Microsoft Entra Verified ID News and Insights | Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/products/microsoft-entra-verified-id/
Expert coverage of cybersecurity topics. Feed last updated Tue, 19 Nov 2024 20:19:41 +0000.

Simplified Zero Trust security with the Microsoft Entra Suite and unified security operations platform, now generally available
http://approjects.co.za/?big=en-us/security/blog/2024/07/11/simplified-zero-trust-security-with-the-microsoft-entra-suite-and-unified-security-operations-platform-now-generally-available/
Thu, 11 Jul 2024 16:00:00 +0000

Microsoft is announcing the Microsoft Entra Suite and the unified security operations platform, two innovations that simplify the implementation of your Zero Trust security strategy.

The post Simplified Zero Trust security with the Microsoft Entra Suite and unified security operations platform, now generally available appeared first on Microsoft Security Blog.

We’re announcing new capabilities to help accelerate your transition to a Zero Trust security model with the general availability of the Microsoft Entra Suite, the industry’s most comprehensive secure access solution for the workforce, and the general availability of Microsoft Sentinel within the Microsoft unified security operations platform, which delivers unified threat protection and posture management. These innovations make it easier to secure access, identify and close critical security gaps, detect cyberthreats, reduce response times, and streamline operations.



The extraordinary advancements in technology that make our work lives easier and more flexible also create opportunities for bad actors seeking more effective ways to launch cyberattacks. A Zero Trust strategy is vital for helping keep your organization safe in an era when cyberattacks against passwords, networks, and applications continue to increase. According to Gartner®, “AI enhancement can provide malicious code, and facilitate phishing and social engineering, which enables better intrusion, increased credibility, and more damaging attacks.”1

A proactive Zero Trust security strategy unifies defenses across identities, endpoints, networks, applications, data, and infrastructure with comprehensive security policies, pervasive threat protection, and governance. While individual tools are typically used to fulfill requirements across each Zero Trust pillar, a truly comprehensive strategy connects them together through a centralized access policy engine and integrated threat protection. This delivers defense-in-depth cybersecurity across your on-premises, hybrid, and multicloud environments.

Buying individual solutions and building truly comprehensive architecture from scratch is a herculean effort for most organizations. We’ve designed our security offering from the ground up to enable Zero Trust—delivering built-in integrations with unified policies, controls, and automation to accelerate your implementation and strengthen your security posture.

These announcements further simplify the implementation of a Zero Trust architecture across the full lifecycle from prevention to detection and response. The Microsoft Entra Suite enables organizations to converge policies across identities, endpoints, and private and public networks with a unified access policy engine. Our unified security operations platform brings together all the security signals your environment generates, then normalizes, analyzes, and uses them to proactively defend against cyberthreats.

The Microsoft Entra Suite

Given that 66% of digital attack paths involve insecure identity credentials, the Microsoft Entra Suite plays a critical role in preventing security breaches.2


Implemented alone, neither identity nor network security can address all possible access scenarios. The Microsoft Entra Suite unifies identity and network access security—a novel and necessary approach for Zero Trust security. It provides everything you need to verify users, prevent overprivileged permissions, improve detections, and enforce granular access controls for all users and resources. Its native integration facilitates collaboration between identity and network teams. It also reduces your IT administrators’ workload, because they can easily manage and enforce granular identity and network access policies in one place. In addition, Microsoft Entra skills in Microsoft Copilot for Security help identity professionals respond more quickly to identity risks.


The Microsoft Entra Suite can help you do the following:

Unify Conditional Access policies for identities and networks. Security teams only have to manage one set of policies in one portal to configure access controls for both identities and networks. Now they can extend Zero Trust access policies to any application, whether it’s in the cloud, on-premises, or even to the open internet. Conditional Access evaluates any access request, no matter where it’s coming from, performing real-time risk assessment to strengthen protection against unauthorized access. And because the access policy engine is unified, identity and network teams can be confident that they protect every access point without leaving gaps that often exist between disparate solutions.  

Ensure least privilege access for all users accessing all resources and apps, including AI. Identity professionals can automate the access lifecycle from the day a new employee joins their organization, through all their role changes, until the time of their exit. No matter how long or multifaceted an employee’s journey, Microsoft Entra ID Governance ensures they have the right access to just the applications and resources they need, which helps prevent a cyberattacker’s lateral movement in case of a breach. Identity professionals and business leaders have an additional layer of access control with regular, machine learning-powered access reviews to recertify access needs, ensure compliance with internal policies, and remove unnecessary permissions based on machine learning-powered insights that help reduce reviewer fatigue.  


Improve the user experience for both in-office and remote workers. Employees enjoy a faster and easier onboarding experience, faster and more secure sign-in through passwordless authentication, single sign-on for all applications, and superior performance. They can use a self-service portal to request access to relevant packages, manage approvals and access reviews, and view request and approval history. Face Check with Microsoft Entra Verified ID enables real-time verification of a user’s identity, which streamlines remote onboarding and self-service recovery of passwordless accounts.

Reduce the complexity and cost of managing security tools from multiple vendors. Since traditional on-premises security solutions don’t scale to the needs of modern cloud-first, AI-first environments, organizations are seeking ways to secure and manage their assets from the cloud. With the Microsoft Entra Suite, they can retire multiple on-premises security tools, such as traditional VPNs, on-premises Secure Web Gateway, and on-premises identity governance.

Microsoft Sentinel is generally available in Microsoft’s unified security operations platform

A complete Zero Trust architecture provides effective prevention, detection, investigation, and response to cyberthreats across every layer of your digital estate. Because threat actors constantly pivot, no defense is ever absolute. That’s why taking an “assume breach” stance by continuously re-verifying every action while monitoring for new risks and threats is a Zero Trust principle.

According to our research, organizations use as many as 80 individual tools in their security portfolio. For many, this means having to manually manage integration between their security information and event management (SIEM); security orchestration, automation, and response (SOAR); extended detection and response (XDR); posture and exposure management; cloud security; and threat intelligence.

We’ve been on a journey to unify these tools over the last few years and are excited to take the next step by bringing Microsoft Sentinel into the Microsoft Defender portal, which is now generally available. Microsoft Sentinel customers on the commercial cloud with at least one Microsoft Defender XDR workload deployed can now:

  • Onboard a single workspace into the Defender portal.
  • Have unified incidents and unified hunting with Microsoft Defender XDR, streamlining their investigations and reducing context switching.
  • Take advantage of Microsoft Copilot for Security for incident summaries and reports, guided investigation, auto-generated Microsoft Teams messages, code analysis, and more.
  • Extend attack disruption beyond Defender XDR workloads to other critical apps—starting with SAP.
  • Get tailored, post-incident recommendations on preventing similar or repeat cyberattacks that tie directly into the Microsoft Security Exposure Management initiatives to automatically improve readiness scores as actions are completed.

Microsoft Sentinel customers can adopt the new experience easily while continuing to use the classic experience in Microsoft Azure if needed. It’s never been easier to add SIEM capabilities like connectors to hundreds of data sources, and extended retention or additional compliance capabilities to your existing Microsoft Defender XDR environment.


Some more details of the unified security operations platform include:

Automatically disrupt hands-on-keyboard cyberattacks with attack disruption. This out-of-the-box capability is powered by AI and machine learning to detect and stop the progression of advanced cyberattacks being conducted by well-resourced and sophisticated threat actors. Attack disruption stops the progress of human-operated ransomware, business email compromise, adversary-in-the-middle, and malicious use of OAuth apps in real time with 99% confidence, giving your security team a chance to complete their investigation and remediation under less pressure. By combining native and third-party signals from Defender XDR and Microsoft Sentinel, attack disruption has expanded to stop even more attacks in critical apps, such as SAP.

Analyze attack paths and reduce exposure. Threat actors don’t think in lists; they think in graphs. Attack path management helps your security teams visualize how a cyberattacker could exploit vulnerabilities to move laterally across exposed assets in your environment. It provides guided recommendations on how to reduce exposure and helps them prioritize actions based on each exposure’s potential impact.

Attack disruption can stop prominent cyberattacks such as ransomware in just three minutes.3

Detect and investigate faster with more accuracy. Bringing together the depth of XDR signal from Defender and the flexibility of log sources from Microsoft Sentinel delivers an improved signal-to-noise ratio and enhanced alert correlation. Cyberattack timelines are automatically and fully correlated into a single incident, allowing analysts to respond to breaches faster with a more comprehensive view of the attack. The unification of SIEM and XDR has delivered to our customers, on average, 50% faster correlation among XDR, log data, custom detections, and threat intelligence—with 99% accuracy.3

Improved threat hunting experience. With a single experience for data querying, analysts don’t have to remember where data is available or jump across portals. Customers have found significant benefit in their ability to proactively search through data for an indicator of compromise. Embedded Microsoft Copilot for Security acts across SIEM and XDR data to further accelerate the work of security analysts with skills such as guided response or natural language to Kusto Query Language (KQL) translation.

“Our team has greatly benefited from the unified threat hunting experience provided by the platform. The integration of various data sources, including those from third-party providers through Microsoft Sentinel, has significantly enhanced our incident response capabilities. This has allowed us to expand on our threat hunting and custom detection possibilities.”

—DOW

Get started now: Commercial cloud users of Microsoft Sentinel with at least one Defender XDR workload deployed can onboard a single workspace into the Defender portal through a simple wizard, available on the home screen at security.microsoft.com. After the workspace is onboarded, customers can use the unified security operations platform for SIEM and XDR, while retaining access to their Microsoft Sentinel experience in the Azure portal.

“The biggest benefit of the unified security operations platform has been the ability to combine data in Defender XDR with logs from third-party security tools. Another advantage has been to eliminate the need to switch between Defender XDR and Microsoft Sentinel portals. We now have a single pane of glass, which the team has been wanting for some years.”

—Robel Kidane, Group Information Security Manager, Renishaw plc

Simplifying implementation of your Zero Trust architecture

By incorporating the principles of Zero Trust—verify explicitly, use least privileged access, and assume breach—the Microsoft Entra Suite and the Microsoft unified security operations platform help leaders and stakeholders for security operations, identity, IT, and network infrastructure understand their organization’s overall Zero Trust posture. They verify explicitly by ensuring continuous authentication and authorization of all access requests. They enforce least privileged access by granting only the minimal level of access necessary for users to perform their tasks, thereby reducing attack surfaces. Additionally, they assume breach by continuously monitoring and analyzing activities to identify and respond to cyberthreats proactively.

We encourage you to watch the Zero Trust spotlight on demand, in which Microsoft experts and thought leaders dive deeper into these and other announcements, including the general availability of Microsoft Entra Internet Access and Microsoft Entra Private Access, which are part of the Microsoft Entra Suite.

Learn more about the Microsoft Entra Suite

Learn more about the unified security operations platform

Learn more about Zero Trust

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1Gartner Survey Shows AI-Enhanced Malicious Attacks Are a New Top Emerging Risk for Enterprises, Gartner press release. May 22, 2024. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

2State of Multicloud Risk Report, Microsoft. 2024.

3Microsoft Internal Research. June 2024.

Microsoft Entra Verified ID introduces Face Check in preview
http://approjects.co.za/?big=en-us/security/blog/2024/02/06/microsoft-entra-verified-id-introduces-face-check-in-preview/
Tue, 06 Feb 2024 17:00:00 +0000

Face Check is now in preview in Microsoft Entra Verified ID, unlocking high-assurance verifications for enterprises securely, simply, and at scale.

Today, I’m thrilled to announce the expansion of Microsoft Entra Verified ID to include Face Check—a privacy-respecting facial matching feature for high-assurance verifications, which is now in preview. Watch the video to learn more and read on for how you can get started today.


Verified ID: Verify once, use everywhere

In our everyday lives, we use identity documents like driver’s licenses or passports as convenient and secure ways to prove our identity. Until now, we have not had a good digital equivalent. Microsoft Entra Verified ID provides a secure and easy-to-use experience for digitally verifying many aspects of our identity, such as education, skills, and workplace affiliation. As fraud skyrockets for businesses and consumers, and fraud tactics become increasingly complex—especially with advancements in generative AI—identity verification has never been more important.

Microsoft Entra Verified ID is based on open standards, enabling organizations to verify the widest variety of credentials using a simple API. Verified ID integrates with some of the leading verification partners to verify identity attributes for individuals (for example, a driver’s license and a liveness match) across 192 countries. Today, hundreds of organizations rely on Verified ID to remotely onboard new users as well as reduce fraud when providing self-service recovery. For example, Skype has reduced fraudulent cases of registering Skype Phone Numbers in Japan by 90% by implementing Verified ID. Elsewhere, enterprises are issuing Verified Employee Credentials to enable employees to verify their employment status with LinkedIn as well as for business-to-business collaboration.

Learn more about how Verified ID works and how organizations are using it today in our whitepaper.

Introducing Face Check with Verified ID: Unlocking high-assurance verifications at scale

Face Check, powered by Azure AI services, adds a critical layer of trust by matching a user’s real-time selfie against the photo from their identity document (such as a passport or driver’s license). By sharing only the match result and not any sensitive identity data, Face Check preserves user privacy while allowing organizations to be sure the person claiming an identity really is that person.

Many organizations are evaluating Face Check as part of the preview. BEMO, a leader in help desk services for cybersecurity operations, uses Face Check to quickly verify the identity of an employee and reduce the risk of impersonation. “The liability of granting admin [role] access to the wrong person is high, so Face Check provides an extra layer of insurance. In the past we had to trade off between increasing risk of fraudulent access or increased compliance risk by collecting personally identifiable information in an ad hoc manner. Now we can verify the identity of an employee instantly and with high confidence, without trading off between security and compliance.” More than a hundred of BEMO’s business customers have already implemented Face Check.

Visit our frequently asked questions to learn more. If you are ready to implement Face Check with Verified ID for your organization, see the steps below to get started. 

Mobile screenshots showing the self-service high-assurance helpdesk flow in Face Check.

Get started with Face Check in Verified ID

If you are ready to implement Verified ID for your organization, here are the steps to get started.

Total time: 5 minutes

1. Follow this tutorial to create a Face Check-ready Verified Workplace Credential.

Time: 1 minute


2. Configure who can request a Verified ID by selecting all users or specific groups of users.

Time: 3 minutes


3. Users sign in to http://myaccount.microsoft.com and use the new option under their profile to get their Verified ID (the photo is taken from their Microsoft 365 profile). They then use Microsoft Authenticator to receive their Face Check-ready Verified ID. It’s that easy!

Time: 1 minute


How Face Check enables high-assurance verification

Apps can make a simple API request for users to perform a Face Check against a Verified Employee credential, a state-issued government ID, or a custom digital credential that carries a trusted photo. For example, businesses can enable a wide variety of self-service scenarios, including activating a passkey or resetting a password. A help desk service for a business can request a Face Check against a Verified Employee credential to verify the caller’s identity quickly and securely. To reduce compliance risk, apps receive only a confidence score for the match against the photo from the requested credential, without gaining access to the liveness data.

Microsoft Entra Verified ID developer docs has a reference for a presentation request sample with Face Check.

Code tutorial for developers to integrate Face Check.
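As an added example (not code from the post or from Microsoft’s samples), here is the verifier side of that API pattern in Python: building a presentation request that asks for a Face Check against a Verified Employee credential, and a callback handler that authenticates the callback, binds it to the session that started it, and applies the confidence threshold server-side. The request and callback field names follow the Verified ID Request Service reference as I understand it, and the DIDs, URLs, API key and callback payload are all constructed; treat every name here as an assumption to confirm against the developer docs.

```python
"""Face Check presentation flow with Microsoft Entra Verified ID.

Added example, not code from the post or from Microsoft. Field names follow
the Request Service API (createPresentationRequest and its callback) as the
author understands it: assumptions, to be checked against the docs. Every
value below (DIDs, URLs, API key, callback payload) is constructed.
"""
import hmac
import secrets

# Hypothetical deployment values (assumptions, not taken from the post).
VERIFIER_AUTHORITY = "did:web:verifier.example.com"
TRUSTED_ISSUER = "did:web:issuer.example.com"
CALLBACK_URL = "https://verifier.example.com/api/verifiedid/callback"
CALLBACK_API_KEY = "constructed-callback-key-change-me"
MATCH_THRESHOLD = 70  # minimum acceptable Face Check confidence score


def new_state() -> str:
    """Opaque per-request nonce that binds the callback to one session."""
    return secrets.token_urlsafe(32)


def build_presentation_request(state: str) -> dict:
    """Body for POST .../v1.0/verifiableCredentials/createPresentationRequest.

    The faceCheck block asks the wallet to match a live selfie against the
    photo claim carried in the credential. The verifier only receives a
    match score; the selfie and liveness data never reach it.
    """
    return {
        "includeReceipt": False,
        "authority": VERIFIER_AUTHORITY,
        "registration": {"clientName": "Example help desk"},
        "callback": {
            "url": CALLBACK_URL,
            "state": state,
            "headers": {"api-key": CALLBACK_API_KEY},
        },
        "requestedCredentials": [{
            "type": "VerifiedEmployee",
            "acceptedIssuers": [TRUSTED_ISSUER],
            "configuration": {"validation": {
                "allowRevoked": False,
                "validateLinkedDomain": True,
                "faceCheck": {
                    "sourcePhotoClaimName": "photo",
                    "matchConfidenceThreshold": MATCH_THRESHOLD,
                },
            }},
        }],
    }


def evaluate_callback(headers: dict, body: dict, expected_state: str) -> dict:
    """Decide whether a Request Service callback proves the user's identity.

    The service posts a callback for every status change, so the handler
    must authenticate the caller (api-key), bind the callback to the session
    it belongs to (state), accept only a completed presentation, and re-apply
    the confidence threshold itself rather than trust any client-side check.
    """
    if not hmac.compare_digest(headers.get("api-key", ""), CALLBACK_API_KEY):
        return {"verified": False, "reason": "callback not authenticated"}
    if not hmac.compare_digest(body.get("state", ""), expected_state):
        return {"verified": False, "reason": "state does not match this session"}
    if body.get("requestStatus") != "presentation_verified":
        return {"verified": False, "reason": f"status {body.get('requestStatus')!r}"}

    for cred in body.get("verifiedCredentialsData", []):
        if cred.get("issuer") != TRUSTED_ISSUER:
            continue  # ignore credentials from issuers we did not ask for
        if cred.get("credentialState", {}).get("revocationStatus") != "VALID":
            return {"verified": False, "reason": "credential revoked or unknown"}
        score = cred.get("faceCheck", {}).get("matchConfidenceScore")
        if score is None or score < MATCH_THRESHOLD:
            return {"verified": False, "reason": f"face match score {score} below threshold"}
        return {"verified": True, "score": score, "claims": cred.get("claims", {})}
    return {"verified": False, "reason": "no credential from a trusted issuer"}


# Constructed callback payload in the shape the service posts after a
# successful presentation (assumption; not captured from a real tenant).
SAMPLE_STATE = "c2FtcGxlLXN0YXRl"
SAMPLE_CALLBACK = {
    "requestId": "6c2c1c8a-0000-4000-8000-000000000000",
    "requestStatus": "presentation_verified",
    "state": SAMPLE_STATE,
    "subject": "did:ion:EiConstructedSubject",
    "verifiedCredentialsData": [{
        "issuer": TRUSTED_ISSUER,
        "type": ["VerifiableCredential", "VerifiedEmployee"],
        "claims": {"displayName": "Avery Example", "jobTitle": "Engineer"},
        "credentialState": {"revocationStatus": "VALID"},
        "domainValidation": {"url": "https://issuer.example.com/"},
        "faceCheck": {"matchConfidenceScore": 87.52},
    }],
}


def demo() -> dict:
    """Run the happy path end to end on the constructed payload."""
    return evaluate_callback({"api-key": CALLBACK_API_KEY}, SAMPLE_CALLBACK, SAMPLE_STATE)
```

Two checks matter beyond the score itself: the `api-key` header is the only thing that proves the POST came from the Request Service rather than from anyone who learned your callback URL, and the `state` value ties the result to the browser session that initiated the request, so one user’s successful Face Check cannot be replayed into another user’s password reset.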

What’s next for Verified ID?

Today, businesses can verify a wide variety of identity attributes, such as employment, education or government-issued ID (with partners like LexisNexis® Risk Solutions, Au10tix, and IDEMIA). Now with Face Check, businesses can be confident that the person presenting these credentials is indeed the right person to whom these credentials were issued. Next, we are extending this API pattern to verify other identity attributes that businesses care about, including verified work history and legal entity verification in partnership with Dun & Bradstreet (DNB), LexisNexis® Risk Solutions, and IDEMIA. Stay tuned for more details on this program in coming weeks.

Join us online at Microsoft Secure on March 13, 2024, to learn about Microsoft Entra innovations that redefine how to think about secure access for any identity to any resource, from anywhere.

Learn more

Learn more about Microsoft Entra Verified ID.


5 ways to secure identity and access for 2024
http://approjects.co.za/?big=en-us/security/blog/2024/01/10/5-ways-to-secure-identity-and-access-for-2024/
Wed, 10 Jan 2024 17:00:00 +0000

To confidently secure identity and access at your organization, here are five areas Microsoft recommends prioritizing in the new year.

The security landscape is changing fast. In 2023, we saw a record-high 30 billion attempted password attacks per month, a 35% increase in demand for cybersecurity experts, and a 23% annual rise in cases processed by the Microsoft Security Response Center and Security Operations Center teams.1 This increase is due in part to the rise of generative AI and large language models, which bring new opportunities and challenges for security professionals while affecting what we must do to secure access effectively.  

Generative AI will empower individuals and organizations to increase productivity and accelerate their work, but these tools can also be susceptible to internal and external risk. Attackers are already using AI to launch, scale, and even automate new and sophisticated cyberattacks, all without writing a single line of code. Machine learning demands have increased as well, leading to an abundance of workload identities across corporate multicloud environments. This makes it more complex for identity and access professionals to secure, permission, and track a growing set of human and machine identities.

Adopting a comprehensive defense-in-depth strategy that spans identity, endpoint, and network can help your organization be better prepared for the opportunities and challenges we face in 2024 and beyond. To confidently secure identity and access at your organization, here are five areas worth prioritizing in the new year:

  1. Empower your workforce with Microsoft Security Copilot.
  2. Enforce least privilege access everywhere, including AI apps.
  3. Get prepared for more sophisticated attacks.
  4. Unify access policies across identity, endpoint, and network security.
  5. Control identities and access for multicloud.

Our recommendations come from serving thousands of customers, collaborating with the industry, and continuously protecting the digital economy from a rapidly evolving threat landscape.


Priority 1: Empower your workforce with Microsoft Security Copilot

This year generative AI will become deeply infused into cybersecurity solutions and play a critical role in securing access. Identities, both human and machine, are multiplying at a faster rate than ever—as are identity-based attacks. Sifting through sign-in logs to investigate or remediate identity risks does not scale to the realities of cybersecurity talent shortages when there are more than 4,000 identity attacks per second.1 To stay ahead of malicious actors, identity professionals need all the help they can get. Here’s where Microsoft Security Copilot can make a big difference at your organization and help cut through today’s noisy security landscape. Generative AI can meaningfully augment the talent and ingenuity of your identity experts with automations that work at machine-speed and intelligence.

Based on the latest Work Trend Index, business leaders are empowering workers with AI to increase productivity and help employees with repetitive and low value tasks.2 Early adopters of Microsoft Security Copilot, our AI companion for cybersecurity teams, have seen a 44% increase in efficiency and 86% increase in quality of work.3 Identity teams can use natural language prompts in Copilot to reduce time spent on common tasks, such as troubleshooting sign-ins and minimizing gaps in identity lifecycle workflows. It can also strengthen and uplevel expertise in the team with more advanced capabilities like investigating users and sign-ins associated with security incidents while taking immediate corrective action. 

To get the most out of your AI investments, identity teams will need to build a consistent habit of using their AI companions. Once your workforce becomes comfortable using these tools, it is time to start building a company prompt library that outlines the specific queries commonly used for various company tasks, projects, and business processes. This will equip all current and future workers with an index of shortcuts that they can use to be productive immediately.

How to get started: Check out this Microsoft Learn training on the fundamentals of generative AI, and subscribe for updates on Microsoft Security Copilot to be the first to hear about new product innovations, the latest generative AI tips, and upcoming events.

Priority 2: Enforce least privilege access everywhere, including AI apps

One of the most common questions we hear is how to secure access to AI apps—especially those in corporate (sanctioned) and third-party (unsanctioned) environments. Insider risks like data leakage or data poisoning can lead to tainted large language models, confidential data being shared in apps that are not monitored, or the creation of rogue user accounts that are easily compromised. The consequences of excessively permissioned users are especially damaging within sanctioned AI apps, where users who are incorrectly permissioned can quickly gain access to and manipulate company data that was never meant for them.

Ultimately, organizations must secure their AI applications with the same identity and access governance rules they apply to the rest of their corporate resources. This can be done with an identity governance solution, which lets you define and roll out granular access policies for all your users and company resources, including the generative AI apps your organization decides to adopt. As a result, only the right people will have the right level of access to the right resources. The access lifecycle can be automated at scale through controls like identity verification, entitlement management, lifecycle workflows, access requests, reviews, and expirations. 

To enforce least privilege access, make sure that all sanctioned apps and services, including generative AI apps, are managed by your identity and access solution. Then, define or update your access policies with a tool like Microsoft Entra ID Governance that controls who, when, why, and how long users retain access to company resources. Use lifecycle workflows to automate user access policies so that any time a user’s status changes, they still maintain the correct level of access. Where applicable, extend custom governance rules and user experiences to any customer, vendor, contractor, or partner by integrating Microsoft Entra External ID, a customer identity and access management (CIAM) solution. For high-risk actions, require proof of identity in real-time using Microsoft Entra Verified ID. Microsoft Security Copilot also comes with built-in governance policies, tailored specifically for generative AI applications, to prevent misuse.

How to get started: Read the guide to securely govern AI and other business-critical applications in your environment. Make sure your governance strategy abides by least privilege access principles.

Priority 3: Get prepared for more sophisticated attacks

Not only are known attacks like password spray increasing in intensity, speed, and scale, but new attack techniques are being developed rapidly that pose a serious threat to unprepared teams. Multifactor authentication adds a layer of security, but cybercriminals can still find ways around it. More sophisticated attacks like token theft, cookie replay, and AI-powered phishing campaigns are also becoming more prevalent. Identity teams need to adapt to a new cyberthreat landscape where bad actors can automate the full lifecycle of a threat campaign—all without writing a single line of code.

To stay safe in today’s relentless identity threat landscape, we recommend taking a multi-layered approach. Start by implementing phishing-resistant multifactor authentication that is based on cryptography or biometrics such as Windows Hello, FIDO2 security keys, certificate-based authentication, and passkeys (both roaming and device-bound). These methods can help you combat more than 99% of identity attacks as well as advanced phishing and social engineering schemes.4 

For sophisticated attacks like token theft and cookie replay, have in place a machine learning-powered identity protection tool and Secure Web Gateway (SWG) to detect a wide range of risk signals that flag unusual user behavior. Then use continuous access evaluation (CAE) with token protection features to respond to risk signals in real-time and block, challenge, limit, revoke, or allow user access. For new attacks like one-time password (OTP) bots that take advantage of multifactor authentication fatigue, educate employees about common social engineering tactics and use the Microsoft Authenticator app to suppress sign-in prompts when a multifactor authentication fatigue attack is detected. Finally, for high assurance scenarios, consider using verifiable credentials—digital identity claims from authoritative sources—to quickly verify an individual’s credentials and grant least privilege access with confidence. 

Customize your policies in the Microsoft Entra admin center to mandate strong, phishing-resistant authentication for any scenario, including step-up authentication with Microsoft Entra Verified ID. Make sure to implement an identity protection tool like Microsoft Entra ID Protection, which now has token protection capabilities, to detect and flag risky user signals that your risk-based CAE engine can actively respond to. Lastly, secure all internet traffic, including all software as a service (SaaS) apps, with Microsoft Entra Internet Access, an identity-centric SWG that shields users against malicious internet traffic and unsafe content.

How to get started: To quick-start your defense-in-depth campaign, we’ve developed default access policies that make it easy to implement security best practices, such as requiring multifactor authentication for all users. Check out these guides on requiring phishing-resistant multifactor authentication and planning your conditional access deployment. Finally, read up on our token protection, continuous access evaluation, and multifactor authentication fatigue suppression capabilities.
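The recommendation above is to mandate phishing-resistant authentication for all users rather than classic multifactor authentication. The following is an added example, not code from this post or from Microsoft, that audits Conditional Access policies (plain dicts in the Microsoft Graph conditionalAccessPolicy shape) for that baseline; the three sample policies are constructed here, and the only external identifier used is the built-in "Phishing-resistant MFA" authentication strength ID.

```python
"""Offline audit of Microsoft Entra Conditional Access policies for phishing-resistant MFA.

Added example (not code from the blog post). Policies are plain dicts in the
Microsoft Graph conditionalAccessPolicy shape, so an admin-center export can be
loaded with json.load(); the three sample policies below are constructed here.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Built-in authentication strength "Phishing-resistant MFA" (FIDO2 keys, Windows
# Hello for Business, certificate-based authentication, device-bound passkeys).
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"


@dataclass
class Finding:
    policy: str
    enforces_phishing_resistant: bool = False
    reasons: List[str] = field(default_factory=list)


def audit_policy(policy: dict) -> Finding:
    """Decide whether one policy really mandates phishing-resistant MFA for everyone."""
    finding = Finding(policy=policy.get("displayName", "<unnamed>"))
    reasons = finding.reasons
    conditions = policy.get("conditions") or {}
    users = conditions.get("users") or {}
    apps = conditions.get("applications") or {}
    grant = policy.get("grantControls") or {}
    strength_id = (grant.get("authenticationStrength") or {}).get("id")
    built_in = grant.get("builtInControls") or []

    # A report-only or disabled policy logs risk but blocks nothing.
    if policy.get("state") != "enabled":
        reasons.append("state is %r, not 'enabled'" % policy.get("state"))

    # The legacy 'mfa' grant control accepts SMS, voice and OTP codes, which are
    # exactly the factors that OTP bots and phishing kits relay.
    if strength_id != PHISHING_RESISTANT_STRENGTH_ID:
        reasons.append("grant control is not the phishing-resistant authentication strength")
    elif built_in and grant.get("operator") == "OR":
        # With OR, satisfying any one control is enough, so a weaker control
        # listed beside the strength (e.g. 'mfa') is a bypass path.
        reasons.append("operator OR lets weaker controls %s satisfy the policy" % built_in)

    # Scope: the recommendation is all users and all cloud apps, with only the
    # emergency-access (break-glass) accounts excluded.
    if users.get("includeUsers") != ["All"]:
        reasons.append("policy does not target all users")
    if apps.get("includeApplications") != ["All"]:
        reasons.append("policy does not target all cloud apps")
    if users.get("excludeGroups"):
        reasons.append("excluded groups %s widen the gap" % users["excludeGroups"])

    finding.enforces_phishing_resistant = not reasons
    return finding


def audit_policies(policies: List[dict]) -> Dict[str, Finding]:
    """Audit every policy and key the findings by display name."""
    return {f.policy: f for f in (audit_policy(p) for p in policies)}


def tenant_has_phishing_resistant_baseline(policies: List[dict]) -> bool:
    """True when at least one enabled policy mandates phishing-resistant MFA tenant-wide."""
    return any(f.enforces_phishing_resistant for f in audit_policies(policies).values())


# Constructed sample policies (not from a real tenant).
def _all_users_and_apps(exclude_users=None, exclude_groups=None) -> dict:
    return {
        "users": {"includeUsers": ["All"], "excludeUsers": exclude_users or [],
                  "excludeGroups": exclude_groups or []},
        "applications": {"includeApplications": ["All"]},
    }


WEAK_POLICY = {  # the common baseline: classic MFA, phishable factors allowed
    "displayName": "CA001 Require MFA for all users",
    "state": "enabled",
    "conditions": _all_users_and_apps(),
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

STRONG_POLICY = {  # what the recommendation above asks for
    "displayName": "CA002 Require phishing-resistant MFA for all users",
    "state": "enabled",
    "conditions": _all_users_and_apps(exclude_users=["<break-glass-account-object-id>"]),
    "grantControls": {"operator": "OR", "builtInControls": [],
                      "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID,
                                                 "displayName": "Phishing-resistant MFA"}},
}

REPORT_ONLY_POLICY = dict(STRONG_POLICY, displayName="CA003 Phishing-resistant MFA (report-only)",
                          state="enabledForReportingButNotEnforced")

if __name__ == "__main__":
    for finding in audit_policies([WEAK_POLICY, STRONG_POLICY, REPORT_ONLY_POLICY]).values():
        status = "OK " if finding.enforces_phishing_resistant else "GAP"
        print(status, finding.policy, "; ".join(finding.reasons))
```

Run against a real export, the audit flags the usual gaps in order: policies still in report-only mode, policies that grant on the legacy "mfa" control, and scope exclusions beyond break-glass accounts.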

Priority 4: Unify access policies across identity, endpoint, and network security

In most organizations, the identity, endpoint, and network security functions are siloed, with teams using different technologies for managing access. This is problematic because it requires conditional access changes to be made in multiple places, increasing the chance of security holes, redundancies, and inconsistent access policies between teams. Identity, endpoint, and network tools need to be integrated under one policy engine, as neither category alone can protect all access points.

By adopting a Zero Trust security model that spans identity, endpoint, and network security, you can easily manage and enforce granular access policies in one place. This helps reduce operational complexity and can eliminate gaps in policy coverage. Plus, by enforcing universal conditional access policies from a single location, your policy engine can analyze a more diverse set of signals such as network, identity, endpoint, and application conditions before granting access to any resource—without making any code changes.

Microsoft’s Security Service Edge (SSE) solution is identity-aware and is delivering a unique innovation to the SSE category by bringing together identity, endpoint, and network security access policies. The solution includes Microsoft Entra Internet Access, an SWG for safeguarding SaaS apps and internet traffic, as well as Microsoft Entra Private Access, a Zero Trust Network Access (ZTNA) solution for securing access to all applications and resources. When you unify your network and identity access policies, it is easier to secure access and manage your organization’s conditional access lifecycle.

How to get started: Read these blogs to learn why their identity-aware designs make Microsoft Entra Internet Access and Microsoft Entra Private Access unique in the SSE category. To learn about the different use cases and scenarios, configuration prerequisites, and how to enable secure access, go to the Microsoft Entra admin center.

Priority 5: Control identities and access for multicloud

Today, as multicloud adoption increases, it is harder than ever to gain full visibility over which identities, human or machine, have access to what resources across your various clouds. Plus, with the massive increase in AI-driven workloads, the number of machine identities being used in multicloud environments is quickly rising, outnumbering human identities 10 to 1.⁵ Many of these identities are created with excessive permissions and little to no governance, with less than 5% of permissions granted actually used, suggesting that a vast majority of machine identities are not abiding by least-privilege access principles. As a result, attackers have shifted their attention to apps, homing in on workload identities as a vulnerable new threat vector. Organizations need a unified control center for managing workload identities and permissions across all their clouds.

Securing access to your multicloud infrastructure across all identity types starts with selecting the methodology that makes sense for your organization. Zero Trust provides an excellent, customizable framework that applies just as well to workload identities as it does to human identities. You can effectively apply these principles with a cloud infrastructure entitlement management (CIEM) platform, which provides deep insights into the permissions granted across your multicloud, how they are used, and the ability to right-size those permissions. Extending these controls to your machine identities will require a purpose-built tool for workload identities that uses strong credentials, conditional access policies, anomaly and risk signal monitoring, access reviews, and location restrictions.

Unifying and streamlining the management of your organization’s multicloud starts with diagnosing the health of your multicloud infrastructure with Microsoft Entra Permissions Management, which will help you discover, detect, right-size, and govern your organization’s multicloud identities. Then, using Microsoft Entra Workload ID, migrate your workload identities to managed identities where possible and apply strong Zero Trust principles and conditional access controls to them.

How to get started: Start a Microsoft Entra Permissions Management free trial to assess the state of your organization’s multicloud environment, then take the recommended actions to remediate any access right risks. Also, use Microsoft Entra Workload ID to assign conditional access policies to all of your apps, services, and machine identities based on least privilege principles.

Our commitment to continued partnership with you

It is our hope that the strategies in this blog help you form an actionable roadmap for securing access at your organization—for everyone, to everything.

But access security is not a one-way street; it is your continuous feedback that enables us to provide truly customer-centric solutions to the identity and access problems we face in 2024 and beyond. We are grateful for the continued partnership and dialogue with you—from day-to-day interactions, to joint deployment planning, to the direct feedback that informs our strategy. As always, we remain committed to building the products and tools you need to defend your organization throughout 2024 and beyond.

Learn more about Microsoft Entra, or recap the identity at Microsoft Ignite blog.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


¹ Microsoft Digital Defense Report, Microsoft. October 2023.

² Work Trend Index Annual Report: Will AI Fix Work? Microsoft. May 9, 2023.

³ Microsoft unveils expansion of AI for security and security for AI at Microsoft Ignite, Vasu Jakkal. November 15, 2023.

⁴ How effective is multifactor authentication at deterring cyberattacks? Microsoft.

⁵ 2023 State of Cloud Permissions Risks report now published, Alex Simons. March 28, 2023.

Microsoft named a Leader in 2023 Gartner® Magic Quadrant™ for Access Management for the 7th year​​ http://approjects.co.za/?big=en-us/security/blog/2023/11/21/microsoft-named-a-leader-in-2023-gartner-magic-quadrant-for-access-management-for-the-7th-year/ Tue, 21 Nov 2023 17:00:00 +0000 Microsoft recognized for the ​​seventh straight year as a Leader in 2023 Gartner® Magic Quadrant™ for Access Management.

The post Microsoft named a Leader in 2023 Gartner® Magic Quadrant™ for Access Management for the 7th year​​ appeared first on Microsoft Security Blog.

Protecting identity from compromise is top of mind for security professionals as identity attacks continue to intensify. Earlier this year we reported that we had observed a nearly three-fold increase in password attacks per second in the last two years, from 579 in 2021 to 4,000 in 2023.¹ Identity and access stands between malicious actors and web and cloud resources, making it critical to have a solution that is seamlessly integrated.

Microsoft Entra is a unified identity and network access solution that protects any identity and secures access to any application or resource, in any cloud or on-premises. We’re grateful to all of you—our customers and partners—for your generous feedback that guides our product vision, roadmap, and innovation, and for the collaborative engineering approach that has enabled us to co-create modern identity and access solutions.

Today, we are honored to announce that for the seventh year in a row, Microsoft has been named a Leader in the 2023 Gartner® Magic Quadrant™ for Access Management. We believe Microsoft’s placement in the Leaders quadrant validates our commitment to empowering our customers with a comprehensive solution powered by AI and automation.

Scatter chart showing Microsoft as a Leader in the Gartner® Magic Quadrant™ for Access Management.

Making it easier to secure access

Microsoft Entra’s mission is to help you stay ahead of the evolving digital threat landscape by making it easier to secure access to everything, for everyone, from anywhere. This year, we released several key innovations in pursuit of this goal. Here are a few recent highlights: 

First, we introduced Microsoft Entra ID Governance, our complete identity governance solution that helps ensure the right people have the right access to the right resources at the right time. This cloud-delivered product includes capabilities that were already available in Microsoft Entra ID, plus more advanced tools that automate identity and access lifecycle management, and simplify access governance for on-premises, software as a service, and cloud apps and resources.

Second, we made significant progress towards offering additional phishing-resistant authentication methods in alignment with Executive Order 14028: users will be able to sign in using passkeys managed from the Microsoft Authenticator app, which is also Federal Information Processing Standards (FIPS) 140-compliant for both iOS and Android. We have also added more customization for our cloud-based certificate-based authentication (CBA) solution.

Third, Microsoft Entra ID introduced a series of marquee features, including Microsoft Entra ID Protection, that help you proactively block identity takeover in real time. These innovations include a brand-new dashboard with improved security posture insights and recommendations, new risk detections that can prevent attacks in their early phases, and an integration with Microsoft Defender XDR to correlate incidents. Strict location enforcement capabilities have also been added to continuous access evaluation (CAE), which enables Microsoft Entra ID to use those signals to revoke access and remediate potential compromise in near real time if a change in location is detected. As part of an ongoing commitment to token protection, Microsoft Entra ID also released sign-in session token protection to help defend against token theft attacks.

Fourth, we released the preview of new, unified capabilities in Microsoft Entra External ID, our next-generation customer identity and access management platform that unifies secure and engaging experiences for all external identities, including customers, partners, citizens, and others within a single integrated platform. These new capabilities deliver a more developer-centric platform with the latest security and governance capabilities of Microsoft Entra ID and deep integrations across Microsoft Security. 

Fifth, we launched our new identity-centric Security Service Edge solution with the release of two products, Microsoft Entra Internet Access and Microsoft Entra Private Access. This solution unifies identity and network access controls under a single policy engine, extending universal Conditional Access controls to any user and any resource across identity, endpoint and network. By bringing these two solutions into the Microsoft Entra portfolio, we’re expanding our reach beyond identity and access management to a comprehensive solution that can help secure access holistically.

We can’t wait to bring more innovations to the Microsoft Entra portfolio in this new year and continue making progress against our goal to simplify securing access to everything, for everyone.

Discover the Microsoft Entra product family

The Microsoft Entra product family includes:


You can learn more by reading the full 2023 Gartner® Magic Quadrant™ for Access Management report. To learn more about the Microsoft Entra portfolio and its products, visit our website.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (formerly known as “Twitter”) (@MSFTSecurity) for the latest news and updates on cybersecurity.


¹ Microsoft Digital Defense Report 2023.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner and Magic Quadrant are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

Gartner, Magic Quadrant for Access Management, by Henrique Teixeira, Abhyuday Data, Nathan Harris, Robertson Pimentel. 16 November 2023.

Microsoft Entra expands into Security Service Edge and Azure AD becomes Microsoft Entra ID http://approjects.co.za/?big=en-us/security/blog/2023/07/11/microsoft-entra-expands-into-security-service-edge-and-azure-ad-becomes-microsoft-entra-id/ Tue, 11 Jul 2023 16:00:00 +0000 Microsoft Entra is unifying identity and network access with a new Security Service Edge (SSE) solution and more identity innovations.

The post Microsoft Entra expands into Security Service Edge and Azure AD becomes Microsoft Entra ID appeared first on Microsoft Security Blog.

A year ago when we announced the Microsoft Entra product family, we asked what the world could achieve if we had trust in every digital experience and interaction.¹ This question inspired us to offer a vision for securing the millions and millions of connections that happen every second between people, machines, apps, and devices that access and share data.

Protecting identities and access is critical. As our work and lives become increasingly digital, cyberattacks are becoming more frequent and more sophisticated, affecting organizations of every size, in every industry, and in every part of the world. In the last 12 months, we saw an average of more than 4,000 password attacks per second, an almost threefold increase from the 1,287 attacks per second we saw the previous year.² We’re also seeing far more sophisticated attacks, including ones that manage to evade critical defenses, such as multifactor authentication, to steal access tokens, impersonate a rightful user, and gain access to critical data.

To help organizations protect their ever-evolving digital estates, we’ve been expanding beyond managing directories and authenticating users to securing and governing access for any identity to any app or resource. Today, we’re thrilled to announce the next milestone in our vision of making it easy to secure access with two new products: Microsoft Entra Internet Access and Microsoft Entra Private Access. We’re adding these capabilities to help organizations instill trust, not only in their digital experiences and services but in every digital interaction that powers them.

Secure access to any app or resource, from anywhere

Flexible work arrangements and the resulting increase in cloud workloads are straining traditional corporate networks and legacy network security approaches. Using VPNs to backhaul traffic to the legacy network security stack weakens security posture and damages the user experience, while using siloed solutions and access policies leaves security gaps.

Microsoft Entra Internet Access is an identity-centric Secure Web Gateway that protects access to internet, software as a service (SaaS), and Microsoft 365 apps and resources. It extends Conditional Access policies with network conditions to protect against malicious internet traffic and other threats from the open internet. For Microsoft 365 environments, it enables best-in-class security and visibility, along with faster and more seamless access to Microsoft 365 apps, so you can boost productivity for any user, anywhere. Microsoft 365 scenarios in Microsoft Entra Internet Access are in preview today, and you can sign up for the preview of capabilities for all internet traffic and SaaS apps and resources that will be available later this year.

Microsoft Entra Private Access is an identity-centric Zero Trust Network Access (ZTNA) solution that secures access to private apps and resources. Now any user, wherever they are, can quickly and easily connect to private apps—across hybrid and multicloud environments, private networks, and data centers—from any device and any network. Now in preview, Microsoft Entra Private Access reduces operational complexity and cost by replacing legacy VPNs and offers more granular security. You can apply Conditional Access to individual applications, and enforce multifactor authentication, device compliance, and other controls for any legacy application without changing those applications.

Together, Internet Access and Private Access, coupled with Microsoft Defender for Cloud Apps, our SaaS security-focused cloud access security broker, comprise Microsoft’s Security Service Edge (SSE) solution. We’ll continue to evolve our SSE solution as an open platform that delivers the flexibility of choice between solutions from Microsoft and our partners. Pricing for Microsoft Entra Internet Access and Microsoft Entra Private Access will be available when those products reach general availability.

Graphic showing the Microsoft security service edge ecosystem. It illustrates how you can secure access to any app or resource, from anywhere.

Figure 1. Microsoft’s Security Service Edge (SSE) solution.

Neither identity nor network security alone can protect the breadth of access points and scenarios that modern organizations require. That’s why, as cyberattacks get more sophisticated, we’re adding identity-centric network access to our cloud identity solutions. We’re converging controls for identity and network access so you can create unified Conditional Access policies that extend all protections and governance to all identities and resources. With a single place to safeguard and verify identities, manage permissions, and enforce intelligent access policies, protecting your digital estate has never been easier.

Microsoft Azure Active Directory is becoming Microsoft Entra ID

When we introduced Microsoft Entra in May of 2022, it included three products: Microsoft Azure Active Directory (Azure AD), Microsoft Entra Permissions Management, and Microsoft Entra Verified ID.¹ We later expanded the Microsoft Entra family with Microsoft Entra ID Governance and Microsoft Entra Workload ID.³ Today, Microsoft Entra protects any identity and secures access to any resource—on-premises, across clouds, and anywhere in between—with a product family that unifies multicloud identity and network access solutions.

To simplify our product naming and unify our product family, we’re changing the name of Azure AD to Microsoft Entra ID. Capabilities and licensing plans, sign-in URLs, and APIs remain unchanged, and all existing deployments, configurations, and integrations will continue to work as before. Starting today, you’ll see notifications in the administrator portal, on our websites, in documentation, and in other places where you may interact with Azure AD. We’ll complete the name change from Azure AD to Microsoft Entra ID by the end of 2023. No action is needed from you.

Chart outlining all the product name changes that come with the renaming of Azure AD to Microsoft Entra ID.

Figure 2. With the name change to Microsoft Entra ID, the standalone license names are changing. Azure AD Free becomes Microsoft Entra ID Free. Azure AD Premium P1 becomes Microsoft Entra ID P1. Azure AD Premium P2 becomes Microsoft Entra ID P2. And our product for customer identities, Azure AD External Identities, becomes Microsoft Entra External ID. SKU and service plan name changes take effect on October 1, 2023.

More innovations in Microsoft Entra

Today we’d also like to highlight other innovations in the Microsoft Entra portfolio that strengthen defenses against attackers who are becoming more adept at exploiting identity-related vulnerabilities such as weak credentials, misconfigurations, and excessive access permissions.

Prevent identity takeover in real time

Several exciting changes to Microsoft Entra ID Protection (currently Azure AD Identity Protection) help IT and identity practitioners prevent account compromise. Instead of reactively revoking access based on stale data, ID Protection uses the power of advanced machine learning to identify sign-in anomalies and anomalous user behavior and then block, challenge, or limit access in real time. For example, it may trigger a risk-based Conditional Access policy that requires high-assurance and phishing-resistant authentication methods for accessing sensitive resources.

A new dashboard demonstrates the impact of the identity protections that organizations deploy with a comprehensive snapshot of prevented identity attacks and the most common attack patterns. On the dashboard, you can view simple metric cards and attack graphs that show risk origins, security posture over time, types of current attacks, as well as recommendations based on risk exposure, while highlighting the business impact of enforced controls. With these insights, you can further investigate your organization’s security posture in additional tools and applications for enhanced recommendations.

New Microsoft Entra ID Protection dashboard showing likely attacks and recommendations.

Figure 3. New Microsoft Entra ID Protection dashboard.

Automate access governance

An important part of securing access for any identity to any app is ensuring that only the right identities have the right access at the right time. Some organizations only realize they need to take this approach when they fail a security audit. Microsoft Entra ID Governance, now generally available, is a complete identity governance solution that helps you comply with organizational and regulatory security requirements while increasing employee productivity through real-time, self-service, and workflow-based app entitlements.⁴

ID Governance automates the employee identity lifecycle to reduce manual work for IT and provides machine learning-based insights about identities and app entitlements. Because it’s cloud-delivered, it scales to complex cloud and hybrid environments, unlike traditional on-premises identity governance point solutions. It supports cloud and on-premises apps from any provider, as well as custom-built apps hosted in the public cloud or on-premises. Our global system integrator partners—including Edgile, a Wipro company, EY, KPMG, and PwC—started helping with the planning and deployment of ID Governance on July 1, 2023.

New Microsoft Entra ID Governance dashboard showing governance posture and recommendations.

Figure 4. New Microsoft Entra ID Governance dashboard.

Personalize and secure access to any application for customers and partners

As we announced at Microsoft Build 2023, new developer-centric capabilities in Microsoft Entra External ID are now in preview. External ID is an integrated identity solution for external users, including customers, patients, citizens, guests, partners, and suppliers. It offers rich customization options, Conditional Access, identity protection, and support for social identity providers. Using our comprehensive developer tools, even those developers who have little to no identity experience can create personalized sign-in and sign-up experiences for their applications within minutes.

Simplify identity verification with Microsoft Entra Verified ID

Since we announced the general availability of Microsoft Entra Verified ID last summer, organizations around the world have been reinventing business processes, such as new employee onboarding, around this new, simpler way of verifying someone’s identity.⁵ For example, we recently announced that millions of LinkedIn members will be able to verify their place of work using a Verified ID credential.⁶ At the 2023 Microsoft Build event, we launched the Microsoft Entra Verified ID SDK so that developers can quickly add a secure digital wallet to any mobile application. The app can then store and verify a wide range of digital ID cards.

Microsoft Entra: Secure access for a connected world

You can see our expanded Microsoft Entra product family in Figure 5. Visit the Microsoft Entra website to learn more.

Microsoft Entra family of identity and network access products.

Figure 5. The Microsoft Entra family of identity and network access products.

We’re committed to building a more secure world for all and making life harder for threat actors, easier for admins, and more secure for every user. As part of that commitment, we’ll keep expanding Microsoft Entra to provide the broadest possible coverage along with a flexible and agile model where people, organizations, apps, and even smart things can confidently make real-time access decisions.

Encourage your technical teams to dive deeper into these announcements by attending the Tech Accelerator event on July 20, 2023, on the Microsoft Tech Community.


To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


¹ Secure access for a connected world—meet Microsoft Entra, Joy Chik and Vasu Jakkal. May 31, 2022.

² Microsoft internal data.

³ Do more with less—Discover the latest Microsoft Entra innovations, Joy Chik. October 19, 2022.

⁴ Microsoft Entra ID Governance is generally available, Joseph Dadzie. June 7, 2023.

⁵ Microsoft Entra Verified ID now generally available, Ankur Patel. August 8, 2022.

⁶ LinkedIn and Microsoft Entra introduce a new way to verify your workplace, Joy Chik. April 12, 2023.

Microsoft Build 2023: Announcing new identity, compliance, and security features from Microsoft Security http://approjects.co.za/?big=en-us/security/blog/2023/05/23/microsoft-build-2023-announcing-new-identity-compliance-and-security-features-from-microsoft-security/ Tue, 23 May 2023 15:00:00 +0000 Microsoft Build 2023 is the place to discover new features and technologies, share ideas, and boost your skills. Learn about the new identity and compliance features we're announcing.

The post Microsoft Build 2023: Announcing new identity, compliance, and security features from Microsoft Security appeared first on Microsoft Security Blog.

At Microsoft Build 2023—an event for developers by developers—we’re going to announce exciting new features and technologies, share ideas, and help everyone boost their skills so we can all build a more secure future together. This year’s Microsoft Build offers a full program, both online and in-person, to suit every attendee, whether you’re a professional developer, data pro, or a brand-new coder. Not only is Microsoft Build a great opportunity to gain new knowledge and skills, but it’s also the place to meet and learn from other developers. If you haven’t registered yet, I invite you to visit the Microsoft Build event page.


Below is a quick tour of a few security-related sessions and the new features and technologies they highlight.

New identity and access features in Microsoft Entra

Graphic showing how Microsoft Entra External ID helps personalize and secure access to any application for customers and partners with a complete customer identity and access management solution.

Welcome to modern identity and access management with Microsoft Entra

Developers are in the business of building app features and capabilities. Most developers are not—and don’t want to be—identity security experts.

At Microsoft Build, we’re announcing the next-generation customer identity access management platform: Microsoft Entra External ID, now in preview. Microsoft Entra External ID was purpose-built to personalize and secure access to applications while protecting any external identity and effectively controlling which resources they can access. It delivers a flexible, unified identity platform, personalized customer experiences, adaptive access policies, and built-in identity governance. In the session “Explore CIAM capabilities with External Identities in Microsoft Entra,” Yoel Horvitz, Senior Program Manager, Microsoft Azure Active Directory (Azure AD), and Namita Singh, Senior Software Engineer at Cloud Data Center Cybersecurity, Microsoft, will explore how easily you can create branded sign-up and sign-in app experiences. No more trade-offs between great security and great customer experiences. You’ll see how quickly you can add a strong sign-up or sign-in experience plus comprehensive onboarding flows that capture and validate customer information.

Partner identity scenarios (B2B Collaboration) remain in the same location in the Microsoft Entra admin portal within the Workforce tenant. Please note that no action is required from our current Azure AD business-to-consumer (B2C) customers at this time, as the next-generation platform is currently in early preview only. We remain fully committed to supporting the current Azure AD B2C solution; there is no requirement for B2C customers to migrate at this time and no plan to discontinue the current B2C service.

This next-generation expanded solution for customer and partner identities marks the next chapter in our customer identity solution, addressing critical customer feedback and building on top of our existing capabilities.

External ID now combines familiar B2B collaboration functionality in Microsoft Entra (generally available) with evolved and unified customer identity (CIAM) capabilities, targeting customer-facing applications, now in preview. Help us shape the future of this new platform with your participation in our preview.

Microsoft Entra Verified ID digital wallet SDK

Microsoft Entra Verified ID is an open standards-based verifiable credentials service that customers can use to automate the identity validation process while enabling privacy-protected interactions between organizations and users. You can integrate the upcoming release of the Verified ID Wallet Library into your mobile apps to store and share digital Verified ID cards. This allows you to issue verifiable credentials for dozens of use cases, such as reducing the risk for fraud and account takeovers, streamlining app sign-ins, creating self-service account recovery and helpdesk flows, and enabling rich partner rewards ecosystems. Be sure to check out the “Reduce fraud and improve engagement using Digital Wallets” session by Christer Ljung, Principal Program Manager, Microsoft, and Sydney Morton, Software Engineer, Microsoft, to learn more about Verified ID’s open source digital wallet SDK.

New capabilities for compliance and data automation in Microsoft Purview

General availability of machine learning-enabled source code classifier

Microsoft Purview Information Protection helps organizations automate data classification, labeling, and protection across multiple platforms. More than 35 pre-trained classifiers help quickly identify and protect some of the most sensitive data, such as intellectual property and trade secrets, material non-public information, sensitive health and medical files, business sensitive financial information, and personally identifiable information for General Data Protection Regulation (GDPR) compliance. Plus, an improved ready-to-use source code classifier that supports more than 70 file extensions and 23 programming languages can detect embedded and partial source code.  

New APIs available to help automate compliance workflows

You can take advantage of new Microsoft Graph APIs built specifically for Microsoft Purview eDiscovery and compliance scenarios to help organizations automate their litigation and investigation workflows. Join us for “Streamline eDiscovery with new innovations, including Microsoft Graph APIs,” a sequel to Microsoft Senior Product Marketing Manager Caitlin Fitzgerald’s Microsoft Build 2022 session, which will share recent examples of using APIs to ensure repeatable and predictable management of time-sensitive compliance processes.

Explore built-in security features in these Microsoft Build sessions

Unlocking the Power of Azure Security: Conversations with Experts, Q&A

In this Q&A session, Richard Diver, Technical Story Design Lead, Microsoft, will moderate a panel of experts who help secure the software supply chain within Microsoft Azure and other platforms. The session is based on a four-part blog series that includes Microsoft Azure’s defense-in-depth approach to cloud vulnerabilities and Cloud Variant Hunting. The panel will share Microsoft security best practices and how we’re enhancing our response process, extending our internal security research, and continually improving how we secure multitenant services.

Next-Level DevSecOps: Secure Supply Chain Consumption Framework, Q&A

The Secure Supply Chain Consumption Framework (S2C2F) is designed from the ground up to protect developers from accidentally consuming malicious and compromised packages. In this Q&A session, Mia Reyes, Director, Foundational Security—Cybersecurity, Microsoft, will moderate a panel of leads from our Secure Software Supply Chain team, including Adrian Diglio, Principal Product Marketing Manager, Microsoft, and Jasmine Wang, Product Manager, Microsoft, as they share the Secure Supply Chain Consumption Framework (S2C2F). Learn how to patch your vulnerable components faster to prevent consumption of malicious or compromised packages. Download the Secure Supply Chain Consumption Framework Simplified Requirements guide to learn how you can improve your open source software (OSS) consumption practices.

According to Sonatype’s 2022 State of the Software Supply Chain report, supply chain attacks targeting OSS have increased by an average of 742 percent each year for the past three years.[1]

Microsoft Build 2023

Join us in Seattle for Microsoft Build from May 23 to 25, 2023. We’ll stream online sessions May 23 and 24, 2023 during Pacific Time hours. Register now to reserve your spot and visit the Microsoft Build 2023 website to explore the session catalog and plan your experience. We look forward to connecting with you!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


[1] 8th Annual State of the Software Supply Chain Report, Sonatype.

Microsoft Entra delivers 240 percent ROI, according to new Forrester study
http://approjects.co.za/?big=en-us/security/blog/2023/04/20/microsoft-entra-delivers-240-percent-roi-according-to-new-forrester-study/
Thu, 20 Apr 2023 16:00:00 +0000

Learn why Microsoft Entra delivers 240-percent ROI—get key benefits and real-world learnings from adopters across the financial, high-tech, and manufacturing sectors.

Every day we easily move between apps and devices while identity professionals work hard behind the scenes to improve technologies that make this digital experience more secure. With nearly 50 percent of data breaches caused by stolen credentials, it’s important for identity professionals to arm themselves with cutting-edge and intelligent tools to stay ahead of attackers.[1] And these tools must also be financially viable without hindering productivity or stunting growth. Microsoft Entra is purpose-built to do both, bringing identity and access solutions together in a comprehensive product family for multicloud environments. Alongside skilled identity professionals, Microsoft Entra balances organizations’ needs to secure their digital estates and keep business operations moving.

To evaluate the net effects of moving to Microsoft’s cloud-native identity and access management (IAM) solution, Forrester Consulting conducted a commissioned study on behalf of Microsoft: The Total Economic Impact™ Of Microsoft Entra. Forrester interviewed 10 representatives from eight existing Microsoft customers that are currently using three products in the Microsoft Entra family: Azure Active Directory (Azure AD), Microsoft Entra Permissions Management, and Microsoft Entra Verified ID.

Figure 1. The Total Economic Impact™ Of Microsoft Entra: return on investment of 240 percent and net present value of USD8.57 million.

In total, Forrester’s financial analysis found that a composite organization based on these interviewed customers experienced benefits of USD12.14 million over three years, versus costs of USD3.57 million. This adds up to a net present value of USD8.57 million and a return on investment (ROI) of 240 percent. Forrester left no stone unturned in examining the financial impact of Microsoft Entra. The results were divided into five categories common to most organizations. Here’s an overview of their findings:

Modernizing identity and consolidating vendors

Before Microsoft Entra, interviewed organizations managed identity and access using multiple point solutions. This patchwork approach fell short of providing adequate security and introduced high complexity and costs. With Microsoft Entra, organizations could retire some of these solutions as well as sunset legacy on-premises infrastructure such as Active Directory Federation Services (AD FS). After consolidating with Microsoft Entra, Forrester determined that the composite organization’s cost savings totaled USD2,084,082.

“We wanted to centralize all of our IAM tools, and we decided to use Microsoft Entra because of what Microsoft offered in terms of its security and enterprise relationships, and also [because of] the fact that our chief information security officer felt comfortable about having our identity managed by Microsoft.”

—Identity and access team lead, software industry

Increasing identity team efficiency

By securing access for all their identities to any app and resource, the surveyed organizations were able to implement granular risk-based policies. With multifactor authentication, they protected against phishing, credential stuffing, and other attacks that exploit user credentials. Permissions Management enabled organizations to discover and remediate security risks caused by excessive and unused permissions in their multicloud environments. Forrester found that the composite organization was able to reduce the likelihood of a breach by 20 percent over three years. This also helped ensure compliance with regulatory standards. All these improvements yielded a three-year, risk-adjusted total of USD1,521,840.


Accelerating development velocity

Surveyed organizations shared that for security purposes developers were required to request permissions every time they needed new access, and this tended to have a negative impact on product-development speed. A developer’s work on a project could get interrupted by up to several days while the developer was waiting for access, and any project as a whole could get delayed by weeks or even months as those interruptions added up. Adopting Permissions Management improved product development velocity from days to hours, which helped keep development projects on schedule. Forrester calculated that wait time for developers was reduced by 90 percent. This sped-up development yields a total of USD922,422 in benefits over three years.

“What previously took two to three days is now handled in a couple of hours at most.”

—Head of enterprise security architecture, insurance industry

Increasing worker productivity and reducing IT friction

Employees expect to collaborate on any project from anywhere using any app—especially now that hybrid work is the new normal. But they find signing into multiple applications throughout the day frustrating and time-consuming. Interviewees shared that one of their primary goals for their organizations was to improve user experience by enabling single sign-on for applications from almost any device or location. According to Forrester’s calculations, with Microsoft Entra, each employee saved 13 hours per year on average and the composite organization saved USD4,048,685 over three years. If you have a help desk, your employees likely make thousands of password reset requests per month. Locked-out users can’t be productive, and their pleas for help eat up valuable time help desk workers could spend on other priority tasks. With Microsoft Entra, employees can reset their own passwords without help desk intervention. Forrester estimates that customers can decrease the number of password reset calls per year by 75 percent, yielding a three-year adjusted present value of USD251,794.

“If you have your applications integrated with Azure AD, you can have a really, really sweet user experience, security model, and simple administration.”

—Senior security engineer, software industry

Security for all

At Microsoft Security, we’re committed to being a trusted partner for IAM and security teams like those who shared their experiences for this study. We believe a holistic approach to security can help you protect what matters without slowing productivity. To get the full analysis of how cloud-native, scalable Microsoft Entra can deliver significant value, be sure to download The Total Economic Impact™ Of Microsoft Entra and share its accompanying infographic for fast insights.



[1] Verizon 2022 Data Breach Investigations Report.

LinkedIn and Microsoft Entra introduce a new way to verify your workplace
http://approjects.co.za/?big=en-us/security/blog/2023/04/12/linkedin-and-microsoft-entra-introduce-a-new-way-to-verify-your-workplace/
Wed, 12 Apr 2023 13:00:00 +0000

LinkedIn members can use a Microsoft Entra Verified ID credential issued from their organization to verify their workplace on their public profile and add instant credibility, increasing trust and confidence in interactions.

In the digital world, when you meet professional contacts for the first time online, you need additional trust signals to increase your confidence that they are who they say they are. We’re thrilled to announce that millions of LinkedIn members will be able to verify their place of work with a Microsoft Entra Verified ID credential. By simply looking for a Verification, members and organizations can be more confident that the people they collaborate with are authentic and that work affiliations on their profiles are accurate.

Verifying a LinkedIn member’s workplace

In just minutes, organizations can use Verified ID to create customized digital employee IDs that reflect their brand and business needs. On LinkedIn, members will see an option to verify their workplace on their profile. With a few taps on their phone, members can get their digital employee ID from their organization and choose to share it on LinkedIn. After they send the credential, a Workplace verification will be displayed on their profile.

A trustworthy approach to verification

In our everyday lives, we use identity documents like driver’s licenses or passports as convenient and secure ways to prove our identity. Until now, we have not had a good digital equivalent. Verified ID provides an easy-to-use and secure experience for digitally verifying many aspects of our identity, such as education, skills, and workplace affiliation.

Verified ID is built on open standards for decentralized identity, which operates on a “triangle of trust” model involving three parties: an issuer, a holder, and a verifier. For instance, an organization can act as an issuer by cryptographically signing a digital credential and issuing it to an employee as a digital employee ID. As the credential holder, the employee can decide to share their credential with apps and websites, such as LinkedIn. Then the verifier can cryptographically authenticate that the digital employee ID is genuine and was issued by the place of work the employee claims. This approach represents a more secure, convenient, and trustworthy way to verify digital information at scale.
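To make the three roles concrete, here is an added example written for this page (it is not the Verified ID SDK and does not use its credential format): an employer acting as issuer signs a workplace credential with an Ed25519 key, the holder stores the signed object and passes it on unchanged, and a relying party acting as verifier accepts it only if it names an issuer whose public key the verifier trusts, the signature checks under that key, and the credential is unexpired. The issuer identifier, claim names and JSON layout are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is the claim set an issuer attests to. The fields and JSON layout
// are constructed for this example; they are not the Verified ID wire format.
type Credential struct {
	Issuer    string    `json:"issuer"`   // the organization that vouches for the claim
	Subject   string    `json:"subject"`  // the holder the credential is issued to
	Employer  string    `json:"employer"` // the attested workplace affiliation
	IssuedAt  time.Time `json:"issuedAt"`
	ExpiresAt time.Time `json:"expiresAt"`
}

// SignedCredential is what the holder keeps in a wallet and later chooses to share.
type SignedCredential struct {
	Payload   []byte `json:"payload"`   // JSON-encoded Credential
	Signature []byte `json:"signature"` // issuer's Ed25519 signature over Payload
}

// Issuer is an organization with a signing key, e.g. an employer's HR system.
type Issuer struct {
	ID   string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIssuer(id string) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil means crypto/rand
	if err != nil {
		return nil, err
	}
	return &Issuer{ID: id, Pub: pub, priv: priv}, nil
}

// Issue signs a workplace credential for subject, valid for ttl from now.
func (i *Issuer) Issue(subject, employer string, ttl time.Duration, now time.Time) (SignedCredential, error) {
	payload, err := json.Marshal(Credential{
		Issuer: i.ID, Subject: subject, Employer: employer, IssuedAt: now, ExpiresAt: now.Add(ttl),
	})
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Payload: payload, Signature: ed25519.Sign(i.priv, payload)}, nil
}

// Verifier is a relying party (for instance a site that shows a workplace badge)
// that trusts a fixed set of issuer public keys. In a decentralized identity
// system those keys would be resolved from the issuer's identifier; here the
// trust list is configured directly (constructed simplification).
type Verifier struct {
	trusted map[string]ed25519.PublicKey
}

func NewVerifier() *Verifier { return &Verifier{trusted: map[string]ed25519.PublicKey{}} }

// Trust registers an issuer's public key under its identifier.
func (v *Verifier) Trust(issuerID string, pub ed25519.PublicKey) { v.trusted[issuerID] = pub }

// Verify accepts a credential only if it names a trusted issuer, the signature
// checks under that issuer's key (so the payload is untampered) and it is unexpired.
func (v *Verifier) Verify(sc SignedCredential, now time.Time) (Credential, error) {
	var c Credential
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return Credential{}, fmt.Errorf("malformed payload: %w", err)
	}
	pub, ok := v.trusted[c.Issuer]
	if !ok {
		return Credential{}, errors.New("untrusted issuer: " + c.Issuer)
	}
	if !ed25519.Verify(pub, sc.Payload, sc.Signature) {
		return Credential{}, errors.New("signature does not verify under the issuer's key")
	}
	if now.After(c.ExpiresAt) {
		return Credential{}, errors.New("credential expired")
	}
	return c, nil
}

func main() {
	contoso, _ := NewIssuer("did:example:contoso") // constructed identifier
	cred, _ := contoso.Issue("alice", "Contoso", 24*time.Hour, time.Now())
	verifier := NewVerifier()
	verifier.Trust(contoso.ID, contoso.Pub)
	fmt.Println(verifier.Verify(cred, time.Now()))
}
```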

Best of all, because Verified ID is based on open standards, it can work with existing HR systems, as well as a range of identity systems, such as Microsoft Azure Active Directory, now part of the Microsoft Entra product family, and even identity systems that are on-premises.

Looking ahead

To help ensure that this new capability in LinkedIn is an easy-to-use, secure experience, we’re testing and gathering feedback from more than 70 organizations representing millions of LinkedIn members, including companies like Accenture, Avanade, and Microsoft. We plan to start rolling out this new capability by the end of the month.

Verifying workplace credentials for use on LinkedIn is just one example of how Verified ID can make digital interactions simpler and more trustworthy, whether they involve organizations or individuals. This new way to verify can be useful for background checks, rewards programs, help desk support, and a host of other scenarios that require proof of workplace affiliation. It will also make the process of verifying a prospective employee’s identity and qualifications less manual, time-consuming, and expensive.

But this is just the beginning. Verified ID credentials can increase trust, authenticity, and verifiability while reducing cost, time, and friction in many scenarios. You can issue employee IDs using Verified ID today. It only takes a few minutes. To get started, check out these tutorials.

Latest Microsoft Entra advancements strengthen identity security
http://approjects.co.za/?big=en-us/security/blog/2023/03/30/latest-microsoft-entra-advancements-strengthen-identity-security/
Thu, 30 Mar 2023 16:00:00 +0000

Good permissions governance and protecting against identity compromise are essential strategies for keeping your people and resources safe. Learn how the new features in Microsoft Entra can support your identity strategy.

If you read past the attention-grabbing headlines, most novel techniques rely on compromised identities.[1] In fact, of all the ways an attacker can get into your digital estate, identity compromise is still the most common.[2] This makes identity your first line of defense.

In many organizations, however, too many identities not only lack fundamental protections, but also end up with too many access permissions that they keep for too long. Our new State of Cloud Permissions Risks Report reveals some sobering statistics that drive home the importance of carefully protecting and managing your identities to reduce both risk and opportunities for cybercriminals.

Across multicloud, more than half of all identities are admin and workload identities that have all access rights and all permissions to cloud resources. This is dangerous because overall, identities are using only 1 percent of the permissions granted to them. Some don’t use their permissions at all. In fact, more than 60 percent of all identities with permissions to cloud resources are completely inactive. At 80 percent, the proportion of inactive workload identities is even higher—and workload identities outnumber human identities 10 to 1.

While this report summarizes issues with cloud permissions, we see similar issues for business users.

At the recent Microsoft Secure event, I shared ways to strengthen your identity defenses using the latest innovations we’re delivering in Microsoft Entra. These include new governance controls and real-time access protections to help you secure identities and the resources they access.

A new, faster way to onboard with Microsoft Entra Identity Governance and Microsoft Entra Verified ID

Good identity practices start during onboarding, a process that often frustrates IT admins and users alike.

The goal of onboarding is to give new users the right access to the right resources for the right amount of time—adhering to the Zero Trust principle of “least privilege access”—on day one. However, traditional onboarding still requires loads of redundant paperwork and online forms that require manual review and approval before new users can start work and get access to resources. This can delay hiring and increase ramp-up time.

Eighty-two percent of organizations Microsoft surveyed want a better—and less manual—way to do identity verification, and now they have one.[3] Microsoft Entra Identity Governance and Microsoft Entra Verified ID now work together to simplify onboarding. Instead of spending weeks collecting and verifying pre-hire documentation such as education and industry certifications, organizations can validate everything digitally using Verified ID credentials issued by trusted authorities.

When you use entitlement management in Identity Governance to create an access package with specific applications and expiration settings, you can now require a Verified ID as part of the approval workflow.[4] With entitlement management, you can make the onboarding process completely digital and self-serve—no admin required.[5] New users get an automated welcome email with a link to the My Access portal. Once they share the required Verified ID and their manager approves their access request, they get all their workplace access permissions at once. When their permissions expire, they can easily prove their identity again using their Verified ID without going through a lengthy renewal process.

This streamlined onboarding process is faster, safer, and less resource intensive. Organizations will spend less time validating credentials on paper and approving access requests manually, and more time collaborating and innovating. Plus, other Identity Governance features, such as automation of routine joiner, leaver, and mover tasks, help keep permissions the right size over time.

New protections to help secure access

Once a new user is on board, Microsoft Entra helps you secure their access. This starts with proactive controls such as enforcing multifactor authentication.

Strong sign-in defenses make you less attractive—and less vulnerable—to most attackers, who don’t have the technical prowess, funding, or resources of more sophisticated groups. Credential attacks are the most common because they cost relatively little to perform, but you can interrupt them with multifactor authentication.[6] Our data shows that more than 99.9 percent of compromised accounts don’t have multifactor authentication enabled.

However, sophisticated attackers are trying to work around multifactor authentication with techniques such as SIM jacking and multifactor authentication fatigue attacks. To counter these techniques, Microsoft Entra supports phishing-resistant multifactor authentication methods. These include passwordless options such as Windows Hello for Business and FIDO2 security keys. Certificate-based authentication is also available for organizations standardized on it.

When you enable multifactor authentication, by all means, adopt the strongest methods. Older methods, such as SMS and voice calls, are simply less secure.

Phishing-resistant features in Microsoft Authenticator further strengthen your multifactor authentication defenses.[7] Number Matching requires users to enter a number displayed on the sign-in screen, making it harder to accidentally approve a request. To help users confirm that they’re approving an access request they (and not an attacker) made, application context shows them which application they’re signing into, while location context displays their sign-in location based on the IP address of their device.

And now, with Conditional Access authentication strengths, admins can set policy on the strength of multifactor authentication required—and base that policy on the sensitivity of the apps and resources a user is trying to access.[8] In tandem, we’re extending phishing-resistant multifactor authentication to more scenarios. For example, you can require phishing-resistant multifactor authentication for Microsoft Azure virtual machines to protect remote sign-ins and to provide end-to-end coverage for dev, testing, and production environments. You can also require it for external users and for users who have to move between different Microsoft cloud instances to collaborate, for example, between government and commercial clouds.[9]

In addition, with Conditional Access for high-risk actions, you can now require phishing-resistant multifactor authentication for sensitive actions, such as modifying access policies, and coming soon, adding a new credential to an application or changing federated trust configuration. You can also restrict high-risk actions based on device compliance or location.

New countermeasures to help prevent lateral movement

Once a new user has signed in, Microsoft Entra helps you take a proactive “assume breach” stance to protect their credentials and prevent lateral movement. This is essential because post-authentication attacks, such as token theft through malware, mining poorly configured logs, and compromising routing infrastructure, are on the rise.[10]

Attackers replay stolen tokens to impersonate an authenticated user. Just as thieves copy a credit card number or read its RFID code and then go on a shopping spree until the bank notices and freezes the card, attackers steal tokens to access your digital resources—and cause a lot of damage—until that token expires.

Two new capabilities in Microsoft Entra are closing the token replay window.

First, strict enforcement of location policies lets resource providers use continuous access evaluation (CAE) to immediately revoke tokens that run afoul of location policies. Until now, a stolen token could stay valid for an hour or more, even if an attacker tried to replay it outside of the location range that policy allows.

Exchange Online, SharePoint, and Microsoft Graph can now respond to network change events by revoking tokens in near real-time. Since CAE is part of the Microsoft identity platform, hundreds of apps have adopted it to benefit from the enforcement of location policies and other CAE events. This includes Microsoft 365 apps such as Outlook, Microsoft Teams, and OneDrive, as well as the built-in Mail app on Mac, iPhone, and iPads. Third-party apps can adopt CAE through Microsoft Services Authentication Library.[11]

While closing the token replay window is a big step forward, we’re also working to make sure it never opens in the first place through a new capability called Token Protection.[12] This adds a cryptographic key to issued tokens that blocks attackers from replaying them on a different device, which is like having a credit card that instantly deactivates if someone steals it from your wallet.

As a first step, we’re adding this capability for sign-in sessions on Windows (version 10 or later). Next, we’ll extend this capability to other platforms and address more Windows scenarios, such as app sessions and workload cookies.
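An added example (not Microsoft's implementation of either feature) that models the two capabilities above in one resource server: it re-checks a location policy on every request rather than trusting an issued token until it expires, and the token carries the public key of the device it was issued to, so a copy presented from another device fails a proof-of-possession check. The HMAC-sealed token layout, the "cnf" claim name, the single allowed network range and the Ed25519 device key are constructed simplifications.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"time"
)

// Device holds the key a token is bound to. Constructed for this example;
// Token Protection keeps the real key inside the Windows platform.
type Device struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil means crypto/rand
	if err != nil {
		return nil, err
	}
	return &Device{pub: pub, priv: priv}, nil
}

// Prove signs a nonce chosen by the resource server for this one request.
func (d *Device) Prove(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) }

// Claims is the token body; "cnf" carries the bound device public key (constructed layout).
type Claims struct {
	Subject   string    `json:"sub"`
	BoundKey  []byte    `json:"cnf"`
	ExpiresAt time.Time `json:"exp"`
}

// Token adds an identity-provider HMAC so a rewritten "cnf" is detected
// (a real token is asymmetrically signed; HMAC keeps the example short).
type Token struct {
	Claims []byte
	MAC    []byte
}

func seal(key, claims []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(claims)
	return m.Sum(nil)
}

// IdP issues tokens bound to the requesting device's key.
type IdP struct{ Key []byte }

func (p *IdP) Issue(subject string, d *Device, ttl time.Duration, now time.Time) (Token, error) {
	claims, err := json.Marshal(Claims{Subject: subject, BoundKey: d.pub, ExpiresAt: now.Add(ttl)})
	if err != nil {
		return Token{}, err
	}
	return Token{Claims: claims, MAC: seal(p.Key, claims)}, nil
}

// ResourceServer shares the IdP key, re-evaluates a location policy on every
// request (the CAE-style check) and demands proof of possession (the binding check).
type ResourceServer struct {
	Key     []byte
	Allowed *net.IPNet // constructed policy: callers must come from this range
}

func (rs *ResourceServer) Authorize(t Token, callerIP string, nonce, proof []byte, now time.Time) (string, error) {
	if !hmac.Equal(seal(rs.Key, t.Claims), t.MAC) {
		return "", errors.New("token integrity check failed")
	}
	var c Claims
	if err := json.Unmarshal(t.Claims, &c); err != nil {
		return "", errors.New("malformed claims")
	}
	if now.After(c.ExpiresAt) {
		return "", errors.New("token expired")
	}
	// Checked per call, not only at sign-in: an unexpired token is refused as soon as it is used out of range.
	if ip := net.ParseIP(callerIP); ip == nil || !rs.Allowed.Contains(ip) {
		return "", errors.New("location policy violated: access revoked for this request")
	}
	// Only the device holding the bound private key can sign this nonce; a copied token stops here.
	if len(c.BoundKey) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(c.BoundKey), nonce, proof) {
		return "", errors.New("proof of possession failed")
	}
	return c.Subject, nil
}

func main() {
	dev, _ := NewDevice()
	tok, _ := (&IdP{Key: []byte("k")}).Issue("alice", dev, time.Hour, time.Now())
	_, corpNet, _ := net.ParseCIDR("10.0.0.0/8")
	rs := &ResourceServer{Key: []byte("k"), Allowed: corpNet}
	nonce := []byte("constructed nonce") // a server draws a fresh random one per request
	fmt.Println(rs.Authorize(tok, "10.1.2.3", nonce, dev.Prove(nonce), time.Now()))
}
```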

A new dashboard to help close policy gaps

The new identity protections described above are just part of what’s available for creating granular Conditional Access policies. To help you find vulnerable areas in your environment, we’re adding an overview dashboard to the Microsoft Azure Active Directory Conditional Access blade that summarizes your policy posture, identifies unprotected users and apps, provides insights and recommendations on Conditional Access coverage based on sign-in activity, and helps you investigate the impact of individual policies. This will help you more quickly identify where you need to better enforce Zero Trust principles, so you can strengthen your defenses.

Good permissions governance and protecting against identity compromise are essential strategies for keeping your people and resources safe.

Learn more

Learn more about Microsoft Entra.

To learn more about the new governance and identity protection capabilities described in this blog post, check out these Microsoft Secure sessions. To review all the new innovations announced at Microsoft Secure, read Vasu Jakkal’s blog post.



[1] 2023 identity security trends and solutions from Microsoft, Alex Weinert. January 26, 2023.

[2] Verizon 2022 Data Breach Investigations Report. 2022.

[3] Microsoft survey of 3,000 United States-based companies with more than 500 users. 2021.

[4] Add a Verified ID requirement (Preview), Microsoft Learn. January 24, 2023.

[5] What is entitlement management? Microsoft Learn. March 9, 2023.

[6] Navigating the ever-evolving authentication landscape, Pamela Dingle. January 10, 2023.

[7] Defend your users from MFA fatigue attacks, Alex Weinert. September 28, 2022.

[8] Conditional Access authentication strength, Microsoft Learn. January 29, 2023.

[9] Configure Microsoft cloud settings for B2B collaboration, Microsoft Learn. March 9, 2023.

[10] Token tactics: How to prevent, detect, and respond to cloud token theft, Microsoft Security Experts and Microsoft Incident Response. November 16, 2022.

[11] How to use Continuous Access Evaluation enabled APIs in your applications, Microsoft Learn. March 2, 2023.

[12] Conditional Access: Token protection, Microsoft Learn. March 8, 2023.

Microsoft Security innovations from 2022 to help you create a safer world today
http://approjects.co.za/?big=en-us/security/blog/2023/01/23/microsoft-security-innovations-from-2022-to-help-you-create-a-safer-world-today/
Mon, 23 Jan 2023 18:00:00 +0000

Learn about the more than 300 Microsoft Security innovations launched in 2022, and how we’re making cybersecurity more inclusive and representative of our communities.

The start of a new year is always a great time for reflection—to be grateful for all we have and the progress security teams have made as well as look ahead to how we can reshape the security landscape. I use this time to think about goals for the future, and to reflect on the highlights, achievements, and growth of the previous year, both personally and professionally. I want to take some time to reflect upon the progress we made in 2022 as part of our journey toward making the world a safer place for all.

Looking at the steady rise in cybercrime, it can feel like there are only gray skies on the horizon. Since September 2021, we have seen the number of password attacks rise from 579[1] to 1,287[2] per second. That’s a staggering increase. But at Microsoft, we’re moving into the new year full of hope and resolution. We center our actions around the belief that cybersecurity is about people—to protect, involve, and empower everyone.

We’re committed to innovating against the threats of today and tomorrow by harnessing AI, machine learning, and cloud technologies all brought together in an end-to-end security cloud. Since July 2022, Microsoft Security has delivered more than 300 product innovations—from minor updates to major launches like Microsoft Entra Workload Identities (November 2022). In addition, we now have more than 15,000 partners integrated across our security ecosystem so customers have the power to choose what works best for them. In a time when security professionals are being asked to do more with less—fewer people, scant resources, and less time—Microsoft has responded with a simplified, comprehensive security approach that protects your entire multicloud, multiplatform digital estate. And we continue to foster a diverse, inclusive new generation of cyber defenders who will keep us all moving ahead—fearlessly. Here’s a look at some of our newest innovations to help you move into the new year with confidence.

Unified innovations to protect you comprehensively and make your job easier

According to Microsoft research, 72 percent of chief information security officers (CISOs) and other C-level security professionals say that it’s very important for a technology vendor to offer a comprehensive set of products across security, compliance, and identity.3 We continue to respond to this need, and over the past year, we’ve streamlined and simplified our security solutions into six integrated product families designed to decrease your costs and enable growth. This simplification makes it easier for you to anticipate vulnerabilities, manage risks, and navigate a rapidly evolving threat landscape and regulatory environment. This comprehensive solution with interconnected product families covers extended detection and response (XDR), security information and event management (SIEM), threat intelligence, identity and access management (IAM), endpoint management, cloud security, and data protection, compliance, and privacy. For organizations that want to extend their ability to defend and manage threats, we’ve added a new line of managed services—Microsoft Security Experts.

[Figure: a circle graph of the six product lines under the multiplatform and multicloud Microsoft Security portfolio.]

Integrated security defense

As cyberattacks become more sophisticated, Microsoft continues to keep pace. We’re always pushing our limits and improving our products to help you eliminate security gaps and protect more with less. During the latter half of 2022, we extended our vision of simplified, unified protection—delivering hundreds of innovations to help protect your entire digital estate. Some of our notable launches over the past six months include:

  • Microsoft Defender for IoT adds agentless monitoring to secure enterprise IoT devices like Voice over Internet Protocol (VoIP), printers, and smart TVs—as well as Operational Technology (OT) devices in critical industries like energy, manufacturing, and healthcare.4 A dedicated integration with Microsoft 365 Defender adds XDR for Internet of Things (IoT) devices, which means less complexity and greater visibility within one unified security operational center. These entry points can be used to escalate laterally across your network and are often overlooked. 
  • Microsoft Defender Cloud Security Posture Management (in preview), helps your security teams save time and remediate critical risks with contextual cloud security. Get a continuous security assessment of your resources running across Microsoft Azure, Amazon Web Services (AWS), Google Cloud, and on-premises systems with new agentless scanning capabilities that provide real-time assessments across hybrid and multicloud environments. 
  • Microsoft Defender for DevOps (also in preview) integrates with Defender Cloud Security Posture Management to further connect the dots for security operations (SecOps) teams. Defender for DevOps empowers your team to unify and strengthen DevOps security to minimize vulnerabilities, then effectively prioritize and drive remediation across multipipeline environments. 
  • Microsoft Defender External Attack Surface Management also integrates with Defender Cloud Security Posture Management to help provide a better picture of your attack surface, including shadow IT and other unseen assets accumulated through normal business growth. This gives SecOps the ability to discover unknown resources that are accessible from the internet—the same view an attacker has when selecting a target. With this new tool, your team is empowered to maintain a dynamic inventory of external resources across multiple cloud and hybrid environments, helping to monitor unmanaged resources that could serve as potential entry points. 
  • Microsoft Defender Threat Intelligence empowers your team to better track threat actor activity and patterns.5 Uncover attacker infrastructure so you can accelerate your investigation and remediation with more context, insights, and analysis. Armed with this real-time data, your team can proactively hunt for threats, undertake custom threat intelligence processes and investigations, and even improve the performance of third-party security products.
  • Microsoft Defender Experts for Hunting provides a proactive threat-hunting service for customers who would prefer to have Microsoft experts help them hunt down threats using Microsoft Defender data.6 This new service covers not only endpoints, but also Microsoft Office 365, cloud applications, and identity. Our experts will investigate anything they find, then hand off contextual alert information and remediation instructions, enabling your team to respond quickly. 

Integrated data and identity protection

A recent industry study found that phishing, password spray, multifactor authentication fatigue, and other identity-driven attacks now account for 61 percent of breaches.7 And during the third quarter of 2022, approximately 15 million data records were breached worldwide—a 37 percent increase over the previous quarter.8 Because our adversaries aren’t slowing their attacks, we’ve continued to innovate and expand capabilities for Microsoft Entra, Microsoft Intune, and Microsoft Purview to help your team protect user identities, their endpoints, and the precious data that keep your business going.

  • Microsoft Entra Permissions Management (formerly CloudKnox Security) is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility and control over permissions for any identity and any resource in Azure, AWS, and Google Cloud.9 With Permissions Management, organizations can discover, remediate, and monitor permissions for all identities and resources across multicloud environments. This empowers your team to enforce the Zero Trust principle of least-privilege access at cloud scale using historical data—improving your security without interrupting productivity.
  • Microsoft Entra Workload Identities extends advanced capabilities, such as Conditional Access and Identity Protection, to your non-human identities, so you can manage their lifecycles with insight into access activities and protect them as well.
  • Microsoft Entra Verified ID—for Microsoft Azure Active Directory (Azure AD) subscribers (free and premium)—provides an easy option to issue, request, and verify credentials for employment, education, or any other claim.10 This decentralized identity system offers a convenient, portable way to verify your identity while controlling your own data.
  • Microsoft Entra certificate-based authentication (CBA) through Azure AD strengthens access controls and helps organizations reduce infrastructure costs, so even customers who have regulatory requirements for CBA can move authentication to the cloud and eliminate the need for Active Directory Federation Services (AD FS).
  • Microsoft Entra Identity Governance is a complete cloud-delivered identity governance solution that ensures only the right people have access to the right resources. This service includes the capabilities that were already available in Azure AD alongside more advanced tools: lifecycle workflows that automate repetitive tasks like employee onboarding; separation of duties, which introduces checks and balances within entitlement management; and provisioning back to your on-premises applications.
  • Microsoft Purview Data Loss Prevention adds new capabilities focused on granular policy configuration and on context for post-incident investigation on endpoint devices, helping users make informed decisions and take the right actions while using sensitive data, and so balancing security and productivity. A recent survey by MDC Research shows that a majority of customers purchase three or more products to meet their compliance and data protection needs. Stitching together disparate solutions is not only resource-intensive but also could lead to potential blind spots and gaps in an organization’s data protection strategy.11
  • Microsoft Purview Information Protection for Adobe Document Cloud provides a rights-management solution that helps you protect your data when it is shared in documents. This portable data protection solution combines native classification and labeling capabilities with the power of Adobe Acrobat to seamlessly secure PDFs with sensitivity labels and user-defined permissions. It is available for Windows and macOS.
  • Microsoft Purview Insider Risk Management adds analytics, quicker policy creation, new file path, keyword, and site URL exclusions to reduce false positives, and a new policy type to help detect risky browsing usage, all of which help organizations detect risky insider activities that may lead to a data security incident.12 Data breaches arising from insider threats cost businesses an average of USD 7.5 million annually. Our holistic insider risk management program report showed that the most effective way to address insider risks is to build a program focused on empowering your people, making user privacy a priority, collaborating across leadership, and addressing data protection and insider risk management from multiple lenses.13
  • Microsoft Purview eDiscovery APIs help organizations lower costs by leveraging automation to streamline repetitive workflows. The automation and extensibility of eDiscovery workflows help reduce staff hours and the likelihood of costly human errors, which is critical for organizations with complex requirements for litigation and investigation.

Looking back, I am appreciative of all we’ve accomplished. These innovations across the Microsoft Security comprehensive solution empower your team to move into this year with confidence—six integrated product families to help you protect what matters most.

Creating a safer world for all is our north star; it’s what drives us toward relentless innovation. We hope you will join us in this goal and discover new ways to stay ahead of the bad actors. Today, Microsoft Security helps to protect billions of people around the globe. Our ability to process trillions of signals daily gives us a unique vantage point to scan the threat landscape and help protect against sophisticated new attacks. As proof, the number of Microsoft Security customers almost doubled in the last year to more than 860,000 worldwide. That’s why Microsoft is driving the future of cybersecurity by continuing to invest in AI, machine learning, and cloud technologies.

Join us at Microsoft Secure to hear about future innovations

Be among the first to hear important security announcements from Microsoft leaders and learn how your organization can eliminate security gaps and cut costs with simplified, comprehensive protection for the new year at Microsoft Secure on March 28, 2023. This new digital event will bring our customers, partners, and the defender community together to share perspectives on navigating the security landscape and to build on real-world experience. Register today!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1. The passwordless future is here for your Microsoft account, Vasu Jakkal. September 15, 2021.

2. Microsoft Entra: 5 identity priorities for 2023, Joy Chik. January 9, 2023.

3. Microsoft Security audience tracking research, November 2022.

4. Introducing security for unmanaged devices in the Enterprise network with Microsoft Defender for IoT, Michal Braverman-Blumenstyk and Nir Giller. July 11, 2022.

5. Microsoft announces new solutions for threat intelligence and attack surface management, Vasu Jakkal. August 2, 2022.

6. Microsoft Defender Experts for Hunting proactively hunts threats, Microsoft Security Experts. August 3, 2022.

7. 50 Identity And Access Security Stats You Should Know In 2022, Caitlin Jones. January 6, 2023.

8. Number of data records exposed worldwide from 1st quarter 2020 to 3rd quarter 2022, Statista. November 29, 2022.

9. Microsoft Entra Permissions Management is now generally available, Alex Simons. July 7, 2022.

10. Microsoft Entra Verified ID now generally available, Ankur Patel. August 8, 2022.

11. New capabilities that help proactively secure data with Microsoft Purview Data Loss Prevention, Shilpa Bothra. October 12, 2022.

12. Detecting and investigating security risks with new capabilities from Insider Risk Management, Talhah Mir. October 12, 2022.

13. Microsoft publishes new report on holistic insider risk management, Bret Arsenault. October 6, 2022.
