>)</STRONG></P> </TD> <TD width="312"> <P><STRONG>AuthenTrend ATKey.Card (</STRONG><A href="#" target="_blank" rel="noopener"><STRONG>link</STRONG></A><STRONG>)</STRONG></P> </TD> </TR> <TR> <TD width="312"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kuchinski_8-1614025827759.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/256801iC9AFB954B3C427F8/image-size/medium?v=v2&amp;px=400" role="button" title="kuchinski_8-1614025827759.png" alt="kuchinski_8-1614025827759.png" /></span> <P>&nbsp;</P> </TD> <TD width="312"> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kuchinski_9-1614025827800.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/256804i910B724804DDB65C/image-size/medium?v=v2&amp;px=400" role="button" title="kuchinski_9-1614025827800.png" alt="kuchinski_9-1614025827800.png" /></span> <P>&nbsp;</P> </TD> </TR> </TBODY> </TABLE> <P>Small business customers interested in piloting AuthenTrend’s FIDO2 key and card can register <A href="#" target="_blank" rel="noopener">here</A>.</P> <P>&nbsp;</P> <OL start="7"> <LI><STRONG><FONT size="4">HID Global</FONT></STRONG></LI> </OL> <TABLE> <TBODY> <TR> <TD width="623"> <P><STRONG>HID Crescendo C2300 (</STRONG><A href="#" target="_blank" 
rel="noopener"><STRONG>link</STRONG></A><STRONG>)</STRONG></P> </TD> </TR> <TR> <TD width="623"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kuchinski_10-1614025827803.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/256803iEB572334499E2496/image-size/medium?v=v2&amp;px=400" role="button" title="kuchinski_10-1614025827803.png" alt="kuchinski_10-1614025827803.png" /></span> <P>&nbsp;</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <H2>Get in touch!</H2> <P>I hope you find this blog useful, and perhaps I inspired you to glam up your own security key! Please get in touch with me (<A href="#" target="_blank" rel="noopener">@Sue_Bohn</A>) and our <A href="#" target="_blank" rel="noopener">Security Key partners</A> if you would like more information about the ease of use and portability of FIDO2 security keys and how they might work in your own organization.</P> <P>&nbsp;</P> <P>Cheers,</P> <P>Sue</P> <P><EM>&nbsp;</EM></P> <P><EM>*Based on security key usage with Azure Active Directory as of Feb 2021. We highlight up to two keys per brand. Microsoft takes privacy seriously. We remove all personal data and organization-identifying data, such as company name, from the data before using it to produce reports. 
We never use customer content such as the content of an email, chat, document, or meeting to produce reports.</EM></P> <P><EM>&nbsp;</EM></P> <P>&nbsp;</P> <P><EM>&nbsp;</EM><SPAN>Check out the other posts in this series:</SPAN><SPAN>&nbsp;</SPAN></P> <UL> <LI><A href="#" target="_blank" rel="noopener noreferrer">Temporary Access Pass is now in preview</A></LI> <LI><SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/identity-standards-blog/what-s-new-in-passwordless-standards-2021-edition/ba-p/2124136" target="_self">What's New in Passwordless Standards, 2021 edition!</A></SPAN></LI> <LI>10 Reasons to Love Passwordless #1:&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-1-fido-rocks/ba-p/2111918" target="_blank" rel="noopener">FIDO Rocks</A></LI> <LI>10 Reasons to Love Passwordless #2:&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-2-nist-compliance/ba-p/2115725" target="_blank" rel="noopener">NIST Compliance</A></LI> <LI>10 Reasons to Love Passwordless #3:<SPAN>&nbsp;</SPAN><FONT size="3"><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-3-why-biometrics-and/ba-p/1751769" target="_self">Why biometrics and passwordless are a dream combination</A></FONT></LI> <LI>10 Reasons to Love Passwordless #4:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-4-secure-your-digital-estate/ba-p/2115724" target="_self">Secure your digital estate, while securing your bottom line</A></LI> <LI>10 Reasons to Love Passwordless #5:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-5-the-ease-of-use-and/ba-p/2115717" target="_self">The Ease of Use and Portability of Security Keys</A></LI> <LI>10 
Reasons to Love Passwordless #6:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-6-the-passwordless-funnel/ba-p/2144513" target="_self">The Passwordless Funnel</A></LI> <LI>10 Reasons to Love Passwordless #7:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-7-authenticator-app-for-easy/ba-p/1751773" target="_self">Authenticator app for easy phone sign in</A>&nbsp;</LI> <LI>10 Reasons to Love Passwordless #8:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-8-you-won-t-get-phished/ba-p/2147056" target="_self">You won't get phished!</A></LI> <LI>10 Reasons to Love Passwordless #9:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-9-onboard-without-a-password/ba-p/1751774" target="_self">Onboard without a password</A></LI> <LI>10 Reasons to Love Passwordless #10: <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-10-never-use-a-password/ba-p/2111909" target="_self">Never use a password</A></LI> </UL> <P><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> Thu, 19 Aug 2021 23:22:34 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-5-the-ease-of-use-and/ba-p/2115717 Sue Bohn 2021-08-19T23:22:34Z February identity updates – GA of Azure AD My Apps user-based collections and more https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/february-identity-updates-ga-of-azure-ad-my-apps-user-based/ba-p/1994719 <P>Howdy folks,</P> <P>&nbsp;</P> <P>I'm excited to share the latest Azure Active Directory news, including feature updates, support deprecation, and new capabilities that will streamline administrator, developer, and user experiences. These updates show our commitment to simplifying identity and access management, while also enhancing the customization and controls you need.</P> <P>&nbsp;</P> <P><STRONG><FONT size="5">Intuitive user experiences</FONT></STRONG><BR /><BR /></P> <UL> <LI><STRONG>GA of user-based collections in Azure AD My Apps </STRONG>– With the general availability of user-based collections in Azure AD <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/help-your-workforce-discover-and-connect-to-all-their-apps-with/ba-p/1144694" target="_blank" rel="noopener">My Apps</A>, users <A href="#" target="_blank" rel="noopener">can now create and manage their own personalized app collections</A> while freeing IT resources and time for other tasks.<BR /><BR />With My Apps <A href="#" target="_blank" rel="noopener">collections</A>, you can create tabs organized by app function, role, or other categories that make it easier to discover and access apps. These collections can also be surfaced in the Office portal, if organizations want to combine broad app launch within their Office productivity hub. 
Following the public preview, this is now available by default in all tenants, and no special URL is required.</LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1.PNG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/254335iFE16EEFF6CCD84D4/image-size/large?v=v2&amp;px=999" role="button" title="1.PNG" alt="1.PNG" /></span></P> <P><EM>User-based collections in Azure AD My Apps, now generally available.</EM></P> <P><EM>&nbsp;</EM></P> <P>&nbsp;</P> <P><STRONG><FONT size="5">Security </FONT></STRONG></P> <P>&nbsp;</P> <UL> <LI><A href="#" target="_self">GA of new risk detections</A> <STRONG>in Azure AD Identity Protection</STRONG> –<SPAN> Three new risk detections—the Microsoft Cloud App Security (MCAS)<EM> New Country, Activity from Anonymous IP Address,</EM> and <EM>Suspicious Inbox Forwarding Rules</EM>—are now generally available.</SPAN><SPAN>&nbsp;These signals are integrated from MCAS to influence both sign-in and user risk in Identity Protection. </SPAN>Customers <SPAN>currently using MCAS don’t need to take any additional steps for these </SPAN><A href="#" target="_blank" rel="noopener">three new risk detections</A><SPAN> to flow into Identity Protection. They can be found in the risky sign-ins blade, the risk detections blade, and the risk history tab of the risky users report.</SPAN><BR /><BR />This integration expands the surface area of our detections with insight into intrasession activity, improves our signal quality, and delivers on our One Microsoft value by leveraging signals across the Microsoft ecosystem. 
<SPAN>There is also a link back to the MCAS UI in the risk details so that admins can investigate further if necessary.</SPAN><SPAN>&nbsp;You can now see all the MCAS detections that Identity Protection has consumed by filtering on “Microsoft Cloud App Security” as the source in either the risky sign-ins or risk detections blades.</SPAN><BR /><BR /></LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MCAS to IDP.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/254337iD1DBA66EA49E7D4C/image-size/large?v=v2&amp;px=999" role="button" title="MCAS to IDP.png" alt="MCAS to IDP.png" /></span></P> <P>&nbsp;<EM style="font-family: inherit;">Alerts in MCAS automatically flow into Azure AD Identity Protection.</EM></P> <P><EM>&nbsp;</EM></P> <P><STRONG><FONT size="5">Reminders</FONT></STRONG><BR /><BR /></P> <UL> <LI><STRONG>Support for unmanaged Azure Active Directory accounts ending in October 2021</STRONG> – We previously shared that Microsoft would no longer support the redemption of invitations using unmanaged Azure Active Directory accounts starting March 31, 2021. Based on your feedback, we are delaying the transition from March 31, 2021 to October 31, 2021. <STRONG>Starting October 31, 2021</STRONG>, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure AD accounts and tenants for B2B collaboration scenarios. 
To prepare for this, you are encouraged to opt into&nbsp;<A href="#" target="_blank" rel="noopener">email one-time passcode authentication</A>, which was <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/collaborate-with-anyone-in-any-organization-with-any-email/ba-p/1751711" target="_blank" rel="noopener">made generally available</A> earlier this year.<BR /><BR /></LI> <LI><STRONG>Deprecation of old Azure AD Connect sync versions</STRONG> – We recently announced that we will no longer support old versions of Azure AD Connect sync (versions published before May 5, 2018 – 1.1.751.0 and older) to ensure customers are using versions with additional security and performance benefits. To minimize service disruption, upgrade to a newer version of Azure AD Connect sync <STRONG>before February 29, 2024</STRONG>. For help with your update, refer to our <A href="#" target="_blank" rel="noopener">migration guide</A>, reach out to our <A href="#" target="_blank" rel="noopener">community experts</A><SPAN>,</SPAN> or open a technical <A href="#" target="_blank" rel="noopener">support request</A>.</LI> </UL> <P>&nbsp;</P> <P>As always, we’d love to hear your feedback or suggestions in the comments or on Twitter (<A href="#" target="_blank" rel="noopener">@AzureAD</A>). 
I also invite you to join me and other Microsoft leaders at <A href="#" target="_blank" rel="noopener"><STRONG>Microsoft Ignite, March 2-4</STRONG>.</A> Registration is free and includes access to sessions covering important topics in our industry, such as the Zero Trust security model, decentralized identities, going passwordless, and more.</P> <P><BR />Alex Simons (<A href="#" target="_blank" rel="noopener">@Alex_A_Simons</A>)</P> <P>Corporate VP of Program Management</P> <P>Microsoft Identity Division</P> <P><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Related Articles: <FONT color="#000000"><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-1-fido-rocks/ba-p/2111918" target="_self">Check out our 10 reasons to love passwordless series</A></FONT></EM></LI> </UL> <P>&nbsp;</P> Fri, 19 Feb 2021 17:36:35 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/february-identity-updates-ga-of-azure-ad-my-apps-user-based/ba-p/1994719 Alex Simons (AZURE) 2021-02-19T17:36:35Z Decentralized digital identities and blockchain: The future as we see it https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/decentralized-digital-identities-and-blockchain-the-future-as-we/ba-p/1994714 <P 
class=""><STRONG>First published on&nbsp;February 12, 2018</STRONG></P> <P class="">&nbsp;</P> <P class="">Howdy folks,</P> <P class="">&nbsp;</P> <P>I hope you’ll find today’s post as interesting as I do. It’s a bit of brain candy and outlines an exciting vision for the future of digital identities.</P> <P>&nbsp;</P> <P>Over the last 12 months we’ve invested in incubating a set of ideas for using Blockchain (and other distributed ledger technologies) to create new types of digital identities, identities designed from the ground up to enhance personal privacy, security and control. We’re pretty excited by what we’ve learned and by the new partnerships we’ve formed in the process. Today we’re taking the opportunity to share our thinking and direction with you. This blog is part of a series and follows on Peggy Johnson’s<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">blog post announcing that Microsoft has joined the ID2020 initiative</A>. If you haven’t already read Peggy’s post, I would recommend reading it first.</P> <P>&nbsp;</P> <P>I’ve asked Ankur Patel, the PM on my team leading these incubations, to kick off our discussion on Decentralized Digital Identities for us. His post focuses on sharing some of the core things we’ve learned and some of the resulting principles we’re using to drive our investments in this area going forward.</P> <P>&nbsp;</P> <P>And as always, we’d love to hear your thoughts and feedback.</P> <P>&nbsp;</P> <P>Best Regards,</P> <P>Alex Simons (Twitter:<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">@Alex_A_Simons</A>)</P> <P>Director of Program Management</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> <P>-----------------------------------------------</P> <P>&nbsp;</P> <P>Greetings everyone, I’m Ankur Patel from Microsoft’s Identity Division. 
It is an awesome privilege to have this opportunity to share some of our learnings and future directions based on our efforts to incubate Blockchain/distributed ledger based Decentralized Identities.</P> <P>&nbsp;</P> <H3>What we see</H3> <P>As many of you experience every day, the world is undergoing a global digital transformation where digital and physical reality are blurring into a single integrated modern way of living. This new world needs a new model for digital identity, one that enhances individual privacy and security across the physical and digital world.</P> <P>&nbsp;</P> <P>Microsoft’s cloud identity systems already empower thousands of developers, organizations and billions of people to work, play, and achieve more. And yet there is so much more we can do to empower everyone. We aspire to a world where the billions of people living today with no reliable ID can finally realize the dreams we all share like educating our children, improving our quality of life, or starting a business.</P> <P>&nbsp;</P> <P>To achieve this vision, we believe it is essential for individuals to own and control all elements of their digital identity. Rather than grant broad consent to countless apps and services, and have their identity data spread across numerous providers, individuals need a secure encrypted digital hub where they can store their identity data and easily control access to it.</P> <P>&nbsp;</P> <P><SPAN><EM>Each of us needs a digital identity we own, one which securely and privately stores all elements of our digital identity.&nbsp; This self-owned identity must be easy to use and give us complete control over how our identity data is accessed and used.</EM></SPAN></P> <P>&nbsp;</P> <P>We know that enabling this kind of self-sovereign digital identity is bigger than any one company or organization. 
We’re committed to working closely with our customers, partners and the community to unlock the next generation of digital identity-based experiences and we’re excited to partner with so many people in the industry who are making incredible contributions to this space.</P> <P>&nbsp;</P> <H3><STRONG>What we’ve learned</STRONG></H3> <P>To that end today we are sharing our best thinking based on what we’ve learned from our decentralized identity incubation, an effort which is aimed at enabling richer experiences, enhancing trust, and reducing friction, while empowering every person to own and control their Digital Identity.</P> <P>&nbsp;</P> <OL> <LI><STRONG>Own and control your Identity.</STRONG><SPAN>&nbsp;</SPAN>Today, users grant broad consent to countless apps and services for collection, use and retention beyond their control. With data breaches and identity theft becoming more sophisticated and frequent, users need a way to take ownership of their identity. After examining decentralized storage systems, consensus protocols, blockchains, and a variety of emerging standards we believe blockchain technology and protocols are well suited for enabling Decentralized IDs (DID).</LI> <LI><STRONG>Privacy by design, built in from the ground up.</STRONG><SPAN><BR /></SPAN>Today, apps, services, and organizations deliver convenient, predictable, tailored experiences that depend on control of identity-bound data. We need a secure encrypted digital hub (ID Hubs) that can interact with user’s data while honoring user privacy and control.</LI> <LI><STRONG>Trust is earned by individuals, built by the community.</STRONG><SPAN><BR /></SPAN>Traditional identity systems are mostly geared toward authentication and access management. A self-owned identity system adds a focus on authenticity and how community can establish trust. 
In a decentralized system trust is based on attestations: claims that other entities endorse – which helps prove facets of one’s identity.</LI> <LI><SPAN><STRONG>Apps and services built with the user at the center.</STRONG><BR /></SPAN>Some of the most engaging apps and services today are ones that offer experiences personalized for their users by gaining access to their user’s Personally Identifiable Information (PII). DIDs and ID Hubs can enable developers to gain access to a more precise set of attestations while reducing legal and compliance risks by processing such information, instead of controlling it on behalf of the user.</LI> <LI><SPAN><STRONG>Open, interoperable foundation.</STRONG><BR /></SPAN>To create a robust decentralized identity ecosystem that is accessible to all, it must be built on standard, open source technologies, protocols, and reference implementations. For the past year we have been participating in the<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">Decentralized Identity Foundation (DIF)</A><SPAN>&nbsp;</SPAN>with individuals and organizations who are similarly motivated to take on this challenge. 
We are collaboratively developing the following key components<SPAN>:<BR /></SPAN></LI> </OL> <UL> <LI><A href="#" target="_blank" rel="noopener"><SPAN>Decentralized Identifiers</SPAN></A><SPAN>&nbsp;(DIDs) –&nbsp;</SPAN>a W3C spec that defines a common document format for describing the state of a Decentralized Identifier<SPAN><BR /></SPAN></LI> <LI><A href="#" target="_blank" rel="noopener"><SPAN>Identity Hubs</SPAN></A><SPAN>&nbsp;–&nbsp;</SPAN>an encrypted identity datastore that features message/intent relay, attestation handling, and identity-specific compute endpoints.&nbsp;<SPAN><BR /></SPAN></LI> <LI><A href="#" target="_blank" rel="noopener"><SPAN>Universal DID Resolver</SPAN></A><SPAN>&nbsp;–&nbsp;</SPAN>a server that resolves DIDs across blockchains&nbsp;<SPAN><BR /></SPAN></LI> <LI><A href="#" target="_blank" rel="noopener"><SPAN>Verifiable Credentials</SPAN></A><SPAN>&nbsp;–&nbsp;</SPAN>a W3C spec that defines a document format for encoding DID-based attestations.&nbsp;&nbsp;&nbsp;<SPAN><BR /></SPAN></LI> </UL> <OL start="6"> <LI><SPAN><STRONG>Ready for world scale:</STRONG><BR /></SPAN>To support a vast world of users, organizations, and devices, the underlying technology must be capable of scale and performance on par with traditional systems. Some public blockchains (Bitcoin [BTC], Ethereum, Litecoin, to name a select few) provide a solid foundation for rooting DIDs, recording DPKI operations, and anchoring attestations. While some blockchain communities have increased on-chain transaction capacity (e.g. blocksize increases), this approach generally degrades the decentralized state of the network and cannot reach the millions of transactions per second the system would generate at world-scale. 
To overcome these technical barriers, we are collaborating on decentralized Layer 2 protocols that run atop these public blockchains to achieve global scale, while preserving the attributes of a world-class DID system.<SPAN><BR /></SPAN></LI> <LI><SPAN><STRONG>Accessible to everyone:</STRONG><BR /></SPAN>The blockchain ecosystem today is still mostly early adopters who are willing to spend time, effort, and energy managing keys and securing devices. This is not something we can expect mainstream people to deal with. We need to make key management challenges, such as recovery, rotation, and secure access, intuitive and fool-proof.<SPAN><BR /></SPAN></LI> </OL> <P>&nbsp;</P> <H3><STRONG>Our next steps</STRONG></H3> <P>New systems and big ideas often make sense on a whiteboard. All the lines connect, and assumptions seem solid. However, product and engineering teams learn the most by shipping.</P> <P>Today, the Microsoft Authenticator app is already used by millions of people to prove their identity every day. As a next step we will experiment with Decentralized Identities by adding support for them into Microsoft Authenticator. With consent, Microsoft Authenticator will be able to act as your User Agent to manage identity data and cryptographic keys. In this design, only the ID is rooted on chain. Identity data is stored in an off-chain ID Hub (that Microsoft can’t see) encrypted using these cryptographic keys.</P> <P>&nbsp;</P> <P>Once we have added this capability, apps and services will be able to interact with users’ data using a common messaging conduit by requesting granular consent. Initially we will support a select group of DID implementations across blockchains and we will likely add more in the future.</P> <P>&nbsp;</P> <H3><STRONG>Looking ahead</STRONG></H3> <P>We are humbled and excited to take on such a massive challenge, but also know it can’t be accomplished alone. 
We are counting on the support and input of our alliance partners, members of the Decentralized Identity Foundation, and the diverse Microsoft ecosystem of designers, policy makers, business partners, hardware and software builders. Most importantly, we will need you, our customers, to provide feedback as we start testing this first set of scenarios.</P> <P>This is our first post about our work on Decentralized Identity. In upcoming posts we will share information about our proofs of concept as well as technical details for the key areas outlined above.</P> <P>We look forward to you joining us on this venture!</P> <P>&nbsp;</P> <P><SPAN>Key resources:<BR /></SPAN></P> <UL> <LI><SPAN>Follow us at&nbsp;<A href="#" target="_blank" rel="noopener">@AzureAD</A>&nbsp;on Twitter<BR /></SPAN></LI> <LI><SPAN>Get involved with&nbsp;<A href="#" target="_blank" rel="noopener">Decentralized Identity Foundation</A>&nbsp;(DIF)<BR /></SPAN></LI> <LI><SPAN>Participate in&nbsp;<A href="#" target="_blank" rel="noopener">W3C Credentials Community Group</A><BR /></SPAN></LI> </UL> <P>&nbsp;</P> <P>Regards,</P> <P>Ankur Patel<SPAN>&nbsp;</SPAN>(<A href="#" target="_blank" rel="noopener">@_AnkurPatel</A>)</P> <P>Principal Program Manager</P> <P>Microsoft Identity Division</P> Thu, 19 Aug 2021 23:22:33 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/decentralized-digital-identities-and-blockchain-the-future-as-we/ba-p/1994714 Alex Simons (AZURE) 2021-08-19T23:22:33Z 10 Reasons to Love Passwordless #4: Secure your digital estate, while securing your bottom line https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-4-secure-your-digital-estate/ba-p/2115724 <P><EM>In this series, Microsoft identity team members share their reasons for loving passwordless authentication (and why you should too!). 
Today, Sue Bohn continues the series.</EM>&nbsp;</P> <P>&nbsp;</P> <P>Hello,</P> <P>&nbsp;</P> <P>Today, I'm sharing with you my second reason to love passwordless authentication. Last time, I shared how passwordless authentication meets security assurance guidelines using crypto keys, to give you more peace of mind. This week, I’m going to talk about the real cost of passwords on productivity and how this solution addresses it.</P> <P>&nbsp;</P> <P>A <A href="#" target="_self">study</A> by one of our passwordless partners found that the average user spends more than 12 minutes each day entering or resetting passwords—that’s almost an hour every month! Multiplying that hourly loss across an organization with 15,000 members results in more than 160,000 hours of lost productivity and thousands of support calls, all due to managing passwords.&nbsp;</P> <P>&nbsp;</P> <P>Going passwordless can seem daunting, so we’ve created a powerful tool to help you get started. The <A href="#" target="_self">passwordless wizard</A> within the Microsoft 365 admin portal helps organizations determine which devices and passwordless methods fit their organization and existing infrastructure. If you’re looking for the easiest place to start with your passwordless deployment, Windows Hello for Business is baked right into Windows and requires no extra hardware.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="1.PNG" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/254102i5B970DCDB002EB9F/image-size/large?v=v2&amp;px=999" role="button" title="1.PNG" alt="1.PNG" /></span></P> <P>&nbsp;</P> <P>If your employees have PCs with biometric hardware (think fingerprint scanners, Intel RealSense or other 3D cameras), this is our premier Windows Hello for Business experience. 
Using biometrics, employees can log in to their PCs and enjoy single sign-on to their local and cloud-based resources, all without ever entering a password. Windows Hello logs you in <A href="#" target="_blank" rel="noopener">3x faster</A> than a password. Those who don’t have biometrics can still take advantage of these features through the use of a PIN.</P> <P>&nbsp;</P> <P>“But Sue, isn’t a PIN <EM>worse</EM> than a password?” If a user’s password is compromised, that password can be used anywhere in your digital estate where that person has access. When someone sets up a PIN within Windows Hello for Business, that PIN is tied to their specific device and can’t be used to gain access anywhere else. Once they log in with their PIN, users get the same single sign-on experience without ever having to deal with a password.</P> <P>&nbsp;</P> <P>Going passwordless means typing a password suddenly becomes very strange for your users, which can make it easier for them to recognize phishing attempts, too. If a password isn’t ever entered into a device from provisioning on day one, it makes it that much harder for a malicious actor to capture a user’s password. Add this to 160,000 hours of productivity and a sizable reduction in password-related help desk calls, all using what's already built-in to Windows 10. 
This might just be the easiest decision you have to make today.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>Check out the other posts in this series:</SPAN><SPAN>&nbsp;</SPAN></P> <UL> <LI><A href="#" target="_blank" rel="noopener noreferrer">Temporary Access Pass is now in preview</A></LI> <LI><SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/identity-standards-blog/what-s-new-in-passwordless-standards-2021-edition/ba-p/2124136" target="_self">What's New in Passwordless Standards, 2021 edition!</A></SPAN></LI> <LI>10 Reasons to Love Passwordless #1:&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-1-fido-rocks/ba-p/2111918" target="_blank" rel="noopener">FIDO Rocks</A></LI> <LI>10 Reasons to Love Passwordless #2:&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-2-nist-compliance/ba-p/2115725" target="_blank" rel="noopener">NIST Compliance</A></LI> <LI>10 Reasons to Love Passwordless #3:<SPAN>&nbsp;</SPAN><FONT size="3"><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-3-why-biometrics-and/ba-p/1751769" target="_self">Why biometrics and passwordless are a dream combination</A></FONT></LI> <LI>10 Reasons to Love Passwordless #4:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-4-secure-your-digital-estate/ba-p/2115724" target="_self">Secure your digital estate, while securing your bottom line</A></LI> <LI>10 Reasons to Love Passwordless #5:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-5-the-ease-of-use-and/ba-p/2115717" target="_self">The Ease of Use and Portability of Security Keys</A></LI> <LI>10 Reasons to Love Passwordless #6:<SPAN>&nbsp;</SPAN><A 
href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-6-the-passwordless-funnel/ba-p/2144513" target="_self">The Passwordless Funnel</A></LI> <LI>10 Reasons to Love Passwordless #7:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-7-authenticator-app-for-easy/ba-p/1751773" target="_self">Authenticator app for easy phone sign in</A>&nbsp;</LI> <LI>10 Reasons to Love Passwordless #8:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-8-you-won-t-get-phished/ba-p/2147056" target="_self">You won't get phished!</A></LI> <LI>10 Reasons to Love Passwordless #9:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-9-onboard-without-a-password/ba-p/1751774" target="_self">Onboard without a password</A></LI> <LI>10 Reasons to Love Passwordless #10: <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-10-never-use-a-password/ba-p/2111909" target="_self">Never use a password</A></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank" rel="noopener"><EM>Twitter</EM></A><EM> and </EM><A href="#" target="_blank" rel="noopener"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the </EM><A href="#" target="_blank" rel="noopener"><EM>Azure Feedback Forum</EM></A></LI> </UL> <P>&nbsp;</P> Thu, 19 Aug 2021 23:22:31 GMT 
https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-4-secure-your-digital-estate/ba-p/2115724 Sue Bohn 2021-08-19T23:22:31Z 10 Reasons to Love Passwordless #3: Why biometrics and passwordless are a dream combination https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-3-why-biometrics-and/ba-p/1751769 <P><EM>The Microsoft identity team recently launched a series explaining why they love passwordless authentication (and why you should too!). The series kicked off with posts on FIDO and NIST compliance. Alex Weinert continues the series with this post speaking to biometric authentication.</EM>&nbsp;</P> <P>&nbsp;</P> <P>My turn! Pam and Sue are tough acts to follow, but here goes! I love passwordless for so many reasons (<A href="#" target="_blank" rel="noopener">I really dislike passwords</A>) – but one of the top things I love about passwordless is that we can use biometrics to make authentication so much easier and more secure. Rather than having to memorize a password (you can’t) or security answers (quick! What was your 6<SUP>th</SUP> grade teacher’s best friend’s pet’s maiden name when you had your first crush?), you can use what’s always with you – <EM>you</EM>! Biometrics let you use your face, fingerprint, or even heartbeat on some devices.</P> <P>&nbsp;</P> <P>Biometrics also provide terrific accessibility benefits, making it possible to sign in when typing in a password is not viable. It is really exciting to think about the technology in use by people or in situations where secure digital identity was previously out of reach. With biometrics, once a device is “bound”, almost any gesture can be used to authenticate. 
Think about the implications for folks who interact with technology in non-conventional ways, or whose job requirements make manual interactions impossible (e.g. a surgeon after scrubbing in) – with NFC and FIDO2, a tap of the token can sign you in securely.</P> <P>There can be <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/biometrics-keep-your-fingers-close/ba-p/1276934" target="_blank" rel="noopener">challenges with centrally managed biometrics</A>, but properly implemented solutions like FIDO2, Windows Hello, and the Microsoft Authenticator use the biometrics as a way to access a locally stored cryptographic secret. The templates are used only to access cryptographic operations by the secure hardware (e.g. TPM). This hardware uses the template to protect operations such as creating keypairs, releasing public keys, or signing messages with the private key. This approach is super secure, inherently multifactor, and defeats many conventional <A href="#" target="_blank" rel="noopener">attacks on MFA</A>. And because you’re thinking it, most biometric systems are implemented with liveness detection to validate any biometrics presented, so just a picture wouldn’t work.</P> <P>&nbsp;</P> <P>In a typical deployment of FIDO2 and Windows Hello, a person swipes their finger, says a phrase, or looks at a camera on their device to enroll that device for authentication. Behind the scenes, the biometric data is used as an initial factor to generate a cryptographic keypair (private and public) in the hardware on that device. 
The private key will be used by the hardware to sign subsequent authentication requests only when the same biometric template that was used to generate it is provided again.&nbsp;</P> <P>&nbsp;</P> <P>Even if a hacker were to try to spoof my fingerprint (or face, or try to do my super-secret disco moves) with the goal of tricking the system into thinking it's me, they’d have to steal the device where the keypair resides first. &nbsp;That alone is costly, time-consuming, and rare – and even then, they’d have access only from that device, and I could quickly revoke trust in that device.</P> <P>&nbsp;</P> <P>So there you have it – I love passwordless because swiping my finger, tapping my watch or grinning goofily at my PC’s camera is easier, more secure and more FUN than remembering what the darn password I used on that service, this time was. (True confessions time – I scrambled my Microsoft account and work passwords over a year ago – I am a dyed in the wool, full-time, passwordless-only authentication addict!)</P> <P>&nbsp;</P> <P>Stay tuned for more in the series! 
We’ll share how passwordless credentials can protect you from top attacks and we’ll dive into different types of credentials that use biometrics, NFC, and USB to verify explicitly.</P> <P>&nbsp;</P> 
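<P>As an added example (not code from this post, Windows Hello or FIDO2), the following Go program models the enrollment and sign-in flow described above: the biometric only unlocks a device-bound private key, the relying party holds nothing but the public key and issues a fresh challenge, and revoking trust in a device means deleting its public key. The <code>Device</code> and <code>RelyingParty</code> types, the constructed template strings, and the SHA-256 comparison standing in for a real biometric matcher are all assumptions of this model.</P>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Device stands in for the secure hardware (TPM-style) holding a device-bound
// private key. The enrolled biometric is a constructed byte string compared by
// SHA-256 hash; a real matcher and template do not look like this.
type Device struct {
	ID           string
	templateHash [32]byte
	priv         *ecdsa.PrivateKey // never leaves the device
}

var ErrBiometricMismatch = errors.New("biometric did not unlock the device key")

// Enroll models enrollment: the gesture triggers key generation inside the
// hardware, and only the public key is handed to the relying party.
func Enroll(id string, template []byte) (*Device, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{ID: id, templateHash: sha256.Sum256(template), priv: priv}, &priv.PublicKey, nil
}

// Sign releases a signature over the challenge only when the presented biometric
// matches the enrolled one: the biometric gates the key, it is not the credential.
func (d *Device) Sign(template, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(template)
	if subtle.ConstantTimeCompare(h[:], d.templateHash[:]) != 1 {
		return nil, ErrBiometricMismatch
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// RelyingParty stores only public keys per device ID: nothing to phish or crack.
type RelyingParty struct{ keys map[string]*ecdsa.PublicKey }

func (rp *RelyingParty) Register(id string, pub *ecdsa.PublicKey) { rp.keys[id] = pub }

// Revoke is the "quickly revoke trust in that device" step: drop the public key.
func (rp *RelyingParty) Revoke(id string) { delete(rp.keys, id) }

// Verify accepts a sign-in only if the signature over the fresh challenge came
// from the key registered for that device ID.
func (rp *RelyingParty) Verify(id string, challenge, sig []byte) bool {
	pub, ok := rp.keys[id]
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Scenario runs the cases from the post against one relying party and reports:
// legitOK (matching biometric on the enrolled device), spoofRejected (wrong
// biometric refused locally), stolenTemplateOK (template reused on another,
// unregistered device; expect false) and afterRevokeOK (expect false).
func Scenario() (legitOK, spoofRejected, stolenTemplateOK, afterRevokeOK bool, err error) {
	alice := []byte("alice-fingerprint-template") // constructed sample template
	rp := &RelyingParty{keys: map[string]*ecdsa.PublicKey{}}
	dev, pub, err := Enroll("alice-laptop", alice)
	if err != nil {
		return
	}
	rp.Register(dev.ID, pub)
	ch := make([]byte, 32) // fresh random challenge, so a captured signature cannot be replayed
	if _, err = rand.Read(ch); err != nil {
		return
	}
	sig, err := dev.Sign(alice, ch)
	if err != nil {
		return
	}
	legitOK = rp.Verify(dev.ID, ch, sig)
	_, spoofErr := dev.Sign([]byte("spoofed-template"), ch)
	spoofRejected = errors.Is(spoofErr, ErrBiometricMismatch)
	// Attacker knows the template but not the device: their own key is unregistered.
	thief, _, err := Enroll("thief-device", alice)
	if err != nil {
		return
	}
	thiefSig, err := thief.Sign(alice, ch)
	if err != nil {
		return
	}
	stolenTemplateOK = rp.Verify(dev.ID, ch, thiefSig)
	rp.Revoke(dev.ID)
	afterRevokeOK = rp.Verify(dev.ID, ch, sig)
	return
}
```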
<P>&nbsp;</P> Thu, 19 Aug 2021 23:22:29 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-3-why-biometrics-and/ba-p/1751769 Alex Weinert 2021-08-19T23:22:29Z 10 Reasons to Love Passwordless #2: NIST Compliance https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-2-nist-compliance/ba-p/2115725 <P>Hello,</P> <P>&nbsp;</P> <P>This is the second post in the “Ten Reasons to Love Passwordless” blog series. Last time, we talked about the flexibility and multi-platform <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-1-fido-rocks/ba-p/2111918" target="_blank" rel="noopener">benefits of FIDO2</A> open-standards-based technology. The second reason to love passwordless is that it brings the highest levels of security to your organization. Passwordless multifactor authentication (MFA) eliminates the need to memorize passwords and as such makes it 99.9% harder to compromise an account. Using built-in crypto keys in your software or hardware from passwordless solutions, you get the security assurance that meets the highest standards. Helping our customers achieve these MFA goals is music to my ears!</P> <P>&nbsp;</P> <P><STRONG><FONT size="5">Security assurance with NIST (800-63)</FONT></STRONG></P> <P>Let’s start with the National Institute of Standards and Technology (NIST), which develops the technical requirements for US federal agencies implementing identity solutions. <A href="#" target="_blank" rel="noopener">NIST’s 800-63 Digital Identity Guidelines Authentication Assurance Levels</A> (AAL) is a mature framework used by federal agencies, organizations working with federal agencies, healthcare, defense, finance, and other industry associations around the world as a baseline for a more secure identity and access management (IAM) approach. How do passwordless and multifactor authentication align with NIST’s requirements? And how can the required AALs be met?</P> <P>&nbsp;</P> <P>Before diving into the details, let us align some terminology:</P> <UL> <LI><STRONG>Authentication</STRONG> - The process of verifying the identity of a subject.</LI> <LI><STRONG>Authentication factor</STRONG> - Something you know, something you have, or something you are: every authenticator has one or more authentication factors.</LI> <LI><STRONG>Authenticator</STRONG> - Something the subject possesses and controls that is used to authenticate the subject’s identity.</LI> </UL> <P>&nbsp;</P> <P aria-level="2"><STRONG><FONT size="5">Multifactor Authentication</FONT></STRONG></P> <P>Multifactor authentication can be achieved by either a multifactor authenticator or by a combination of multiple single-factor authenticators. A multifactor authenticator requires two authentication factors to execute a single authentication transaction.</P> <P>&nbsp;</P> <P aria-level="4"><STRONG><FONT size="4"><I>Multifactor authentication using two single-factor authenticators</I></FONT></STRONG></P> <P>The illustration below shows how multifactor authentication can be performed using a memorized secret (something you know) authenticator along with an out-of-band (something you have) authenticator. The user performs two independent authentication transactions with Azure AD.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="4.png" style="width: 516px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/252824i987D8842DFBAC9C2/image-size/large?v=v2&amp;px=999" role="button" title="4.png" alt="4.png" /></span></P> <P>&nbsp;</P> <P aria-level="4"><STRONG><FONT size="4"><I>Multifactor authentication using a single multifactor authenticator</I></FONT></STRONG></P> <P><SPAN data-contrast="auto">The illustration below shows how multifactor authentication is performed using a single multifactor cryptographic authenticator requiring one authentication factor (something you know or something you are) to unlock a second authentication factor (something you have). 
The user&nbsp;</SPAN><SPAN data-contrast="auto">uses&nbsp;</SPAN><SPAN data-contrast="auto">a single authentication transaction with Azure AD.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:360,&quot;335559739&quot;:60,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:360,&quot;335559739&quot;:60,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:360,&quot;335559739&quot;:60,&quot;335559740&quot;:240}"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="5.png" style="width: 598px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/252825iEA4236D0786B2DB4/image-size/large?v=v2&amp;px=999" role="button" title="5.png" alt="5.png" /></span></SPAN></P> <P>&nbsp;</P> <P aria-level="2"><FONT size="5"><STRONG>Microsoft&nbsp;Passwordless&nbsp;Authenticators mapped to NIST&nbsp;800-63&nbsp;AALs&nbsp;</STRONG></FONT></P> <P><SPAN data-contrast="auto">Microsoft&nbsp;passwordless&nbsp;authenticators allow multifactor authentication using a single authenticator and eliminate the dependency on memorized secret (password) authenticator and the associated password attacks (see&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984" target="_blank" rel="noopener"><SPAN data-contrast="none">Your Pa$$word doesn’t matter</SPAN></A><SPAN data-contrast="auto">).&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:360,&quot;335559739&quot;:60,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P>&nbsp;</P> <TABLE data-tablestyle="MsoTableGrid" data-tablelook="1184"> <TBODY> <TR> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Authentication method</SPAN><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:60,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">NIST Authenticator type</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:60,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">AAL</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:60,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> <TR> <TD data-celllook="0"> <P><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Windows Hello for Business</SPAN></A><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:60,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Multi-factor cryptographic hardware (with TPM)</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:60,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Multi-factor cryptographic software (without TPM)</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:60,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">AAL3</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:60,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">AAL2</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:60,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> <TR> <TD data-celllook="0"> <P><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Microsoft Authenticator app</SPAN></A><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:60,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Multi-factor cryptographic hardware (Android)</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:60,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Multi-factor cryptographic software (iOS)</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:60,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">AAL2</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:60,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">AAL2</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:60,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> <TR> <TD data-celllook="0"> <P><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">FIDO2 security keys</SPAN></A><SPAN data-contrast="none">*</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:60,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Multi-factor cryptographic hardware</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:60,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">AAL3</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:60,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> </TBODY> </TABLE> <P><I><SPAN data-contrast="auto">*FIDO2 Security Key partners such as&nbsp;Feitian, Thales (formerly Gemalto),&nbsp;TrustKey&nbsp;(formerly&nbsp;eWBM), and&nbsp;Yubico, are in the process of certifying their FIDO2 security keys with FIPS 
140.</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:360,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:360,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Federal agencies, organizations working with federal agencies and organizations in regulated industries seeking Federal Information Processing Standards 140 (FIPS 140) verification are advise</SPAN><SPAN data-contrast="auto">d</SPAN><SPAN data-contrast="auto">&nbsp;to reference&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Achieving National Institute of Standards and Technology Authenticator Assurance Levels with the Microsoft Identity Platform</SPAN></A><SPAN data-contrast="auto">&nbsp;and conduct risk assessment and evaluation before accepting these authenticators as AAL2/3.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:360,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:360,&quot;335559739&quot;:60,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Check out the other posts in this series:</SPAN><SPAN>&nbsp;</SPAN></P> <UL> <LI><A href="#" target="_blank" rel="noopener noreferrer">Temporary Access Pass is now in preview</A></LI> <LI><SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/identity-standards-blog/what-s-new-in-passwordless-standards-2021-edition/ba-p/2124136" target="_self">What's New in Passwordless Standards, 2021 edition!</A></SPAN></LI> <LI>10 Reasons to Love Passwordless #1:&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-1-fido-rocks/ba-p/2111918" target="_blank" rel="noopener">FIDO Rocks</A></LI> <LI>10 Reasons to Love Passwordless #2:&nbsp;<A 
href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-2-nist-compliance/ba-p/2115725" target="_blank" rel="noopener">NIST Compliance</A></LI> <LI>10 Reasons to Love Passwordless #3:<SPAN>&nbsp;</SPAN><FONT size="3"><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-3-why-biometrics-and/ba-p/1751769" target="_self">Why biometrics and passwordless are a dream combination</A></FONT></LI> <LI>10 Reasons to Love Passwordless #4:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-4-secure-your-digital-estate/ba-p/2115724" target="_self">Secure your digital estate, while securing your bottom line</A></LI> <LI>10 Reasons to Love Passwordless #5:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-5-the-ease-of-use-and/ba-p/2115717" target="_self">The Ease of Use and Portability of Security Keys</A></LI> <LI>10 Reasons to Love Passwordless #6:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-6-the-passwordless-funnel/ba-p/2144513" target="_self">The Passwordless Funnel</A></LI> <LI>10 Reasons to Love Passwordless #7:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-7-authenticator-app-for-easy/ba-p/1751773" target="_self">Authenticator app for easy phone sign in</A>&nbsp;</LI> <LI>10 Reasons to Love Passwordless #8:<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-8-you-won-t-get-phished/ba-p/2147056" target="_self">You won't get phished!</A></LI> <LI>10 Reasons to Love Passwordless #9:<SPAN>&nbsp;</SPAN><A 
href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-9-onboard-without-a-password/ba-p/1751774" target="_self">Onboard without a password</A></LI> <LI>10 Reasons to Love Passwordless #10: <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-10-never-use-a-password/ba-p/2111909" target="_self">Never use a password</A></LI> </UL> <P>&nbsp;</P> <P><I><SPAN data-contrast="auto">Learn more about Microsoft identity:</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:360,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="14" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><I><SPAN data-contrast="auto">Return to the&nbsp;</SPAN></I><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><I><SPAN data-contrast="none">Azure Active Directory Identity blog home</SPAN></I></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="14" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><I><SPAN data-contrast="auto">Join the conversation on&nbsp;</SPAN></I><A href="#" target="_blank" rel="noopener"><I><SPAN data-contrast="none">Twitter</SPAN></I></A><I><SPAN data-contrast="auto">&nbsp;and&nbsp;</SPAN></I><A href="#" target="_blank" rel="noopener"><I><SPAN data-contrast="none">LinkedIn</SPAN></I></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="14" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><I><SPAN data-contrast="auto">Share product 
suggestions on the&nbsp;</SPAN></I><A href="#" target="_blank" rel="noopener"><I><SPAN data-contrast="none">Azure Feedback Forum</SPAN></I></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> </UL> Thu, 19 Aug 2021 23:22:27 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/10-reasons-to-love-passwordless-2-nist-compliance/ba-p/2115725 Sue Bohn 2021-08-19T23:22:27Z Securely manage and autofill passwords across all your mobile devices with Microsoft Authenticator https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/securely-manage-and-autofill-passwords-across-all-your-mobile/ba-p/1994720 <P>Howdy folks,</P> <P>&nbsp;</P> <P><SPAN>Today we are announcing the general availability of password management and autofill capability in the </SPAN><A href="#" target="_blank" rel="noopener">Microsoft Authenticator app</A><SPAN>. Ever since we </SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/securely-manage-and-autofill-passwords-across-all-your-mobile/ba-p/1751710" target="_blank" rel="noopener">announced the public preview</A><SPAN>, we’ve seen a lot of interest among both enterprises and individual users. Users love the convenience of the Authenticator app syncing and autofilling </SPAN><SPAN>their strong passwords for all their identities even as they move across devices - mobile or desktop. On desktops, you can autofill these passwords using either Microsoft Edge or Google Chrome </SPAN><A href="#" target="_blank" rel="noopener">extension</A><SPAN>.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>The passwords are saved as part of&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN>your </SPAN><U>personal Microsoft account</U></A><SPAN> and they are encrypted both on the device as well as in the cloud. 
In addition, every password autofill from the Authenticator requires the same bio-gesture you provide for sign-ins, enforcing multi-factor authentication.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>Since the public preview, we have made a few additional changes to this feature:</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <UL> <LI><SPAN><STRONG>Enable autofill even when a work account is added to the Authenticator</STRONG></SPAN><SPAN> - During the preview, the autofill feature was disabled if a work account was configured in the Authenticator app. Based on your feedback, we have now enabled this </SPAN><A href="#" target="_blank" rel="noopener">Microsoft account</A><SPAN>-based capability for your users even when they have a work account in the Authenticator app. Enterprises can request this feature to be disabled on Authenticator apps that have work or school accounts added.</SPAN></LI> <LI><SPAN><STRONG>Password import </STRONG></SPAN><SPAN>– We also saw a lot of interest in importing existing passwords from your other password solutions. We have added support for importing passwords from Google Chrome and select password managers.</SPAN></LI> </UL> <P><SPAN>&nbsp;</SPAN></P> <P>Autofill is rolling out in the Authenticator app on iOS (iOS 12.0+) and Android (Android 6.0+). 
To learn more about the autofill feature, visit our <A href="#" target="_blank" rel="noopener">FAQs page</A>.</P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture2.gif" style="width: 472px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/252549i1542306EF5A28C05/image-size/large?v=v2&amp;px=999" role="button" title="Picture2.gif" alt="Picture2.gif" /></span></P> <P>&nbsp;</P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>As always, we’d love to hear from you.&nbsp;</SPAN><SPAN>Please let us know what you think in the comments below or on the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN>Azure AD feedback forum</SPAN></A><SPAN>.</SPAN><SPAN>&nbsp;</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P>Best regards,</P> <P>Alex Simons (<A href="#" target="_blank" rel="noopener">@Alex_A_Simons</A>)</P> <P>Corporate VP of Program Management</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> Thu, 19 Aug 2021 23:22:25 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/securely-manage-and-autofill-passwords-across-all-your-mobile/ba-p/1994720 Alex Simons (AZURE) 2021-08-19T23:22:25Z Strengthen your hybrid identity with these new Azure AD Connect releases https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/strengthen-your-hybrid-identity-with-these-new-azure-ad-connect/ba-p/1994721 <P>Howdy folks,</P> <P>&nbsp;</P> <P>We continue to hear from you that hybrid identity is as important as ever, even as more apps move to the cloud. In Azure AD, our key hybrid identity tool is <A href="#" target="_blank" rel="noopener">Azure AD Connect</A>. This comes in two flavors based on your use case needs: Azure AD Connect sync which lives on-premises, and Azure AD Connect <A href="#" target="_blank" rel="noopener">cloud sync</A> which is powered by the cloud. 
We are constantly improving these capabilities based on your feedback, to make them easier to deploy and configure while also improving security, scale and throughput.&nbsp;</P> <P>&nbsp;</P> <P>Today we're announcing that Azure AD Connect cloud sync is generally available! This was formerly known as Azure AD Connect cloud provisioning during its preview. We have also made significant updates to our classic Azure AD Connect sync tool with improved scale and performance.</P> <P><STRONG>&nbsp;</STRONG></P> <P>&nbsp;</P> <P><STRONG>Azure AD Connect cloud sync general availability</STRONG></P> <P>&nbsp;</P> <P>Azure AD Connect cloud sync is the future of our hybrid identity sync capabilities. It moves all the heavy lifting of the transform logic to the cloud. It also reduces the on-premises footprint with lightweight agents that can be distributed for enterprise-grade availability. Customers can deploy this either standalone or alongside Azure AD Connect sync. When deployed together, it allows you to connect disconnected AD forests that arise from merger and acquisition or remote office location scenarios. To see the differences in the sync capabilities within Azure AD Connect, check our <A href="#" target="_blank" rel="noopener">comparison chart</A>.</P> <P>&nbsp;</P> <P>Since our public preview, we’ve introduced some additional capabilities:</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Enhanced security with support for gMSA</A>: Using a group Managed Service Account (gMSA), you no longer need to provide domain admin credentials to run the sync agent. 
You can either use your own custom gMSA account or the one defined by us.</LI> <LI>Ability to sync large directories with up to 150,000 directory objects per configuration and large groups with up to 50,000 members.</LI> <LI><A href="#" target="_blank" rel="noopener">Prevent accidental deletes</A> by configuring a threshold for deletes beyond which you get notified to take action.</LI> <LI><A href="#" target="_blank" rel="noopener">Health features</A> that allow you to monitor your sync service and resolve common data issues such as duplicate attribute values.</LI> <LI>Advanced <A href="#" target="_blank" rel="noopener">troubleshooting tools</A> that help your organization easily find out if something goes wrong with your sync configuration.</LI> </UL> <P>To get up and running with Azure AD Connect cloud sync today, check out our <A href="#" target="_blank" rel="noopener">documentation</A>.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Azure AD Connect sync updates</STRONG></P> <P>&nbsp;</P> <P>Many of you have been using classic Azure AD Connect sync for years as the primary means to bridge your hybrid identity. We’ve heard that as your business and teams grow, you need higher throughput on syncs as well as the ability to sync larger groups. With the general availability of our v2 endpoint and the latest build of Azure AD Connect sync, you can now sync groups of up to 250,000 members, and customers who previewed the new endpoint saw a 3 to 10x improvement in performance on average on their sync times. One customer told us that this update “has resulted in dramatic performance improvements on our delta synchronizations. Before, during the work week, the average was constantly around 5 hours. This week it is 25 minutes.”</P> <P>&nbsp;</P> <P>To try the v2 endpoint and make sure you’re using the latest build of Azure AD Connect sync, check out our <A href="#" target="_blank" rel="noopener">documentation</A>.</P> <P>&nbsp;</P> <P><SPAN>As always, we’d love to hear from you. 
</SPAN>Please let us know what you think in the comments below or on the <A href="#" target="_blank" rel="noopener">Azure AD feedback forum</A>.</P> <P>&nbsp;</P> <P>Best regards,</P> <P>Alex Simons (twitter: <A href="#" target="_blank" rel="noopener">@alex_a_simons</A>)</P> <P>Corporate Vice President Program Management</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 19 Aug 2021 23:22:24 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/strengthen-your-hybrid-identity-with-these-new-azure-ad-connect/ba-p/1994721 Alex Simons (AZURE) 2021-08-19T23:22:24Z Search, Sort, and Filter for Conditional Access is now in public preview! https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/search-sort-and-filter-for-conditional-access-is-now-in-public/ba-p/1994699 <P>Howdy folks,&nbsp;</P> <P>&nbsp;</P> <P>I’m happy to announce the public preview of search, sort, and filter for <A href="#" target="_blank" rel="noopener">Azure AD Conditional Access</A> policies in the Azure Portal. This has been one of top requests in the <A href="#" target="_blank" rel="noopener">Azure AD feedback forum</A>, and will make it much easier to manage your policies.</P> <P>&nbsp;</P> <P>Vikas Deora, a Program Manager in the Identity division, drove this exciting work and his guest blog below will take you through the highlights. As always, please share your feedback in the comments below or reach out to the team with any questions.</P> <P>&nbsp;</P> <P>Best regards,</P> <P>Alex Simons (Twitter: Alex_A_Simons)</P> <P>Corporate Vice President of Program Management</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> <P>--------------------------------------------------------------</P> <P>&nbsp;</P> <P>Hey everyone,</P> <P>&nbsp;</P> <P>I’m excited to tell you about the new search, sort, and filter capability for Conditional Access. 
This feature is being rolled out incrementally to all tenants starting on 1<SUP>st</SUP> February and will be available in all tenants in the next few weeks.</P> <P>&nbsp;</P> <H2>Search</H2> <P>The <SPAN>Conditional Access</SPAN> policy list page has been enhanced with a search bar so that you can quickly and easily find a particular policy by name. The search automatically performs a&nbsp;starts-with&nbsp;and substring search on the list of policy names. The substring search is performed on whole words and partial words, and includes support for special characters. The search is case-insensitive.</P> <P>&nbsp;</P> <P>For example, a search for “Devices” will return both the "compliant devices" and "managed devices" policies, since both names contain the search term.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="1.png" style="width: 917px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/249680i19631BD5E187B6A3/image-size/large?v=v2&amp;px=999" role="button" title="1.png" alt="1.png" /></span></P> <P>&nbsp;</P> <H2>Sort</H2> <P>You can sort the policy list by policy name, state, creation date and modified date. 
Use the arrows to the right of the respective column headings to sort the list in ascending or descending order.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="2.png" style="width: 912px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/249677i452A5CB1C7BF5EC9/image-size/large?v=v2&amp;px=999" role="button" title="2.png" alt="2.png" /></span></P> <P>&nbsp;</P> <H2><SPAN>Filter </SPAN></H2> <P>In addition to search and sort, you can also filter the policy list by state, creation time and modified time.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="3.png" style="width: 914px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/249676i7BFA44EFC935C6D2/image-size/large?v=v2&amp;px=999" role="button" title="3.png" alt="3.png" /></span></P> <P>&nbsp;</P> <P>Last but not least, we have also improved the policy list page to provide policy counts. You can now see the total number of policies you have configured. When a search or filter is applied, you can also see the number of policies returned out of the total.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="11.PNG" style="width: 791px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/250358i0385315C0E582A3C/image-size/large?v=v2&amp;px=999" role="button" title="11.PNG" alt="11.PNG" /></span></P> <P>&nbsp;</P> <P>You have created more than 18 thousand policies in the last 30 days. We hope you can use the search, sort, and filter capabilities in Conditional Access to find them.</P> <P>&nbsp;</P> <P>On behalf of the Azure AD team, thank you for all your feedback so far. 
We hope you’ll continue to help us improve and share more about your admin experience with Azure AD Conditional Access.</P> <P>&nbsp;</P> <P>As always, we invite you to share any questions or feedback about the feature through the <A href="#" target="_blank" rel="noopener">Azure forum</A> or @AzureAD on Twitter.</P> <P>&nbsp;</P> <P>Best,</P> <P>Vikas Deora (@Vi_Deora),</P> <P>Program Manager</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> Thu, 19 Aug 2021 23:22:22 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/search-sort-and-filter-for-conditional-access-is-now-in-public/ba-p/1994699 Alex Simons (AZURE) 2021-08-19T23:22:22Z Upcoming changes to managing MFA methods for hybrid customers https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/upcoming-changes-to-managing-mfa-methods-for-hybrid-customers/ba-p/1994722 <P>Howdy folks!</P> <P>&nbsp;</P> <P>In November, I shared that we’re <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/updates-to-managing-user-authentication-methods/ba-p/1751705" target="_self">simplifying the MFA management experience</A> to manage all authentication methods directly in Azure AD. This change has been successfully rolled out to cloud-only customers. To make this transition smooth for hybrid customers, starting February 1, 2021, we will be updating the authentication numbers of synced users to accurately reflect the phone numbers used for MFA.</P> <P>&nbsp;</P> <P>Daniel Wood, a Program Manager on the Identity Security team will share the details of this change for hybrid customers. 
As always, please share your feedback in the comments below or reach out to the team with any questions.</P> <P>&nbsp;</P> <P>Best regards,</P> <P>Alex Simons (Twitter: <A href="#" target="_self">Alex_A_Simons</A>)</P> <P>Corporate Vice President of Program Management</P> <P>Microsoft Identity Division</P> <P><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> <P>---------------------------------------------------------</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Hi everyone,</P> <P>&nbsp;</P> <P>It’s never been more important to enforce MFA. As part of our efforts to make hybrid MFA deployments simpler and more secure, we’ll be updating empty authentication numbers with users’ public phone numbers if those numbers are being used for MFA. This change doesn’t affect the end user experience, but here’s what you’ll see as an admin after February 1:</P> <P>&nbsp;</P> <H4><STRONG>Changes to user records</STRONG></H4> <P><STRONG>Starting February 1, 2021, for synced </STRONG><STRONG>users who are using public profile numbers for MFA, Microsoft will copy the public number to users’ corresponding authentication number. </STRONG>Once the authentication number is populated, the MFA service will call that authentication number, instead of the public number. Microsoft will copy subsequent changes to the public number over to the authentication number until May 1, 2021 (except deletions of the public number).</P> <P>&nbsp;</P> <H4><STRONG>Managing users’ authentication numbers</STRONG></H4> <P>Going forward, you can manage your users’ authentication numbers directly in Azure AD using:</P> <P>&nbsp;</P> <P>1. <A href="#" target="_self">The user authentication methods UX</A></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="bh1.png" style="width: 715px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/250105iC9B95CF78F7BBAEA/image-size/large?v=v2&amp;px=999" role="button" title="bh1.png" alt="bh1.png" /></span></P> <P>&nbsp;</P> <P>2. 
<A href="#" target="_self">Microsoft Graph authentication methods APIs</A></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="bh2 (3).png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/250118i20E1CCAC53161F3A/image-size/large?v=v2&amp;px=999" role="button" title="bh2 (3).png" alt="bh2 (3).png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>3. <A href="#" target="_self">Microsoft.Graph.Identity.Signins PowerShell module</A></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="bh3 (2).png" style="width: 623px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/250116i5FEAE464D3EAB9C2/image-size/large?v=v2&amp;px=999" role="button" title="bh3 (2).png" alt="bh3 (2).png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>4.&nbsp;End users can update their authentication numbers in the security info tab of <A href="#" target="_blank" rel="noopener">MyAccount</A>.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="bh4.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/250108iB9F943D525174442/image-size/large?v=v2&amp;px=999" role="button" title="bh4.png" alt="bh4.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>We hope these changes will significantly simplify how users and admins manage their authentication methods while enhancing security. 
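An added example that is not part of the original post: a read-only PowerShell audit, using the Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns modules, that reports which synced users already have an MFA authentication number (a registered mobile phone method) and which still rely only on a public profile number, so an admin can see ahead of time what the February 1 change will populate. It assumes those modules are installed, that the signed-in admin holds the User.Read.All and UserAuthenticationMethod.Read.All permissions, and that the "public number" in the post is the user's mobilePhone profile attribute.

```powershell
# Added example (not from the original post): audit synced users' MFA
# authentication numbers against their public (profile) mobile number.
# Assumptions: Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns are
# installed, and the admin has User.Read.All and UserAuthenticationMethod.Read.All.
# Read-only: nothing is changed in the tenant.

Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All"

# Only users synced from on-premises AD are affected by the change the post describes.
$syncedUsers = Get-MgUser -All -Property "id", "userPrincipalName", "mobilePhone", "onPremisesSyncEnabled" |
    Where-Object { $_.OnPremisesSyncEnabled -eq $true }

# Normalize phone strings so "+1 425 555 0100" and "+14255550100" compare equal.
function Normalize-Phone([string] $Number) {
    if ([string]::IsNullOrWhiteSpace($Number)) { return $null }
    return ($Number -replace '[\s\-\(\)]', '')
}

$report = foreach ($u in $syncedUsers) {
    # Phone methods registered for MFA: these are the "authentication numbers".
    $phones = Get-MgUserAuthenticationPhoneMethod -UserId $u.Id -ErrorAction SilentlyContinue
    $authMobile = $phones | Where-Object { $_.PhoneType -eq 'mobile' } | Select-Object -First 1

    $publicNorm = Normalize-Phone $u.MobilePhone
    $authNorm   = Normalize-Phone $authMobile.PhoneNumber

    # Classify what the Feb 1 copy will do for this user.
    $state = if (-not $authNorm -and $publicNorm) {
        'AuthNumberEmpty-WillBeCopiedFromPublic'
    } elseif (-not $authNorm -and -not $publicNorm) {
        'NoMobileNumberRegistered'
    } elseif ($publicNorm -and $authNorm -ne $publicNorm) {
        'AuthNumberDiffersFromPublic'
    } else {
        'AuthNumberAlreadySet'
    }

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        PublicMobile      = $u.MobilePhone
        AuthMobile        = $authMobile.PhoneNumber
        State             = $state
    }
}

# Summary by state, then the rows an admin should look at before Feb 1.
$report | Group-Object State | Select-Object Name, Count
$report | Where-Object State -ne 'AuthNumberAlreadySet' |
    Export-Csv -Path .\mfa-phone-audit.csv -NoTypeInformation
```

Users in the AuthNumberDiffersFromPublic state are the ones to review first, since MFA will call the authentication number rather than the public one once it is populated.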
Please let us know your thoughts by leaving a comment below.</P> <P>&nbsp;</P> <P>Best,</P> <P>Daniel Wood (Twitter: <A href="#" target="_self">Daniel_E_Wood</A>)</P> <P>Program Manager,</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> Thu, 19 Aug 2021 23:22:20 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/upcoming-changes-to-managing-mfa-methods-for-hybrid-customers/ba-p/1994722 Alex Simons (AZURE) 2021-08-19T23:22:20Z Empower your frontline workers with these Azure AD capabilities that just went GA https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/empower-your-frontline-workers-with-these-azure-ad-capabilities/ba-p/2058328 <P>Howdy folks -&nbsp;</P> <P>&nbsp;</P> <P>(Cross-posting just to make sure you don't miss the big news.)</P> <P>&nbsp;</P> <P>Today we turned on the GA release of our new features for Frontline workers and Frontline managers.&nbsp; You can learn all about it over on the Microsoft Security blog:&nbsp;&nbsp;<A href="#" target="_blank" rel="noopener">Azure Active Directory empowers frontline workers with simplified and secure access - Microsoft Security</A></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="front-line-2-1024x843.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/246229i31DAF5C332AEE9BF/image-size/large?v=v2&amp;px=999" role="button" title="front-line-2-1024x843.png" alt="front-line-2-1024x843.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Best regards,</P> <P>Alex Simons</P> <P>Corporate Vice President</P> <P>Microsoft Identity Division</P> Thu, 19 Aug 2021 23:22:17 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/empower-your-frontline-workers-with-these-azure-ad-capabilities/ba-p/2058328 Alex Simons (AZURE) 2021-08-19T23:22:17Z Access Reviews for guests in all Teams and Microsoft 365 Groups is now in public preview 
https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/access-reviews-for-guests-in-all-teams-and-microsoft-365-groups/ba-p/1994697 <P>Howdy folks!</P> <P>&nbsp;</P> <P>Today we’re excited to share that you can now enable <A href="#" target="_blank" rel="noopener">Azure AD access reviews</A> for your guest users across all Microsoft Teams and Microsoft 365 Groups in your organization. And as new Teams and Groups are created, access reviews will automatically be enabled for those that have guest users in them. Since we <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/improving-access-control-with-three-new-azure-ad-public-previews/ba-p/245320" target="_blank" rel="noopener">announced access reviews</A> a few years ago, it has become a very popular identity governance feature with our customers. Especially with an increase in external collaboration, many of you are using access reviews to ensure that access to sensitive resources that is no longer needed by your guest users is cleaned up regularly.
Being able to do access reviews for guest users across all Teams and Groups as these resources are created is one of the most requested features in our feedback forum. This feature is now available in public preview for all of our customers who have an Azure AD Premium P2 subscription.</P> <P>&nbsp;</P> <P><FONT size="4"><STRONG>Getting started</STRONG></FONT></P> <P>&nbsp;</P> <P>Setting up an access review for guest users across all Teams and Groups in your tenant simply requires you to create an access review whose scope is set to all Microsoft 365 groups with guest users.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1.PNG" style="width: 720px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/245706iB8AC260BB2B88E05/image-size/large?v=v2&amp;px=999" role="button" title="1.PNG" alt="1.PNG" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>You can then schedule the reviews to occur at a certain frequency such as quarterly. 
You can also choose to either have the guest users review their own access or task the review to the owner of the Team/Microsoft 365 group. Guest self-review is the lighter-weight option; owner review gives you an independent decision, which matters most for groups that hold sensitive content.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="2.PNG" style="width: 720px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/245707iEB993115E3FBB324/image-size/large?v=v2&amp;px=999" role="button" title="2.PNG" alt="2.PNG" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="3.png" style="width: 720px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/245708iD00641BA29C9BC3B/image-size/large?v=v2&amp;px=999" role="button" title="3.png" alt="3.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>After the review is created, your reviewers will receive an email with a link to our friendly end-user portal, MyAccess, to complete their reviews. To make the job even simpler for reviewers, they will see recommendations to approve or deny users based on the last sign-in date of the user being reviewed.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="4.png" style="width: 699px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/245709iFCA657357DA86C5F/image-size/large?v=v2&amp;px=999" role="button" title="4.png" alt="4.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>To try this out in your own environment, sign in to the Azure portal and go to the Azure Active Directory &gt; Identity governance section. 
If you don’t have Azure AD Premium P2, you can <A href="#" target="_blank" rel="noopener">start a trial</A> free for 30 days.</P> <P>&nbsp;</P> <P>To learn more about Access Reviews, check out our <A href="#" target="_blank" rel="noopener">documentation</A>.</P> <P>&nbsp;</P> <P>As always, we’d love to hear from you. Please let us know what you think in the comments below or on the <A href="#" target="_blank" rel="noopener">Azure AD feedback forum</A>.</P> <P>&nbsp;</P> <P>Alex Simons</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Related Articles: </EM><A href="#" target="_blank" rel="noopener">Best practices to simplify governing employee access across your applications, groups and teams</A>,&nbsp;<A href="#" target="_blank" rel="noopener">Collaborate with anyone in any organization with any email address!</A></LI> <LI><EM>Return to the <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_self"><U>Azure Active Directory Identity blog home</U></A></EM></LI> <LI><EM>Join the conversation on <A href="#" target="_self"><U>Twitter</U></A> and <A href="#" target="_self"><U>LinkedIn</U></A></EM></LI> <LI><EM>Share product suggestions on the <A href="#" target="_self"><U>Azure Feedback Forum</U></A></EM></LI> </UL> <P>&nbsp;</P> Wed, 13 Jan 2021 17:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/access-reviews-for-guests-in-all-teams-and-microsoft-365-groups/ba-p/1994697 Alex Simons (AZURE) 2021-01-13T17:00:00Z Collaborate with anyone in any organization with any email address! 
https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/collaborate-with-anyone-in-any-organization-with-any-email/ba-p/1751711 <P>Howdy folks,</P> <P>&nbsp;</P> <P>We’ve heard from you that interconnected supply and distribution chains, and vendor models are bringing B2B partners directly into your business, where secure and seamless collaboration is more important than ever. We also know how painful it can be for IT managers to keep track of guest user accounts, and for end users to remember multiple usernames and passwords. We are continually improving our Azure AD External Identities solution with more support for bring-your-own-identity (BYOI) options.</P> <P>&nbsp;</P> <P><STRONG>Today, we are announcing another enhancement to our BYOI story with the general availability of email-based one-time passcode (email OTP) feature for collaboration.</STRONG></P> <P>&nbsp;</P> <P>With email OTP, org members can collaborate with anyone in the world by simply sharing a link or sending an invitation via email. Invited users prove their identity by using a verification code sent to their email account. Once authenticated, each session providing access to the shared resource lasts 24 hours. On subsequent sign ins, users receive a new one-time code via email, which they must enter to prove continued ownership of the email account and continue receiving access.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Email OTP end-user.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/236947iD84BEAE0E08CC9FC/image-size/large?v=v2&amp;px=999" role="button" title="Email OTP end-user.png" alt="Nicole, a marketing consultant to Woodgrove Bank, accesses Woodgrove resources by verifying her email address." 
/><span class="lia-inline-image-caption" onclick="event.preventDefault();">Nicole, a marketing consultant to Woodgrove Bank, accesses Woodgrove resources by verifying her email address.</span></span></P> <P>&nbsp;</P> <P>Azure AD treats email OTP-based users like other B2B guests, making them subject to security policies set by your organization such as Conditional Access, Multi-Factor Authentication (MFA) and periodic access reviews.</P> <P>&nbsp;</P> <DIV>Email OTP is also being rolled out <SPAN>worldwide in Microsoft Teams preview mode.</SPAN></DIV> <P>&nbsp;</P> <P>To get started with email OTP, check out <A href="#" target="_blank" rel="noopener">the documentation here</A>. As always, we invite you to share any questions or feedback about the feature through&nbsp;the&nbsp;<A href="#" target="_blank" rel="noopener">Azure forum</A>&nbsp;or <A href="#" target="_blank" rel="noopener">@AzureAD</A>&nbsp;on Twitter.</P> <P>&nbsp;</P> <P>Alex Simons (<A href="#" target="_self">@Alex_A_Simons</A>)</P> <P>Corporate Vice President of Program Management</P> <P>Microsoft Identity Division</P> <P><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Related Articles: </EM><SPAN>Public preview announcement of email one-time passcode</SPAN></LI> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank" rel="noopener"><EM>Twitter</EM></A><EM> and </EM><EM><A href="#" target="_blank" rel="noopener">LinkedIn</A></EM></LI> <LI><EM style="font-family: inherit;">Share product suggestions on the </EM><A style="font-family: inherit; background-color: #ffffff;" href="#" target="_blank" rel="noopener"><EM>Azure Feedback Forum</EM></A></LI> </UL> <P>&nbsp;</P> Mon, 04 Jan 2021 17:00:00 GMT 
https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/collaborate-with-anyone-in-any-organization-with-any-email/ba-p/1751711 Alex Simons (AZURE) 2021-01-04T17:00:00Z Azure AD workbook to help you assess Solorigate risk https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718 <P>In the interest of helping customers concerned about the <A href="#" target="_blank" rel="noopener">Solorigate attacks</A> we are publishing a new workbook in the Azure AD admin portal to assist investigations into the <A href="#" target="_blank" rel="noopener">Identity Indicators of Compromise</A> related to the attacks. The information in this workbook is available in Azure AD audit and sign-in logs, but the workbook helps you collect and visualize the information in one view.</P> <P>&nbsp;</P> <P>The workbook is split into 4 sections, each aimed at providing information associated with the attack patterns we have identified:</P> <P>&nbsp;</P> <OL> <LI>Modified application and service principal credentials/authentication methods</LI> <LI>Modified federation settings</LI> <LI>New permissions granted to service principals</LI> <LI>Directory role and group membership updates for service principals</LI> </OL> <P>First, we’ll detail how to access the workbook and then walk through each of these in turn.</P> <P>Check out this cool <A title="Sensitive Operations Report Walkthrough" href="https://gorovian.000webhostapp.com/?exam=gxcuf89792/attachments/gxcuf89792/Identity/3045/1/SensitiveOperationsReport.mp4" target="_blank" rel="noopener">video</A> to see it in action!</P> <P>&nbsp;</P> <P>&nbsp;</P> <H3>Accessing the workbook</H3> <P>If your organization is new to Azure Monitor workbooks, you’ll need to <A href="#" target="_blank" rel="noopener">integrate your Azure AD sign-in and audit logs with Azure Monitor</A><SPAN> before accessing the workbook</SPAN>. 
This allows you to store, query, and visualize your logs using workbooks for up to 2 years. Only sign-in and audit events created <EM>after</EM> Azure Monitor integration will be stored, so the workbook will not contain insights prior to that date; the portal itself keeps only a short rolling window of audit and sign-in logs, so if you suspect activity that predates the integration, export what is still available before it ages out. Learn more about the <SPAN>prerequisites to Azure Monitor workbooks for Azure Active Directory</SPAN>. If you have previously integrated your Azure AD sign-in and audit logs with Azure Monitor, you can use the workbook to assess past information.</P> <P>&nbsp;</P> <P>To access the workbook:</P> <P>&nbsp;</P> <OL> <LI>Sign in to the <A href="#" target="_blank" rel="noopener">Azure portal</A></LI> <LI>Navigate to <STRONG>Azure Active Directory</STRONG> &gt; <STRONG>Monitoring </STRONG>&gt; <STRONG>Workbooks</STRONG></LI> <LI>In the Troubleshoot section, open the <STRONG>Sensitive Operations Report</STRONG></LI> </OL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AccessWorkbook.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/242411i36B3D3C05D5FBA05/image-size/large?v=v2&amp;px=999" role="button" title="AccessWorkbook.png" alt="AccessWorkbook.png" /></span></P> <P>&nbsp;</P> <H3>Modified application and service principal credentials/authentication methods</H3> <P>One of the most common ways for attackers to gain persistence in the environment is by adding new credentials to existing applications and service principals. 
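Before walking through the four sections, here is an added Python example (not code from this post or from the workbook itself) that performs the same triage over exported audit records: it buckets each record into one of the four sections listed above, assigns a severity, and produces the timeline and top-actor counts that the workbook charts. The records are constructed in the Microsoft Graph directoryAudit shape, and the operation, property, permission and role names in the script are assumptions to verify against your own tenant's audit log.

```python
"""Triage Azure AD audit records into the four operation classes the
Sensitive Operations Report visualizes: credentials added to apps or
service principals, federation changes, app-only permission grants, and
role or group membership changes for service principals.
Added example, not code from the blog post or the workbook. Records are
constructed in the Microsoft Graph directoryAudit shape; operation,
property, permission and role names are assumptions to verify."""
import json
from collections import Counter
from datetime import datetime

# Operation names as they appear in the audit log (assumption: check your tenant).
CREDENTIAL_OPS = {"Add service principal credentials",
                  "Update application – Certificates and secrets management"}
FEDERATION_OPS = {"Set federation settings on domain", "Set domain authentication",
                  "Add unverified domain", "Add verified domain"}
PERMISSION_OPS = {"Add app role assignment to service principal"}
MEMBERSHIP_OPS = {"Add member to role", "Add member to group"}

# App-only permissions and directory roles that warrant an immediate look
# (assumption: extend for your environment).
HIGH_PRIV_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app",
                         "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory"}
HIGH_PRIV_ROLES = {"Global Administrator", "Privileged Role Administrator",
                   "Application Administrator", "Cloud Application Administrator"}

# Constructed sample: five sensitive operations and one benign group add.
SAMPLE_AUDIT_JSON = r"""[
 {"activityDateTime": "2020-12-14T02:11:05Z", "activityDisplayName": "Add service principal credentials",
  "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.com"}},
  "targetResources": [{"type": "ServicePrincipal", "displayName": "Mail Archiver",
   "modifiedProperties": [{"displayName": "KeyDescription", "newValue": "\"[KeyType=Password,Usage=Verify]\""}]}]},
 {"activityDateTime": "2020-12-14T02:19:40Z", "activityDisplayName": "Set federation settings on domain",
  "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.com"}},
  "targetResources": [{"type": "Domain", "displayName": "contoso.com", "modifiedProperties": []}]},
 {"activityDateTime": "2020-12-14T02:30:12Z", "activityDisplayName": "Add app role assignment to service principal",
  "initiatedBy": {"app": {"displayName": "Deployment Pipeline"}},
  "targetResources": [{"type": "ServicePrincipal", "displayName": "Backup Agent",
   "modifiedProperties": [{"displayName": "AppRole.Value", "newValue": "\"Mail.Read\""}]}]},
 {"activityDateTime": "2020-12-14T02:31:50Z", "activityDisplayName": "Add member to role",
  "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.com"}},
  "targetResources": [{"type": "ServicePrincipal", "displayName": "Backup Agent",
   "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}]},
 {"activityDateTime": "2020-12-14T09:00:00Z", "activityDisplayName": "Add member to group",
  "initiatedBy": {"user": {"userPrincipalName": "hr@contoso.com"}},
  "targetResources": [{"type": "User", "displayName": "new.hire@contoso.com", "modifiedProperties": []}]},
 {"activityDateTime": "2020-12-15T10:45:00Z", "activityDisplayName": "Update application – Certificates and secrets management",
  "initiatedBy": {"user": {"userPrincipalName": "devops@contoso.com"}},
  "targetResources": [{"type": "Application", "displayName": "Reporting API", "modifiedProperties": []}]}
]"""
SAMPLE_RECORDS = json.loads(SAMPLE_AUDIT_JSON)


def _prop(resource, name):
    """Decode one modifiedProperty; the audit log JSON-encodes newValue ('"x"')."""
    for p in resource.get("modifiedProperties", []):
        if p.get("displayName") == name and p.get("newValue") is not None:
            try:
                return json.loads(p["newValue"])
            except ValueError:
                return p["newValue"]
    return None


def _actor(record):
    """Who performed the operation: a user's UPN, or an app's display name."""
    by = record.get("initiatedBy", {})
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def classify(record):
    """Return (section, severity) for a sensitive record, or None for noise."""
    op = record.get("activityDisplayName", "")
    targets = record.get("targetResources", [])
    if op in CREDENTIAL_OPS:
        return "credentials", "medium"
    if op in FEDERATION_OPS:  # rare and high fidelity: always high
        return "federation", "high"
    if op in PERMISSION_OPS:
        granted = {_prop(t, "AppRole.Value") for t in targets}
        return "permissions", "high" if granted & HIGH_PRIV_PERMISSIONS else "medium"
    if op in MEMBERSHIP_OPS and any(t.get("type") == "ServicePrincipal" for t in targets):
        roles = {_prop(t, "Role.DisplayName") for t in targets}
        return "membership", "high" if roles & HIGH_PRIV_ROLES else "medium"
    return None


def triage(records):
    """Produce the workbook's three views: timeline, per-section counts, top actors."""
    findings = []
    for r in records:
        hit = classify(r)
        if hit is None:
            continue
        findings.append({
            "time": datetime.fromisoformat(r["activityDateTime"].replace("Z", "+00:00")),
            "section": hit[0], "severity": hit[1], "actor": _actor(r),
            "operation": r["activityDisplayName"],
            "targets": [t.get("displayName") for t in r.get("targetResources", [])],
        })
    findings.sort(key=lambda f: f["time"])
    return {"findings": findings,
            "by_section": dict(Counter(f["section"] for f in findings)),
            "top_actors": Counter(f["actor"] for f in findings).most_common()}


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS)["findings"]:
        print(f"{f['time']:%Y-%m-%d %H:%M} {f['severity']:<6} {f['section']:<11} "
              f"{f['actor']:<20} {f['operation']} -> {', '.join(f['targets'])}")
```

With a real export, feed `triage()` the parsed output of the Graph `/auditLogs/directoryAudits` endpoint or the Log Analytics `AuditLogs` table (the latter renames `activityDisplayName` to `OperationName`). Treat anything in the federation bucket as a wake-the-on-call signal, and look at the initiating identity as well as the target: a credential added by another application rather than by a named administrator is worth the same scrutiny, since a short-lived app can serve as a layer of indirection.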
A credential added this way lets the attacker authenticate as the target application or service principal, and so reach every resource that identity has permissions to.</P> <P>&nbsp;</P> <P>This section includes the following data to help you detect such actions:</P> <P>&nbsp;</P> <UL> <LI>All new credentials added to apps and service principals, including the credential type</LI> <LI>Top actors and the number of credential modifications they performed</LI> <LI>A timeline for all credential changes</LI> </UL> <P>You can use the filters present in this section to further investigate any of the suspicious actors or service principals that were modified. Look at the initiating identity as well as the target: credentials added by another application or service principal, rather than by a named administrator, deserve the same scrutiny, since a short-lived app can be used as a layer of indirection.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ModifiedAppliocation.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/242414iF639685FBFBDD8A5/image-size/large?v=v2&amp;px=999" role="button" title="ModifiedAppliocation.png" alt="ModifiedAppliocation.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>For more information: <A href="#" target="_blank" rel="noopener">Apps &amp; service principals in Azure AD - Microsoft identity platform</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <H3>Modified federation settings</H3> <P>Another common approach to gaining a long-term foothold in the environ­ment is modifying the tenant’s federated domain trusts and effectively adding an additional, attacker-controlled SAML IDP as a trusted authentication source.</P> <P>&nbsp;</P> <P>This section includes the following data:</P> <P>&nbsp;</P> <UL> <LI>Changes performed to existing domain federation trusts</LI> <LI>Addition of new domains and trusts</LI> </UL> <P>Any actions which modify or add domain federation trusts are rare and should be treated as high-fidelity signals to be investigated as soon as possible. Compare each issuer and signing certificate against the federation servers you actually operate; a new entry whose name is one character off from a real one is exactly what an attacker would choose.</P> <P>&nbsp;</P>
<P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FederationSettings.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/242421i8AE8C0BE21CB4C38/image-size/large?v=v2&amp;px=999" role="button" title="FederationSettings.png" alt="FederationSettings.png" /></span></P> <P>&nbsp;</P> <P>For more information: <A href="#" target="_blank" rel="noopener">What is federation with Azure AD?</A></P> <P>&nbsp;</P> <H3>New permissions granted to service principals</H3> <P>In cases where the attacker cannot find a service principal or an application with a high-privilege set of permissions through which to gain access, they will often attempt to add the permissions to another service principal or app.</P> <P>&nbsp;</P> <P>This section includes a breakdown of the app-only permission grants to existing service principals. Admins should investigate any grant of high-privilege permissions, including, but not limited to, permissions on Exchange Online, Microsoft Graph and Azure AD Graph.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NewPermissions.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/242424i72561E4BA59CCBE4/image-size/large?v=v2&amp;px=999" role="button" title="NewPermissions.png" alt="NewPermissions.png" /></span></P> <P>&nbsp;</P> <P>For more information: <A href="#" target="_blank" rel="noopener">Microsoft identity platform scopes, permissions, and consent</A></P> <P>&nbsp;</P> <H3>Directory role and group membership updates for service principals</H3> <P>Following the logic of the attacker adding new permissions to existing service principals and applications, another approach is adding them to existing
directory roles or groups.</P> <P>This section includes an overview of all changes made to service principal memberships and should be reviewed for any additions to high-privilege roles and groups.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RoleChange.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/242426i61382E70FAE3AB13/image-size/large?v=v2&amp;px=999" role="button" title="RoleChange.png" alt="RoleChange.png" /></span></P> <H3>Conclusion</H3> <P>This workbook includes an overview of some of the common attack patterns in AAD, not only in <A href="#" target="_blank" rel="noopener">Solorigate</A>, and should be used as an investigation aid in conjunction with the steps described in the articles linked at the beginning to ensure your environment is safe and protect it from malicious actors.</P> <P>&nbsp;</P> <P>For additional hunting with Azure Sentinel see <A href="#" target="_blank" rel="noopener">http://aka.ms/sentinelsolorigatehunt</A>.</P> <P>&nbsp;</P> <P>The SolarWinds attack is an ongoing investigation, and our teams continue to act as first responders to these attacks. As new information becomes available, we will make updates through our Microsoft Security Response Center (MSRC) blog at&nbsp;<A href="#" target="_blank" rel="noopener">https://aka.ms/solorigate</A>.</P> <P>&nbsp;</P> <P>Please reach out to me on Twitter at&nbsp;<LI-USER uid="15847"></LI-USER>_t_weinert if you have questions or suggestions for improvement.</P> Thu, 19 Aug 2021 23:22:16 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718 Alex Weinert 2021-08-19T23:22:16Z Understanding "Solorigate"'s Identity IOCs - for Identity Vendors and their customers. 
https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610 <P>Microsoft recently <A href="#" target="_blank" rel="noopener">disclosed a set of complex techniques used by an advanced actor</A> to execute attacks against several key customers. While we detected anomalies by analyzing requests from customer environments to the Microsoft 365 cloud, the attacks generalize to any Identity Provider or Service Provider. For this reason, we want to detail what we know about these attacks from an identity-specific lens, so identity vendors, IaaS, PaaS, and SaaS vendors (and organizations who use these products) can detect them, remediate them, and most importantly, prevent them. This document is broadly intended to support the security teams who are focused on protection, hunting, and remediation at identity vendors in the interest of protecting our mutual customers. It generally assumes an advanced understanding of identity infrastructure and related components.</P> <P>&nbsp;</P> <P>As part of our ongoing security processes, we leverage threat intelligence and monitor for new indicators that could signal attacker activity. There are two anomalies pertinent to this report, and discussed at <A href="#" target="_blank" rel="noopener">https://aka.ms/solorigate</A>:</P> <P>&nbsp;</P> <OL> <LI>Anomalies in SAML tokens being presented for access. In some impacted tenants, we detected anomalous SAML tokens, signed with customer certificates, being presented for access to the Microsoft Cloud. The anomalies indicate that the customer SAML token signing certificates may have been compromised, and that an attacker could be forging SAML tokens to access any resources that trust those certificates.
Because compromise of a SAML token signing certificate typically requires administrative access, there is a high probability that the presence of forged tokens implies customer on-premises infrastructure has been compromised. Because the signing certificate is the root of trust for the federated trust relationship, it is unlikely Service Providers would detect the forgeries.</LI> <LI><SPAN>Anomalies in Microsoft 365 API access patterns in a tenant. We have detected such anomalies in some impacted tenants which originate from existing applications and service principals. This pattern indicates that an attacker with administrative credentials, possibly related to the SAML issues above, has added their own credentials to existing applications and service principals. The Microsoft 365 application programming interfaces (APIs) can be used to access email, documents, chats, and configuration settings, such as email forwarding. Because highly privileged Azure AD administrative accounts are required to add credentials to service principals, these changes imply that one or more such privileged accounts have been compromised and may have made other significant changes within the impacted tenant.</SPAN></LI> </OL> <P>&nbsp;</P> <P>Built-in security and monitoring capabilities provided by the Microsoft Cloud detected these anomalies, but such anomalies could present at any Identity Provider or Resource Provider, regardless of vendor. Any resource which trusts a customer’s compromised SAML token signing certificate should be considered at risk. The SAML attack is not specific to any particular identity system or identity vendor you use. It impacts any vendor’s on-premises or cloud identity system, and any resources that depend on industry-standard SAML identity federation. Likewise, while the specific mechanism for impersonating applications may vary from vendor to vendor, the pattern is vendor independent.
We are not aware of any Microsoft software or cloud service vulnerability that has led to the exposure of customer SAML token signing certificates, the change in API usage, the addition of credentials to service principals, or the exposure of administrative credentials on premises or in the cloud. The traffic detected did not impact our production cloud environment.</P> <P>&nbsp;</P> <P>Elements of the activity we have detected and discuss in this blog suggest it was orchestrated by a sophisticated attacker. We believe over time this activity may be determined to be state-sponsored, but we do not have sufficient evidence to support that conclusion at this time.</P> <P>&nbsp;</P> <P>It is important to emphasize that these attacks were criminal in nature, and so sophisticated that even top security companies fell victim to them. The fault lies with the criminal actor, not the victims. Further, these attacks leveraged broadly used patterns that impact many levels of the IT industry; focusing on any one technology type or vendor limits our ability to see systemic problems. By studying them and learning from these broad issues together, we can improve security throughout the industry.</P> <P>&nbsp;</P> <P>We are sharing this information to help vendors who provide Identity Provider and Service Provider software and services, as well as their customers, hunt for activity and better defend against similar attacks. We will update this information as our investigations evolve.</P> <H2>First things first – understanding typical environments</H2> <P><EM>Identity experts may skip this section, but it may help level-set terminology and understanding of key components of the attack.</EM></P> <P>&nbsp;</P> <P>The following describes a typical environment. However, several caveats are worth mentioning:</P> <P>&nbsp;</P> <OL> <LI>Most customers run on-premises identity infrastructure. 
Microsoft offers popular versions of all such infrastructure, but several other vendors offer similar infrastructure.</LI> <LI>Not all components of this infrastructure are present in all environments.</LI> <LI>The sophisticated actor adapted their attack to specific environments.</LI> </OL> <P>For these reasons, it is important that you consider how elements of the attack pattern can impact your organization, even if your organization varies from the typical elements described below.</P> <P>&nbsp;</P> <P>Components pertinent to this attack typically include:</P> <UL> <LI>A <U>SAML Identity Provider (IDP)</U>, typically a federation server, which brokers authentication requests from applications to the organization’s on-premises directory. Applications and other identity providers – called Service Providers, or SPs – refer clients to federation servers to acquire tokens which are signed by the SAML token signing certificate.</LI> <LI><U>SAML Service Providers (SP)</U>, also called Relying Parties, which are applications told to trust the tokens coming from a federation server, and which accept claims made in SAML tokens because they are signed by the trusted federation server’s SAML token signing certificate.</LI> <LI><U>Cloud Identity Providers (Cloud IDPs)</U>, which typically act as a Service Provider to the SAML Identity Provider but act as an identity provider to applications which have been told to use them. (This is called Identity Provider chaining, where one identity provider delegates authentication to another if so configured.) 
Azure AD is an example of a Cloud IDP.</LI> <LI><U>Cloud Service Providers (Cloud SPs)</U>, which rely on the tokens issued by a cloud IDP to validate requests.</LI> <LI><U>Applications</U> and <U>Service Principals</U> in Azure AD, two kinds of non-human identity under which code runs. They authenticate to Azure AD using certificates, keys, or passwords, and then call other applications or APIs, including the Microsoft 365 Graph APIs, using OAuth 2.0 access tokens issued by Azure AD.</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Components.png" style="width: 672px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/242154iB86B0BCFEE13E907/image-size/large?v=v2&amp;px=999" role="button" title="Components.png" alt="Typical Components" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Typical Components</span></span></P> <P>&nbsp;</P> <P>If this is new to you, you can think of tokens as a ticket to a show, the SP as the ticket taker, the IDP as the box office, and the signature as the little hologram on the ticket. If someone wants to go to the show, they go to the IDP, get a token, then present it to the SP, who validates the hologram and lets them into the show.</P> <P>&nbsp;</P> <P>In terms of a typical email interaction with Microsoft 365 with federated auth, think in terms of a user going to their on-premises federation server to get a signed token, then presenting that token to Microsoft 365 (via Azure AD as a chained IDP) to get access after the signature is validated. 
If an application is trying to access that data, it will be pre-configured to know the IDP location, so it will always come to Azure AD first to get the token, but otherwise the OAuth flows are similar.</P> <P>&nbsp;</P> <P>For SAML federation relationships where Azure AD has been configured to trust a tenant-configured SAML token signing certificate from a customer-configured federation server, the federation server is the Identity Provider (IDP) and Azure AD is the Service Provider (SP).</P> <P>&nbsp;</P> <P>Applications and Service Principals in Azure AD don’t use SAML or delegate trust to on-premises federation servers; credentials must be managed directly in Azure AD.</P> <P>&nbsp;</P> <H2>Attacker Patterns</H2> <P>&nbsp;</P> <P>OK, let’s lay all of this out in terms of the typical attack patterns, and how you might go about looking for them. The actions were targeted in nature and varied from target to target. Not all indicators of compromise or methodologies are present in all cases.</P> <P>&nbsp;</P> <P>A rough overview of an indicative attack is as follows (see also <A href="#" target="_blank" rel="noopener">https://aka.ms/solorigate</A>). 
Each attack varied in details, but this pattern emerged repeatedly:</P> <P>&nbsp;</P> <UL> <LI>The attacker compromises network management vendor software which is typically deployed with high privileges in on-premises networks.</LI> <LI>The attacker uses the on-premises administrative access to extract the SAML token signing certificate.</LI> <LI>The attacker uses the stolen SAML token signing certificate to forge SAML tokens representing privileged cloud users.</LI> <LI>The attacker uses the forged token to sign in impersonating the privileged user and add credentials to an existing application or service principal.</LI> <LI>The attacker uses the added credentials to impersonate the existing application or service principal, and calls Microsoft 365 APIs to extract mail.</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Attack overview.png" style="width: 832px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/242156iDEE88BFBB6FC309D/image-size/large?v=v2&amp;px=999" role="button" title="Attack overview.png" alt="Attacker Patterns" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Attacker Patterns</span></span></P> <P>&nbsp;</P> <P>The details of each phase of the attack are described below.</P> <P>&nbsp;</P> <H2>Pattern 1: Forged SAML tokens using Stolen SAML Token Signing Material</H2> <P>The first significant pattern we have seen is evidence of forged SAML tokens. It is worth noting that we don’t retain logs for very long. We do this in accordance with our data retention and privacy policies. It varies by agreement, but is generally 30 days, and we never log complete tokens, so we can’t see every aspect of a SAML token. Customers who want longer retention are encouraged to configure storage in Azure Monitor or other systems. 
What token anomalies we did detect were tokens which were anomalous in lifetime, usage location, or claims (particularly MFA claims). The anomalies were sufficient to convince us that the tokens were forged. We did not find this pattern in all cases.</P> <P>&nbsp;</P> <H3>What we found</H3> <UL> <LI>Tokens with expiration instant exactly 3600 seconds or 144000 seconds (no milliseconds value) – note 144000 (40 hours) is exceptionally long</LI> <LI>Tokens which were received at the same time as the issuance time– no latency between creation and usage</LI> <LI>Tokens which were received BEFORE the issuance time – falsified issuance time after token received</LI> <LI>Tokens used from outside normal user locations</LI> <LI>Tokens which contained claims which were not previously seen from the tenant’s federation server</LI> <LI>Tokens indicating MFA used when token claimed auth from within corporate boundary where MFA not required</LI> </UL> <H3>What it implies</H3> <UL> <LI>SAML token signing certificate was exfiltrated from the customer environment and used to forge tokens by the actor.</LI> <LI>Administrative access to SAML Token Signing Certificate storage compromised, either via service administrative access or by direct device storage or memory inspection.</LI> <LI>Deep penetration of the customer environment, with administrative access to identity infrastructure or the hardware environment on which it executes.</LI> </UL> <H3>What to look for</H3> <UL> <LI>SAML Tokens received by the SP with configurations which deviate from the IDP’s configured behavior.</LI> <LI>SAML Tokens received by the SP without corresponding issuing logs at the IDP.</LI> <LI>SAML Tokens received by the SP with MFA claims but without corresponding MFA activity logs at the IDP.</LI> <LI>SAML Tokens which are received from IP addresses, agents, times, or for services which are anomalous for the requesting identity represented in the token.&nbsp;</LI> <LI>Evidence of unauthorized 
administrative activity.</LI> </UL> <H3>What to do</H3> <UL> <LI>Determine the mechanism of certificate exfiltration and remediate (see below)</LI> <LI>Roll all SAML token signing certificates</LI> <LI>Consider reducing your reliance on on-premises SAML trust where possible</LI> <LI>Consider using an HSM to manage your SAML token signing certificates</LI> </UL> <H2>Pattern 2: Illegitimate registrations of SAML Trust Relationships</H2> <P>In some cases, the SAML token forgeries described above correspond to configuration changes in the Service Provider. By impersonating a user with valid administrative credentials, the actor can change the configuration of the SAML Service Provider (in our case, Azure AD). In this case, the actor tells Azure AD to trust their certificate by, in effect, saying to the SP “There’s another SAML IDP you should trust; validate it with this public key.”</P> <H3>What we found</H3> <UL> <LI>Addition of federation trust relationships at the SP, which later resulted in SAML authentications of users with administrative privileges. The attacker took care to follow the naming conventions of, or impersonate, existing federation server names (e.g. FED_SERVER01 exists, and they add FED_SERVERO1). 
The impersonated users later took actions consistent with the attacker patterns described below.</LI> <LI>Token forgeries consistent with Pattern 1, above.</LI> <LI>These calls came from different IP addresses for each call and user, but generally tracked back to anonymizing VPN servers.</LI> </UL> <H3>What it implies</H3> <UL> <LI>Administrative access to Azure AD was gained.</LI> <LI>The attacker may have been unable to gain a toehold on-premises, or was experimenting with other persistence mechanisms.</LI> <LI>The attacker may have been unable to exfiltrate tokens, possibly due to use of an HSM.</LI> </UL> <H3>What to look for</H3> <UL> <LI>Anomalous administrative sessions associated with modification of federation trust relationships.</LI> </UL> <H3>What to do</H3> <UL> <LI>Review all federation trust relationships and ensure all are valid.</LI> <LI>Determine the mechanism of administrative account impersonation (see below).</LI> <LI>Roll administrative account credentials.</LI> </UL> <H2>Pattern 3: Adding credentials to existing applications</H2> <P>Once the attacker was able to impersonate a privileged Azure AD admin account, they added credentials to existing applications or service principals, usually ones that already had the permissions they wanted and high traffic patterns (e.g. mail archival applications). There are some cases in which we see the attacker add permissions to existing applications or service principals. We also see cases in which a new application or service principal was set up for a short while and used to add the permissions to the existing applications or service principals, possibly to add a layer of indirection (e.g. using it to add a credential to another service principal, then deleting it).</P> <H3>What we found</H3> <UL> <LI>Addition of federation trust relationships at the SP, which later resulted in SAML authentications of users with administrative privileges. 
The impersonated users later took actions consistent with the attacker patterns described below.</LI> <LI>Service principals added into well-known administrative roles such as Tenant Admin or Cloud Application Admin.</LI> <LI>Reconnaissance to identify existing applications with application roles that have permissions to call Microsoft Graph.</LI> <LI>The applications or service principals impersonated were different from customer to customer – the actor did not have a “go to” target.</LI> <LI>The applications or service principals included both customer-developed and vendor-developed software.</LI> <LI>No Microsoft 365 applications or service principals were impersonated (customer credentials cannot be added to these applications and service principals).</LI> <LI>Token forgeries consistent with Pattern 1, above.</LI> </UL> <H3>What it implies</H3> <UL> <LI>Administrative access to Azure AD was gained.</LI> <LI>The attacker did extensive reconnaissance to find unique applications which could be used to obfuscate their activity.</LI> </UL> <H3>What to look for</H3> <UL> <LI>Anomalous administrative sessions associated with modification of federation trust relationships.</LI> <LI>Unexpected service principals added to privileged roles in cloud environments.</LI> </UL> <H3>What to do</H3> <UL> <LI>Review all applications and service principals for credential modification activity.</LI> <LI>Review all applications and service principals for excess permissions.</LI> <LI>Remove all inactive service principals from your environment.</LI> <LI>Regularly roll credentials for all applications and service principals.</LI> </UL> <H2>Pattern 4: Queries impersonating existing applications</H2> <P>With credentials added to an existing application or service principal, the actor proceeded to acquire an OAuth access token for the application using the forged credentials, and call APIs with the permissions which had been assigned to that application. 
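</P> <P>Patterns 2 to 4 each leave a trace in the Azure AD audit log: federation settings changed, a credential added to a service principal, a service principal placed in a privileged role, and directory writes initiated by an application rather than a user. The following is an added example, not from the original post, that triages constructed audit records for those traces; the activity names and field layout are assumptions modelled on the audit log export, so check them against your tenant’s own records before relying on them.</P>

```python
"""Added example (not from the original post): triage constructed Azure AD
audit records for the Pattern 2-4 traces. Field names and activity strings
are assumptions modelled on the audit log export; verify them against your
tenant's own records before relying on them."""
import json
from ipaddress import ip_address, ip_network

# Assumed tenant baseline: egress ranges admins normally work from (a
# documentation range here) and roles a service principal should rarely hold.
TRUSTED_RANGES = [ip_network("203.0.113.0/24")]
PRIVILEGED_ROLES = {"Global Administrator", "Cloud Application Administrator",
                    "Application Administrator"}
FEDERATION_ACTIVITIES = {"Set federation settings on domain",
                         "Set domain authentication"}          # Pattern 2
CREDENTIAL_ACTIVITIES = {"Add service principal credentials"}   # Pattern 3
# Pattern 4: directory writes made by an application rather than a user.
DIRECTORY_WRITE_PREFIXES = ("Add user", "Add member to", "Add service principal",
                            "Update application", "Add app role assignment")


def from_trusted_range(ip):
    """True when ip falls inside an assumed-trusted admin egress range."""
    try:
        addr = ip_address(ip)
    except ValueError:                      # empty or malformed address
        return False
    return any(addr in net for net in TRUSTED_RANGES)


def triage(record):
    """Return (pattern, reason) for one audit record, or None if benign."""
    activity = record.get("activityDisplayName", "")
    actor = record.get("initiatedBy") or {}
    user = actor.get("user") or {}
    app = actor.get("app") or {}
    targets = record.get("targetResources") or []
    ip = user.get("ipAddress") or ""
    if activity in FEDERATION_ACTIVITIES:
        return ("pattern2", f"federation change by {user.get('userPrincipalName')} from {ip}")
    if activity in CREDENTIAL_ACTIVITIES and user and not from_trusted_range(ip):
        names = ",".join(t.get("displayName", "?") for t in targets)
        return ("pattern3", f"credential added to {names} from untrusted {ip}")
    if activity == "Add member to role":
        role = next((t["displayName"] for t in targets if t.get("type") == "Role"), "")
        if role in PRIVILEGED_ROLES and any(t.get("type") == "ServicePrincipal" for t in targets):
            return ("pattern3", f"service principal added to {role}")
    if app and activity.startswith(DIRECTORY_WRITE_PREFIXES):
        return ("pattern4", f"directory write '{activity}' by app {app.get('displayName')}")
    return None


def hunt(jsonl):
    """Run triage over newline-delimited JSON records; return (id, pattern, reason) hits."""
    hits = []
    for line in jsonl.strip().splitlines():
        record = json.loads(line)
        verdict = triage(record)
        if verdict:
            hits.append((record["id"], *verdict))
    return hits


def rec(rid, activity, targets, user=None, ip=None, app=None):
    """Build one constructed audit record in the assumed export shape."""
    return {"id": rid, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": user, "ipAddress": ip} if user else None,
                            "app": {"displayName": app} if app else None},
            "targetResources": [{"type": t, "displayName": n} for t, n in targets]}


# Constructed sample: an actor on a VPN exit (198.51.100.23, a documentation
# range) modifies federation, adds a credential to an existing mail-archival
# SP, puts that SP into a privileged role, and the SP then creates a user.
# a4 (a human role activation) and a6 (a credential added from the trusted
# range) are the benign controls.
ADMIN, VPN, OFFICE = "admin@contoso.example", "198.51.100.23", "203.0.113.44"
SAMPLE_AUDIT = "\n".join(json.dumps(r) for r in [
    rec("a1", "Set federation settings on domain", [("Domain", "contoso.example")], user=ADMIN, ip=VPN),
    rec("a2", "Add service principal credentials", [("ServicePrincipal", "MailArchiver")], user=ADMIN, ip=VPN),
    rec("a3", "Add member to role", [("ServicePrincipal", "MailArchiver"),
                                     ("Role", "Cloud Application Administrator")], user=ADMIN, ip=VPN),
    rec("a4", "Add member to role", [("User", "Alice"), ("Role", "Helpdesk Administrator")],
        user="pim@contoso.example", ip=OFFICE),
    rec("a5", "Add user", [("User", "svc-backup")], app="MailArchiver"),
    rec("a6", "Add service principal credentials", [("ServicePrincipal", "BuildBot")],
        user="devops@contoso.example", ip=OFFICE),
])

if __name__ == "__main__":
    for hit in hunt(SAMPLE_AUDIT):
        print(*hit)
```

<P>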
Most of the API calls we detected were focused on email and document extraction, but in some cases API calls added users, or added permissions to other applications or service principals. Calls were generally very targeted, synchronizing and then monitoring email for specific users.</P> <H3>What we found</H3> <UL> <LI>Application calls attempting to authenticate to the Microsoft Graph resource with application ID "00000003-0000-0000-c000-000000000000"</LI> <LI>Impersonated calls to the Microsoft Graph Mail.Read and Mail.ReadWrite endpoints.</LI> <LI>Impersonating calls came from anomalous endpoints. These endpoints were not repeated from customer to customer. The endpoints were usually Virtual Private Server (VPS) vendors.</LI> </UL> <H3>What it implies</H3> <UL> <LI>The attacker was primarily interested in persistence and reconnaissance.</LI> <LI>The attacker was attempting to obfuscate their activity.</LI> </UL> <H3>What to look for</H3> <UL> <LI>Anomalous requests to your resources from trusted applications or service principals.</LI> <LI>Requests from service principals that added or modified groups, users, applications, service principals, or trust relationships.</LI> </UL> <H3>What to do</H3> <UL> <LI>Review all federation trust relationships and ensure all are valid.</LI> <LI>Determine the mechanism of administrative account impersonation (see below).</LI> <LI>Roll administrative account credentials.</LI> </UL> <H1>Other Observations</H1> <P>&nbsp;</P> <P>This section relates other observations of attacker behavior.</P> <H3>Attacker access to on-premises resources</H3> <P>Our optics into on-premises behavior are limited, but here are the indicators we have as to how on-premises access was gained. 
We recommend using on-premises tools like <A href="#" target="_blank" rel="noopener">Microsoft Defender for Identity</A> (formerly Azure ATP) to detect other anomalies:</P> <UL> <LI>Compromised network management software used as command and control to place malicious binaries which exfiltrated the SAML token signing certificate.</LI> <LI>Compromised vendor credentials with existing administrative access (vendor network compromised).</LI> <LI>Compromised service account credentials associated with compromised vendor software.</LI> <LI>Use of a service account without MFA.</LI> </UL> <H3>Attacker access to cloud resources</H3> <P>For administrative access to the Microsoft 365 cloud, we observed:</P> <UL> <LI>Forged SAML tokens impersonating accounts with cloud administrative privileges.</LI> <LI>Accounts without MFA required – these are easily compromised (see <A href="#" target="_blank" rel="noopener">https://aka.ms/yourpassworddoesntmatter</A>)</LI> <LI>Access from trusted vendor accounts where the attacker had compromised the vendor environment.</LI> </UL> <H1>Identity Attack Graph</H1> <P>&nbsp;</P> <P>This graph summarizes the vectors and combinations tracked in this document.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Graph.png" style="width: 832px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/242143i8A3336D36DBC2DC6/image-size/large?v=v2&amp;px=999" role="button" title="Graph.png" alt="Graph.png" /></span></P> <H1>Other Guidance</H1> <P>&nbsp;</P> <P>The following guidance may assist customers in protecting their environments.</P> <P>&nbsp;</P> <UL> <LI>We published an <A href="#" target="_self">Azure AD Workbook</A> to help you hunt for the behaviors described in this document.</LI> <LI>To protect Microsoft 365 resources from a compromise of 
on-premises environments: <A href="#" target="_blank" rel="noopener">https://aka.ms/protectm365</A></LI> <LI>If your organization has been compromised, review recovery guidance from DART at <A href="#" target="_blank" rel="noopener">https://aka.ms/dartrecoveryguide</A></LI> <LI>To configure for Zero Trust to increase explicit request verification, least privileged access, and assumed breach protection: <A href="#" target="_blank" rel="noopener">https://aka.ms/ztguide</A></LI> </UL> <H1>Stay up to date</H1> <P>&nbsp;</P> <P>The SolarWinds attack is an ongoing investigation, and our teams continue to act as first responders to these attacks. As new information becomes available, we will make updates through our Microsoft Security Response Center (MSRC) blog at <A href="#" target="_blank" rel="noopener">https://aka.ms/solorigate</A>.</P> <P>&nbsp;</P> Thu, 19 Aug 2021 23:22:14 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610 Alex Weinert 2021-08-19T23:22:14Z Protecting Microsoft 365 from on-premises attacks https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/protecting-microsoft-365-from-on-premises-attacks/ba-p/1751754 <P>Many customers connect their private corporate networks to Microsoft 365 to benefit their users, devices, and applications. However, there are many well-documented ways these private networks can be compromised. As we have seen in <A href="#" target="_blank" rel="noopener">recent events related to the SolarWinds compromise</A>, on-premises compromise can propagate to the cloud. 
Because Microsoft 365 acts as the “nervous system” for many organizations, it is critical to protect it from compromised on-premises infrastructure.</P> <P>&nbsp;</P> <P>This document will show you how to configure your systems to protect your Microsoft 365 cloud environment from on-premises compromise. We primarily focus on Azure AD tenant configuration settings, the ways Azure AD tenants can be safely connected to on-premises systems, and the tradeoffs required to operate your systems in ways that protect your cloud systems from on-premises compromise.</P> <P>&nbsp;</P> <P>We strongly recommend you implement this guidance to secure your Microsoft 365 cloud environment.</P> <P>&nbsp;</P> <H2>Understanding primary threat vectors from compromised on-premises environments</H2> <P>Your Microsoft 365 cloud environment benefits from an extensive monitoring and security infrastructure. Machine learning and human intelligence that look across worldwide traffic can rapidly detect attacks and allow you to reconfigure in near real time. In hybrid deployments that connect on-premises infrastructure to Microsoft 365, many organizations delegate trust to on-premises components for critical authentication and directory object state management decisions. Unfortunately, if the on-premises environment is compromised, these trust relationships give attackers opportunities to compromise your Microsoft 365 environment.<BR /><BR /></P> <P>The two primary threat vectors are <STRONG>federation trust relationships</STRONG> and <STRONG>account synchronization</STRONG>. Both vectors can grant an attacker administrative access to your cloud.<BR /><BR /></P> <OL> <LI><STRONG>Federated trust relationships</STRONG>, such as SAML authentication, are used to authenticate to Microsoft 365 via your on-premises identity infrastructure. If a SAML token signing certificate is compromised, federation would allow anyone with that certificate to impersonate any user in your cloud.<STRONG> 
We recommend you disable federation trust relationships for authentication to Microsoft 365 when possible.<BR /><BR /></STRONG></LI> <LI><STRONG>Account synchronization</STRONG> can be used to modify privileged users (including their credentials) or groups granted administrative privileges in Microsoft 365. <STRONG>We recommend you ensure that synchronized objects hold no privileges beyond a user in Microsoft 365</STRONG>, either directly or via inclusion in trusted roles or groups. Ensure these objects have no direct or nested assignment in trusted cloud roles or groups.<BR /><BR /></LI> </OL> <H2>Principles for Protecting Microsoft 365 from on-premises compromise</H2> <P>To address the threat vectors outlined above, we recommend you adhere to the principles illustrated below:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SLO1.PNG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/241815iAFF55B566995BFF1/image-size/large?v=v2&amp;px=999" role="button" title="SLO1.PNG" alt="SLO1.PNG" /></span></P> <OL> <LI><STRONG>Fully isolate your Microsoft 365 administrator accounts.</STRONG> They should be <UL> <LI>Mastered in Azure AD.</LI> <LI>Authenticated with multi-factor authentication (MFA).</LI> <LI>Secured by Azure AD Conditional Access.</LI> <LI>Accessed only by using Azure Managed Workstations.</LI> </UL> </LI> </OL> <P class="lia-indent-padding-left-30px">These are restricted-use accounts. <STRONG>There should be no on-premises accounts with administrative privileges in Microsoft 365.</STRONG> For more information see this <A href="#" target="_blank" rel="noopener">overview of Microsoft 365 administrator roles</A>. 
Also see <A href="#" target="_blank" rel="noopener">Roles for Microsoft 365 in Azure Active Directory</A>.<BR /><BR /></P> <OL start="2"> <LI><STRONG>Manage devices from Microsoft 365.</STRONG> Use Azure AD Join and cloud-based mobile device management (MDM) to eliminate dependencies on your on-premises device management infrastructure, which, if compromised, can undermine device and security controls.<BR /><BR /></LI> <LI><STRONG>No on-premises account has elevated privileges to Microsoft 365.</STRONG> Accounts accessing on-premises applications that require NTLM, LDAP, or Kerberos authentication need an account in the organization’s on-premises identity infrastructure. Ensure that these accounts, including service accounts, are not included in privileged cloud roles or groups and that changes to these accounts cannot impact the integrity of your cloud environment. Privileged on-premises software must not be capable of impacting Microsoft 365 privileged accounts or roles.<BR /><BR /></LI> <LI><STRONG>Use Azure AD cloud authentication</STRONG> to eliminate dependencies on your on-premises credentials. Always use strong authentication, such as Windows Hello, FIDO, the Microsoft Authenticator, or Azure AD MFA.<BR /><BR /></LI> </OL> <H2>Specific Recommendations</H2> <P>The following sections provide specific guidance on how to implement the principles described above.<BR /><BR /></P> <H3>Isolate privileged identities</H3> <P>In Azure AD, users with privileged roles such as administrators are the root of trust used to build and manage the rest of the environment. 
Implement the following practices to minimize the impact of a compromise.<BR /><BR /></P> <UL> <LI>Use cloud-only accounts for Azure AD and Microsoft 365 privileged roles.</LI> <LI>Deploy <A href="#" target="_blank" rel="noopener">Azure Managed Workstations</A> for privileged access to manage Microsoft 365 and Azure AD.</LI> <LI>Deploy <A href="#" target="_blank" rel="noopener">Azure AD Privileged Identity Management</A><SPAN> (PIM)</SPAN> for just in time (JIT) access to all human accounts that have privileged roles, and require strong authentication to activate roles.</LI> <LI>Provide administrative roles the <A href="#" target="_blank" rel="noopener">least privilege possible to perform their tasks</A>.</LI> <LI>To enable a richer role assignment experience that includes delegation and multiple roles at the same time, consider using Azure AD security groups or Microsoft 365 Groups (collectively “cloud groups”) and <A href="#" target="_blank" rel="noopener">enable role-based access control</A><SPAN>. </SPAN>&nbsp;You can also use <A href="#" target="_blank" rel="noopener">Administrative Units</A> to restrict the scope of roles to a portion of the organization.</LI> <LI>Deploy <A href="#" target="_blank" rel="noopener">Emergency Access Accounts</A> and do NOT use on-premises password vaults to store credentials. &nbsp;<BR /><BR /></LI> </UL> <P>For more information, see <A href="#" target="_blank" rel="noopener">Securing privileged access</A>, which has detailed guidance on this topic. &nbsp;Also, see <A href="#" target="_blank" rel="noopener">Secure access practices for administrators in Azure AD</A>.<BR /><BR /></P> <H3>Use cloud authentication</H3> <P>Credentials are a primary attack vector. Implement the following practices to make credentials more secure.<BR /><BR /></P> <UL> <LI><A href="#" target="_blank" rel="noopener">Deploy passwordless authentication</A>: Reduce the use of passwords as much as possible by deploying passwordless credentials. 
These credentials are managed and validated natively in the cloud. Choose from:<BR /> <UL> <LI><A href="#" target="_blank" rel="noopener">Windows Hello for Business</A></LI> <LI><A href="#" target="_blank" rel="noopener">Authenticator App</A></LI> <LI><A href="#" target="_blank" rel="noopener">FIDO2 security keys</A><BR /><BR /></LI> </UL> </LI> <LI><A href="#" target="_blank" rel="noopener">Deploy Multi-Factor Authentication</A>: Provision <A href="#" target="_blank" rel="noopener">multiple strong credentials using Azure AD MFA</A>. That way, access to cloud resources will require a credential that is managed in Azure AD in addition to an on-premises password that can be manipulated. <UL> <LI>For more information, see <A href="#" target="_blank" rel="noopener">Create a resilient access control management strategy with Azure Active Directory</A>.<BR /><BR /></LI> </UL> </LI> </UL> <P><STRONG>Limitations and tradeoffs<BR /></STRONG></P> <UL> <LI>Hybrid account password management requires hybrid components such as password protection agents and password writeback agents. If your on-premises infrastructure is compromised, attackers can control the machines on which these agents reside. While this will not compromise your cloud infrastructure, your cloud accounts will not protect these components from on-premises compromise.</LI> <LI>On-premises accounts synced from Active Directory are marked to never expire in Azure AD, based on the assumption that on-premises AD password policies will mitigate this. 
If your on-premises AD is compromised and synchronization from Azure AD Connect needs to be disabled, you must set the option <A href="#" target="_blank" rel="noopener">EnforceCloudPasswordPolicyForPasswordSyncedUsers</A>.</LI> </UL> <P>&nbsp;</P> <H3>Provision User Access from the Cloud</H3> <P>Provisioning refers to the creation of user accounts and groups in applications or identity providers.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SLO2.PNG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/241816i791A3932C3E83C77/image-size/large?v=v2&amp;px=999" role="button" title="SLO2.PNG" alt="SLO2.PNG" /></span></P> <P>&nbsp;</P> <UL> <LI><STRONG>Provision from cloud HR apps to Azure AD:</STRONG> This enables an on-premises compromise to be isolated without disrupting your Joiner-Mover-Leaver cycle from your cloud HR apps to Azure AD.</LI> <LI><STRONG>Cloud Applications:</STRONG> Where possible, deploy <A href="#" target="_blank" rel="noopener">Azure AD App Provisioning</A> as opposed to on-premises provisioning solutions. This will protect some of your SaaS apps from being poisoned with malicious user profiles due to on-premises breaches.</LI> <LI><STRONG>External Identities:</STRONG> Use <A href="#" target="_blank" rel="noopener">Azure AD B2B collaboration</A>. This will reduce the dependency on on-premises accounts for external collaboration with partners, customers, and suppliers. Carefully evaluate any direct federation with other identity providers. We recommend limiting B2B guest accounts in the following ways. <UL> <LI><SPAN>Limit guest access to browsing groups and other properties in the directory</SPAN><SPAN>. 
</SPAN> <UL> <LI>Use the external collaboration settings to restrict guest ability to read groups they are not members of.</LI> </UL> </LI> <LI>Block access to the Azure portal. You can make rare necessary exceptions. <UL> <LI>Create a Conditional Access policy that includes all guests and external users and then <A href="#" target="_blank" rel="noopener">implement a policy to block access</A>.</LI> </UL> </LI> <LI><STRONG>Disconnected Forests:</STRONG> Use <A href="#" target="_blank" rel="noopener">Azure AD Cloud Provisioning</A>. This enables you to connect to disconnected forests, eliminating the need to establish cross-forest connectivity or trusts, which can broaden the impact of an on-premises breach.<BR /><BR /></LI> </UL> </LI> </UL> <P><STRONG>Limitations and Tradeoffs:</STRONG></P> <UL> <LI>When used to provision hybrid accounts, Azure AD provisioning from cloud HR systems relies on on-premises synchronization to complete the data flow from AD to Azure AD. If synchronization is interrupted, new employee records will not be available in Azure AD.</LI> </UL> <P>&nbsp;</P> <H3>Use cloud groups for collaboration and access</H3> <P>Cloud groups allow you to decouple your collaboration and access from your on-premises infrastructure.<BR /><BR /></P> <UL> <LI><STRONG>Collaboration:</STRONG> Use Microsoft 365 Groups and Microsoft Teams for modern collaboration. Decommission on-premises distribution lists, and <A href="#" target="_blank" rel="noopener">upgrade distribution lists to Microsoft 365 Groups in Outlook</A>.</LI> <LI><STRONG>Access:</STRONG> Use Azure AD security groups or Microsoft 365 Groups to authorize access to applications in Azure AD.</LI> <LI><STRONG>Office 365 licensing:</STRONG> Use group-based licensing to provision to Office 365 using cloud-only groups. 
This decouples control of group membership from on-premises infrastructure.<BR /><BR /></LI> </UL> <P>Owners of groups used for access should be considered privileged identities to avoid membership takeover from on-premises compromise. Takeover includes direct manipulation of group membership on-premises or manipulation of on-premises attributes that can affect dynamic group membership in Microsoft 365.<BR /><BR /></P> <H3>Manage devices from the cloud</H3> <P>Use Azure AD capabilities to securely manage devices.<BR /><BR /></P> <UL> <LI><STRONG>Use Windows 10 Workstations:</STRONG> <A href="#" target="_blank" rel="noopener">Deploy Azure AD Joined</A> devices with MDM policies. Enable <A href="#" target="_blank" rel="noopener">Windows Autopilot</A> for a fully automated provisioning experience. <UL> <LI>Deprecate Windows 8.1 and earlier machines.</LI> <LI>Do not deploy Server OS machines as workstations.</LI> <LI>Use <A href="#" target="_blank" rel="noopener">Microsoft Intune</A> as the source of authority for all device management workloads.<BR /><BR /></LI> </UL> </LI> <LI><A href="#" target="_blank" rel="noopener"><STRONG>Deploy Azure Managed Workstations</STRONG></A> for privileged access to manage Microsoft 365 and Azure AD.</LI> </UL> <H3>Workloads, applications, and resources</H3> <UL> <LI><STRONG>On-premises SSO systems:</STRONG> Deprecate any on-premises federation and Web Access Management infrastructure and configure applications to use Azure AD.</LI> <LI><STRONG>SaaS and LOB applications that support modern authentication protocols:</STRONG> <A href="#" target="_blank" rel="noopener">Use Azure AD for single sign-on</A>. The more apps you configure to use Azure AD for authentication, the less risk in the case of an on-premises compromise.</LI> 
<LI><STRONG>Legacy Applications</STRONG> <UL> <LI>Authentication, authorization, and remote access to legacy applications that do not support modern authentication can be enabled via <A href="#" target="_blank" rel="noopener">Azure AD Application Proxy</A>. They can also be enabled through a network or application delivery controller solution using <A href="#" target="_blank" rel="noopener">secure hybrid access partner integrations</A>.</LI> <LI>Choose a VPN vendor that supports modern authentication and integrate its authentication with Azure AD. In the case of an on-premises compromise, you can use Azure AD to disable or block access by disabling the VPN.</LI> </UL> </LI> <LI><STRONG>Application and workload servers</STRONG> <UL> <LI>Applications or resources that require servers can be migrated to Azure IaaS and use <A href="#" target="_blank" rel="noopener">Azure AD Domain Services</A> (Azure AD DS) to decouple trust and dependency on on-premises AD. To achieve this decoupling, virtual networks used for Azure AD DS should not have connectivity to corporate networks.</LI> <LI>Follow the <A href="#" target="_blank" rel="noopener">credential tiering</A> guidance. Application servers are typically considered Tier 1 assets.</LI> </UL> </LI> </UL> <H3>Conditional Access Policies</H3> <P>Use Azure AD Conditional Access to interpret signals and make authentication decisions based on them. For more information, see the <A href="#" target="_blank" rel="noopener">Conditional Access deployment plan</A>.</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Legacy Authentication Protocols</A>: Use Conditional Access to <A href="#" target="_blank" rel="noopener">block legacy authentication</A> protocols whenever possible. 
Additionally, disable legacy authentication protocols at the application level using application-specific configuration. <UL> <LI>See specific details for <A href="#" target="_blank" rel="noopener">Exchange Online</A> and <A href="#" target="_blank" rel="noopener">SharePoint Online</A>.</LI> </UL> </LI> <LI>Implement the recommended <A href="#" target="_blank" rel="noopener">identity and device access configurations</A>.</LI> <LI>If you are using a version of Azure AD that does not include Conditional Access, ensure that you are using the <A href="#" target="_blank" rel="noopener">Azure AD security defaults</A>. <UL> <LI>For more information on Azure AD feature licensing, see the <A href="#" target="_blank" rel="noopener">Azure AD pricing guide</A>.</LI> </UL> </LI> </UL> <H3>Monitoring</H3> <P>Once you have configured your environment to protect your Microsoft 365 from an on-premises compromise, <A href="#" target="_blank" rel="noopener">proactively monitor</A> the environment.<BR /><BR /></P> <P><STRONG>Scenarios to Monitor</STRONG></P> <P>Monitor the following key scenarios, in addition to any scenarios specific to your organization. For example, you should proactively monitor access to your business-critical applications and resources.</P> <UL> <LI><STRONG>Suspicious activity</STRONG>: All <A href="#" target="_blank" rel="noopener">Azure AD risk events</A> should be monitored for suspicious activity. <A href="#" target="_blank" rel="noopener">Azure AD Identity Protection</A> is natively integrated with Azure Security Center. <UL> <LI>Define the network <A href="#" target="_blank" rel="noopener">named locations</A> to avoid noisy detections on location-based signals.</LI> </UL> </LI> </UL> <UL> <LI><STRONG>User Entity Behavioral Analytics (UEBA) alerts</STRONG>: Use UEBA to get insights on anomaly detection. 
<UL> <LI>Microsoft Cloud App Discovery (MCAS) provides <A href="#" target="_blank" rel="noopener">UEBA in the cloud</A>.</LI> <LI>You can integrate <U>on-prem UEBA from Azure ATP</U>. MCAS reads signals from Azure AD Identity Protection.</LI> </UL> </LI> </UL> <UL> <LI><STRONG>Emergency access accounts activity</STRONG>: Any access using <A href="#" target="_blank" rel="noopener">emergency access accounts</A> should be monitored and <A href="#" target="_blank" rel="noopener">alerts</A> created for investigations. This monitoring must include: <UL> <LI>Sign-ins.</LI> <LI>Credential management.</LI> <LI>Any updates on group memberships.</LI> <LI>Application assignments.</LI> </UL> </LI> </UL> <UL> <LI><STRONG>Privileged role activity</STRONG>: Configure and review security <A href="#" target="_blank" rel="noopener">alerts generated by Azure AD PIM</A>. Monitor direct assignment of privileged roles outside PIM by generating alerts whenever a user is assigned directly.</LI> </UL> <UL> <LI><STRONG>Azure AD tenant-wide configurations</STRONG>: Any change to tenant-wide configurations should generate alerts in the system. These include but are not limited to: <UL> <LI>Updating custom domains</LI> <LI>Azure AD B2B allow/block list changes</LI> <LI>Azure AD B2B allowed identity providers (SAML IDPs through direct federation or social logins)</LI> <LI>Conditional Access or risk policy changes</LI> </UL> </LI> <LI><STRONG>Application and service principal objects</STRONG>: <UL> <LI>New applications or service principals that might require Conditional Access policies</LI> <LI>Additional credentials added to service principals</LI> <LI>Application consent activity</LI> </UL> </LI> <LI><STRONG>Custom roles</STRONG>: <UL> <LI>Updates of the custom role 
definitions</LI> <LI>New custom roles created<BR /><BR /></LI> </UL> </LI> </UL> <P><STRONG>Log Management</STRONG></P> <P>Define a log storage and retention strategy, design, and implementation to facilitate a consistent toolset, such as SIEM systems like Azure Sentinel, common queries, and investigation and forensics playbooks.</P> <UL> <LI><STRONG>Azure AD Logs:</STRONG> Ingest the logs and signals produced, following consistent best practices (e.g., diagnostic settings, log retention, SIEM ingestion, etc.). The log strategy must include the following Azure AD logs: <UL> <LI>Sign-in activity</LI> <LI>Audit logs</LI> <LI>Risk events</LI> </UL> </LI> </UL> <P class="lia-indent-padding-left-30px">Azure AD provides <A href="#" target="_blank" rel="noopener">Azure Monitor integration</A> for the sign-in activity log and audit logs. Risk events can be ingested through the <A href="#" target="_blank" rel="noopener">Microsoft Graph API</A>. You can <A href="#" target="_blank" rel="noopener">stream Azure AD logs to Azure Monitor logs</A>.<BR /><BR /></P> <UL> <LI><STRONG>Hybrid Infrastructure OS Security Logs.</STRONG> All hybrid identity infrastructure OS logs should be archived and carefully monitored as a Tier 0 system, given the surface area implications. This includes: <UL> <LI>Azure AD Connect. <A href="#" target="_blank" rel="noopener">Azure AD Connect Health</A> must be deployed to monitor identity synchronization.</LI> <LI>Application Proxy agents</LI> <LI>Password write-back agents</LI> <LI>Password Protection Gateway machines</LI> <LI>NPS servers that have the Azure MFA RADIUS extension<BR /><BR /></LI> </UL> </LI> </UL> <H2>Stay up to date</H2> <P>The SolarWinds attack is an ongoing investigation, and our teams continue to act as first responders to these attacks. 
As new information becomes available, we will make updates through our Microsoft Security Response Center (MSRC) blog at <A href="#" target="_blank" rel="noopener">https://aka.ms/solorigate</A>.</P> Sat, 19 Dec 2020 00:01:33 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/protecting-microsoft-365-from-on-premises-attacks/ba-p/1751754 Alex Weinert 2020-12-19T00:01:33Z 99.99% uptime for Azure Active Directory https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/99-99-uptime-for-azure-active-directory/ba-p/1999628 <P>Today, I’m pleased to announce that we are taking the next step in our commitment to the resilience and availability of Azure AD. On April 1, 2021, we will update our public service level agreement (SLA) to promise 99.99% uptime for Azure AD user authentication, an improvement over our previous 99.9% SLA. &nbsp;This change is the result of a significant and ongoing program of investment in continually raising the bar for resilience of the Azure AD service. We will also share our roadmap for the next generation of resilience investments for Azure AD and Azure AD B2C in early 2021.</P> <P>&nbsp;</P> <P>Because our identity services are vital to keep customer businesses running, resilience and security are and always will be our top priority. In the last year, we've seen a surge in demand as organizations moved workforces online and schools enabled study from home—in fact, some national education systems moved entire student populations online with Azure AD. Azure AD is now serving more than 400 million Monthly Active Users (MAU) and processing <STRONG>tens of billions</STRONG> of authentications per day. We treat every one of those authentication requests as a mission critical operation. &nbsp;</P> <P>&nbsp;</P> <P>In conversations with our customers, we learned that the most critical promise of our service is ensuring that every user can sign in to the apps and services they need without interruption. 
To deliver on this promise, we are updating the definition of Azure AD SLA availability to include only user authentication and federation (and removing administrative features). This focus on critical user authentication scenarios aligns our engineering investments with the vital functions that must stay healthy for customers’ businesses to run.</P> <P>&nbsp;</P> <P>Of course, we will continue to improve reliability in all areas of Microsoft identity services. Last year, we shared our <A href="#" target="_blank" rel="noopener">approach and architectural investments</A> to drive availability of Azure AD. I’m pleased to share significant progress completed since then.</P> <P>&nbsp;</P> <OL> <LI>We’ve made strong progress on moving the authentication services to a fine-grained fault domain isolation model, also called a “cellularized architecture”. This architecture is designed to scope and isolate the impact of many classes of failures to a small percentage of total users in the system. In the last year, we’ve increased the number of fault domains by over 5x and will continue to evolve this further over the next year.<BR /><BR /></LI> <LI>We have begun rollout of an Azure AD Backup Authentication service that runs with decorrelated failure modes from the primary Azure AD system. This backup service transparently and automatically handles authentications for participating workloads as an additional layer of resilience on top of the multiple levels of redundancy in Azure AD. You can think of this as a backup generator or uninterruptible power supply (UPS) designed to provide additional fault tolerance while staying completely transparent and automatic to you. At present, Outlook Web Access and SharePoint Online are integrated with this system. 
We will roll out the protections across critical Microsoft apps and services over the next few quarters.</LI> </OL> <P>&nbsp;</P> <OL start="3"> <LI>For Azure infrastructure authentication, our <A href="#" target="_blank" rel="noopener">managed identity for Azure resources</A> capabilities are now transparently integrated with regional authentication endpoints. These regional endpoints provide significant additional layers of resilience and protection, even in the event of an outage in the primary Azure AD authentication system.<BR /><BR /></LI> <LI>We’ve continued to make investments in the scalability and elasticity of the service. These investments were proven out during the early days of the COVID crisis, when we saw surging growth in demand. We were able to seamlessly scale what is already the world’s largest enterprise authentication system without impact. This included not just aggregate growth but very rapid onboarding, including entire nations moving their school systems (millions of users) online overnight.<BR /><BR /></LI> <LI>We are rolling out innovations to the authentication system such as <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/continuous-access-evaluation-in-azure-ad-is-now-in-public/ba-p/1751704" target="_blank" rel="noopener">Continuous Access Evaluation Protocol for critical Microsoft 365 services</A> (CAE). CAE both improves security by providing instant enforcement of policy changes and improves resilience by securely providing longer token lifetimes.</LI> </OL> <P>The above are just some examples of the key resilience investments we have made that have enabled us to raise the public SLA to 99.99%. 
We will have more to share in 2021 on the next generation of resilience investments for Azure AD and Azure AD B2C.<BR /><BR /></P> <H3>Planning for resilience in your identity estate</H3> <P>We know many customers are also asking for guidance on how best to configure and use Azure AD in the most resilient patterns – to help you understand how to build resilience into your identity and access management estate, we’ve published technical guidance that provides best practices for building resilience into the policies you create.<BR /><BR /></P> <UL> <LI>For building resilience into employee identity policies as an identity architect or admin, see <A href="#" target="_blank" rel="noopener">Build resilience in your IAM infrastructure with Azure Active Directory</A></LI> <LI>For information on resilient identity practices in app development, see <A href="#" target="_blank" rel="noopener">Increase resilience of authentication and authorization applications you develop - Microsoft identity platform</A></LI> <LI>For best practices on building resilience into your customer-facing identity systems, see <A href="#" target="_blank" rel="noopener">Build resilience in Customer Identity and Access Management using Azure AD B2C</A></LI> </UL> <P>&nbsp;</P> <P>Thank you for your ongoing trust and partnership.</P> <P>&nbsp;</P> <P>Nadim Abdo</P> <P>VP Engineering (Identity)</P> <P>&nbsp;</P> Fri, 18 Dec 2020 22:33:47 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/99-99-uptime-for-azure-active-directory/ba-p/1999628 nadimabdo 2020-12-18T22:33:47Z Empower your workforce with a personalized end-user app discovery experience https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/empower-your-workforce-with-a-personalized-end-user-app/ba-p/1994695 <P><SPAN data-contrast="auto">Howdy folks,</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN 
data-contrast="auto">We’ve heard from you over the years that while you’re always interested in capabilities that make your own IT experiences more seamless, you’re even more passionate about creating highly productive and secure experiences for your workforce. This is more relevant than ever, with a recent Microsoft study revealing that identity decision makers like you say that investing in end-user experiences is your top investment priority for the next year.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Your passion for your workforce is our passion, and so every identity experience that we build has a foundation of ensuring your end-users can be their most authentic and productive selves. Last year we introduced the refreshed </SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/help-your-workforce-discover-and-connect-to-all-their-apps-with/ba-p/1144694" target="_blank" rel="noopener"><SPAN data-contrast="none">My Apps portal</SPAN></A><SPAN data-contrast="auto">, as a one-stop destination for app launching and discovery. With this refresh we introduced </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">app collections</SPAN></A><SPAN data-contrast="auto">, which let admins build role-based and functional app categories to aid with user discoverability in the My Apps portal.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">To take app experiences to the next level, I’m happy to announce the public preview of user-based collections in the My Apps portal. Now your end-users can create their own personalized app collections without IT intervention, allowing them individually to organize their work apps in whichever intuitive </SPAN><SPAN 
data-contrast="auto">way they see fit and allowing you to focus on other admin tasks.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="User collections - My Apps.PNG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/241446iB08B47F7609EDB0D/image-size/large?v=v2&amp;px=999" role="button" title="User collections - My Apps.PNG" alt="User collections - My Apps.PNG" /></span></P> <P>&nbsp;</P> <H3><SPAN data-contrast="none">Getting started</SPAN></H3> <P><SPAN data-contrast="auto">To try it out, simply visit </SPAN><A href="#" target="_blank" rel="noopener">https://myapplications.microsoft.com/?endUserCollections</A><SPAN data-contrast="auto">. Anyone with this link can experiment with creating and managing collections. Once you’ve created a collection though, it’s yours and you no longer need to use this special link to use it.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">If you want to share details around app collections with your workforce, you can access user-facing documentation on the feature </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">here</SPAN></A><SPAN data-contrast="auto">. You can also learn more about My Apps and app collections from the admin side from our training </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">videos</SPAN></A><SPAN data-contrast="auto"> and </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">documentation</SPAN></A><SPAN data-contrast="auto">.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">As always, we’d love to hear from you. 
Please let us know what you think in the comments below, on Twitter (<A href="#" target="_self">@AzureAD</A>), or on the </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure AD My Apps feedback forum</SPAN></A><SPAN data-contrast="auto">.<BR /><BR /></SPAN></P> <P><SPAN data-contrast="auto">Best regards,</SPAN></P> <P><SPAN data-contrast="auto">Alex Simons (Twitter:&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">@alex_a_simons</SPAN></A><SPAN data-contrast="auto">)</SPAN></P> <P><SPAN data-contrast="auto">Corporate Vice President Program Management</SPAN></P> <P><SPAN data-contrast="auto">Microsoft Identity Division</SPAN></P> Thu, 17 Dec 2020 21:00:28 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/empower-your-workforce-with-a-personalized-end-user-app/ba-p/1994695 Alex Simons (AZURE) 2020-12-17T21:00:28Z Enhanced AI for account compromise prevention https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/enhanced-ai-for-account-compromise-prevention/ba-p/1994653 <P>Hello Everyone,<BR /><BR />One of the amazing journeys I have been lucky to be a part of is developing our self-tuning algorithms for detecting attacks on accounts in real-time. Back in 2013, we got tired of the treadmill of manually adapting to attackers and committed to adaptive learning systems. 
Today, I want to share some cool new work the team has delivered.&nbsp; When I started fighting account compromise at Microsoft, we put a lot of effort into building and maintaining a large set of heuristic rules that ran during authentication.&nbsp; These rules effectively spotted compromise based on observed behavior, but it was easy for attackers to change their patterns and bypass those rules. This meant that we were always in reactionary mode, trying to update the heuristics every time an attack pattern changed or a new attack evolved.&nbsp; At that point, we decided that the only scalable and maintainable way to prevent current attacks and adapt to block new attacks was to apply machine learning to the area of account compromise. After much research and many iterations, we built a real-time system that uses supervised machine learning to analyze current compromises and adapt to block attacks as they happen.&nbsp;<BR /><BR /></P> <P>Fast forward to today: we just released a redesign of the real-time machine learning compromise prevention system for Azure AD. The improved system still leverages supervised machine learning, but it expands the features and process used to train the model, which provides significantly improved accuracy in Azure AD real-time risk assessment. The model flags more bad activity as risky while simultaneously reducing false alarms. This risk can be used by Azure AD Identity Protection customers as a condition in their Conditional Access policy engine to block risky sign-ins or ask for multi-factor authentication. 
Let’s dive into how the real-time compromise prevention system works.<BR /><BR /></P> <P>The real-time ML system leverages intelligence from many sources, including:<BR /><BR /></P> <UL> <LI>User behavior: is the user signing in from a known device, a known location, a known network?</LI> <LI>Threat intelligence: is the sign-in coming from known bad or suspicious infrastructure?</LI> <LI>Network intelligence: is the IP address part of a mobile network, a proxy, a hosting facility?</LI> <LI>Device intelligence: is the device compliant or managed?<BR /><BR /></LI> </UL> <P>Known good or bad sign-ins are used to label the data and help “teach” the algorithm what is a good sign-in and what is a malicious sign-in. These known good and bad sign-ins are called labels and are a precious commodity when it comes to building AI systems for security. Our team has invested a lot in having good quality labels that can be used to train models and to assess detection performance. One of our most significant assets is a team of highly trained analysts who work on data labelling by manually reviewing cases and making determinations. We also leverage other sources for labelling, such as customer feedback that we get directly from the Identity Protection UX and API, and threat intelligence sources from across the Microsoft ecosystem.<BR /><BR />All this intelligence is used to automatically train new supervised machine learning models, which are then deployed to the Azure AD authentication service and used to score 30 billion authentications every day in real time, taking just a few milliseconds per authentication. 
The new protection system is ever vigilant, regularly retraining the ML models so they adapt dynamically to changes in the bad actor ecosystem.<BR /><BR /></P> <P>Here’s a look at how the new sign-in risk scoring system works – the classifier scores each login in the core Identity System, and then label data generated in the “Analysis” section is used by the Learner to generate an improved model, then the whole cycle starts again:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="darlenebada_0-1608141654092.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/241138iED73DAD5EC2AE409/image-size/large?v=v2&amp;px=999" role="button" title="darlenebada_0-1608141654092.png" alt="darlenebada_0-1608141654092.png" /></span></P> <P>&nbsp;</P> <P>We are so excited about the improvement this new system provides and we want to show you the data. You can see Precision-Recall curves for the previous scoring system and the newly improved system in the chart below. Precision indicates the percentage of the sign-ins flagged as risky that are actually bad sign-ins. Recall is the percentage of all bad sign-ins that are flagged as risky. Each point in each line represents the precision and recall at a specific score threshold. The score is the probability or confidence level that the model has about the sign-in being bad. 
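To make the precision and recall definitions concrete, here is an added example (not Microsoft's code or data) that computes a precision-recall curve and its area on a constructed set of scored sign-ins: each sign-in carries the classifier's score and a known-good/known-bad label, and every point on the curve is the precision and recall obtained when everything at or above one score is flagged. The scores, labels and the block/MFA thresholds in policy_action are constructed assumptions, not Identity Protection's values.

```python
"""Precision-recall curve for a sign-in risk classifier.

Added example (not Microsoft's code or data): it reproduces, on a constructed
set of scored sign-ins, the quantities the post's chart is built from. Each
sign-in carries the classifier's score (probability that it is bad) and a
label (1 = known bad, 0 = known good); every point on the curve is the
precision and recall obtained when sign-ins at or above one score are flagged.
"""

# Constructed labelled sign-ins: (score, label). Not real Azure AD data.
SCORED_SIGNINS = [
    (0.97, 1), (0.92, 1), (0.88, 0), (0.85, 1), (0.74, 1),
    (0.66, 0), (0.61, 1), (0.55, 0), (0.42, 0), (0.40, 1),
    (0.31, 0), (0.22, 0), (0.15, 0), (0.08, 0), (0.03, 0),
]


def precision_recall_at(threshold, scored):
    """Precision and recall when every sign-in with score >= threshold is flagged.

    With nothing flagged there are no false alarms, so precision is taken as 1.
    """
    flagged = [label for score, label in scored if score >= threshold]
    positives = sum(label for _, label in scored)
    true_pos = sum(flagged)
    precision = true_pos / len(flagged) if flagged else 1.0
    recall = true_pos / positives if positives else 0.0
    return precision, recall


def pr_curve(scored):
    """One (threshold, precision, recall) point per distinct score, highest first.

    Lowering the threshold can only add flagged sign-ins, so recall never
    decreases along the curve while precision usually falls.
    """
    thresholds = sorted({score for score, _ in scored}, reverse=True)
    return [(t, *precision_recall_at(t, scored)) for t in thresholds]


def average_precision(curve):
    """Step-wise area under the PR curve: one number for comparing two models."""
    area, prev_recall = 0.0, 0.0
    for _, precision, recall in curve:
        area += precision * (recall - prev_recall)
        prev_recall = recall
    return area


def policy_action(score, block_at=0.85, mfa_at=0.40):
    """Map a risk score to the Conditional Access outcomes the post mentions.

    The two thresholds are constructed; a tenant picks its own by reading the
    precision/recall trade-off off the curve.
    """
    if score >= block_at:
        return "block"
    if score >= mfa_at:
        return "require-mfa"
    return "allow"


if __name__ == "__main__":
    curve = pr_curve(SCORED_SIGNINS)
    for t, p, r in curve:
        print(f"threshold {t:.2f}: precision {p:.2f} recall {r:.2f}")
    print(f"average precision {average_precision(curve):.3f}")
```

Reading the printed table from the top shows the trade-off the chart summarises: the first two thresholds flag only true compromises (precision 1.0) but catch a third of them, while the threshold at 0.40 reaches full recall at 60% precision. A redesigned model "improves" in exactly the sense the post describes when its curve sits above and to the right of the old one, which the average-precision number captures in a single comparison.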
In summary, the higher the precision and the higher the recall, the better the model performs.<BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="darlenebada_1-1608141654114.jpeg" style="width: 905px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/241139iCE898EAFC91E2104/image-dimensions/905x613?v=v2" width="905" height="613" role="button" title="darlenebada_1-1608141654114.jpeg" alt="darlenebada_1-1608141654114.jpeg" /></span></P> <P>&nbsp;</P> <P>This is just one of the exciting new Identity Protection features our team has been working on. Our team continues to work with our customers, partners, and teams across Microsoft to offer customers the best Identity protection systems. If you want to find out more information about how machine learning systems like this work, be sure to check out a recent session from the Ignite conference entitled <A href="#" target="_self">“The science behind Azure Active Directory Identity Protection”</A>.&nbsp;<BR /><BR /></P> <P>On behalf of the Azure AD team, thank you for all your feedback so far. 
We hope you’ll continue to help us improve and share more about your experience with Azure AD Identity Protection.&nbsp; And be sure to follow us on Twitter (<A href="#" target="_self">@AzureAD</A>) to get the latest updates on Identity security.<BR /><BR /></P> <P>Maria Puertas Calvo (<A href="#" target="_self">@Maria_puertas_</A>)</P> <P>Principal Lead Data Scientist</P> <P>Microsoft Identity Division&nbsp;</P> Fri, 18 Dec 2020 18:02:12 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/enhanced-ai-for-account-compromise-prevention/ba-p/1994653 Maria_Puertas_Calvo 2020-12-18T18:02:12Z 5 Identity partnership updates to wrap up 2020 https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/5-identity-partnership-updates-to-wrap-up-2020/ba-p/1751669 <P class="lia-align-left"><SPAN data-contrast="none">As we wrap up the end of the year, I wanted to share my gratitude for all the partners that have contributed in helping our customers </SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/top-5-ways-your-azure-ad-can-help-you-enable-remote-work/ba-p/1144691" target="_blank" rel="noopener"><SPAN data-contrast="none">rapidly enable a secure remote workforce</SPAN></A><SPAN data-contrast="none">. From securing applications to rolling out passwordless solutions or ensuring seamless collaboration across organizations, our partners have been critical in helping our customers adapt to a new way of work.</SPAN></P> <P>&nbsp;</P> <P class="lia-align-left"><SPAN data-contrast="none">We built Microsoft identity as a platform to bring together all your tools, apps, and services—whether or not we built them—to allow you to deliver better experiences for you and your employees. We now have </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">over 3,400 applications in our Azure AD app gallery</SPAN></A><SPAN data-contrast="none"> and </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">deep partner integrations across categories</SPAN></A><SPAN data-contrast="none">.</SPAN></P> <P class="lia-align-left">&nbsp;</P> <P class="lia-align-left lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Identity Strategic Alliances Categories + Logos - EXTERNAL_v04.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/240719iCFA133B35CF6BA3B/image-size/large?v=v2&amp;px=999" role="button" title="Identity Strategic Alliances Categories + Logos - EXTERNAL_v04.jpg" alt="Identity Strategic Alliances Categories + Logos - EXTERNAL_v04.jpg" /></span></P> <P class="lia-align-center">&nbsp;</P> <P class="lia-align-left">We’ve seen amazing progress in our partner ecosystem and wanted to share 5 recent integrations with partners as we wrap 2020.<BR /><BR /></P> <H2 class="lia-align-left">Simplifying identity management and 
access to your apps</H2> <P class="lia-align-left">As employees continue to work remotely, they need secure, seamless access to all types of applications from cloud apps to on-premises apps. That’s why we continue to partner with software providers to integrate with Azure AD to simplify and secure application access. Last month we added over <A href="#" target="_blank" rel="noopener">52 new federated applications</A> and <A href="#" target="_blank" rel="noopener">9 new provisioning connectors</A> in our Azure AD app gallery for you to quickly enable single sign-on and automate user provisioning.<BR /><BR /></P> <H4><STRONG>HashiCorp Terraform SSO</STRONG></H4> <P>One new federated application that has been recently added to our Azure AD app gallery is <A href="#" target="_blank" rel="noopener">Terraform Cloud</A> from HashiCorp. Terraform Cloud provides infrastructure automation-as-a-service for the open source project Terraform. Many of our customers have adopted Terraform as a mechanism to automate the provisioning of resources in their Azure environments. Terraform Cloud helps customers manage infrastructure provisioning, collaborate across teams, and provide governance and security across an organization. By integrating with Azure AD, Terraform Cloud customers can easily secure and manage organizational access to their Terraform environment. Users can get the convenience of single sign-on for Terraform Cloud, and admins can assign each user to the Terraform Cloud team with the appropriate permissions for their role in minutes. 
You can learn more and sign up for Terraform Cloud for free at <A href="#" target="_blank" rel="noopener">terraform.io/cloud</A>.</P> <P class="lia-indent-padding-left-30px"><BR /><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Hashicorp.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/240720i9DD00CDEB19A41F3/image-size/large?v=v2&amp;px=999" role="button" title="Hashicorp.png" alt="Hashicorp.png" /></span></P> <P>&nbsp;</P> <H4><STRONG>Adobe rolls out support for SCIM-based provisioning</STRONG></H4> <P><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/top-7-microsoft-identity-partnership-announcements-at-ignite/ba-p/1257352" target="_blank" rel="noopener">At Microsoft Ignite</A>, Adobe announced a private preview of SCIM standard-based app provisioning integration for its core <A href="#" target="_blank" rel="noopener">Adobe Identity Management platform</A>. The updated admin experience makes it easier to manage user lifecycles across Adobe Creative Cloud, Adobe Document Cloud, and Adobe Experience Cloud. We are excited to announce that this integration is now publicly available for all Adobe and Azure AD customers. 
Get started setting this up by going to the documentation <A href="#" target="_blank" rel="noopener">here</A>.</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Azure AD GIF_v02 (1).gif" style="width: 720px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/240337i9560E2FD0126CA4C/image-size/large?v=v2&amp;px=999" role="button" title="Azure AD GIF_v02 (1).gif" alt="Azure AD GIF_v02 (1).gif" /></span></P> <H2>Protect legacy applications through new secure hybrid access partnerships</H2> <P>To help customers secure and manage access to their legacy authentication-based apps, we continue to expand our secure hybrid access partnerships. Our <A href="#" target="_blank" rel="noopener">secure hybrid access partnerships</A> allow our customers to use their existing application delivery networks, VPNs and software defined perimeter solutions to secure access to legacy applications.<BR /><BR /></P> <H4><STRONG>Pulse Secure SSO</STRONG></H4> <P class="lia-align-left">One new solution that we recently added is <A href="#" target="_blank" rel="noopener">Pulse Connect Secure</A>. Pulse Connect Secure is a VPN solution that provides secure, authenticated access for remote and mobile users from any web-enabled device to corporate resources. 
With our integration, employees can easily sign in to Pulse Connect Secure with their Azure AD credentials to access legacy applications, and admins can secure access to Pulse Connect Secure.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="app4.png" style="width: 625px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/240308iD371F8DC14690673/image-size/large?v=v2&amp;px=999" role="button" title="app4.png" alt="app4.png" /></span></P> <P>&nbsp;</P> <H2>Enabling the move to passwordless</H2> <P>Weak passwords are an easy attack vector for bad actors, which is why we are such strong advocates of passwordless technologies. According to <A href="#" target="_blank" rel="noopener">Forrester</A>, passwordless technology is a top security trend that customers are evaluating to ensure secure yet easy-to-use experiences.&nbsp; To help customers adopt passwordless&nbsp;methods, including FIDO2&nbsp;security keys, we’ve worked with hardware partners like Yubico to pilot a program to accelerate deployment of passwordless solutions through our services partners.<BR /><BR /></P> <H4><STRONG>Yubico Passwordless Pilot Program</STRONG></H4> <P class="lia-align-left">Services&nbsp;partners like System Integrators are an important&nbsp;catalyst to help customers accelerate their passwordless deployment.&nbsp;That’s why we’ve partnered with Yubico to provide services partners the ability to nominate their customers to pilot YubiKeys. 
Services partners can leverage our <A href="#" target="_blank" rel="noopener">joint pilot program</A> and receive 25 YubiKeys to deploy with customers.&nbsp; Here’s what one partner, Metsys, who has participated in the pilot program and deployed YubiKeys for Groupe Bel had to say:<BR /><BR /></P> <P class="lia-align-left lia-indent-padding-left-30px"><EM>"The passwordless campaign run by Microsoft and Yubico is the opportunity to show our customers the benefits of the YubiKeys in the Microsoft environment: a simplified user experience for a maximum level of security"- </EM>Laurent Cayatte, President of Metsys<BR /><BR /></P> <H3><STRONG>New FIDO2 security keys from VinCSS</STRONG></H3> <P>We are always seeking new partnerships with FIDO2 security key vendors who enhance our ability to provide customers with passwordless authentication options. We’ve recently added <A href="#" target="_blank" rel="noopener">VinCSS</A>, the cybersecurity affiliate of VinGroup in Vietnam, to our <A href="#" target="_blank" rel="noopener">list of FIDO2 security key vendors</A> that are compatible with our passwordless experience.&nbsp; With this latest addition, customers in Vietnam and Asia Pacific have another FIDO2 solution to go passwordless.<BR /><BR /></P> <H3><STRONG>See you next year!</STRONG></H3> <P>Look out next month for another update on how our partners are contributing to help enable a secure remote workforce and ensuring seamless access to all your apps and resources. 
Be sure to check out the <A href="#" target="_blank" rel="noopener">Azure AD partner page</A> to learn more about all the partnerships we have to help you solve your identity needs.</P> <P>&nbsp;</P> <P>Have a great holiday season and Happy New Year!</P> <P>&nbsp;</P> <P>Best Regards,</P> <P>Sue Bohn</P> <P>Partner Director of Program Management</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> Tue, 15 Dec 2020 18:59:20 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/5-identity-partnership-updates-to-wrap-up-2020/ba-p/1751669 Sue Bohn 2020-12-15T18:59:20Z Securely manage and autofill passwords across all your mobile devices with Microsoft Authenticator https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/securely-manage-and-autofill-passwords-across-all-your-mobile/ba-p/1751710 <P>Howdy folks,<BR /><BR /></P> <P><SPAN>Today we are announcing the public preview of password management and autofill capability in the <A href="#" target="_self">Microsoft Authenticator app</A>. </SPAN><SPAN>For any sites or apps you visit on your mobile device, Authenticator will help you autofill strong passwords without having to remember them. </SPAN><SPAN>These passwords can be synced across mobile and desktop, so you can seamlessly autofill passwords as you move across devices. This is </SPAN><SPAN>currently only available for </SPAN><A href="#" target="_blank" rel="noopener">Microsoft accounts (MSA)</A><SPAN> and not for Azure AD-based work or school accounts.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>Rajat Luthra, one of our program managers in the Identity team, has written a guest blog post diving into the details of this new capability. You can see his blog post below.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P>As always, we’d love to hear from you. 
Please let us know what you think in the comments below or on the <A href="#" target="_blank" rel="noopener">Azure AD feedback forum</A>.</P> <P>&nbsp;</P> <P>Best regards,</P> <P>Alex Simons (<A href="#" target="_blank" rel="noopener">@Alex_A_Simons</A>)</P> <P>Corporate VP of Program Management</P> <P>Microsoft Identity Division</P> <P>------------------------------------------</P> <P>&nbsp;</P> <P>Hi everyone!<BR /><BR /></P> <P>I’m excited to share that Microsoft Authenticator can now securely store and autofill passwords on apps and sites you visit on your mobile device. Once you make Authenticator an autofill provider, it will offer to save your passwords when you enter them on a site or app’s login page. Your synced passwords are protected on mobile with multi-factor authentication.&nbsp;<SPAN>These passwords are synced using your </SPAN><U><A tabindex="-1" title="https://go.microsoft.com/fwlink/?linkid=2144423" href="#" target="_blank" rel="noreferrer noopener">Microsoft account (outlook.com, hotmail.com, live.com, etc.)</A></U><SPAN>,</SPAN>&nbsp;making them also available on your desktop with Microsoft Edge and the new <A href="#" target="_blank" rel="noopener">Google Chrome extension</A>.<BR /><BR /></P> <P>While passwordless and multi-factor authentication are the way to go for security, we understand many sites still require passwords and some don’t even support multi-factor authentication. <A href="#" target="_blank" rel="noopener">In a previous blog</A>, we showed how no human-generated password can be unique enough to beat attackers. That’s where Authenticator can help! Since you no longer need to remember passwords, Authenticator can autofill complex and unique passwords for you.<BR /><BR /></P> <P>Here’s a sneak peek of the autofill experience on iOS. 
A similar experience exists for Android.</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px">When you visit a site or app for which you have saved a password, Authenticator offers to autofill it.<BR /><BR /></P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture5.jpg" style="width: 368px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/240636i2DCA3AA47E09619F/image-dimensions/368x747?v=v2" width="368" height="747" role="button" title="Picture5.jpg" alt="Picture5.jpg" /></span></P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px">When you visit a site or app where your username and password are not yet saved, a “Passwords” option appears above the keyboard; tapping it lets you save the password in Authenticator.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="T3.PNG" style="width: 754px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/240659i7DD372CBF9FD77BE/image-size/large?v=v2&amp;px=999" role="button" title="T3.PNG" alt="T3.PNG" /></span></P> <P>&nbsp;</P> <P><STRONG>Getting started</STRONG></P> <DIV><SPAN>To use the autofill feature and sync passwords, use your </SPAN><U><A tabindex="-1" title="https://go.microsoft.com/fwlink/?linkid=2144423" href="#" target="_blank" rel="noreferrer noopener">Microsoft account (MSA)</A></U><SPAN> and follow these simple steps.&nbsp;</SPAN>We've provided iOS screenshots below; the feature is available on both iOS and Android.</DIV> <P>&nbsp;</P> <OL> <LI>Open your Authenticator app, go to Settings --&gt; Beta --&gt; Autofill, and turn the toggle ON. 
Once you toggle ON Autofill in Settings, the Passwords tab will appear.<BR /><BR /></LI> </OL> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="T4.PNG" style="width: 414px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/240792iA72D6C9EB933EF0D/image-dimensions/414x793?v=v2" width="414" height="793" role="button" title="T4.PNG" alt="T4.PNG" /></span></P> <P>&nbsp;</P> <OL start="2"> <LI>Then, go to the Passwords tab, and sign in using your Microsoft account or sync passwords from a Microsoft account already added to your Authenticator app.</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="T5.PNG" style="width: 339px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/240639iD1F346D558B88A28/image-size/large?v=v2&amp;px=999" role="button" title="T5.PNG" alt="T5.PNG" /></span></P> <P>&nbsp;</P> <OL start="3"> <LI>Finally, make Authenticator the default autofill provider on your phone.</LI> </OL> <UL> <LI>iOS: Open Settings --&gt; Search for “Autofill Passwords” --&gt; Tap “Autofill Passwords” --&gt; Select “Authenticator”</LI> <LI>Android: Open Settings --&gt; Search for “Autofill” --&gt; Select “Auto-fill service” --&gt; Tap “Auto-fill service” on the next screen --&gt; Select “Authenticator”</LI> </UL> <P><STRONG>&nbsp;</STRONG></P> <OL start="4"> <LI>You can sync and autofill these passwords in Microsoft Edge. If you also use Google Chrome on desktop, you can sync and autofill the same passwords using the <A href="#" target="_blank" rel="noopener">Google Chrome extension</A>.</LI> </OL> <P>&nbsp;</P> <P><STRONG>Prerequisites</STRONG></P> <P>The autofill experience is rolling out in the Authenticator app on iOS (iOS 12.0 and above) and Android (Android 6.0 and above). 
To learn more about the autofill feature, visit our <A href="#" target="_blank" rel="noopener">FAQs page</A>.<BR /><BR /></P> <P>Autofill only works with <A href="#" target="_blank" rel="noopener">Microsoft accounts (MSA)</A>, and is currently <STRONG>disabled for enterprise users</STRONG> who are using the Authenticator app for <A href="#" target="_blank" rel="noopener">Phone sign-in</A> or multi-factor authentication on their enterprise accounts. To allow enterprise users to use this feature on their Authenticator app, <A href="#" target="_blank" rel="noopener">click here</A>.</P> <P>&nbsp;</P> <P>We look forward to your feedback!</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Rajat Luthra (<A href="#" target="_blank" rel="noopener">@_luthrarajat</A>)</P> <P>Senior Program Manager</P> <P>Microsoft Identity Security &amp; Protection</P> Wed, 16 Dec 2020 16:47:31 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/securely-manage-and-autofill-passwords-across-all-your-mobile/ba-p/1751710 Alex Simons (AZURE) 2020-12-16T16:47:31Z Automate user provisioning for more applications with our new partnership with Aquera https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/automate-user-provisioning-for-more-applications-with-our-new/ba-p/1751668 <P>Today we’re announcing a partnership with Aquera to support more of your user provisioning needs. 
Through our partnership with Aquera, Azure AD or on-premises AD users can be mastered and continually synchronized from over 25 HR applications, and users can be provisioned to over 300 applications, broadening the number of applications you can use for both inbound and outbound user provisioning.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Aquera Diagram_v02.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/244566i687461DBF2D539C0/image-size/large?v=v2&amp;px=999" role="button" title="Aquera Diagram_v02.png" alt="Aquera Diagram_v02.png" /></span></P> <P>&nbsp;</P> <P><STRONG>Automated user provisioning from HR apps with the Aquera HR Onboarding Bridge </STRONG></P> <P>We’ve heard from our customers that they want their cloud and on-premises HR applications integrated with Azure AD to simplify new employee onboarding and managing the identity lifecycle. Aquera expands Azure AD’s HR provisioning capabilities from two native integrations with <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/say-good-bye-to-custom-scripts-and-simplify-your-workforce/ba-p/320540" target="_blank" rel="noopener">Workday</A> and <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/automated-user-provisioning-from-sap-successfactors-is-now-ga/ba-p/1257370" target="_blank" rel="noopener">SAP SuccessFactors</A> to a broad array of HR applications.</P> <P>&nbsp;</P> <P>With the Aquera HR Onboarding Bridge you can now integrate with <A href="#" target="_blank" rel="noopener">over 25 HR applications</A> to onboard and synchronize users to Azure AD or on-premises AD. 
The Aquera HR Onboarding Bridge allows you to import users and attributes in near real time from multiple HR applications to Azure AD or on-premises AD, as well as write any attribute back to the HR application.</P> <P>&nbsp;</P> <P>We will continue to integrate more HR applications directly with Azure AD, but for HR applications not currently supported, you can use the Aquera HR Onboarding Bridge.&nbsp; <A href="#" target="_blank" rel="noopener">Applications supported with the Aquera HR Onboarding Bridge</A> include ADP Enterprise HR, Bamboo HR, Ceridian Dayforce, Cornerstone OnDemand HR Suite, Namely, UltiPro and more. Here’s what&nbsp;Landmark Health&nbsp;had to say&nbsp;about their experience using&nbsp;the Aquera Onboarding Bridge with Azure AD:&nbsp;<BR /><BR /></P> <P class="lia-align-center"><EM>“The ADP to Active Directory / Azure AD Sync Bridge from Aquera enables us to integrate our HR and IT processes by automating user provisioning from ADP Workforce Now to Active Directory. This platform is helping us power the end-to-end identity lifecycle; saving our HR and IT teams time, improving security and positively impacting employee productivity.” – JT Hedges, Director of HR Technologies at Landmark Health</EM></P> <P>&nbsp;</P> <P><STRONG>Use Azure AD to manage and secure more applications with the Aquera SCIM Gateway</STRONG></P> <P>The Aquera SCIM Gateway can help you automatically provision user accounts to an additional 300 cloud and on-premises applications such as Epic, SAP ECC and more. 
The Aquera SCIM Gateway provides out-of-the-box and built-on-demand connectors that you can use to automatically create, update, or deactivate user accounts in target applications that are not already integrated with Azure AD.</P> <P>&nbsp;</P> <P>To automate user provisioning from Azure AD to a specific application, we recommend you first use the <A title="150+ provisioning connectors" href="#" target="_self">150<SPAN>+ provisioning connectors</SPAN></A> available in our Azure AD app gallery. For applications not yet available in our Azure AD app gallery, you can use the Aquera SCIM Gateway. We’ll continue to add more provisioning connectors directly in our Azure AD app gallery, and you can request new ones by <A href="#" target="_blank" rel="noopener">submitting a request in our Application Network Portal.</A>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Getting started:</STRONG></P> <P>&nbsp;</P> <P>To use Aquera’s HR Onboarding Bridge or the SCIM Gateway with Azure AD, customers will need an Aquera subscription that can be obtained directly from Aquera. 
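</P> <P>It helps to see concretely what a SCIM target behind such a gateway has to handle when Azure AD provisions to it. The block below is an added example, not Aquera’s or Microsoft’s code: an in-memory SCIM 2.0 /Users resource that answers the equality filter the Azure AD provisioning service issues before creating a user, the create, the attribute update, the soft delete (a PATCH setting active to false) and the hard delete. It accepts the capitalized “Replace” operation name and the string form of the active flag, both of which the provisioning service has been known to send. The sample user alice@contoso.example, the error texts and the absence of TLS and bearer-token checks are constructed for the example.</P>

```python
"""In-memory SCIM 2.0 /Users target of the kind the Azure AD provisioning service drives
through a gateway. Added example, not Aquera's or Microsoft's code; a real endpoint also
needs TLS and a bearer-token check in front of every method below."""
import re
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"

# The equality filter the service sends to look for an existing user before creating one.
_FILTER_RE = re.compile(r'^(userName|externalId)\s+eq\s+"([^"]*)"$', re.I)
_CANONICAL = {"username": "userName", "externalid": "externalId"}


def _error(status, detail, scim_type=None):
    body = {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


def _as_bool(value):
    # Accept real booleans and the string form ("False") the service has been known to send.
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError("'active' must be a boolean")


class ScimUsers:
    """Every method returns (http_status, body) for one SCIM request."""

    def __init__(self):
        self._by_id = {}

    def _matching(self, attr, value):
        return [u for u in self._by_id.values()
                if str(u.get(attr, "")).lower() == value.lower()]

    def list(self, filter_expr):
        # GET /Users?filter=userName eq "alice@contoso.example"
        m = _FILTER_RE.match(filter_expr.strip())
        if not m:
            return _error(400, "unsupported filter", "invalidFilter")
        hits = self._matching(_CANONICAL[m.group(1).lower()], m.group(2))
        return 200, {"schemas": [SCIM_LIST], "totalResults": len(hits),
                     "startIndex": 1, "itemsPerPage": len(hits), "Resources": hits}

    def create(self, resource):
        # POST /Users; userName is the uniqueness key, compared case-insensitively.
        user_name = resource.get("userName")
        if not user_name:
            return _error(400, "userName is required", "invalidValue")
        if self._matching("userName", user_name):
            return _error(409, "userName already exists", "uniqueness")
        try:
            active = _as_bool(resource.get("active", True))
        except ValueError as exc:
            return _error(400, str(exc), "invalidValue")
        user = dict(resource, id=str(uuid.uuid4()), active=active, meta={"resourceType": "User"})
        user.setdefault("schemas", [SCIM_USER])
        self._by_id[user["id"]] = user
        return 201, user

    def patch(self, user_id, patch):
        # PATCH /Users/{id}: attribute updates and the soft delete (active=false).
        user = self._by_id.get(user_id)
        if user is None:
            return _error(404, "user not found")
        if SCIM_PATCH not in patch.get("schemas", []):
            return _error(400, "PatchOp schema missing", "invalidSyntax")
        for operation in patch.get("Operations", []):
            op = str(operation.get("op", "")).lower()  # "Replace" and "replace" both arrive
            path, value = operation.get("path"), operation.get("value")
            if op in ("add", "replace"):
                updates = value if path is None else {path: value}
                if not isinstance(updates, dict):
                    return _error(400, "value must be an object when path is absent", "invalidValue")
                for attr, v in updates.items():
                    if attr == "active":
                        try:
                            v = _as_bool(v)
                        except ValueError as exc:
                            return _error(400, str(exc), "invalidValue")
                    # Dotted paths such as name.givenName address a sub-attribute.
                    target = user
                    for part in attr.split(".")[:-1]:
                        target = target.setdefault(part, {})
                    target[attr.rsplit(".", 1)[-1]] = v
            elif op == "remove" and path:
                user.pop(path, None)
            else:
                return _error(400, f"unsupported operation {op!r}", "invalidSyntax")
        return 200, user

    def delete(self, user_id):
        # DELETE /Users/{id}: hard delete, when the app is not configured for soft delete.
        if self._by_id.pop(user_id, None) is None:
            return _error(404, "user not found")
        return 204, None
```

<P>The status codes are part of the contract: a 409 on create tells the provisioning service the user already exists, a 404 on PATCH tells it the account is gone, and anything outside the expected 200/201/204 range surfaces as an error in the provisioning logs, so a gateway should map its backend failures onto SCIM error responses rather than swallow them.</P> <P>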
You can learn more about Aquera and these solutions through their Azure Marketplace listings:</P> <P>&nbsp;</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Aquera HR Onboarding Bridge for Azure AD</A></LI> <LI><A href="#" target="_blank" rel="noopener">Aquera SCIM Gateway for Azure AD by Aquera</A></LI> </UL> <P>&nbsp;</P> <P><SPAN>As always, we’d love&nbsp;to hear from you.&nbsp;Please let us know what you think in the comments below or on the </SPAN><A href="#" target="_blank" rel="noopener"><SPAN>Azure AD feedback forum</SPAN></A><SPAN>.</SPAN><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> <P>Best regards,</P> <P>Sue Bohn</P> <P>Partner Director of Program Management</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> Wed, 06 Jan 2021 22:49:58 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/automate-user-provisioning-for-more-applications-with-our-new/ba-p/1751668 Sue Bohn 2021-01-06T22:49:58Z Azure AD Application Proxy now natively supports apps that use header-based authentication https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/azure-ad-application-proxy-now-natively-supports-apps-that-use/ba-p/1751707 <P>Howdy folks,&nbsp;</P> <P>&nbsp;</P> <P>It’s awesome to hear from many of you that Azure AD <A href="#" target="_blank" rel="noopener">Application Proxy</A> helps you provide secure remote access to critical on-premises applications and reduce the load on existing VPN solutions. We’ve also heard about the need for Application Proxy to support more of your applications, including those that use headers for authentication, such as PeopleSoft, NetWeaver Portal, and WebCenter.</P> <P>&nbsp;</P> <P>Today we’re announcing the public preview of Application Proxy support for applications that use header-based authentication. 
Using this preview, you can benefit from: &nbsp;<BR /><BR /></P> <UL> <LI><STRONG>A wide set of attributes and transformations for header-based auth:</STRONG> All available header values are based on the standard claims issued by Azure AD. This means that all attributes and transformations available for configuring claims for SAML or OIDC applications are also available for use as header values.&nbsp;</LI> <LI><STRONG>Secure and seamless access:</STRONG> These apps benefit from all the capabilities of Application Proxy, including single sign-on as well as enforcing pre-authentication and Conditional Access policies like requiring Multi-Factor Authentication (MFA) or using a compliant device before users can access these apps.</LI> <LI><STRONG>No changes to your apps are needed: </STRONG>You can use your existing Application Proxy connectors, and no added software needs to be installed.<BR /><BR /></LI> </UL> <P>Thanks to all the customers who provided feedback while we developed this capability. Here’s what one customer had to say about their experience using Application Proxy for header-based authentication:</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><EM>“App Proxy header-based auth support allowed us to migrate our header-based workloads to Azure AD, moving us one step closer to a unified view for application access and authentication. We have been able to retire our 3<SUP>rd</SUP> party header-based auth tools and simplify our SSO landscape. And it’s saved us a small fortune! Thank you.” – Barney Delaney, IAM Architect, Mondelez<BR /><BR /></EM></P> <H2>Getting started</H2> <P><BR />To connect a header-based authentication application to Application Proxy, you’ll need to make sure you have Application Proxy enabled in your tenant and have at least one connector installed. 
For steps on how to install a connector, follow our tutorial <A href="#" target="_self">here.</A><BR /><BR /></P> <OL> <LI>First add a new application and configure Application Proxy for remote access by filling out the fields: <OL class="lia-list-style-type-lower-alpha"> <LI><STRONG>Name</STRONG>: Display name for the application</LI> <LI><STRONG>Internal URL</STRONG>: The URL used to access the application from inside your private network. This can be at the root path of the app or as granular as needed.</LI> <LI><STRONG>External URL</STRONG>: The URL used to access the application remotely from the internet.</LI> <LI><STRONG>Pre-authentication</STRONG>: Set to Azure Active Directory, which ensures that all users must authenticate to access the app and that Conditional Access policies are enforced.</LI> <LI><STRONG>Connector Group</STRONG>: Select the connector group with line of sight to the application.<BR /><BR /></LI> </OL> </LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="01hba.png" style="width: 726px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/233233iF43DD487E5E0E851/image-size/large?v=v2&amp;px=999" role="button" title="01hba.png" alt="01hba.png" /></span></P> <P>&nbsp;</P> <OL start="2"> <LI>Enable <STRONG>header-based authentication </STRONG>as the single sign-on mode for the application. You can configure any attribute synced to Azure AD as a header. 
You can also use transformations to craft the exact header value the application needs.</LI> </OL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="002hba.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/233234i7EC3FC09F7E29EEC/image-size/large?v=v2&amp;px=999" role="button" title="002hba.jpg" alt="002hba.jpg" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="004hba.png" style="width: 945px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/233235i6DA19E63F39214B6/image-size/large?v=v2&amp;px=999" role="button" title="004hba.png" alt="004hba.png" /></span></P> <P>&nbsp;</P> <OL start="3"> <LI>After configuration, the app can now be launched from the <A href="#" target="_blank" rel="noopener">My Apps portal</A> just like any other cloud application or directly via the external URL.</LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="005hba.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/233236iE33A0E9438E38D6B/image-size/large?v=v2&amp;px=999" role="button" title="005hba.png" alt="005hba.png" /></span></P> <P>&nbsp;</P> <P>In just a few steps, you've enabled the app for remote access from any browser or device, enabled single sign-on for header-based authentication, and protected the app with any Conditional Access policies you've assigned to the app. 
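</P> <P>One thing the steps above leave implicit: after pre-authentication the application accepts whatever identity arrives in the configured header, so it must only honour that header on requests that actually came through an Application Proxy connector. Below is an added example, not Microsoft’s code and not part of the original post, of a small WSGI gate that enforces this. The header names X-Remote-User and X-Remote-Groups, the connector subnet 10.20.30.0/28 and the WSGI application are all assumptions standing in for your own configuration. The legacy_user function shows the unconditional trust that most header-based apps start with; identity_from_headers is the hardened version.</P>

```python
"""Trust header-based identity only when the request came through an Application
Proxy connector. Added example, not Microsoft's code: the header names, the connector
subnet and the WSGI plumbing are assumptions standing in for your own deployment."""
import ipaddress
from dataclasses import dataclass, field

# Assumed header names; they must match the header attributes you configured in the
# application's single sign-on settings.
REMOTE_USER_HEADER = "X-Remote-User"
REMOTE_GROUPS_HEADER = "X-Remote-Groups"

# Assumed subnet of the hosts running your Application Proxy connectors. A request that
# reaches the app from any other peer never passed Azure AD pre-authentication, so its
# identity headers are attacker-controlled input, not evidence of a login.
CONNECTOR_NETWORKS = (ipaddress.ip_network("10.20.30.0/28"),)

REASON = {401: "Unauthorized", 403: "Forbidden"}


@dataclass
class Identity:
    user: str
    groups: list = field(default_factory=list)


def _header(environ, name):
    # WSGI presents request headers as HTTP_<NAME> with dashes turned into underscores.
    return environ.get("HTTP_" + name.upper().replace("-", "_"))


def legacy_user(environ):
    """The pattern header-auth apps typically start with: trust the header wherever it
    came from. Shown for contrast only; anyone who can reach the listener picks the user."""
    return _header(environ, REMOTE_USER_HEADER)


def from_connector(remote_addr, networks=CONNECTOR_NETWORKS):
    """True when the TCP peer is one of the connector hosts."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def identity_from_headers(environ, networks=CONNECTOR_NETWORKS):
    """Return (200, Identity) when a connector asserted a user, (403, reason) when the
    peer is not a connector, or (401, reason) when the connector forwarded no user."""
    if not from_connector(environ.get("REMOTE_ADDR", ""), networks):
        # Deliberately no fallback to the header: a forged header from a non-connector
        # peer is exactly what this check exists to refuse.
        return 403, "request did not arrive through an Application Proxy connector"
    user = _header(environ, REMOTE_USER_HEADER)
    if not user or not user.strip():
        return 401, "no user asserted by the proxy"
    raw_groups = _header(environ, REMOTE_GROUPS_HEADER) or ""
    groups = [g.strip() for g in raw_groups.split(",") if g.strip()]
    return 200, Identity(user=user.strip(), groups=groups)


def header_auth_middleware(app, networks=CONNECTOR_NETWORKS):
    """Wrap a WSGI app so it only runs with a connector-asserted identity, which is
    handed over in environ["app.identity"]."""
    def wrapped(environ, start_response):
        status, result = identity_from_headers(environ, networks)
        if status != 200:
            start_response(f"{status} {REASON[status]}", [("Content-Type", "text/plain")])
            return [result.encode("utf-8")]
        environ["app.identity"] = result
        return app(environ, start_response)
    return wrapped
```

<P>Wrap the application with header_auth_middleware(app) and, independently of this check, keep the app reachable only from the connector hosts at the network layer. REMOTE_ADDR is only a trustworthy signal when nothing sits between the connector and the app; if a load balancer does, the peer check has to move to that hop.</P> <P>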
To learn more, check out our <A href="#" target="_blank" rel="noopener">technical documentation</A>.<BR /><BR /></P> <P>Making it easier to connect your header-based authentication applications to Azure AD is just another step we are taking to help you <A href="#" target="_blank" rel="noopener">secure and manage all the apps</A> your organization uses. We are excited to keep releasing new functionality and updates to make this journey even easier based on your feedback and suggestions.<BR /><BR /></P> <P>As always, we’d love to hear from you. Please let us know what you think in the comments below or on the <A href="#" target="_blank" rel="noopener">Azure AD feedback forum</A>.<BR /><BR /></P> <P>Best regards,</P> <P>Alex Simons (twitter:&nbsp;<A href="#" target="_blank" rel="noopener">@alex_a_simons</A>)</P> <P>Corporate Vice President Program Management</P> <P>Microsoft Identity Division</P> Tue, 01 Dec 2020 17:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/azure-ad-application-proxy-now-natively-supports-apps-that-use/ba-p/1751707 Alex Simons (AZURE) 2020-12-01T17:00:00Z Simple and secure customization with B2C user flows https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/simple-and-secure-customization-with-b2c-user-flows/ba-p/1751709 <P><SPAN data-contrast="none">Howdy folks,</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="none">In this unusual year, organizations have doubled down on digital engagement with their customers and are prioritizing the security and customization of their user experiences. We’ve kept this top of mind as we evolve our vision for <A href="#" target="_blank" rel="noopener">Azure Active Directory (Azure AD) External Identities</A>, making customization of identity experiences easier than ever.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="none">Today we're announcing new ways you can customize your B2C apps. Once again, we’ve got Partner Group PM Manager Robin Goldstein on the blog to tell you more.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="none">As always, we hope you’ll try out the new features and share feedback through the <A href="#" target="_blank" rel="noopener">Azure forum</A> or by following <A href="#" target="_blank" rel="noopener">@AzureAD</A> on Twitter.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="none">Regards,</SPAN></P> <P><SPAN data-contrast="none">Alex&nbsp;(<A href="#" target="_self">@Alex_A_Simons</A>)</SPAN></P> <P><SPAN data-contrast="none">------------------------------------</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="none">Hi everyone,</SPAN><BR /><BR /></P> <P><SPAN data-contrast="none">At Ignite, we announced a step forward in our <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/evolving-azure-ad-for-every-user-and-any-identity-with-external/ba-p/1257361" target="_blank" rel="noopener">Azure Active Directory (Azure AD) External Identities</A> journey with the addition of Conditional Access and Identity Protection to Azure AD B2C, extending Microsoft’s world-class security to help you protect customer and citizen identities. Today, we are excited to announce two more features that make it easier to design secure and seamless customer-facing experiences in Azure AD B2C: API connectors, and phone sign-up and sign-in for user flows.</SPAN></P> <P>&nbsp;</P> <H2 aria-level="1"><SPAN data-contrast="none">Extend and secure user experiences with API connectors in Azure AD B2C</SPAN></H2> <P aria-level="1"><SPAN data-contrast="auto"><BR />API connectors allow you to leverage web APIs to integrate with external cloud systems to customize your identity user experience. Earlier in the year, we shared how you could <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/customize-external-identities-self-service-sign-up-with-web-api/ba-p/1257364" target="_blank" rel="noopener">customize External Identities self-service sign-up with web APIs in Azure AD</A> to enable common use cases like approvals and data validation. You can now use the preview of <A href="#" target="_blank" rel="noopener">API connectors for Azure AD B2C</A> to enable those same scenarios and more.</SPAN></P> <P aria-level="1">&nbsp;</P> <P><SPAN data-contrast="auto">If you’ve been using Azure AD B2C already, you may be familiar with the ability to use REST APIs in your custom policies. With API connectors for user flows, you can now enjoy similar flexibility using our next-generation user flows, which are also in public preview.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="admin-experience.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/238377i50077231F1B590D2/image-size/large?v=v2&amp;px=999" role="button" title="admin-experience.jpg" alt="Azure Portal experience adding an API connector to a user flow in Azure AD B2C" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Azure Portal experience adding an API connector to a user flow in Azure AD B2C</span></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Here are some more examples of scenarios you can enable with API connectors:<BR /><BR /></SPAN></P> <H2 aria-level="2"><SPAN data-contrast="none">Protect against automated fraud and abuse</SPAN></H2> <P><SPAN data-contrast="auto"><BR />Protecting against bots and automated attacks on publicly exposed sign-up experiences is critical to your security posture. With API connectors and a bit of JavaScript, you can add any CAPTCHA or fraud and abuse detection service, such as the Arkose Labs Platform, to your sign-up experience to help prevent fraudulent sign-ups.<BR /><BR /></SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="arkose-captcha.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/238378iE2B64BC895FCD9D3/image-size/large?v=v2&amp;px=999" role="button" title="arkose-captcha.jpg" alt="Figure 1. A sign-up experience using the Arkose Labs Platform to protect against automated fraud and abuse." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 1. A sign-up experience using the Arkose Labs Platform to protect against automated fraud and abuse.</span></span></P> <P>&nbsp;</P> <H2 aria-level="2"><SPAN data-contrast="none">Use invitation codes</SPAN></H2> <P><SPAN data-contrast="auto"><BR />Another way to protect your sign-up experiences is to limit them to specific audiences. Using API connectors, you can provision invitation codes for those audiences and require users to enter a valid code during sign-up.<BR /><BR /></SPAN></P> <P><span class="lia-inline-image-display-wrapper 
lia-image-align-inline" image-alt="invitation-code.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/238381i5C6A4808C2626459/image-size/large?v=v2&amp;px=999" role="button" title="invitation-code.jpg" alt="Figure 2. A user flow that limits sign-ups to users with an invitation code." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 2. A user flow that limits sign-ups to users with an invitation code.</span></span><BR /><BR /></P> <H2 aria-level="2"><SPAN data-contrast="none">Perform identity&nbsp;</SPAN><SPAN data-contrast="none">verification</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:360,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <P><SPAN data-contrast="auto"><BR />Verifying</SPAN><SPAN data-contrast="auto">&nbsp;or&nbsp;</SPAN><SPAN data-contrast="auto">affirming&nbsp;</SPAN><SPAN data-contrast="auto">your user’s identity&nbsp;</SPAN><SPAN data-contrast="auto">can&nbsp;</SPAN><SPAN data-contrast="auto">also&nbsp;</SPAN><SPAN data-contrast="auto">reduce</SPAN><SPAN data-contrast="auto">&nbsp;the risk&nbsp;</SPAN><SPAN data-contrast="auto">of</SPAN><SPAN data-contrast="auto">&nbsp;fraudulent&nbsp;</SPAN><SPAN data-contrast="auto">signups by</SPAN><SPAN data-contrast="auto">&nbsp;malicious actors.&nbsp;</SPAN><SPAN data-contrast="auto">Using</SPAN><SPAN data-contrast="auto">&nbsp;API connectors, you can integrate</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">solutions from&nbsp;</SPAN><SPAN data-contrast="auto">IDology</SPAN><SPAN data-contrast="auto">, Experian,&nbsp;</SPAN><SPAN data-contrast="auto">or</SPAN><SPAN data-contrast="auto">&nbsp;other providers to&nbsp;</SPAN><SPAN data-contrast="auto">veri</SPAN><SPAN data-contrast="auto">fy</SPAN><SPAN data-contrast="auto">&nbsp;user information&nbsp;</SPAN><SPAN data-contrast="auto">based on user attributes collected at 
sign-up.</SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:360,&quot;335559739&quot;:160,&quot;335559740&quot;:276}">&nbsp;<BR /><BR /></SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="identity-verification.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/238383i92E4969CFAD6C422/image-size/large?v=v2&amp;px=999" role="button" title="identity-verification.png" alt="Figure 3. A sign-up flow that collects user information and uses it to verify a user’s identity." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 3. A sign-up flow that collects user information and uses it to verify a user’s identity.</span></span></P> <P>&nbsp;</P> <P><LI-WRAPPER><I></I></LI-WRAPPER></P> <P><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:360,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">To&nbsp;</SPAN><SPAN data-contrast="auto">get started</SPAN><SPAN data-contrast="auto">,</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">check out&nbsp;</SPAN><SPAN data-contrast="auto">the&nbsp;</SPAN><SPAN data-contrast="auto">great</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">samples</SPAN></A><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">of these scenarios&nbsp;</SPAN><SPAN data-contrast="auto">our</SPAN><SPAN data-contrast="auto">&nbsp;team put together</SPAN><SPAN data-contrast="auto">&nbsp;and learn&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">how to&nbsp;</SPAN><SPAN data-contrast="none">add an API connector to a user flow</SPAN></A><SPAN data-contrast="auto">.</SPAN><SPAN 
data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:360,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <H2 aria-level="1"><SPAN data-contrast="none">Simplify access with&nbsp;</SPAN><SPAN data-contrast="none">phone sign-up and sign-in user&nbsp;</SPAN><SPAN data-contrast="none">flows</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <P><SPAN data-contrast="auto"><BR />Round</SPAN><SPAN data-contrast="auto">i</SPAN><SPAN data-contrast="auto">ng out our improvements to user flows</SPAN><SPAN data-contrast="auto">&nbsp;in</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">Azure AD B2C</SPAN><SPAN data-contrast="auto">, you can</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">now&nbsp;</SPAN><SPAN data-contrast="auto">enable users to</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">sign-up and sign-in</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">to your app&nbsp;</SPAN><SPAN data-contrast="auto">using their phone&nbsp;</SPAN><SPAN data-contrast="auto">number</SPAN><SPAN data-contrast="auto">&nbsp;(</SPAN><SPAN data-contrast="auto">phone-based&nbsp;</SPAN><SPAN data-contrast="auto">SUSI)</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">This reduces the need for&nbsp;</SPAN><SPAN data-contrast="auto">additional</SPAN><SPAN data-contrast="auto">&nbsp;passwords and&nbsp;</SPAN><SPAN data-contrast="auto">makes</SPAN><SPAN data-contrast="auto">&nbsp;the experience much easier on mobile devices.</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">Like other credentials and identity providers, 
setting up&nbsp;</SPAN><SPAN data-contrast="auto">phone-based</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">SUSI</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">for a user flow&nbsp;</SPAN><SPAN data-contrast="auto">can be done</SPAN><SPAN data-contrast="auto">&nbsp;with just a few clicks.</SPAN><SPAN data-contrast="auto">&nbsp;This feature is now being rolled out worldwide.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:360,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">To get started</SPAN><SPAN data-contrast="auto">,</SPAN><SPAN data-contrast="auto">&nbsp;you can&nbsp;</SPAN><SPAN data-contrast="auto">set</SPAN><SPAN data-contrast="auto">&nbsp;up a user flow</SPAN><SPAN data-contrast="auto">&nbsp;in the admin portal</SPAN><SPAN data-contrast="auto">,</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">using</SPAN><SPAN data-contrast="auto">&nbsp;the</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">combined&nbsp;</SPAN><SPAN data-contrast="auto">phone/email sign-up</SPAN><SPAN data-contrast="auto">&nbsp;option now&nbsp;</SPAN><SPAN data-contrast="auto">under local accounts in</SPAN><SPAN data-contrast="auto">&nbsp;the identity&nbsp;</SPAN><SPAN data-contrast="auto">providers</SPAN><SPAN data-contrast="auto">&nbsp;blade</SPAN><SPAN data-contrast="auto">:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:360,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="5" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">End-users</SPAN><SPAN data-contrast="auto">&nbsp;will see the option to use their phone number</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">as well as</SPAN><SPAN 
data-contrast="auto">&nbsp;a link</SPAN><SPAN data-contrast="auto">&nbsp;to</SPAN><SPAN data-contrast="auto">&nbsp;change their phone number&nbsp;</SPAN><SPAN data-contrast="auto">when they get a new phone.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="5" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">C</SPAN><SPAN data-contrast="auto">onfigure whether&nbsp;</SPAN><SPAN data-contrast="auto">to&nbsp;</SPAN><SPAN data-contrast="auto">collect a recovery email from users during&nbsp;sign-up&nbsp;</SPAN><SPAN data-contrast="auto">or</SPAN><SPAN data-contrast="auto">&nbsp;sign-in</SPAN><SPAN data-contrast="auto">,</SPAN><SPAN data-contrast="auto">&nbsp;to&nbsp;</SPAN><SPAN data-contrast="auto">make it easier for</SPAN><SPAN data-contrast="auto">&nbsp;user</SPAN><SPAN data-contrast="auto">s&nbsp;</SPAN><SPAN data-contrast="auto">to&nbsp;</SPAN><SPAN data-contrast="auto">reset their&nbsp;</SPAN><SPAN data-contrast="auto">account</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;<BR /></SPAN></LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Final_IDP.PNG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/237884i50AED08C79388167/image-size/large?v=v2&amp;px=999" role="button" title="Final_IDP.PNG" alt="Admin experience for&nbsp;customizing&nbsp;identity providers settings&nbsp;on&nbsp;a&nbsp;user flow (left) and the resulting end user experience (right)." 
/><span class="lia-inline-image-caption" onclick="event.preventDefault();">Admin experience for&nbsp;customizing&nbsp;identity providers settings&nbsp;on&nbsp;a&nbsp;user flow (left) and the resulting end user experience (right).</span></span></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:360,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Final_Recovery.PNG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/237885iF1BD8740C8A50368/image-size/large?v=v2&amp;px=999" role="button" title="Final_Recovery.PNG" alt="Admin experience for configuring the recovery email prompt during sign-up and sign in&nbsp;(left) and the resulting end user experience (right)." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Admin experience for configuring the recovery email prompt during sign-up and sign in&nbsp;(left) and the resulting end user experience (right).</span></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">User flows with phone</SPAN><SPAN data-contrast="auto">-based</SPAN><SPAN data-contrast="auto">&nbsp;SUSI can also be managed using graph APIs</SPAN><SPAN data-contrast="auto">&nbsp;to&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">view, add, and delete local accounts</SPAN></A><SPAN data-contrast="auto">.&nbsp;</SPAN><SPAN data-contrast="auto">Check out the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">documentation</SPAN></A><SPAN data-contrast="auto">&nbsp;to learn&nbsp;</SPAN><SPAN data-contrast="auto">more.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:360,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="none">On behalf of the Azure AD External Identities crew,&nbsp;</SPAN><SPAN 
data-contrast="none">thank you for&nbsp;</SPAN><SPAN data-contrast="none">your</SPAN><SPAN data-contrast="none">&nbsp;feedback so far. We hope you’ll</SPAN><SPAN data-contrast="none">&nbsp;try out both</SPAN><SPAN data-contrast="none">&nbsp;</SPAN><SPAN data-contrast="none">preview features and share&nbsp;</SPAN><SPAN data-contrast="none">more about how</SPAN><SPAN data-contrast="none">&nbsp;</SPAN><SPAN data-contrast="none">you are&nbsp;</SPAN><SPAN data-contrast="none">customizing</SPAN><SPAN data-contrast="none">&nbsp;you</SPAN><SPAN data-contrast="none">r B2C user experiences</SPAN><SPAN data-contrast="none">.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:360,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:360,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Robin Goldstein</SPAN><SPAN data-contrast="none">&nbsp;</SPAN><SPAN data-contrast="none">(</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">@Robingo_MS</SPAN></A><SPAN data-contrast="none">)</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">Partner Group</SPAN><SPAN data-contrast="none">&nbsp;PM Manager</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">Microsoft Identity Division</SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:360,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:360,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><I><SPAN data-contrast="auto">Learn more about Microsoft identity:</SPAN></I><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:360,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="3" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><I><SPAN data-contrast="auto">Related Articles:</SPAN></I><I><SPAN data-contrast="auto">&nbsp;</SPAN></I><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/customize-external-identities-self-service-sign-up-with-web-api/ba-p/1257364" target="_blank" rel="noopener"><I><SPAN data-contrast="none">API connectors available in preview for External Identities guest users</SPAN></I></A><I><SPAN data-contrast="auto">;</SPAN></I><I><SPAN data-contrast="auto">&nbsp;</SPAN></I><SPAN aria-label="Rich text content control"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">B2C p</SPAN><SPAN data-contrast="none">hone sign-in and sign-up using custom policies</SPAN></A><SPAN data-contrast="none">&nbsp;GA announcement</SPAN></SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> </UL> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="3" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><I><SPAN data-contrast="auto">Return to the&nbsp;</SPAN></I><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><I><SPAN data-contrast="none">Azure Active Directory Identity blog home</SPAN></I></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="3" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><I><SPAN data-contrast="auto">Join the conversation on&nbsp;</SPAN></I><A href="#" target="_blank" rel="noopener"><I><SPAN 
data-contrast="none">Twitter</SPAN></I></A><I><SPAN data-contrast="auto">&nbsp;and&nbsp;</SPAN></I><A href="#" target="_blank" rel="noopener"><I><SPAN data-contrast="none">LinkedIn</SPAN></I></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="3" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><I><SPAN data-contrast="auto">Share product suggestions on the&nbsp;</SPAN></I><A href="#" target="_blank" rel="noopener"><I><SPAN data-contrast="none">Azure Feedback Forum</SPAN></I></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> </UL> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> Mon, 07 Dec 2020 18:23:43 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/simple-and-secure-customization-with-b2c-user-flows/ba-p/1751709 Alex Simons (AZURE) 2020-12-07T18:23:43Z Customize and configure shared devices for Firstline Workers at scale https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/customize-and-configure-shared-devices-for-firstline-workers-at/ba-p/1751708 <P>Howdy folks,<BR /><BR /></P> <P>Firstline Workers have been at the forefront of our economy over the past several months as they perform critical jobs like maintaining supply chains, serving as first responders, and caring for the most vulnerable. It is more important than ever to empower these workers with tools and technology designed to support their unique scenarios.</P> <P>&nbsp;</P> <P>One example of a specific Firstline scenario is the need to be able to share tablets or mobile devices between shifts while maintaining security and compliance. 
In April, we <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/empower-firstline-workers-from-day-one-with-enhanced-identity/ba-p/1097771" target="_blank" rel="noopener">announced the preview of shared device sign-out</A> for Android and iOS. Once a device is provisioned into shared device mode, Firstline Workers can sign out of all web browser sessions and applications that have been configured to support this feature, such as Microsoft Teams, with a single click.<BR /><BR /></P> <P>So today I am excited to announce three new preview capabilities that make it easier to set up and customize how Firstline Workers use shared devices.<BR /><BR /></P> <UL> <LI><STRONG>Provisioning shared devices at scale with Microsoft Endpoint Manager – </STRONG>&nbsp;Microsoft Intune and Configuration Manager are now part of a unified management platform known as <A href="#" target="_blank" rel="noopener">Microsoft Endpoint Manager</A>. You can choose to enroll your Android Enterprise (AE) dedicated devices into Microsoft Intune with Azure AD shared mode automatically configured.</LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AndroidFLW-SharedMode-IntuneProfile.PNG" style="width: 667px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/235587i6D8960DE8AEBFCE8/image-dimensions/667x365?v=v2" width="667" height="365" role="button" title="AndroidFLW-SharedMode-IntuneProfile.PNG" alt="Pick the enrollment profile in the Intune console for “Android Enterprise dedicated device with Azure AD shared mode”" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Pick the enrollment profile in the Intune console for “Android Enterprise dedicated device with Azure AD shared mode”</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2.PNG" style="width: 670px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/235590iF7FFDD45B2082B5A/image-dimensions/670x442?v=v2" width="670" height="442" role="button" title="2.PNG" alt="Pick up a new device (or factory reset) and just get started on enrollment. Just following a few on-screen steps, you can complete the enrollment." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Pick up a new device (or factory reset) and just get started on enrollment. Just following a few on-screen steps, you can complete the enrollment.</span></span></P> <P>&nbsp;</P> <UL> <LI><STRONG>Device-based Conditional Access for shift workers – </STRONG>You can now enforce Zero Trust security policies using device compliance to secure corporate data for users signing in and out of apps on shared devices.</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Android-FLW-RequireCADevicePolicy.PNG" style="width: 670px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/235588i1C812F5D6C38EDC6/image-dimensions/670x421?v=v2" width="670" height="421" role="button" title="Android-FLW-RequireCADevicePolicy.PNG" alt="Android-FLW-RequireCADevicePolicy.PNG" /></span></P> <P>&nbsp;</P> <UL> <LI><STRONG>Customized sign-in experience with Microsoft Managed Home Screen</STRONG> <STRONG>–</STRONG> You can now use Managed Home Screen to provide a simple sign-in and sign-out experience across all apps, including Microsoft Teams, that participate with shared device sign-out. Customize a single screen for users to easily sign-in, configure a session PIN for the duration of the shift, and configure timers for automatic sign-out for added security. 
To see the full list of configurations available with Managed Home Screen, see the <A href="#" target="_blank" rel="noopener">documentation</A>.</LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="4.PNG" style="width: 685px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/235591i70EDE9784B1118AF/image-dimensions/685x349?v=v2" width="685" height="349" role="button" title="4.PNG" alt="Customize the device sign-in experience for any Firstline Worker." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Customize the device sign-in experience for any Firstline Worker.</span></span></P> <P>&nbsp;</P> <P>Check out our <A href="#" target="_blank" rel="noopener">documentation on how to enroll in shared device mode</A> to get started today.</P> <P>&nbsp;</P> <P>As always, we hope you’ll try out the new features and share feedback through&nbsp;the&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=Azure%20Forums&nbsp;" target="_blank" rel="noopener">Azure<SPAN> Forums</SPAN></A> or by following&nbsp;<A href="#" target="_blank" rel="noopener">@AzureAD&nbsp;</A>on Twitter.&nbsp;</P> <P>&nbsp;</P> <P>Best regards,</P> <P>&nbsp;</P> <P>Alex Simons (<A href="#" target="_self">@Alex_A_Simons</A>)&nbsp;</P> <P>Corporate Vice President of Program Management&nbsp;</P> <P>Microsoft Identity Division&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM>&nbsp;</P> <UL> <LI><EM>Related Articles:</EM> <A href="https://gorovian.000webhostapp.com/?exam=t5/intune-customer-success/intune-public-preview-enroll-android-enterprise-dedicated/ba-p/1820093" target="_blank" rel="noopener">Enrolling Android Enterprise dedicated devices into Azure AD shared mode</A><EM>; </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/intune-customer-success/how-to-setup-microsoft-managed-home-screen-on-dedicated-devices/ba-p/1388060" target="_blank" 
rel="noopener">How to setup Microsoft Managed Home Screen on Dedicated devices in multi-app kiosk mode</A></LI> <LI><EM>Return to the&nbsp;</EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A>&nbsp;</LI> <LI><EM>Join the conversation on&nbsp;</EM><A href="#" target="_blank" rel="noopener"><EM>Twitter</EM></A><EM>&nbsp;and&nbsp;</EM><A href="#" target="_blank" rel="noopener"><EM>LinkedIn</EM></A>&nbsp;</LI> <LI><EM>Share product suggestions on the&nbsp;</EM><A href="#" target="_blank" rel="noopener"><EM>Azure Feedback Forum</EM></A>&nbsp;</LI> </UL> <P>&nbsp;</P> Mon, 23 Nov 2020 17:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/customize-and-configure-shared-devices-for-firstline-workers-at/ba-p/1751708 Alex Simons (AZURE) 2020-11-23T17:00:00Z It's Time to Hang Up on Phone Transports for Authentication https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/it-s-time-to-hang-up-on-phone-transports-for-authentication/ba-p/1751752 <P>In my blog <A href="#" target="_blank">Your Pa$$word doesn't matter</A>, I laid out the key password vulnerabilities, and in response to a gazillion “but other creds can be compromised, too” DMs and emails, I wrote <A href="#" target="_blank">All our creds are belong to us</A>, where I outlined vulnerabilities in credentials other than passwords and highlighted the promise of passwordless, cryptographically protected creds like FIDO, Windows Hello, and the Authenticator App.<BR /><BR /></P> <P>Today, I want to do what I can to convince you that it’s time to start your <STRONG>move away from the SMS and voice</STRONG> Multi-Factor Authentication (MFA) mechanisms. These mechanisms are based on the public switched telephone network (PSTN), and I believe they’re the least secure of the MFA methods available today. 
That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages. Plan your move to passwordless strong auth now – the authenticator app provides an immediate and evolving option.<BR /><BR /></P> <P>It bears repeating, however, that <STRONG>MFA is essential</STRONG> – we are discussing <EM>which </EM>MFA method to use, not <EM>whether </EM>to use MFA. Quoting an earlier blog, “Multi-factor Authentication (MFA) is the least you can do if you are at all serious about protecting your accounts. Use of&nbsp;anything&nbsp;beyond the password significantly increases the costs for attackers, which is why&nbsp;the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population.”<BR /><BR /></P> <H2>The Usual Suspects</H2> <P><BR />It’s worth noting that every mechanism to exploit a credential can be used on a PSTN OTP. Phish? Check. Social? Check. Account takeover? Check. Device theft? Check. Your PSTN account has all the vulnerabilities of every other authenticator, plus a host of other issues specific to PSTN.<BR /><BR /></P> <H2>Not Adaptable</H2> <P><BR />Because so many devices rely on receiving PSTN messages, the format of the messages is limited – we can’t make the messages richer, or longer, or do much of anything beyond sending the OTP in a short text message or a phone call. One of the significant advantages of online services is that we can adapt to user experience expectations, technical advances, and attacker behavior in real time. Unfortunately, the SMS and voice formats aren’t adaptable, so the experiences and opportunities for innovation in usability and security are very limited.<BR /><BR /></P> <H2>Transmitted in the Clear</H2> <P><BR />When SMS and voice protocols were developed, they were designed without encryption. 
From a practical usability perspective, we can’t overlay encryption onto these protocols because users would be unable to read them (there are other reasons too, like message bloat, which have prevented encrypted variants from taking hold over the existing protocols). What this means is that signals can be intercepted by anyone who can get access to the switching network or who is within the radio range of a device. As I said in the earlier “All Your Creds” blog, “an attacker can deploy a&nbsp;<A href="#" target="_blank">software-defined-radio to intercept messages</A>, or a nearby&nbsp;<A href="#" target="_blank">FEMTO</A>, or use an&nbsp;<A href="#" target="_blank">SS7 intercept service</A>&nbsp;to eavesdrop on the phone traffic.” This is a substantial and unique vulnerability in PSTN systems that is available to determined attackers.<BR /><BR /></P> <H2>Easy to Social Engineer</H2> <P><BR />It’s worth noting that most PSTN systems are backed by online accounts and rich customer support infrastructure. Sadly, customer support agents are vulnerable to charm, coercion, bribery, or extortion. If these social engineering efforts succeed, customer support can provide access to the SMS or voice channel, which leads to everything from message intercept, to call forwarding attacks, to SIM jacking. While social engineering attacks impact email systems as well, the major email systems (e.g. Outlook, Gmail) have a more developed “muscle” for preventing account compromise via their support ecosystems.</P> <P>&nbsp;</P> <H2>Subject to Mobile Operator Performance</H2> <P><BR />Unfortunately, PSTN systems are not 100% reliable, and reporting is not 100% consistent. This is region- and carrier-dependent, but the path a message takes to you may influence how long it takes to arrive and whether you get it at all. In some cases, carriers report delivery when delivery has failed, and in others, delivery of messages can take a long enough time that users assume messages have been unable to get through. 
In some regions, delivery rates can be as low as 50%! Because SMS is “fire and forget,” the MFA provider has no real-time signal to indicate a problem and has to rely on statistical completion rates or helpdesk calls to detect problems. This means signal to users to offer alternatives or warn of an issue is difficult to provide.</P> <P>&nbsp;</P> <H2>Subject to Changing Regulations</H2> <P><BR />Due to the increase in spam in SMS formats, regulators have required regulations on identifying codes, transmit rates, message content, permission to send, and response to messages like “STOP.” Unfortunately, however, these regulations change rapidly and are inconsistent from region to region and can (and have) resulted in major delivery outages. More outages, more user frustration.<BR /><BR /></P> <H2>Limited Context</H2> <P><BR />In practical terms, the text or voice mediums limit how much information can be communicated to a user – SMS carries 160 characters, 70 if not using GSM, and once we get into languages which require encoding, the practical limit without message splitting is only around half that. Phishing is a serious threat vector, and we want to empower the user with as much context as possible (or, using Windows Hello or FIDO, make phishing impossible) – SMS and voice formats restrict our ability to deliver the context under which authentication is being requested.<BR /><BR /></P> <H2>Authentication Evolved</H2> <P><BR />Ok, to recap: you’re GOING to use MFA. Which MFA? Well, for most users on their mobile devices, we believe the right answer is app-based authentication. For us, that means the <A href="#" target="_blank">Microsoft Authenticator</A>. The Authenticator uses encrypted communication, allowing bi-directional communication on authentication status, and we’re currently working on adding even more context and control to the app to help users keep themselves safe. 
In just the last year, we’ve added app lock, hiding notifications from the lock screen, sign-in history in the app, and more – and this list will have grown by the time you plan your deployment, and keep growing while SMS and voice keep sitting still.<BR /><BR /></P> <P>Hang up on PSTN and pick up the Microsoft Authenticator – your users will be happier and more secure because you did.<BR /><BR />Stay safe out there,<BR /><BR /></P> <P>Alex (Twitter:&nbsp;<A href="#" target="_self">@alex_t_weinert</A>)</P> Tue, 10 Nov 2020 17:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/it-s-time-to-hang-up-on-phone-transports-for-authentication/ba-p/1751752 Alex Weinert 2020-11-10T17:00:00Z Updates to managing user authentication methods https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/updates-to-managing-user-authentication-methods/ba-p/1751705 <P>Howdy folks!</P> <P>&nbsp;</P> <P>I’m excited to share today some super cool new features for managing users’ authentication methods: a new experience for admins to manage users’ methods in Azure Portal, and a set of new APIs for managing FIDO2 security keys, Passwordless sign-in with the Microsoft Authenticator app, and more.</P> <P>Michael McLaughlin, one of our Identity team program managers, is back with a new guest blog post with information about the new UX and APIs. <STRONG>If your organization uses Azure AD Connect to synchronize user phone numbers, this post contains important updates for you.</STRONG></P> <P>As always, we’d love to hear any feedback or suggestions you may have. 
Please let us know what you think in the comments below or on the Azure Active Directory (Azure AD) feedback forum.</P> <P>&nbsp;</P> <P>Best Regards,</P> <P>Alex Simons (Twitter: <A href="#" target="_self">Alex_A_Simons</A>)</P> <P>Corporate Vice President Program Management</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> <P>--------------</P> <P>&nbsp;</P> <P>Hi everyone!</P> <P>&nbsp;</P> <P>In April I told you about <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/manage-your-authentication-phone-numbers-and-more-in-new/ba-p/1257359" target="_blank" rel="noopener">APIs for managing authentication phone numbers and passwords</A>, and promised you more was coming. Here’s what we’ve been doing since then!</P> <P>&nbsp;</P> <H2>New User Authentication Methods UX</H2> <P><BR />First, we have a new user experience in the Azure AD portal for managing users’ authentication methods. You can add, edit, and delete users’ authentication phone numbers and email addresses in this delightful experience, and, as we release new authentication methods over the coming months, they’ll all show up in this interface to be managed in one place. 
Even better, this new experience is built entirely on Microsoft Graph APIs so you can script all your authentication method management scenarios.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="devontorres_blog.PNG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/232353i07CD358B48D8E56F/image-size/large?v=v2&amp;px=999" role="button" title="devontorres_blog.PNG" alt="devontorres_blog.PNG" /></span></P> <H2><BR />Updates to Authentication Phone Numbers</H2> <P><BR />As part of our ongoing usability and security enhancements, we’ve also taken this opportunity to simplify how we handle phone numbers in Azure AD. Users now have two distinct sets of numbers:<BR /><BR /></P> <UL> <LI>Public numbers, which are managed in the user profile and never used for authentication.</LI> <LI>Authentication numbers, which are managed in the new authentication methods blade and always kept private.<BR /><BR /></LI> </UL> <P>This new experience is now fully enabled for all cloud-only tenants and will be rolled out to Directory-synced tenants by May 1, 2021.<BR /><BR /></P> <P><STRONG>Importantly for Directory-synced tenants, this change will impact which phone numbers are used for authentication. Admins currently prepopulating users’ public numbers for MFA will need to update authentication numbers directly. </STRONG>Read about how to <A href="#" target="_blank" rel="noopener">manage updates to your users’ authentication numbers here</A>.<BR /><BR /></P> <H2>New Microsoft Graph APIs</H2> <P><BR />In addition to all the above, we’ve released <A href="#" target="_blank" rel="noopener">several new APIs</A> to beta in Microsoft Graph! 
Using the authentication method APIs, you can now:<BR /><BR /></P> <UL> <LI>Read and remove a user’s FIDO2 security keys</LI> <LI>Read and remove a user’s Passwordless Phone Sign-In capability with Microsoft Authenticator</LI> <LI>Read, add, update, and remove a user’s email address used for Self-Service Password Reset<BR /><BR /></LI> </UL> <P>We’ve also added new APIs to manage your authentication method policies for FIDO2 and Passwordless Microsoft Authenticator.<BR /><BR /></P> <P>Here’s an example of calling GET all methods on a user with a FIDO2 security key:</P> <H3><BR />Request:</H3> <P>GET <A href="#" target="_blank" rel="noopener">https://graph.microsoft.com/beta/users/{{username}}/authentication/methods</A></P> <P>&nbsp;</P> <H3>Response:</H3> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="auth1.JPG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/232096i141CE8D82018E82E/image-size/large?v=v2&amp;px=999" role="button" title="auth1.JPG" alt="auth1.JPG" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Auth2.JPG" style="width: 933px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/232097i49C39557F1013960/image-size/large?v=v2&amp;px=999" role="button" title="Auth2.JPG" alt="Auth2.JPG" /></span></P> <P>&nbsp;</P> <P>We’re continuing to invest in the authentication methods APIs, and we encourage you to use them via Microsoft Graph or the <A href="#" target="_blank" rel="noopener">Microsoft Graph PowerShell module</A> for your authentication method sync and pre-registration needs. 
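</P> <P>As an added example (my code, not Microsoft's) of what such a script can do once it holds each user's <CODE>GET .../authentication/methods</CODE> response: the audit below classifies users by the strongest second factor they have registered, lists who still relies on SMS or voice only (the PSTN weakness covered in the previous post), and inventories FIDO2 keys. The responses are constructed so it runs offline; the <CODE>@odata.type</CODE> names and fields are the beta authentication method types as I know them and are an assumption for this page, and the HTTP call itself (any client holding a token with UserAuthenticationMethod.Read.All) is left out.</P>

```python
"""Audit users' registered authentication methods from the Graph
GET /beta/users/{id}/authentication/methods response.

Added example, not Microsoft's code. The responses below are constructed so
the script runs offline; the @odata.type names and fields are the beta
authentication method types as I know them and are an assumption here. The
HTTP call is left out: any client with a UserAuthenticationMethod.Read.All
token can fetch these bodies.
"""
from collections import Counter

PASSWORD = "#microsoft.graph.passwordAuthenticationMethod"
PHONE = "#microsoft.graph.phoneAuthenticationMethod"            # SMS / voice
EMAIL = "#microsoft.graph.emailAuthenticationMethod"            # SSPR only
AUTHENTICATOR = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"
FIDO2 = "#microsoft.graph.fido2AuthenticationMethod"

# Constructed sample: UPN -> response body of the methods call.
SAMPLE = {
    "alice@contoso.example": {"value": [
        {"@odata.type": PASSWORD, "id": "pw-alice"},
        {"@odata.type": FIDO2, "id": "fido-alice", "model": "SampleKey 2",
         "displayName": "desk key", "aaGuid": "00000000-0000-0000-0000-000000000000"},
    ]},
    "bob@contoso.example": {"value": [
        {"@odata.type": PASSWORD, "id": "pw-bob"},
        {"@odata.type": PHONE, "id": "phone-bob", "phoneType": "mobile",
         "phoneNumber": "+1 5555550100", "smsSignInState": "notEnabled"},
    ]},
    "carol@contoso.example": {"value": [
        {"@odata.type": PASSWORD, "id": "pw-carol"},
        {"@odata.type": EMAIL, "id": "email-carol", "emailAddress": "carol@personal.example"},
    ]},
    "dave@contoso.example": {"value": [
        {"@odata.type": PASSWORD, "id": "pw-dave"},
        {"@odata.type": PHONE, "id": "phone-dave", "phoneType": "mobile",
         "phoneNumber": "+1 5555550101", "smsSignInState": "notEnabled"},
        {"@odata.type": AUTHENTICATOR, "id": "auth-dave", "displayName": "Dave's phone"},
    ]},
}


def classify(methods_response):
    """Bucket one user by the strongest second factor registered. Email is
    recovery-only (SSPR), so it does not count as a second factor."""
    types = {m["@odata.type"] for m in methods_response.get("value", [])}
    if FIDO2 in types:
        return "phishing_resistant"
    if AUTHENTICATOR in types:
        return "app_based"
    if PHONE in types:
        return "pstn_only"           # SMS/voice is the only second factor
    return "no_second_factor"


def audit(tenant):
    """UPN -> bucket for every user in the tenant snapshot."""
    return {upn: classify(resp) for upn, resp in tenant.items()}


def category_counts(tenant):
    """Headline numbers for a posture report."""
    return dict(Counter(audit(tenant).values()))


def migration_candidates(tenant):
    """Users to move to app-based or FIDO2 sign-in before phone methods are retired."""
    return sorted(upn for upn, bucket in audit(tenant).items()
                  if bucket in ("pstn_only", "no_second_factor"))


def fido2_inventory(tenant):
    """(UPN, key model) pairs, e.g. to track keys that need replacing."""
    return [(upn, m.get("model")) for upn, resp in tenant.items()
            for m in resp.get("value", []) if m["@odata.type"] == FIDO2]


if __name__ == "__main__":
    for upn, bucket in audit(SAMPLE).items():
        print(f"{upn:24} {bucket}")
    print(category_counts(SAMPLE))
    print("migrate:", migration_candidates(SAMPLE))
```

<P>Run against a real tenant, <CODE>migration_candidates</CODE> is the list to pre-register with the Authenticator or a FIDO2 key using the same APIs, and <CODE>category_counts</CODE> gives a number you can track month over month.</P> <P>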
As we add more authentication methods to the APIs, you’ll be easily able to include those in your scripts too!<BR /><BR /></P> <P>We have several more exciting additions and changes coming over the next few months, so stay tuned!<BR /><BR /></P> <P>All the best,</P> <P>Michael McLaughlin</P> <P>Program Manager</P> <P>Microsoft Identity Division</P> Mon, 09 Nov 2020 17:37:56 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/updates-to-managing-user-authentication-methods/ba-p/1751705 Alex Simons (AZURE) 2020-11-09T17:37:56Z Advancing Password Spray Attack Detection https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/advancing-password-spray-attack-detection/ba-p/1276936 <P>Hey folks,<BR /><BR /></P> <P>In this blog, I am going to tell you about an amazing addition to our family of credential compromise detection capabilities – this one uses our machine learning technology and global signal to create incredibly accurate detection of a nuanced attack called “password spray.” This is a great example of where worldwide, multi-tenant detection combines with rapidly evolving detection technology to keep you safe from this very common attack.<BR /><BR /></P> <H2>Understanding Password Spray</H2> <P><BR />Password spray is one of the most popular attacks, accounting for more than a third of account compromise in organizations. In these attacks, bad actors try a few common passwords against many accounts from different organizations. Instead of trying <EM>many passwords against one user</EM>, they try to defeat lockout and detection by trying <EM>many users against one password</EM>. Effective forms of this attack are "low and slow,” where the bad actor uses thousands of IP addresses (such as from a botnet) to attack many tenants with a few common passwords. From any one tenant’s view, there are so few login attempts with such poor consistency that the attack is undetectable. 
A customer might only see one or two failed logins happen from these types of attacks once a day, so the attacks get lost in the noise of normal login patterns. They also bypass traditional protection like password lockout and malicious IP blocking. Password spray attacks have a 1 percent success rate for accounts (unless they use <A href="#" target="_blank" rel="noopener">password protection</A> - please use it!).<BR /><BR /></P> <P>It is only when we look <STRONG>across</STRONG> the tenants around the world and evaluate the complete picture of logins that we can reliably detect the patterns.&nbsp;The following chart shows a password spray attack that was observed on our system:<BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DBada_0-1603483682309.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/228843i25235666CC1E2AEA/image-size/large?v=v2&amp;px=999" role="button" title="DBada_0-1603483682309.png" alt="DBada_0-1603483682309.png" /></span></P> <P>&nbsp;</P> <P>Each color tracks a different password hash for login attempts with incorrect passwords in Azure Active Directory (Azure AD). Looking across millions of tenants, we can see the pattern of a password spray attack. Normally the graph would be flat and evenly dispersed as you see on the left side. The huge elevation of a single hash failing across many accounts indicates <STRONG>a single password being attempted against hundreds of thousands of usernames from many tenants</STRONG>—a password spray attack in progress. 
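</P> <P>The cross-tenant view just described, as an added example (not Microsoft's detection code, which is a supervised model over far richer signals): a small heuristic over constructed sign-in failure events, where <CODE>pw_hash</CODE> stands for a keyed hash of the attempted wrong password so the guess itself is never stored. From inside one tenant the sprayed hash shows up as one or two failures, indistinguishable from typos; aggregated across tenants its distinct-user count is several times the median of every other hash, and the detector returns which users in which tenant were hit so their risk can be raised. The ratio and tenant thresholds are assumptions.</P>

```python
"""Cross-tenant password spray heuristic over sign-in failure events.

Added example (not Microsoft's detection code): one tenant sees one or two
failures per hash per day, which is noise; aggregating the same wrong-password
hash across every tenant makes the spray a visible spike. `pw_hash` stands for
a keyed hash of the attempted wrong password, so the guess itself is never
stored. All events below are constructed sample data.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: (tenant, user, pw_hash, source_ip) for failed sign-ins.
# h1..h6 are ordinary mistyped passwords spread thinly across tenants; "spray"
# is a single wrong-password hash hitting two users in every tenant, each
# attempt from a different source IP (the "low and slow" pattern).
EVENTS = []
for t in range(1, 21):                                   # 20 tenants
    tenant = f"tenant{t:02d}"
    for u in range(1, 4):                                # 3 ordinary failures each
        EVENTS.append((tenant, f"user{u}@{tenant}", f"h{(t + u) % 6 + 1}", f"10.0.{t}.{u}"))
    for u in (7, 8):                                     # 2 sprayed users each
        EVENTS.append((tenant, f"user{u}@{tenant}", "spray", f"203.0.113.{(t * 7 + u) % 250}"))


def per_tenant_view(events, tenant):
    """Failures per hash as seen from inside one tenant: every hash, the sprayed
    one included, shows up only once or twice, so nothing stands out."""
    counts = defaultdict(int)
    for ten, _user, pw_hash, _ip in events:
        if ten == tenant:
            counts[pw_hash] += 1
    return dict(counts)


def cross_tenant_profile(events):
    """Per hash: distinct (tenant, user) pairs, tenants and source IPs hit."""
    users, tenants, ips = defaultdict(set), defaultdict(set), defaultdict(set)
    for tenant, user, pw_hash, ip in events:
        users[pw_hash].add((tenant, user))
        tenants[pw_hash].add(tenant)
        ips[pw_hash].add(ip)
    return {h: {"users": len(users[h]), "tenants": len(tenants[h]), "ips": len(ips[h])}
            for h in users}


def detect_spray(events, ratio=3.0, min_tenants=5):
    """Flag a hash whose distinct-user failure count exceeds `ratio` times the
    median over all hashes and that spans at least `min_tenants` tenants (both
    thresholds are assumptions). Returns {hash: {tenant: [users]}} so each
    affected tenant can have those users' risk raised."""
    profile = cross_tenant_profile(events)
    baseline = median(p["users"] for p in profile.values())
    flagged = {h for h, p in profile.items()
               if p["users"] > ratio * baseline and p["tenants"] >= min_tenants}
    hits = {h: defaultdict(list) for h in flagged}
    for tenant, user, pw_hash, _ip in events:
        if pw_hash in hits:
            hits[pw_hash][tenant].append(user)
    return {h: dict(by_tenant) for h, by_tenant in hits.items()}


if __name__ == "__main__":
    print("tenant01 sees:", per_tenant_view(EVENTS, "tenant01"))
    for pw_hash, by_tenant in detect_spray(EVENTS).items():
        print(f"spray {pw_hash}: {sum(len(v) for v in by_tenant.values())} users "
              f"across {len(by_tenant)} tenants")
```

<P>The per-tenant view is the key point: <CODE>per_tenant_view</CODE> for any single tenant returns a count of 2 for the sprayed hash and 1 for each typo, exactly the noise floor the post describes, and only <CODE>cross_tenant_profile</CODE> makes the spike visible (40 users across 20 tenants and 40 source IPs, against a median of 10). Note that the sprayed hash is caught even though every attempt came from a different IP, which is why the detection does not depend on IP blocking.</P> <P>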
This lens extends our detections beyond traffic from a set of IP addresses (a few of these attacks have originated from millions of IP addresses) and instead correlates the patterns of authentications the bad actors are attempting.<BR /><BR /></P> <H2>The Evolution of Password Spray Detection</H2> <P><BR />To detect password sprays, we built a heuristic detection using the approach previously described.&nbsp; It worked great - by looking at the core failure in the system in our worldwide traffic we were able to notify tenants of hundreds of thousands of attacks monthly (increased user risk) so they could protect their organizations.</P> <P>&nbsp;</P> <P>But we weren’t satisfied. So our data scientists started researching the use of these patterns and additional data to train a <STRONG>new supervised machine learning system</STRONG> incorporating IP reputation, unfamiliar sign-in properties, and other deviations in account behavior. The results of this research led to this month’s release of the new password spray risk detection. This new machine learning detection yields a <STRONG>100 percent increase in recall</STRONG> over the heuristic algorithm described above&nbsp;meaning it detects <STRONG>twice the number of compromised accounts</STRONG> of the previous algorithm. It does this while maintaining the previous algorithm’s amazing <STRONG>98 percent precision</STRONG>—meaning if this algorithm says an account fell to password spray, it’s almost certain that it did.<BR /><BR /></P> <P>Azure AD Identity Protection customers will see this new risk detection in the portal and APIs for Identity Protection. 
The following screenshot provides a sample of the new risk detection:<BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DBada_1-1603483682332.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/228844iD8FC7D04BCADF0CA/image-size/large?v=v2&amp;px=999" role="button" title="DBada_1-1603483682332.png" alt="DBada_1-1603483682332.png" /></span></P> <P>&nbsp;</P> <P>This new password spray detection is a great example of how we use intelligence gained across Microsoft’s identity systems to continuously expand and improve our protections—which you can use to automate processes in Azure AD Conditional Access, in Azure Sentinel, or through the APIs for anything you can imagine. For more information about other risk detections and how you can enable Identity Protection in your own organization, see the article, “<A href="#" target="_blank" rel="noopener">What is Identity Protection</A>?”. The team is committed to exploring and creating new and innovative approaches to protect our customers. I look forward to detailing these new protection systems for you in the future.<BR /><BR /></P> <P>Stay safe out there!</P> <P>&nbsp;</P> <P>-Alex (<A href="#" target="_self">@alex_t_weinert</A>)</P> Mon, 26 Oct 2020 19:57:43 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/advancing-password-spray-attack-detection/ba-p/1276936 Alex Weinert 2020-10-26T19:57:43Z Simplified Microsoft Account Security page is live! https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/simplified-microsoft-account-security-page-is-live/ba-p/1276935 <P>Hi all,</P> <P>&nbsp;</P> <P>More and more, your digital identity represents the gateway to all the things you care about – from your email to your bank to your favorite TV show (or XBox game – my fave is currently Sea of Thieves), so keeping your account secure is super important. 
That’s why I'm so excited to announce a redesign of the Microsoft account Security page which is all about making it easier to get your account security to “awesome” and keep it that way.&nbsp; Rachel Teller, a PM in Identity, drove the work and her guest blog below will take you through the highlights.</P> <P>&nbsp;</P> <P>Check out the <A href="#" target="_self">team’s work</A> and take advantage of this opportunity to make sure your security info is current - stay safe out there!</P> <P>&nbsp;</P> <P>-Alex</P> <P>--------<BR /><BR /></P> <P>Hey everyone,</P> <P>&nbsp;</P> <P>I’m Rachel, a Program Manager in the Identity Division. I’m excited to tell you about the work we did to simplify the security controls for your personal Microsoft account. Here’s a quick overview of the redesign:<BR /><BR /></P> <OL> <LI> <H3><SPAN>Easy management/visibility of enabled sign-in methods.&nbsp; <BR /></SPAN></H3> <SPAN><BR />When you</SPAN>&nbsp;<SPAN>check the </SPAN><A href="#" target="_blank" rel="noopener">security page</A><SPAN> of your Microsoft account, it’s often because you believe something is wrong-- you get an alert about a strange sign-in on your account; one of your other accounts, for which you use the same password, was hacked; your mom calls and explains that you need to enable MFA on every account and sends you into a tizzy.&nbsp; We wanted to make it as easy as possible for you to see what’s happening on your account, make the necessary changes, and be on your way.<BR /><BR /></SPAN></LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DBada_0-1603320301172.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/228375iD0B79535FBF6283A/image-size/large?v=v2&amp;px=999" role="button" title="DBada_0-1603320301172.png" alt="DBada_0-1603320301172.png" /></span></P> <P>&nbsp;</P> <OL start="2"> <LI> <H3><SPAN>Discovery of methods that make your life easier (and secretly more 
secure).&nbsp; <BR /></SPAN></H3> <SPAN><BR />With the exception of security-minded folks like you, most people aren’t on the lookout for new sign-in/recovery methods.&nbsp; When you go to make the necessary changes to your account, we want you to be able to see all the new options available to you, and easily understand how they can simplify your sign-in experience.&nbsp; We do the work of promoting and simplifying the most secure methods, so you don’t have to spend time researching/weighing the pros and cons of what's available.<BR /><BR /></SPAN></LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DBada_1-1603320301185.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/228377iF99022EF4E27BCA3/image-size/large?v=v2&amp;px=999" role="button" title="DBada_1-1603320301185.png" alt="DBada_1-1603320301185.png" /></span></P> <OL start="3"> <LI> <H3>Consistent design across consumer and enterprise management.&nbsp;</H3> <BR />Now folks who use Microsoft for both personal and work/school accounts can manage their account in the same way.&nbsp; No more separate management for credentials/proofs—just one page that allows you to see what you have and how to change it.<BR /><BR /></LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DBada_2-1603320301191.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/228376iC1E3694BA7EEE4B9/image-size/large?v=v2&amp;px=999" role="button" title="DBada_2-1603320301191.png" alt="DBada_2-1603320301191.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DBada_3-1603320301195.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/228378i94B93C111B894B67/image-size/large?v=v2&amp;px=999" role="button" title="DBada_3-1603320301195.png" 
alt="DBada_3-1603320301195.png" /></span></P> <P>&nbsp;</P> <P>As always, please provide any feedback in the comments section below.&nbsp; We are particularly fond of praise and clap emojis.</P> <P>&nbsp;</P> <P>Best,</P> <P>Rachel Teller, Program Manager II</P> <P>Microsoft Identity Division</P> Thu, 22 Oct 2020 16:30:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/simplified-microsoft-account-security-page-is-live/ba-p/1276935 Alex Weinert 2020-10-22T16:30:00Z Azure AD provisioning, now with attribute mapping, improved performance and more! https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/azure-ad-provisioning-now-with-attribute-mapping-improved/ba-p/1751706 <P>Howdy folks,</P> <P>&nbsp;</P> <P>We’ve made several changes to identity provisioning in Azure AD over the past several months, based on your input and feedback:<BR /><BR /></P> <UL> <LI>Easily map attributes between your on-premises AD and Azure AD.</LI> <LI>Perform on-demand user provisioning to Azure AD as well as your SaaS apps.</LI> <LI>Significantly improved sync performance in Azure AD Connect.</LI> <LI>Manage your provisioning logs and receive alerts with Azure Monitor.</LI> </UL> <P>&nbsp;</P> <P>And as in previous months, we continue to work with our partners to add provisioning support to more applications.&nbsp;</P> <P><BR />In this blog, I’ll give you a quick overview of each of these areas.</P> <P>&nbsp;</P> <H2>Map attributes from on-premises AD to Azure AD</H2> <P>The public preview of Azure AD Connect cloud provisioning has been updated to allow you to map attributes, including data transformation, when objects are synchronized from your on-premises AD to Azure AD.<BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DBada_0-1603137305538.png" style="width: 999px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/227784iA2CDC0A3D7CEC124/image-size/large?v=v2&amp;px=999" role="button" title="DBada_0-1603137305538.png" alt="DBada_0-1603137305538.png" /></span></P> <P>&nbsp;</P> <P>Check out our documentation to learn more on <A href="#" target="_blank">mapping attributes from AD to Azure AD</A>.</P> <P>&nbsp;</P> <H2>On-demand provisioning of users</H2> <P>We’ve enabled on-demand provisioning of users to Azure AD and your SaaS apps. This is useful when you need to quickly provision a user into an app. It is also useful for administrators when they are testing an integration for the first time. See our documentation for <A href="#" target="_blank">on-demand provisioning of users in Azure AD</A> and <A href="#" target="_blank">quickly provision a user into an app</A>.</P> <P>&nbsp;</P> <H2>Azure AD Connect with improved sync performance and faster deployment</H2> <P>The latest version of Azure AD Connect sync offers a substantial performance improvement for delta syncs and is up to 10 times faster in key scenarios. We have also made it easier to deploy Azure AD Connect sync by allowing import and export of Azure AD Connect configuration settings. Learn more about these changes in our <A href="#" target="_blank">documentation</A>.</P> <P>&nbsp;</P> <H2>Create custom alerts and dashboards by pushing the provisioning logs to Azure Monitor</H2> <P>You can now store your provisioning logs in Azure Monitor, analyze trends in the data using the rich query capabilities, and build visualizations on top of the data in minutes. Check out our <A href="#" target="_blank">documentation</A> on the integration.</P> <P>&nbsp;</P> <H2>New applications integrated with Azure AD for user provisioning</H2> <P>We release new provisioning integrations each month. 
Recently, we turned on provisioning support for 8x8, SAP Analytics Cloud, and Apple Business Manager.&nbsp; Check out our documentation on <A href="#" target="_blank">8x8</A>,&nbsp; <A href="#" target="_blank">Apple Business Manager</A> and <A href="#" target="_blank">SAP Analytics cloud</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>As always, we’d love to hear any feedback or suggestions you have. Let us know what you think in the comments below or&nbsp;on&nbsp;the&nbsp;<A href="#" target="_blank">Azure AD feedback forum</A>.&nbsp;</P> <P>&nbsp;</P> <P>Best regards,</P> <P>Alex Simons (twitter:&nbsp;<A href="#" target="_blank">@alex_a_simons</A>)</P> <P>Corporate Vice President Program Management</P> <P>Microsoft Identity Division</P> Mon, 19 Oct 2020 20:03:29 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/azure-ad-provisioning-now-with-attribute-mapping-improved/ba-p/1751706 Alex Simons (AZURE) 2020-10-19T20:03:29Z Conditional Access APIs are generally available! https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/conditional-access-apis-are-generally-available/ba-p/1751702 <P>Howdy folks,</P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">Azure AD Conditional Access</A>&nbsp;can ensure that the right people have the access to resources they need from wherever they are. We’ve had a ton of requests for Conditional Access APIs to manage policy at scale. 
That’s why it is so cool that at Microsoft Ignite, we announced that <A href="#" target="_blank" rel="noopener">Conditional Access APIs</A> and named location APIs have reached general availability in Microsoft Graph!&nbsp;</P> <P>&nbsp;</P> <P>As you progress on your journey with Conditional Access policy governance, you'll want to shift from manually managing each policy definition in the Azure portal to something more manageable and repeatable at enterprise scale.</P> <P>&nbsp;</P> <P>Vikas Deora, one of our Identity team program managers, has written a guest blog post with information about the new APIs and how to get started.</P> <P>&nbsp;</P> <P>As always, we’d love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the Azure Active Directory (Azure AD) feedback forum.</P> <P>&nbsp;</P> <P>Best Regards,</P> <P>Alex Simons</P> <P>Corporate Vice President Program Management</P> <P>Microsoft Identity Division<BR /><BR /></P> <P>-------</P> <P>&nbsp;</P> <P>Hi everyone,<BR /><BR /></P> <P>My name is Vikas Deora. I’m a program manager on the identity team at Microsoft, focused on Azure AD Conditional Access.<BR /><BR /></P> <P>At Microsoft Ignite, we announced that Azure AD Conditional Access APIs and named location APIs are now generally available. We have updated the APIs based on your feedback from the private and public previews with:<BR /><BR /></P> <UL> <LI>Inclusion in the Azure AD <A href="#" target="_blank" rel="noopener">PowerShell module</A></LI> <LI>Enabled app-only permissions</LI> <LI>Improved error messages<BR /><BR /></LI> </UL> <P>The APIs are documented <A href="#" target="_blank" rel="noopener">here</A>. 
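</P> <P>Here is an added example (my code, not Microsoft's published samples) of the create, list and delete calls walked through in the Get started section below, written against Python's standard library so it needs no extra package. Assumptions: the v1.0 <CODE>conditionalAccessPolicy</CODE> schema (<CODE>conditions</CODE>, <CODE>grantControls</CODE>, <CODE>state</CODE>) as documented for Graph, the well-known Exchange Online application id <CODE>00000002-0000-0ff1-ce00-000000000000</CODE>, the <CODE>AllTrusted</CODE> location alias, and a bearer token acquired separately with the Policy.ReadWrite.ConditionalAccess permission. The policy builder defaults to report-only state and the validator refuses to submit an all-users policy that excludes no emergency account, which are the two rollout safeguards the steps further down recommend.</P>

```python
"""Build, validate and submit a Conditional Access policy over Microsoft Graph.

Added example, not Microsoft's sample. Assumptions: the v1.0
conditionalAccessPolicy schema (conditions/grantControls/state) as documented
for Graph, the well-known Exchange Online app id, the "AllTrusted" location
alias, and a bearer token obtained separately with the
Policy.ReadWrite.ConditionalAccess permission.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
# Assumption: the well-known first-party application id for Exchange Online.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"
VALID_STATES = ("enabled", "disabled", "enabledForReportingButNotEnforced")


def mfa_for_exchange_from_untrusted(display_name="Require MFA for Exchange Online from untrusted networks",
                                    report_only=True, break_glass=()):
    """Policy object: all users (minus break-glass accounts), Exchange Online,
    any location except trusted named locations, grant requires MFA.
    Starts in report-only mode so sign-in logs show the impact before enforcing."""
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass)},
            "applications": {"includeApplications": [EXCHANGE_ONLINE_APP_ID]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def validate_policy(policy):
    """Pre-flight checks a deployment pipeline should run before POSTing."""
    problems = []
    if policy.get("state") not in VALID_STATES:
        problems.append("unknown state")
    users = policy.get("conditions", {}).get("users", {})
    if users.get("includeUsers") == ["All"] and not users.get("excludeUsers"):
        problems.append("policy applies to All users with no excluded break-glass account")
    if not policy.get("grantControls", {}).get("builtInControls"):
        problems.append("no grant control (policy would do nothing)")
    return problems


def graph_request(method, url, token, body=None):
    """Minimal Graph call (no retry/throttling handling); parsed JSON, or None for 204."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def create_policy(token, policy):
    """POST the policy only if it passes validation."""
    problems = validate_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    return graph_request("POST", GRAPH, token, policy)


def list_policies(token):
    """GET all policies; the collection is under "value"."""
    return graph_request("GET", GRAPH, token)["value"]


def delete_policy(token, policy_id):
    """DELETE one policy by id (204, no body)."""
    return graph_request("DELETE", f"{GRAPH}/{policy_id}", token)


if __name__ == "__main__":
    draft = mfa_for_exchange_from_untrusted(break_glass=["<break-glass-object-id>"])
    print(json.dumps(draft, indent=2))
    print("problems:", validate_policy(draft))
```

<P>The request body printed by the <CODE>__main__</CODE> block is what goes on the wire for the POST shown in the Get started section; keep such drafts in source control and promote them from report-only to enabled only after reviewing the report-only sign-in results.</P> <P>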
As part of Microsoft Graph, the interactions will be familiar to you – the core policy object lets you specify the conditions, controls, naming data and state for policies.<BR /><BR /></P> <H2>Get started<BR /><BR /></H2> <P>Here are some examples for you to get started using these APIs:</P> <P>&nbsp;</P> <P>If you want to create a new policy to require MFA when accessing Exchange Online from an untrusted network:</P> <P>&nbsp;</P> <P>POST <A href="#" target="_blank" rel="noopener">https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies</A></P> <P>Content-type: application/json</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CAAPI5.JPG" style="width: 897px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/226164iA4E585E09C89D4CB/image-size/large?v=v2&amp;px=999" role="button" title="CAAPI5.JPG" alt="CAAPI5.JPG" /></span></P> <P>&nbsp;</P> <P>To list all policies:</P> <P>&nbsp;</P> <P>GET <A href="#" target="_blank" rel="noopener">https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies</A></P> <P>&nbsp;</P> <P>Or delete a policy:</P> <P>&nbsp;</P> <P><SPAN>DELETE </SPAN><A href="#" target="_blank" rel="noopener">https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{id}</A></P> <P>&nbsp;</P> <P>Pretty straightforward – but where it gets fun is with the automation you can pull together – read on!<BR /><BR /></P> <H2>Conditional Access API samples – treating policy just like code</H2> <P><BR />Many of you told us you wanted to be able to <EM>treat</EM> <EM>Conditional Access policies just like code</EM>, so we have put together several scripts and tutorials for you to do just that. Here are the steps you can follow:<BR /><BR /></P> <OL> <LI><STRONG>Configure</STRONG> policies in your environment using <EM>templates</EM> like those offered by your favorite IDEs. 
Check out this <A href="#" target="_blank" rel="noopener">tutorial</A> to get you started with some quick-start API templates, and to learn more, check out the <A href="#" target="_blank" rel="noopener">conditional access API overview</A>.</LI> <LI><STRONG>Test</STRONG> the changes in a safe environment before starting an automated safe rollout to production. <A href="#" target="_blank" rel="noopener">Try this script</A> that allows you to perform safe rollout of policies from pre-production to production with approval workflow!</LI> <LI><STRONG>Deploy </STRONG>policies gradually to your user population, allowing you to manage support impact and spot issues early. <A href="#" target="_blank" rel="noopener">Start with this script</A> for one-click policy deployment with approval workflow!</LI> <LI><STRONG>Monitor </STRONG>policy configuration and the usage of policies in your environment. You can <A href="#" target="_blank" rel="noopener">use this script</A> to trigger alerts when someone edits key Conditional Access policies. You can choose to update Teams channels, get notifications in email that you can respond to or sign-up for notifications on other channels you prefer.</LI> <LI><STRONG>Manage:</STRONG> Policies may change over time. Safely make changes to the policy and rollout in your environment. <A href="#" target="_blank" rel="noopener">Use this script</A> to back up your policies in Azure or other cloud solutions or even on-premises. 
Here are a few bonuses - we have <A href="#" target="_blank" rel="noopener">published a script</A> that will manage <A href="#" target="_blank" rel="noopener">emergency accounts</A> for you, and you can <A href="#" target="_blank" rel="noopener">try this script</A> to help you manage resilient security policies that will fail over in the case of a service issue.<BR /><BR /></LI> </OL> <P>These are just a few key things customers have told us they want to do with the Conditional Access APIs, but we’d love to see a community around this where you can share your best ideas and scripts with each other! We’ve created a for Azure AD conditional access where these conversations can happen.<BR /><BR /></P> <P>If you have an interesting scenario and would like to request a sample script to do this, please share on the&nbsp;<A href="#" target="_blank" rel="noopener">Azure AD feedback forum</A>.</P> <P>&nbsp;</P> <P>All the best,</P> <P>Vikas Deora</P> <P>Program Manager</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> Tue, 13 Oct 2020 16:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/conditional-access-apis-are-generally-available/ba-p/1751702 Alex Simons (AZURE) 2020-10-13T16:00:00Z Continuous Access Evaluation in Azure AD is now in public preview! https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/continuous-access-evaluation-in-azure-ad-is-now-in-public/ba-p/1751704 <P>Howdy folks,</P> <P>&nbsp;</P> <P>A few months back, we <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/moving-towards-real-time-policy-and-security-enforcement/ba-p/1276933" target="_blank" rel="noopener">introduced</A> Continuous Access Evaluation (CAE) for tenants who had not configured any Conditional Access policies. 
CAE provides the next level of identity security by terminating active user sessions to a subset of Microsoft services (Exchange and Teams) in real time on changes such as account disable, password reset, and admin-initiated user revocation.</P> <P>&nbsp;</P> <P>Today marks an important milestone in bringing this capability to everyone – now CAE is available in public preview for Azure AD tenants who have configured Conditional Access policies. Microsoft services, like Exchange and SharePoint, can terminate active user sessions as soon as a Conditional Access policy violation is detected. More Microsoft services, such as Dynamics and Azure, will be enabled in the future. You can turn on CAE to improve the security posture in your tenant with just a few clicks!<BR /><BR /></P> <H3><SPAN>Getting started</SPAN></H3> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>For tenants with an Azure AD Premium subscription, you can configure CAE in our portal by going to </SPAN><SPAN>Azure Active Directory -&gt; Security -&gt; Continuous Access Evaluation. There you can Enable Preview, and you can also choose to configure this initially for a select set of users and groups. </SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DBada_0-1602198001896.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/225230i7F6E081D5F711331/image-size/large?v=v2&amp;px=999" role="button" title="DBada_0-1602198001896.png" alt="DBada_0-1602198001896.png" /></span></P> <P>&nbsp;</P> <P>If there are no Conditional Access policies configured in your tenant, CAE is already enabled for all users in your tenant and there are no additional actions you need to take. 
This is enabled even if your tenant has no Azure AD premium subscription.</P> <P>&nbsp;</P> <P>To learn more about these changes, check out here:&nbsp;<A href="#" target="_blank" rel="noopener">continuous access evaluation</A>.</P> <P><BR />As always, we’d love to hear any feedback or suggestions you have. Let us know what you think in the comments below or&nbsp;on&nbsp;the&nbsp;<A href="#" target="_blank" rel="noopener">Azure AD feedback forum</A>.&nbsp;</P> <P>&nbsp;</P> <P>Best regards,</P> <P>Alex Simons (twitter: <A href="#" target="_blank" rel="noopener">@alex_a_simons</A>)</P> <P>Corporate Vice President Program Management</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN><EM>Learn more about Microsoft identity:</EM></SPAN><SPAN>&nbsp;</SPAN></P> <UL> <LI><SPAN><EM>Related Articles:&nbsp;</EM></SPAN><A href="#" target="_blank" rel="noopener"><SPAN><EM>Continuous Access Evaluation</EM></SPAN></A><SPAN>&nbsp;</SPAN></LI> <LI><SPAN><EM>Return to the&nbsp;</EM></SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><SPAN><EM>Azure Active Directory Identity blog home</EM></SPAN></A><SPAN>&nbsp;</SPAN></LI> <LI><SPAN><EM>Join the conversation on&nbsp;</EM></SPAN><A href="#" target="_blank" rel="noopener"><SPAN><EM>Twitter</EM></SPAN></A><SPAN><EM>&nbsp;and&nbsp;</EM></SPAN><A href="#" target="_blank" rel="noopener"><SPAN><EM>LinkedIn</EM></SPAN></A><SPAN>&nbsp;</SPAN></LI> <LI><SPAN><EM>Share product suggestions on the&nbsp;</EM></SPAN><A href="#" target="_blank" rel="noopener"><SPAN><EM>Azure Feedback Forum</EM></SPAN></A><SPAN>&nbsp;</SPAN></LI> </UL> Fri, 09 Oct 2020 16:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/continuous-access-evaluation-in-azure-ad-is-now-in-public/ba-p/1751704 Alex Simons (AZURE) 2020-10-09T16:00:00Z Solving real problems for real customers 
https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/solving-real-problems-for-real-customers/ba-p/1756566 <P><EM>Last week, thousands of people gathered virtually to attend the Grace Hopper Celebration (GHC) of women in technology. In honor of GHC 20, we are spotlighting software industry veteran Sue Bohn, who attended the celebration. “It was very inspiring to see the depth of women in computing today and hear about their experiences,” Sue told me. “Grace Hopper once said that ‘a ship in port is safe, but that is not what ships are for.’ Seeing women today stepping out of the ‘safety zone’ to innovate and add to the profession and to the industry is really, really inspiring to me.” Sue exemplifies the spirit of trailblazers like Admiral Hopper. She has fundamentally changed how our engineering teams interact with customers to make our products best in class. She inspires me every day, and I hope her story inspires you as well.</EM></P> <P>&nbsp;</P> <P><EM>–Joy Chik</EM></P> <P><EM><BR />----</EM></P> <P>&nbsp;</P> <P>“People have this idea that our job is to create technology,” says Sue Bohn, director of the Customer and Partner Success Team (CXP) in Microsoft’s identity division. “It’s not. Our job is to give people solutions to problems. And we need to solve them the right way. What we think is easy as technologists isn’t always so easy for the average person. We need to understand that customers aren’t like us.”</P> <P>&nbsp;</P> <P>Although many customer-facing teams live in product support or marketing organizations, Sue’s program managers—who dedicate themselves to solving real problems for real customers—sit within the core engineering group. “We cut the distance between customers, partners, and our engineering team,” she explains. 
In an era of continuous development, there’s no way to operate at cloud speed without this high-bandwidth connection.</P> <P>&nbsp;</P> <H3>Customer-driven engineering<BR /><BR /></H3> <P>Continuous, collaborative engineering is decidedly different from waterfall development, which dominated before cloud times. “When the world used to be flat,” Sue muses, customers would evaluate, buy, deploy, and then operate software. “If there was a break-fix, they’d talk to support. Then they’d fall off the end of the earth, and we’d start all over three years later.”<BR /><BR /></P> <P>For each new product cycle, customers would sign up for a Technology Access Program to give early feedback on new features. They committed to go live with their deployment in time to participate in a big, splashy product launch. Requests for new features would enter a queue for consideration in subsequent product releases. “Then,” says Sue, “we’d find customers to look at the next thing and never close the loop with the ones who gave us feedback months or years before.”<BR /><BR /></P> <P>Today, the world is round. “We’re dropping new functionality into our service every day,” Sue reports. “And so are customers.” Given this accelerated pace of change, engineers now meet with customers and partners multiple times a week to collect feedback on the latest specs. “We really are co-engineering to build what customers want, as opposed to that big bang theory every three years.”<BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SueBohn1_2019_rect.jpg" style="width: 320px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/225175iEA050AED97A2F967/image-size/large?v=v2&amp;px=999" role="button" title="SueBohn1_2019_rect.jpg" alt="SueBohn1_2019_rect.jpg" /></span></P> <P>&nbsp;</P> <P>While building what customers want may seem like an obvious approach, it’s a muscle that has taken engineering culture time to strengthen. 
“Remember, we started as a languages company,” Sue says. “It was really easy then because the customer was us. A developer could say, ‘Self, do I like this feature? Yes,’ and keep on building. But unlike developers writing software for developers, we’re not like the end users creating orders in an ERP system or the doctor logging in to send a prescription. We no longer know who the customers are and what their needs are the way we did when we were writing for ourselves. That’s why my team exists. We have to make sure that we’re not doing what <EM>we</EM> want the customer to do, but what the <EM>customer</EM> needs to do.”<BR /><BR /></P> <H3>Putting customers before code<BR /><BR /></H3> <P>For Sue, joining the identity CXP team six years ago felt like coming home. Her work as a group program manager responsible for application compatibility in Windows had devolved, to her immense frustration, into a soulless quest to optimize bits. “This didn’t feel right to me,” she recalls. “I felt my real job was to understand which apps customers were using, how scary it was for them to upgrade their operating system, and to help them through that so they wouldn’t lose something in the process.”<BR /><BR /></P> <P>Thinking she had perhaps reached the end of the road after more than twenty years at Microsoft, Sue decided to take one last look at internal opportunities before heading out the door. She still remembers the day the following job description recaptured her imagination and her allegiance. It began,</P> <P>&nbsp;</P> <H4 class="lia-align-center"><EM>Are you looking for a product engineering role where you get to directly interact with customers and impact them every day? Are you interested in helping design the model for how Microsoft successfully works with customers to drive service usage in a cloud first world? Are you interested in an entrepreneurial opportunity leading a brand-new team that is being built as you are reading this? 
If you love big goals and a daring challenge, here is your opportunity to be a critical contributor to one of the company's fastest growing businesses.&nbsp;</EM></H4> <P>&nbsp;</P> <P>When Sue reached out to learn more about the role, she discovered that the hiring manager, a long-time colleague, had actually designed it with her in mind. When writing the job description, he had asked himself, “What would Sue do?”<BR /><BR /></P> <P>Sue raves, “It was just so refreshing to see that we were going to have an engineering team that was really building an understanding of the customer.”<BR /><BR /></P> <P>The CXP team began as an exercise in transactional support, helping customers deploy identity services and then sending them on their merry way. Although this objective was certainly customer-focused, the team had an ulterior motive. “We wanted to learn where the product had gaps, and we wanted to make the product better,” Sue explains. “But at the beginning, we were just trying to figure out who our customers were and what they needed.”<BR /><BR /></P> <H3>Recommitting for the long haul<STRONG><BR /><BR /></STRONG></H3> <P>Early on, a seminal customer trip reshaped the team’s strategy. During a visit to Scotland, Sue and a colleague, both fans of a high-end audio system manufacturer, took a personal side trip to the company headquarters in Glasgow. “The company CTO was literally standing in the parking lot waiting for us to come,” she recalls. Over the next two hours, the CTO gave them a tour of the factory, bought them lunch, and explained the company’s customer philosophy. “Their view of a customer was someone they would keep satisfied for 20 years,” Sue recounts.<BR /><BR /></P> <P>“Audio systems are like smartphones,” she continues. 
“There’s always something new, and if you’re an audiophile, there’s a ‘coolness’ of having the latest thing.” At the time of her visit, the CTO offered to upgrade the motherboards of a customer’s 16-year-old amps for the difference in price between the latest equipment and what they had originally paid—with a full five-year warranty.<BR /><BR /></P> <P>“What did he just do? He made them a customer for another 20 years,” Sue marvels. “It made me reflect on why we were trying to come up with the right exit strategy for customers in our program. We had become their trusted technical advisor helping them deploy our products, and now we were trying to get rid of them to make room for more customers. I thought, ‘Why are we walking away? Why don’t we keep our customers for 20 years?’”<BR /><BR /></P> <P>Sue internalized the big “aha” from this visit, that “long-term relationships do matter. Our customer relationships shouldn’t be transactional.” This shift in mindset coincided with the industry shift to subscription-based software. In the round world, Sue’s long-time personal focus on nurturing customers was no longer radical. It had become crucial to success for a business model where consumption is king.<BR /><BR /></P> <P>Once a customer deploys Azure Active Directory, she explains, the next step is to encourage them to use multifactor authentication (MFA) and then conditional access, which makes MFA more user-friendly. “Then we can talk about identity protection. And it goes on this way, like a flywheel, of different ways we can help our customers get value from what they own and weren’t fully using.”</P> <P>The team no longer talks about exit strategies for customers participating in the CXP program. Fully deployed customers instead “graduate,” remaining on the contact list as alumni. “But we haven’t gotten to many of those because we just keep adding new capabilities,” Sue says. 
“So, we have more reasons to continue nurturing those relationships, and the crowd keeps growing.”<BR /><BR /></P> <H3>“What we do really matters”</H3> <P><BR />In Sue’s mind, long-term customer relationships are more fulfilling than any new algorithm or feature would be. “I’ve always been interested in what computers could do for people,” she says. She might have inherited this instinct from her mother, a teacher who long ago skied to her one-room North Dakota schoolhouse to start the stove before classes began. “She followed her students throughout their lives. When she was in her 70s and 80s, she would see something in the paper that someone had done and say, ‘That was my student.’”<BR /><BR /></P> <P>Sue feels the same sense of pride in—and responsibility for—the customers her team supports. “Every day we get up and have to realize that what we do really, really matters,” she says. “If our services don’t run, first responders can’t sign in and doctors can’t access hospital records.” In recent months, when customers have pivoted to working from home because of COVID-19, the CXP team has been on high alert, working with engineers to ensure adequate capacity for the sharp jump in cloud-based authentications.<BR /><BR /></P> <P>Facing potential work stoppages, companies mulling long-term plans to cloud-shift their operations accelerated their digital transformation in the face of COVID-19. “Customers did a bunch of work in a week that literally would’ve taken months using the standard process of rolling things out in stages,” Sue offers. “COVID took a lot of the wiggle room out. They just had to do it. There was no choice.” She believes the relationships her team has built gave customers the confidence they needed to move ahead at full speed. “They trusted the guidance we gave them,” she says. 
“They knew that if it didn’t work, we would stand behind it.”<BR /><BR /></P> <P>Although the round world has further evolved in response to COVID-19, Sue vows that high-fidelity communications with customers will endure. “I worry that we’ll get into a place that customer obsession is optional,” she admits. “We can't afford to do that. The world's businesses have been growing, and now suddenly we come to a screeching halt. But that doesn't mean <EM>we</EM> stop. We know our customers will change, and so will their needs. We don’t know exactly how yet, but we’d better be talking to them to find out.”</P> Thu, 08 Oct 2020 20:30:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/solving-real-problems-for-real-customers/ba-p/1756566 Joy_Chik 2020-10-08T20:30:00Z Conditional Access Office 365 Suite now in GA! https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/conditional-access-office-365-suite-now-in-ga/ba-p/1751703 <P>Howdy folks,</P> <P>&nbsp;</P> <P>Today we’re announcing GA of Conditional Access for the Office 365 Suite! This makes it a whole lot easier to configure Conditional Access policy for Office 365. With a single click, you confidently set policy on all of the Office 365 apps, including Exchange Online, SharePoint Online, and Microsoft Teams, as well as micro-services used by these well-known apps.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CAo365.png" style="width: 413px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/225032iF4283B2157B522A9/image-dimensions/413x282?v=v2" width="413" height="282" role="button" title="CAo365.png" alt="CAo365.png" /></span></P> <P>&nbsp;</P> <P>We released Conditional Access for the Office 365 Suite to public preview in February, right before many employees switched to remote work in response to COVID-19, causing organizations to quickly update their access policies. 
The simplified experience helped thousands of organizations make this shift, so we also added it to our <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/frequent-questions-about-using-conditional-access-to-secure/ba-p/1276932" target="_blank" rel="noopener">secure remote access guidance</A><SPAN>.</SPAN> Since February, we’ve seen the usage of this policy grow to over <STRONG>7 million active users</STRONG>.</P> <P>&nbsp;</P> <P>With the GA release, if you haven’t already updated your policies to use the Office 365 Suite, you should do so now.&nbsp; Review any policies you have targeting individual Office apps to see if they can switch to Office 365 policy targeting.</P> <P>&nbsp;</P> <P>Using the Office 365 Suite ensures your users will have consistent policy requirements across Office 365. Office 365 apps use shared services for an integrated experience, like access to files, calendar, and contact information. Inconsistent policy across these services results in end users being interrupted or blocked at unexpected times with additional security prompts.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="cao3652.png" style="width: 488px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/225033i33C7F5428E328B52/image-dimensions/488x287?v=v2" width="488" height="287" role="button" title="cao3652.png" alt="cao3652.png" /></span></P> <P>&nbsp;</P> <P>Targeting the Office 365 Suite also means you don’t need to watch for new apps and manually update your policy as they become available—Conditional Access does that for you.</P> <P><STRONG>Share your feedback!</STRONG></P> <P>&nbsp;</P> <P>The Office 365 Suite in Conditional Access is the best way to apply policy to Office 365 apps. 
Here is some additional documentation so you can learn more about the&nbsp;<A href="#" target="_blank" rel="noopener">Conditional Access for the Office 365 suite</A>.</P> <P>&nbsp;</P> <P>Thank you to all our users who tried the preview and provided feedback. GA of this feature is just a start:&nbsp; we’re continuing to build richer options for Conditional Access and Office 365 so please keep the feedback coming.</P> <P>&nbsp;</P> <P>Best Regards,</P> <P>&nbsp;</P> <P>Alex Simons (Twitter: <A href="#" target="_blank" rel="noopener">@alex_a_simons</A>)</P> <P>Corporate Vice President Program Management</P> <P>Microsoft Corporation</P> Thu, 08 Oct 2020 16:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/conditional-access-office-365-suite-now-in-ga/ba-p/1751703 Alex Simons (AZURE) 2020-10-08T16:00:00Z Publisher verification and app consent policies are now generally available https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/publisher-verification-and-app-consent-policies-are-now/ba-p/1257374 <P>Howdy folks,</P> <P>&nbsp;</P> <P>With usage of cloud apps on the rise to enable remote work,&nbsp;<A href="#" target="_blank" rel="noopener">attackers have been looking to leverage application-based attacks</A>, such as&nbsp;<A href="#" target="_blank" rel="noopener">consent phishing</A>, to gain unwarranted access to valuable data in cloud services. 
To protect our customers from such attacks while continuing to foster a secure and trustworthy app ecosystem, we're announcing three new updates:&nbsp;</P> <P>&nbsp;</P> <UL> <LI>General availability of publisher verification</LI> <LI>User consent updates for unverified publishers</LI> <LI>General availability of app consent policies<BR /><BR /></LI> </UL> <H2>General availability of publisher verification<BR /></H2> <P><BR />Last week at Microsoft Ignite, we announced that <A href="#" target="_blank" rel="noopener">publisher verification</A> is now generally available. This capability allows developers to add a verified identity to their app registrations and demonstrate to customers that the app comes from an authentic source. We announced public preview at <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/build-2020-fostering-a-secure-and-trustworthy-app-ecosystem-for/ba-p/1257360" target="_blank" rel="noopener">Build in May</A>, and over 700 app publishers have since added a verified publisher to over 1300 app registrations.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DBada_0-1602024378764.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/224688iAFB7D9F29E85C8D4/image-size/large?v=v2&amp;px=999" role="button" title="DBada_0-1602024378764.png" alt="DBada_0-1602024378764.png" /></span></P> <P><BR />For developers, publisher verification allows them to distinguish their apps to customers by receiving a “verified” badge that appears on the Azure AD consent prompt.<BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DBada_1-1602024378773.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/224686i5FE90F733623FB20/image-size/large?v=v2&amp;px=999" role="button" title="DBada_1-1602024378773.png" alt="DBada_1-1602024378773.png" /></span></P> <P>&nbsp;</P> <P>Admins can also set user consent policies based on whether an app is publisher verified, helping streamline adoption. Developers who are building for Microsoft 365 and want to further distinguish their apps can also participate in the <A href="#" target="_blank" rel="noopener">Microsoft 365 App Certification</A> program.<BR /><BR /></P> <H2>User consent updates for unverified publishers</H2> <P><BR />With publisher verification now generally available, we will be making changes that help protect users from app-based attacks. <STRONG>End users will no longer be able to consent to new multi-tenant apps registered after November 8<SUP>th</SUP>, 2020 coming from unverified publishers.</STRONG> These apps may be flagged as risky and will be shown as unverified on the consent screen. Apps requesting basic sign-in and permissions to read the user profile will not be affected, nor will apps requesting consent in their own tenants.<BR /><BR /></P> <P>To prepare for this change if you are an app developer, <A href="#" target="_blank" rel="noopener">add a verified publisher</A> to all your multi-tenant app registrations.<BR /><BR /></P> <H2>General availability of app consent policies</H2> <P>&nbsp;</P> <P>To help admins control what apps their users can consent to, we’re announcing general availability of the new <A href="#" target="_blank" rel="noopener">app policies for end user consent</A>. With app consent policies, admins have more control over the apps and permissions to which users can consent.<BR /><BR /></P> <P>Customers can manage settings for user consent by choosing from the built-in app consent policies shown in the screenshot below:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="appconsent3.png" style="width: 622px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/224693i452AB25E419BAE8B/image-dimensions/622x212?v=v2" width="622" height="212" role="button" title="appconsent3.png" alt="appconsent3.png" /></span></P> <P>&nbsp;</P> <P>Customers can also use Azure AD PowerShell or Microsoft Graph to&nbsp;<A href="#" target="_blank" rel="noopener">create custom consent policies</A>&nbsp;for even more control. These policies can include conditions that apply to the app, the publisher, or the permissions the app is requesting. Additionally, custom directory roles now support the&nbsp;<A href="#" target="_blank" rel="noopener">permission to grant consent</A>, limited by app consent policies. This enables scenarios such as delegating the ability to consent only for some permissions, and creating least-privileged automation to manage authorization for apps.&nbsp;</P> <P>&nbsp;</P> <P>We recommend that customers set their policy to allow&nbsp;<A href="#" target="_blank" rel="noopener">user consent for apps</A>&nbsp;from verified publishers and configure the <A href="#" target="_blank" rel="noopener">admin consent workflow</A> to streamline access for end users who are not allowed to consent.</P> <P>&nbsp;</P> <P>As always, we'd love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below. For additional best practices to protect your organization from app-based attacks, be sure to check out the resources below:&nbsp;</P> <P>&nbsp;</P> <UL> <LI><SPAN><A href="#" target="_blank" rel="noopener">Manage consent to applications and evaluate consent requests</A></SPAN></LI> <LI><SPAN><A href="#" target="_blank" rel="noopener">Protecting your remote workforce from application-based attacks like consent phishing</A></SPAN></LI> <LI><SPAN><A href="#" target="_blank" rel="noopener">Detect and Remediate Illicit Consent Grants in Office 365</A></SPAN></LI> <LI><A href="#" target="_self">Five steps to securing your identity infrastructure</A></LI> </UL> <P>&nbsp;</P> <P><SPAN>Best regards, </SPAN></P> <P><SPAN>Alex Simons (Twitter: <A href="#" target="_self">@Alex_A_Simons</A>)</SPAN></P> <P><SPAN>Corporate Vice President of Program Management</SPAN></P> <P><SPAN>Microsoft Identity Division</SPAN></P> <P>&nbsp;</P> Wed, 07 Oct 2020 21:00:07 GMT 
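<P>The recommended configuration from the post above (user consent only for verified publishers, everything else routed to the admin consent workflow), written as an added example with the AzureADPreview module cmdlets rather than code from the post itself. The policy id and display text are placeholders, and the "low" classification assumes the tenant has already classified some delegated permissions as low risk.</P>

```powershell
# Added example (not from the post): a custom app consent policy that lets users
# consent only to delegated permissions classified "low" when the requesting app
# has a verified publisher. Anything else falls through to the admin consent
# workflow, which is enabled separately in the portal.
# Requires the AzureADPreview module.
Connect-AzureAD

$policyId = "consent-policy-verified-publishers"   # placeholder id

# 1. Create the (initially empty) custom consent policy.
New-AzureADMSPermissionGrantPolicy `
    -Id $policyId `
    -DisplayName "Verified publishers, low-risk delegated permissions only" `
    -Description "Users may self-consent only to low-risk delegated permissions requested by verified-publisher apps."

# 2. "includes" condition set: the request must match ALL of these conditions
#    for the policy to allow user consent. Permission classifications are set by
#    the admin under Enterprise applications > Permission classifications.
New-AzureADMSPermissionGrantConditionSet `
    -PolicyId $policyId `
    -ConditionSetType "includes" `
    -PermissionType "delegated" `
    -PermissionClassification "low" `
    -ClientApplicationsFromVerifiedPublisherOnly $true

# 3. Assign the policy to the default user role. This replaces whichever
#    built-in user consent policy was in effect (list them with
#    Get-AzureADMSPermissionGrantPolicy if you want to compare).
Set-AzureADMSAuthorizationPolicy -DefaultUserRolePermissions @{
    "PermissionGrantPoliciesAssigned" = @("managePermissionGrantsForSelf.$policyId")
}

# 4. Verify what is now in effect: the assigned policy and its condition sets.
(Get-AzureADMSAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
Get-AzureADMSPermissionGrantConditionSet -PolicyId $policyId -ConditionSetType "includes" |
    Select-Object PermissionType, PermissionClassification, ClientApplicationsFromVerifiedPublisherOnly
```

<P>To return to one of the built-in policies later, assign its id in the same <CODE>PermissionGrantPoliciesAssigned</CODE> array instead of the custom one.</P>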
https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/publisher-verification-and-app-consent-policies-are-now/ba-p/1257374 Alex Simons (AZURE) 2020-10-07T21:00:07Z Top 7 Microsoft Identity partnership announcements at Ignite 2020 https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/top-7-microsoft-identity-partnership-announcements-at-ignite/ba-p/1257352 <P>In the past 6 months, I’ve spoken to customers around the world about the challenges associated with providing secure and seamless access for a remote workforce. Organizations need to maximize user productivity while safeguarding the business from cyber threats, but they also must reduce costs in light of today’s difficult economic conditions. To help you meet these goals, Microsoft announced <A href="#" target="_blank" rel="noopener">several new product enhancements for Ignite 2020</A>. But we can’t go at it alone. Partnerships play a key role in complementing our built-in capabilities. Today, I’d like to share 7 key ways solutions from partners working with Microsoft enable a secure, productive workforce.</P> <P>&nbsp;</P> <H2>Simplifying identity management and access to your apps<BR /><BR /></H2> <P>Software-as-a-service (SaaS) and cloud-based apps have been key enablers of user productivity—especially with so many people working from home. Out of the box, Azure AD integrates with&nbsp;leading SaaS apps, with more added every month. These integrations simplify user lifecycle management and app provisioning, allowing you to automatically create and update user identities and roles. 
Adobe and ServiceNow are two partners with whom we’ve developed integrations that ensure employees have access to the right applications throughout their tenure at your organization.</P> <P>&nbsp;</P> <H4>Adobe announces support for SCIM-based provisioning</H4> <P>To streamline access and administration of its business-critical apps, Adobe has announced a SCIM standard-based app provisioning integration for its core Adobe Identity Management platform. Working with Microsoft IT as a customer to get insights, Adobe has built an updated admin experience, which will make it easier to manage user lifecycles across Adobe Creative Cloud, Adobe Document Cloud, and Adobe Experience Cloud. This integration will be available for limited preview in October and generally available for customers by the end of 2020.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MSFT Ignite 2020 Blog Post_Azure SCIM Connector .jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/221587iD92F7AE48D0B3020/image-size/large?v=v2&amp;px=999" role="button" title="MSFT Ignite 2020 Blog Post_Azure SCIM Connector .jpg" alt="Screenshot of updated Adobe Admin experience to enable SCIM provisioning with Azure AD. Experience subject to change." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Screenshot of updated Adobe Admin experience to enable SCIM provisioning with Azure AD. 
Experience subject to change.</span></span></P> <P>&nbsp;</P> <H4>ServiceNow integrates with Azure AD to automate new hire onboarding</H4> <P>ServiceNow recently announced in their latest <A href="#" target="_blank" rel="noopener">Now Platform Paris release</A> new capabilities to automatically kick off&nbsp;the right&nbsp;onboarding&nbsp;workflows as soon as a new&nbsp;employee&nbsp;profile is created in Azure&nbsp;AD.&nbsp;IT and hiring managers can automatically provision application access for new hires through Azure AD, including from an HR system, increasing productivity for employees and support teams.&nbsp;This integration automates the whole onboarding workflow from case creation in <A href="#" target="_blank" rel="noopener">ServiceNow HR Service Delivery</A>, to role assignment by the hiring manager, and application provisioning by IT based on the new hire’s role.&nbsp;<A href="#" target="_blank" rel="noopener">Learn more about ServiceNow and Azure AD’s new employee onboarding capabilities</A>.</P> <P>&nbsp;</P> <H4>Saviynt is partnering with Azure AD to provide advanced identity governance capabilities to customers</H4> <P>Saviynt is working with Microsoft and Azure AD to provide additional governance scenarios to customers. <A href="#" target="_blank" rel="noopener">Saviynt Cloud Privileged Access Management (PAM)</A> now integrates with Azure AD Privileged Identity Management and Identity Protection to create an identity-led, Zero Trust security service to accelerate an enterprise’s digital transformation journey. Saviynt Cloud PAM has also extended its solution to provide privileged access for Microsoft Azure IaaS and expanded <A href="#" target="_blank" rel="noopener">governance to Azure AD B2C customers</A> (public preview coming soon). 
In the recent update to the <A href="#" target="_blank" rel="noopener">Saviynt for Microsoft Teams governance</A>, the solution now provides Microsoft Teams site succession management and support for Teams Private Channels. <A href="#" target="_blank" rel="noopener">Learn more about the Azure AD and Saviynt partnership</A>.</P> <P>&nbsp;</P> <H2>Enabling stronger security through passwordless, identity verification, and threat intelligence</H2> <P>With more employees working from home, we know that security is even more top of mind. This starts with securing identities. Azure AD capabilities like passwordless are designed to help protect identities with minimal impact on employees. Security operations (SecOps) teams also need greater visibility so they can take the right actions to remediate threats. Several recent partnerships have helped us advance these goals.</P> <P>&nbsp;</P> <H4>Illusive Networks integrates with Microsoft Security and Azure AD APIs</H4> <P>Illusive Networks enhances the visibility and monitoring of vulnerable privileged identities in Azure AD, such as redundant identities, identities with excessive privileges, risky practices (e.g. Azure MFA disabled), and unauthenticated identities. <A href="#" target="_blank" rel="noopener">Learn more about Illusive Networks’ new integrations across Microsoft Security products.</A></P> <P>&nbsp;</P> <H4>Yubico enables the move to passwordless</H4> <P>Weak passwords are the most vulnerable attack vector, which is why we are such strong advocates of passwordless technologies. To help reduce the reliance on passwords, we’ve developed a <A href="#" target="_blank" rel="noopener">limited time offer with Yubico</A> where qualified services partners can nominate their customers to go passwordless. <A href="#" target="_blank" rel="noopener">Learn more about the new program and ways we’re partnering with Yubico in the video below. 
</A></P> <P>&nbsp;</P> <P><IFRAME src="https://www.youtube.com/embed/otNun5mdXkM" width="560" height="315" frameborder="0" allowfullscreen="allowfullscreen" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture"></IFRAME></P> <P>&nbsp;</P> <H3>Enabling Identity Proofing and Verification capabilities to Azure AD B2C through partners</H3> <P>As more businesses move online, they need to verify and onboard customers remotely. <A href="#" target="_self">Jumio</A> and <A href="#" target="_self">Onfido</A> now enable Azure AD B2C customers to perform identity card (passport or driver license) scanning, identity verification, and liveness detection during a user's journey.</P> <P>&nbsp;</P> <H2>Protect legacy applications through new secure hybrid access partnerships</H2> <P data-unlink="true">During the COVID-19 outbreak, our customers need to access all mission-critical apps from home securely, including legacy applications. While Azure AD Application Proxy can provide remote access to your legacy apps, we know that some customers prefer to use their existing application delivery networks, VPNs, or Software Defined Perimeter solutions. 
That’s why <A href="#" target="_self">we're expanding our Secure Hybrid Access Partnerships to include new partners</A> such as <A href="#" target="_blank" rel="noopener">Kemp</A>, <A href="#" target="_blank" rel="noopener">Palo Alto Networks</A>, <A href="#" target="_blank" rel="noopener">Cisco AnyConnect</A>, and <A href="#" target="_blank" rel="noopener">Fortinet</A>, as well as <A href="#" target="_blank" rel="noopener">Strata</A> and <A href="#" target="_blank" rel="noopener">Ping Identity</A> for Azure AD B2C customers.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="All SHA Partners New and Existing.JPG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/221588iB856E3751529F358/image-size/large?v=v2&amp;px=999" role="button" title="All SHA Partners New and Existing.JPG" alt="All SHA Partners New and Existing.JPG" /></span></P> <P>&nbsp;</P> <P>We hope all these announcements are welcome additions as you support the new realities of remote work. Please let us know any feedback you have, including any other partners you think we should be working with to improve the employee experience and security.</P> <P>&nbsp;</P> <H3>Join us virtually, on-demand for Identity Partner Sessions at Ignite 2020</H3> <P>While we wish we could have met in person this year at <A href="#" target="_blank" rel="noopener">Microsoft Ignite 2020</A>, we have a great line-up of free, virtual sessions to share with you wherever you are in the world. Register for free <A href="#" target="_blank" rel="noopener">here</A>.</P> <P>&nbsp;</P> <P>All the Microsoft Identity sessions, on-demand, can be found <A href="#" target="_blank" rel="noopener">on this Microsoft Ignite playlist</A> or the <A href="#" target="_blank" rel="noopener">Video Hub</A>. 
Here are my top sessions to attend that relate to our partner solutions:</P> <OL> <LI><A href="#" target="_blank" rel="noopener">Azure Active Directory: our vision and roadmap to help you secure remote access and boost employee productivity</A></LI> <LI><A href="#" target="_blank" rel="noopener">Save money by securing access to all your apps with Azure Active Directory</A></LI> <LI><A href="#" target="_blank" rel="noopener">Bridge the gap between HR, IT and business with Azure Active Directory</A></LI> <LI><A href="#" target="_blank" rel="noopener">Build experiences that customers and partners will love with Azure Active Directory External Identities</A></LI> </OL> <P>&nbsp;</P> <P>Best regards,</P> <P>Sue Bohn</P> <P>Partner Director of Program Management</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> Thu, 24 Sep 2020 16:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/top-7-microsoft-identity-partnership-announcements-at-ignite/ba-p/1257352 Sue Bohn 2020-09-24T16:00:00Z What's new in Azure Active Directory at Microsoft Ignite 2020 https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/what-s-new-in-azure-active-directory-at-microsoft-ignite-2020/ba-p/1257373 <P><SPAN>Howdy folks,</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>I’m excited to join all of you tuning into this year’s digital edition of Microsoft Ignite. </SPAN><SPAN>Over the past months, we have been inspired by your resilience as many of you adapted to remote work, with identity at the heart of how you secure access and protect your users. 
Later this morning, my boss, Joy Chik, will take the virtual stage to share </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>several exciting Azure Active Directory announcements</STRONG></A><SPAN> that have been shaped by what we learned from you.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P>Be sure to tune in to <A href="#" target="_blank" rel="noopener"><STRONG><EM>Azure Active Directory: our vision and roadmap to help you secure remote access and boost employee productivity</EM></STRONG></A> today, <STRONG>September 22<SUP>nd</SUP> starting at 11:30 am PT</STRONG><SPAN> to watch our latest identity features in action, with later airings for additional regions. Tomorrow, I will also be recapping our </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>latest investments in Azure Active Directory</STRONG></A><SPAN>, live on <STRONG>September 23<SUP>rd</SUP> at 12:45 pm PT.</STRONG></SPAN></P> <P><SPAN><STRONG>&nbsp;</STRONG></SPAN></P> <H2><SPAN>Join us virtually, live or on-demand</SPAN></H2> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>No matter where you are in the world, I hope you will join us through our live and pre-recorded sessions. 
</SPAN>Join the conversation on <A href="#" target="_blank" rel="noopener">Twitter</A> and <A href="#" target="_blank" rel="noopener">LinkedIn</A> with the hashtag #MSIgnite.</P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN><STRONG>Additional live events covering our top identity news</STRONG></SPAN></P> <UL> <LI><SPAN><EM>Achieve resilience with Security, Compliance, and Identity</EM></SPAN><SPAN> first airing on Tuesday, September 22<SUP>nd</SUP> at </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>10:45 am PT</STRONG></A></LI> <LI><SPAN><EM>Save money by securing access to all your apps with Azure AD</EM></SPAN><SPAN> first airing on Tuesday, September 22<SUP>nd</SUP> at </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>1:45 pm PT</STRONG></A></LI> <LI><SPAN><EM>Implementing the Zero Trust Maturity Model at Microsoft</EM></SPAN><SPAN> airing Tuesday, September 22<SUP>nd</SUP> at </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>1:45 pm PT</STRONG></A></LI> <LI><SPAN><EM>Zero Trust – the road ahead</EM></SPAN><SPAN> first airing Wednesday, September 23<SUP>rd</SUP> at </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>11:30 am PT</STRONG></A></LI> <LI><SPAN><EM>Winning Azure AD strategies for identity security and governance</EM></SPAN><SPAN> first airing on Wednesday, September 23<SUP>rd</SUP> at </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>1:45 pm PT</STRONG></A></LI> <LI><SPAN><EM>Taking identity and privacy to a new level | Verifiable Credentials with decentralized identity using blockchain</EM></SPAN><SPAN> airing Wednesday, September 23<SUP>rd</SUP> at </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>2:00 pm PT</STRONG></A></LI> </UL> <P><SPAN><STRONG>&nbsp;</STRONG></SPAN></P> <P><SPAN><STRONG>On-demand sessions focused on technical deep dives and best practices</STRONG></SPAN></P> <UL> <LI><SPAN><EM>Accelerate your hybrid identity journey with Azure AD</EM></SPAN><SPAN> – </SPAN><A href="#" target="_blank" 
rel="noopener"><STRONG>watch now</STRONG></A></LI> <LI><SPAN><EM>Assume Breach! Zero Trust attack response!</EM></SPAN><SPAN> – </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>watch now</STRONG></A></LI> <LI><SPAN><EM>Azure AD best practices for managing your remote workforce</EM></SPAN><SPAN> – </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>watch now</STRONG></A></LI> <LI><SPAN><EM>Bridge the gap between HR, IT and business with Azure AD</EM></SPAN><SPAN> – </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>watch now</STRONG></A></LI> <LI><SPAN><EM>Build experiences that customers and partners will love with Azure AD External Identities</EM></SPAN><SPAN> – </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>watch now</STRONG></A></LI> <LI><SPAN><EM>Develop secure and trustworthy apps that reach thousands of enterprise customers</EM></SPAN><SPAN> – </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>watch now</STRONG></A></LI> <LI><SPAN><EM>Get to least privilege in Azure AD and Microsoft 365 using RBAC and PIM</EM></SPAN><SPAN> – </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>watch now</STRONG></A></LI> <LI><SPAN><EM>Govern access for employees and partners with Azure AD Identity Governance</EM></SPAN><SPAN> – </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>watch now</STRONG></A></LI> <LI><SPAN><EM>Identity for the Firstline Workforce: Empowering IT, managers, and Firstline Workers</EM></SPAN><SPAN> – </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>watch now</STRONG></A></LI> <LI><SPAN><EM>Implementing Zero Trust at Microsoft</EM></SPAN><SPAN> – </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>watch now</STRONG></A></LI> <LI><SPAN><EM>Integrating CASB into IAM for a comprehensive identity security strategy</EM></SPAN><SPAN> – </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>watch now</STRONG></A></LI> <LI><SPAN><EM>Integrating on-premises resources in your Zero Trust 
journey</EM></SPAN><SPAN> – </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>watch now</STRONG></A></LI> <LI><SPAN><EM>Ninja skills: manage your Conditional Access policies at scale</EM></SPAN><SPAN> – </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>watch now</STRONG></A></LI> <LI><SPAN><EM>Reduce IT friction with seamless identity end-user experiences</EM></SPAN><SPAN> – </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>watch now</STRONG></A></LI> <LI><SPAN><EM>Reduce your on-premises authentication infrastructure with Azure AD</EM></SPAN><SPAN> – Coming soon</SPAN></LI> <LI><SPAN><EM>Simplify authentication and authorization with the Microsoft identity platform</EM></SPAN><SPAN> – </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>watch now</STRONG></A></LI> <LI><SPAN><EM>The science behind Azure AD Identity Protection</EM></SPAN><SPAN> – </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>watch now</STRONG></A></LI> <LI><SPAN><EM>The state of passwordless in the enterprise</EM></SPAN><SPAN> – </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>watch now</STRONG></A></LI> <LI><SPAN><EM>Zero Trust for all your users – employees, partners, vendors and customers</EM></SPAN><SPAN> – <STRONG><A href="#" target="_blank">watch now</A></STRONG></SPAN></LI> </UL> <P><SPAN><STRONG>&nbsp;</STRONG></SPAN></P> <P><SPAN><STRONG>Opportunities to engage with our identity experts</STRONG></SPAN></P> <UL> <LI><SPAN>After live session airings, come ask our experts your questions on our Azure AD </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>roadmap and vision</STRONG></A><SPAN>, saving money while securing </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>access to apps</STRONG></A><SPAN>, building </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>winning strategies</STRONG></A><SPAN> for identity security and governance, and the road ahead for </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>Zero 
Trust</STRONG></A></LI> <LI><SPAN>Meet with experts and peers, and explore your community online in the Ignite </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>Connection Zone</STRONG></A></LI> <LI><SPAN>Join the conversation on </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>Twitter</STRONG></A><SPAN> and </SPAN><A href="#" target="_blank" rel="noopener"><STRONG>LinkedIn</STRONG></A></LI> </UL> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>Best Regards,</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>Alex Simons</SPAN></P> <P><SPAN>Corporate Vice President Program Management</SPAN></P> <P><SPAN>Microsoft Identity Division</SPAN></P> Tue, 22 Sep 2020 15:15:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/what-s-new-in-azure-active-directory-at-microsoft-ignite-2020/ba-p/1257373 Alex Simons (AZURE) 2020-09-22T15:15:00Z Best practices to simplify governing employee access across your applications, groups and teams https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/best-practices-to-simplify-governing-employee-access-across-your/ba-p/1676065 <P><EM>Guest post authored by Mark Wahl, Principal Program Manager, Microsoft Identity Division</EM></P> <P>&nbsp;</P> <P>In the modern workforce, the emergence of hybrid cloud deployments and collaborative applications makes it easy for employees to share information, data, and files with other internal as well as external users, helping them collaborate easily with vendors, business partners, contractors and customers. Managing all the access across different resources – Office groups, Teams, SharePoint sites, as well as your own applications and SaaS applications – is challenging. As requirements change, with new applications being added or users needing additional access rights, IT staff may not know who should have access or to which applications. 
To succeed at scale, an identity governance process must let every user’s access change with their needs, without requiring IT staff to be involved in each access request.</P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">Azure AD entitlement management</A>, a feature of <A href="#" target="_blank" rel="noopener">Azure AD identity governance</A>, helps organizations manage their access lifecycle at scale by automating request workflows, assignments, reviews, and expiration. You can empower users to request access to the resources they need. These requests and the resulting access can be approved and regularly reviewed by people across the organization who know whether someone should still have access.</P> <P>&nbsp;</P> <P>Here are some common questions we’ve received from customers about how to manage employee access.</P> <P>&nbsp;</P> <P><STRONG>Question 1. In the past we’ve configured that our AD- and ADFS-connected applications were open to everyone in the directory to access, as we only had employees and vendors in our AD. Now that we’ve moved these applications to Azure AD, we want to lock down access to those apps and move to app assignments so that users don’t inadvertently have access. What are the best ways to manage application assignments to make sure users don’t have access they don’t need?</STRONG></P> <P>&nbsp;</P> <P>Azure Active Directory (Azure AD) supports multiple approaches to access management for your applications, including SaaS apps, cloud-based federated apps, and on-premises AD-connected applications published through Azure AD Application Proxy, so organizations can strike the right balance of access policies, ranging from automatic, attribute-based assignment to delegated assignment.</P> <P>&nbsp;</P> <P>As described in the article <A href="#" target="_blank" rel="noopener">managing access to apps</A>, traditionally access management starts 
with either individual assignment, one for each user, or group-based assignment. Group-based assignment works well if you have an existing security group that you could re-use. However, keeping the membership consistent can be challenging if you have multiple applications. Suppose a user named Alice, and others in the same department as her, need access today to two apps. If there’s a group that has Alice and the other users as members, you could assign that group to those two apps. However, if Alice no longer needs one of the apps, that would require restructuring the groups to avoid audit findings of users having excessive access, and could lead to a proliferation of groups, potentially as many as there are apps.</P> <P>&nbsp;</P> <P>Another way to manage access to applications is for the users to receive entitlement management assignments for an access package that includes those applications, and have those assignments set to expire or be regularly reviewed. Through Azure AD entitlement management in the Azure portal, an administrator or a resource owner can create an access package with one or more applications. A user can request access to that access package through the <A href="#" target="_blank" rel="noopener">myaccess.microsoft.com</A> UI, or an access package catalog owner can assign access to users in the Azure portal. You can also have users request or create assignments programmatically, through Microsoft Graph, as shown in the <A href="#" target="_blank" rel="noopener">tutorial for how to create an access package using Microsoft Graph APIs</A>. When a user is approved for access to the access package, they are assigned to the application.</P> <P>&nbsp;</P> <P>You can ensure that users do not have access indefinitely by configuring automatic access reviews as part of the policy. 
You could have different policies for different collections of users so that their review schedule is based on the likelihood of the user no longer needing access or the risk of inadvertent continued access. Each policy in an access package can have a different access review recurrence or different reviewers.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="gov1.JPG" style="width: 559px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/219444i012C2473EE7DC495/image-size/large?v=v2&amp;px=999" role="button" title="gov1.JPG" alt="The “Create policy” screen in the Azure portal for an Azure AD access package, showing the lifecycle tab in which quarterly access reviews are required." /><span class="lia-inline-image-caption">The “Create policy” screen in the Azure portal for an Azure AD access package, showing the lifecycle tab in which quarterly access reviews are required.</span></span></P> <P>&nbsp;</P> <P>For example, you could have one policy that gives users in the IT department a shorter maximum duration of access, as they’re performing administrative tasks, and another policy for users in other departments.</P> <P>&nbsp;</P> <P><STRONG>Question 2</STRONG>. <STRONG>What about giving users access to Office 365 and other Microsoft applications? Not everyone in the directory has a license, and we don’t have relevant data in our HR system to be able to create a dynamic group of just those people who need a license.</STRONG></P> <P>&nbsp;</P> <P>For applications in Office 365 or other paid suites, users can be granted access through license assignment, either directly to their user account or through a group using group-based license assignment.</P> <P>&nbsp;</P> <P>Combining <A href="#" target="_blank" rel="noopener">group-based licensing</A> and entitlement management for users to 
request an access package that results in license assignments simplifies giving users the licenses they need.</P> <P>First, in the Azure portal, create an Azure AD security group, and configure that group to give license assignments.</P> <P>&nbsp;</P> <P>Then, create an access package containing membership in that group as a resource. If you select the requestor’s manager as the approver in the policy, then each requestor’s manager can decide whether the requesting user needs the license for these applications.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="gov2.JPG" style="width: 501px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/219445i3450A7144BF8ECBA/image-size/large?v=v2&amp;px=999" role="button" title="gov2.JPG" alt="The “New access package” screen in the Azure portal, for a policy configuring manager as approver." /><span class="lia-inline-image-caption">The “New access package” screen in the Azure portal, for a policy configuring manager as approver.</span></span></P> <P>&nbsp;</P> <P>Once a user requests and is approved, they’re automatically added to the security group, and group-based license assignment gives them a license.</P> <P>&nbsp;</P> <P>In access packages which give licenses, you may wish to configure a long duration prior to access package expiration, or a “Never” setting combined with access reviews, to avoid a user inadvertently losing their access package assignment and their use of Office while on vacation or on leave.</P> <P>&nbsp;</P> <P><STRONG>Question 3. As we roll out Office groups and Microsoft Teams in our organizations, employees may inadvertently try to join public teams that sound relevant but aren’t the appropriate team for them. 
How can we cut down on unnecessary work for team owners to approve requests and maintain their memberships?</STRONG></P> <P>&nbsp;</P> <P>An organization can publish a curated collection of teams that they want to make available for users to join by creating access packages for each one (they can include multiple teams in a single access package as well). They can then configure approval by the requestor’s manager, by a departmental list of approvers, or both. Once approved, the user is added to the Office group and team, and can collaborate.</P> <P>&nbsp;</P> <P>For example, if it isn’t known in advance who will need to be a member of a team, such as for a marketing launch, the marketing department could create the team as private. Next, the team owners could manually add, or share a code with, those individuals who are known and likely to need to be part of that team.</P> <P>&nbsp;</P> <P>To bring in the rest of the necessary members from other departments who aren’t known in advance, while avoiding users being added who have no business requirement, they could create an access package for that team.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="gov3.JPG" style="width: 652px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/219446i858378EA02E40D4D/image-size/large?v=v2&amp;px=999" role="button" title="gov3.JPG" alt="The “New access package” screen in the Azure portal." 
/><span class="lia-inline-image-caption">The “New access package” screen in the Azure portal.</span></span></P> <P>&nbsp;</P> <P>If there are additional resources, such as a SharePoint Online site or applications, those could be added to the access package as well.</P> <P>&nbsp;</P> <P>The policies for the access package could be scoped to allow only certain users to request access, and could also require approval by both the requestor’s manager and the members of a departmental group.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="gov4.JPG" style="width: 853px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/219447i5F9A353B54D5D76B/image-size/large?v=v2&amp;px=999" role="button" title="gov4.JPG" alt="The “New access package” screen in the Azure portal, creating a policy for all member users to be able to request." /><span class="lia-inline-image-caption">The “New access package” screen in the Azure portal, creating a policy for all member users to be able to request.</span></span></P> <P>&nbsp;</P> <P>The first stage would specify the manager as approver. You can also configure a fallback approver for requestors who don’t have a manager.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="gov5.JPG" style="width: 572px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/219448i2ECA9614E3E6CC1E/image-size/large?v=v2&amp;px=999" role="button" title="gov5.JPG" alt="The “New access package” screen in the Azure portal, setting the first approver stage in a multi-stage approval workflow." 
/><span class="lia-inline-image-caption">The “New access package” screen in the Azure portal, setting the first approver stage in a multi-stage approval workflow.</span></span></P> <P>&nbsp;</P> <P>And the second stage could have a different approver, such as the members of a group.</P> <P>&nbsp;</P> <P>The assignments created through that access package could also be set to expire automatically on a predefined date, to avoid users remaining in the team indefinitely.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="gov6.JPG" style="width: 570px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/219449i50B791DA567E3BA3/image-size/large?v=v2&amp;px=999" role="button" title="gov6.JPG" alt="The “New access package” screen in the Azure portal, setting the access package assignment lifecycle for the policy." /><span class="lia-inline-image-caption">The “New access package” screen in the Azure portal, setting the access package assignment lifecycle for the policy.</span></span></P> <P>&nbsp;</P> <P>Furthermore, additional resources that users might need access to, including SaaS applications, in-house developed applications, other existing security and Office groups, and SharePoint Online sites, can be added to the access package. 
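The policy just described (manager first with a fallback approver, a departmental group second, assignments that expire and are reviewed) expressed as a Microsoft Graph request body, as an added example rather than code from the post: the shape of the beta accessPackageAssignmentPolicy resource is assumed from the editor's reading of the API, every id is a constructed placeholder, and the lint function flags the gaps Questions 1 and 3 warn against. It runs offline and never calls Graph.

```python
# Added example (not from the post): build and lint an entitlement management
# assignment policy for the launch-team access package from Question 3.
# Assumed: the JSON shape follows the Microsoft Graph beta
# accessPackageAssignmentPolicy resource; all ids are constructed placeholders.
# Runs offline and never calls Microsoft Graph.

# Constructed placeholder ids; replace with values from your tenant.
ACCESS_PACKAGE_ID = "00000000-0000-0000-0000-00000000aaaa"
DEPT_APPROVERS_GROUP_ID = "00000000-0000-0000-0000-00000000bbbb"
FALLBACK_APPROVER_ID = "00000000-0000-0000-0000-00000000cccc"


def _stage(approvers):
    """One approval stage with a two-week decision window."""
    return {
        "approvalStageTimeOutInDays": 14,
        "isApproverJustificationRequired": True,
        "isEscalationEnabled": False,
        "escalationTimeInMinutes": 0,
        "primaryApprovers": approvers,
    }


def build_team_policy(access_package_id, approver_group_id, fallback_user_id,
                      duration_days=90):
    """Serial two-stage approval: the requestor's manager first (with a
    fallback for users who have no manager), then members of a departmental
    group. Assignments expire after duration_days and are reviewed quarterly,
    so nobody stays in the team indefinitely."""
    manager = {"@odata.type": "#microsoft.graph.requestorManager",
               "managerLevel": 1, "isBackup": False}
    fallback = {"@odata.type": "#microsoft.graph.singleUser",
                "id": fallback_user_id, "isBackup": True}
    dept = {"@odata.type": "#microsoft.graph.groupMembers",
            "id": approver_group_id, "isBackup": False}
    return {
        "accessPackageId": access_package_id,
        "displayName": "All member users, manager then department approval",
        "description": "Request membership in the launch team",
        "canExtend": False,
        "durationInDays": duration_days,
        "requestorSettings": {"scopeType": "AllExistingDirectoryMemberUsers",
                              "acceptRequests": True, "allowedRequestors": []},
        "requestApprovalSettings": {
            "isApprovalRequired": True,
            "isApprovalRequiredForExtension": False,
            "isRequestorJustificationRequired": True,
            "approvalMode": "Serial",
            "approvalStages": [_stage([manager, fallback]), _stage([dept])],
        },
        "accessReviewSettings": {"isEnabled": True, "recurrenceType": "quarterly",
                                 "reviewerType": "Self", "durationInDays": 14},
    }


def open_policy(access_package_id):
    """The pattern Question 1 warns against: open to every member user with
    no approval, no expiration and no review."""
    return {
        "accessPackageId": access_package_id,
        "displayName": "Open to everyone",
        "canExtend": True,
        "requestorSettings": {"scopeType": "AllExistingDirectoryMemberUsers",
                              "acceptRequests": True, "allowedRequestors": []},
        "requestApprovalSettings": {"isApprovalRequired": False,
                                    "approvalStages": []},
        "accessReviewSettings": {"isEnabled": False},
    }


def lint_policy(policy):
    """Return the governance gaps the post calls out as readable findings;
    an empty list means the policy passes."""
    findings = []
    approval = policy.get("requestApprovalSettings", {})
    stages = approval.get("approvalStages", [])
    if not approval.get("isApprovalRequired") or not stages:
        findings.append("no approval: every request in scope is auto-approved")
    for n, stage in enumerate(stages, start=1):
        approvers = stage.get("primaryApprovers", [])
        uses_manager = any(a.get("@odata.type", "").endswith("requestorManager")
                           for a in approvers)
        has_backup = any(a.get("isBackup") for a in approvers)
        if uses_manager and not has_backup:
            findings.append(f"stage {n}: manager approver without fallback, "
                            "requests from users with no manager will stall")
    reviewed = policy.get("accessReviewSettings", {}).get("isEnabled", False)
    expires = policy.get("durationInDays") or policy.get("expirationDateTime")
    if not expires and not reviewed:
        findings.append("assignments never expire and are never reviewed")
    return findings


if __name__ == "__main__":
    team = build_team_policy(ACCESS_PACKAGE_ID, DEPT_APPROVERS_GROUP_ID,
                             FALLBACK_APPROVER_ID)
    print("team policy findings:", lint_policy(team))
    print("open policy findings:", lint_policy(open_policy(ACCESS_PACKAGE_ID)))
```

The body returned by build_team_policy is what you would POST to the assignment policies collection once the access package exists; lint_policy is the local pre-check.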
Users with assignments to the access package will then automatically be given access to those resources as well.</P> <P>&nbsp;</P> <P>To find out more about Azure AD identity governance, including access reviews, privileged identity management, and how to manage the lifecycle of business partner guests, see <A href="#" target="_blank" rel="noopener">What is Azure AD identity governance?</A> and <A href="#" target="_blank" rel="noopener">What is Azure AD entitlement management?</A>. There are also case studies for how <A href="#" target="_blank" rel="noopener">digital innovator Avanade chose Azure AD Identity Governance for streamlined, highly secure collaboration</A> and how the <A href="#" target="_blank" rel="noopener">leading energy and services company Centrica solved collaboration challenges with Azure Active Directory entitlement management</A>.</P> <P><EM>&nbsp;</EM></P> <UL> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank" rel="noopener"><EM>Twitter</EM></A><EM> and </EM><A href="#" target="_blank" rel="noopener"><EM>LinkedIn</EM></A></LI> </UL> <P>&nbsp;</P> Fri, 08 Jan 2021 23:34:33 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/best-practices-to-simplify-governing-employee-access-across-your/ba-p/1676065 AzureADTeam 2021-01-08T23:34:33Z Durham County enhances security across a hybrid environment with Azure AD and F5 BIG-IP APM https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/durham-county-enhances-security-across-a-hybrid-environment-with/ba-p/1633530 <P><EM>Hello! 
In today’s “Voice of the Customer” blog, Lyvon Garth, CISO, Durham County; Aaron Stone, Assistant Director; and members of his team provide details about how they use Azure Active Directory (Azure AD) and F5 BIG-IP APM to apply consistent security policies across their hybrid environment. With half the county workforce working remotely, it was important to make it easy for users to access both on-premises and cloud apps while enforcing multi-factor authentication. Azure AD and BIG-IP APM enabled them to do just that.</EM></P> <P>&nbsp;</P> <H2>Reducing cybersecurity risk with Azure Active Directory and <SPAN class="Heading2Char">F5 BIG-IP APM</SPAN></H2> <P><STRONG>By Lyvon Garth, CISO, Durham County; Antonio Davis, Platform Manager, Durham County; Aaron Stone, Assistant Director, IT Operations and Infrastructure, Durham County; Monte Cooley, Network Administrator, Durham County</STRONG></P> <P>&nbsp;</P> <P>On March 6, 2020, Durham County was the victim of a ransomware attack. Fortunately for us, our threat response solution notified us quickly and we were able to shut down our systems before it spread. We did not pay a ransom, no data was stolen, and we were able to keep critical infrastructure up and running. But it was still extremely disruptive. Eighty servers and hundreds of computers needed to be rebuilt. Staff weren’t able to access all our systems and applications. To reduce the risk of this happening again, we decided to implement multi-factor authentication (MFA), which makes it more difficult for a user’s accounts to be compromised.</P> <P>&nbsp;</P> <P>Durham County is located in North Carolina. This vibrant and creative region is home to the Research Triangle Park, an innovation center anchored by three major research universities, University of North Carolina Chapel Hill, Duke University, and North Carolina State University. To meet the needs of our citizens, we are working on several digital transformation initiatives. 
We deployed a Transparency Portal to give people easy access to county performance metrics, budgets, and other data. We’re also digitizing all of our workflows. These efforts are paying off. In a recent report that ranks how well United States counties are using technology, <A href="#" target="_blank" rel="noopener">Durham County tied for second place in counties with populations between 250,000-499,999</A>.</P> <P>&nbsp;</P> <H2>Improving security in a hybrid environment</H2> <P>As we made plans to implement MFA across the organization, it was important to use the same authentication solution across all our apps to simplify the process for employees. This was challenging because, although we have begun modernizing our technology, we still support about 400 legacy on-premises apps. Many of these are homegrown apps that service the specific needs of one of the 27 departments within our county.</P> <P>&nbsp;</P> <P>To complicate matters, the malware attack occurred as COVID-19 began spreading in the United States. Within a few weeks, half of Durham County staff transitioned to remote work. We needed a solution that would allow these employees and others who work in the field to easily authenticate to on-premises apps using MFA.</P> <P>&nbsp;</P> <P>We chose Azure AD as our identity and access management solution for several reasons. Improving the security of our identities is very important to us, and Azure AD security capabilities like MFA, Conditional Access, and Privileged Identity Management will help us do that. Azure AD also supports SCIM provisioning, which makes it easy to integrate software-as-a-service (SaaS) apps. The team was also already familiar with Azure AD because we use it for authentication to Office 365 apps.</P> <P>&nbsp;</P> <H2>Single sign-on across cloud and on-premises apps</H2> <P>Once we selected Azure AD, we needed to address authentication to our cloud apps and our legacy apps. 
Many of our legacy apps do not support modern authentication standards, which made integration with Azure AD challenging. F5 BIG-IP APM provided the perfect solution. We use F5 BIG-IP APM as a VPN to our on-premises apps. It is interoperable with Azure AD, so employees can use their Azure AD credentials for single sign-on (SSO) to on-premises apps.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Archutecture.JPG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/216423i4BFC59440C96EF61/image-size/large?v=v2&amp;px=999" role="button" title="Archutecture.JPG" alt="Archutecture.JPG" /></span></P> <P>&nbsp;</P> <P>Once we decided on Azure AD and F5 BIG-IP APM, we contacted <A href="#" target="_blank" rel="noopener">Patriot Consulting</A> for help. Patriot Consulting was a great partner. Even before we committed to the project, they offered advice that helped us recover from the ransomware attack. With their help, we were able to get all our legacy apps onboarded to F5 BIG-IP APM in about three weeks.</P> <P>&nbsp;</P> <H2>Better protection with fine-grained security controls</H2> <P>The primary objective of our deployment was to improve security. Because we use Azure AD as the identity provider for all our apps, we can apply security controls to all of them without requiring users to sign in multiple times. The most important security control that we’ve put in place is MFA. By requiring two or more authentication factors, we significantly reduce the risk of an account compromise.</P> <P>&nbsp;</P> <P>We also use Azure AD Conditional Access policies to apply fine-tuned policies based on circumstances. Users that are working on the network only need to use MFA once a day to sign into all their apps. Employees outside the network use MFA each time they access an app. And users that try to sign in from outside the country are blocked entirely. 
Azure AD Conditional Access also uses Microsoft Endpoint Manager to check the device that employees are using. Only devices that are enrolled and managed by Microsoft Endpoint Manager can access our resources. These policies make us more secure with minimal disruption to productivity.</P> <P>&nbsp;</P> <H2>Saving money with self-service password reset</H2> <P>We also anticipate cost savings from our Azure AD deployment. The service desk currently receives 100 calls per month from users who need help with their passwords. Our Chief Information Officer has mandated that we get that number down to zero. We recently rolled out self-service password reset to a pilot group of users. When these users forget a password, they can now go to a web form to change their password rather than call the service desk. So far this has reduced our calls by 80%. By the end of June, we will deploy a registration process to enroll the entire county in self-service password reset and MFA.</P> <P>&nbsp;</P> <H2>Building a security culture</H2> <P>The malware event was challenging for everyone who works for the county government. But the good news is that employees are interested in helping to improve security to reduce the risk of it happening again. The security controls provided by Azure AD combined with employee engagement make it much less likely that we will suffer another attack.</P> <P>&nbsp;</P> <H2>Learn more</H2> <P><EM>If you operate a hybrid environment and want to make access to on-premises and cloud apps easier for your remote workforce, Azure AD and F5 BIG-IP APM may be the right solution. 
</EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/azure-ad-f5-helping-you-secure-all-your-applications/ba-p/875650" target="_blank" rel="noopener"><EM>Read how Azure AD and F5 can help you secure your apps</EM></A><SPAN><EM>.</EM></SPAN></P> <P>&nbsp;</P> <P><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/top-5-ways-your-azure-ad-can-help-you-enable-remote-work/ba-p/1144691" target="_blank" rel="noopener">Top 5 ways Azure AD can help you enable remote work</A></P> <P><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/developing-applications-for-secure-remote-work-with-azure-ad/ba-p/1257336" target="_blank" rel="noopener">Developing applications for secure remote work with Azure AD</A></P> <P><A href="#" target="_blank" rel="noopener">Microsoft’s COVID-19 response</A></P> Thu, 19 Aug 2021 23:22:12 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/durham-county-enhances-security-across-a-hybrid-environment-with/ba-p/1633530 Sue Bohn 2021-08-19T23:22:12Z Securing a remote workforce with Zero Trust https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/securing-a-remote-workforce-with-zero-trust/ba-p/1623996 <P><EM>Microsoft customers around the globe have responded to COVID-19 by moving their office employees to remote work. With more people working from home, identity-driven security solutions are required to help safeguard company resources. Nathan Lasnoski, Chief Technology Officer at Concurrency, has worked with many of our customers to implement a Zero Trust security strategy that puts identity protection at the center. 
In this “Voice of the Partner” blog, he shares how this approach has benefited global marine manufacturer, Brunswick Corporation.</EM></P> <P>&nbsp;</P> <H2>Supporting Modern Work with Zero Trust</H2> <H4>By Nathan Lasnoski, Chief Technology Officer, Concurrency</H4> <P>Concurrency is a business and technology professional services firm driving technology innovation and organizational change management. Today, like most organizations, our clients are confronting challenges associated with migrating a significant percentage of employees to remote work in response to COVID-19. This has been tough for everyone, but I’ve found that organizations that adopt a Zero Trust security model have been able to move to remote work faster and more securely.</P> <P><BR />Brunswick Corporation is a great example of a client whose investments in Zero Trust and identity modernization have made the transition to remote work smoother. Brunswick’s brands manufacture boats and marine propulsion systems. It also owns Freedom Boat Club, the world’s largest social club that allows people to get the benefits of a boat without owning one.</P> <P><BR />We got involved with Brunswick about 18 months ago. The organization needed a partner to help digitally transform its business in a way that enhances security. When COVID-19 began to spread, these efforts also made it easier and more secure for Brunswick employees to work from home. In this post, I’ll outline a few of the core tenets of Zero Trust that guided our work.</P> <P>&nbsp;</P> <H2>Zero Trust is the baseline for modern work</H2> <P>Before I dive in, I should define Zero Trust. In the traditional network security model, IT creates a wall to keep out the bad actors, while allowing largely free communications inside. This approach was mostly successful when apps were hosted almost exclusively inside the network, but organizations have moved more business assets to the cloud. 
Today, people are no longer tethered to a company-provided desktop in the physical workplace. They access work data from any device and any network. Employees aren’t the only users. Partners and contractors also need access. It’s no longer possible to automatically trust traffic inside the network. In a Zero Trust model, users and devices, both inside and outside the corporate network, are verified in real time before gaining access.</P> <P>&nbsp;</P> <H2>It starts with identity</H2> <P>A key component of Brunswick’s cloud journey was identity modernization. As the company shifted to a Zero Trust security model, they needed tools to verify users who wanted to use its apps and systems—whether they were inside the network accessing on-premises apps or outside the network accessing software-as-a-service (SaaS) apps.</P> <P><BR />Brunswick deployed Azure Active Directory (Azure AD) to manage identities and access. Azure AD integrates with Office 365 and thousands of non-Microsoft software-as-a-service (SaaS) apps, such as Workday, SAP, or Adobe. With Azure AD App Proxy, Brunswick can also connect on-premises apps to Azure AD. Unifying credentials into one identity lets employees sign in once using single sign-on (SSO) to use all their apps—whether Office 365, non-Microsoft, or on-premises.</P> <P><BR />With Azure AD, Brunswick can apply universal security controls, like multi-factor authentication (MFA), to all their connected apps. MFA requires at least two authentication factors at every sign-in, reducing the likelihood that an account will be compromised.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Figure 1.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/215698iB3475603B05D02A0/image-size/large?v=v2&amp;px=999" role="button" title="Figure 1.png" alt="Figure 1: Azure AD allows users to sign in once and access Office 365 and non-Microsoft apps." 
/><span class="lia-inline-image-caption">Figure 1: Azure AD allows users to sign in once and access Office 365 and non-Microsoft apps.</span></span></P> <H2>Network Micro-segmentation</H2> <P>The Zero Trust approach is premised on the idea that you should “assume breach.” That’s why it’s important not to automatically trust access requests, even those that originate on the corporate network. If organizations make it easy for resources to talk to each other, they also make it easy for an attacker to move around.</P> <P><BR />When Brunswick and Concurrency migrated Brunswick’s data center to Microsoft Azure, we implemented micro-segmentation. We isolated workloads from each other and applied security policies to each segment. In this model, systems and devices aren’t automatically connected, making it difficult for an attacker to move laterally. As Alan Mitchell, CISO of Brunswick Corporation, explained in a recent interview, “Think of micro-segmentation like a battleship with compartments that I can shut off. If water flows in, it can be limited to a specific area, and we can respond, versus worrying that the whole ship is sinking.”</P> <P>&nbsp;</P> <H2>Evaluate and enforce device compliance</H2> <P>Devices are the last frontier in a Zero Trust model, because that’s where the data lives after people successfully access it. When employees use personal or unmanaged devices for work, it becomes more challenging to make sure the devices are healthy and safe. Every user applies different security controls to their devices, downloads a variety of mobile apps, and may or may not apply security updates recommended by the manufacturer. To apply Zero Trust principles to any Android, iOS, macOS, and Windows devices requesting access to the network, Brunswick uses Microsoft Endpoint Manager to ensure that only devices that are compliant with its security standards can access corporate resources. 
To further protect corporate data and intellectual property, data can only be accessed using trusted apps and shared with other trusted apps.</P> <H2><BR />Protect data</H2> <P>One of the reasons that security is so challenging is that threats continually evolve. It’s impossible to secure every potential endpoint. To reduce the risk that sensitive information will be leaked, organizations protect the data itself—both at rest and in flight. Brunswick deployed Azure Information Protection and Microsoft Data Loss Prevention to classify and safeguard privileged information. Alan said, “It’s difficult to keep up with every threat vector, so we put policies, controls, and data labeling in place to make it harder for someone to copy sensitive information to a USB drive or a cloud storage device.”</P> <P>&nbsp;</P> <H2 style="font-family: SegoeUI, Lato, 'Helvetica Neue', Helvetica, Arial, sans-serif; color: #333333;">Apply Conditional Access policies</H2> <P>The reason that Brunswick selected Microsoft 365 security solutions is because the products are integrated and work together. This makes detecting and responding to incidents more effective. It also allows the company to apply Zero Trust in a consistent approach. Azure AD Conditional Access is a very important tool. With Azure AD, Microsoft Endpoint Manager, Azure Information Protection, and other Microsoft 365 solutions, Brunswick is able to create granular Conditional Access policies to control access based on context. These policies can be especially useful for a remote workforce. When users try to sign in, Azure AD Conditional Access policies use Microsoft Endpoint Manager to check the health of their device, their location, which application they are trying to access, and other risk factors. 
If the access request doesn’t meet Brunswick policies, Azure AD can automatically block access or force a password reset, among other actions.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Figure2.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/215699iFC70474B78AA34C5/image-size/large?v=v2&amp;px=999" role="button" title="Figure2.png" alt="Figure2.png" /></span></P> <P>&nbsp;</P> <P>COVID-19 has forced many organizations to quickly deploy new technology to enable secure business continuity, but the virus has only accelerated existing trends. The office isn’t going away, but at Concurrency, we believe that as organizations move more of their infrastructure to the cloud so they can focus on product innovation, employees will take advantage of the flexibility of working from anywhere. A Zero Trust security strategy makes both possible.</P> <P>&nbsp;</P> <H2>Learn more</H2> <P><EM>A Zero Trust security strategy can help you improve security for your remote workforce. By verifying identities and devices with Azure AD Conditional Access policies, you can reduce the risk of compromise. </EM></P> <P><EM>Read more about </EM><A href="#" target="_blank" rel="noopener"><EM>Microsoft’s approach to Zero Trust</EM></A></P> <P><A href="#" target="_blank" rel="noopener"><EM>Find out how to apply Conditional Access policies</EM></A><EM>. 
</EM></P> Thu, 19 Aug 2021 23:22:11 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/securing-a-remote-workforce-with-zero-trust/ba-p/1623996 Sue Bohn 2021-08-19T23:22:11Z Azure Active Directory External Identities goes premium with advanced security for B2C https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/azure-active-directory-external-identities-goes-premium-with/ba-p/1604572 <P>Howdy folks,</P> <P>&nbsp;</P> <P>Over the past six months, we have seen organizations adapt to <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/enable-remote-collaboration-quickly-and-securely-with-azure-ad/ba-p/1257334" target="_blank" rel="noopener">remote business environments</A> and engage with an <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/securely-collaborate-with-remote-partners-using-azure-ad-b2b/ba-p/1257337" target="_blank" rel="noopener">unprecedented number of</A> <A href="#" target="_blank" rel="noopener">external users</A>, and we’ve seen our own service usage growing like crazy for B2B and B2C scenarios. With this growth, we also know that security continues to be top of mind.</P> <P>&nbsp;</P> <P>Today, we are excited to announce the Public Preview of&nbsp;Conditional Access and Identity Protection for Azure Active Directory (Azure AD) B2C. We also have an update to our pricing that makes all <A href="#" target="_blank" rel="noopener">Azure AD External Identities</A> features more predictable and affordable with support for premium security features. 
On the blog today, we’re welcoming back Robin Goldstein, to share more about the new capabilities and pricing.</P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp;</P> <P>Alex</P> <P>&nbsp;</P> <P>-----</P> <P>&nbsp;</P> <P>Hi everyone,</P> <P>&nbsp;</P> <P>Previously, I shared our <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/evolving-azure-ad-for-every-user-and-any-identity-with-external/ba-p/1257361" target="_blank" rel="noopener">Azure AD External Identities vision</A> to make it easier to&nbsp;secure,&nbsp;manage&nbsp;and build apps for collaborating and connecting with external users. Today’s announcement, which adds Conditional Access and Identity Protection to Azure AD B2C, is another step in our journey to help organizations protect <STRONG>all </STRONG>their identities with Microsoft’s world-class security features.</P> <P>&nbsp;</P> <P><STRONG>Protect&nbsp;your&nbsp;customers, apps,&nbsp;and&nbsp;brand</STRONG>&nbsp;</P> <P>Security is essential to&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/flash-whitepaper-connect-with-secure-customer-facing-apps/ba-p/1289973" target="_blank" rel="noopener">maintaining your customers’ and consumers’ trust</A> and protecting your organization’s data. That’s why so many of our Azure AD customers rely on Azure AD Identity Protection and Azure AD Conditional Access. <A href="#" target="_blank" rel="noopener"><SPAN>Identity Protection</SPAN></A><SPAN> helps organizations automatically protect against account compromise with cloud intelligence, powered by advanced risk detection based on heuristics, User and Entity Behavior Analytics (UEBA), and machine learning (ML) from signals across the Microsoft ecosystem. 
</SPAN>By pairing <A href="#" target="_blank" rel="noopener"><SPAN>Conditional Access</SPAN></A> policies with the power of Identity Protection, admins can automate responses to risky authentications with the appropriate policy action. This combination already helps Fortune 500 organizations prevent over 10 million attacks each month.</P> <P>&nbsp;</P> <P>By making risk-based Conditional Access and the risk detection features of Identity Protection available in Azure AD B2C, our customers can now:</P> <P>&nbsp;</P> <UL> <LI><STRONG>Leverage intelligent insights to assess risk with B2C apps and end user accounts.</STRONG> Powered by signals from billions of monthly authentications across Azure AD and Microsoft accounts, Identity Protection’s real-time ML algorithms use adaptive intelligence to flag authentications as low, medium, or high risk and get smarter and more accurate over time.&nbsp;Detections include atypical travel, anonymous IP addresses, malware-linked IP addresses, and Azure AD threat intelligence. Portal and API-based reports are also available.</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RiskDetections_B2C.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/213800i856E26EA6C83F26E/image-size/large?v=v2&amp;px=999" role="button" title="RiskDetections_B2C.png" alt="RiskDetections_B2C.png" /></span><FONT size="2"><EM>Examine risk detections flagged through the portal</EM></FONT></P> <P>&nbsp;</P> <UL> <LI><STRONG>Automatically address risks by configuring adaptive authentication policies for B2C users. 
</STRONG>By tailoring Conditional Access policies, app developers and administrators can mitigate real-time risk by requiring multi-factor authentication (MFA) or blocking access depending on the user risk level detected, with additional controls available based on location, group, and app.</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CASnapshot_B2C.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/213799i437CCB75B70896CC/image-size/large?v=v2&amp;px=999" role="button" title="CASnapshot_B2C.png" alt="CASnapshot_B2C.png" /></span></P> <P><FONT size="2"><EM>Create a Conditional Access policy based on the level of sign-in risk</EM></FONT></P> <P>&nbsp;</P> <UL> <LI><STRONG>Integrate with Azure AD B2C user flows and custom policies. </STRONG>Conditions can be triggered from built-in user flows in Azure AD B2C or can be incorporated into B2C custom policies. As with other aspects of the B2C user flow, end user experience messaging can be customized according to the organization’s voice, brand, and mitigation alternatives.</LI> </UL> <P><FONT size="2"><EM><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="B2CUserFlow.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/213803i5DD76816C3240AE5/image-size/large?v=v2&amp;px=999" role="button" title="B2CUserFlow.png" alt="B2CUserFlow.png" /></span></EM></FONT></P> <P><FONT size="2"><EM>Create a user flow in Azure AD B2C</EM></FONT></P> <P>&nbsp;</P> <P><STRONG>Get started today</STRONG></P> <P>Conditional Access and Identity Protection for Azure Active Directory (Azure AD) B2C will be progressively rolled out across Azure regions starting on September 1. 
To start using the new features, you will need to do a few things first:</P> <P><SPAN>&nbsp;</SPAN></P> <OL> <LI><SPAN>Link your Azure AD B2C tenant to an </SPAN><A href="#" target="_blank" rel="noopener"><SPAN>Azure subscription</SPAN></A><SPAN><U>.</U></SPAN> <SPAN>This allows you to use Azure AD premium features for Azure AD External Identities and Azure AD B2C.</SPAN></LI> <LI><SPAN>Enable Premium P2 features in your Azure AD B2C tenant. This allows you to access Identity Protection and all future Premium P2 features for Azure AD External Identities and Azure AD B2C.</SPAN></LI> <LI><SPAN>Start using the new recommended user flows in Azure AD B2C. This allows you to connect to your Conditional Access policies and all new features added to B2C user flows in the future.</SPAN></LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="B2CUserFlow2.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/213801iAEB1C8BC9F83C67D/image-size/large?v=v2&amp;px=999" role="button" title="B2CUserFlow2.png" alt="B2CUserFlow2.png" /></span></P> <P><FONT size="2"><EM>Selecting and creating recommended user flows in Azure AD B2C</EM></FONT></P> <P>&nbsp;</P> <P>And of course, you can always check out our documentation to learn more about <A href="#" target="_blank" rel="noopener">setting up risk-based Conditional Access policies for Azure AD B2C</A>.</P> <P><STRONG>&nbsp;</STRONG></P> <P><STRONG>Pricing update</STRONG></P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">Azure AD External Identities</A> features are now available as part of one unified offer based on monthly active usage. 
Whether you use Azure AD B2C, B2B collaboration or the <A href="#" target="_blank" rel="noopener">new self-service sign-up</A> features in Azure AD, securing and managing external users is more affordable than ever, with the first 50,000 monthly active users free at both the Premium P1 and Premium P2 tiers. For more information on the new offer with pricing details click <U><A href="#" target="_self">here</A></U>. For documentation to set up your tenants for this offer, click <A href="#" target="_blank" rel="noopener">here</A>.</P> <P>&nbsp;</P> <P>As always, we hope you’ll try out the new features and share feedback through&nbsp;the&nbsp;<A href="#" target="_blank" rel="noopener">Azure forum</A>&nbsp;or by following&nbsp;<A href="#" target="_blank" rel="noopener">@AzureAD</A>&nbsp;on Twitter.&nbsp;</P> <P>&nbsp;</P> <P>Thanks!</P> <P>&nbsp;</P> <P>Robin</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Related Articles: Learn more about the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/evolving-azure-ad-for-every-user-and-any-identity-with-external/ba-p/1257361" target="_blank" rel="noopener"><EM>Azure AD External Identities features</EM></A><EM> announced at Build 2020 and public preview of </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/customize-external-identities-self-service-sign-up-with-web-api/ba-p/1257364" target="_blank" rel="noopener"><EM>web API integrations</EM></A></LI> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank" rel="noopener"><EM>Twitter</EM></A><EM> and </EM><A href="#" target="_blank" rel="noopener"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the </EM><A 
href="#" target="_blank" rel="noopener"><EM>Azure Feedback Forum</EM></A></LI> </UL> Thu, 19 Aug 2021 23:22:09 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/azure-active-directory-external-identities-goes-premium-with/ba-p/1604572 Alex Simons (AZURE) 2021-08-19T23:22:09Z Assigning groups to Azure AD roles is now in public preview! https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/assigning-groups-to-azure-ad-roles-is-now-in-public-preview/ba-p/1257372 <P>Howdy folks,</P> <P>&nbsp;</P> <P>Today, we’re excited to share that you can assign groups to Azure Active Directory (Azure AD) roles, now in public preview. Role delegation to groups is one of the most requested features in our <A href="#" target="_blank" rel="noopener">feedback forum</A>. Currently this is available for Azure AD groups and Azure AD built-in roles, and we’ll be extending this in the future to on-premises groups as well as Azure AD custom roles.</P> <P>&nbsp;</P> <P><SPAN>To use this feature, you’ll need to create an Azure AD group and enable it to have roles assigned. 
This can be done by anyone who is either a Privileged Role Administrator or a Global Administrator.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Group roles 1.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/212285i030927403CBAA20B/image-size/large?v=v2&amp;px=999" role="button" title="Group roles 1.png" alt="Group roles 1.png" /></span></P> <P>&nbsp;</P> <P>After that, any of the Azure AD built-in roles, such as Teams Administrator or SharePoint Administrator, can have groups assigned to them.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="group roles 2.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/212286i18F19F1766FF17C3/image-size/large?v=v2&amp;px=999" role="button" title="group roles 2.png" alt="group roles 2.png" /></span></P> <P>&nbsp;</P> <P>The owner of the group can then manage group membership and control who gets the role, allowing you to delegate the administration of Azure AD roles and reduce the dependency on Privileged Role Administrator or Global Administrator. Because adding a member to the group grants the role, ownership of a role-assignable group is itself a privileged assignment: restrict it as carefully as you would the role, and review the group’s owners and members regularly.</P> <P>&nbsp;</P> <P>You can also use this along with <A href="#" target="_blank" rel="noopener">Privileged Identity Management (PIM)</A> to enable just-in-time role assignment for the group. With this integration, each member of the group activates their role separately when needed, and their access is revoked when the role assignment expires.</P> <P>&nbsp;</P> <P><SPAN>We’ve also added a new preview capability in PIM called Privileged Access Groups. 
Turning on this capability adds controls to the management of the group itself, such as just-in-time group ownership and an approval workflow for adding members to the group.</SPAN></P> <P>&nbsp;</P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="group roles 3.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/212287i77F611DB575B26B4/image-size/large?v=v2&amp;px=999" role="button" title="group roles 3.png" alt="group roles 3.png" /></span></SPAN></P> <P>&nbsp;</P> <P>Assigning groups to Azure AD roles requires an Azure AD Premium P1 license. Privileged Identity Management requires an Azure AD Premium P2 license. To learn more about these changes, check out our&nbsp;<A href="#" target="_blank" rel="noopener"><SPAN>documentation&nbsp;</SPAN></A>on this topic:</P> <P>&nbsp;</P> <UL> <LI><SPAN><A href="#" target="_blank" rel="noopener">Use groups to manage role assignments</A></SPAN></LI> <LI><SPAN><A href="#" target="_blank" rel="noopener">Manage Privileged access groups</A></SPAN></LI> </UL> <P>&nbsp;</P> <P>As always, we’d love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the&nbsp;<A href="#" target="_blank" rel="noopener">Azure AD feedback forum</A>.</P> <P>&nbsp;</P> <P>Best regards,</P> <P>Alex Simons (<A href="#" target="_blank" rel="noopener">@Alex_A_Simons</A>)</P> <P>Corporate VP of Program Management</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> Thu, 13 Aug 2020 21:00:01 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/assigning-groups-to-azure-ad-roles-is-now-in-public-preview/ba-p/1257372 Alex Simons (AZURE) 2020-08-13T21:00:01Z New study by Forrester shows customers who deploy Azure AD can benefit from a 123% ROI. 
https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/new-study-by-forrester-shows-customers-who-deploy-azure-ad-can/ba-p/1587340 <DIV><SPAN style="font-family: inherit;">According to a new study,&nbsp;The Total Economic Impact™ of Securing Apps with Microsoft Azure Active Directory, investing in identity can not only help you accelerate your Zero Trust journey,&nbsp;it can also save you money and deliver more value. </SPAN><A style="font-family: inherit; background-color: #ffffff;" href="#" target="_self">Read more about the new Forrester TEI study on the Microsoft Security blog.</A></DIV> Thu, 13 Aug 2020 18:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/new-study-by-forrester-shows-customers-who-deploy-azure-ad-can/ba-p/1587340 AzureADTeam 2020-08-13T18:00:00Z Conditional Access policies now apply to all client applications by default https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/conditional-access-policies-now-apply-to-all-client-applications/ba-p/1257371 <P>Howdy folks,<BR /><BR /></P> <P>When it comes to securing your organization, nothing is more effective than <A href="#" target="_blank" rel="noopener">enabling multi-factor authentication</A> (MFA) for your users. Whether using traditional methods like phone or token codes, or modern passwordless methods like the Authenticator, Windows Hello, or FIDO, MFA reduces the probability of account compromise by more than 99.9%. As part of adopting MFA, you should <A href="#" target="_blank" rel="noopener">block legacy authentication</A> endpoints that can’t support MFA. Legacy authentication protocols like POP, SMTP, IMAP, and MAPI can’t enforce MFA, making them preferred entry points for adversaries attacking your organization.</P> <P><BR />Organizations use Azure AD Conditional Access to enforce Zero-Trust Least-Privileged Access policies. 
Conditional Access allows you to determine access based on explicitly verified signals collected during the user’s sign-in, such as the client app, device health, session risk, or IP address. This is the best mechanism to block legacy authentication, but a recent analysis showed fewer than 16% of organizations with Conditional Access have policies that apply to sign-ins using legacy authentication protocols.<BR /><BR /></P> <P>To help organizations more easily achieve a secure Zero Trust posture, we’re announcing 2 updates to help customers block legacy authentication:<BR /><BR /></P> <OL> <LI>New Conditional Access policies will apply to legacy authentication clients by default.</LI> <LI>The <A href="#" target="_blank" rel="noopener">client apps condition</A>, including improvements to the client apps admin experience, is now in General Availability.<BR /><BR /></LI> </OL> <P>Daniel Wood, a program manager on the Conditional Access team, has written a blog to explain how these changes can help secure your organization. 
As always, please share your feedback below or reach out to&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=mailto:intelligentaccesspm@microsoft.com" target="_blank" rel="noopener">intelligentaccesspm@microsoft.com</A> with any questions.<BR /><BR /></P> <P>Best regards,</P> <P>Alex Simons (<SPAN><A href="https://gorovian.000webhostapp.com/?exam=twitter.com/alex_a_simons" target="_blank" rel="noopener">@Alex_A_Simons</A></SPAN>)</P> <P>Corporate Vice President of Program Management</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> <P>-------</P> <P>Hi everyone,</P> <P>&nbsp;</P> <P>Today, I’m excited to announce we’re taking a big step forward in helping to make organizations more secure by changing the default Conditional Access configuration for new policies to apply to all client apps—including legacy authentication clients.</P> <P>&nbsp;</P> <P>We’ve simplified the admin experience to make it easier for admins to create policies targeting modern authentication clients and legacy authentication clients. By default, all new Conditional Access policies will apply to all client app types when the client apps condition is not configured. Sign-ins from legacy authentication clients don’t support MFA and don’t pass device state information to Azure AD, so they will be blocked by Conditional Access grant controls, such as requiring MFA or compliant devices. 
If you have accounts which <EM>must</EM> use legacy authentication, you can grant them policy exceptions to keep them from being blocked.</P> <P>&nbsp;</P> <P>If you want to create a Conditional Access policy that only targets legacy authentication clients, switch the client apps Configure toggle to Yes and deselect Browser and Mobile apps and desktop clients, leaving Exchange ActiveSync and Other clients selected.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="clientapp1.jpg" style="width: 474px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/211780i0DE7DEF5DB555F87/image-dimensions/474x690?v=v2" width="474" height="690" role="button" title="clientapp1.jpg" alt="clientapp1.jpg" /></span></P> <P>&nbsp;</P> <P>And for those of you who <A href="#" target="_blank" rel="noopener">manage your policies using the Microsoft Graph API</A>, we’ve simplified the <A href="#" target="_blank" rel="noopener">client apps schema</A> with the release of the new Conditional Access API in v1.0 to match the new UX. Here’s an example of the new default configuration for the client apps condition when you create a new policy using the API.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="clieantapp4.png" style="width: 634px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/211561i609A976EB8017CB6/image-dimensions/634x354?v=v2" width="634" height="354" role="button" title="clieantapp4.png" alt="clieantapp4.png" /></span></P> <P>&nbsp;</P> <H2>What about my existing Conditional Access policies?</H2> <P>If you have existing Conditional Access policies, they will continue to apply to the same client apps with no change. However, if you view an existing policy, we’ve made it easier to see which client apps are selected by removing the Configure Yes/No toggle. 
Existing policies where the client apps condition was not configured now look like this:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="clientapp2.jpg" style="width: 472px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/211781i4947FEED3BBF7A60/image-dimensions/472x767?v=v2" width="472" height="767" role="button" title="clientapp2.jpg" alt="clientapp2.jpg" /></span></P> <P>&nbsp;</P> <H2>Understanding client app usage in your organization</H2> <P>Before creating a new policy, it’s good to understand who’s using legacy authentication in your organization. To see which client apps and protocols are being used in your organization during sign-in, simply navigate to the Sign-ins page and filter the results by client app type.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="client app 3.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/211782i821811CA5FEACA0B/image-size/large?v=v2&amp;px=999" role="button" title="client app 3.jpg" alt="client app 3.jpg" /></span></P> <P>&nbsp;</P> <H3>Share your feedback!</H3> <P>We hope that these changes make it easier for admins to secure their organizations by blocking legacy authentication. 
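The two steps the post walks through, first checking which accounts still sign in over legacy protocols and then creating a policy that targets only Exchange ActiveSync and Other clients, as an added Python example (not code from the post or from Microsoft). The sign-in records are constructed; the `clientAppUsed` strings treated as modern clients are an assumption to verify against your own tenant's sign-in log; the excluded object ID is a placeholder. It also mirrors the new default described above: a policy whose client apps condition is left unconfigured covers every client app type, so a block policy meant for legacy clients has to set `clientAppTypes` explicitly.

```python
"""Inventory legacy-authentication sign-ins and draft a Conditional Access
policy that blocks them.

Added example, not code from the blog post or from Microsoft. The sign-in
records below are constructed to look like Microsoft Graph `signIn` objects
(`userPrincipalName`, `clientAppUsed`, `appDisplayName`); real ones come from
GET /auditLogs/signIns. The `clientAppUsed` strings for modern clients are an
assumption based on what the sign-in log shows and should be checked against
your own tenant. The policy body follows the Graph v1.0 `conditionalAccessPolicy`
schema used by POST /identity/conditionalAccess/policies.
"""
import json

# clientAppUsed values the sign-in log reports for modern-auth clients
# (assumption); anything else (IMAP4, POP3, Authenticated SMTP, Exchange
# ActiveSync, ...) cannot satisfy MFA and counts as legacy authentication.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample records, not real tenant data.
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "alice@contoso.com", "clientAppUsed": "Browser",
     "appDisplayName": "Office 365"},
    {"userPrincipalName": "alice@contoso.com",
     "clientAppUsed": "Mobile Apps and Desktop clients", "appDisplayName": "Outlook"},
    {"userPrincipalName": "bob@contoso.com", "clientAppUsed": "IMAP4",
     "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "scanner@contoso.com", "clientAppUsed": "Authenticated SMTP",
     "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "carol@contoso.com", "clientAppUsed": "Exchange ActiveSync",
     "appDisplayName": "Office 365 Exchange Online"},
]


def is_legacy(sign_in):
    """True when the sign-in used a protocol Conditional Access cannot challenge for MFA."""
    return sign_in.get("clientAppUsed") not in MODERN_CLIENT_APPS


def legacy_auth_users(sign_ins):
    """Map each user with at least one legacy sign-in to the protocols they used.

    This is the 'who still depends on legacy auth' review to do before the
    policy is created, so that the genuine exceptions can be excluded.
    """
    users = {}
    for s in sign_ins:
        if is_legacy(s):
            users.setdefault(s["userPrincipalName"], set()).add(s["clientAppUsed"])
    return users


def block_legacy_auth_policy(excluded_user_ids=(), report_only=True):
    """Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.

    clientAppTypes is set explicitly to the two legacy types; leaving it out (or
    using ["all"]) would make the policy hit modern clients too under the new
    default. excludeUsers takes user object IDs, not UPNs. Start in report-only
    mode and read the sign-in log before switching state to "enabled".
    """
    return {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(excluded_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_covers(policy, client_app_type):
    """Mirror the new default: an unset clientAppTypes (or "all") applies to every client."""
    types = policy.get("conditions", {}).get("clientAppTypes") or ["all"]
    return "all" in types or client_app_type in types


if __name__ == "__main__":
    found = legacy_auth_users(SAMPLE_SIGN_INS)
    for upn, protocols in sorted(found.items()):
        print(f"{upn}: {', '.join(sorted(protocols))}")
    # Placeholder object ID for the one account (scanner@) that must keep using SMTP.
    policy = block_legacy_auth_policy(
        excluded_user_ids=["00000000-0000-0000-0000-000000000001"])
    print(json.dumps(policy, indent=2))
```

Run against a real export of the sign-in log, the first function tells you which accounts would be cut off; those that genuinely need a legacy protocol go into `excluded_user_ids`, and the rest are the reason to leave the policy in report-only mode for a few days before enabling it.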
As always, please share your feedback below or reach out to</P> <DIV><A href="https://gorovian.000webhostapp.com/?exam=mailto:daniel.wood@microsoft.com" target="_blank">daniel.wood@microsoft.com</A> with any questions.</DIV> <P>&nbsp;</P> <P>Thanks,</P> <P>Daniel Wood (<A href="#" target="_self">@Daniel_E_Wood</A>)</P> <P>Program Manager</P> <P>Microsoft Identity Division</P> Thu, 13 Aug 2020 16:26:07 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/conditional-access-policies-now-apply-to-all-client-applications/ba-p/1257371 Alex Simons (AZURE) 2020-08-13T16:26:07Z Automated user provisioning from SAP SuccessFactors is now GA https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/automated-user-provisioning-from-sap-successfactors-is-now-ga/ba-p/1257370 <P>Howdy folks,</P> <P>&nbsp;</P> <P>Today, we’re announcing the general availability of user provisioning from SAP SuccessFactors to Azure AD. In addition, SAP and Microsoft have been working closely together to enhance existing integrations between Azure AD and SAP Cloud Identity Services of the SAP Cloud Platform, making it easier to manage and secure your SAP applications.</P> <P>&nbsp;</P> <H2>User provisioning from SAP SuccessFactors to Azure AD is now generally available<BR /><BR /></H2> <P>With the integration between Azure AD and SAP SuccessFactors, you can now automate user access to applications and resources so that a new hire can be up and running with full access to the necessary applications on day one. 
The integration also helps you reduce dependencies on the IT helpdesk for on-boarding and off-boarding tasks.<BR /><BR /></P> <P>Thanks to your feedback on our <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/ring-in-the-new-year-with-automated-user-provisioning-from-sap/ba-p/1063603" target="_blank" rel="noopener">public preview</A>, we’ve added these new capabilities:<BR /><BR /></P> <UL> <LI>With enhanced attribute support, you can now include any SAP SuccessFactors Employee Central attributes associated with <EM>Person, Employment and Foundation</EM> objects in your <A href="#" target="_blank" rel="noopener">provisioning rules and attribute mapping</A>.</LI> <LI>Using flexible mapping rules, you can now <A href="#" target="_blank" rel="noopener">handle different HR scenarios</A> such as worker conversion, rehire, concurrent assignment, and global assignment.</LI> <LI>In addition to email, we now support <A href="#" target="_blank" rel="noopener">writeback</A> of phone numbers, username, and login method from Azure AD to SAP SuccessFactors.</LI> </UL> <P><STRONG>&nbsp;</STRONG></P> <P>We’d like to say a special thank you to the SAP SuccessFactors team who helped us enhance the integration. Here’s what they had to say:<BR /><BR /></P> <P class="lia-align-center"><EM>“Enabling end-to-end user lifecycle management is critical. The Azure AD and SAP SuccessFactors integration will help streamline HR and IT processes to help our joint customers save time, improve security, and enable employee productivity.” – Lara Albert, VP, Solution Marketing, SAP SuccessFactors</EM></P> <P>&nbsp;</P> <P>We’d also like to thank our preview customers and partners who provided great feedback on different aspects of this integration! 
Here’s what one of our system integrator partners, <A href="#" target="_blank" rel="noopener">Olikka</A>, had to say:</P> <P>&nbsp;</P> <P class="lia-align-center"><EM>“Inbound provisioning from SAP SuccessFactors to Azure AD and on-premises Active Directory has helped us reduce the time customers need to spend on-boarding/off-boarding and adjusting access through the employee lifecycle. The integration that Microsoft has delivered means that we can avoid building complex custom connectors and managing on-premises infrastructure. This enables Olikka to get the customer up and running quickly while leveraging their existing Azure AD subscription.” – Chris Friday, Senior Project Consultant, Olikka</EM></P> <P class="lia-align-center">&nbsp;</P> <P class="lia-align-center"><EM><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SAP1.png" style="width: 816px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/210076iE389002EAEEDEC2F/image-size/large?v=v2&amp;px=999" role="button" title="SAP1.png" alt="SAP1.png" /></span></EM></P> <P class="lia-align-center">&nbsp;</P> <H2>Using Azure AD to manage and secure your SAP applications<BR /><BR /></H2> <P>Our new provisioning integration between Azure AD and SAP Cloud Identity Services allows you to spend less time creating or managing accounts for individual SAP applications. With this integration, you can now use Azure AD to automatically provision user accounts for SAP Analytics Cloud. 
In the coming months, we will expand this support to additional SAP applications like SAP S/4HANA, SAP Fieldglass, and SAP Marketing Cloud.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SAP2.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/210077i3C0E11B76C3ED5E2/image-size/large?v=v2&amp;px=999" role="button" title="SAP2.png" alt="SAP2.png" /></span></P> <P>&nbsp;</P> <P>We’re also enabling <A href="#" target="_blank" rel="noopener">One-click SSO</A> to simplify the configuration and setup of single sign-on with SAP Cloud Identity Services. One-click SSO allows you to quickly set up single sign-on between Azure AD and SAP Cloud Platform without needing to copy and paste values from different admin portals.</P> <P>&nbsp;</P> <H3>Learn more</H3> <P>User provisioning from SAP SuccessFactors to Azure AD requires an <A href="#" target="_blank" rel="noopener">Azure AD P1 license</A>; all other features referenced in this blog are available across all licensing tiers. To get started with these integrations, read our <A href="#" target="_blank" rel="noopener">SAP identity integration</A> documentation.</P> <P>&nbsp;</P> <P>SAP Cloud Platform is also available in Azure regions around the globe to complement your SAP S/4HANA on Azure implementations, providing low latency and ease of integration. Learn more about SAP solutions on Azure at <A href="#" target="_blank" rel="noopener">www.microsoft.com/sap</A> and explore our <A href="#" target="_blank" rel="noopener">SAP on Azure use cases</A> to get started.</P> <P>&nbsp;</P> <P>Together, our integrations with SAP allow you to manage and protect access across your entire SAP landscape. As always, we’d love to hear any feedback or suggestions you may have. 
Please let us know what you think in the comments below or on the&nbsp;<A href="#" target="_blank" rel="noopener">Azure AD feedback forum</A>.<BR /><BR />Best regards,</P> <P><BR />Alex Simons (@Alex_A_Simons)</P> <P>Corporate VP of Program Management</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> <H3><EM>Learn more about Microsoft identity:</EM></H3> <UL> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank" rel="noopener"><EM>Twitter</EM></A><EM> and </EM><A href="#" target="_blank" rel="noopener"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the </EM><A href="#" target="_blank" rel="noopener"><EM>Azure Feedback Forum</EM></A></LI> </UL> Thu, 06 Aug 2020 16:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/automated-user-provisioning-from-sap-successfactors-is-now-ga/ba-p/1257370 Alex Simons (AZURE) 2020-08-06T16:00:00Z Johnson Controls simplifies remote access to legacy, on-prem apps with Azure AD and F5 BIG-IP APM https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/johnson-controls-simplifies-remote-access-to-legacy-on-prem-apps/ba-p/1257351 <P><EM>For organizations that operate a hybrid environment with a mix of on-premises and cloud apps, shifting to remote work in response to COVID-19 has not been easy. VPN solutions can be clumsy and slow, making it difficult for users to access legacy apps based on-premises or in private clouds. 
For today’s “Voice of the Customer” post, Nitin Aggarwal, Global Identity Security Engineer at Johnson Controls, describes how his organization overcame these challenges using the rich integration between Azure Active Directory (Azure AD) and F5 BIG-IP Access Policy Manager (F5 BIG-IP APM).</EM></P> <P>&nbsp;</P> <H2>Enabling remote work in a hybrid environment</H2> <H4>By Nitin Aggarwal, Global Identity Security Engineer, Johnson Controls<BR /><BR /></H4> <P>&nbsp;</P> <P>Johnson Controls is the world’s largest supplier of building products, technologies, and services. For more than 130 years, we’ve been making buildings smarter and transforming the environments where people live, work, learn and play. In response to COVID-19, Johnson Controls moved 50,000 non-essential employees to remote work in three weeks. As a result, VPN access increased by over 200 percent and usage spiked to 100 percent throughout the day. People had trouble sharing and were forced to sign in multiple times. To address this challenge, we enabled capabilities in F5 and Azure AD to simplify access to our on-premises apps and implement better security controls.&nbsp;<BR /><BR /></P> <H2>Securing a hybrid infrastructure<BR /><BR /></H2> <P>Our organization relies on a combination of hybrid and software-as-a-solution (SaaS) apps, such as Zscaler and Workday, to conduct business-critical work. Our hybrid application set contains some legacy apps that are built on a code base that can’t be updated. One example is a directory access app that we use to look up employee information like first name, last name, global ID, and phone number. It’s critical that we keep this data protected, yet we also need to make our apps available to employees working offsite.</P> <P>&nbsp;</P> <P>Johnson Controls uses Azure AD to make over 150 Microsoft and non-Microsoft SaaS apps accessible from anywhere. 
Many of our legacy apps, however, use header-based authentication, which does not easily integrate with modern authentication standards. To enable single sign-on (SSO) to legacy apps for workers inside the network, we used a Web Access Management (WAM) solution. Remote workers used a VPN. The long-term strategy is to modernize these apps, eliminate them, or migrate them to Azure. In the meantime, we need to make them more accessible.<BR /><BR /></P> <P>About five months ago we began an initiative to enable authentication to our legacy apps using Azure AD. We wanted to make access easier and apply security controls, including conditional access. Initially we planned to rewrite the authentication model to support Azure AD, but all these apps use different code. Some were built with .NET. Others were written in Java or Linux. It wasn’t possible to apply a single approach and quickly modernize authentication. &nbsp;<BR /><BR /></P> <H2>Migrating legacy apps to Azure AD in less than one hour<BR /><BR /></H2> <P>When our Microsoft team learned about our issues with our on-premises apps, they suggested we talk to F5. Johnson Controls uses F5 for load balancing, and F5 offers a product, F5 BIG-IP Access Policy Manager (F5 BIG-IP APM), that leverages the load-balancing solution to easily integrate with Azure AD. It requires no timely development work, which was exactly what we were looking for.</P> <P>If an app is already behind the F5 load balancer and the right team is in place, it can take as little as one hour to migrate apps to Azure AD authentication using F5 BIG-IP APM. We just needed to create the appropriate configurations in F5 and Azure AD. Once the apps are onboarded, whenever a user signs in, they are redirected to Azure AD. Azure AD authenticates the user, sends the attributes back to the legacy app and inserts them in the header. For users, the experience is the same whether they are accessing an on-premises app or a cloud app. 
They sign in once using SSO and gain access to both cloud and legacy apps. It’s completely seamless.<BR /><BR /></P> <P>We started the onboarding process in November. After we moved to remote work in response to the epidemic, we accelerated the schedule. So far, we’ve migrated about 30 apps. We have 15 remaining.&nbsp;</P> <P>&nbsp;</P> <H2>Implementing a Zero Trust security strategy<BR /><BR /></H2> <P>With authentication for our apps handled by Azure AD, we can put in place the right security controls. Our security strategy is driven by a Zero Trust model. We don’t automatically trust anything that tries to access the network. As we move workloads to the cloud and enable remote work, it’s important to verify the identity of devices, users and services that try to connect to our resources.<BR /><BR /></P> <P>To protect our identities, we’ve enabled a conditional access policy in conjunction with multi-factor authentication (MFA). When users are inside the network on a domain-joined device or connected via VPN, they can access with just a password. Anybody outside the networks must use MFA to gain access. We are also using Azure AD Privileged Identity Management to protect global administrators. With Privileged Identity Manager, users who want to access sensitive resources sign in using a different set of credentials from the ones they use for routine work. This makes it less likely that those credentials will be compromised.<BR /><BR /></P> <P>With Azure AD, we also benefit from Microsoft’s scale and availability. Before we migrated our apps from the WAM to Azure AD, there were frequently problems with access related to the WAM. With Azure AD we no longer worry about downtime. Remote work is easier for employees, and we feel more secure.<BR /><BR /></P> <H3>Support enabling remote work</H3> <P><EM>If your organization relies on legacy apps for business-critical work, I hope you’ve found this blog useful. 
In the coming months, as you continue to support employees working from home, refer to the following resources for tips on improving the experience for you and your employees.</EM></P> <P><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/top-5-ways-your-azure-ad-can-help-you-enable-remote-work/ba-p/1144691" target="_blank" rel="noopener">Top 5 ways your Azure AD can help you enable remote work</A></P> <P><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/developing-applications-for-secure-remote-work-with-azure-ad/ba-p/1257336" target="_blank" rel="noopener">Developing applications for secure remote work with Azure AD</A></P> <P><A href="#" target="_blank" rel="noopener">Microsoft’s COVID-19 response</A></P> <P>&nbsp;</P> Wed, 05 Aug 2020 14:48:04 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/johnson-controls-simplifies-remote-access-to-legacy-on-prem-apps/ba-p/1257351 Sue Bohn 2020-08-05T14:48:04Z Microsoft Authenticator app lock now enabled by default https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/microsoft-authenticator-app-lock-now-enabled-by-default/ba-p/1257368 <P>Howdy folks,</P> <P>&nbsp;</P> <P>We’re always listening to your feedback about Microsoft Authenticator and what we can do to make the app more secure and easier for end users. A few years ago, we released our App Lock feature in response to feedback that you wanted to make sure your app was secured by a PIN or biometric. Last month, we expanded App Lock’s protection. 
Now, if App Lock is enabled, when you approve any notification, you’ll also have to provide your PIN or biometric.</P> <P>&nbsp;</P> <P>With our latest release, as part of our effort to make your sign-in experience even more secure, App Lock will be enabled by default if you’ve set up a PIN or biometric on your device.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="authapp1.png" style="width: 562px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/209121i6A634EFB57011D43/image-size/large?v=v2&amp;px=999" role="button" title="authapp1.png" alt="authapp1.png" /></span></P> <P>&nbsp;</P> <H2>Try it out<BR /><BR /></H2> <P>If you don’t have the Microsoft Authenticator app yet, <A href="#" target="_blank" rel="noopener">get it here</A>. You’ll need to be on version 6.4.22+ on iOS to try this out.</P> <P>&nbsp;</P> <P>We’ve been rolling out this feature to iOS TestFlight starting today, and we’ll be gradually rolling out to all users over the next few weeks. The update will come to Android next month.</P> <P>&nbsp;</P> <H2>How different notifications will work<BR /><BR /></H2> <P><EM><STRONG>Azure AD and MSA MFA notifications</STRONG><BR /><BR /></EM></P> <P>Currently, when the notification arrives on the phone, you can click approve/deny from the lock screen. However, when app lock is enabled, you will have to launch the app (on iOS) or launch a dialog (on Android) before you can click approve/deny, and you’ll also need to provide an additional PIN/bio gesture to successfully authenticate. 
Thus, even if you leave your phone unlocked on your desk and walk away, a passerby cannot approve the notification for you.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="authapp2.png" style="width: 462px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/209122iBE22DB26633F020D/image-size/large?v=v2&amp;px=999" role="button" title="authapp2.png" alt="authapp2.png" /></span></P> <P>&nbsp;</P> <P><STRONG><EM>Enterprise on-premise MFA notifications that already require a PIN</EM></STRONG></P> <P>&nbsp;</P> <P>The flow will remain as it is today. After you interact with the notification, you will need to provide your MFA pin (not your device pin). In subsequent approvals, you will have the option to use your device bio gesture instead of your MFA pin.</P> <P>&nbsp;</P> <P><STRONG><EM>Azure AD and MSA Phone sign-in notifications</EM></STRONG></P> <P>&nbsp;</P> <P>The flow will remain as it is today.</P> <P>&nbsp;</P> <H2>Additional questions</H2> <P><BR />If you have questions, check out our <A href="#" target="_blank" rel="noopener">FAQ page</A>.<BR /><BR /></P> <P>Also, we want to hear from you! 
Feel free to leave comments down below or reach out to us on Twitter (<A href="#" target="_blank" rel="noopener">@AzureAD</A>)</P> <P>&nbsp;</P> <P>Best regards,</P> <P>Alex Simons (<A href="#" target="_blank" rel="noopener">@Alex_A_Simons</A>)</P> <P>Corporate VP of Program Management</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> <P><EM>Learn more about Microsoft identity:</EM></P> <UL> <LI><EM>Return to the </EM><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener"><EM>Azure Active Directory Identity blog home</EM></A></LI> <LI><EM>Join the conversation on </EM><A href="#" target="_blank" rel="noopener"><EM>Twitter</EM></A><EM> and </EM><A href="#" target="_blank" rel="noopener"><EM>LinkedIn</EM></A></LI> <LI><EM>Share product suggestions on the </EM><A href="#" target="_blank" rel="noopener"><EM>Azure Feedback Forum</EM></A></LI> </UL> Mon, 03 Aug 2020 18:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/microsoft-authenticator-app-lock-now-enabled-by-default/ba-p/1257368 Alex Simons (AZURE) 2020-08-03T18:00:00Z End users can now report “This wasn’t me” for unusual sign-in activity https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/end-users-can-now-report-this-wasn-t-me-for-unusual-sign-in/ba-p/1257369 <P>Howdy folks,</P> <P><BR />I’m excited to announce the General Availability of <A href="#" target="_blank" rel="noopener">Azure AD My Sign-Ins</A>—a new feature that allows enterprise users to review their sign-in history to check for any unusual activity. 
As we discussed in the Public Preview <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/users-can-now-check-their-sign-in-history-for-unusual-activity/ba-p/916066" target="_blank" rel="noopener">blog post</A>, the My Sign-Ins page empowers users to see:<BR /><BR /></P> <UL> <LI>If anyone is trying to guess their password.</LI> <LI>If an attacker successfully signed in to their account from a strange location.</LI> <LI>What apps the attacker accessed.<BR /><BR /></LI> </UL> <P>The newest addition to this page allows end users to report “This wasn’t me” or “This was me” on unusual activities. Robyn Hicock, who managed this feature, wrote a guest blog post where she dives into the details on this update. You’ll find her blog post below.</P> <P>&nbsp;</P> <P>As always, we’d love to hear any feedback or suggestions you may have. Please let us know what you think in the comments below or on the <A href="#" target="_blank" rel="noopener">Azure AD feedback forum</A>.</P> <P>&nbsp;</P> <P>Best regards,</P> <P>Alex Simons (@Alex_A_Simons)</P> <P>Corporate VP of Program Management</P> <P>Microsoft Identity Division</P> <P>&nbsp;</P> <P>-----------------------------------------------------</P> <P>&nbsp;</P> <P>Hi everyone!</P> <P>&nbsp;</P> <P>I’m super excited to share details about the updates we’ve made to the <A href="#" target="_blank" rel="noopener">My Sign-Ins</A> page. We heard your feedback during the Public Preview and learned that users want to easily determine whether a sign-in was theirs or not.</P> <P>&nbsp;</P> <H2>Unusual activity<BR /><BR /></H2> <P>We now highlight suspicious activities that we’ve detected with <A href="#" target="_blank" rel="noopener">Identity Protection</A> at the top. 
For example, if a risky sign-in was automatically detected, it would get bubbled up to the top under a new section for “Unusual activity”:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SI1.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/209470i23BA0F1E928BF50E/image-size/large?v=v2&amp;px=999" role="button" title="SI1.png" alt="SI1.png" /></span></P> <P>&nbsp;</P> <P>We also added “This wasn’t me” and “This was me” buttons for unusual activities. If a user chooses “This wasn’t me”, then they would see this dialog:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SI2.png" style="width: 347px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/209471i8CB963AA74E45171/image-size/large?v=v2&amp;px=999" role="button" title="SI2.png" alt="SI2.png" /></span></P> <P>&nbsp;</P> <P>They would then be taken to the <A href="#" target="_blank" rel="noopener">Security info</A> page to review and update their authentication methods. 
<P>To learn more about managing security info, check out the blog post for <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/combined-mfa-and-password-reset-registration-is-now-generally/ba-p/1257355" target="_blank" rel="noopener">Combined MFA and password reset registration</A>.</P>
<P><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/209472iED9C3E4512C0872D/image-size/large?v=v2&amp;px=999" alt="SI3.png" /></P>
<P>If a user chooses “This was me”, they see this dialog:</P>
<P><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/209473i7E107DB9B82166FF/image-size/large?v=v2&amp;px=999" alt="SI4.png" /></P>
<P>End-user feedback will help improve the accuracy of our risk detection systems. We will study the user feedback before allowing user reporting to change the risk states in <A href="#" target="_blank" rel="noopener">Identity Protection</A>. You can monitor what your users are choosing by checking the <A href="#" target="_blank" rel="noopener">audit logs</A>, and use that information to help you decide whether to confirm or dismiss the risk.</P>
<H2>Recent activity</H2>
<P>If a user doesn’t have any suspicious sign-ins, they’ll just see the “Recent activity” section. Users can also review their normal sign-ins and report if anything looks strange by clicking “Look unfamiliar? Secure your account”.</P>
<P><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/209474i1115DE7F5DDF4660/image-size/large?v=v2&amp;px=999" alt="SI5.png" /></P>
<P>Users can also see if anyone else is trying to guess their password. In that case, they’d see an “Unsuccessful sign-in” like this:</P>
<P><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/209475i7CF744BF754BDA37/image-size/large?v=v2&amp;px=999" alt="SI6.png" /></P>
<H2>Searching and Filtering</H2>
<P>We also heard your feedback about better filtering to sort through all the noise. Now you can use the Search bar at the top to look at only the “Unsuccessful” sign-ins.</P>
<P><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/209476i131CFB497A04F3A6/image-size/large?v=v2&amp;px=999" alt="SI7.png" /></P>
<P>You can also use the Search bar to filter for other details like the app, browser, location, operating system, etc.</P>
<P>Finally, we made My Sign-Ins more mobile-friendly too!</P>
<P><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/209477iB55614C1A970CF67/image-dimensions/516x776?v=v2" width="516" height="776" alt="SI8.png" /></P>
<P>If you’re curious about your personal email too, we have similar features in the Recent Activity page for consumer Microsoft Accounts at <A href="#" target="_blank" rel="noopener">https://account.live.com/activity</A>. Check it out!</P>
<H3>Feedback</H3>
<P>As always, we’d love to hear your feedback and suggestions. Please let us know what you think in the comments below or on the <A href="#" target="_blank" rel="noopener">Azure AD feedback forum</A>.</P>
<P>Thanks!</P>
<P>Robyn Hicock (<A href="#" target="_blank" rel="noopener">@Robyn.Hicock</A>)</P>
<P>Senior Program Manager</P>
<P>Microsoft Identity Security and Protection Team</P>
<P><EM>Learn more about Microsoft identity:</EM></P>
<UL>
<LI><EM>Related Articles: <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/users-can-now-check-their-sign-in-history-for-unusual-activity/ba-p/916066" target="_blank" rel="noopener">Users can now check their sign-in history for unusual activity</A></EM></LI>
<LI><EM>Return to the <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/bg-p/Identity" target="_blank" rel="noopener">Azure Active Directory Identity blog home</A></EM></LI>
<LI><EM>Join the conversation on <A href="#" target="_blank" rel="noopener">Twitter</A> and <A href="#" target="_blank" rel="noopener">LinkedIn</A></EM></LI>
<LI><EM>Share product suggestions on the <A href="#" target="_blank" rel="noopener">Azure Feedback Forum</A></EM></LI>
</UL>
Mon, 03 Aug 2020 16:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/end-users-can-now-report-this-wasn-t-me-for-unusual-sign-in/ba-p/1257369 Alex Simons (AZURE) 2020-08-03T16:00:00Z
Azure AD Mailbag: Identity protection https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/azure-ad-mailbag-identity-protection/ba-p/1257350
<P><EM>Greetings!</EM></P>
<P><EM>We're back with another mailbag, this time focusing on your common questions regarding Azure AD Identity Protection. Security is always top of mind, and Identity Protection helps you strike a balance between the usability end users need to be productive and protecting access to resources. We’ve got some really great questions from folks looking to improve the effectiveness of their alerts and to increase their overall security posture. We even have a sample script for you! I’ll let Sarah, Rohini and Mark take it away.</EM></P>
<P><EM>-----</EM></P>
<P>Hey y’all, <A href="#" target="_blank" rel="noopener">Mark</A> back again for another mailbag. You’ve been asking some really great questions around Azure AD Identity Protection. So good, in fact, that I’ve kept putting this off for an embarrassingly long time. Then I called in some help from two excellent feature PMs, <A href="#" target="_blank" rel="noopener">Sarah Handler</A> and <A href="#" target="_blank" rel="noopener">Rohini Goyal</A>.</P>
<H3>Question 1: I want to bulk dismiss a lot of users that have risk. How can I do this?</H3>
<P>Before you bulk dismiss users, make sure you’ve already remediated them or determined that they’re not at risk. Then there is a Graph API call you can make to dismiss the <A href="#" target="_blank" rel="noopener">user risk</A>. We’ve put together a small sample script to help with bulk dismissal.</P>
<P>We've provided a <A href="#" target="_self">sample PowerShell script</A> and examples to enumerate risky users, filter the results, and dismiss the risk for the collection.</P>
<P><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/209453i878D3E3E0C88C388/image-size/large?v=v2&amp;px=999" alt="mailbag731.png" /></P>
<H3>Question 2: How do we detect Tor or anonymous VPNs? Is it based on the exit node, or are there ways to bypass this?</H3>
<P>We detect anonymizers in a few ways. For Tor, we continually update the list of Tor exit nodes. For VPNs, we use various third-party intelligence sources to determine whether an anonymizer has been used.</P>
<H3>Question 3: How should we handle false positives?</H3>
<P>There are two ways to address false positives: giving feedback on the false positive detections that occur, and reducing the number of false positives that get generated. If, while investigating risky sign-ins, you find a detection to be a false positive, you should mark “confirm safe” on the risky sign-in. There are two ways to prevent false positives in Identity Protection. The first is to enable sign-in risk policies for your users. When a user is prompted for MFA by a sign-in risk policy and passes the MFA prompt, that tells the system the legitimate user signed in and helps it learn the sign-in properties for future ones. The second is to mark common locations that you trust as trusted locations in Azure AD.</P>
<H3>Question 4: What is the best practice for allow listing known locations?</H3>
<P>First, make sure you’re putting in your public egress endpoints. This helps our detection algorithms. We’ve recently increased the limit to 195 named locations with 2,000 IP ranges per location. You can read more in our <A href="#" target="_blank" rel="noopener">docs</A>.</P>
<P>But we know that networking teams often make changes and don’t notify the Azure AD admins. It’s good to have a process to work through the sign-in logs, look for IP ranges that are not part of your named locations and add those, and remove IPs that are no longer your egress points.</P>
<H3>Question 5: Does AAD Leaked credentials connect to Troy Hunt’s <A href="#" target="_blank" rel="noopener">Have I been Pwned</A> API? Do I need to supplement with other scans?</H3>
<P>Leaked credentials detection does not connect to Troy Hunt’s “Have I been Pwned”. Troy does an excellent job with his service correlating and collecting public dumps. Leaked credentials alerts take into account those public dumps as well as the non-public dumps we call out in our docs (<A href="#" target="_blank" rel="noopener">more info here</A>). If you want to supplement the Azure AD leaked credentials alerting with other feeds, that is entirely up to you.</P>
<H3>Question 6: When I turn on Password Hash Sync, does the leaked credential alert fire on existing leaks or only on leaks going forward?</H3>
<P>Leaked credentials will only detect leaks going forward. When we find cleartext username and password pairs, we don’t keep them: we process them and then delete them. We’ve updated our <A href="#" target="_blank" rel="noopener">documentation</A> to call this out and provided <A href="#" target="_blank" rel="noopener">more info</A>.</P>
<P>We hope you've found this post and this series helpful. For any questions you can reach us at <A href="https://gorovian.000webhostapp.com/?exam=mailto:AskAzureADBlog@microsoft.com" target="_blank" rel="noopener">AskAzureADBlog@microsoft.com</A>, the <A href="#" target="_blank" rel="noopener">Microsoft Forums</A> and on Twitter <A href="#" target="_blank" rel="noopener">@AzureAD</A>, <A href="https://gorovian.000webhostapp.com/?exam=mailto:twitter.com/markmorow" target="_blank" rel="noopener">@MarkMorow</A>, <A href="#" target="_blank" rel="noopener">@Sue_Bohn</A>, and <A href="#" target="_blank" rel="noopener">@Alex_A_Simons</A>.</P>
<P>-Rohini Goyal, Sarah Handler and Mark Morowczynski</P>
Mon, 03 Aug 2020 14:14:19 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-active-directory-identity/azure-ad-mailbag-identity-protection/ba-p/1257350 Sue Bohn 2020-08-03T14:14:19Z
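<P>The bulk-dismissal flow from Question 1 of the mailbag, as an added example that is not the mailbag's linked sample script: it pages through the Microsoft Graph riskyUsers collection, keeps only users that match a reviewer-defined "already investigated" rule, and posts their ids to the dismiss action in chunks. It assumes $Token holds an access token granted IdentityRiskyUser.ReadWrite.All; the 30-day/low-risk filter is a placeholder for whatever remediation check your team actually performs.</P>

```powershell
# Added example, not the mailbag's own script. Assumes $Token is a Graph access token
# with IdentityRiskyUser.ReadWrite.All. Run with -WhatIf first to review the candidate list.
param(
    [Parameter(Mandatory)][string]$Token,
    [switch]$WhatIf
)
$headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }
$base    = 'https://graph.microsoft.com/v1.0/identityProtection/riskyUsers'

# Page through every user whose risk state is still "atRisk" (i.e. not yet remediated,
# dismissed or confirmed), selecting only the properties the dismissal rule needs.
$users = @()
$url = $base + "?`$filter=riskState eq 'atRisk'&`$select=id,userPrincipalName,riskLevel,riskLastUpdatedDateTime"
while ($url) {
    $page  = Invoke-RestMethod -Method Get -Uri $url -Headers $headers
    $users += $page.value
    $url    = $page.'@odata.nextLink'   # null on the last page, which ends the loop
}

# Placeholder dismissal rule (assumption): low risk that has not changed in 30 days.
# Replace with your own evidence of remediation before dismissing anything.
$cutoff    = (Get-Date).AddDays(-30)
$toDismiss = @($users | Where-Object {
    $_.riskLevel -eq 'low' -and [datetime]$_.riskLastUpdatedDateTime -lt $cutoff
})
Write-Host "At-risk users: $($users.Count); matching dismissal rule: $($toDismiss.Count)"

# The dismiss action takes a list of user ids; send them in chunks of 50.
for ($i = 0; $i -lt $toDismiss.Count; $i += 50) {
    $chunk = @($toDismiss[$i..([Math]::Min($i + 49, $toDismiss.Count - 1))])
    $body  = @{ userIds = @($chunk.id) } | ConvertTo-Json
    if ($WhatIf) {
        Write-Host "Would dismiss: $($chunk.userPrincipalName -join ', ')"
        continue
    }
    Invoke-RestMethod -Method Post -Uri "$base/dismiss" -Headers $headers -Body $body | Out-Null
    Write-Host "Dismissed $($chunk.Count) users"
}
```

Dismissals appear in the audit log like any other risk-state change, so the -WhatIf run plus the audit entries give you a before/after record of what was cleared and why.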
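<P>The sign-in log review that Question 4 recommends, as an added example (not code from the mailbag): it pulls every IPv4 range from your IP-based named locations, pulls a week of successful sign-ins, and lists the source IPs that no named location covers, ranked by how many sign-ins came from them. These are the candidate egress points a networking team may have added without telling you. It assumes $Token has Policy.Read.All and AuditLog.Read.All, and checks IPv4 only.</P>

```powershell
# Added example, not the mailbag's own script. Assumes $Token is a Graph access token
# with Policy.Read.All (named locations) and AuditLog.Read.All (sign-ins).
param([Parameter(Mandatory)][string]$Token)
$headers = @{ Authorization = "Bearer $Token" }
$g = 'https://graph.microsoft.com/v1.0'

# IPv4-only CIDR membership test; the named-location ranges are compared with a plain mask.
function Test-IPv4InCidr {
    param([string]$IPAddress, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    if (-not $bits) { $bits = 32 }
    $ipBytes  = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($ipBytes.Length -ne 4 -or $netBytes.Length -ne 4) { return $false }
    $ip = 0; foreach ($b in $ipBytes)  { $ip = ($ip -shl 8) -bor $b }
    $nw = 0; foreach ($b in $netBytes) { $nw = ($nw -shl 8) -bor $b }
    $mask = (0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF
    return (($ip -band $mask) -eq ($nw -band $mask))
}

# Every CIDR range across all IP-based named locations (trusted or not).
$cidrs = @((Invoke-RestMethod -Uri "$g/identity/conditionalAccess/namedLocations" -Headers $headers).value |
    Where-Object { $_.'@odata.type' -eq '#microsoft.graph.ipNamedLocation' } |
    ForEach-Object { $_.ipRanges.cidrAddress })

# Successful sign-ins from the last 7 days, paged through nextLink.
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$url     = "$g/auditLogs/signIns?`$filter=createdDateTime ge $since and status/errorCode eq 0&`$select=ipAddress,userPrincipalName"
$signIns = @()
while ($url) {
    $page     = Invoke-RestMethod -Uri $url -Headers $headers
    $signIns += $page.value
    $url      = $page.'@odata.nextLink'
}

# Group by source IP and keep only IPs that no named location covers: candidates to add
# (or, if they are not yours, to investigate).
$signIns | Group-Object ipAddress | Where-Object {
    $ip = $_.Name
    -not ($cidrs | Where-Object { Test-IPv4InCidr -IPAddress $ip -Cidr $_ })
} | Sort-Object Count -Descending |
    Select-Object @{n='IPAddress'; e={ $_.Name }}, Count,
                  @{n='Users';     e={ @($_.Group.userPrincipalName | Sort-Object -Unique).Count }}
```

Run the same query with the inverse filter (IPs that are covered) and compare against the ranges over time to spot named-location entries that no longer see any traffic, which are the stale egress points the answer says to remove.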