Microsoft has embraced Zero Trust principles, both in our security products and in the way we secure our own enterprise environment. We’ve been helping thousands of organizations worldwide transition to a Zero Trust security model, including military departments and civilian agencies. Over the past three years, we’ve listened to our US government customers, so we can build rich new security features that help them meet the requirements described in the Executive Order, and then support their deployments. These advancements include certificate-based authentication in the cloud, Conditional Access authentication strength, cross-tenant access settings, FIDO2 provisioning APIs, Azure Virtual Desktop support for passwordless authentication, and device-bound passkeys.

The illustration below depicts the Zero Trust Maturity Model Pillars adopted by the US Cybersecurity and Infrastructure Security Agency (CISA).

As the memo’s deadline approaches, we’d like to celebrate the progress our customers have made using the capabilities in Microsoft Entra ID not only to meet requirements for the Identity pillar, but also to reduce complexity and to improve the user experience for their employees and partners.

Microsoft Entra ID is helping US government customers meet the M-22-09 requirements for identity

US government agencies are adopting Microsoft Entra ID to consolidate siloed identity solutions, reduce operational complexity, and improve control and visibility across all their users, as the memo requires. With Microsoft Entra ID, agencies can enforce multifactor authentication at the application level for more granular control. They can also strengthen security by enabling phishing-resistant authentication for staff, contractors, and partners, and by evaluating device information before authorizing access to resources.

Vision:

Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant multifactor authentication protects those personnel from sophisticated online attacks.

Actions:

1. Agencies must employ centralized identity management systems for agency users that can be integrated into applications and common platforms.
2. Agencies must use strong multifactor authentication throughout their enterprise.
   • Multifactor authentication must be enforced at the application layer, instead of the network layer.
   • For agency staff, contractors, and partners, phishing-resistant multifactor authentication is required.
   • For public users, phishing-resistant multifactor authentication must be an option.
   • Password policies must not require use of special characters or regular rotation.
3. When authorizing users to access resources, agencies must consider at least one device-level signal alongside identity information about the authenticated user.

Source: M-22-09: Moving the US Government Toward Zero Trust Cybersecurity Principles, issued by the US Office of Management and Budget, January 2022, page 5.

Many of our US government civilian and military customers want to use the same solutions across their different environments. Since it’s available in secret and top-secret Microsoft Azure Government clouds, agencies can standardize on Microsoft Entra ID to secure user identities, to configure granular access permissions in one place, and to provide simpler, easier, and more secure sign-in experiences to applications their employees use in their work.

Microsoft Entra ID

Establish Zero Trust access controls, prevent identity attacks, and manage access to resources.

Try for free

Using Microsoft Entra ID as a centralized identity management system

Anyone who has struggled to manage multiple identity systems understands that it’s an expensive and inefficient approach. Government customers who have adopted Microsoft Entra ID as their central agency identity provider (IdP) gained a holistic view of all users and their access permissions as required by the memo. They also gained a centralized access policy engine that combines signals from multiple sources, including identities and devices, to detect anomalous user behavior, assess risk, and make real-time access decisions that adhere to Zero Trust principles.

Moreover, Microsoft Entra ID enables single sign-on (SSO) to resources and apps, including apps from Microsoft and thousands of other vendors, whether they’re on-premises or in Microsoft commercial or government clouds. When deployed as the central agency IdP, Microsoft Entra ID also secures access to resources in clouds from Amazon, Google, and Oracle.

Many government customers are facilitating secure collaboration among different organizations by using Microsoft Entra External ID for business-to-business (B2B) collaboration to enable cross-cloud access scenarios. They don’t have to give collaboration partners separate credentials for accessing applications and documents in their environment, which reduces their cyberattack surface and spares their partner users from maintaining multiple sets of credentials for multiple identity systems.

Using Microsoft Entra ID to facilitate cross-organizational collaboration

One of our government customers, along with their partner agency, configured cross-tenant access settings to trust multifactor authentication claims from each user’s home tenant. Their partner agency can now trust and enforce strong phishing-resistant authentication for the customer’s users without forcing them to sign in multiple times to collaborate. The partner agency also explicitly enforces, through a Conditional Access authentication strength policy, that the customer’s users must sign in using a personal identity verification (PIV) card or a common access card (CAC) before gaining access.

Another government customer needed to give employees from different organizations within the same agency access to shared services applications such as human resources systems. They used Microsoft Entra External ID for B2B collaboration along with cross-cloud settings to enable seamless and secure collaboration and resource sharing for all agency employees, other government agencies (OGAs), and external partners. They used Microsoft Entra Conditional Access policy and cross-tenant access settings to require that employees sign in using phishing-resistant authentication before accessing shared resources. Trust relationships ensure that this approach works whether the home tenant of an employee is in an Azure commercial or government cloud. They also enabled collaboration with agencies that use an IdP other than Microsoft Entra ID by setting up federation through the SAML 2.0 and WS-Fed protocols.

Next step after standardizing on Microsoft Entra ID as your centralized IdP: Use Microsoft Entra ID Governance to automate lifecycle management of guest accounts in your tenant, so guest users only get access to the resources they need, for only as long as they need it. Start here: What are lifecycle workflows?

Enabling strong multifactor authentication

Standardizing on Microsoft Entra ID has made it possible for our government customers to enable phishing-resistant authentication methods. Over the past 18 months, we’ve worked with our US government customers to increase adoption of phishing-resistant multifactor authentication with Microsoft Entra by almost 2,000%.

From there, customers configure Conditional Access policies that require strong phishing-resistant authentication for accessing applications and resources, as required by the memo. Using Conditional Access authentication strength, they can even set policies to require additional, stronger authentication based on the sensitivity of the application or resource the user is trying to access, or the operation they’re trying to perform.

Microsoft Entra supports strong phishing-resistant forms of authentication:

• Certificate-based authentication (CBA) using Personal Identification Cards (PIV) or Common Access Cards (CAC)
• Device-bound passkeys
  • FIDO2 security keys
  • Passkeys in the Microsoft Authenticator app
• Windows Hello for Business
• Platform single sign-on SSO for macOS devices (in preview)

For a deep dive into phishing resistant authentication in Microsoft Entra, explore the video series Phishing-resistant authentication in Microsoft Entra ID.

While Microsoft Entra ID can prevent the use of common passwords, identify compromised passwords, and enable self-service password reset, many of our government customers prefer to require the most secure forms of authentication, such as smart cards with x.509 certificates and passkeys, which don’t involve passwords at all. This makes signing in more secure, simplifies the user experience, and reduces management complexity.

Implementing phishing-resistant multifactor authentication methods with Microsoft Entra ID

To reduce the cost and complexity of maintaining an on-premises authentication infrastructure using Active Directory Federation Services (AD FS) for employee PIV cards, one agency wanted to use certificate-based authentication (CBA) in Microsoft Entra ID. To ensure the transition went smoothly, they moved users with Staged Rollout, carefully monitoring threat activity using Microsoft Entra ID Protection dashboards and Microsoft Graph API logs exported to their security information and event management (SIEM) system. They migrated all their users to cloud-based CBA in Microsoft Entra in less than three months and after monitoring the environment for a time, confidently decommissioned their AD FS servers.

A local government department chose an opt-in approach for moving employees and vendors to phishing-resistant authentication. Every user contacting the help desk for a password reset instead received help onboarding to Windows Hello for Business. This agency also gave FIDO2 keys to all admins and set a Conditional Access authentication strength policy requiring all vendors to perform phishing-resistant authentication. Their next step will be to roll out device-bound passkeys managed in the Microsoft Authenticator app and enforce their use through Conditional Access. This will save them the expense of issuing separate physical keys and give their users the familiar experience of authenticating securely from their mobile device.

By giving users access to applications and resources through Azure Virtual Desktop, another large agency avoids the overhead of maintaining and supporting individual devices and the software running on them. They also protect their environment from potentially unhealthy, misconfigured, or stolen devices. Whether employees use devices running Windows, MacOS, iOS, or Android, they run the same Virtual Desktop image and sign in, as policy requires, using phishing-resistant, passwordless authentication.

