Guidance on using Azure AD to meet Zero Trust Architecture and MFA requirements

Published Jun 23 2021 09:00 AM
Microsoft

Hello,

 

With the recent Executive Order on Improving the Nation’s Cybersecurity mandating Zero Trust Architecture and multifactor authentication, you may be wondering what those requirements are and how you can use the tools you have in Azure AD to meet the standards. 

 

I am excited to share with you new guidance within our public documentation. This guidance is tailored to help you meet government and industry identity requirements using Azure Active Directory. Microsoft documents how we as a company meet many of these standards. While you can leverage our compliance, there are often “shared responsibilities” beyond what Microsoft accreditation provides. This new prescriptive guidance is designed to help you meet these identity requirements using Azure Active Directory. You can also check out the guides for cloud and Zero Trust modernization from Microsoft Federal: “Mapping the Cybersecurity Executive Order Milestones”.

 

As an example, let us consider meeting FedRAMP High controls IA-2 (1-4). To understand these requirements, one would have to start with the FedRAMP Security Controls Baseline, then dive into NIST SP 800-53 Rev. 4, which builds on NIST SP 800-63 Rev. 3, which in turn builds on NIST FIPS 140-2. You get the idea… lots of “light” reading. Alternatively, one could leverage the standards & compliance section, which provides prescriptive guidance for meeting this control by:

(a) configuring Conditional Access (CA) policies to require MFA,

(b) configuring device management policies and CA policies such that sign-in to these managed devices would require MFA,

(c) using viable MFA options that meet NIST Authenticator Assurance Level (AAL) 3, as required by FedRAMP High, and

(d) using PIM to eliminate privileged local access without PIM activation.

 

I am happy to announce the first two content sets under the new standards & compliance area: Configure Azure Active Directory to meet NIST Authenticator Assurance Levels

 

We have started with NIST 800-63 – Digital Identity Guidelines which is a well understood framework for digital identities that many other standards and regulations use as a building block.

 

This guidance details how you can use Azure Active Directory to meet NIST Authenticator Assurance Levels (AAL) and maps these AALs to all available authentication methods.

 

Configure Azure Active Directory to meet FedRAMP High Impact level

 

Many US federal agencies, as well as cloud solution providers (CSPs) delivering cloud services to these agencies, must meet the requirements of the FedRAMP program. We anchored our guidance around the FedRAMP High baseline to cover the most stringent set of identity-related controls. This approach allows customers who need to adhere to lower FedRAMP baselines to use this guidance as well.

 

US Government agencies will soon be required to have fully adopted multifactor authentication. Check out our resources to Enable MFA in your organization to verify explicitly as part of your Zero Trust approach.

 

We would love to hear more from all of you on what standards, regulations, or other compliance frameworks with identity requirements you would like to meet with Azure Active Directory. We will continue to review standards, regulations, or other compliance frameworks and where appropriate, produce guidance to help our customers meet their identity requirements using Azure Active Directory.

 

 

Last update: Aug 19 2021 04:23 PM