Seamless and Secure Access to Digital Healthcare Records with Microsoft Entra Suite
Healthcare professionals who dedicate their skills to saving lives must also manage operational and safety challenges inherent to their roles. If you’re in charge of cybersecurity for a healthcare organization, you’re intimately familiar with the need to comply with government healthcare regulations that, for example, require securing access to systems that house patient health information (PHI), are used for overseeing controlled substances, or are necessary to enable the secure consumption of AI. Every year, hundreds of U.S. healthcare institutions fall victim to ransomware attacks, resulting in network closures and critical systems going offline, not to mention delayed medical operations and appointments.[i] Sensitive healthcare systems are very attractive targets for cyberattacks and internal misuse. Many cybercriminals gain initial access by compromising identities. Thus, the first line of defense against bad actors, whether internal or external, is to protect identities and to closely govern access permissions based on Zero Trust principles: Verify explicitly. Confirm that the individual signing into a system used to electronically prescribe controlled substances is actually the care provider they say they are. Use least privilege access. Limit a care giver’s access to systems they need to use for their job Assume breach. Discover unauthorized access and block it before an adversary can deploy ransomware. This blog is the first in a series of how Microsoft Entra Suite and the power of cloud-based security tools can protect access to sensitive healthcare assets while improving the user experience for care teams and staff. On-premises healthcare applications and cloud-based security Some of the most widely adopted healthcare applications, such as electronic health records (EHRs), began decades ago as on-premises solutions that used LDAP (Lightweight Directory Access Protocol) and Active Directory to authenticate users. As enterprises shifted from on-premises networks protected by firewalls at the network perimeter to hybrid environments that enabled “anytime, anywhere access,” these solutions became vulnerable to attackers who gained unauthorized access to hospital networks via the Internet. Cloud-based security tools introduced advantages such as centralized visibility and control, continuous monitoring, automated threat detection and response, and advanced threat intelligence based on trillions of security signals. Many existing healthcare applications, however, didn’t support the new protocols necessary to take advantage of all these benefits. Over the past several years, Microsoft has worked closely with software vendors to integrate their applications with our comprehensive identity security platform, Entra ID—which is built on modern open security standards. As a result, many healthcare applications, including the most widely deployed EHR systems, can now benefit from the advanced security capabilities available through Microsoft Entra Suite, including single sign-on (SSO), multifactor authentication (MFA), Conditional Access, Identity Protection, and Network Protection. Securing access to healthcare applications with Microsoft Entra Suite Healthcare organizations can standardize on Microsoft Entra to enable single sign-on (SSO) to their most commonly used Healthcare applications and resources, including the most widely used EHR vendors, whether they’re on-premises or in clouds from Microsoft, Amazon, Google, or Oracle. Care teams, who may use dozens of different applications during their workday, benefit from seamless and secure access to all their resources with Microsoft’s built-in advanced identity and network security controls. Not only does Microsoft Entra offer a holistic view of all users and their access permissions, but it also employs a centralized access policy engine, called Conditional Access, that combines trillions of signals from multiple sources, including identities and devices, to detect anomalous user behavior, assess risk, and make real-time access and data protection decisions that adhere to regulatory mandates and Zero Trust principles. In simple terms, this enables controls that verify who a user is and what device they are using – including when using kiosks, remote, or many-to-one workstations - to decide if it is safe to enable access. This ability to support modern authentication successfully maps the clinicians to their cloud identity and in turn, unlocks powerful user-based models for data protection with Microsoft Purview. With Microsoft Entra, healthcare organizations can enforce MFA at the application level for more granular control. They can strengthen security by requiring phishing-resistant authentication for staff, contractors, and partners, and by evaluating device health before authorizing access to resources. They can even require additional verification steps for IT admins performing sensitive actions. Moreover, Microsoft Entra ID Protection processes a vast array of signals to identify suspicious behaviors that may indicate an identity compromise. It can raise risk levels to trigger risk-based Conditional Access policies that protect users and resources from unauthorized access. For more details about risk detections in Entra ID Protection, visit our documentation. Seamless and secure access for healthcare professionals Integrating applications with Microsoft Entra ID makes it possible for healthcare professionals to work