Next step after enabling strong multifactor authentication: Configure Conditional Access authentication strength to enforce phishing-resistant authentication for accessing sensitive resources. Start here: Overview of Microsoft Entra authentication strength.

Using Conditional Access policies to authorize access to resources

Using Conditional Access, our government customers have configured fine-tuned access policies that consider contextual information about the user, their device, their location, and real-time risk levels to control which apps and resources users can access and under what conditions.

To satisfy the memo’s third identity requirement, these customers include device-based signals in policies that make authorization decisions. For example, Microsoft Entra ID Protection can detect whether a device’s originating network is safe or unsafe based on its geographic location, IP address range, or whether it’s coming from an anonymous IP address (for example, TOR). Conditional Access can evaluate signals from Microsoft Intune or other mobile device management systems to determine whether a device is properly managed and compliant before granting access. It can also consider device threat signals from Microsoft Defender for Endpoint.

Enabling Microsoft Entra Conditional Access risk-based policies

One government department enabled risk-based Conditional Access policies across their applications, requiring more stringent sign-in methods depending on levels of user and sign-in risk. For example, a user evaluated as ‘no-risk’ must always perform multifactor authentication, a user evaluated as ‘low-medium risk’ must sign in using phishing-resistant multifactor authentication, and a user deemed ‘high-risk’ must sign in using a specific certificate issued to them by the department. The customer has also configured policy to require compliant devices, enable token protection, and define sign-in frequency. To facilitate threat hunting and automatic mitigation, they send their sign-in and other Microsoft Entra logs to Microsoft Sentinel.

Next step after configuring basic Conditional Access policies: Configure risk-based Conditional Access policies using Microsoft Intune. Start here: Configure and enable risk policies.

Next steps

On July 10, 2024, the White House issued Memorandum M-21-14, “Administration Cybersecurity Priorities for the FY 2026 Budget.” One budget priority calls on agencies to transition toward fully mature Zero Trust architectures by September 30, 2026. Agencies need to submit an updated implementation plan to the Office of Management and Budget within 120 days of the memo’s release.

Microsoft is here to help you rearchitect your environment and implement your Zero Trust strategy, so you can comply with every milestone of the Executive Order. We’ve published technical guidance and detailed documentation to help federal agencies use Microsoft Entra ID to meet identity requirements. We’ve also published detailed guidance on meeting the Department of Defense Zero Trust requirements with Microsoft Entra ID.

In the coming weeks and months, you’ll see announcements about additional steps we’re taking to simplify your Zero Trust implementation, such as the general availability of support for device-bound passkeys in Microsoft Authenticator and Microsoft-managed Conditional Access policies that enable multifactor authentication by default for US government customers.

We look forward to supporting you through the next phases of your Zero Trust journey.

1. Standardize on Microsoft Entra ID as your centralized identity provider to secure every identity and to secure access to your apps and resources. Start here: What is Microsoft Entra ID?
2. To facilitate secure cross-organization collaboration, configure cross-tenant access settings and Conditional Access policies to require that partners accessing your resources sign in using phishing-resistant authentication. Start here: Microsoft Entra B2B in government and national clouds.
3. If you’re using CBA on AD FS, migrate to cloud-based CBA using Staged Rollout and retire your on-premises federation servers. Start here: Migrate from AD FS Certificate-based Authentication (CBA) to Microsoft Entra ID CBA.
4. Eliminate passwords altogether by enabling passwordless phishing-resistant authentication using CBA, Windows Hello for Business, device-bound passkeys (FIDO2 security keys or passkeys managed in the Microsoft Authenticator app), or Platform SSO for MacOS. Start here: Plan a passwordless authentication deployment in Microsoft Entra ID.
5. Implement risk-based Conditional Access policies to adjust access requirements dynamically. Start here: DoD Zero Trust Strategy for the user pillar.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post How Microsoft Entra ID supports US government agencies in meeting identity security requirements appeared first on Microsoft Security Blog.

Zero Trust in the age of AI

Watch our on-demand webinar to learn how to simplify your Zero Trust strategy with the latest end-to-end security innovations.

Watch the webinar

The extraordinary advancements in technology that make our work lives easier and more flexible also create opportunities for bad actors seeking more effective ways to launch cyberattacks. A Zero Trust strategy is vital for helping keep your organization safe in an era when cyberattacks against passwords, networks, and applications continue to increase. According to Gartner®, “AI enhancement can provide malicious code, and facilitate phishing and social engineering, which enables better intrusion, increased credibility, and more damaging attacks.”¹

A proactive Zero Trust security strategy unifies defenses across identities, endpoints, networks, applications, data, and infrastructure with comprehensive security policies, pervasive threat protection, and governance. While individual tools are typically used to fulfill requirements across each Zero Trust pillar, a truly comprehensive strategy connects them together through a centralized access policy engine and integrated threat protection. This delivers defense-in-depth cybersecurity across your on-premises, hybrid, and multicloud environments.

Buying individual solutions and building truly comprehensive architecture from scratch is a herculean effort for most organizations. We’ve designed our security offering from the ground up to enable Zero Trust—delivering built-in integrations with unified policies, controls, and automation to accelerate your implementation and strengthen your security posture.

These announcements further simplify the implementation of a Zero Trust architecture across the full lifecycle from prevention to detection and response. The Microsoft Entra Suite enables organizations to converge policies across identities, endpoints, and private and public networks with a unified access policy engine. Our unified security operations platform brings together all the security signals your environment generates, then normalizes, analyzes, and uses them to proactively defend against cyberthreats.

The Microsoft Entra Suite

Given that 66% of digital attack paths involve insecure identity credentials, the Microsoft Entra Suite plays a critical role in preventing security breaches.²

Implemented alone, neither identity nor network security can address all possible access scenarios. The Microsoft Entra Suite unifies identity and network access security—a novel and necessary approach for Zero Trust security. It provides everything you need to verify users, prevent overprivileged permissions, improve detections, and enforce granular access controls for all users and resources. Its native integration facilitates collaboration between identity and network teams. It also reduces your IT administrators’ workload, because they can easily manage and enforce granular identity and network access policies in one place. In addition, Microsoft Entra skills in Microsoft Copilot for Security help identity professionals respond more quickly to identity risks.

The Microsoft Entra Suite can help you do the following:

Unify Conditional Access policies for identities and networks. Security teams only have to manage one set of policies in one portal to configure access controls for both identities and networks. Now they can extend Zero Trust access policies to any application, whether it’s in the cloud, on-premises, or even to the open internet. Conditional Access evaluates any access request, no matter where it’s coming from, performing real-time risk assessment to strengthen protection against unauthorized access. And because the access policy engine is unified, identity and network teams can be confident that they protect every access point without leaving gaps that often exist between disparate solutions.  

Ensure least privilege access for all users accessing all resources and apps, including AI. Identity professionals can automate the access lifecycle from the day a new employee joins their organization, through all their role changes, until the time of their exit. No matter how long or multifaceted an employee’s journey, Microsoft Entra ID Governance ensures they have the right access to just the applications and resources they need, which helps prevent a cyberattacker’s lateral movement in case of a breach. Identity professionals and business leaders have an additional layer of access control with regular, machine learning-powered access reviews to recertify access needs, ensure compliance with internal policies, and remove unnecessary permissions based on machine learning-powered insights that help reduce reviewer fatigue.  

Improve the user experience for both in-office and remote workers. Employees enjoy a faster and easier onboarding experience, faster and more secure sign-in through passwordless authentication, single sign-on for all applications, and superior performance. They can use a self-service portal to request access to relevant packages, manage approvals and access reviews, and view request and approval history. Face Check with Microsoft Entra Verified ID enables real-time verification of a user’s identity, which streamlines remote onboarding and self-service recovery of passwordless accounts.

Reduce the complexity and cost of managing security tools from multiple vendors. Since traditional on-premises security solutions don’t scale to the needs of modern cloud-first, AI-first environments, organizations are seeking ways to secure and manage their assets from the cloud. With the Microsoft Entra Suite, they can retire multiple on-premises security tools, such as traditional VPNs, on-premises Secure Web Gateway, and on-premises identity governance.

