Passwords remain a major source of risk; they’re difficult to manage and easy to steal. Along with weaker forms of multifactor authentication, they’re also highly vulnerable to phishing: AI-powered campaigns drive click-through rates as high as 54%.¹ In response, Microsoft is expanding passkey adoption across our ecosystem. We’re reducing reliance on legacy authentication and strengthening account recovery so it won’t become a backdoor for cyberattackers.

Passkey adoption continues to grow industry wide

Passkey adoption is accelerating: FIDO Alliance estimates 5 billion passkeys already in use worldwide.² Across Microsoft’s consumer services, including OneDrive, Xbox, and Copilot, hundreds of millions of users sign in with passkeys every day.

There are many reasons to choose passkeys as the standard authentication method over passwords. Sign-in success rates are significantly higher than with passwords, and exposure to credential-based attacks is significantly lower.³ Organizations and individual users alike prefer the simpler, more secure sign-in experience passkeys offer.⁴

Inside Microsoft, we’ve eliminated weaker authentication methods and rolled out phishing-resistant authentication, covering 99.6% of users and devices in our environment.⁵ It’s made signing in a lot simpler: no codes to enter, no extra prompts to manage, just a straightforward experience for everyone.

Product updates across sign-in and recovery

Across Microsoft, we’ve been steadily building passkey support into every layer of the identity experience from consumer accounts to enterprise access with Microsoft Entra, and from device-based authentication like Windows Hello to Microsoft’s password manager. This work ensures people can create and use passkeys wherever they sign in, with a consistent, phishing-resistant experience across devices, apps, and environments.

To make passkeys more accessible, we’re expanding where and how people can use them:

• Synced passkeys and passkey profiles in Microsoft Entra ID make it easier to scale passwordless sign-in across diverse environments. We’re expanding flexibility in cloud passkey management, including support for larger and more complex policies, and transitioning tenants to a unified passkey profile model.
• Entra passkeys on Windows make it simple for users to create and use device-bound passkeys directly on personal or unmanaged Windows devices using Windows Hello, and will be generally available in late May 2026.
• Passkeys for Microsoft Entra External ID will be generally available late May 2026, so your customer-facing applications can offer a more seamless, consumer-grade sign-in experience.
• Passkey-preferred authentication in Microsoft Entra ID (preview) detects registered methods and prompts the strongest one first. If a passkey is registered, that’s what the user sees—immediately. 
• On the consumer side, with Microsoft Password Manager, users can now save and sync passkeys across devices signed in with their Microsoft account, with support for iOS and Android rolling out soon through Microsoft Edge. 

Account recovery also plays a critical role in maintaining the integrity of identity systems. Historically, it’s been vulnerable to cyberattackers who try to hijack the recovery process, for example by impersonating legitimate users and requesting new credentials.

Microsoft Entra ID account recovery, generally available today, strengthens security for recovery flows by enabling users to regain access to their accounts through a robust identity verification process. Users can regain access after losing all authentication methods by using government-issued ID and biometric face checks. At general availability, we are expanding our identity verification ecosystem with two new partners—1Kosmos and CLEAR1—joining our existing partners Au10tix, IDEMIA, and TrueCredential. 

Removing phishable credentials from user accounts

Strengthening authentication is important, but reducing risk means eliminating phishable credentials entirely. Microsoft is continuing to phase out legacy methods and move users toward phishing-resistant authentication. Starting in January 2027, security questions will be removed as a password reset option in Microsoft Entra ID due to their susceptibility to guessing and social engineering.

The rationale is straightforward: improving strong methods while removing weak ones shrinks the attack surface. This is increasingly urgent as AI agents act on behalf of users. If an identity is compromised, cyberattackers can leverage those agents to access systems, execute workflows, and operate within existing permissions. Organizations need to address this risk quickly.

A more secure and usable future

Last year, Microsoft joined dozens of organizations in taking the Passkey Pledge, a commitment to accelerating the adoption of phishing-resistant authentication and to moving beyond passwords. Since then, we’ve seen meaningful progress, from hundreds of millions of better-protected consumer accounts to large-scale deployments across organizations like our own.

What once felt like a long-term shift is finally gaining real momentum: authentication is becoming simpler, safer, and passwordless.

For a more in-depth perspective on how cyberattackers try to bypass authentication through fallback methods and recovery flows—and how to address those gaps—read our companion post.