more securely with fewer disruptions when they access medical records and treat patients, even when they’re working offsite, such as at a patient’s home or as part of a mobile medical unit. Microsoft Entra supports the strict protocols for electronic prescribing of controlled substances (EPCS). The EPCS mandate requires that healthcare providers authenticate their identities before they can prescribe controlled substances electronically. This means that each provider must have a unique user identity that can be verified through secure methods such as Multi-Factor Authentication (MFA). This helps prevent unauthorized access and ensures that only authorized individuals can issue prescriptions. The Health Insurance Portability and Accountability Act (HIPAA) also has specific obligations for access and identity to ensure the security and privacy of protected health information (PHI). Microsoft Entra Suite has a variety of controls to help meet these obligations that we will explore in additional blogs. Phishing-resistant authentication methods, which rely on biometrics and hardware tokens, significantly reduce the risk of unauthorized access to sensitive systems and data. These methods, which include passkeys, are practically impossible for cybercriminals to compromise, unlike passwords or SMS-based MFA. By eliminating passwords altogether, healthcare providers can better protect patient data, reduce the risk of violating HIPAA regulations, and prevent cyber and ransomware attacks that could disrupt healthcare operations. You can experience the benefits of Microsoft Entra ID, MFA, Conditional Access, and Entra ID Protection as part of the Microsoft Entra Suite, the industry’s most comprehensive Zero Trust access solution for the workforce. The Microsoft Entra Suite provides everything needed to verify users, prevent overprivileged permissions, improve detections, and enforce granular access controls for all users and resources. Get started with the Microsoft Entra Suite with a free 90-day trial. For additional details, please reach out to your Microsoft Representative. Read more on this topic Electronic Prescriptions for Controlled Substances (EPCS) - Azure Compliance | Microsoft Learn Conditional Access adaptive session lifetime policies - Microsoft Entra ID | Microsoft Learn Overview of Microsoft Entra authentication strength - Microsoft Entra ID | Microsoft Learn Microsoft Entra ID Epic Connector – Edgile Use data connectors to import and archive third-party data in Microsoft 365 | Microsoft Learn Learn more about Microsoft Entra Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds. Microsoft Entra News and Insights | Microsoft Security Blog Microsoft Entra blog | Tech Community Microsoft Entra documentation | Microsoft Learn Microsoft Entra discussions | Microsoft Community [i] Microsoft Corporation. Microsoft Digital Defense Report 2024: The foundations and new frontiers of cybersecurity. p.3. Microsoft, October 2024.Active Directory is 25 Years Old. Do You Still Manage It Like It's 1999?
Hi, I’m Liz Tesch, a Cloud Solutions Architect on the Microsoft Incident Response Critical Action Team (MIRCAT). My colleagues and I specialize in helping customers with incident response and compromise recovery. In our work with customers who’ve been the victim of a cyberattack, we often see Active Directories that are 20+ years old and clients who still administer them like it's 1999. Overview Previewed in 1999 and officially released in the Spring of 2000, Active Directory is 25 years old. For those of us who remember the early years of AD, much of what we learned back in the days of the MCSE certification still stands and gives us a solid foundation for identity administration and security. However, in 1999/2000, the threat landscape looked entirely different than it does now. Ransomware was not a thing, and as AD admins our concerns were mainly managing accounts and giving our users the access they needed to work. So, if you're still managing Active Directory like you were taught to in the early years - or if you were trained to manage AD by someone else who learned it early on - you may be unintentionally putting your organization at risk of cyberattacks. Let's take a closer look at what that means, why it's a problem, and what we can do about it. Issues Location-Based AD Structure As a sysadmin in the early days of AD, chances are you were taught to organize your Directory using location-based organizational units (OUs) like the picture on the left shows. Back then it made sense because we didn't have high-speed connections between most locations, and we had to take replication times into consideration a lot more often than we do today. The problem with organizing AD this way is that it makes it challenging to effectively manage AD with Group Policy. For example, say you want to apply a Group Policy to all Tier 1 Servers in your organization, but you have 50 location-based OUs that have servers in them. Now you have to apply that GPO to 50 different OUs. (You may also need to employ WMI filtering to restrict policy use to certain servers in those 50 OUs.) Some clients find it challenging even to locate where in AD all their Tier 1 servers are, they're so spread out in different location-based OUs. Every organization is different, but if you can, consider alternative designs such as organizing assets based on function, business unit, or importance to the business instead of using location alone. Over-Privileged Service Accounts Threat actors love service accounts