Some great news to share with you today! For the second year in a row, Gartner has positioned Microsoft in the Leaders Quadrant in the 2018 Magic Quadrant for Access Management, Worldwide, based on our completeness of vision and ability to execute in the access management market. Find out why in a complimentary copy of the report here.

According to Gartner, Leaders show evidence of strong execution for anticipated requirements related to technology, methodology, or means of delivery. Leaders also show evidence of how access management plays a role in a collection of related or adjacent product offerings.

Furthest in Vision in Leaders Quadrant

Microsoft is positioned the furthest in completeness of Vision in the Leaders Quadrant, for the second straight year. We believe our jump up in Execution also illustrates how important it is for us to execute on a strategy that can help organizations where they are at today and prepare them for the identity needs of tomorrow.

At Microsoft, we champion conditional access policies and threat protection for identities as critical capabilities for a world-class identity and access management solution. As part of a rich ecosystem with Windows 10, Office 365 and EMS, we’ve worked hard to integrate security policies across products to give you visibility and control over the full user experience. We’ve also taken in the insights and feedback from our customers this year to improve the experience and make it even easier to get all your identities in one place. We are committed to providing innovative and comprehensive identity and access management solutions for your employees, partners, and customers.

We could not have continued to be a leader in this space without the input and support from our customers and partners – thank you!

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

Important note:

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Vision + Execution: Microsoft named a leader again in Gartner MQ for Access Management appeared first on Microsoft 365 Blog.

As long as we’ve had passwords, people have tried to guess them. In this blog, we’re going to talk about a common attack which has become MUCH more frequent recently and some best practices for defending against it. This attack is commonly called password spray.

In a password spray attack, the bad guys try the most common passwords across many different accounts and services to gain access to any password protected assets they can find. Usually these span many different organizations and identity providers. For example, an attacker will use a commonly available toolkit like Mailsniper to enumerate all of the users in several organizations and then try “P@$$w0rd” and “Password1” against all of those accounts. To give you the idea, an attack might look like:

This attack pattern evades most detection techniques because from the vantage point of an individual user or company, the attack just looks like an isolated failed login.

For attackers, it’s a numbers game: they know that there are some passwords out there that are very common. Even though these most common passwords account for only 0.5-1.0% of accounts, the attacker will get a few successes for every thousand accounts attacked, and that’s enough to be effective.

They use the accounts to get data from emails, harvest contact info, and send phishing links or just expand the password spray target group. The attackers don’t care much about who those initial targets are—just that they have some success that they can leverage.

The good news is that Microsoft has many tools already implemented and available to blunt these attacks, and more are coming soon. Read on to see what you can do now and in the coming months to stop password spray attacks.

Four easy steps to disrupt password spray attacks

Step 1: Use cloud authentication

In the cloud, we see billions of sign-ins to Microsoft systems every day. Our security detection algorithms allow us to detect and block attacks as they’re happening. Because these are real time detection and protection systems driven from the cloud, they are available only when doing Azure AD authentication in the cloud (including Pass-Through Authentication).

Smart Lockout

In the cloud, we use Smart Lockout to differentiate between sign-in attempts that look like they’re from the valid user and sign-ins from what may be an attacker. We can lock out the attacker while letting the valid user continue using the account. This prevents denial-of-service on the user and stops overzealous password spray attacks. This applies to all Azure AD sign-ins regardless of license level and to all Microsoft account sign-ins.

Tenants using Active Directory Federation Services (ADFS) will be able to use Smart Lockout natively in ADFS in Windows Server 2016 starting in March 2018—look for this ability to come via Windows Update.

IP Lockout

IP lockout works by analyzing those billions of sign-ins to assess the quality of traffic from each IP address hitting Microsoft’s systems. With that analysis, IP lockout finds IP addresses acting maliciously and blocks those sign-ins in real-time.

Attack Simulations

Now available in public preview, Attack Simulator as part of Office 365 Threat Intelligence enables customers to launch simulated attacks on their own end users, determine how their users behave in the event of an attack, and update policies and ensure that appropriate security tools are in place to protect your organization from threats like password spray attacks.

Things we recommend you do ASAP:

1. If you’re using cloud authentication, you’re covered
2. If you’re using ADFS or another hybrid scenario, look for an ADFS upgrade in March 2018 for Smart Lockout
3. Use Attack Simulator to proactively evaluate your security posture and make adjustments

Step 2: Use multi-factor authentication

A password is the key to accessing an account, but in a successful password spray attack, the attacker has guessed the correct password. To stop them, we need to use something more than just a password to distinguish between the account owner and the attacker. The three ways to do this are below.

Risk-based multi-factor authentication

Azure AD Identity Protection uses the sign-in data mentioned above and adds on advanced machine learning and algorithmic detection to risk score every sign-in that comes in to the system. This enables enterprise customers to create policies in Identity Protection that prompt a user to authenticate with a second factor if and only if there’s risk detected for the user or for the session. This lessens the burden on your users and puts blocks in the way of the bad guys. Learn more about Azure AD Identity Protection here.

Always-on multi-factor authentication

For even more security, you can use Azure MFA to require multi-factor authentication for your users all the time, both in cloud authentication and ADFS. While this requires end users to always have their devices and to more frequently perform multi-factor authentication, it provides the most security for your enterprise. This should be enabled for every admin in an organization. Learn more about Azure Multi-Factor Authentication here, and how to configure Azure MFA for ADFS.

Azure MFA as primary authentication

In ADFS 2016, you have the ability use Azure MFA as primary authentication for passwordless authentication. This is a great tool to guard against password spray and password theft attacks: if there’s no password, it can’t be guessed. This works great for all types of devices with various form factors. Additionally, you can now use password as the second factor only after your OTP has been validated with Azure MFA. Learn more about using password as the second factor here.

Things we recommend you do ASAP:

1. We strongly recommend enabling always-on multi-factor authentication for all admins in your organization, especially subscription owners and tenant admins. Seriously, go do this right now.
2. For the best experience for the rest of your users, we recommend risk-based multi-factor authentication, which is available with Azure AD Premium P2 licenses.
3. Otherwise, use Azure MFA for cloud authentication and ADFS.
4. In ADFS, upgrade to ADFS on Windows Server 2016 to use Azure MFA as primary authentication, especially for all your extranet access.

Step 3: Better passwords for everyone

Even with all the above, a key component of password spray defense is for all users to have passwords that are hard to guess. It’s often difficult for users to know how to create hard-to-guess passwords. Microsoft helps you make this happen with these tools.

Banned passwords

In Azure AD, every password change and reset runs through a banned password checker. When a new password is submitted, it’s fuzzy-matched against a list of words that no one, ever, should have in their password (and l33t-sp3@k spelling doesn’t help). If it matches, it’s rejected, and the user is asked to choose a password that’s harder to guess. We build the list of the most commonly attacked passwords and update it frequently.

Custom banned passwords

To make banned passwords even better, we’re going to allow tenants to customize their banned password lists. Admins can choose words common to their organization—famous employees and founders, products, locations, regional icons, etc.—and prevent them from being used in their users’ passwords. This list will be enforced in addition to the global list, so you don’t have to choose one or the other. It’s in limited preview now and will be rolling out this year.

Banned passwords for on-premises changes

This spring, we’re launching a tool to let enterprise admins ban passwords in hybrid Azure AD-Active Directory environments. Banned password lists will be synchronized from the cloud to your on-premises environments and enforced on every domain controller with the agent. This helps admins ensure users’ passwords are harder to guess no matter where—cloud or on-premises—the user changes her password. This launched to limited private preview in February 2018 and will go to GA this year.

Change how you think about passwords

A lot of common conceptions about what makes a good password are wrong. Usually something that should help mathematically actually results in predictable user behavior: for example, requiring certain character types and periodic password changes both result in specific password patterns. Read our password guidance whitepaper for way more detail. If you’re using Active Directory with PTA or ADFS, update your password policies. If you’re using cloud managed accounts, consider setting your passwords to never expire.

Things we recommend you do ASAP:

1. When it’s released, install the Microsoft banned password tool on-premises to help your users create better passwords.
2. Review your password policies and consider setting them to never expire so your users don’t use seasonal patterns to create their passwords.

Step 4: More awesome features in ADFS and Active Directory

If you’re using hybrid authentication with ADFS and Active Directory, there are more steps you can take to secure your environment against password spray attacks.

The first step: for organizations running ADFS 2.0 or Windows Server 2012, plan to move to ADFS in Windows Server 2016 as soon as possible. The latest version will be updated more quickly with a richer set of capabilities such as extranet lockout. And remember: we’ve made it really easy to upgrade from Windows Server 2012R2 to 2016.

Block legacy authentication from the Extranet

Legacy authentication protocols don’t have the ability to enforce MFA, so the best approach is to block them from the extranet. This will prevent password spray attackers from exploiting the lack of MFA on those protocols.