Microsoft Sentinel is generally available in Microsoft’s unified security operations platform

A complete Zero Trust architecture provides effective prevention, detection, investigation, and response to cyberthreats across every layer of your digital estate. Because threat actors constantly pivot, no defense is ever absolute. That’s why taking an “assume breach” stance by continuously re-verifying every action while monitoring for new risks and threats is a Zero Trust principle.

According to our research, organizations use as many as 80 individual tools in their security portfolio. For many, this means having to manually manage integration between their security information and event management (SIEM); security orchestration, automation, and response (SOAR); extended detection and response (XDR); posture and exposure management; cloud security; and threat intelligence.

We’ve been on a journey to unify these tools over the last few years and are excited to take the next step by bringing Microsoft Sentinel into the Microsoft Defender portal, which we can announce is generally available. Microsoft Sentinel customers on the commercial cloud with at least one Microsoft Defender XDR workload deployed will now be able to:

• Onboard a single workspace into the Defender portal.
• Have unified incidents and unified hunting with Microsoft Defender XDR, streamlining their investigations and reducing context switching.
• Take advantage of Microsoft Copilot for Security for incident summaries and reports, guided investigation, auto-generated Microsoft Teams messages, code analysis, and more.
• Extend attack disruption beyond Defender XDR workloads to other critical apps—starting with SAP.
• Get tailored, post-incident recommendations on preventing similar or repeat cyberattacks that tie directly into the Microsoft Security Exposure Management initiatives to automatically improve readiness scores as actions are completed.

Microsoft Sentinel customers can adopt the new experience easily while continuing to use the classic experience in Microsoft Azure if needed. It’s never been easier to add SIEM capabilities like connectors to hundreds of data sources, and extended retention or additional compliance capabilities to your existing Microsoft Defender XDR environment.

Some more details of the unified security operations platform include:

Automatically disrupt hands-on-keyboard cyberattacks with attack disruption. This out-of-the-box capability is powered by AI and machine learning to detect and stop the progression of advanced cyberattacks being conducted by well-resourced and sophisticated threat actors. Attack disruption stops the progress of human-operated ransomware, business email compromise, adversary-in-the-middle, and malicious use of OAuth apps in real time with 99% confidence, giving your security team a chance to complete their investigation and remediation under less pressure. By combining native and third-party signals from Defender XDR and Microsoft Sentinel, attack disruption has expanded to stop even more attacks in critical apps, such as SAP.

Detect and investigate faster with more accuracy. Bringing the depth of XDR signal from Defender and the flexibility of log sources from Microsoft Sentinel delivers an improved signal-to-noise ratio and enhanced alert correlation. Cyberattack timelines are automatically fully correlated in a single incident, allowing analysts to move faster to respond to breaches, with a more comprehensive view of an attack. The unification of SIEM and XDR has delivered to our customers, on average, 50% faster correlation among XDR, log data, custom detections, and threat intelligence—with 99% accuracy.³

Improved threat hunting experience. With a single experience for data querying, analysts don’t have to remember where data is available or jump across portals. Customers have found significant benefit in their ability to proactively search through data for an indicator of compromise. Embedded Microsoft Copilot for Security acts across SIEM and XDR data to further accelerate the work of security analysts with skills such as guided response or natural language to Kusto Query Language (KQL) translation.

“Our team has greatly benefited from the unified threat hunting experience provided by the platform. The integration of various data sources, including those from third-party providers through Microsoft Sentinel, has significantly enhanced our incident response capabilities. This has allowed us to expand on our threat hunting and custom detection possibilities.”

—DOW

Get started now: Commercial cloud users of Microsoft Sentinel with at least one Defender XDR workload deployed can onboard a single workspace into the Defender portal through a simple wizard, available on the home screen at security.microsoft.com. After the workspace is onboarded, customers can use the unified security operations platform for SIEM and XDR, while retaining access to their Microsoft Sentinel experience in the Azure portal.

“The biggest benefit of the unified security operations platform has been the ability to combine data in Defender XDR with logs from third-party security tools. Another advantage has been to eliminate the need to switch between Defender XDR and Microsoft Sentinel portals. We now have a single pane of glass, which the team has been wanting for some years.”

—Robel Kidane, Group Information Security Manager, Renishaw plc

Simplifying implementation of your Zero Trust architecture

By incorporating the principles of Zero Trust—verify explicitly, use least privileged access, and assume breach—the Microsoft Entra Suite and the Microsoft unified security operations platform help leaders and stakeholders for security operations, identity, IT, and network infrastructure understand their organization’s overall Zero Trust posture. They verify explicitly by ensuring continuous authentication and authorization of all access requests. They enforce least privileged access by granting only the minimal level of access necessary for users to perform their tasks, thereby reducing attack surfaces. Additionally, they assume breach by continuously monitoring and analyzing activities to identify and respond to cyberthreats proactively.

We encourage you to watch the Zero Trust spotlight on-demand, when Microsoft experts and thought leaders will dive deeper into these and other announcements, including the general availability of Microsoft Entra Internet Access and Microsoft Entra Private Access, which is part of the Microsoft Entra Suite.

Learn more about the Microsoft Entra Suite

• Read more about the general availability of Microsoft Entra Suite.
• Read more about the general availability of Microsoft Entra Internet Access and Microsoft Entra Private Access.
• Read about Microsoft Entra plans and pricing.
• Visit the Microsoft Entra Suite trial page.
• Learn more about Microsoft identity and network access solutions.
• Register for the Tech Accelerator on August 14, 2024.

Learn more about the unified security operations platform

• Combine least privileged access with endpoint management and data governance for even stronger protection of sensitive information.
• Get started with the general availability of Microsoft Sentinel in the Defender Portal with some helpful FAQs.
• Learn more about the exposure management public preview.
• Read about the new Microsoft Sentinel SOC optimization API.
• Learn more about the general availability of Microsoft Sentinel in the unified SOC platform.
• Learn about our how SOC optimization helps your organization manage costs and protections.
• Manually deploy playbooks in the unified experience.
• Compare Microsoft 365 Enterprise Plans.
• Learn about Microsoft Sentinel pricing.

Learn more about Zero Trust

• Watch the on-demand Zero Trust spotlight.
• Embrace proactive security with Zero Trust.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Gartner Survey Shows AI-Enhanced Malicious Attacks Are a New Top Emerging Risk for Enterprises, Gartner press release. May 22, 2024. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

²State of Multicloud Risk Report, Microsoft. 2024.

³Microsoft Internal Research. June 2024.

The post Simplified Zero Trust security with the Microsoft Entra Suite and unified security operations platform, now generally available appeared first on Microsoft Security Blog.

Generative AI will empower individuals and organizations to increase productivity and accelerate their work, but these tools can also be susceptible to internal and external risk. Attackers are already using AI to launch, scale, and even automate new and sophisticated cyberattacks, all without writing a single line of code. Machine learning demands have increased as well, leading to an abundance of workload identities across corporate multicloud environments. This makes it more complex for identity and access professionals to secure, permission, and track a growing set of human and machine identities.

Adopting a comprehensive defense-in-depth strategy that spans identity, endpoint, and network can help your organization be better prepared for the opportunities and challenges we face in 2024 and beyond. To confidently secure identity and access at your organization, here are five areas worth prioritizing in the new year:

1. Empower your workforce with Microsoft Security Copilot.
2. Enforce least privilege access everywhere, including AI apps.
3. Get prepared for more sophisticated attacks.
4. Unify access policies across identity, endpoint, and network security.
5. Control identities and access for multicloud.

Our recommendations come from serving thousands of customers, collaborating with the industry, and continuously protecting the digital economy from a rapidly evolving threat landscape.

Microsoft Entra

Learn how unified multicloud identity and network access help you protect and verify identities, manage permissions, and enforce intelligent access policies, all in one place.