with Domain Admin privileges. We often see them use service accounts to hide in client environments undetected for months and as a means of getting back into the environment when they do get detected. When I was a sysadmin in the early days, Domain Admin was sometimes used as a catch-all for service accounts where we were in a hurry and we thought "Well, we don't entirely know what this account needs so let's just give it Domain Admin and we know it’ll work.” In other cases, a vendor specified that a service account needed Domain Admin, so we gave it that and never looked back. If you haven't done it in a while, review your privileged service accounts in AD and check your vendor documentation to see if Domain Admin really is still necessary. If it is, contact your vendor and push back. These days many vendors are trying to find alternative solutions to help secure their clients more effectively. For example, members of my team commonly advise customers on how you can modify your SCCM deployment to run without Domain Admin. Flat Support Structures Microsoft has a modern method of tiering infrastructure and identities that's very effective at limiting lateral movement and privilege escalation. However, we often see clients with very flat support structures that are a great help to threat actors. In one case we found that the 60+ members of a helpdesk all had Domain Admin and could reset any password in the organization. It's also common to see desktop technician accounts with Local Admin rights to every endpoint in the organization, even when their responsibilities are restricted to a given business unit or geo. Is there a way we could minimize the blast radius here? For example, maybe we could organize the helpdesk team into tiers so that only a small number of analysts have delegated access to change passwords. And how about using Group Policy or Intune scope tags to restrict desktop teams to Local Admin just within their own division or office? Deprovisioning I see two common problems with deprovisioning accounts that directly put organizations at risk for attack. For the first, I’ll come back to service accounts. We usually see clients with effective and well-maintained systems for provisioning and de-provisioning human users as part of the onboarding and off-boarding processes. However, the same is not true of service accounts. It's very normal during IR investigation and cleanup to see stale privileged service accounts in AD that belonged to applications that were retired years ago. Why are they still here and available to threat actors? Many companies also lack systems and processes to deprovision rights where something has changed, but human users have not left the company. For example, we commonly find user accounts which were given additional entitlements as part of a project that never happened, but the rights have remained for months or even years. In one case, we had a client who had documented processes and workflows for adding users to the Remote Desktop Users group when they needed remote access for a project; however, there was no process for ever removing users from that group. Eventually there were almost 200 employees with permanent remote access to most of the endpoints in the organization. Conclusion Twenty-five years after its introduction, Active Directory remains a core component of many organizations’ IT function, as well as a key factor in their cybersecurity and cyber resiliency capabilities. However, to effectively secure our organizations against sophisticated modern threat actors, it’s crucial that we recognize and change our outdated ideas about how we design and administer AD. To get started: Evaluate your Active Directory structure to make sure it’s aligned to Microsoft’s Enterprise Access Model and, if it’s not, let your Microsoft team know how we can help Review privileged service accounts in AD and check your vendor documentation to see if Domain Admin really is still necessary – push back on vendors if it is Look for opportunities to limit the number of accounts with the highest privileges, as well as the number of assets those accounts control Verify your organization has effective processes and controls for deprovisioning entitlements and accounts – both human and non-humanUnderstanding Compliance Between Commercial, Government, DoD & Secret Offerings - Feb 2025 Update
Understanding compliance between Commercial, Government, DoD & Secret Offerings: There remains much confusion as to what service supports what standards best. If you have CMMC, DFARS, ITAR, FedRAMP, CJIS, IRS and other regulatory requirements and you are trying to understand what service is the best fit for your organization then you should read this article.Grow your security skill set with the latest resources on Microsoft Learn
Keeping pace with today’s security challenges, changing business needs, and rapidly evolving technology starts with up-to-date and innovative training, which is why we’re glad to share the latest Microsoft Security skill-building resources and offerings. Advance your expertise with the refreshed Security hub on Microsoft Learn Redesigned for learners of all abilities, this centralized hub is your go-to resource for Microsoft Security skill-building content and resources. The hub is now even easier to explore for multiple focus areas and your unique learning objectives. Find expert guidance aligned to your security journey. Whether you need to build foundational security skills, gain specialized knowledge, or prove your capabilities with Microsoft Credentials, get the guidance you need. Explore the latest resources organized by security focus area. Discover advances in Zero Trust principles, identity and access, security operations, IT security, and much more. Connect with like-minded communities, colleagues, partners, and thought leaders. Join the conversation and get inspired to level up your skills and knowledge. Find the latest cybersecurity skill-building content on our Security hub. Prove your real-world technical expertise with our latest Microsoft Applied Skills Professionals who are focused on data security and threat protection can validate and differentiate their expertise by earning these new Microsoft Applied Skills: Implement information protection and data loss prevention by using Microsoft Purview. Demonstrate your ability to implement Microsoft Purview Information Protection and Microsoft Purview Data Loss Prevention, and prove that you can discover, classify, and protect sensitive data in Microsoft 365, effectively implementing data security. This Applied Skill is particularly relevant for information protection and compliance administrators and for security operations analysts. Implement retention, eDiscovery, and Communication Compliance in Microsoft Purview. To earn this Applied Skill, validate your proficiency in working with Microsoft Purview. This credential could be an especially good fit for compliance administrators who are familiar with Microsoft 365 services and Microsoft Purview and who have experience administering compliance in Microsoft 365. Defend against cyberthreats with Microsoft Defender XDR. Earn this credential by demonstrating your ability to use Microsoft Defender XDR to detect and respond to cyberthreats. Candidates for this Applied Skill should be familiar with investigating and gathering evidence about attacks on endpoints. They should also have experience using Microsoft Defender for Endpoint and Kusto Query Language (KQL). Take the most up-to-date Microsoft Security Virtual Training Days No matter the depth of your security skills, our free Microsoft Security Virtual Training Days can help you build on those skills and gain the technical abilities and knowledge that you need to enable employees to work securely and achieve more from anywhere. To keep pace with today’s fast-moving security landscape, we’ve updated three of our most popular Virtual Training Days: Modernize Your Security Operations with Microsoft Sentinel. Learn how to deploy Microsoft Sentinel security information and event management (SIEM), migrate your existing rules, and add content hub solutions, including data connectors, analytic rules, hunting queries, and workbooks. Get the details on how you can use these tools to detect, investigate, manage incidents, and hunt threats. Additionally, find out how to maximize your coverage and better manage costs. Plus, learn how Microsoft Security Copilot can help improve security operations teams’ response times, with features like guided response, natural language to KQL translation, and malicious script analysis. Implement Data Security with Microsoft Purview. Discover how to identify sensitive data, pinpoint critical data security risks, and build targeted data loss protection measures with Microsoft Purview solutions, including Information Protection, Data Loss Prevention, Insider Risk Management, and Adaptive Protection. Explore practical use cases and learn how to secure AI applications and identify organizational risks. Plus, find out how to secure your data and maintain the integrity of your information systems by using generative AI tools, including Microsoft 365 Copilot and third-party AI apps, as you implement dynamic measures to help prevent data leaks and address compliance in the era of AI. Defend Against Threats with Extended Detection and Response. Learn how to investigate and mitigate cyberthreats with Microsoft Defender XDR and Defender for Endpoint. Get an introduction to the unified security operations platform and find out how to deploy Microsoft Sentinel with Microsoft Defender XDR and Defender for Endpoint. Explore ways to optimize your security operations center using Microsoft Sentinel SIEM, learn about cyberattack mechanisms through incidents and alerts, and get the details on how to automate incident management by using Microsoft Security Copilot. Earn your wings: Microsoft Security Copilot Flight School Building on the foundational learning in Learn Live: Get started with Microsoft Security Copilot, host Ryan Munsch, Principal Tech Specialist at Microsoft, explores several intermediate technical topics in our Flight School videos—ranging from what Microsoft Security Copilot is (and what it isn’t) to key capabilities, experiences, and how to extend Copilot to your ecosystem. Each topical video is 10 mins or less, aligning to relevant learning modules on Microsoft Learn. These videos can prove especially valuable for IT pros looking to enhance their ability to process security signals and protect at the speed and scale of AI. Flight School training topics include: What is Microsoft Security Copilot? AI orchestration Standalone and embedded experiences Copilot in Microsoft Entra and Microsoft Purview Managing your plugins Prompting in Copilot Prompt engineering Using promptbooks Custom promptbooks Logic apps Extending Copilot to your ecosystem Find Flight School videos on Microsoft Learn. You can also explore Microsoft Security Copilot Flight School videos on YouTube.DIB Embraces Cloud PCs: Streamlined Compliance, Risk Mitigation, and Cost Savings