Getting started

Organizations that want to strengthen their identity security posture can enable passkeys for their users and extend policy protections across both sign-in and recovery scenarios.

Get started with a phishing-resistant passwordless authentication deployment in Microsoft Entra ID.

Individuals can create and use passkeys for their personal accounts for better security and convenience.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft Digital Defense Report 2025.

²FIDO Alliance reports mainstream global usage on World Passkey Day. FIDO Alliance, 2026.

³Synced passkeys and high assurance account recovery, Microsoft Entra blog. December 16, 2025.

⁴FIDO Alliance Champions Widespread Passkey Adoption and a Passwordless Future on World Passkey Day 2025, FIDO News Center. May 1, 2025.

⁵Microsoft Security and Future Initiative (SFI) Progress Report—November 2025.

The post World Passkey Day: Advancing passwordless authentication appeared first on Microsoft Security Blog.

Staying ahead of the evolving cyberthreat landscape

Every day, Microsoft processes more than 100 trillion signals from our services. Together with insights from researchers, law enforcement, and cybersecurity teams, these signals reveal how quickly the threat landscape continues to evolve.

We’ve observed nation-state actors and organized cybercrime groups joining forces to deploy generative AI that automates cyberattacks at unprecedented scale. With password spray or brute force attacks still accounting for more than 97% of identity-related alerts we see, more customers are turning on multifactor authentication to defend themselves.¹ Multifactor authentication also reduces the risk of identity compromise by more than 99%, making it the single most important security measure an organization can implement.¹ This is forcing bad actors to evolve their tactics.

Using sophisticated phishing attacks, they trick users into authenticating on fake sites so they can intercept multifactor authentication codes and session tokens. And now they’re even using generative AI to impersonate colleagues and help desk personnel in fraudulent emails and Microsoft Teams chats, luring users into authenticating on their behalf or into granting broad permissions to malicious applications. They’re also targeting workloads, such as AI agents, which use non-human identities that may not have the same level of protection as human users.

This growing cyberthreat landscape is why a comprehensive, integrated identity and access management (IAM) strategy with strong identity governance and agentic AI controls is vital to every organization’s security posture.

A unified solution to simplify and strengthen security

Microsoft Entra is our unified secure access solution that simplifies IAM and consumer IAM (CIAM) for organizations and applications of all sizes across all industries. Instead of having to assemble multiple tools or rely on fragmented processes, security teams get a streamlined experience with centralized visibility and control.

And since we have fully integrated generative AI into the Microsoft Entra admin center, strengthening security posture is as simple as chatting with Microsoft Security Copilot, for example, to create and troubleshoot lifecycle workflows that automate joiner, mover, and leaver scenarios. Security teams can also use natural language prompting to investigate and respond to cyberthreats to any kind of identity.

We’ve also made it easier for developers to integrate authentication into their apps with Microsoft Entra External ID. These include AI-based tools for creating highly customized sign-up/sign-in flows and automated tools for migrating apps from Azure AD B2C or a third-party platform to External ID.

Investing to secure identities for the AI era

A comprehensive IAM solution for non-human identities requires visibility to your organization’s AI agents. We introduced Microsoft Entra Agent ID, which creates enterprise identities for AI agents. Now identity admins can manage and govern agents using the same granular access controls and lifecycle workflows they already use to manage and govern users and applications.

We’ve also expanded Security Copilot to include agents. For example, the Conditional Access Optimization Agent detects policy gaps and provides actionable recommendations to strengthen Zero Trust enforcement and eliminate blind spots.

The Access Review agent, currently in preview, surfaces intelligent recommendations directly in Microsoft Teams. By using AI to analyze sign-in activity, peer group changes, and unusual access patterns making access reviews faster and more secure.

Innovations such as these represent the continued commitment to securing all identities and access points. Stay tuned for more exciting advancements coming your way at Microsoft Ignite.

Explore more

• Read the full 2025 Gartner® Magic Quadrant™ for Access Management report.
• Learn more about Microsoft Entra and our identity solutions.
• Visit the Microsoft Security site for the latest innovations.

Are you a regular user of Microsoft Entra ID? Share your insights on Microsoft Entra ID and get rewarded with a $25 gift card on Gartner Peer Insights™.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

¹Microsoft Digital Defense Report 2025

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft. 

