Controlling the Uncontrollable, Component 4: Authentication
First published on CloudBlogs on Mar 17, 2016
A major theme of the work done by my team emphasizes Microsoft’s perspective that identity is the control plane for your enterprise. In the past we used to build perimeters around organizations and those perimeters were one of the primary defensive boundaries. Well, as more data and more apps move to the cloud that perimeter has evaporated – and identity has become the new control plane.
Your efforts to control the uncontrollable start with being able to authenticate and authorize access to your organization’s resources. More on this in the video below.
This is an area where Microsoft has invested for
Active Directory is used by 90% of the world’s 2,000 biggest companies, and 95% of all organizations – and we’ve further extended this foundation to the cloud with Azure AD, which authenticates 1.3 billion access requests per day. I have to say, Azure Active Directory is simply an incredible service! I really recommend bookmarking that team’s blog.
Building this type of hyper-scale identity and access infrastructure required integration and investment that few other companies could deliver. Doing this has been a big priority and a foundational component for all of Microsoft.
To put Azure AD in perspective, as of December 30th, there are 8.24 million tenants in Azure AD and over 550 million users. This volume has increased from 4.9m and 430m just nine months ago.
To put this Azure AD usage into perspective, here are a few key data points:
A minority of the 8.24m tenants have user accounts.
But, because they are comparatively large, those tenants account for
of all the identities in Azure AD.
Of those larger accounts, just
use a 3rd party or homegrown solution to keep their identities in sync with their on-premises AD (Okta, Ping, etc.).
of those authentications are completed by a 3rd party identity service, 3rd party federation server or custom solution.
Don’t believe anyone who tells you that your best option is to use a 3rd party solution (Okta, Ping) because “everyone is doing it.” Everyone is definitely not “doing it” – it is a very small minority.
If you’d like to dig into these numbers in greater detail, check out
A big priority for any IT team is balancing access to company resources (like e-mail), while simultaneously protecting and managing that access. This is an area where Azure AD Premium (AADP) and EMS really provide some incredible services, like
Multi-factor authentication (MFA) is a simple concept and, here at Microsoft, every one of our employees uses it on a regular basis. You’ve probably come across it, too – if, for example, you use Outlook or Xbox Live.
How MFA works is simple:
1. When you need access to a resource you ask Azure AD for access.
2. Azure AD then prompts you to authenticate.
3. When you do successfully authenticate, you’re then prompted to provide one or more additional factors of authentication before the authentication is completed.
4. These additional factors can be a phone call, a text message with a code you then enter, or a code provided by the Azure Authenticator app on your device that you then enter.
This provides maximum flexibility while being much easier to roll out than a second “hard factor” such as a token or smart card.
This second factor of authentication should be a core component of your security moving forward. With MFA, you can block an attacker from accessing corporate content even if they have a valid username and password.
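To make the “code from the app” step above concrete, here is an added example of how a server-side second-factor check of that kind works; it is not code from the post or from Azure AD. It assumes the app derives its code as an RFC 6238 time-based one-time password (TOTP) over a shared secret, which the post does not state, and it uses the RFC 6238 test secret as constructed input. The point it adds to the description above is what the verifier has to do beyond comparing two strings: tolerate a little clock drift, refuse a code that has already been accepted (a captured code must not work a second time), and stop accepting guesses after a handful of failures.

```python
import hmac
import hashlib
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamic truncation, then reduce to 'digits' digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the counter set to
    the number of 'step'-second intervals since the Unix epoch."""
    return hotp(secret, at // step, digits)


class SecondFactorVerifier:
    """Server-side check of the code a user types after the password step.

    Assumed policy (not Azure AD's): accept one time step of drift either
    way, never accept a time step at or before the last accepted one
    (replay protection), and lock the account after max_failures wrong codes."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 drift_steps: int = 1, max_failures: int = 5):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift_steps = drift_steps
        self.max_failures = max_failures
        self.last_accepted_step = -1   # highest time step already used
        self.failures = 0              # consecutive wrong codes

    def verify(self, submitted: str, at: int = None) -> bool:
        """Return True and record the step if 'submitted' is a valid, unused
        code for the window around time 'at' (seconds since the epoch)."""
        if at is None:
            at = int(time.time())
        if self.failures >= self.max_failures:
            return False   # locked out; an operator has to reset the counter
        now_step = at // self.step
        window = range(now_step - self.drift_steps, now_step + self.drift_steps + 1)
        for candidate in window:
            if candidate <= self.last_accepted_step:
                continue   # this step was already consumed: replay is refused
            expected = hotp(self.secret, candidate, self.digits)
            # Constant-time comparison so the check leaks nothing via timing.
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = candidate
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 test vector key, not a real one.
    demo_secret = b"12345678901234567890"
    verifier = SecondFactorVerifier(demo_secret)
    code = totp(demo_secret, 59)
    print("first use:", verifier.verify(code, at=59))    # True
    print("replayed:", verifier.verify(code, at=59))     # False
```

The same code is accepted once and then refused, which is the property that makes an intercepted one-time code far less useful to an attacker than an intercepted password.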
Not all apps (including Outlook 2013 or prior versions, iOS, and many Android built-in mail clients) support MFA, however. In these cases, Azure AD will issue the user a per-app password that can be used for that app. In this scenario you could choose not to issue per-app passwords, thus preventing these clients from being used.
This is another reason why you should use Outlook for corporate e-mail on all of your devices. The current Outlook on Windows, iOS, and Android has the EMS MFA integrated.
What makes Azure AD so remarkable is its global, hyper-scale presence. This kind of worldwide coverage means that every time anyone authenticates successfully (or unsuccessfully) that action is recorded along with details about where the attempt came from and what it was attempting to access. Azure AD provides you with real-time reporting based on machine learning in the cloud on these access attempts – for example, if access attempts for a single identity are coming in from different regions of the world simultaneously.
While, in our opinion, all of the features listed above are great – we are constantly looking for ways to make our solutions easier to use. With that in mind, just last week we announced Azure AD Identity Protection, which takes everything noted above and adds adaptive, threat-based management that’s wholly unique to Microsoft. This means that now, whenever your users authenticate, the threat level of their circumstances is evaluated – and, based on your requirements, they might be blocked or required to provide additional factors of authentication. The value of this kind of protection is incredible.
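The two ideas in the previous paragraphs – spotting one identity signing in from different regions of the world at the same time, and then blocking or stepping up authentication based on the evaluated threat level – can be shown together in a small worked example. This is an added illustration, not code from the post and not how Azure AD or Identity Protection actually score risk: the sign-in records are constructed, the 1,000 km/h “faster than any flight” ceiling, the five-failure threshold and the three-level low/medium/high scale are all assumptions chosen for the demonstration.

```python
import math
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumed ceiling: faster than a commercial flight
FAILURE_THRESHOLD = 5        # assumed: this many failures marks an account "medium"

# Constructed sample sign-in events; these are not real Azure AD log records.
SIGN_INS = [
    {"user": "alice", "time": "2016-03-17T09:00:00Z", "lat": 47.61, "lon": -122.33, "success": True},  # Seattle
    {"user": "alice", "time": "2016-03-17T09:20:00Z", "lat": 55.75, "lon": 37.62,   "success": True},  # Moscow
    {"user": "bob",   "time": "2016-03-17T09:00:00Z", "lat": 51.51, "lon": -0.13,   "success": True},  # London
    {"user": "bob",   "time": "2016-03-17T17:00:00Z", "lat": 48.86, "lon": 2.35,    "success": True},  # Paris
] + [
    {"user": "carol", "time": "2016-03-17T10:%02d:00Z" % m, "lat": 40.71, "lon": -74.01, "success": False}
    for m in range(5)   # five password failures in five minutes from one place
]


def parse_time(stamp):
    """Parse the ISO-8601 'Z' timestamps used in the constructed events as UTC."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events):
    """Return {user: implied_speed_kmh} for users whose consecutive successful
    sign-ins imply travelling faster than MAX_PLAUSIBLE_KMH."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO stamps sort as text
        if ev["success"]:
            by_user.setdefault(ev["user"], []).append(ev)
    findings = {}
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            hours = (parse_time(cur["time"]) - parse_time(prev["time"])).total_seconds() / 3600.0
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours == 0:
                speed = math.inf if dist > 0 else 0.0   # simultaneous, different places
            else:
                speed = dist / hours
            if speed > MAX_PLAUSIBLE_KMH:
                findings[user] = max(findings.get(user, 0.0), speed)
    return findings


def failed_attempts(events):
    """Count unsuccessful sign-ins per user."""
    counts = {}
    for ev in events:
        if not ev["success"]:
            counts[ev["user"]] = counts.get(ev["user"], 0) + 1
    return counts


def risk_level(user, events):
    """Toy stand-in for a risk score: impossible travel is high, a burst of
    failures is medium, anything else is low."""
    if user in impossible_travel(events):
        return "high"
    if failed_attempts(events).get(user, 0) >= FAILURE_THRESHOLD:
        return "medium"
    return "low"


# Assumed policy mapping risk to an action, in the spirit of "blocked or
# required to provide additional factors" from the text above.
POLICY = {"low": "allow", "medium": "require_mfa", "high": "block"}


def access_decision(user, events):
    """Action a risk-based policy would take for this user's next sign-in."""
    return POLICY[risk_level(user, events)]


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, risk_level(name, SIGN_INS), access_decision(name, SIGN_INS))
```

Alice’s two successful sign-ins twenty minutes apart from Seattle and Moscow imply a speed of tens of thousands of km/h and she is blocked; Bob’s London-to-Paris day is ordinary and he is allowed through; Carol’s run of failures does not prove compromise, so she is asked for a second factor rather than refused. A real service would use far richer signals and a continuous score, but the shape of the decision is the same.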
To learn a lot more about how Azure AD can protect your organization and spot compromised accounts, check out this post.
With Azure AD and EMS you can take advantage of features like Azure AD MFA and Identity Protection the moment you synchronize your on-prem AD with Azure AD. If you’re already using Office 365, adding EMS isn’t just easy – it supercharges your entire infrastructure.