Aerospace and Defense Distributor Embraces Cloud PCs: Streamlined Compliance, Risk Mitigation, and Cost Savings Jaco Aerospace holds a pivotal role in the aerospace and defense industry. As a distributor, they serve a remarkably diverse clientele, including the Defense Industrial Base, airlines, Maintenance, Repair, and Overhaul (MRO) operations, general aviation, space exploration, rocketry, satellites, supersonic aircraft, lunar landers, Air-Taxi initiatives, and Defense Technology companies. This diversity brings heightened responsibilities, especially in meeting stringent compliance requirements. Beyond the standard distributor regulations, they have to adhere to rigorous standards such as the Federal Aviation Administration (FAA), the Department of Defense (DoD), AS9120, and the DoD’s Cybersecurity Maturity Model Certification (CMMC). For a detailed breakdown of these requirements, check out their whitepaper here. Early Adoption of Cloud PCs Jaco Aerospace was an early adopter of cloud technology, transitioning their operations to Cloud PCs in February 2022. They recognized the transformative potential of cloud computing for IT infrastructure and firmly believe traditional PCs will soon become a thing of the past. By integrating Cloud PCs, they enhanced their AS9120-certified quality system, prioritizing risk reduction. The decision to migrate to the cloud in a post-COVID-19 world has unlocked numerous benefits, including: Enhanced Compliance Their operating environment meets the requirements of CMMC Level 1 (self-attestation). The straightforward in-house implementation enabled them to achieve and maintain compliance with ease. Robust Cybersecurity Cloud PCs help mitigate cybersecurity risks by enabling granular control over user permissions through conditional access policies. For example, they restrict most users' access to Microsoft apps on mobile devices, ensuring sensitive data remains secure. Consistent User Experience With Cloud PCs, they deliver a uniform user experience across the organization, improving productivity and streamlining workflows for all team members. Cost Savings The reduced need for IT-related user interactions and minimal hardware changes translate to significant cost savings in both the short and long term. Increased Connectivity Employees benefit from breakneck internet speeds when connecting to Cloud PCs, ensuring smooth and uninterrupted workflows. Furthermore, as they use Microsoft Teams for all phone communication, this speed results in high-quality calls not always found in their legacy VOIP solutions. Scalable Resources Cloud PCs allow them to dynamically scale memory and RAM based on individual user requirements, providing flexibility and operational efficiency. Simplified Scalability for Growth As their business grows, onboarding new employees is seamless. In rare employee departures, they can quickly offboard them and repurpose their equipment, ensuring a smooth transition. Risk Mitigation in Action The benefits of risk mitigation are often challenging to quantify, but recent events provided a clear example of its value. Their Valencia headquarters was in an evacuation zone during the Southern California wildfires. Thanks to their cloud infrastructure, employees swiftly transitioned to working from home by taking their thin client devices. Jaco Aerospace was required to maintain uninterrupted operations as a critical part of the Defense Industrial Base during COVID-19. At that time, the absence of a cloud-based system posed significant IT challenges. In contrast, during the wildfire evacuation, their team experienced just a one-hour disruption before resuming full operations—a stark difference that underscores the agility enabled by Cloud PCs. Looking Ahead At Jaco Aerospace, they see Cloud PCs (Windows 365) as a cornerstone of their future, enabling them to stay agile, secure, and ready to tackle any challenges that come their way. Whether it’s meeting stringent compliance requirements or ensuring seamless business continuity during unexpected events, their transition to the cloud has proven to be an invaluable asset. With the upcoming release of Microsoft’s Windows 365 Link, companies shifting to a Cloud PC environment will benefit from its affordability and the streamlined process of embracing this forward-looking technology. As the industry evolves, they remain dedicated to adopting innovative solutions that enhance operational efficiency and deliver unparalleled value to their customers.Microsoft Product Placemat for CMMC - October 2024 Update
This Microsoft Tech Community Public Sector Blog post is an update of the Microsoft Product Placemat for CMMC assisting the Defense Industrial Base (DIB) for compliance with the Cybersecurity Maturity Model Certification (CMMC) from the U.S. Department of Defense (DOD).CISA, OMB, ONCD and Microsoft collaborate on new logging playbook for Federal agencies
As part of our efforts to increase security defaults and follow the principle of secure by design, we are happy to share that a feature change initiated by Microsoft engineering will enable more logging capabilities for Purview Audit (Standard). We have worked closely with the Executive Office of the President (EOP), the Office of the National Cyber Director (ONCD), and the Cybersecurity and Infrastructure Security Agency (CISA) to prioritize this effort for U.S. government customers.¿Qué es Microsoft Entra y por qué deberías elegirla para proteger tus aplicaciones?