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. 

Gartner, Magic Quadrant for Access Management, 11, November 2025, By Brian Guthrie, Nathan Harris, Yemi Davies, Steve Wessels

The post Microsoft named a Leader in the Gartner® Magic Quadrant™ for Access Management for the ninth consecutive year appeared first on Microsoft Security Blog.

Microsoft has embraced Zero Trust principles, both in our security products and in the way we secure our own enterprise environment. We’ve been helping thousands of organizations worldwide transition to a Zero Trust security model, including military departments and civilian agencies. Over the past three years, we’ve listened to our US government customers, so we can build rich new security features that help them meet the requirements described in the Executive Order, and then support their deployments. These advancements include certificate-based authentication in the cloud, Conditional Access authentication strength, cross-tenant access settings, FIDO2 provisioning APIs, Azure Virtual Desktop support for passwordless authentication, and device-bound passkeys.

The illustration below depicts the Zero Trust Maturity Model Pillars adopted by the US Cybersecurity and Infrastructure Security Agency (CISA).

As the memo’s deadline approaches, we’d like to celebrate the progress our customers have made using the capabilities in Microsoft Entra ID not only to meet requirements for the Identity pillar, but also to reduce complexity and to improve the user experience for their employees and partners.

Microsoft Entra ID is helping US government customers meet the M-22-09 requirements for identity

US government agencies are adopting Microsoft Entra ID to consolidate siloed identity solutions, reduce operational complexity, and improve control and visibility across all their users, as the memo requires. With Microsoft Entra ID, agencies can enforce multifactor authentication at the application level for more granular control. They can also strengthen security by enabling phishing-resistant authentication for staff, contractors, and partners, and by evaluating device information before authorizing access to resources.

Vision:

Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant multifactor authentication protects those personnel from sophisticated online attacks.

Actions:

Source: M-22-09: Moving the US Government Toward Zero Trust Cybersecurity Principles, issued by the US Office of Management and Budget, January 2022, page 5.

Many of our US government civilian and military customers want to use the same solutions across their different environments. Since it’s available in secret and top-secret Microsoft Azure Government clouds, agencies can standardize on Microsoft Entra ID to secure user identities, to configure granular access permissions in one place, and to provide simpler, easier, and more secure sign-in experiences to applications their employees use in their work.

Microsoft Entra ID

Establish Zero Trust access controls, prevent identity attacks, and manage access to resources.

Try for free

Using Microsoft Entra ID as a centralized identity management system

Anyone who has struggled to manage multiple identity systems understands that it’s an expensive and inefficient approach. Government customers who have adopted Microsoft Entra ID as their central agency identity provider (IdP) gained a holistic view of all users and their access permissions as required by the memo. They also gained a centralized access policy engine that combines signals from multiple sources, including identities and devices, to detect anomalous user behavior, assess risk, and make real-time access decisions that adhere to Zero Trust principles.

Moreover, Microsoft Entra ID enables single sign-on (SSO) to resources and apps, including apps from Microsoft and thousands of other vendors, whether they’re on-premises or in Microsoft commercial or government clouds. When deployed as the central agency IdP, Microsoft Entra ID also secures access to resources in clouds from Amazon, Google, and Oracle.

Many government customers are facilitating secure collaboration among different organizations by using Microsoft Entra External ID for business-to-business (B2B) collaboration to enable cross-cloud access scenarios. They don’t have to give collaboration partners separate credentials for accessing applications and documents in their environment, which reduces their cyberattack surface and spares their partner users from maintaining multiple sets of credentials for multiple identity systems.

Using Microsoft Entra ID to facilitate cross-organizational collaboration

One of our government customers, along with their partner agency, configured cross-tenant access settings to trust multifactor authentication claims from each user’s home tenant. Their partner agency can now trust and enforce strong phishing-resistant authentication for the customer’s users without forcing them to sign in multiple times to collaborate. The partner agency also explicitly enforces, through a Conditional Access authentication strength policy, that the customer’s users must sign in using a personal identity verification (PIV) card or a common access card (CAC) before gaining access.

