Announcing password-less login, identity governance, and more for Azure Active Directory

Howdy folks,

Over the past year, our customers have told us that one of the things they value most about Azure AD is that we work hard to deliver a solution that provides both a great user experience and enterprise-grade security. We do this by designing integrated systems that keep both of these priorities top of mind, starting from the very first back-of-the-napkin sketches.

This approach gives you, our customer, the ability to deliver great user experiences for your employees, customers, and partners without compromising your security posture by using Azure AD as the platform for your identity and access management strategy.

By connecting your apps, users, and devices to Azure AD, you can apply strong security and structured governance policies. Today, I’m excited to share with you how we’re helping you reduce risk, enhance control, and increase visibility. Read on for details and the summary of improvements we announced at this year’s Microsoft Ignite!

Password-less sign in with Microsoft Authenticator for Azure AD accounts

Microsoft is ending the era of passwords! This week we announced that password-less phone sign in to Azure AD accounts via Microsoft Authenticator is now available in public preview. With this capability, your employees with Azure AD accounts can use the Microsoft Authenticator app to replace passwords with a secure multi-factor authentication option that is both convenient and reduces risk.

Password-less sign in with Authenticator also makes it easier to sign in for device-based authentication tasks, such as joining or registering Windows 10 PCs to Azure AD. For more information on how to set up Microsoft Authenticator, check out our support article, Sign in with your phone, not your password, and watch our short video about password-less phone sign in.

Azure AD Identity Governance

Identity links together your business needs, user experience, and security requirements. It ensures the right users will have the right access to the right resources at any time. Azure AD Identity Governance is the set of capabilities that enables you to define your access policies and monitor identity, access, and admin lifecycles. We’re developing a complete suite of governance capabilities for Azure AD, including two powerful new features: Entitlement management and My Access. Entitlement management will allow admins to create policies for resources such as groups, apps, and sites, and automate the process of granting access to employees and partners. In the My Access portal, employees and partners will be able to request access to these entitlements and business managers can approve access requests.

(Screenshot) New Entitlement management capability within Azure AD Identity Governance.

(Screenshot) My Access, the user experience for requesting access to entitlements.

These features will be in public preview by early next year. If you are interested in trying them out, you can sign up for the private preview.  

Azure AD conditional access delivers Zero Trust controls

Organizations today are moving beyond the physical security perimeter and using models like Zero Trust, where every service is treated as though it were on the open internet and any access is verified using a variety of identity, device, app, location, and risk conditions. This dramatically reduces the risk of breaches and provides more granular control. Azure AD conditional access helps you achieve Zero Trust through controls that can allow, block, or limit access.

Last year, we announced the ability to limit access to SharePoint Online through Azure AD conditional access. I’m happy to announce that we have expanded this capability to SharePoint Online sites, files, or groups based on the associated Microsoft Information Protection label. Limited access lets users view and edit content but prevents them from downloading, printing, or sharing it.

(Screenshot) The user notification in a SharePoint Online site labelled as “Confidential.”

Limited access policy is also now available for Exchange Online. This policy allows your users to access and read email attachments from any device while only allowing attachments to be downloaded and saved to managed devices. This helps you stay in control of your company’s data. Learn more about Azure AD conditional access.

More Multi-Factor Authentication (MFA) options and a better security posture with identity in Microsoft Secure Score

Multi-Factor Authentication (MFA) is an important security mechanism that can dramatically improve your security posture. Our numbers show that 99.9% of identity attacks have been thwarted by turning on MFA, so I’m happy to announce that we added more security baselines for identity, such as the MFA policy for admins, to Microsoft Secure Score. That way you know the exact steps you need to take to stay secure over time.

(Screenshot) Identity within the Secure Score experience.

I’m also excited to announce the ability for you to use hardware OATH tokens for MFA. This feature will be in public preview starting in October and will support hardware authentication tokens from virtually any manufacturer using the OATH TOTP 30- or 60-second standard without the need for connectors or extensions.

More controls and more visibility into risk events with Azure AD Identity Protection

We have a new and improved experience for Azure AD Identity Protection that can give you an incredible level of detail, including a security dashboard that gives you organization-level visibility into risk events.

(Screenshot) The new Security dashboard powered by Azure AD Identity Protection.

We also built in more granular controls including the ability for admins to confirm risk events. Azure AD Identity Protection will be integrated with Azure Advanced Threat Protection (ATP) soon, so you can better partner with your security operations team and proactively prevent attacks.

