Howdy folks,

I’m so excited to share today’s news! We just turned on the ability to securely sign in with your Microsoft account using a standards-based FIDO2 compatible device—no username or password required! FIDO2 enables users to leverage standards-based devices to easily authenticate to online services—in both mobile and desktop environments. This is available now in United States and will roll out globally over the next few weeks.

This combination of ease of use, security, and broad industry support is going to be transformational both at home and in the modern workplace. Every month, more than 800 million people use a Microsoft account to create, connect, and share from anywhere to Outlook, Office, OneDrive, Bing, Skype, and Xbox Live for work and play. And now they can all benefit from this simple user experience and greatly improved security.

Starting today, you can use a FIDO2 device or Windows Hello to sign in to your Microsoft account using the Microsoft Edge browser.

Watch this quick video showing how it works:

Microsoft has been on a mission to eliminate passwords and help people protect their data and accounts from threats. As a member of the Fast Identity Online (FIDO) Alliance and the World Wide Web Consortium (W3C), we’ve been working with others to develop open standards for the next generation of authentication. I’m happy to share that Microsoft is the first Fortune 500 company to support password-less authentication using the the WebAuthn and FIDO2 specifications, and Microsoft Edge supports the widest array of authenticators compared to other major browsers.

If you want to know more details on how it works and how to get started, keep reading on.

Get started

To sign in with your Microsoft Account using a FIDO2 security key:

1. If you haven’t already, make sure you update to Windows 10 October 2018.
2. Go to the Microsoft account page on Microsoft Edge and sign in as you normally would.
3. Select Security > More security options and under Windows Hello and security keys, you’ll see instructions for setting up a security key. (You can purchase a security key from one of our partners, including Yubico and Feitian Technologies that support the FIDO2 standard.*)
4. Next time you sign in, you can either click More Options > Use a security key or type in your username. At that point, you’ll be asked to use a security key to sign in.

And as a reminder, here’s how to sign in with your Microsoft account using Windows Hello:

1. Make sure you’ve updated to Windows 10 October 2018.
2. If you haven’t already, you’ll need to set up Windows Hello. If you have Windows Hello set up, you’re good to go!
3. Next time you sign in on Microsoft Edge, you can either click More Options > Use Windows Hello or a security key or type in your username. At that point, you’ll be asked to use Windows Hello or a security to sign in.

If you need more help, check out our detailed help article about how to get set up.

*There are a couple of optional features in the FIDO2 spec that we believe are fundamental to security, so only keys that have implemented those features will work. Read What is a Microsoft-compatible security key? to learn more.

How does it work?

Under the covers, we implemented the WebAuthn and FIDO2 CTAP2 specifications into our services to make this a reality.

Unlike passwords, FIDO2 protects user credentials using public/private key encryption. When you create and register a FIDO2 credential, the device (your PC or the FIDO2 device) generates a private and public key on the device. The private key is stored securely on the device and can only be used after it has been unlocked using a local gesture like biometric or PIN. Note that your biometric or PIN never leaves the device. At the same time that the private key is stored, the public key is sent to the Microsoft account system in the cloud and registered with your user account.

When you later sign in, the Microsoft account system provides a nonce to your PC or FIDO2 device. Your PC or device then uses the private key to sign the nonce. The signed nonce and metadata is sent back to the Microsoft account system, where it is verified using the public key. The signed metadata as specified by the WebAuthn and FIDO2 specs provides information, such as whether the user was present, and verifies the authentication through the local gesture. It’s these properties that make authentication with Windows Hello and FIDO2 devices not “phishable” or easily stolen by malware.

How do Windows Hello and FIDO2 devices implement this? Based on the capabilities of your Windows 10 device, you will either have a built-in secure enclave, known as a hardware trusted platform module (TPM) or a software TPM. The TPM stores the private key, which requires either your face, fingerprint, or PIN to unlock it. Similarly, a FIDO2 device, like a security key, is a small external device with its own built-in secure enclave that stores the private key and requires the biometric or PIN to unlock it. Both options offer two-factor authentication in one step, requiring both a registered device and a biometric or PIN to successfully sign in.

Check out this article on our Identity Standards blog, which goes into all the technical details around the implementation.

What’s next

We have tons of great things coming out as part of our efforts to reduce and even eliminate the use of passwords. We are currently building the same sign-in experience from a browser with security keys for work and school accounts in Azure Active Directory. Enterprise customers will be able to preview this early next year, where they will be able to allow their employees to set up their own security keys for their account to sign in to Windows 10 and the cloud.