Another government customer needed to give employees from different organizations within the same agency access to shared services applications such as human resources systems. They used Microsoft Entra External ID for B2B collaboration along with cross-cloud settings to enable seamless and secure collaboration and resource sharing for all agency employees, other government agencies (OGAs), and external partners. They used Microsoft Entra Conditional Access policy and cross-tenant access settings to require that employees sign in using phishing-resistant authentication before accessing shared resources. Trust relationships ensure that this approach works whether the home tenant of an employee is in an Azure commercial or government cloud. They also enabled collaboration with agencies that use an IdP other than Microsoft Entra ID by setting up federation through the SAML 2.0 and WS-Fed protocols.

Next step after standardizing on Microsoft Entra ID as your centralized IdP: Use Microsoft Entra ID Governance to automate lifecycle management of guest accounts in your tenant, so guest users only get access to the resources they need, for only as long as they need it. Start here: What are lifecycle workflows?

Enabling strong multifactor authentication

Standardizing on Microsoft Entra ID has made it possible for our government customers to enable phishing-resistant authentication methods. Over the past 18 months, we’ve worked with our US government customers to increase adoption of phishing-resistant multifactor authentication with Microsoft Entra by almost 2,000%.

From there, customers configure Conditional Access policies that require strong phishing-resistant authentication for accessing applications and resources, as required by the memo. Using Conditional Access authentication strength, they can even set policies to require additional, stronger authentication based on the sensitivity of the application or resource the user is trying to access, or the operation they’re trying to perform.

Microsoft Entra supports strong phishing-resistant forms of authentication:

• Certificate-based authentication (CBA) using Personal Identification Cards (PIV) or Common Access Cards (CAC)
• Device-bound passkeys
  • FIDO2 security keys
  • Passkeys in the Microsoft Authenticator app
• Windows Hello for Business
• Platform single sign-on SSO for macOS devices (in preview)

For a deep dive into phishing resistant authentication in Microsoft Entra, explore the video series Phishing-resistant authentication in Microsoft Entra ID.

While Microsoft Entra ID can prevent the use of common passwords, identify compromised passwords, and enable self-service password reset, many of our government customers prefer to require the most secure forms of authentication, such as smart cards with x.509 certificates and passkeys, which don’t involve passwords at all. This makes signing in more secure, simplifies the user experience, and reduces management complexity.

Implementing phishing-resistant multifactor authentication methods with Microsoft Entra ID

To reduce the cost and complexity of maintaining an on-premises authentication infrastructure using Active Directory Federation Services (AD FS) for employee PIV cards, one agency wanted to use certificate-based authentication (CBA) in Microsoft Entra ID. To ensure the transition went smoothly, they moved users with Staged Rollout, carefully monitoring threat activity using Microsoft Entra ID Protection dashboards and Microsoft Graph API logs exported to their security information and event management (SIEM) system. They migrated all their users to cloud-based CBA in Microsoft Entra in less than three months and after monitoring the environment for a time, confidently decommissioned their AD FS servers.

A local government department chose an opt-in approach for moving employees and vendors to phishing-resistant authentication. Every user contacting the help desk for a password reset instead received help onboarding to Windows Hello for Business. This agency also gave FIDO2 keys to all admins and set a Conditional Access authentication strength policy requiring all vendors to perform phishing-resistant authentication. Their next step will be to roll out device-bound passkeys managed in the Microsoft Authenticator app and enforce their use through Conditional Access. This will save them the expense of issuing separate physical keys and give their users the familiar experience of authenticating securely from their mobile device.

By giving users access to applications and resources through Azure Virtual Desktop, another large agency avoids the overhead of maintaining and supporting individual devices and the software running on them. They also protect their environment from potentially unhealthy, misconfigured, or stolen devices. Whether employees use devices running Windows, MacOS, iOS, or Android, they run the same Virtual Desktop image and sign in, as policy requires, using phishing-resistant, passwordless authentication.

Next step after enabling strong multifactor authentication: Configure Conditional Access authentication strength to enforce phishing-resistant authentication for accessing sensitive resources. Start here: Overview of Microsoft Entra authentication strength.

Using Conditional Access policies to authorize access to resources

Using Conditional Access, our government customers have configured fine-tuned access policies that consider contextual information about the user, their device, their location, and real-time risk levels to control which apps and resources users can access and under what conditions.

To satisfy the memo’s third identity requirement, these customers include device-based signals in policies that make authorization decisions. For example, Microsoft Entra ID Protection can detect whether a device’s originating network is safe or unsafe based on its geographic location, IP address range, or whether it’s coming from an anonymous IP address (for example, TOR). Conditional Access can evaluate signals from Microsoft Intune or other mobile device management systems to determine whether a device is properly managed and compliant before granting access. It can also consider device threat signals from Microsoft Defender for Endpoint.

Enabling Microsoft Entra Conditional Access risk-based policies

One government department enabled risk-based Conditional Access policies across their applications, requiring more stringent sign-in methods depending on levels of user and sign-in risk. For example, a user evaluated as ‘no-risk’ must always perform multifactor authentication, a user evaluated as ‘low-medium risk’ must sign in using phishing-resistant multifactor authentication, and a user deemed ‘high-risk’ must sign in using a specific certificate issued to them by the department. The customer has also configured policy to require compliant devices, enable token protection, and define sign-in frequency. To facilitate threat hunting and automatic mitigation, they send their sign-in and other Microsoft Entra logs to Microsoft Sentinel.

Next step after configuring basic Conditional Access policies: Configure risk-based Conditional Access policies using Microsoft Intune. Start here: Configure and enable risk policies.

Next steps

On July 10, 2024, the White House issued Memorandum M-21-14, “Administration Cybersecurity Priorities for the FY 2026 Budget.” One budget priority calls on agencies to transition toward fully mature Zero Trust architectures by September 30, 2026. Agencies need to submit an updated implementation plan to the Office of Management and Budget within 120 days of the memo’s release.

Microsoft is here to help you rearchitect your environment and implement your Zero Trust strategy, so you can comply with every milestone of the Executive Order. We’ve published technical guidance and detailed documentation to help federal agencies use Microsoft Entra ID to meet identity requirements. We’ve also published detailed guidance on meeting the Department of Defense Zero Trust requirements with Microsoft Entra ID.

In the coming weeks and months, you’ll see announcements about additional steps we’re taking to simplify your Zero Trust implementation, such as the general availability of support for device-bound passkeys in Microsoft Authenticator and Microsoft-managed Conditional Access policies that enable multifactor authentication by default for US government customers.

We look forward to supporting you through the next phases of your Zero Trust journey.

1. Standardize on Microsoft Entra ID as your centralized identity provider to secure every identity and to secure access to your apps and resources. Start here: What is Microsoft Entra ID?
2. To facilitate secure cross-organization collaboration, configure cross-tenant access settings and Conditional Access policies to require that partners accessing your resources sign in using phishing-resistant authentication. Start here: Microsoft Entra B2B in government and national clouds.
3. If you’re using CBA on AD FS, migrate to cloud-based CBA using Staged Rollout and retire your on-premises federation servers. Start here: Migrate from AD FS Certificate-based Authentication (CBA) to Microsoft Entra ID CBA.
4. Eliminate passwords altogether by enabling passwordless phishing-resistant authentication using CBA, Windows Hello for Business, device-bound passkeys (FIDO2 security keys or passkeys managed in the Microsoft Authenticator app), or Platform SSO for MacOS. Start here: Plan a passwordless authentication deployment in Microsoft Entra ID.
5. Implement risk-based Conditional Access policies to adjust access requirements dynamically. Start here: DoD Zero Trust Strategy for the user pillar.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post How Microsoft Entra ID supports US government agencies in meeting identity security requirements appeared first on Microsoft Security Blog.

Microsoft Entra is a unified identity and network access solution that protects any identity and secures access to any application or resource, in any cloud or on-premises. We’re grateful to all of you—our customers and partners, for your generous feedback that guides our product vision, roadmap, and innovation, and for the collaborative engineering approach that has enabled us to co-create modern identity and access solutions.  

Today, we are honored to announce that for the seventh year in a row, Microsoft has been named a Leader in the 2023 Gartner® Magic Quadrant ^TM for Access Management. We believe Microsoft’s placement in the Leaders quadrant validates our commitment to empowering our customers with a comprehensive solution powered by AI and automation.

Making it easier to secure access

Microsoft Entra’s mission is to help you stay ahead of the evolving digital threat landscape by making it easier to secure access to everything, for everyone, from anywhere. This year, we released several key innovations in pursuit of this goal. Here are a few recent highlights: 

First, we introduced Microsoft Entra ID Governance, our complete identity governance solution that helps ensure the right people have the right access to the right resources at the right time. This cloud-delivered product includes capabilities that were already available in Microsoft Entra ID, plus more advanced tools that automate identity and access lifecycle management, and simplify access governance for on-premises, software as a service, and cloud apps and resources.

Second, we made significant progress towards offering additional phishing-resistant authentication methods in alignment with Executive Order 14028: Users will be able to sign in using passkeys managed from the Microsoft Authenticator app, which is also Federal Information Processing Standards (FIPS) 140-compliant for both iOS and Android. We have also added more customization for our cloud-based certificate-based authentication (CBA) solution. 

Third, Microsoft Entra ID introduced a series of marquee features, including Microsoft Entra ID Protection that help you proactively block identity takeover in real-time. These innovations include a brand-new dashboard with improved security posture insights and recommendations, new risk detections that can prevent attacks in their early phases, and an integration with Microsoft Defender XDR to correlate incidents. Strict location enforcement capabilities have also been added to continuous access evaluation (CAE), which enables Microsoft Entra ID to use those signals to revoke access and remediate potential compromise if a change in location was detected in in near real-time. As part of an ongoing commitment to token protection, Microsoft Entra ID also released sign-in session token protection to help defend against token theft attacks. 

Fourth, we released the preview of new, unified capabilities in Microsoft Entra External ID, our next-generation customer identity and access management platform that unifies secure and engaging experiences for all external identities, including customers, partners, citizens, and others within a single integrated platform. These new capabilities deliver a more developer-centric platform with the latest security and governance capabilities of Microsoft Entra ID and deep integrations across Microsoft Security. 

Fifth, we launched our new identity-centric Security Service Edge solution with the release of two products, Microsoft Entra Internet Access and Microsoft Entra Private Access. This solution unifies identity and network access controls under a single policy engine, extending universal Conditional Access controls to any user and any resource across identity, endpoint and network. By bringing these two solutions into the Microsoft Entra portfolio, we’re expanding our reach beyond identity and access management to a comprehensive solution that can help secure access holistically.

We can’t wait to bring more innovations to the Microsoft Entra portfolio in this new year and continue making progress against our goal to simplify securing access to everything, for everyone.

Discover the Microsoft Entra product family

The Microsoft Entra product family includes:

• Microsoft Entra ID, part of Microsoft Entra, our flagship cloud identity product.
• Microsoft Entra Permissions Management, our cloud infrastructure entitlement management product.
• Microsoft Entra External ID, our customer identity and access management product.
• Microsoft Entra Verified ID, our decentralized identity product.
• Microsoft Entra Identity Governance, our complete identity governance product.
• Microsoft Entra Workload ID, our product that brings advanced security and governance to non-human identities.
• Microsoft Entra Internet Access, our identity-centric secure web gateway (SWG) product.
• Microsoft Entra Private Access, our identity-centric Zero Trust Network Access (ZTNA) product.

Are you a regular user of Microsoft Entra? Review your experience on Gartner Peer Insights™ and get a $25 gift card.

Microsoft Entra

Unified multicloud identity and network access help you protect and verify identities, manage permissions, and enforce intelligent access policies, all in one place.

Try for free

Learn more

You can learn more by reading the full 2023 Gartner^® Magic Quadrant^TM for Access Management report. To learn more about the Microsoft Entra portfolio and its products, visit our website.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (formerly known as “Twitter”) (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft Digital Defense Report 2023.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner and Magic Quadrant are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

Gartner, Magic Quadrant for Access Management, by Henrique Teixeira, Abhyuday Data, Nathan Harris, Robertson Pimentel. 16 November 2023.

The post Microsoft named a Leader in 2023 Gartner® Magic Quadrant™ for Access Management for the 7th year​​ appeared first on Microsoft Security Blog.

Protecting identities and access is critical. As our work and lives become increasingly digital, cyberattacks are becoming more frequent and more sophisticated, affecting organizations of every size, in every industry, and in every part of the world. In the last 12 months, we saw an average of more than 4,000 password attacks per second, an almost threefold increase from the 1,287 attacks per second we saw the previous year.² We’re also seeing far more sophisticated attacks, including ones that manage to evade critical defenses, such as multifactor authentication, to steal access tokens, impersonate a rightful user, and gain access to critical data.