Explore Microsoft Entra

Priority 1: Empower your workforce with Microsoft Security Copilot

This year generative AI will become deeply infused into cybersecurity solutions and play a critical role in securing access. Identities, both human and machine, are multiplying at a faster rate than ever—as are identity-based attacks. Sifting through sign-in logs to investigate or remediate identity risks does not scale to the realities of cybersecurity talent shortages when there are more than 4,000 identity attacks per second.¹ To stay ahead of malicious actors, identity professionals need all the help they can get. Here’s where Microsoft Security Copilot can make a big difference at your organization and help cut through today’s noisy security landscape. Generative AI can meaningfully augment the talent and ingenuity of your identity experts with automations that work at machine-speed and intelligence.

Based on the latest Work Trend Index, business leaders are empowering workers with AI to increase productivity and help employees with repetitive and low value tasks.² Early adopters of Microsoft Security Copilot, our AI companion for cybersecurity teams, have seen a 44% increase in efficiency and 86% increase in quality of work.³ Identity teams can use natural language prompts in Copilot to reduce time spent on common tasks, such as troubleshooting sign-ins and minimizing gaps in identity lifecycle workflows. It can also strengthen and uplevel expertise in the team with more advanced capabilities like investigating users and sign-ins associated with security incidents while taking immediate corrective action. 

To get the most out of your AI investments, identity teams will need to build a consistent habit of using their AI companions. Once your workforce becomes comfortable using these tools, it is time to start building a company prompt library that outlines the specific queries commonly used for various company tasks, projects, and business processes. This will equip all current and future workers with an index of shortcuts that they can use to be productive immediately.

How to get started: Check out this Microsoft Learn training on the fundamentals of generative AI, and subscribe for updates on Microsoft Security Copilot to be the first to hear about new product innovations, the latest generative AI tips, and upcoming events.

Priority 2: Enforce least privilege access everywhere, including AI apps

One of the most common questions we hear is how to secure access to AI apps—especially those in corporate (sanctioned) and third-party (unsanctioned) environments. Insider risks like data leakage or spoilage can lead to tainted large language models, confidential data being shared in apps that are not monitored, or the creation of rogue user accounts that are easily compromised. The consequences of excessively permissioned users are especially damaging within sanctioned AI apps where users who are incorrectly permissioned can quickly gain access to and manipulate company data that was never meant for them.

Ultimately, organizations must secure their AI applications with the same identity and access governance rules they apply to the rest of their corporate resources. This can be done with an identity governance solution, which lets you define and roll out granular access policies for all your users and company resources, including the generative AI apps your organization decides to adopt. As a result, only the right people will have the right level of access to the right resources. The access lifecycle can be automated at scale through controls like identity verification, entitlement management, lifecycle workflows, access requests, reviews, and expirations. 

To enforce least privilege access, make sure that all sanctioned apps and services, including generative AI apps, are managed by your identity and access solution. Then, define or update your access policies with a tool like Microsoft Entra ID Governance that controls who, when, why, and how long users retain access to company resources. Use lifecycle workflows to automate user access policies so that any time a user’s status changes, they still maintain the correct level of access. Where applicable, extend custom governance rules and user experiences to any customer, vendor, contractor, or partner by integrating Microsoft Entra External ID, a customer identity and access management (CIAM) solution. For high-risk actions, require proof of identity in real-time using Microsoft Entra Verified ID. Microsoft Security Copilot also comes with built-in governance policies, tailored specifically for generative AI applications, to prevent misuse.

How to get started: Read the guide to securely govern AI and other business-critical applications in your environment. Make sure your governance strategy abides by least privilege access principles.

Priority 3: Get prepared for more sophisticated attacks

Not only are known attacks like password spray increasing in intensity, speed, and scale, but new attack techniques are being developed rapidly that pose a serious threat to unprepared teams. Multifactor authentication adds a layer of security, but cybercriminals can still find ways around it. More sophisticated attacks like token theft, cookie replay, and AI-powered phishing campaigns are also becoming more prevalent. Identity teams need to adapt to a new cyberthreat landscape where bad actors can automate the full lifecycle of a threat campaign—all without writing a single line of code.

To stay safe in today’s relentless identity threat landscape, we recommend taking a multi-layered approach. Start by implementing phishing-resistant multifactor authentication that is based on cryptography or biometrics such as Windows Hello, FIDO2 security keys, certificate-based authentication, and passkeys (both roaming and device-bound). These methods can help you combat more than 99% of identity attacks as well as advanced phishing and social engineering schemes.⁴ 

For sophisticated attacks like token theft and cookie replay, have in place a machine learning-powered identity protection tool and Secure Web Gateway (SWG) to detect a wide range of risk signals that flag unusual user behavior. Then use continuous access evaluation (CAE) with token protection features to respond to risk signals in real-time and block, challenge, limit, revoke, or allow user access. For new attacks like one-time password (OTP) bots that take advantage of multifactor authentication fatigue, educate employees about common social engineering tactics and use the Microsoft Authenticator app to suppress sign-in prompts when a multifactor authentication fatigue attack is detected. Finally, for high assurance scenarios, consider using verifiable credentials—digital identity claims from authoritative sources—to quickly verify an individual’s credentials and grant least privilege access with confidence. 

Customize your policies in the Microsoft Entra admin center to mandate strong, phishing resistant authentication for any scenario, including step up authentication with Microsoft Entra Verified ID. Make sure to implement an identity protection tool like Microsoft Entra ID Protection, which now has token protection capabilities, to detect and flag risky user signals that your risk-based CAE engine can actively respond to. Lastly, secure all internet traffic, including all software as a service (SaaS) apps, with Microsoft Entra Internet Access, an identity-centric SWG that shields users against malicious internet traffic and unsafe content.  

How to get started: To quick start your defense-in-depth campaign, we’ve developed default access policies that make it easy to implement security best practices, such as requiring multifactor authentication for all users. Check out these guides on requiring phishing-resistant multifactor authentication and planning your conditional access deployment. Finally, read up on our token protection, continuous access evaluation, and multifactor authentication fatigue suppression capabilities.

Priority 4: Unify access policies across identity, endpoint, and network security

In most organizations, the identity, endpoint, and network security functions are siloed, with teams using different technologies for managing access. This is problematic because it requires conditional access changes to be made in multiple places, increasing the chance of security holes, redundancies, and inconsistent access policies between teams. Identity, endpoint, and network tools need to be integrated under one policy engine, as neither category alone can protect all access points.

By adopting a Zero Trust security model that spans identity, endpoint, and network security, you can easily manage and enforce granular access policies in one place. This helps reduce operational complexity and can eliminate gaps in policy coverage. Plus, by enforcing universal conditional access policies from a single location, your policy engine can analyze a more diverse set of signals such as network, identity, endpoint, and application conditions before granting access to any resource—without making any code changes. 

Microsoft’s Security Service Edge (SSE) solution is identity-aware and is delivering a unique innovation to the SSE category by bringing together identity, endpoint, and network security access policies. The solution includes Microsoft Entra Internet Access, an SWG for safeguarding SaaS apps and internet traffic, as well as Microsoft Entra Private Access, a Zero Trust Network Access (ZTNA) solution for securing access to all applications and resources. When you unify your network and identity access policies, it is easier to secure access and manage your organization’s conditional access lifecycle.

How to get started: Read these blogs to learn why their identity-aware designs make Microsoft Entra Internet Access and Microsoft Entra Private Access unique to the SSE category. To learn about the different use cases and scenarios, configuration prerequisites, and how to enable secure access, go to the Microsoft Entra admin center. 

Priority 5: Control identities and access for multicloud

Today, as multicloud adoption increases, it is harder than ever to gain full visibility over which identities, human or machine, have access to what resources across your various clouds.  Plus, with the massive increase in AI-driven workloads, the number of machine identities being used in multicloud environments is quickly rising, outnumbering human identities 10 to 1.⁵ Many of these identities are created with excessive permissions and little to no governance, with less than 5% of permissions granted actually used, suggesting that a vast majority of machine identities are not abiding by least privilege access principles. As a result, attackers have shifted their attention to apps, homing in on workload identities as a vulnerable new threat vector. Organizations need a unified control center for managing workload identities and permissions across all their clouds.