Enable ADFS Web Application Proxy Extranet Lockout

If you do not have extranet lockout in place at the ADFS Web Application proxy, you should enable it as soon as possible to protect your users from potential password brute force compromise.

Deploy Azure AD Connect Health for ADFS

Azure AD Connect Health captures IP addresses recorded in the ADFS logs for bad username/password requests, gives you additional reporting on an array of scenarios, and provides additional insight to support engineers when opening assisted support cases.

To deploy, download the latest version of the Azure AD Connect Health Agent for ADFS on all ADFS Servers (2.6.491.0). ADFS servers must run Windows Server 2012 R2 with KB 3134222 installed or Windows Server 2016.

Use non-password-based access methods

Without a password, a password can’t be guessed. These non-password-based authentication methods are available for ADFS and the Web Application Proxy:

1. Certificate based authentication allows username/password endpoints to be blocked completely at the firewall. Learn more about certificate based authentication in ADFS
2. Azure MFA, as mentioned above, can be used to as a second factor in cloud authentication and ADFS 2012 R2 and 2016. But, it also can be used as a primary factor in ADFS 2016 to completely stop the possibility of password spray. Learn how to configure Azure MFA with ADFS here
3. Windows Hello for Business, available in Windows 10 and supported by ADFS in Windows Server 2016, enables completely password-free access, including from the extranet, based on strong cryptographic keys tied to both the user and the device. This is available for corporate-managed devices that are Azure AD joined or Hybrid Azure AD joined as well as personal devices via “Add Work or School Account” from the Settings app. Get more information about Hello for Business.

Things we recommend you do ASAP:

1. Upgrade to ADFS 2016 for faster updates
2. Block legacy authentication from the extranet.
3. Deploy Azure AD Connect Health agents for ADFS on all your ADFS servers.
4. Consider using a password-less primary authentication method such as Azure MFA, certificates, or Windows Hello for Business.

Bonus: Protecting your Microsoft accounts

If you’re a Microsoft account user:

• Great news, you’re protected already! Microsoft accounts also have Smart Lockout, IP lockout, risk-based two-step verification, banned passwords, and more.
• But, take two minutes to go to the Microsoft account Security page and choose “Update your security info” to review your security info used for risk-based two-step verification
• Consider turning on always-on two-step verification here to give your account the most security possible.

The best defense is… following the recommendations in this blog

Password spray is a serious threat to every service on the Internet that uses passwords but taking the steps in this blog will give you maximum protection against this attack vector. And, because many kinds of attacks share similar traits, these are just good protection suggestions, period. Your security is always our utmost priority, and we’re continually working hard to develop new, advanced protections against password spray and every other type of attack out there. Use the ones above today and check back frequently for new tools to defend against the bad guys out there on the Internet.

I hope you’ll find this information useful. As always, we’d love to hear any feedback or suggestions you have.

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

The post Azure AD and ADFS best practices: Defending against password spray attacks appeared first on Microsoft 365 Blog.

I hope you’ll find today’s post as interesting as I do. It’s a bit of brain candy and outlines an exciting vision for the future of digital identities.

Over the last 12 months we’ve invested in incubating a set of ideas for using Blockchain (and other distributed ledger technologies) to create new types of digital identities, identities designed from the ground up to enhance personal privacy, security and control. We’re pretty excited by what we’ve learned and by the new partnerships we’ve formed in the process. Today we’re taking the opportunity to share our thinking and direction with you. This blog is part of a series and follows on Peggy Johnson’s blog post announcing that Microsoft has joined the ID2020 initiative. If you haven’t already Peggy’s post, I would recommend reading it first.

I’ve asked Ankur Patel, the PM on my team leading these incubations to kick our discussion on Decentralized Digital Identities off for us. His post focuses on sharing some of the core things we’ve learned and some of the resulting principles we’re using to drive our investments in this area going forward.

And as always, we’d love to hear your thoughts and feedback.

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

———-

Greetings everyone, I’m Ankur Patel from Microsoft’s Identity Division. It is an awesome privilege to have this opportunity to share some of our learnings and future directions based on our efforts to incubate Blockchain/distributed ledger based Decentralized Identities.

What we see

As many of you experience every day, the world is undergoing a global digital transformation where digital and physical reality are blurring into a single integrated modern way of living. This new world needs a new model for digital identity, one that enhances individual privacy and security across the physical and digital world.

Microsoft’s cloud identity systems already empower thousands of developers, organizations and billions of people to work, play, and achieve more. And yet there is so much more we can do to empower everyone. We aspire to a world where the billions of people living today with no reliable ID can finally realize the dreams we all share like educating our children, improving our quality of life, or starting a business.

To achieve this vision, we believe it is essential for individuals to own and control all elements of their digital identity. Rather than grant broad consent to countless apps and services, and have their identity data spread across numerous providers, individuals need a secure encrypted digital hub where they can store their identity data and easily control access to it.

Each of us needs a digital identity we own, one which securely and privately stores all elements of our digital identity.  This self-owned identity must be easy to use and give us complete control over how our identity data is accessed and used.

We know that enabling this kind of self-sovereign digital identity is bigger than any one company or organization. We’re committed to working closely with our customers, partners and the community to unlock the next generation of digital identity-based experiences and we’re excited to partner with so many people in the industry who are making incredible contributions to this space.

What we’ve learned

To that end today we are sharing our best thinking based on what we’ve learned from our decentralized identity incubation, an effort which is aimed at enabling richer experiences, enhancing trust, and reducing friction, while empowering every person to own and control their Digital Identity.

1. Own and control your Identity. Today, users grant broad consent to countless apps and services for collection, use and retention beyond their control. With data breaches and identity theft becoming more sophisticated and frequent, users need a way to take ownership of their identity. After examining decentralized storage systems, consensus protocols, blockchains, and a variety of emerging standards we believe blockchain technology and protocols are well suited for enabling Decentralized IDs (DID).
2. Privacy by design, built in from the ground up.
   Today, apps, services, and organizations deliver convenient, predictable, tailored experiences that depend on control of identity-bound data. We need a secure encrypted digital hub (ID Hubs) that can interact with user’s data while honoring user privacy and control.
3. Trust is earned by individuals, built by the community.
   Traditional identity systems are mostly geared toward authentication and access management. A self-owned identity system adds a focus on authenticity and how community can establish trust. In a decentralized system trust is based on attestations: claims that other entities endorse – which helps prove facets of one’s identity.
4. Apps and services built with the user at the center.
   Some of the most engaging apps and services today are ones that offer experiences personalized for their users by gaining access to their user’s Personally Identifiable Information (PII). DIDs and ID Hubs can enable developers to gain access to a more precise set of attestations while reducing legal and compliance risks by processing such information, instead of controlling it on behalf of the user.
5. Open, interoperable foundation.
   To create a robust decentralized identity ecosystem that is accessible to all, it must be built on standard, open source technologies, protocols, and reference implementations. For the past year we have been participating in the Decentralized Identity Foundation (DIF) with individuals and organizations who are similarly motivated to take on this challenge. We are collaboratively developing the following key components:
   

• Decentralized Identifiers (DIDs) – a W3C spec that defines a common document format for describing the state of a Decentralized Identifier
  
• Identity Hubs – an encrypted identity datastore that features message/intent relay, attestation handling, and identity-specific compute endpoints. 
  
• Universal DID Resolver – a server that resolves DIDs across blockchains 
  
• Verifiable Credentials – a W3C spec that defines a document format for encoding DID-based attestations.   
  

6. Ready for world scale:
   To support a vast world of users, organizations, and devices, the underlying technology must be capable of scale and performance on par with traditional systems. Some public blockchains (Bitcoin [BTC], Ethereum, Litecoin, to name a select few) provide a solid foundation for rooting DIDs, recording DPKI operations, and anchoring attestations. While some blockchain communities have increased on-chain transaction capacity (e.g. blocksize increases), this approach generally degrades the decentralized state of the network and cannot reach the millions of transactions per second the system would generate at world-scale. To overcome these technical barriers, we are collaborating on decentralized Layer 2 protocols that run atop these public blockchains to achieve global scale, while preserving the attributes of a world class DID system.
   
7. Accessible to everyone:
   The blockchain ecosystem today is still mostly early adopters who are willing to spend time, effort, and energy managing keys and securing devices. This is not something we can expect mainstream people to deal with. We need to make key management challenges, such as recovery, rotation, and secure access, intuitive and fool-proof.
   

Our next steps

New systems and big ideas, often make sense on a whiteboard. All the lines connect, and assumptions seem solid. However, product and engineering teams learn the most by shipping.

Today, the Microsoft Authenticator app is already used by millions of people to prove their identity every day. As a next step we will experiment with Decentralized Identities by adding support for them into to Microsoft Authenticator. With consent, Microsoft Authenticator will be able to act as your User Agent to manage identity data and cryptographic keys. In this design, only the ID is rooted on chain. Identity data is stored in an off-chain ID Hub (that Microsoft can’t see) encrypted using these cryptographic keys.

Once we have added this capability, apps and services will be able to interact with user’s data using a common messaging conduit by requesting granular consent. Initially we will support a select group of DID implementations across blockchains and we will likely add more in the future.

Looking ahead

We are humbled and excited to take on such a massive challenge, but also know it can’t be accomplished alone. We are counting on the support and input of our alliance partners, members of the Decentralized Identity Foundation, and the diverse Microsoft ecosystem of designers, policy makers, business partners, hardware and software builders. Most importantly we will need you, our customers to provide feedback as we start testing these first set of scenarios.

This is our first post about our work on Decentralized Identity. In upcoming posts we will share information about our proofs of concept as well as technical details for key areas outlined above.

We look forward to you joining us on this venture!

Key resources:

• Follow-us at @AzureAD on Twitter
  
• Get involved with Decentralized Identity Foundation (DIF)
  
• Participate in W3C Credentials Community Group
  

Regards,

Ankur Patel (@_AnkurPatel)

Principal Program Manager

Microsoft Identity Division

The post Decentralized digital identities and blockchain: The future as we see it appeared first on Microsoft 365 Blog.

Today at Microsoft Ignite, we unveiled a new vision for empowering Firstline Workers in the digital age and introduced Microsoft 365 F1—a new offering that brings together Office 365, Windows 10, and Enterprise Mobility + Security to deliver a complete, intelligent solution to empower all workers.

The modern workplace requires companies to meet new employee expectations, connect a more distributed workforce, and provide the tools that allow all employees to create, innovate, and work together to solve customer and business problems. A truly modern workplace brings out the best in employee ingenuity, creates a culture of innovation and action, and welcomes and empowers all workers from the executive team to the Firstline Workforce.

Firstline Workers comprise the majority of our global workforce. Numbering two billion people worldwide, they are the people behind the counter, on the phone, in the clinics, on the shop floor, and in the field. They are often the first to engage customers, the first to represent a company’s brand, and the first to see products and services in action. They form the backbone of many of the world’s largest industries, and without them, the ambitions of many organizations could not be brought to life.

We see an opportunity for technology to give Firstline Workers a more intuitive, immersive, and empowering experience. Microsoft is in a unique position to help companies tap into the potential of their Firstline Workforce with our commercial product offerings, spanning Microsoft 365, Dynamics 365, Microsoft IoT, Microsoft AI, and Microsoft HoloLens and the Windows Mixed Reality ecosystem.

The introduction of Microsoft 365 F1 represents a significant next step towards our vision of involving the Firstline Workforce in digital transformation by empowering every worker with technology.

Transforming the Firstline Worker experience

Microsoft 365 F1 includes the capabilities and tools to enable every worker to turn their ideas into action. It fosters culture and community, with Skype Meeting Broadcast for interactive townhall meetings and Yammer to help employees find and share best practices across the company.

Microsoft 365 F1 makes it easy to train and upskill employees, with Microsoft Stream to share dynamic, role-based content and video, and SharePoint to easily distribute onboarding and training materials and manage institutional knowledge in one secure place.

It supports firstline productivity and digitizes business processes, with Microsoft StaffHub, a purpose-built app for Firstline Workers to manage their workday and Microsoft PowerApps and Flow to automate everyday activities. Today, we’re announcing new capabilities coming to StaffHub, including the ability for employees to clock in/out and track tasks. We are also making it easier for employees to stay connected in StaffHub, by integrating messaging with Microsoft Teams, the hub for teamwork, and highlighting corporate announcements made in Yammer. Finally, we’re enabling customers to connect StaffHub to workforce management systems and other tools with the availability of general APIs.

Microsoft 365 F1 streamlines IT management, minimizes cost, and extends security to all employees and endpoints. Azure Active Directory provides management of employee identity and access; Microsoft Intune helps secure devices; and new features in Windows 10 simplify the management of Firstline Workers’ experiences, supporting locked down single purpose devices with Windows Assigned Access and automated deployment with Windows AutoPilot.

Finally, we recognize the importance of providing Firstline Workers streamlined and secure devices that minimize total cost of ownership. Today, we’re announcing new commercial devices with Windows 10 S from our OEM partners HP, Lenovo, and Acer. Starting as low as $275, these devices benefit from cloud-based identity and management and are ideal for firstline environments.

We are incredibly excited about our opportunity to empower Firstline Workers and we are just getting started!

To learn more about our vision, please visit our new Firstline Worker page and see the table below to learn what’s included in Microsoft 365 F1.

—Bryan Goode

The post All workers welcome with Microsoft 365 appeared first on Microsoft 365 Blog.