[Blog post original - en inglés] Microsoft Entra es una familia de productos de identidad y acceso a la red, diseñados para implementar una estrategia de seguridad de Zero Trust (Confianza Cero). Forma parte del portafolio de Microsoft Security, que también incluye: Microsoft Defender para la protección contra amenazas cibernéticas y la seguridad en la nube, Microsoft Sentinel para la información de seguridad y la administración de eventos (SIEM), Microsoft Purview para el cumplimiento, Microsoft Priva para privacidad y Microsoft Intune para la administración de endpoints. Estrategia de seguridad Zero Trust La estrategia de seguridad Zero Trust es un enfoque moderno de ciberseguridad que asume que no se debe confiar en ningún usuario o dispositivo, ya sea dentro o fuera de la red, de forma predeterminada. En su lugar, cada solicitud de acceso debe verificarse y autenticarse antes de conceder acceso a los recursos. Esta estrategia está diseñada para abordar las complejidades del entorno digital moderno, incluyendo el trabajo remoto, los servicios en la nube y los dispositivos móviles. ¿Por qué utilizar Entra? Microsoft Entra ID (anteriormente conocido como Azure AD) es una solución de administración de identidades y acceso en la nube que ofrece varias ventajas sobre las soluciones locales tradicionales: Gestión unificada de identidades: Entra ofrece una solución integral para la gestión de identidades y accesos, abarcando tanto entornos híbridos como en la nube. Esto permite administrar de manera unificada las identidades de los usuarios, sus derechos de acceso y permisos, simplificando la administración y mejorando la seguridad. Experiencias de usuario fluidas: Entra admite el inicio de sesión único (SSO), permitiendo a los usuarios acceder a múltiples aplicaciones con un solo conjunto de credenciales. Esto reduce la fatiga de contraseñas y mejora la experiencia del usuario. Políticas de acceso adaptables: Entra permite una autenticación robusta y políticas de acceso adaptativo en tiempo real basadas en riesgos, sin comprometer la experiencia del usuario. Esto ayuda a proteger de manera efectiva el acceso a los recursos y datos. Integración con identidades externas: Entra External ID permite a las organizaciones administrar y autenticar de forma segura a los usuarios que no forman parte de su fuerza laboral interna, como clientes, socios y otros colaboradores externos. Esto es particularmente útil para las empresas que necesitan colaborar de manera segura con socios externos. Desafío del mercado abordado: Entra enfrenta el desafío del mercado al proporcionar una solución integral de IAM en entornos híbridos y en la nube, garantizando la seguridad, simplificando la autenticación de usuarios y permitiendo el acceso seguro a los recursos. Escalabilidad: Las soluciones en la nube como Entra pueden escalar fácilmente para adaptarse a un número creciente de usuarios y aplicaciones sin necesidad de hardware o infraestructura adicional. Rentabilidad: Mediante el uso de una solución en la nube, las organizaciones pueden reducir los costes asociados al mantenimiento de la infraestructura local, como los servidores y los equipos de red. Flexibilidad: Entra ofrece flexibilidad en términos de implementación e integración con diversas aplicaciones y servicios, tanto dentro como fuera del ecosistema de Microsoft. Seguridad: Las soluciones en la nube suelen incluir funciones de seguridad integradas y actualizaciones periódicas para protegerse contra amenazas emergentes. Entra ofrece un soporte solido para el acceso condicional y la autenticación multifactor (MFA), esenciales para proteger los datos confidenciales. Como puedes ver, hay muchas razones para explorar Entra y su conjunto de productos. Más sobre los productos Entra Microsoft Entra está diseñado para proporcionar administración de identidades y accesos, gestión de infraestructura en la nube y verificación de identidad. Funciona en: Las instalaciones. A través de Azure, AWS, Google Cloud. Aplicaciones, sitios web y dispositivos de Microsoft y de terceros. Estos son los productos y soluciones clave dentro de la familia de productos Microsoft Entra. Microsoft Entra ID: Se trata de una solución integral de gestión de identidades y accesos que incluye características como el acceso condicional, el control de acceso basado en roles, la autenticación multifactor y la protección de la identidad. Entra ID ayuda a las organizaciones a administrar y proteger identidades, garantizando un acceso seguro a aplicaciones, dispositivos y datos. Microsoft Entra Domain Services: Este producto proporciona servicios de dominio administrados, como la unión a dominio, políticas de grupo, el Protocolo Ligero de Acceso a Directorios (LDAP) y la autenticación Kerberos/NTLM. Permite a las organizaciones ejecutar aplicaciones heredadas en la nube que no pueden usar métodos de autenticación modernos o en las que no se desea que las búsquedas de directorio vuelvan siempre a un entorno local de Servicios de Dominio de Active Directory (AD DS). Puedes migrar esas aplicaciones heredadas de tu entorno local a un dominio administrado, sin necesidad de administrar el entorno de AD