Furthermore, as more browsers and platforms start supporting the WebAuthn and FIDO2 standards, the password-less experience—available on Microsoft Edge and Windows today—will be hopefully available everywhere!

Stay tuned for more details early next year!

Best Regards,
Alex Simons (@Twitter: @Alex_A_Simons)
CVP of Program Management
Microsoft Identity Division

The post Secure password-less sign-in for your Microsoft account using a security key or Windows Hello appeared first on Microsoft 365 Blog.

Every day, everyone in the Microsoft Identity Division comes to work focused on helping you, our customers, make your employees, partners, and customers more productive and to make it easier for you to securely manage access to your enterprise resources.

So, I was pretty excited to learn that Microsoft was recently recognized as a 2018 Gartner Peer Insights Customers’ Choice for Access Management, Worldwide.

In the announcement, Gartner explained, “The Gartner Peer Insights Customers’ Choice is a recognition of vendors in this market by verified end-user professionals, taking into account both the number of reviews and the overall user ratings.” To ensure fair evaluation, Gartner maintains rigorous criteria for recognizing vendors with a high customer satisfaction rate.

Receiving this recognition is incredibly energizing. It’s a strong validation that we’re making a positive impact for our customers and that they value the innovations we added to Azure Active Directory (Azure AD) this year.

To receive this recognition, a vendor must have a minimum of 50 published reviews with an average overall rating of 4.2 stars or higher.

Here are few quotes from the reviews our customers wrote for us:

“Azure AD is fast becoming the single solution to most of our identity and access problems.”
—Enterprise Security Architect in the Transportation Industry. Read full review.

“Azure Active Directory is making great strides to become a highly available and ubiquitous directory service.”
—Chief Technology Officer in the Services Industry. Read full review.

“[Microsoft] has been a great partner in our implementing an identity solution [that] met the needs of our multiple agencies and provided us with a roadmap to continue to move forward with SSO and integration of our legacy and newly developed application. We were also able to set a standard for our SaaS application authentication and access.”
—Director of Technology in the Government Industry. Read full review.

Read more reviews for Microsoft.

Today, more than 90,000 organizations in 89 countries use Azure AD Premium and we manage over eight billion authentications per day. Our engineering team works around the clock to deliver high reliability, scalability, and satisfaction with our service, so being recognized as a Customers’ Choice is pretty motivating for us. It’s been exciting to see the amazing things many of our customers are doing with our identity services.

On behalf of everyone working on Azure AD, I want to say thank you to our customers for this recognition! We look forward to building on the experience and trust that led to us being named a Customers’ Choice!

The Gartner Peer Insights Customers’ Choice logo is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner Peer Insights Customers’ Choice distinctions are determined by the subjective opinions of individual end-user customers based on their own experiences, the number of published reviews on Gartner Peer Insights, and overall ratings for a given vendor in the market, as further described here, and are not intended in any way to represent the views of Gartner or its affiliates.

Best Regards,

Alex Simons (@Twitter: @Alex_A_Simons)
Corporate VP of Program Management
Microsoft Identity Division

The post Microsoft named a 2018 Gartner Peer Insights Customers’ Choice for Access Management appeared first on Microsoft 365 Blog.

Some great news to share with you today! For the second year in a row, Gartner has positioned Microsoft in the Leaders Quadrant in the 2018 Magic Quadrant for Access Management, Worldwide, based on our completeness of vision and ability to execute in the access management market. Find out why in a complimentary copy of the report here.

According to Gartner, Leaders show evidence of strong execution for anticipated requirements related to technology, methodology, or means of delivery. Leaders also show evidence of how access management plays a role in a collection of related or adjacent product offerings.

Furthest in Vision in Leaders Quadrant

Microsoft is positioned the furthest in completeness of Vision in the Leaders Quadrant, for the second straight year. We believe our jump up in Execution also illustrates how important it is for us to execute on a strategy that can help organizations where they are at today and prepare them for the identity needs of tomorrow.

At Microsoft, we champion conditional access policies and threat protection for identities as critical capabilities for a world-class identity and access management solution. As part of a rich ecosystem with Windows 10, Office 365 and EMS, we’ve worked hard to integrate security policies across products to give you visibility and control over the full user experience. We’ve also taken in the insights and feedback from our customers this year to improve the experience and make it even easier to get all your identities in one place. We are committed to providing innovative and comprehensive identity and access management solutions for your employees, partners, and customers.

We could not have continued to be a leader in this space without the input and support from our customers and partners – thank you!

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

Important note:

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Vision + Execution: Microsoft named a leader again in Gartner MQ for Access Management appeared first on Microsoft 365 Blog.

As long as we’ve had passwords, people have tried to guess them. In this blog, we’re going to talk about a common attack which has become MUCH more frequent recently and some best practices for defending against it. This attack is commonly called password spray.

In a password spray attack, the bad guys try the most common passwords across many different accounts and services to gain access to any password protected assets they can find. Usually these span many different organizations and identity providers. For example, an attacker will use a commonly available toolkit like Mailsniper to enumerate all of the users in several organizations and then try “P@$$w0rd” and “Password1” against all of those accounts. To give you the idea, an attack might look like:

This attack pattern evades most detection techniques because from the vantage point of an individual user or company, the attack just looks like an isolated failed login.

For attackers, it’s a numbers game: they know that there are some passwords out there that are very common. Even though these most common passwords account for only 0.5-1.0% of accounts, the attacker will get a few successes for every thousand accounts attacked, and that’s enough to be effective.

They use the accounts to get data from emails, harvest contact info, and send phishing links or just expand the password spray target group. The attackers don’t care much about who those initial targets are—just that they have some success that they can leverage.

The good news is that Microsoft has many tools already implemented and available to blunt these attacks, and more are coming soon. Read on to see what you can do now and in the coming months to stop password spray attacks.

Four easy steps to disrupt password spray attacks

Step 1: Use cloud authentication

In the cloud, we see billions of sign-ins to Microsoft systems every day. Our security detection algorithms allow us to detect and block attacks as they’re happening. Because these are real time detection and protection systems driven from the cloud, they are available only when doing Azure AD authentication in the cloud (including Pass-Through Authentication).

Smart Lockout

In the cloud, we use Smart Lockout to differentiate between sign-in attempts that look like they’re from the valid user and sign-ins from what may be an attacker. We can lock out the attacker while letting the valid user continue using the account. This prevents denial-of-service on the user and stops overzealous password spray attacks. This applies to all Azure AD sign-ins regardless of license level and to all Microsoft account sign-ins.

Tenants using Active Directory Federation Services (ADFS) will be able to use Smart Lockout natively in ADFS in Windows Server 2016 starting in March 2018—look for this ability to come via Windows Update.

IP Lockout

IP lockout works by analyzing those billions of sign-ins to assess the quality of traffic from each IP address hitting Microsoft’s systems. With that analysis, IP lockout finds IP addresses acting maliciously and blocks those sign-ins in real-time.

Attack Simulations

Now available in public preview, Attack Simulator as part of Office 365 Threat Intelligence enables customers to launch simulated attacks on their own end users, determine how their users behave in the event of an attack, and update policies and ensure that appropriate security tools are in place to protect your organization from threats like password spray attacks.

Things we recommend you do ASAP:

1. If you’re using cloud authentication, you’re covered
2. If you’re using ADFS or another hybrid scenario, look for an ADFS upgrade in March 2018 for Smart Lockout
3. Use Attack Simulator to proactively evaluate your security posture and make adjustments

Step 2: Use multi-factor authentication

A password is the key to accessing an account, but in a successful password spray attack, the attacker has guessed the correct password. To stop them, we need to use something more than just a password to distinguish between the account owner and the attacker. The three ways to do this are below.

Risk-based multi-factor authentication

Azure AD Identity Protection uses the sign-in data mentioned above and adds on advanced machine learning and algorithmic detection to risk score every sign-in that comes in to the system. This enables enterprise customers to create policies in Identity Protection that prompt a user to authenticate with a second factor if and only if there’s risk detected for the user or for the session. This lessens the burden on your users and puts blocks in the way of the bad guys. Learn more about Azure AD Identity Protection here.

Always-on multi-factor authentication

For even more security, you can use Azure MFA to require multi-factor authentication for your users all the time, both in cloud authentication and ADFS. While this requires end users to always have their devices and to more frequently perform multi-factor authentication, it provides the most security for your enterprise. This should be enabled for every admin in an organization. Learn more about Azure Multi-Factor Authentication here, and how to configure Azure MFA for ADFS.

Azure MFA as primary authentication

In ADFS 2016, you have the ability use Azure MFA as primary authentication for passwordless authentication. This is a great tool to guard against password spray and password theft attacks: if there’s no password, it can’t be guessed. This works great for all types of devices with various form factors. Additionally, you can now use password as the second factor only after your OTP has been validated with Azure MFA. Learn more about using password as the second factor here.

Things we recommend you do ASAP:

1. We strongly recommend enabling always-on multi-factor authentication for all admins in your organization, especially subscription owners and tenant admins. Seriously, go do this right now.
2. For the best experience for the rest of your users, we recommend risk-based multi-factor authentication, which is available with Azure AD Premium P2 licenses.
3. Otherwise, use Azure MFA for cloud authentication and ADFS.
4. In ADFS, upgrade to ADFS on Windows Server 2016 to use Azure MFA as primary authentication, especially for all your extranet access.

Step 3: Better passwords for everyone

Even with all the above, a key component of password spray defense is for all users to have passwords that are hard to guess. It’s often difficult for users to know how to create hard-to-guess passwords. Microsoft helps you make this happen with these tools.

Banned passwords

In Azure AD, every password change and reset runs through a banned password checker. When a new password is submitted, it’s fuzzy-matched against a list of words that no one, ever, should have in their password (and l33t-sp3@k spelling doesn’t help). If it matches, it’s rejected, and the user is asked to choose a password that’s harder to guess. We build the list of the most commonly attacked passwords and update it frequently.

Custom banned passwords

To make banned passwords even better, we’re going to allow tenants to customize their banned password lists. Admins can choose words common to their organization—famous employees and founders, products, locations, regional icons, etc.—and prevent them from being used in their users’ passwords. This list will be enforced in addition to the global list, so you don’t have to choose one or the other. It’s in limited preview now and will be rolling out this year.

Banned passwords for on-premises changes

This spring, we’re launching a tool to let enterprise admins ban passwords in hybrid Azure AD-Active Directory environments. Banned password lists will be synchronized from the cloud to your on-premises environments and enforced on every domain controller with the agent. This helps admins ensure users’ passwords are harder to guess no matter where—cloud or on-premises—the user changes her password. This launched to limited private preview in February 2018 and will go to GA this year.

Change how you think about passwords

A lot of common conceptions about what makes a good password are wrong. Usually something that should help mathematically actually results in predictable user behavior: for example, requiring certain character types and periodic password changes both result in specific password patterns. Read our password guidance whitepaper for way more detail. If you’re using Active Directory with PTA or ADFS, update your password policies. If you’re using cloud managed accounts, consider setting your passwords to never expire.

Things we recommend you do ASAP:

1. When it’s released, install the Microsoft banned password tool on-premises to help your users create better passwords.
2. Review your password policies and consider setting them to never expire so your users don’t use seasonal patterns to create their passwords.

Step 4: More awesome features in ADFS and Active Directory

If you’re using hybrid authentication with ADFS and Active Directory, there are more steps you can take to secure your environment against password spray attacks.

The first step: for organizations running ADFS 2.0 or Windows Server 2012, plan to move to ADFS in Windows Server 2016 as soon as possible. The latest version will be updated more quickly with a richer set of capabilities such as extranet lockout. And remember: we’ve made it really easy to upgrade from Windows Server 2012R2 to 2016.

Block legacy authentication from the Extranet

Legacy authentication protocols don’t have the ability to enforce MFA, so the best approach is to block them from the extranet. This will prevent password spray attackers from exploiting the lack of MFA on those protocols.

Enable ADFS Web Application Proxy Extranet Lockout

If you do not have extranet lockout in place at the ADFS Web Application proxy, you should enable it as soon as possible to protect your users from potential password brute force compromise.

Deploy Azure AD Connect Health for ADFS

Azure AD Connect Health captures IP addresses recorded in the ADFS logs for bad username/password requests, gives you additional reporting on an array of scenarios, and provides additional insight to support engineers when opening assisted support cases.

To deploy, download the latest version of the Azure AD Connect Health Agent for ADFS on all ADFS Servers (2.6.491.0). ADFS servers must run Windows Server 2012 R2 with KB 3134222 installed or Windows Server 2016.

Use non-password-based access methods

Without a password, a password can’t be guessed. These non-password-based authentication methods are available for ADFS and the Web Application Proxy:

1. Certificate based authentication allows username/password endpoints to be blocked completely at the firewall. Learn more about certificate based authentication in ADFS
2. Azure MFA, as mentioned above, can be used to as a second factor in cloud authentication and ADFS 2012 R2 and 2016. But, it also can be used as a primary factor in ADFS 2016 to completely stop the possibility of password spray. Learn how to configure Azure MFA with ADFS here
3. Windows Hello for Business, available in Windows 10 and supported by ADFS in Windows Server 2016, enables completely password-free access, including from the extranet, based on strong cryptographic keys tied to both the user and the device. This is available for corporate-managed devices that are Azure AD joined or Hybrid Azure AD joined as well as personal devices via “Add Work or School Account” from the Settings app. Get more information about Hello for Business.

Things we recommend you do ASAP:

1. Upgrade to ADFS 2016 for faster updates
2. Block legacy authentication from the extranet.
3. Deploy Azure AD Connect Health agents for ADFS on all your ADFS servers.
4. Consider using a password-less primary authentication method such as Azure MFA, certificates, or Windows Hello for Business.

Bonus: Protecting your Microsoft accounts

If you’re a Microsoft account user:

• Great news, you’re protected already! Microsoft accounts also have Smart Lockout, IP lockout, risk-based two-step verification, banned passwords, and more.
• But, take two minutes to go to the Microsoft account Security page and choose “Update your security info” to review your security info used for risk-based two-step verification
• Consider turning on always-on two-step verification here to give your account the most security possible.

The best defense is… following the recommendations in this blog

Password spray is a serious threat to every service on the Internet that uses passwords but taking the steps in this blog will give you maximum protection against this attack vector. And, because many kinds of attacks share similar traits, these are just good protection suggestions, period. Your security is always our utmost priority, and we’re continually working hard to develop new, advanced protections against password spray and every other type of attack out there. Use the ones above today and check back frequently for new tools to defend against the bad guys out there on the Internet.

I hope you’ll find this information useful. As always, we’d love to hear any feedback or suggestions you have.

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

The post Azure AD and ADFS best practices: Defending against password spray attacks appeared first on Microsoft 365 Blog.

I hope you’ll find today’s post as interesting as I do. It’s a bit of brain candy and outlines an exciting vision for the future of digital identities.

Over the last 12 months we’ve invested in incubating a set of ideas for using Blockchain (and other distributed ledger technologies) to create new types of digital identities, identities designed from the ground up to enhance personal privacy, security and control. We’re pretty excited by what we’ve learned and by the new partnerships we’ve formed in the process. Today we’re taking the opportunity to share our thinking and direction with you. This blog is part of a series and follows on Peggy Johnson’s blog post announcing that Microsoft has joined the ID2020 initiative. If you haven’t already Peggy’s post, I would recommend reading it first.

I’ve asked Ankur Patel, the PM on my team leading these incubations to kick our discussion on Decentralized Digital Identities off for us. His post focuses on sharing some of the core things we’ve learned and some of the resulting principles we’re using to drive our investments in this area going forward.

And as always, we’d love to hear your thoughts and feedback.

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

———-

Greetings everyone, I’m Ankur Patel from Microsoft’s Identity Division. It is an awesome privilege to have this opportunity to share some of our learnings and future directions based on our efforts to incubate Blockchain/distributed ledger based Decentralized Identities.

What we see

As many of you experience every day, the world is undergoing a global digital transformation where digital and physical reality are blurring into a single integrated modern way of living. This new world needs a new model for digital identity, one that enhances individual privacy and security across the physical and digital world.

Microsoft’s cloud identity systems already empower thousands of developers, organizations and billions of people to work, play, and achieve more. And yet there is so much more we can do to empower everyone. We aspire to a world where the billions of people living today with no reliable ID can finally realize the dreams we all share like educating our children, improving our quality of life, or starting a business.

To achieve this vision, we believe it is essential for individuals to own and control all elements of their digital identity. Rather than grant broad consent to countless apps and services, and have their identity data spread across numerous providers, individuals need a secure encrypted digital hub where they can store their identity data and easily control access to it.

Each of us needs a digital identity we own, one which securely and privately stores all elements of our digital identity.  This self-owned identity must be easy to use and give us complete control over how our identity data is accessed and used.

We know that enabling this kind of self-sovereign digital identity is bigger than any one company or organization. We’re committed to working closely with our customers, partners and the community to unlock the next generation of digital identity-based experiences and we’re excited to partner with so many people in the industry who are making incredible contributions to this space.

What we’ve learned

To that end today we are sharing our best thinking based on what we’ve learned from our decentralized identity incubation, an effort which is aimed at enabling richer experiences, enhancing trust, and reducing friction, while empowering every person to own and control their Digital Identity.

1. Own and control your Identity. Today, users grant broad consent to countless apps and services for collection, use and retention beyond their control. With data breaches and identity theft becoming more sophisticated and frequent, users need a way to take ownership of their identity. After examining decentralized storage systems, consensus protocols, blockchains, and a variety of emerging standards we believe blockchain technology and protocols are well suited for enabling Decentralized IDs (DID).
2. Privacy by design, built in from the ground up.
   Today, apps, services, and organizations deliver convenient, predictable, tailored experiences that depend on control of identity-bound data. We need a secure encrypted digital hub (ID Hubs) that can interact with user’s data while honoring user privacy and control.
3. Trust is earned by individuals, built by the community.
   Traditional identity systems are mostly geared toward authentication and access management. A self-owned identity system adds a focus on authenticity and how community can establish trust. In a decentralized system trust is based on attestations: claims that other entities endorse – which helps prove facets of one’s identity.
4. Apps and services built with the user at the center.
   Some of the most engaging apps and services today are ones that offer experiences personalized for their users by gaining access to their user’s Personally Identifiable Information (PII). DIDs and ID Hubs can enable developers to gain access to a more precise set of attestations while reducing legal and compliance risks by processing such information, instead of controlling it on behalf of the user.
5. Open, interoperable foundation.
   To create a robust decentralized identity ecosystem that is accessible to all, it must be built on standard, open source technologies, protocols, and reference implementations. For the past year we have been participating in the Decentralized Identity Foundation (DIF) with individuals and organizations who are similarly motivated to take on this challenge. We are collaboratively developing the following key components:
   

• Decentralized Identifiers (DIDs) – a W3C spec that defines a common document format for describing the state of a Decentralized Identifier
  
• Identity Hubs – an encrypted identity datastore that features message/intent relay, attestation handling, and identity-specific compute endpoints. 
  
• Universal DID Resolver – a server that resolves DIDs across blockchains 
  
• Verifiable Credentials – a W3C spec that defines a document format for encoding DID-based attestations.   
  

6. Ready for world scale:
   To support a vast world of users, organizations, and devices, the underlying technology must be capable of scale and performance on par with traditional systems. Some public blockchains (Bitcoin [BTC], Ethereum, Litecoin, to name a select few) provide a solid foundation for rooting DIDs, recording DPKI operations, and anchoring attestations. While some blockchain communities have increased on-chain transaction capacity (e.g. blocksize increases), this approach generally degrades the decentralized state of the network and cannot reach the millions of transactions per second the system would generate at world-scale. To overcome these technical barriers, we are collaborating on decentralized Layer 2 protocols that run atop these public blockchains to achieve global scale, while preserving the attributes of a world class DID system.
   
7. Accessible to everyone:
   The blockchain ecosystem today is still mostly early adopters who are willing to spend time, effort, and energy managing keys and securing devices. This is not something we can expect mainstream people to deal with. We need to make key management challenges, such as recovery, rotation, and secure access, intuitive and fool-proof.
   

Our next steps

New systems and big ideas, often make sense on a whiteboard. All the lines connect, and assumptions seem solid. However, product and engineering teams learn the most by shipping.

Today, the Microsoft Authenticator app is already used by millions of people to prove their identity every day. As a next step we will experiment with Decentralized Identities by adding support for them into to Microsoft Authenticator. With consent, Microsoft Authenticator will be able to act as your User Agent to manage identity data and cryptographic keys. In this design, only the ID is rooted on chain. Identity data is stored in an off-chain ID Hub (that Microsoft can’t see) encrypted using these cryptographic keys.

Once we have added this capability, apps and services will be able to interact with user’s data using a common messaging conduit by requesting granular consent. Initially we will support a select group of DID implementations across blockchains and we will likely add more in the future.

Looking ahead

We are humbled and excited to take on such a massive challenge, but also know it can’t be accomplished alone. We are counting on the support and input of our alliance partners, members of the Decentralized Identity Foundation, and the diverse Microsoft ecosystem of designers, policy makers, business partners, hardware and software builders. Most importantly we will need you, our customers to provide feedback as we start testing these first set of scenarios.

This is our first post about our work on Decentralized Identity. In upcoming posts we will share information about our proofs of concept as well as technical details for key areas outlined above.

We look forward to you joining us on this venture!

Key resources:

• Follow-us at @AzureAD on Twitter
  
• Get involved with Decentralized Identity Foundation (DIF)
  
• Participate in W3C Credentials Community Group
  

Regards,

Ankur Patel (@_AnkurPatel)

Principal Program Manager

Microsoft Identity Division

The post Decentralized digital identities and blockchain: The future as we see it appeared first on Microsoft 365 Blog.

Azure AD Conditional Access (CA) has really taken off. Organizations around the world are using it to ensure secure, compliant access to applications. Every month, Conditional Access is now used to protect over 10K organizations and over 10M active users! It’s amazing to see how quickly our customers have put it to work!

We’ve received lot of feedback about the user impact of Conditional Access. Specifically, with this much power at your fingertips, you need a way to see how CA policies will impact a user under various sign-in conditions.

We heard you, and today I am happy to announce the public preview of the “What If” tool for Conditional Access. The What If tool helps you understand the impact of the policies on a user sign-in, under conditions you specify. Rather than waiting to hear from your user about what happened, you can simply use the What If tool.

Get started

Ready to start playing with the tool? You can simply follow these steps:

• Go to Azure AD Conditional access
• Click on What If

• Select the user you want to test

• [Optional] Select app, IP address, device platforms, client app, sign-in risk as needed
• Click on “What If” and view the policies that will impact the user sign-in

Sometimes the question that you’re trying to answer is not “What policies will apply” but “Why is a policy not applying?” The tool can help you with that too! Switch to the “Policies that will not apply” tab and you can view the policy name and, more importantly, the reason why a policy didn’t apply. Isn’t that cool?

Want to learn more about the What If tool?

Tell us what you think

This is just a start. We’re already working to deliver more innovation in this area. As always, we’d love to hear any feedback or suggestions you have on this preview, or anything about Azure AD Conditional Access. We’ve even created a short survey on the What If tool for you to participate in.

We look forward to hearing from you!

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

The post Public preview: “What If” tool for Azure AD conditional access policies appeared first on Microsoft 365 Blog.

If you follow the blog, you know that we support a wide array of options for connecting an on-premises directory or IAM solution to Azure AD. In fact no one in the industry gives customers as many options as we do.

So it’s not surprising that one of the questions customers ask me the most is which one I would recommend. I’m always a bit hesitant to give an answer. Over the last 6+ years working in the identity industry, I’ve learned that every organization is different and has different goals and requirements in terms of speed of deployment, security posture, ability to invest, network architecture, corporate culture, compliance requirements and work environment. That’s one of the reasons why we’ve invested in giving you options, so you can choose the one that best suits your needs. (That doesn’t mean I don’t have an opinion of course – if it was my organization, I’d definitely want to use our new Pass Through Authentication capabilities and Azure AD Connect Sync.  They are both fast to deploy and low cost to maintain. But hey, that’s just one person’s opinion!)

Rather than spend a bunch of time worrying about what I or anyone else would recommend, how about we just look at what customers are actually using? That strikes me as the best place to start.

Azure AD Momentum

I want to start by sharing some numbers about the overall use of Azure AD so you have the context for the deeper numbers below. For Azure AD overall, we continue to see strong growth in organizations using our basic cloud-based identity services and accelerating growth of Azure AD Premium.

The trend I’m the most excited about is the incredible growth in the use of Azure AD with third-party applications. With over 300k third-party applications in use every month, we’re seeing tons of organizations turn to Azure AD as their preferred cloud identity platform.

Synching users to Azure AD

Most Azure AD tenants are small organizations that don’t synchronize an on-premises AD to Azure AD. Larger organizations almost always sync, and those that do represent >50% of the 950M user accounts in Azure AD.

Here’s the latest data on how organizations synchronize users to Azure AD:

• >180K tenants sync their on-premises Windows Server Active Directory to Azure AD .
• >170K tenants use Azure AD Connect to do so.
• A small number of customers use other solutions:
  • 7% use our legacy DirSync or Azure AD Sync tools.
  • 1.9% use Microsoft Identity Manager or Forefront Identity Manager.
  • <1% use a custom or third-party solution.

Authenticating with Azure AD

The last time I blogged about authentications, the data I shared was based on authentication volumes. Your feedback to me was that this made the numbers difficult to put in context and that you were more interested in active user numbers. So, for this update I’ll share numbers based on Monthly Active Users (MAU).

