Microsoft Entra Blog

Building Stronger Identity Solutions with New Microsoft Entra Integrations

Natee Pretikul
Apr 25, 2023

I’m excited by this year’s RSA theme of “Stronger Together.” In the Identity and Network Access Division, we believe that everyone must work together to make the world a safer place for all. Leading up to RSA this year, the team has been hard at work collaborating with a wide range of technology vendors to extend our Microsoft Entra capabilities and help our customers move forward in their Zero Trust journeys. By integrating our products together, we make better security solutions for all. Below you’ll find some highlights from the last six months of our work creating integrated solutions to add more value for our customers.  

FIDO2 security keys with phishing-resistant capabilities  

Phishing-resistant multifactor authentication (MFA) options, like FIDO2 security keys, provide added security to help prevent bad actors from tricking users into handing over their credentials. We continue to build integrations with partners to provide new form factors for the FIDO2 authentication experience with Azure Active Directory (Azure AD) as part of the Microsoft Entra family. Some of the latest vendors we have added include: 

HYPR recently released Enterprise Passkeys. The solution integrates with Azure AD to turn a smartphone into a virtual FIDO2 security key, providing phishing-resistant passwordless authentication to Azure resources without needing a hardware security key. Learn more at HYPR Enterprise Passkeys | HYPR. 

The Token Ring is a wearable device that combines biometric user verification, public-private key cryptography, secure hardware, and decentralized credentials. Token has integrated with Azure AD to provide phishing-resistant FIDO2 multi-factor authentication.

Thales launched the SafeNet eToken Fusion series, a new set of USB tokens combining FIDO2 with PKI/CBA in a single authenticator. Thales’s new tokens are designed to protect Azure AD users against account compromise and provide stronger security for access to cloud and web applications. 

Enforcing strong authentication methods across tenants 

Our customers sometimes need to mandate strong authentication methods for specific users for compliance reasons or to reduce risk. Azure AD makes this programmatically possible via our authentication strengths API, and security vendors can use the API to allow their customers to enforce strong authentication within their own product’s user experience. 

Simeon Cloud allows IT pros to apply consistent Azure AD and Intune configurations to multiple tenants in bulk. Simeon Cloud’s use of configuration as code also empowers IT administrators to monitor and maintain custom conditional access authentication strength policies. You can learn more here: What Is Azure AD Authentication Strength? New Grant Control for Azure AD (simeoncloud.com). 

Secure authentication management for Apple devices 

Our customers use a variety of devices, including those outside of the Windows ecosystem. Jamf helps customers automate and scale Apple IT and security workflows by integrating with Azure AD.

Azure AD has integrated with Jamf Pro and Jamf Connect to provide Apple users with a secure authentication management solution. This integration provides automated compliance management for macOS and iOS devices accessing applications set up with Azure AD authentication. With Conditional Access and Device Compliance for macOS, customers now have the ability to share inventory data from Jamf Pro to Microsoft Intune, apply conditional access criteria, and offer remediation paths.

Enhancing Windows device information 

Azure AD provides a central place for managing device identities and monitoring related event information. It also offers a set of 15 extension attributes with predefined names on the user and device resources. With Microsoft Graph, a single API endpoint can access rich people-centric data and insights. App developers can now extend Microsoft Graph by adding custom properties to resource instances without requiring an external data store. 

Tanium’s Zero Trust readiness integration with Azure AD now enables customers to update Azure AD Windows devices with custom extension attributes. The custom extension attributes are updated in real time and are created from the complete data Tanium holds about every Windows device. Customers are now able to enforce fine-grained conditional access policies in Azure AD based on reliable data from fully customizable computer groups in Tanium. You can read more in their article Tanium and Azure Active Directory Integration.
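To make the mechanism behind this kind of integration concrete, here is an added example (not Tanium’s or Microsoft’s code) that maps endpoint-inventory facts onto the fifteen `extensionAttributeN` slots of a Microsoft Graph v1.0 `device` object and builds the matching Conditional Access device-filter rule. It assumes the Graph `PATCH /devices/{id}` body shape with an `extensionAttributes` object, the `device.extensionAttributeN -eq "value"` filter syntax, and constructed sample inventory records; the slot assignments and group names are illustrative.

```python
"""Map endpoint-inventory facts onto an Azure AD device's extensionAttributes
and build the matching Conditional Access device-filter rule.

Added illustration, not Tanium's or Microsoft's code. Assumes the Microsoft
Graph v1.0 `device` resource, whose `extensionAttributes` object carries the
fifteen string slots extensionAttribute1..extensionAttribute15, and the
Conditional Access "filter for devices" rule syntax
(device.extensionAttributeN -eq "value"). The inventory records below are
constructed sample data."""

import json
import re
from typing import Dict, Iterable, Optional

# Constructed sample inventory, roughly what an endpoint-management tool
# knows about each device; keyed by the Azure AD deviceId.
SAMPLE_INVENTORY = [
    {"azureAdDeviceId": "11111111-1111-4111-8111-111111111111",
     "computerGroup": "Finance-Workstations", "patchCompliant": True, "edrHealthy": True},
    {"azureAdDeviceId": "22222222-2222-4222-8222-222222222222",
     "computerGroup": "Contractor-Laptops", "patchCompliant": False, "edrHealthy": True},
    {"azureAdDeviceId": "bad-id",  # malformed id: must be skipped, never written
     "computerGroup": "Finance-Workstations", "patchCompliant": True, "edrHealthy": True},
]

# Which slot carries which fact is an org-wide convention (assumed here);
# Conditional Access rules reference the slot number, so keep it in one place.
SLOT_GROUP, SLOT_POSTURE = 1, 2
_GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
_MAX_LEN = 1024  # keep slot values short and predictable


def posture_label(record: dict) -> str:
    """Collapse several posture facts into one value a CA rule can compare on."""
    return "Healthy" if record["patchCompliant"] and record["edrHealthy"] else "Unhealthy"


def extension_attributes_patch(record: dict) -> Optional[dict]:
    """Build the JSON body for PATCH /devices/{id} (the caller resolves the
    Graph object id from deviceId). Returns None for records that cannot be
    mapped safely instead of writing partial data."""
    if not _GUID.match(record.get("azureAdDeviceId", "")):
        return None
    values = {SLOT_GROUP: record["computerGroup"], SLOT_POSTURE: posture_label(record)}
    body = {}
    for slot, value in values.items():
        if not 1 <= slot <= 15:
            raise ValueError(f"extension attribute slot {slot} out of range 1..15")
        if not isinstance(value, str) or len(value) > _MAX_LEN:
            raise ValueError(f"extension attribute {slot} must be a short string")
        body[f"extensionAttribute{slot}"] = value
    return {"extensionAttributes": body}


def build_patches(records: Iterable[dict]) -> Dict[str, dict]:
    """Return {deviceId: patchBody} for every mappable record."""
    out = {}
    for rec in records:
        body = extension_attributes_patch(rec)
        if body is not None:
            out[rec["azureAdDeviceId"]] = body
    return out


def device_filter_rule(slot: int, value: str) -> str:
    """Conditional Access device-filter rule matching the given slot value.
    Quotes inside the value are rejected rather than escaped, so an inventory
    value can never change the structure of the rule."""
    if not 1 <= slot <= 15:
        raise ValueError("slot out of range 1..15")
    if '"' in value:
        raise ValueError("value must not contain double quotes")
    return f'device.extensionAttribute{slot} -eq "{value}"'


if __name__ == "__main__":
    for device_id, body in build_patches(SAMPLE_INVENTORY).items():
        print(device_id, json.dumps(body))
    # A CA policy scoped with this rule can then block or step up access
    # for devices the inventory tool reports as unhealthy.
    print(device_filter_rule(SLOT_POSTURE, "Unhealthy"))
```

The two validation points matter more than the mapping itself: a device record with a malformed id is dropped rather than written, and the rule builder refuses values that could alter the filter expression, since the attribute value originates in an external system.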

Improving shared device access experience  

Frontline workers such as retail associates, flight crew members, and field service workers often use a shared mobile device to perform their work. With shared device mode, employees can sign in and access customer information quickly. When they're finished with their shift or task, they can sign out of the device, and it's immediately ready for use by the next employee.  

Customers can now streamline authentication to Microsoft Teams on Imprivata’s GroundControl app using Microsoft’s shared device mode on iOS. Two-tap sign-in simplifies the sign-in flow for frontline workers, and automatic sign-out closes apps that support MSAL and shared device mode. Learn more about this integration in their post Imprivata GroundControl integrates with Microsoft Shared Device Mode for simple, secure access to Teams and other application.

VMware now has a preview of Anywhere Workspace for shared device mode on Android. With VMware’s integration with shared device mode (SDM), customers can automatically provision devices into SDM, add them to Azure AD, and let users automatically sign in and out of applications. Customers who are interested in testing this can navigate to Join VMware Anywhere Workspace Early Access™ Program! to access a detailed guide and enable the feature.

Building stronger identity risk solutions by sharing risk signals 

In a Zero Trust landscape, it’s increasingly important to identify and respond to suspicious user account activity that may signal account compromise. At Microsoft Security, we process over 65 trillion signals across all types of devices, apps, platforms, and endpoints each day. Our Microsoft Graph Identity Protection APIs enable security vendors to integrate with Azure AD Identity Protection capabilities to analyze individual user risk or determine that a user has been compromised. 

Authomize’s Identity Threat Detection and Response (ITDR) platform helps protect enterprises from identity-based attacks. Authomize also leverages the Identity Protection APIs to integrate Azure AD risky user data into its identity risk score for users. You can learn more in their post: Authomize and Azure AD | Authomize.com.

Cloudflare has integrated their Cloudflare Zero Trust product suite with the Azure AD Identity Protection API. Now customers can synchronize the Azure AD risky users list with Cloudflare Access and apply more stringent Zero Trust policies to users at higher risk.  

KnowBe4 provides Security Awareness and Training Solutions. KnowBe4 has integrated Azure AD Identity Protection with their SecurityCoach product. This risky user data can be used to create detection rules for real-time coaching campaigns. 

The Netskope Cloud Exchange platform provides customers with powerful integration tools to leverage investments across their security posture. One of these integrations leverages Azure AD risky user signals to enable customers to see multiple connected systems’ risk values for individual users and groups. 

Valence helps customers protect their SaaS applications and enforce Zero Trust principles by correlating multiple data sources to provide one viewpoint into the users, externally shared files, third-party integrations, and other SaaS misconfigurations in SaaS applications. Valence now includes the risk status of users provided by Azure AD. Learn more about their integration with Azure AD in their blog article Valence Integrates With Azure AD to Reduce SaaS Supply Chain Risks By Enforcing Zero Trust Principles. 
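The partner integrations above all consume the same signal: the Identity Protection risky-users collection. The following added example (not Cloudflare’s, Netskope’s, Valence’s or Microsoft’s code) shows the part a policy engine has to get right when it synchronizes that list, namely paging through the collection and deciding which records still represent live risk. It assumes the Microsoft Graph v1.0 `/identityProtection/riskyUsers` endpoint and its `riskLevel` / `riskState` / `riskDetail` enumerations; `fetch_page` is a hypothetical hook standing in for an authenticated HTTP GET, and the two response pages are constructed sample data so the script runs offline.

```python
"""Turn Azure AD Identity Protection riskyUsers records into the list of
users an external policy engine should treat as high risk.

Added illustration, not any vendor's or Microsoft's code. Assumes the
Microsoft Graph v1.0 /identityProtection/riskyUsers collection and its
riskLevel / riskState enumerations. `fetch_page` is a hypothetical hook in
place of an authenticated HTTP GET; SAMPLE_PAGES are constructed responses."""

from typing import Callable, Dict, Iterator, List, Set

ENDPOINT = "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers"

# Constructed sample responses keyed by URL, including a second page reached
# through @odata.nextLink, which real Graph collections return when large.
SAMPLE_PAGES: Dict[str, dict] = {
    ENDPOINT: {
        "value": [
            {"id": "u1", "userPrincipalName": "alice@contoso.example",
             "riskLevel": "high", "riskState": "atRisk", "riskDetail": "none"},
            {"id": "u2", "userPrincipalName": "bob@contoso.example",
             "riskLevel": "high", "riskState": "remediated",
             "riskDetail": "userPerformedSecuredPasswordReset"},
        ],
        "@odata.nextLink": ENDPOINT + "?$skiptoken=page2",
    },
    ENDPOINT + "?$skiptoken=page2": {
        "value": [
            {"id": "u3", "userPrincipalName": "carol@contoso.example",
             "riskLevel": "medium", "riskState": "atRisk", "riskDetail": "none"},
            {"id": "u4", "userPrincipalName": "dave@contoso.example",
             "riskLevel": "low", "riskState": "confirmedCompromised",
             "riskDetail": "adminConfirmedUserCompromised"},
            {"id": "u5", "userPrincipalName": "erin@contoso.example",
             "riskLevel": "high", "riskState": "dismissed",
             "riskDetail": "adminDismissedAllRiskForUser"},
        ]
    },
}

# Risk states that are still open. remediated, dismissed and confirmedSafe are
# closed: keeping those users restricted would undo the remediation.
ACTIVE_STATES = {"atRisk", "confirmedCompromised"}
LEVEL_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}  # "hidden"/unknown -> 0


def iter_risky_users(fetch_page: Callable[[str], dict], url: str = ENDPOINT) -> Iterator[dict]:
    """Yield every record, following @odata.nextLink until exhausted."""
    seen: Set[str] = set()
    while url:
        if url in seen:  # defensive: never spin on a repeating nextLink
            raise RuntimeError("pagination loop detected")
        seen.add(url)
        page = fetch_page(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def users_to_restrict(fetch_page: Callable[[str], dict], minimum_level: str = "medium") -> List[str]:
    """UPNs whose risk is still active and at or above minimum_level.
    An admin-confirmed compromise is always included, whatever the level."""
    threshold = LEVEL_ORDER[minimum_level]
    restricted = []
    for user in iter_risky_users(fetch_page):
        if user.get("riskState") not in ACTIVE_STATES:
            continue
        level = LEVEL_ORDER.get(user.get("riskLevel"), 0)
        if user["riskState"] == "confirmedCompromised" or level >= threshold:
            restricted.append(user["userPrincipalName"])
    return sorted(restricted)


if __name__ == "__main__":
    offline_fetch = SAMPLE_PAGES.__getitem__  # swap for a real Graph GET in production
    for upn in users_to_restrict(offline_fetch):
        print("restrict:", upn)
```

Two details are easy to miss when wiring this up: a high `riskLevel` on a `remediated` or `dismissed` record is historical and should release the user, while a `confirmedCompromised` record is actionable even at `low` level because an administrator has already made the call.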

New pre-integrated applications available in Azure AD Gallery 

Finally, we continue to add more pre-integrated apps in our Azure AD App gallery. These pre-built integrations make it easier for IT Admins to configure, manage, and secure their applications with Azure AD. Independent software vendors can publish an application to the Azure AD Gallery by following the instructions here. Some notable additions to our Azure AD app gallery include:  
We appreciate the collaboration across the security ecosystem and look forward to more integrations in the future. Reach out to me to share ideas or leave comments below. 

Best regards, 

Natee Pretikul 

Principal PM Manager, Microsoft Security  

Twitter: @NateePretikul

LinkedIn: https://www.linkedin.com/in/nateenew/  