To help organizations protect their ever-evolving digital estates, we’ve been expanding beyond managing directories and authenticating users to securing and governing access for any identity to any app or resource. Today, we’re thrilled to announce the next milestone in our vision of making it easy to secure access with two new products: Microsoft Entra Internet Access and Microsoft Entra Private Access. We’re adding these capabilities to help organizations instill trust, not only in their digital experiences and services but in every digital interaction that powers them.

Secure access to any app or resource, from anywhere

Flexible work arrangements and the resulting increase in cloud workloads are straining traditional corporate networks and legacy network security approaches. Using VPNs to backhaul traffic to the legacy network security stack weakens security posture and damages the user experience while using siloed solutions and access policies leaves security gaps.

Microsoft Entra Internet Access is an identity-centric Secure Web Gateway that protects access to internet, software as a service (SaaS), and Microsoft 365 apps and resources. It extends Conditional Access policies with network conditions to protect against malicious internet traffic and other threats from the open internet. For Microsoft 365 environments, it enables best-in-class security and visibility, along with faster and more seamless access to Microsoft 365 apps, so you can boost productivity for any user, anywhere. Microsoft 365 scenarios in Microsoft Entra Internet Access are in preview today, and you can sign up for the preview of capabilities for all internet traffic and SaaS apps and resources that will be available later this year.

Microsoft Entra Private Access is an identity-centric Zero Trust Network Access that secures access to private apps and resources. Now any user, wherever they are, can quickly and easily connect to private apps—across hybrid and multicloud environments, private networks, and data centers—from any device and any network. Now in preview, Microsoft Entra Private Access reduces operational complexity and cost by replacing legacy VPNs and offers more granular security. You can apply Conditional Access to individual applications, and enforce multifactor authentication, device compliance, and other controls to any legacy application without changing those applications.

Together, Internet Access and Private Access, coupled with Microsoft Defender for Cloud Apps, our SaaS security-focused cloud access security broker, comprise Microsoft’s Security Service Edge (SSE) solution. We’ll continue to evolve our SSE solution as an open platform that delivers the flexibility of choice between solutions from Microsoft and our partners. Pricing for Microsoft Entra Internet Access and Microsoft Entra Private Access will be available when those products reach general availability.

Figure 1. Microsoft’s Security Service Edge (SSE) solution.

Neither identity nor network security alone can protect the breadth of access points and scenarios that modern organizations require. That’s why, as cyberattacks get more sophisticated, we’re adding identity-centric network access to our cloud identity solutions. We’re converging controls for identity and network access so you can create unified Conditional Access policies that extend all protections and governance to all identities and resources. With a single place to safeguard and verify identities, manage permissions, and enforce intelligent access policies, protecting your digital estate has never been easier.

Microsoft Azure Active Directory is becoming Microsoft Entra ID

When we introduced Microsoft Entra in May of 2022, it included three products: Microsoft Azure Active Directory (Azure AD), Microsoft Entra Permissions Management, and Microsoft Entra Verified ID.¹ We later expanded the Microsoft Entra family with Microsoft Entra ID Governance and Microsoft Entra Workload ID.³ Today, Microsoft Entra protects any identity and secures access to any resource—on-premises, across clouds, and anywhere in between—with a product family that unifies multicloud identity and network access solutions.

To simplify our product naming and unify our product family, we’re changing the name of Azure AD to Microsoft Entra ID. Capabilities and licensing plans, sign-in URLs, and APIs remain unchanged, and all existing deployments, configurations, and integrations will continue to work as before. Starting today, you’ll see notifications in the administrator portal, on our websites, in documentation, and in other places where you may interact with Azure AD. We’ll complete the name change from Azure AD to Microsoft Entra ID by the end of 2023. No action is needed from you.

Figure 2. With the name change to Microsoft Entra ID, the standalone license names are changing. Azure AD Free becomes Microsoft Entra ID Free. Azure AD Premium P1 becomes Microsoft Entra ID P1. Azure AD Premium P2 becomes Microsoft Entra ID P2. And our product for customer identities, Azure AD External Identities, becomes Microsoft Entra External ID. SKU and service plan name changes take effect on October 1, 2023.

More innovations in Microsoft Entra

Today we’d also like to highlight other innovations in the Microsoft Entra portfolio that strengthen defenses against attackers who are becoming more adept at exploiting identity-related vulnerabilities such as weak credentials, misconfigurations, and excessive access permissions.