DS en la nube. Microsoft Entra Private Access: proporciona a los usuarios, ya sea en la oficina o trabajando de forma remota, acceso seguro a recursos privados y corporativos. Permite a los usuarios remotos conectarse a los recursos internos desde cualquier dispositivo y red, sin necesidad de una red privada virtual (VPN). El servicio ofrece acceso adaptable por aplicación basado en directivas de acceso condicional, proporcionando una seguridad más granular que una VPN. Microsoft Entra Internet Access: asegura el acceso a los servicios de Microsoft, SaaS y aplicaciones públicas de Internet, mientras protege a los usuarios, dispositivos y datos frente a las amenazas de Internet. Esto se logra a través de la puerta de enlace web segura (SWG) de Microsoft Entra Internet Access, que está centrada en la identidad, es consciente de los dispositivos y se entrega en la nube. Microsoft Entra ID Governance es una solución de gobernanza de identidades que ayuda a garantizar que las personas adecuadas tengan el acceso adecuado a los recursos correctos en el momento oportuno. Esto se logra mediante la automatización de las solicitudes de acceso, las asignaciones y las revisiones a través de la administración del ciclo de vida de la identidad. Microsoft Entra ID Protection ayuda a las organizaciones a detectar, investigar y corregir los riesgos basados en la identidad. Estos riesgos pueden integrarse en herramientas como el acceso condicional para tomar decisiones de acceso, o retroalimentar una herramienta de administración de eventos e información de seguridad (SIEM) para una mayor investigación y correlación. 7. Microsoft Entra Verified ID es un servicio de verificación de credenciales basado en estándares abiertos de identidades descentralizadas (DID). Este producto está diseñado para la verificación y gestión de identidades, garantizando que las identidades de los usuarios se verifiquen de forma segura. Admite escenarios como la verificación de credenciales laborales en LinkedIn. 8. Microsoft Entra External ID se centra en la administración de identidades externas, como clientes, socios y otros colaboradores que no forman parte de la fuerza laboral interna. Permite a las organizaciones administrar y autenticar de forma segura a estos usuarios externos, proporcionando características como experiencias de registro personalizadas, flujos de registro de autoservicio y administración de usuarios. 9. Administración de permisos de Microsoft Entra: Este producto se ocupa de la administración de permisos y controles de acceso en varios sistemas y aplicaciones, garantizando que los usuarios tengan el nivel adecuado de acceso. Permite a las organizaciones detectar, ajustar automáticamente y supervisar continuamente los permisos excesivos y no utilizados en Microsoft Azure, Amazon Web Services (AWS) y Google Cloud Platform (GCP). 10. Microsoft Entra Workload ID: Este producto ayuda a las aplicaciones, contenedores y servicios a acceder de forma segura a los recursos en la nube, proporcionando administración de identidad y acceso para la carga de trabajo. ¿Qué producto Entra elegir? Hemos explicado algunos productos importantes, pero es posible que aún te preguntes cuál elegir. Veamos algunos escenarios para ayudarte a decidir Escenario: Integración de GitHub Actions Un equipo de desarrollo usa GitHub Actions para la integración continua y las canalizaciones de implementación continua (CI/CD). Necesitan acceder de forma segura a los recursos de Azure sin administrar secretos. Producto recomendado: Entra Workload ID ¿Por qué Entra Workload ID? El identificador de carga de trabajo de Microsoft Entra admite la federación de identidades de carga de trabajo, lo que permite a GitHub Actions acceder a los recursos de Azure de forma segura mediante la federación de identidades de GitHub. Esto elimina la necesidad de administrar secretos y reduce el riesgo de fugas de credenciales. Escenario: Gestión interna del acceso de los empleados Una gran empresa necesita gestionar el acceso a sus aplicaciones y recursos internos para miles de empleados. La organización desea implementar la autenticación multifactor (MFA), las directivas de acceso condicional y el control de acceso basado en roles (RBAC) para garantizar un acceso seguro. Producto recomendado: Entra ID ¿Por qué Entra ID? Microsoft Entra ID es ideal para este escenario, ya que proporciona soluciones completas de administración de identidades y acceso, como MFA, acceso condicional y RBAC. Estas características ayudan a garantizar que solo los empleados autorizados puedan acceder a recursos confidenciales, mejorando la seguridad y el cumplimiento. Escenario: Inicio de sesión único (SSO) para aplicaciones internas Una empresa quiere agilizar el proceso de inicio de sesión de sus empleados mediante la implementación de Single Sign-On (SSO) en todas las aplicaciones internas, incluidas Microsoft 365, Salesforce y aplicaciones personalizadas. Producto recomendado: Entra ID ¿Por qué Entra ID? Microsoft Entra ID admite SSO, lo que permite a los empleados usar un único conjunto de credenciales para acceder a varias aplicaciones. Esto mejora la experiencia del usuario, reduce