Microsoft's latest security announcements have focused on securing Azure AD and Identity. Updates include stronger compromise prevention for Azure AD, a zero-trust business plan, and some changes to managing user authentication in Azure Portal.
Since it's a lot of news to work through, below is a recap of the highlights:
The updated Azure AD compromise prevention system, released last week, still uses supervised machine learning but expands the features and process used to train the model. This model, Microsoft says, aims to provide more accurate risk assessments by flagging more suspicious activity while reducing the number of false alarms.
Its system pulls data from several sources including user behavior, threat intelligence, network intelligence, and device intelligence. Known good or bad sign-ins, called "labels," aim to help teach the algorithm how to differentiate between the two. All of this intelligence is used train new machine learning models, which are deployed to the Azure AD authentication service and used to evaluate 30 billion authentications daily, Microsoft reports.
News of the Azure AD update arrived shortly after news of the SolarWinds breach began to make headlines. Reports indicate intruders used multiple attack vectors, one of which was distributing malware hidden in SolarWinds Orion network management software. The other, CISA reports, may have involved a multifactor authentication bypass, done by accessing a secret key from the Outlook Web App server. Late last week, Microsoft confirmed its network was breached.
Earlier this month, Microsoft released a zero-trust business plan to provide guidance for organizations starting the zero-trust implementation process. The document, which includes lessons learned from leaders who oversaw zero trust adoption in their own environments, lays out the process of planning, implementing, and measuring success of a zero trust deployment.
Some of the new features we saw come from Microsoft in recent weeks include updates to managing user authentication methods in Azure Portal. The new UX design lets admins add, edit, and delete users' authentication phone numbers and email addresses. As authentication methods are released in coming months, they'll appear and be managed in the same interface.
As part of usability improvements, Microsoft is simplifying how phone numbers are managed in Azure AD. Users now have two sets of phone numbers: a public number that is managed in the user profile and never used for authentication, and an authentication number managed under authentication methods and kept private. This will be available to all Directory-synced tenants by 2021.
Microsoft is also releasing new APIs to beta in Microsoft Graph. New authentication method APIs can be used to read and remove a user's FIDO2 security keys; read and remove a user's Passwordless Phone Sign-In capability with Microsoft Authenticator; and read, add, update, and remove a user's email address for Self-Service Password Reset.
Microsoft Authenticator will be updated with password management and autofill capabilities, which were made available for public preview last week. Authenticator will autofill passwords, which can be synced across mobile and desktop devices. Microsoft notes this is currently limited to Microsoft accounts and not for Azure AD-based work or school accounts.
Azure AD Application Proxy, which provides secure remote access to on-premise applications, will now support more applications, including those that use headers for authentication such as Peoplesoft, NetWeaver Portal, and WebCenter, Microsoft announced earlier this month. The new support started in public preview on Dec. 1.
To connect a header-based authentication application to Application Proxy, users will need Application Proxy enabled in their tenant and have at least one connector installed, Microsoft says. Its full blog post on the announcement has additional steps.