As of Oct 31, there were just over 152M Monthly Active Users of Azure AD. Of those active users:

• 55% authenticated using a federation product or service.
• 24% authenticate with Password Hash Sync.
• 21% are cloud only users.
• Azure AD Pass-Through Authentication, which went GA only one month ago, already has over half a million Monthly Active Users and that number is growing at 50% per month!

Diving deeper, here’s some more interesting data:

• 46% of all active users are authenticating with AD Federation Services.
• Just over 2% of all active users are authenticating using Ping Federate. Ping is the fastest growing and most popular third-party option.
• 2% of all active users are authenticating using a third-party IDaaS service like Centrify, Okta or OneAuth.
• 1% of all active users are authenticating using a third-party Federation Server other than Ping Federate.

Key Conclusions

This is some pretty interesting data and highlights a few trends:

1. Azure AD Connect has become the standard way to synchronize between Windows Server AD and Azure AD. Over 90 percent of synching tenants now use it.
2. Azure AD Password Hash Sync has become a very popular option for our customers with tens of millions of monthly active users.
3. As larger and larger enterprises have started using Azure AD, Ping Federate has become an increasingly popular option. Our partnership with Ping has really paid off for these large customers.
4. Despite all the press coverage and market hype, other IDaaS vendors remain a very small part of the Azure AD/Office365 business.
5. Our new Pass Through Authentication option, which only GA’d a month ago is off to a good start with >500,000 MAU already! If current trends hold, sometime in the next six months to a year, it will be used by more unique users than all the other IDaaS vendors combined.

Summary

Just like last time, these numbers tell a pretty clear story. We’ve designed Azure AD to be open and standards-based so our customers can use a wide variety of third-party options. However, the majority of customers find that our “off the shelf” identity solutions meet their needs. And this number continues to grow.

Additionally, the data also shows that the level of simplicity we’ve delivered with Azure AD Connect is having a big impact. The solution is being widely adopted and is far and away the fastest growing option for connecting Windows Server AD and Azure AD/Office 365.

Hopefully you found this blog post interesting and useful! As always, we’d love to receive any feedback or suggestions you have.

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

The post How organizations are connecting their on-premises identities to Azure AD appeared first on Microsoft 365 Blog.

Today I am excited to let you know that we’ve just enabled Guest Access in Microsoft Teams, built on the B2B collaboration features of Azure AD!

You can now enable partner collaboration in Teams for interactions across chat, apps, and file sharing, all with the ease of use and enterprise-grade protection Azure Active Directory has long enabled for your employees.

Now anyone with an Azure Active Directory account in any organization can be invited as a guest user in Microsoft Teams!

Customers have already created more than 8 million guest users using the B2B features of Azure AD and we’re only getting started. Adding support for Microsoft Teams has been a top customer request, so we’re excited to turn on this new capability to keep the momentum going. I hope you’ll give it a try today!

So, go ahead, log in to Teams today and invite your partners to work with you.

And as always, connect with us for any feedback, discussions, and suggestions. You know we’re listening!

Best Regards,

Alex Simons (@Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

P.S.: We are already working to add additional Azure AD capabilities in Teams, including support for external users with any corporate or consumer email account. Look for more news on that soon!

The post Azure AD B2B collaboration in Microsoft Teams appeared first on Microsoft 365 Blog.

I have great news to share with you today! Gartner released their 2017 Magic Quadrant for Access Management (AM MQ), which shows that Microsoft is placed in the leaders quadrant for our completeness of vision and ability to execute.

The AM MQ is a new MQ. It is a separate entity from the discontinued IDaaS MQ and this is the first time it has been published. Azure Active Directory is the product evaluated in the report.

Gartner 2017 Magic Quadrant for Access Management

We have worked with Gartner to make complimentary copies of the report available, which you can access here

Our opinion is that Microsoft’s amazing placement validates our vision of providing a complete identity and access management solution for employees, partners, and customers, all backed by world-class identity protection based on Microsoft’s Intelligent Security Graph. 

We believe that Gartner’s analysis says a lot about our commitment to the identity and access management space. More importantly, though, Microsoft believes it says a lot about our customers, implementation partners, and ISV partners who have worked with us, sharing their time and energy every day to ensure the products and services we build meet their needs and position them to thrive in a world increasingly driven by cloud technology.

We promise to continue delivering innovative capabilities to address your needs in the identity and access management space and to further improve our position in the leaders quadrant of the Gartner AM MQ.

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

The post Azure AD makes the Leaders quadrant in Gartner’s 2017 Magic Quadrant for Access Management! appeared first on Microsoft 365 Blog.