Securing access to your multicloud infrastructure across all identity types starts with selecting the methodology that makes sense for your organization. Zero Trust provides an excellent, customizable framework that applies just as well to workload identities as it does to human identities. You can effectively apply these principles with a cloud infrastructure entitlement management (CIEM) platform, which provides deep insights into the permissions granted across your multicloud, how they are used, and the ability to right size those permissions. Extending these controls to your machine identities will require a purpose-built tool for workload identities that uses strong credentials, conditional access policies, anomaly and risk signal monitoring, access reviews, and location restrictions.

Unifying and streamlining the management of your organization’s multicloud starts with diagnosing the health of your multicloud infrastructure with Microsoft Entra Permissions Management, which will help you discover, detect, right-size, and govern your organization’s multicloud identities. Then, using Microsoft Entra Workload ID, migrate your workload identities to managed identities where possible and apply strong Zero Trust principles and conditional access controls to them.

How to get started: Start a Microsoft Entra Permissions Management free trial to assess the state of your organization’s multicloud environment, then take the recommended actions to remediate any access right risks. Also, use Microsoft Entra Workload ID to assign conditional access policies to all of your apps, services, and machine identities based on least privilege principles.

Our commitment to continued partnership with you

It is our hope that the strategies in this blog help you form an actionable roadmap for securing access at your organization—for everyone, to everything.

But access security is not a one-way street, it is your continuous feedback that enables us to provide truly customer-centric solutions to the identity and access problems we face in 2024 and beyond.  We are grateful for the continued partnership and dialogue with you—from day-to-day interactions, to joint deployment planning, to the direct feedback that informs our strategy. As always, we remain committed to building the products and tools you need to defend your organization throughout 2024 and beyond.

Learn more about Microsoft Entra, or recap the identity at Microsoft Ignite blog.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft Digital Defense Report, Microsoft. October 2023. 

²Work Trend Index Annual Report: Will AI Fix Work? Microsoft. May 9, 2023.

³Microsoft unveils expansion of AI for security and security for AI at Microsoft Ignite, Vasu Jakkal. November 15, 2023.

⁴How effective is multifactor authentication at deterring cyberattacks? Microsoft.

⁵2023 State of Cloud Permissions Risks report now published, Alex Simons. March 28, 2023.

The post 5 ways to secure identity and access for 2024 appeared first on Microsoft Security Blog.

The increasing speed, scale, and sophistication of recent cyberattacks demand a new approach to security. Traditional tools are no longer enough to keep pace with the threats posed by cybercriminals. In just two years, the number of password attacks detected by Microsoft has risen from 579 per second to more than 4,000 per second.¹ According to Cybersecurity Ventures, the global cost of cybercrime is expected to reach $10.5 trillion by 2025, up from $3 trillion in 2015.² Many organizations use a disconnected and vast collection of fragmented security tools to manage their environment, resulting in security teams facing data deluge, alert fatigue, and limited visibility across security solutions. Security teams face an asymmetric challenge: they must protect everything, while cyberattackers only need to find one weak point. And security teams must do this while facing regulatory complexity, a global talent shortage, and rampant fragmentation.

One of the advantages for security teams is their view of the data field—they know how the infrastructure, user posture, and applications, are set up before a cyberattack begins. To further tip the scale in favor of cyberdefenders, Microsoft Security offers a very large-scale data advantage—65 trillion daily signals, expertise of global threat intelligence, monitoring more than 300 cyberthreat groups, and insights on cyberattacker behaviors from more than 1 million customers and more than 15,000 partners.¹

Our new generative AI solution—Microsoft Security Copilot—combined with our massive data advantage and end-to-end security, all built on the principles of Zero Trust, creates a flywheel of protection to change the asymmetry of the digital threat landscape and favor security teams in this new era of security.

To learn more about Microsoft Security’s vision for the future and the latest generative AI announcements and demos, watch the Microsoft Ignite keynote “The Future of Security with AI” presented by Charlie Bell, Executive Vice President, Microsoft Security, and I on Thursday, November 16, 2023, at 10:15 AM PT.  

Changing the paradigm with Microsoft Security Copilot

One of the biggest challenges in security is the lack of cybersecurity professionals. This is an urgent need given the three million unfilled positions in the field, with cyberthreats increasing in frequency and severity.³ 

In a recent study to measure the productivity impact for “new in career” analysts, participants using Security Copilot demonstrated 44 percent more accurate responses and were 26 percent faster across all tasks.⁴ 

According to the same study:

• 86 percent reported that Security Copilot helped them improve the quality of their work. 
• 83 percent stated that Security Copilot reduced the effort needed to complete the task. 
• 86 percent said that Security Copilot made them more productive. 
• 90 percent expressed their desire to use Security Copilot next time they do the same task. 

Check out the Security Copilot Early Access Program—with Microsoft Defender Threat Intelligence included at no additional charge—that adds speed and scale for scenarios like security posture management, incident investigation and response, security reporting, and more—now available to interested and qualified customers. For example, one early adopter from Willis Towers Watson (WTW) said “I envision Microsoft Security Copilot as a change accelerator. The ability to do threat hunting at pace will mean that I’m able to reduce my mean time to investigate, and the faster I can do that, the better my security posture will become.”  Keep reading for a full list of capabilities.

Introducing the industry’s first generative AI-powered unified security operations platform with built-in Copilot

Security operations teams struggle to manage disparate security toolsets from siloed technologies and apps. This challenge is only exacerbated given the scarcity of skilled security talent. And while organizations have been investing in traditional AI and machine learning to improve threat intelligence, deploying AI and machine learning comes with its unique challenges and its own shortage of data science talent. It’s time for a step-change in our industry, and thanks to generative AI, we can now close the talent gap for both security and data professionals. Securing an organization today requires an innovative approach that prevents, detects, and disrupts cyberattacks at machine speed, while delivering simplicity and and approachable, conversational experiences to help security operations center (SOC) teams move faster, and bringing together all the security signals and threat intelligence currently stuck in disconnected tools. Today, we are thrilled to announce the next major step in this industry-defining vision: combining the power of leading solutions in security information and event management (SIEM), extended detection and response (XDR), and generative AI for security into the first unified security operations platform.

By bringing together Microsoft Sentinel, Microsoft Defender XDR (previously Microsoft 365 Defender), and Microsoft Security Copilot, security analysts now have a unified incident experience that streamlines triage and provides a complete, end-to-end view of threats across the digital estate. With a single set of automation rules and playbooks enriched with generative AI, coordinating response is now easier and quicker for analysts of every level. In addition, unified hunting now gives analysts the ability to query all SIEM and XDR data in one place to uncover cyberthreats and take appropriate remediation action. Customers interested in joining the preview of the unified security operations platform should contact their account team.

Further, Microsoft Security Copilot is natively embedded into the analyst experience supporting both SIEM and XDR and equipping analysts with step-by-step guidance and automation for investigating and resolving incidents, without the reliance of data analysts. Complex tasks, such as analyzing malicious scripts or crafting Kusto Query Language (KQL) queries to hunt across data in Microsoft Sentinel and Defender XDR, can be accomplished simply by asking a question in natural language or accepting a suggestion from Security Copilot. If you need to update your chief information security officer (CISO) on an incident, you can now instantly generate a polished report that summarizes the investigation and the remediation actions that were taken to resolve it.

To keep up with the speed of cyberattackers, the unified security operations platform catches cyberthreats at machine speed and protects your organization by automatically disrupting advanced attacks. We are extending this capability to act on third-party signals, for example with SAP signals and alerts. For SIEM customers who have SAP connected, attack disruption will automatically detect financial fraud techniques and disable the native SAP and connected Microsoft Entra account to prevent the cyberattacker from transferring any funds—with no SOC intervention. The attack disruption capabilities will be further strengthened by new deception capabilities in Microsoft Defender for Endpoint—which can now automatically generate authentic-looking decoys and lures, so you can entice cyberattackers with fake, valuable assets that will deliver high-confidence, early stage signal to the SOC and trigger automatic attack disruption even faster.

Lastly, we are building on the native XDR experience by including cloud workload signals and alerts from Microsoft Defender for Cloud—a leading cloud-native application protection platform (CNAPP)—so analysts can conduct investigations that span across their multicloud infrastructure (Microsoft Azure, Amazon Web Services, and Google Cloud Platform environments) and identities, email and collaboration tools, software as a service (SaaS) apps, and multiplatform endpoints—making Microsoft Defender XDR one of the most comprehensive native XDR platforms in the industry.

