Executive Order 14028 (EO 14028), Improving the Nation’s Cybersecurity, directs the federal government to improve its efforts to identify, protect against, and respond to malicious cyber campaigns and their actors through bold changes and significant investments in cybersecurity. The Office of Management and Budget (OMB) released the Federal Zero Trust Strategy Memorandum M-22-09, which adds specific guidance on where federal agencies should focus their identity efforts: (1) a centralized cloud-based identity solution, (2) stronger authentication through phishing-resistant multifactor authentication (MFA), and (3) device signals as an input to authorization decisions.
Many agencies are struggling to implement these requirements by the deadline without severely disrupting their business. Since the announcement, we’ve been working diligently to make it faster and easier for our customers to deploy the Azure Active Directory (Azure AD) features, part of the Microsoft Entra family, that meet EO 14028 requirements. We’re excited to share how Azure AD can support your scenarios so your organization can meet them.
In the first part of this article, we’ll walk you through our top five curated tips and tricks and how you can leverage them for your migration. In the second half, we’ll share some of the deployment best practices we’ve developed that have been instrumental in minimizing risk and maintaining business continuity, all while consolidating identity providers (IdPs) and moving to phishing-resistant MFA.
Top five tips to ensure requirements are met
Over the last year, we’ve released several features to extend the capabilities of Azure AD and ensure they also meet EO 14028 requirements. Here are our top five tips and tricks and how you can use them:
Consolidate your identity providers and use Azure AD certificate-based authentication (CBA). Historically, federal agencies and other customers who wanted to use CBA had to federate Azure AD with another IdP (such as AD FS). Now Azure AD CBA eliminates the need to federate, making it easier for you to consolidate your identity providers (IdPs) and move to the cloud faster (Azure AD CBA as a central IdP meets the federal requirement).
Phishing-resistant MFA for your Azure Virtual Desktop users. We’ve implemented RDS AAD Auth to authenticate a user to an Azure AD-joined or Hybrid Azure AD-joined device. This means that any authentication method supported by Azure AD can be used to authenticate to Azure Virtual Desktop and Windows 365.
Phishing-resistant MFA on mobile (iOS, Android). Users can now authenticate on mobile devices using certificates stored on security keys. Unlike software certificates installed on the mobile device, these certificates are hardware-protected and require an activation factor, making them a true MFA solution. This solution also eliminates the need to issue a certificate for every mobile device, since the user can roam with the same security key across multiple devices.
Now let’s dive into some actual customer deployment scenarios to help you with your migration even more.
Customer deployment story
We’ve worked with countless customers at various stages to help them maintain business continuity and minimize risk and disruption to their users while deploying their EO 14028 solutions. We’ve seen agencies with many tens of thousands of users and devices do this in as little as a few days. Below are the best practices we’ve refined over the last few years that will help you as well:
Moving CBA from an on-premises IdP to Azure AD. Switching CBA from an on-premises IdP to a cloud IdP can be disruptive if the only options are to move users to another domain or to move all users at once. Azure AD supports a staged rollout approach, giving federal agencies the ability to pilot granularly and then move to Azure AD CBA en masse, mitigating the risk and disruption to your business and your users. To do this, designate a test group of users to start authenticating with Azure AD CBA in the cloud. Once you’ve validated that everything is working as expected, migrate your users in phases until all of them have been moved. After all users have been migrated, it is safe to cut over to cloud authentication.
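As an added example that is not part of the original post, the pilot phase described above expressed as Microsoft Graph calls from PowerShell: it checks that CBA is enabled as an authentication method, creates a staged rollout policy for certificateBasedAuthentication, and scopes it to one pilot group. It assumes the Microsoft.Graph PowerShell module and an administrator with the listed scopes; the group object ID is a placeholder.

```powershell
# Added example (not from the original post): pilot Azure AD CBA for one group via a
# Microsoft Graph staged rollout policy. Assumes the Microsoft.Graph module is installed.
$PilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: object ID of your pilot group

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "Directory.ReadWrite.All"

# 1. CBA must be enabled as a tenant authentication method before a staged rollout
#    can route anyone to it. Fail fast if it is not, rather than leaving pilot users stuck.
$cba = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate"
if ($cba.state -ne "enabled") {
    throw "Azure AD CBA authentication method state is '$($cba.state)'; enable it before piloting."
}

# 2. Create the staged rollout policy. It is scoped to groups, not the whole organization,
#    so users outside the pilot keep authenticating through the federated IdP.
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/policies/featureRolloutPolicies" `
    -Body @{
        displayName             = "EO 14028 CBA pilot"
        feature                 = "certificateBasedAuthentication"
        isEnabled               = $true
        isAppliedToOrganization = $false
    }

# 3. Add the pilot group to the policy. Later migration phases repeat this step with
#    additional groups until every user is covered, before the domain is cut over.
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/policies/featureRolloutPolicies/$($policy.id)/appliesTo/`$ref" `
    -Body @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$PilotGroupId" }

# 4. Read the policy back and confirm exactly which groups are in scope. The Prefer header
#    is required for Graph to return the certificateBasedAuthentication enum member.
$applied = Invoke-MgGraphRequest -Method GET `
    -Headers @{ Prefer = "include-unknown-enum-members" } `
    -Uri "https://graph.microsoft.com/v1.0/policies/featureRolloutPolicies/$($policy.id)?`$expand=appliesTo"
"Feature: $($applied.feature), enabled: $($applied.isEnabled)"
$applied.appliesTo | ForEach-Object { "Staged rollout applies to group $($_.id)" }
```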
To conclude, Microsoft is committed to helping our US government customers meet the EO 14028 requirements by the September 2024 deadline. We have more features lined up to further assist you, make your migration easier, and help you achieve your Zero Trust goals. To get started, here are some helpful resources: