Executive Order 14028 (EO 14028), Improving the Nation’s Cybersecurity directs the federal government to improve its efforts to identify, protect against, and respond to malicious cyber campaigns and their actors through bold changes and significant investments in cybersecurity. The Office of Management and Budget (OMB) released the Federal Zero Trust Strategy Memorandum M-22-09 adding specific guidance where federal agencies should focus their efforts with regards to identity, specifically, (1) A centralized cloud-based identity solution, (2) Strengthening authentication by implementing phishing-resistant multifactor authentication (MFA) and (3) Include device signals in authorization decisions.
Many agencies are struggling to implement these requirements by the deadline without severely disrupting their business. Since the announcement, we’ve been diligently working to make it faster and easier for our customers to deploy Azure Active Directory (Azure AD), part of the Microsoft Entra family, features to meet EO 14028 requirements. We’re excited to share how Azure AD can support your scenarios so your organization can meet EO 14028 requirements.
In the first part of this article, we’ll walk you through our top five curated tips and tricks, and how you can leverage them for your migration. In the second half we’ll share some of our deployment best practices we’ve developed that have been instrumental to minimize risk and maintain business continuity, all while consolidating identity providers (IDPs) and moving to phishing-resistant MFA.
Top five tips to ensure requirements are met
Over the last year, we’ve released several features to extend the capabilities of Azure AD and ensure they also meet EO 14028 requirements. Here are our top five tips and tricks and how you can use them:
- Consolidate your identity providers and use Azure AD certificate-based authentication (CBA). Historically, federal agencies and customers who wanted to use CBA had to federate Azure AD with other IDPs (such as AD FS). Now, Azure AD CBA eliminates the need to federate, making it easier for you to consolidate your Identity Providers (IdPs) and move to the cloud faster (Azure AD CBA as a central IdP meets the federal requirement).
- Phishing-resistant MFA for your Azure Virtual Desktop users. We’ve implemented RDS AAD Auth to authenticate a user to an Azure AD-joined device or to a Hybrid Azure AD-joined device. This means that any authentication method supported by Azure AD can be used to authenticate to Azure Virtual Desktop, and Windows 365.
- Phishing-resistant MFA on mobile (iOS, Android). Users can now authenticate on mobile devices using certificates stored on security keys. Unlike software certificates installed on the mobile device, these certificates are hardware protected and require an activation factor making them a true MFA solution. This solution also eliminates the need to issue certificates for every mobile device since the user can roam with the same security key across multiple devices.
- Enforce phishing-resistant MFA for all your users. Use pre-configured authentication strengths (or define your own custom authentication strength) as a control in conditi... to allow granular access to specific resources, actions and applications for your users and groups. Configure cross-tenant access settings to require phishing resistant authentication for your external users who are coming from other Azure tenants. And, if you have users coming from other Microsoft Clouds, configure Microsoft clouds settings for B2B collaboration to apply the same phishing resistant policies to these users.
- Leverage device signals for authorization. Configure conditional access policy to require Hybrid Azure AD Join or compliant device. Configure cross-tenant access settings for B2B collaboration to require the same for external users.
Now let’s dive into some actual customer deployment scenarios to help you with your migration even more.
Customer deployment story
We’ve worked with countless customers in various stages to help them maintain business continuity and minimize risk and disruption to their users while deploying their EO 14028 solutions. We’ve seen agencies with many 10's of thousands of users and devices do this as quickly within a few days. Below are the best practices we’ve refined over the last few years that will help you as well:
- Moving CBA from on-premises IdP to Azure AD. Switching CBA from on-premises IdP to a cloud IdP can be disruptive if the only options are to move users to another domain or to move all users at once. Azure AD supports a staged rollout approach providing federal agencies the ability to granularly pilot and then move to Azure AD CBA en masse, mitigating the risk and disruption to your business and your users. To do this, designate a test group of users to start authenticating using Azure AD CBA in the cloud. Once you’ve validated everything is working as expected, gradually migrate your users in phases until all your users are migrated. After all users have been migrated it is safe to cut over to cloud authentication.
- Gradually enforce phishing-resistant MFA. Configure authentication methods policy and scope the use of individual authentication methods to specific groups, reducing the overall availability of non-phishing-resistant methods. For scenarios where non-phishing-resistant methods are still needed—such as legacy apps or interoperability—configure conditional access policies with authentication strength control restricting the level of access granted when authentication is done with such methods.
- Quickly add device signal as part of authorization decision. Configure Hybrid Azure AD Join (HAADJ) and configure Intune to work with a device compliance partner. Create conditional access policies requiring Hybrid/compliant devices to quickly bring device signal into your authorization decision. We’ve seen agencies with 10's of thousands of devices do this within a few days.
To conclude, Microsoft is very committed to helping our US government customers meet the EO 14028 requirements by the September 2024 deadline. We have more features lined up to further assist you, make your migration easier and help you achieve your Zero Trust goals. To get started, here are some helpful resources:
