Howdy folks,
It’s Build week at Microsoft and it is exciting to see a wide audience, from developers to students to startups, from around the world participate in the virtual sessions at Build. We see continued interest in the topic of remote and hybrid work - a trend that has accelerated in the last year. We expect that hybrid work will be the norm and it will fundamentally change the cybersecurity landscape. Many of you are getting prepared for this by embracing the Zero Trust security approach. We’re continuing to invest deeply in the Microsoft identity platform to empower developers to lead this Zero Trust adoption.
Use the Zero Trust principles to build your applications.
Zero Trust is a holistic security strategy that follows three simple principles - verify explicitly, use least privileged access, and assume breach. While each organization will design their own Zero Trust roll-out strategy based on their unique business needs, the most common approach is to start with a strong cloud identity. This is where developers can easily embrace Zero Trust principles across every layer – from strong authentication policies to least privileged permissions and continuous access evaluation.
First principle: Verify explicitly
We recommend that our customers authenticate users and authorize access based on all available data points. When developers build applications using Microsoft Authentication Libraries (MSAL) and choose modern protocols like OpenID Connect and OAuth, these applications benefit from Zero Trust controls like Conditional Access policies. These controls allow IT admins and security personnel to verify things, such as use of strong authentication during sign-in, whether a compliant device is being used and that the user behavior is consistent with known patterns. They can even assess real-time sign-in risk or accumulated user risk and decide whether to grant access, require multifactor authentication or ask a user to reset their password.
We continue to add more security features to support this Zero Trust principle. Developers should make their apps ready to comply with Zero Trust policies and controls that organizations prioritize as they roll out Zero Trust strategies. MSAL makes it simple for apps to work seamlessly when controls like Conditional Access authentication context policies are enabled. With these policies, IT administrators can require users to provide strong authentication just-in-time when performing critical tasks, like changing settings in the Azure portal. Using MSAL and Microsoft Graph SDK, applications can benefit from built-in capabilities like Continuous Access Evaluation. Continuous Access Evaluation lets Azure AD continually evaluate active user sessions and revoke access in near real-time when access conditions change, such as when a device is lost.
We also recommend to customers that they verify the applications they deploy come from a source they trust. Using Publisher Verification, developers can make this verification easy for their customers.
Second principle: Use least privileged access
This principle – use least privileged access – is essential for reducing the number of users that have access to critical data and minimizing the blast radius in breach situations. To ensure that apps only access the data that is necessary, we recommend that developers use a tool like Graph Explorer to understand the minimal permissions for the API they use when integrating apps with Microsoft Graph. With incremental consent, developers can always request additional permissions as needed.
We also recommend that developers define app roles such as readers, contributors and administrators when integrating their applications with the Microsoft Identity platform. This lets customers adhere to the principle of least privileged access when using these applications. When developers make their apps ready to use with Azure AD’s Privileged Identity Management (PIM), it allows IT administrators to enable just-in-time access to the critical app roles.
Third principle: Assume breach
This principle encourages developers to assume that users are accessing apps on open networks and the breaches can affect their apps. By integrating with the Microsoft identity platform, applications can automatically get the benefits of sign-in and audit logs available to IT administrators. In the event of a breach, this enables organizations to identify which applications or resources were accessed with metadata such as user, IP address, or location. We also recommend that developers log access at a per-object level along with this metadata, which allows auditors to identify exactly what data was exfiltrated and remediate issues without downtime.
How to build Zero Trust-ready apps
To learn more, check out the new guidance for developers we’ve published to the Zero Trust Resource Center. It includes new development and integration resources for developing Zero Trust-ready apps.
Join us live, or watch on-demand
No matter where you are in the world, you can join us at Build 2021. There are plenty of live and pre-recorded sessions. To register, attend, and interact with us during these sessions, see below:
Breakout sessions
- BRK234: Build a Zero Trust-ready app starting with the Microsoft identity platform.
- BRK244: Learn three new ways to enrich your productivity apps with Microsoft Graph tools and data.
Technical session
- TS04: Enable the next generation of productivity experiences for hybrid work.
Community connections
- Ask the Experts: Build a Zero Trust-ready app.
- Ask the Experts: Build B2C apps with External Identities.
- Product roundtable: Use managed identities in Azure to securely connect to cloud services.
- Product roundtable: Azure Active Directory developer experience: Service identities improvement.
- 1:1 Consults: Meet with an expert on the Microsoft identity platform.
On-demand sessions
- Best practices to build secure B2C apps with Azure Active Directory External Identities.
- Down with sign-ups, just sign-in (Decentralized Identities)
Best regards,
Alex Simons (@Alex_A_Simons)
Corporate VP of Program Management
Microsoft Identity Division
Learn more about Microsoft identity:
- Return to the Azure Active Directory Identity blog home
- Join the conversation on Twitter and LinkedIn
- Share product suggestions on the Azure Feedback Forum