Earlier this year we announced the general availability of Microsoft Entra External ID, our next-gen CIAM solution which enables organizations to build pixel-perfect consumer UX into their apps paired with enterprise-grade security and compliance. We’re committed to rolling out innovative features regularly, driven by customer feedback, to simplify and improve the everyday workflows of admins and developers. For instance, don’t miss our recent announcement of the general availability of Native Authentication for creating pixel-perfect mobile applications.
Today, we shift our focus to the vital aspect of security, providing comprehensive insights on building an end-to-end identity security strategy with Microsoft Entra External ID. In doing so, we aim to demonstrate how these robust security measures not only protect your business but also enhance the trust and satisfaction of your app’s end-users as they can rest assured their user-experiences are seamless and secure. Now, let's turn to Principal Product Manager, Pawan Nrisimha, who will dive into External ID’s built-in, enterprise-grade security controls.
Microsoft Entra External ID’s built-in, enterprise-grade security controls
Microsoft Entra External ID’s end-to-end, multi-layered security strategy starts with core protection as the built-in foundation of the stack, extending the core security controls you already use for your workforce with Microsoft Entra ID to external users. With a single click, you can then opt in to additional layers of real-time and offline protection so that all your users are guarded with enterprise-grade security. Today’s focus is on the built-in core protection capabilities, such as brute force protection, common networking HTTP protection, account protection and access control, which are enabled by default when you create an external tenant.
Figure 1: Microsoft Entra ID built-in, enterprise-grade security controls.
As one of the largest providers of identity services, we have a front row seat to the increasingly frequent identity attacks against our customers’ applications. For instance, we observed a rise in DDoS attacks, reaching approximately 4,500 attacks per day in June across all our customers. External ID ensures that attempts to overwhelm your service with excessive requests are effectively mitigated. When you create an external tenant with Microsoft Entra External ID, robust security measures are enabled by default to help protect your applications against these rising cyber threats. By default, External ID also helps safeguard your end-users from password spray attacks, which have surged to 7,000 blocked per second this year. All our built-in core security controls ensure your applications are protected from unauthorized access attempts that could compromise sensitive user data.
Figure 2: Number of blocked requests vs. total traffic. During this time period, close to 55% of requests were attacks and were blocked.
This graph shows a real customer facing a massive DDoS attack, with attackers flooding the servers with overwhelming requests. Microsoft Entra External ID’s built-in DDoS protection detects abnormal traffic patterns and activates mitigation protocols, filtering out malicious traffic and allowing legitimate requests to ensure services remain uninterrupted.
Similarly, in the Slow Loris attack shown in the graph below, Microsoft Entra External ID defends by identifying and terminating idle connections before they cause harm. This protection handles a high volume of concurrent requests without impacting service quality, ensuring your apps remain secure and maintain customer trust. (Internal Microsoft Data)
Figure 3: Example of a Slow Loris attack being blocked.
Please be assured that we continuously update our systems to remain ahead of potential threats.
Detect and mitigate risks with Conditional Access:
So far, we’ve spoken about core protections that are ON by default when you create an external tenant. To further enhance your online apps’ security, you can customize Conditional Access policies to trigger multifactor authentication (MFA), which reduces the risk of compromise by 99.22% (2023 Microsoft Digital Defense Report), preventing unauthorized access and offering robust defense against threats like phishing and account takeovers. Learn more about the various MFA methods you can configure in external tenants.
Figure 4: MFA for external users.
Up next: Build out your advanced end-to-end CIAM security strategy
You now have an idea of the default security capabilities available at tenant creation. As you develop your own identity security story and face more advanced threats, we encourage you to opt in to the following end-to-end premium security capabilities in External ID. Over the next few months, we will release a comprehensive External ID security blog series on integrating a Web Application Firewall (WAF), sign-up fraud protection, sign-in account takeover protection, and finally, a SIEM/SOAR tool for offline threat hunting.
Don't wait—start building secure, beautiful, and frictionless apps in minutes with Microsoft Entra External ID. Visit aka.ms/TryExternalID to get started now.
Pawan Nrisimha
Principal Product Manager
Updated Nov 20, 2024
Version 4.0