Customers who operate both SIEM and XDR can add Microsoft Sentinel into their Microsoft Defender portal experience easily, with no migration required. Existing Microsoft Sentinel customers can continue using the Azure portal. The unified security operations platform is now available in private preview and will move to public preview in 2024.

Expanding Copilot for data security, identity, device management, and more 

Security is a shared responsibility across teams, yet many don’t share the same tools or data—and they often don’t collaborate with one another. We are adding new capabilities and embedded experiences of Security Copilot across the Microsoft Security portfolio as part of the Early Access Program to empower all security and IT roles to detect and address cyberthreats at machine speed. And to enable all roles to protect against top security risks and drive operational efficiency, Microsoft Security Copilot now brings together signals across Microsoft Defender, Microsoft Defender for Cloud, Microsoft Sentinel, Microsoft Intune, Microsoft Entra, and Microsoft Purview into a single pane of glass.

New capabilities in Security Copilot creating a force multiplier for security and IT teams

Microsoft Purview: Data security and compliance teams review a multitude of complex and diverse alerts spread across multiple security tools, each alert containing a wealth of rich insights. To make data protection faster, more effective, and easier, Security Copilot is now embedded in Microsoft Purview, offering summarization capabilities directly within Microsoft Purview Data Loss Prevention, Microsoft Purview Insider Risk Management, Microsoft Purview eDiscovery, and Microsoft Purview Communication Compliance workflows, making sense of profuse and diverse data, accelerating investigation and response times, and enabling analysts at all levels to complete complex tasks with AI-powered intelligence at their fingertips. Additionally, with AI translator capabilities in eDiscovery, you can use natural language to define search queries, resulting in faster and more accurate search iterations and eliminating the need to use keyword query language. These new data security capabilities are also available now in the Microsoft Security Copilot standalone experience.

Microsoft Entra: Password-based attacks have increased dramatically in the last year, and new attack techniques are now trying to circumvent multifactor authentication. To strengthen your defenses against identity compromise, Security Copilot embedded in Microsoft Entra can assist in investigating identity risks and help with troubleshooting daily identity tasks, such as why a sign-in required multifactor authentication or why a user’s risk level increased. IT administrators can instantly get a risk summary, steps to remediate, and recommended guidance for each identity at risk, in natural language. Quickly get to the root of an issue for a sign-in with a summarized report of the most relevant information and context. Additionally, in Microsoft Entra ID Governance, admins can use Security Copilot to guide in the creation of a lifecycle workflow to streamline the process of creating and issuing user credentials and access rights. These new capabilities to summarize users and groups, sign-in logs, and high-risk users are also available now in the Microsoft Security Copilot standalone experience.

Microsoft Intune: The evolving device landscape is driving IT complexity and risk of endpoint vulnerabilities—and IT administrators play a critical security role in managing these devices and protecting organizational data. We are introducing Security Copilot embedded in Microsoft Intune in the coming weeks for select customers of the Early Access Program, marking a meaningful advancement in endpoint management and security. This experience offers unprecedented visibility across security data with full device context, provides real-time guidance when creating policies, and empowers security and IT teams to discover and remediate the root cause of device issues faster and easier. Now IT administrators and security analysts are empowered to drive better and informed outcomes with pre-deployment, AI-based guard rails to help them understand the impact of policy changes in their environment before applying them. With Copilot, they can save time and reduce complexity of gathering near real-time device, user, and app data and receive AI-driven recommendations to respond to threats, incidents, and vulnerabilities, fortifying endpoint security. 

Microsoft Defender for Cloud: Maintaining a strong cloud security posture is a challenge for cybersecurity teams, as they face siloed visibility into risks and vulnerabilities across the application lifecycle, due to the rise of cloud-native development and multicloud environments. With Security Copilot now embedded in Microsoft Defender for Cloud, security admins are empowered to identify critical concerns to resources faster with guided risk exploration that summarizes risks, enriched with contextual insights such as critical vulnerabilities, sensitive data, and lateral movement. To address the uncovered critical risks more efficiently, admins can use Security Copilot in Microsoft Defender for Cloud to guide remediation efforts and streamline the implementation of recommendations by generating recommendation summaries, step-by-step remediation actions, and scripts in a preferred language, and directly delegate remediation actions to key resource users. These new cloud security capabilities are also available now in the Microsoft Security Copilot standalone experience. 

Microsoft Defender for External Attack Surface Management (EASM): Keeping up with tracking assets and their vulnerabilities can be overwhelming for security teams, as it requires time, coordination, and research to understand which assets pose a risk to the organization. New Defender for EASM capabilities are available in the Security Copilot standalone experience and enable security teams to quickly gain insights into their external attack surface, regardless of where the assets are hosted, and feel confident in the outcomes. These capabilities provide security operations teams with a snapshot view of their external attack surface, help vulnerability managers understand if their external attack surface is impacted by a particular common vulnerability and exposure (CVE), and provide visibility into vulnerable critical and high priority CVEs to help teams know how pervasive they are to their assets, so they can prioritize remediation efforts.

Custom plugins to trusted third-party tools: Security Copilot provides more robust, enriched insight and guidance when it is integrated with a broader set of security and IT teams’ tools. To do so, Security Copilot must embrace a vast ecosystem of security partners. As part of this effort, we are excited to announce the latest integration now available to Security Copilot customers with ServiceNow. For customers who want to bring onboard their trusted security tools and integrate their own organizational data and applications, we’re also introducing a new set of custom plugins that will enable them to expand the reach of Security Copilot to new data and new capabilities.

Securing the use of generative AI for safeguarding your organization

As organizations quickly adopt generative AI, it is vital to have robust security measures in place to ensure safe and responsible use. This involves understanding how generative AI is being used, protecting the data that is being used or created by generative AI, and governing the use of AI. As generative AI apps become more popular, security teams need tools that secure both the AI applications and the data they interact with. In fact, 43 percent of organizations said lack of controls to detect and mitigate risk in AI is a top concern.⁵ Different AI applications pose various levels of risk, and organizations need the ability to monitor and control these generative AI apps with varying levels of protection.

Microsoft Defender: Microsoft Defender for Cloud Apps is expanding its discovery capabilities to help organizations gain visibility into the generative AI apps in use, provide extensive protection and control to block risky generative AI apps, and apply ready-to-use customizable policies to prevent data loss in AI prompts and AI responses. This new feature supports more than 400 generative AI apps, and offers an easy way to sift through low- versus high-risk apps. 

Microsoft Purview: New capabilities in Microsoft Purview help comprehensively secure and govern data in AI, including Microsoft Copilot and non-Microsoft generative AI applications. Customers can gain visibility into AI activity, including sensitive data usage in AI prompts, comprehensive protection with ready-to-use policies to protect data in AI prompts and responses, and compliance controls to help easily meet business and regulatory requirements. Microsoft Purview capabilities are integrated with Microsoft Copilot, starting with Copilot for Microsoft 365, strengthening the data security and compliance for Copilot for Microsoft 365.

Further, to enable customers to gain a better understanding of which AI applications are being used and how, we are announcing the preview of AI hub in Microsoft Purview. Microsoft Purview can provide organizations with an aggregated view of total prompts being sent to Copilot and the sensitive information included in those prompts. Organizations can also see an aggregated view of the number of users interacting with Copilot. And we are extending these capabilities to provide insights for more than 100 of the most commonly used consumer generative AI applications, such as ChatGPT, Bard, DALL-E, and more.

Expanding end-to-end security for comprehensive protection everywhere

Keeping up with daily protection requirements is a security challenge that can’t be ignored—and the struggle to stay ahead of cyberattackers and safeguard your organization’s data is why we’ve designed our security features to evolve with the digital threat landscape and provide comprehensive protection against cyberthreats.