la fatiga de las contraseñas y mejora la seguridad al centralizar la autenticación y la gestión del acceso. Escenario: Cargas de trabajo de Kubernetes Una organización ejecuta varias aplicaciones en clústeres de Kubernetes y necesita acceder de forma segura a los recursos de Azure desde estas cargas de trabajo. Producto recomendado: Entra Workload ID ¿Por qué Entra Workload ID? Entra Workload ID permite que las cargas de trabajo de Kubernetes accedan a los recursos de Azure sin administrar credenciales ni secretos. Al establecer una relación de confianza entre las cuentas de servicio de Azure y Kubernetes, las cargas de trabajo pueden intercambiar tokens de confianza por tokens de acceso de Microsoft Identity Platform. Escenario: Empresa de comercio electrónico, portal del cliente Una empresa de comercio electrónico quiere crear un portal de clientes en el que los usuarios puedan registrarse, iniciar sesión y gestionar sus cuentas. La empresa debe proporcionar una experiencia de registro e inicio de sesión segura y fluida para sus clientes. Producto recomendado: Entra External ID ¿Por qué Entra External ID? El identificador externo de Microsoft Entra está diseñado para administrar identidades externas, como los clientes. Ofrece características como experiencias de registro personalizadas, flujos de registro de autoservicio y autenticación segura, lo que lo convierte en la opción perfecta para crear un portal de clientes. Escenario: Colaboración de socios Una empresa de fabricación colabora con múltiples socios y proveedores externos. La empresa debe proporcionar acceso seguro a los recursos y aplicaciones compartidos y, al mismo tiempo, garantizar que solo los socios autorizados puedan acceder a datos específicos. Producto recomendado: Entra External ID ¿Por qué Entra External ID? El identificador externo de Microsoft Entra es ideal para administrar identidades externas, como asociados y proveedores. Permite a la empresa gestionar y autenticar de forma segura a los usuarios externos, proporcionando funciones como la colaboración B2B y la gestión de acceso, garantizando que solo los socios autorizados puedan acceder a los recursos necesarios. Primeros pasos con Entra ID Por último, te recomendamos algunos recursos estupendos. Microsoft Identity Platform Dev Center Plataforma con documentos, tutoriales, vídeos y más Microsoft identity platform Dev Center | Identity and access for a connected world | Microsoft Developer Aprendizaje sobre Microsoft Entra ID Aumenta tus habilidades en Microsoft Learn Introducción a Microsoft Entra ¿Qué es Microsoft Entra ID? Página de inicio con documentos oficiales que explican Entra ID: un gran lugar para comenzar ¿Qué es Microsoft Entra ID? Tutorial: Inicia sesión de usuario en Entra Node.js tutorial Tutorial: Inicio de sesión de usuarios y adquisición de un token para Microsoft Graph en una aplicación web de Node.js y Express Tutorial: Agregar inicio de sesión con Microsoft Entra Java tutorial Add sign-in with Microsoft Entra account to a Spring web app - Java on Azure | Microsoft Learn Tutorial: Registra una aplicación de Python con Entra Python tutorial Tutorial: Register a Python web app with the Microsoft identity platform - Microsoft identity platform | Microsoft Learn Tutorial: Registra una aplicación de .NET con Entra .NET Core Tutorial: Register an application with the Microsoft identity platform - Microsoft identity platform | Microsoft Learn Primeros pasos con Entra External ID One stop shop, Plataforma de identidad para programadores. Gran punto de comienzo para aprender sobre noticias, documentos, tutoriales, vídeos y más Microsoft Entra External ID | Simplify customer identity management | Microsoft Developer Tutorial: Añade autenticación a una aplicación Vanilla SPA JavaScript tutorial Tutorial: Create a Vanilla JavaScript SPA for authentication in an external tenant - Microsoft Entra External ID | Microsoft Learn Tutorial: Iniciar sesión de usuarios en Node.js aplicación JavaScript/Node.js tutorial Sign in users in a sample Node.js web application - Microsoft Entra External ID | Microsoft Learn Tutorial: Inicio de sesión de usuarios en ASP.NET Core .NET Core tutorial Sign in users to a sample ASP.NET Core web application - Microsoft Entra External ID | Microsoft Learn Iniciar sesión con usuarios en una aplicación Python Flask Python tutorial Sign in users in a sample Python Flask web application - Microsoft Entra External ID | Microsoft Learn Tutorial: Inicio de sesión de usuarios en una aplicación Node.js JavaScript/Node.js tutorial Tutorial: Prepare your external tenant to sign in users in a Node.js web app - Microsoft Entra External ID | Microsoft Learn Tutorial: Inicio de sesión de usuarios en una aplicación .NET Core .NET Core Tutorial Tutorial: Prepare your external tenant to authenticate users in an ASP.NET Core web app - Microsoft Entra External ID | Microsoft Learn Resumen y conclusiones En resumen, te presentamos Entra y algunos de sus productos dentro de una gran familia de soluciones. También te mostramos algunos escenarios y qué productos encajarían mejor en cada uno. Esperamos que hayas tenido un gran comienzo, ¡gracias por leer!