(Screenshot) Greater visibility in Azure AD Identity Protection, including the ability to investigate with Azure ATP.

Connect to all your apps and users

To extend the benefits you've seen here across your environment, be sure to connect all your apps to Azure AD. With thousands of SaaS apps pre-integrated and growing, we're here to ensure that the apps you need work with Azure AD. To make this connection even easier, we’re releasing a public preview of a new configuration UI and introducing additional one-click experiences for setting up single sign-on (SSO) for your SAML apps. We also have new tools and documentation to walk you through your app migration experience and show you which apps you can easily connect today.

To sign your users into Azure AD, many of you have taken advantage of modern cloud authentication—either Pass-through Authentication or Password Hash Sync, along with Seamless SSO. We’ve heard that some of you need flexibility in migrating from federated to cloud authentication, so we’re announcing the staged authentication rollout feature, which lets you migrate users gradually rather than your entire domain at once. This feature will be in public preview in October; expect to hear more on this soon.

A clean developer experience

For developers, we continue to invest in our identity platform so it's easier to develop apps that integrate with any Microsoft identity. We're making a ton of progress toward giving you a great, simplified, end-to-end developer experience. For example, our new unified app registration portal in private preview has received positive feedback and we look forward to releasing it to public preview in the next few months. We also made enhancements to our Microsoft Authentication Libraries for JavaScript, .NET, iOS, and Android and we’ll be making enhancements to other supported platforms. If you have any feedback about the improvements we've made, we'd love to hear from you.

Monitor user activity and extract insights

Back in July, we released a public preview of the capability to route your Azure AD user activity logs into Azure Monitor. This enables you to archive these logs in an Azure storage account and stream them to a Security Information and Event Management (SIEM) system for analytics. We’re going to extend the power of this feature to directly integrate these activity logs into Azure Log Analytics, which allows you to transform this data along with other Azure service activity into actionable insights. You’ll see this added to the public preview in the coming weeks.

More to come

We’re only halfway through Ignite week and you’ll see even more across Azure AD that our team’s been busy working on in upcoming sessions. You can tune in to our sessions live and on-demand on the Microsoft Ignite website.

We’d love to receive any feedback or suggestions you have! We always love hearing from you!

Best Regards,

Alex Simons (Twitter: @alex_a_simons)

Corporate VP of Program Management

Microsoft Identity Division

11 Comments
Frequent Visitor

We lost internet and DNS on all machines. We tried redeploying AAD to rejoin the machines. Now we cannot login to the machines even with local admin accounts.

This is all really exciting. :)

You mention the O365 score and MFA. It would be nice if the secure score got an injection of a brain. It's a good first step for those truly clueless, but it doesn't give credit for MFA if the user is protected by conditional access, nor does it even have the ability to measure most of its own suggestions. If this is to be turned into a game with points, they shouldn't be arbitrary.

Staged Authentication Rollout sounds awesome! I have a customer that wanted to change the identity model for 20k students but because identities had drifted over time, they were going to have to expect everyone to do SSPR in one terrible weekend. They will definitely wait for this feature!

New Contributor

Will this work in a hybrid environment? 

Hi Wayne - which features were you asking about for hybrid?

Hi Mike - I believe you are referring to the old version. Please check out the updated version at https://securescore.office.com/ 

I think we have addressed all of the points you've made.

Thanks!
Alex

New Contributor

"Hi Wayne - which features were you asking about for hybrid?"

Hi Alex. We use AD Connect so we can log on to Office365 with our local AD credentials. In this scenario, would we be able to log on password-less using the Authenticator app?

Hi Wayne - yes, that configuration works perfectly for this.

Regards,

Alex

Frequent Visitor

When will the Public Preview for the Token support begin?

Do you have more Details?

Thx in advance for ur help!

Occasional Visitor

Hi Alex,

I was very excited to use the Passwordless authentication option when I saw it at Ignite this year. However, when I went through the documentation it has a few restrictions, namely: only one account per tenant, device registration, and the biggest one, not directing to ADFS if this option is set. Can we expect it to be more flexible and controlled via some modifications?

Regards

AB

New Contributor

Hi Alex,

Any news when the staged authentication rollout feature will be available in public preview?

Regards,

Ed

Hi Ed - We are targeting Q1 CY'19 for a public preview.