Over the past year, our customers have told us that one of the things they value most about Azure AD is that we work hard to deliver a solution that provides both a great user experience and enterprise-grade security. We do this by designing integrated systems that keep both priorities top of mind, starting from the very first back-of-the-napkin sketches.
This approach lets you, our customer, use Azure AD as the platform for your identity and access management strategy and deliver great experiences for your employees, customers, and partners without compromising your security posture.
By connecting your apps, users, and devices to Azure AD, you can apply strong security and structured governance policies. Today, I’m excited to share with you how we’re helping you reduce risk, enhance control, and increase visibility. Read on for details and the summary of improvements we announced at this year’s Microsoft Ignite!
Password-less sign in with Microsoft Authenticator for Azure AD accounts
Microsoft is ending the era of passwords! This week we announced that password-less phone sign in to Azure AD accounts via Microsoft Authenticator is now available in public preview. With this capability, your employees with Azure AD accounts can use the Microsoft Authenticator app in place of a password, signing in with a multi-factor authentication option that is both more convenient and lower risk.
Password-less sign in with Authenticator also makes it easier to sign in for device-based authentication tasks, such as joining or registering Windows 10 PCs to Azure AD. For more information on how to set up Microsoft Authenticator, check out our support article, Sign in with your phone, not your password and watch this short video about password-less phone sign in:
Azure AD Identity Governance
Identity links together your business needs, user experience, and security requirements. It ensures that the right users have the right access to the right resources at the right time. Azure AD Identity Governance is the set of capabilities that lets you define your access policies and monitor the identity, access, and admin lifecycles. We're developing a complete suite of governance capabilities for Azure AD, including two powerful new features: Entitlement management and My Access. Entitlement management will let admins create policies for resources such as groups, apps, and sites, and automate the process of granting access to employees and partners. In the My Access portal, employees and partners will be able to request access to these entitlements, and business managers will be able to approve the requests.
New Entitlements management capability within Azure AD Identity Governance.
My Access, the user experience to request access to entitlements.
These features will be in public preview by early next year. If you are interested in trying them out, you can sign up for the private preview.
Azure AD conditional access delivers Zero Trust controls
Organizations today are moving beyond the physical security perimeter and using models like Zero Trust, where every service is treated as though it were on the open internet and any access is verified using a variety of identity, device, app, location, and risk conditions. This dramatically reduces the risk of breaches and provides more granular control. Azure AD conditional access helps you achieve Zero Trust through controls that can allow, block, or limit access.
Last year, we announced the ability to limit access to SharePoint Online through Azure AD conditional access. I'm happy to announce that we've extended this capability so the limit can be applied to SharePoint Online sites, files, or groups based on their associated Microsoft Information Protection label. Limited access lets users view and edit content but blocks download, print, and share.
The user notification in a SharePoint Online site labelled as “Confidential.”
Limited access policy is also now available for Exchange Online. With this policy, your users can open and read email attachments from any device, but attachments can be downloaded and saved only on managed devices, so your company's data stays under your control. Learn more about Azure AD conditional access.
More Multi-Factor Authentication (MFA) options and a better security posture with identity in Microsoft Secure Score
Multi-Factor Authentication (MFA) is an important security mechanism that can dramatically improve your security posture. Our numbers show that turning on MFA thwarts 99.9% of identity attacks, so I'm happy to announce that we've added more security baselines for identity, such as the policy requiring MFA for admins, to Microsoft Secure Score. That way you know the exact steps you need to take to stay secure over time.
Identity within the Secure Score experience.
I'm also excited to announce that you will be able to use hardware OATH tokens for MFA. This feature will be in public preview starting in October and will support hardware tokens from virtually any manufacturer that implement the OATH TOTP standard with a 30- or 60-second time step, with no connectors or extensions required.
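As an added example (not Microsoft's code, nor the implementation inside Authenticator or any token vendor's firmware), here is the OATH HOTP/TOTP computation such a hardware token performs, together with a verifier that tolerates clock drift and accepts either a 30- or 60-second time step. It checks itself against the published RFC 4226 / RFC 6238 test vectors (SHA-1, ASCII seed `12345678901234567890`). The base32 helper assumes token seeds are distributed base32-encoded, which is common practice but not stated on this page.

```python
"""
OATH HOTP (RFC 4226) and TOTP (RFC 6238) with a drift-tolerant verifier.
Added example; standard library only. The RFC test seed and vectors are
embedded so the code can check itself offline.
"""
import base64
import hashlib
import hmac
import struct
import time

# ASCII test seed from RFC 4226 / RFC 6238 Appendix B (SHA-1 vectors)
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC over the big-endian 8-byte counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step); step is 30 or 60 for OATH tokens."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept a code within +/- `window` steps of `at` to absorb token clock drift.

    Comparison is constant-time so a verifier does not leak partial matches.
    Keep `window` small: every extra step widens the space an attacker can guess.
    """
    counter = at // step
    for delta in range(-window, window + 1):
        c = counter + delta
        if c < 0:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


def secret_from_base32(b32: str) -> bytes:
    """Decode a base32 seed as printed on a token's seed record (spacing/padding optional)."""
    b32 = b32.strip().upper().replace(" ", "")
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


if __name__ == "__main__":
    # RFC 6238 Appendix B: SHA-1, 8 digits, 30-second step
    vectors = [(59, "94287082"), (1111111109, "07081804"), (1234567890, "89005924")]
    for t, expected in vectors:
        got = totp(RFC_SECRET, t, step=30, digits=8)
        print(f"T={t}: {got} {'ok' if got == expected else 'MISMATCH'}")

    now = int(time.time())
    print("current 6-digit code (30s step):", totp(RFC_SECRET, now))
    print("previous-step code accepted:", verify_totp(RFC_SECRET, totp(RFC_SECRET, now - 30), now))
```

The three RFC vectors should print `ok`. When you register a token, the seed, digit count, and time step uploaded to the identity provider must match what the token was programmed with, or every code will be rejected; and the drift window plus the IdP's rate limiting, not the code length alone, determine how much a guessing attacker gains.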
More controls and more visibility into risk events with Azure AD Identity Protection
We have a new and improved experience for Azure AD Identity Protection that gives you a much finer level of detail, including a security dashboard with organization-wide visibility into risk events.
The new Security dashboard powered by Azure AD Identity Protection.
We also built in more granular controls, including the ability for admins to confirm risk events. Azure AD Identity Protection will soon be integrated with Azure Advanced Threat Protection (ATP), so you can partner more closely with your security operations team and proactively prevent attacks.
Greater visibility in Azure AD Identity Protection including the ability to investigate with Azure ATP.
Connect to all your apps and users
To extend the benefits you've seen here across your environment, be sure to connect all your apps to Azure AD. With thousands of SaaS apps pre-integrated and growing, we're here to ensure that the apps you need work with Azure AD. To make this connection even easier, we’re releasing a public preview of a new configuration UI and introducing additional one-click experiences for setting up single sign-on (SSO) for your SAML apps. We also have new tools and documentation to walk you through your app migration experience and show you which apps you can easily connect today.
To sign your users into Azure AD, many of you have taken advantage of modern cloud authentication, either Pass-through Authentication or Password Hash Sync, along with Seamless SSO. We've heard that some of you need flexibility in migrating from federated to cloud authentication, so we're announcing the staged authentication rollout feature, which lets you migrate users gradually rather than cutting over your entire domain at once. This feature will be in public preview in October; expect to hear more about it soon.
A clean developer experience
Monitor user activity and extract insights
Back in July, we released a public preview of the capability to route your Azure AD user activity logs into Azure Monitor. This lets you archive the logs in an Azure storage account and stream them to a Security Information and Event Management (SIEM) system for analytics. We're going to extend this feature so the activity logs integrate directly into Azure Log Analytics, where you can correlate them with activity from other Azure services and turn the combined data into actionable insights. You'll see this added to the public preview in the coming weeks.
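Once the sign-in logs are landing in storage or a SIEM, the obvious first detection to run over them is a password-spray check: one source address failing password authentication against many distinct accounts in a short window, optionally followed by a success. The following is an added example, not Microsoft's code and not the Log Analytics integration itself. The records are constructed for the example; the field names (`createdDateTime`, `userPrincipalName`, `ipAddress`, `status.errorCode`) are a simplified assumption about the exported sign-in record, and 50126 / 50053 are the Azure AD error codes for a bad password and a locked account.

```python
"""
Password-spray detection over newline-delimited Azure AD sign-in records.
Added example; the sample records are constructed and the field layout is an
assumption about the exported sign-in log, not a schema taken from this page.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# 50126: invalid username or password; 50053: account locked by repeated failures
PASSWORD_FAILURE_CODES = {50126, 50053}


def _records(*rows):
    return "\n".join(json.dumps(r) for r in rows)


# Constructed sample: one IP fails against three accounts in seconds, then a
# fourth account signs in successfully from it. A second IP shows a single
# user mistyping a password, which must not be flagged.
SAMPLE_LOG = _records(
    {"createdDateTime": "2018-09-25T10:00:05Z", "userPrincipalName": "alice@contoso.com",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}},
    {"createdDateTime": "2018-09-25T10:00:09Z", "userPrincipalName": "bob@contoso.com",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}},
    {"createdDateTime": "2018-09-25T10:00:14Z", "userPrincipalName": "carol@contoso.com",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}},
    {"createdDateTime": "2018-09-25T10:00:20Z", "userPrincipalName": "dave@contoso.com",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2018-09-25T10:01:00Z", "userPrincipalName": "erin@contoso.com",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"createdDateTime": "2018-09-25T10:01:30Z", "userPrincipalName": "erin@contoso.com",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
)


def parse_signins(text: str):
    """Yield normalised events from one JSON object per line; skip blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        yield {
            "time": datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": r["userPrincipalName"].lower(),
            "ip": r["ipAddress"],
            "code": int(r["status"]["errorCode"]),
        }


def detect_spray(events, window=timedelta(minutes=10), min_users=3):
    """Flag each IP whose password failures hit >= min_users distinct accounts inside `window`.

    Returns {ip: {"users_targeted", "first_seen", "successes_after"}}; successes_after
    lists accounts that signed in successfully from that IP once the spray began,
    which is where an incident responder should look first.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["code"] in PASSWORD_FAILURE_CODES]
        for i, first in enumerate(failures):
            users = {e["user"] for e in failures[i:] if e["time"] - first["time"] <= window}
            if len(users) >= min_users:
                successes = sorted({e["user"] for e in evs
                                    if e["code"] == 0 and e["time"] >= first["time"]})
                findings[ip] = {
                    "users_targeted": sorted(users),
                    "first_seen": first["time"].isoformat(),
                    "successes_after": successes,
                }
                break
    return findings


if __name__ == "__main__":
    for ip, f in detect_spray(parse_signins(SAMPLE_LOG)).items():
        print(f"{ip}: {len(f['users_targeted'])} accounts targeted from {f['first_seen']}; "
              f"successful sign-ins afterwards: {f['successes_after'] or 'none'}")
```

The thresholds are deliberately conservative for the constructed data; in production tune `min_users` and `window` to the tenant's baseline, and feed the flagged IPs and `successes_after` accounts into the Identity Protection risk review rather than acting on the IP alone, since sprays from shared egress addresses will otherwise sweep up legitimate users.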
More to come
We're only halfway through Ignite week, and you'll see even more of what the Azure AD team has been working on in upcoming sessions. You can tune in to our sessions live and on demand on the Microsoft Ignite website.
We’d love to receive any feedback or suggestions you have! We always love hearing from you!