Prevent identity takeover in real time

Several exciting changes to Microsoft Entra ID Protection (currently Azure AD Identity Protection) help IT and identity practitioners prevent account compromise. Instead of reactively revoking access based on stale data, ID Protection uses the power of advanced machine learning to identify sign-in anomalies and anomalous user behavior and then block, challenge, or limit access in real time. For example, it may trigger a risk-based Conditional Access policy that requires high-assurance and phishing-resistant authentication methods for accessing sensitive resources.

A new dashboard demonstrates the impact of the identity protections that organizations deploy with a comprehensive snapshot of prevented identity attacks and the most common attack patterns. On the dashboard, you can view simple metric cards and attack graphs that show risk origins, security posture over time, types of current attacks, as well as recommendations based on risk exposure, while highlighting the business impact of enforced controls. With these insights, you can further investigate your organization’s security posture in additional tools and applications for enhanced recommendations.

Figure 3. New Microsoft Entra ID Protection dashboard.

Automate access governance

An important part of securing access for any identity to any app is ensuring that only the right identities have the right access at the right time. Some organizations only realize they need to take this approach when they fail a security audit. Microsoft Entra ID Governance, now generally available, is a complete identity governance solution that helps you comply with organizational and regulatory security requirements while increasing employee productivity through real-time, self-service, and workflow-based app entitlements.⁴

ID Governance automates the employee identity lifecycle to reduce manual work for IT and provides machine learning-based insights about identities and app entitlements. Because it’s cloud-delivered, it scales to complex cloud and hybrid environments, unlike traditional on-premises identity governance point solutions. It supports cloud and on-premises apps from any provider, as well as custom-built apps hosted in the public cloud or on-premises. Our global system integrator partners—including Edgile, a Wipro company, EY, KPMG, and PwC—started helping with the planning and deployment of ID Governance on July 1, 2023.

Figure 4. New Microsoft Entra ID Governance dashboard.

Personalize and secure access to any application for customers and partners

As we announced at Microsoft Build 2023, new developer-centric capabilities in Microsoft Entra External ID are now in preview. External ID is an integrated identity solution for external users, including customers, patients, citizens, guests, partners, and suppliers. It offers rich customization options, Conditional Access, identity protection, and support for social identity providers. Using our comprehensive developer tools, even those developers who have little to no identity experience can create personalized sign-in and sign-up experiences for their applications within minutes.

Simplify identity verification with Microsoft Entra Verified ID

Since we announced the general availability of Microsoft Entra Verified ID last summer, organizations around the world have been reinventing business processes, such as new employee onboarding, around this new, simpler way of verifying someone’s identity.⁵ For example, we recently announced that millions of LinkedIn members will be able to verify their place of work using a Verified ID credential.⁶ At the 2023 Microsoft Build event, we launched the Microsoft Entra Verified ID SDK so that developers can quickly add a secure digital wallet to any mobile application. The app can then store and verify a wide range of digital ID cards.

Microsoft Entra: Secure access for a connected world

You can see our expanded Microsoft Entra product family in Figure 5. Visit the Microsoft Entra website to learn more.

Figure 5. The Microsoft Entra family of identity and network access products.

We’re committed to building a more secure world for all and making life harder for threat actors, easier for admins, and more secure for every user. As part of that commitment, we’ll keep expanding Microsoft Entra to provide the broadest possible coverage along with a flexible and agile model where people, organizations, apps, and even smart things can confidently make real-time access decisions.

Encourage your technical teams to dive deeper into these announcements by attending the Tech Accelerator event on July 20, 2023, on the Microsoft Tech Community.

Microsoft Entra

Meet the family of multicloud identity and access products.

Learn more

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Secure access for a connected world—meet Microsoft Entra, Joy Chik and Vasu Jakkal. May 31, 2022.

²Microsoft internal data.

³Do more with less—Discover the latest Microsoft Entra innovations, Joy Chik. October 19, 2022.

⁴Microsoft Entra ID Governance is generally available, Joseph Dadzie. June 7, 2023.

⁵Microsoft Entra Verified ID now generally available, Ankur Patel. August 8, 2022.

⁶LinkedIn and Microsoft Entra introduce a new way to verify your workplace, Joy Chik. April 12, 2023.

The post Microsoft Entra expands into Security Service Edge and Azure AD becomes Microsoft Entra ID appeared first on Microsoft Security Blog.