Strengthen your code-to-cloud defenses with Microsoft Defender for Cloud. To cope with the complexity of multicloud environments and cloud-native applications, security teams need a comprehensive strategy that enables code-to-cloud defenses on all cloud deployments. For posture management, the preview of Defender for Cloud’s integration with Microsoft Entra Permissions Management helps you apply the least privilege principle for cloud resources and shows the link between access permissions and potential vulnerabilities across Azure, AWS, and Google Cloud. Defender for Cloud also has an improved attack path analysis experience, which helps you predict and prevent complex cloud attacks—and provides more insights into your Kubernetes deployments across Amazon Elastic Kubernetes Service (EKS) and Google Kubernetes Engine (GKE) clusters and APIs insights to prioritize cloud risk remediation.

To strengthen security throughout the application lifecycle, preview of the GitLab Ultimate integration gives you a clear view of your application security posture and simplifies code-to-cloud remediation workflows across all major developer platforms—GitHub, Azure DevOps, and GitLab within Defender for Cloud. Additionally, general availability of Defender for APIs, which offers machine learning-driven protection against API threats and agentless vulnerability assessments for container images in Microsoft Azure Container Registries. Defender for Cloud now offers a unified vulnerability assessment engine spanning all cloud workloads, powered by the strong capabilities of Microsoft Defender Vulnerability Management.

Leverage Microsoft Defender Threat Intelligence for elevating your threat intelligence. Available in Microsoft Defender XDR, Microsoft Defender Threat Intelligence offers valuable open-source intelligence and internet data sets found nowhere else. These capabilities now enhance Microsoft Defender products with crucial context around threat actors, tooling, and infrastructure at no additional cost to customers. Available in the Threat Intelligence blade of Defender XDR, Detonation Intelligence enables users to search, look up, and contextualize cyberthreats as well as detonate URLs and view results to quickly understand a malicious file or URL. Defender XDR customers can quickly submit an indicator of compromise (IoC) to immediately view the results. Vulnerability Profiles put intelligence collected from the Microsoft Threat Intelligence team about vulnerabilities all in one place. Profiles are updated when new information is discovered and contains a description, Common Vulnerability Scoring System scores (CVSS), a priority score, exploits, and deep and dark web chatter observations.

Use Microsoft Purview to extend data protection capabilities across structured and unstructured data types. In the past, securing and governing sensitive data across these diverse elements of your digital estate would have required multiple providers, adding a heavy integration tax. But today, with Microsoft Purview, you can gain visibility across your entire data estate, secure your structured and unstructured data, and detect risks across clouds. Microsoft Purview’s labeling and classification capabilities are expanding beyond Microsoft 365, offering access controls for both structured and unstructured data types. Users will have the ability to discover, classify, and safeguard sensitive information hosted in structured databases such as Microsoft Azure SQL and Azure Data Lake Storage (ADLS)—also extending these capabilities into Amazon Simple Storage Service (S3) buckets.

Detect insider risk with Microsoft Purview Insider Risk Management, which offers ready-to-use risk indicators to detect critical insider risks in Azure, AWS, and SaaS applications, including Box, Dropbox, Google Drive, and GitHub. Admins with appropriate permissions will no longer need to manually cross-reference signals in these environments. They can now utilize the curated and preprocessed indicators to obtain a more holistic view of a potential insider incident.

Simplify access security with Microsoft Entra. Securing access points is critical and can be complex when using multiple providers for identity management, network security, and cloud security. With Microsoft Entra, you can centralize all your access controls together to more fully secure and protect your environment. Microsoft’s Security Service Edge solution is expanding with several new features.

• By the end of 2023, Microsoft Entra Internet Access preview will include context-aware secure web gateway (SWG) capabilities for all internet apps and resources with web content filtering, Conditional Access controls, compliant network check, and source IP restoration.
• Microsoft Entra Private Access for private apps and resources has extended protocol support so you can seamlessly transition from your traditional VPN to a modern Zero Trust Network Access (ZTNA) solution, and the ability to add multifactor authentication to all private apps for remote and on-premises users.
• Now with auto-enrollment into Microsoft Entra Conditional Access policies you can enhance security posture and reduce complexity for securing access. Easily create and manage a passkey, a free phishing-resistant credential based on open standards, in the Microsoft Authenticator app for signing into Microsoft Entra ID-managed apps.
• Promote enforcement of least-privilege access for cloud resources with new integrations for Microsoft Entra Permissions Management. Permissions Management has a new integration with ServiceNow that enables organizations to incorporate time-bound access permission requests to existing approval workflows in ServiceNow.

Unify, simplify, and delight users by the Microsoft Intune Suite. We’re adding three new solutions to the Intune Suite, available in February 2024. These solutions further unify critical endpoint management workloads in Intune to fortify device security posture, power better experiences, and simplify IT and security operations end-to-end. We will also be able to offer these solutions coupled with the existing Intune Suite capabilities to agencies and organizations of the Government Community Cloud (GCC) in March 2024.

• Microsoft Cloud PKI offers a comprehensive, cloud-based public key infrastructure and certificate management solution to simply create, deploy, and manage certificates for authentication, Wi-Fi, and VPN endpoint scenarios.
• Microsoft Intune Enterprise Application Management streamlines third-party app discovery, packaging, deployment, and updates via a secure enterprise catalog to help all workers stay current.
• Microsoft Intune Advanced Analytics extends the Intune Suite anomaly detection capabilities and provides deep device data insights as well as battery health scoring for administrators to proactively power better, more secure user experiences and productivity improvements.

Partner opportunities and news

There are several partners participating in our engineer-led Security Copilot Partner Private Preview to validate usage scenarios and provide feedback on functionality, operations, and APIs to assist with extensibility. If you are joining us in person at Microsoft Ignite, watch the demos at the Customer Meet-up Hub, presented by Microsoft Intelligent Security Association (MISA) members sponsoring at Microsoft Ignite. And if you’re a partner interested in staying current, join the Security Copilot Partner Interest Community.

Join us in creating a more secure future

Embracing innovation has never been more important for an organization, not only with respect to today’s cyberthreats but also in anticipation of those to come. Recently, to create a more secure future, we launched the Secure Future Initiative—a new initiative to pursue our next generation of cybersecurity protection.

Microsoft Ignite 2023

Join Vasu Jakkal and Charlie Bell at Microsoft Ignite to watch "the Future of Security and AI" on November 16, 2023, at 10:15 AM PT.

Watch the keynote

AI is changing our world forever. It is empowering us to achieve the impossible and it will usher in a new era of security that favors security teams. Microsoft is privileged to be a leader in this effort and committed to a vision of security for all.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (formerly known as Twitter) (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft Digital Defense Report 2023.

²Cybercrime To Cost The World $10.5 Trillion Annually By 2025, Cybercrime Magazine. November 13, 2020.

³Cybersecurity Workforce Study, ISC². 2022.

⁴Microsoft Security Copilot randomized controlled trial conducted by Microsoft Office of the Chief Economist, November 2023.

⁵Data Security Index: Trends, insights, and strategies to secure data, Microsoft.

The post Microsoft unveils expansion of AI for security and security for AI at Microsoft Ignite appeared first on Microsoft Security Blog.

Protecting identities and access is critical. As our work and lives become increasingly digital, cyberattacks are becoming more frequent and more sophisticated, affecting organizations of every size, in every industry, and in every part of the world. In the last 12 months, we saw an average of more than 4,000 password attacks per second, an almost threefold increase from the 1,287 attacks per second we saw the previous year.² We’re also seeing far more sophisticated attacks, including ones that manage to evade critical defenses, such as multifactor authentication, to steal access tokens, impersonate a rightful user, and gain access to critical data.

To help organizations protect their ever-evolving digital estates, we’ve been expanding beyond managing directories and authenticating users to securing and governing access for any identity to any app or resource. Today, we’re thrilled to announce the next milestone in our vision of making it easy to secure access with two new products: Microsoft Entra Internet Access and Microsoft Entra Private Access. We’re adding these capabilities to help organizations instill trust, not only in their digital experiences and services but in every digital interaction that powers them.

Secure access to any app or resource, from anywhere

Flexible work arrangements and the resulting increase in cloud workloads are straining traditional corporate networks and legacy network security approaches. Using VPNs to backhaul traffic to the legacy network security stack weakens security posture and damages the user experience while using siloed solutions and access policies leaves security gaps.

Microsoft Entra Internet Access is an identity-centric Secure Web Gateway that protects access to internet, software as a service (SaaS), and Microsoft 365 apps and resources. It extends Conditional Access policies with network conditions to protect against malicious internet traffic and other threats from the open internet. For Microsoft 365 environments, it enables best-in-class security and visibility, along with faster and more seamless access to Microsoft 365 apps, so you can boost productivity for any user, anywhere. Microsoft 365 scenarios in Microsoft Entra Internet Access are in preview today, and you can sign up for the preview of capabilities for all internet traffic and SaaS apps and resources that will be available later this year.

Microsoft Entra Private Access is an identity-centric Zero Trust Network Access that secures access to private apps and resources. Now any user, wherever they are, can quickly and easily connect to private apps—across hybrid and multicloud environments, private networks, and data centers—from any device and any network. Now in preview, Microsoft Entra Private Access reduces operational complexity and cost by replacing legacy VPNs and offers more granular security. You can apply Conditional Access to individual applications, and enforce multifactor authentication, device compliance, and other controls to any legacy application without changing those applications.

Together, Internet Access and Private Access, coupled with Microsoft Defender for Cloud Apps, our SaaS security-focused cloud access security broker, comprise Microsoft’s Security Service Edge (SSE) solution. We’ll continue to evolve our SSE solution as an open platform that delivers the flexibility of choice between solutions from Microsoft and our partners. Pricing for Microsoft Entra Internet Access and Microsoft Entra Private Access will be available when those products reach general availability.

Figure 1. Microsoft’s Security Service Edge (SSE) solution.

Neither identity nor network security alone can protect the breadth of access points and scenarios that modern organizations require. That’s why, as cyberattacks get more sophisticated, we’re adding identity-centric network access to our cloud identity solutions. We’re converging controls for identity and network access so you can create unified Conditional Access policies that extend all protections and governance to all identities and resources. With a single place to safeguard and verify identities, manage permissions, and enforce intelligent access policies, protecting your digital estate has never been easier.

Microsoft Azure Active Directory is becoming Microsoft Entra ID

When we introduced Microsoft Entra in May of 2022, it included three products: Microsoft Azure Active Directory (Azure AD), Microsoft Entra Permissions Management, and Microsoft Entra Verified ID.¹ We later expanded the Microsoft Entra family with Microsoft Entra ID Governance and Microsoft Entra Workload ID.³ Today, Microsoft Entra protects any identity and secures access to any resource—on-premises, across clouds, and anywhere in between—with a product family that unifies multicloud identity and network access solutions.

To simplify our product naming and unify our product family, we’re changing the name of Azure AD to Microsoft Entra ID. Capabilities and licensing plans, sign-in URLs, and APIs remain unchanged, and all existing deployments, configurations, and integrations will continue to work as before. Starting today, you’ll see notifications in the administrator portal, on our websites, in documentation, and in other places where you may interact with Azure AD. We’ll complete the name change from Azure AD to Microsoft Entra ID by the end of 2023. No action is needed from you.

Figure 2. With the name change to Microsoft Entra ID, the standalone license names are changing. Azure AD Free becomes Microsoft Entra ID Free. Azure AD Premium P1 becomes Microsoft Entra ID P1. Azure AD Premium P2 becomes Microsoft Entra ID P2. And our product for customer identities, Azure AD External Identities, becomes Microsoft Entra External ID. SKU and service plan name changes take effect on October 1, 2023.

More innovations in Microsoft Entra

Today we’d also like to highlight other innovations in the Microsoft Entra portfolio that strengthen defenses against attackers who are becoming more adept at exploiting identity-related vulnerabilities such as weak credentials, misconfigurations, and excessive access permissions.

Prevent identity takeover in real time

Several exciting changes to Microsoft Entra ID Protection (currently Azure AD Identity Protection) help IT and identity practitioners prevent account compromise. Instead of reactively revoking access based on stale data, ID Protection uses the power of advanced machine learning to identify sign-in anomalies and anomalous user behavior and then block, challenge, or limit access in real time. For example, it may trigger a risk-based Conditional Access policy that requires high-assurance and phishing-resistant authentication methods for accessing sensitive resources.

A new dashboard demonstrates the impact of the identity protections that organizations deploy with a comprehensive snapshot of prevented identity attacks and the most common attack patterns. On the dashboard, you can view simple metric cards and attack graphs that show risk origins, security posture over time, types of current attacks, as well as recommendations based on risk exposure, while highlighting the business impact of enforced controls. With these insights, you can further investigate your organization’s security posture in additional tools and applications for enhanced recommendations.

Figure 3. New Microsoft Entra ID Protection dashboard.

Automate access governance

An important part of securing access for any identity to any app is ensuring that only the right identities have the right access at the right time. Some organizations only realize they need to take this approach when they fail a security audit. Microsoft Entra ID Governance, now generally available, is a complete identity governance solution that helps you comply with organizational and regulatory security requirements while increasing employee productivity through real-time, self-service, and workflow-based app entitlements.⁴

ID Governance automates the employee identity lifecycle to reduce manual work for IT and provides machine learning-based insights about identities and app entitlements. Because it’s cloud-delivered, it scales to complex cloud and hybrid environments, unlike traditional on-premises identity governance point solutions. It supports cloud and on-premises apps from any provider, as well as custom-built apps hosted in the public cloud or on-premises. Our global system integrator partners—including Edgile, a Wipro company, EY, KPMG, and PwC—started helping with the planning and deployment of ID Governance on July 1, 2023.

Figure 4. New Microsoft Entra ID Governance dashboard.

Personalize and secure access to any application for customers and partners

As we announced at Microsoft Build 2023, new developer-centric capabilities in Microsoft Entra External ID are now in preview. External ID is an integrated identity solution for external users, including customers, patients, citizens, guests, partners, and suppliers. It offers rich customization options, Conditional Access, identity protection, and support for social identity providers. Using our comprehensive developer tools, even those developers who have little to no identity experience can create personalized sign-in and sign-up experiences for their applications within minutes.

Simplify identity verification with Microsoft Entra Verified ID

Since we announced the general availability of Microsoft Entra Verified ID last summer, organizations around the world have been reinventing business processes, such as new employee onboarding, around this new, simpler way of verifying someone’s identity.⁵ For example, we recently announced that millions of LinkedIn members will be able to verify their place of work using a Verified ID credential.⁶ At the 2023 Microsoft Build event, we launched the Microsoft Entra Verified ID SDK so that developers can quickly add a secure digital wallet to any mobile application. The app can then store and verify a wide range of digital ID cards.

Microsoft Entra: Secure access for a connected world

You can see our expanded Microsoft Entra product family in Figure 5. Visit the Microsoft Entra website to learn more.

Figure 5. The Microsoft Entra family of identity and network access products.

We’re committed to building a more secure world for all and making life harder for threat actors, easier for admins, and more secure for every user. As part of that commitment, we’ll keep expanding Microsoft Entra to provide the broadest possible coverage along with a flexible and agile model where people, organizations, apps, and even smart things can confidently make real-time access decisions.

Encourage your technical teams to dive deeper into these announcements by attending the Tech Accelerator event on July 20, 2023, on the Microsoft Tech Community.

Microsoft Entra

Meet the family of multicloud identity and access products.

Learn more

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Secure access for a connected world—meet Microsoft Entra, Joy Chik and Vasu Jakkal. May 31, 2022.

²Microsoft internal data.

³Do more with less—Discover the latest Microsoft Entra innovations, Joy Chik. October 19, 2022.

⁴Microsoft Entra ID Governance is generally available, Joseph Dadzie. June 7, 2023.

⁵Microsoft Entra Verified ID now generally available, Ankur Patel. August 8, 2022.

⁶LinkedIn and Microsoft Entra introduce a new way to verify your workplace, Joy Chik. April 12, 2023.

The post Microsoft Entra expands into Security Service Edge and Azure AD becomes Microsoft Entra ID appeared first on Microsoft Security Blog.