Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

05:50 PM
Connect Directly

Microsoft Ups Security of Azure AD, Identity

A roundup of Microsoft's recent security news and updates that focus on protecting identity.

Microsoft's latest security announcements have focused on securing Azure AD and Identity. Updates include stronger compromise prevention for Azure AD, a zero-trust business plan, and some changes to managing user authentication in Azure Portal.

Since it's a lot of news to work through, below is a recap of the highlights:

Related Content:

XDR 101: What's the Big Deal About Extended Detection & Response?

Building an Effective Cybersecurity Incident Response Team

New From The Edge: 5 Email Threat Predictions for 2021

The updated Azure AD compromise prevention system, released last week, still uses supervised machine learning but expands the features and process used to train the model. This model, Microsoft says, aims to provide more accurate risk assessments by flagging more suspicious activity while reducing the number of false alarms.

Its system pulls data from several sources including user behavior, threat intelligence, network intelligence, and device intelligence. Known good or bad sign-ins, called "labels," aim to help teach the algorithm how to differentiate between the two. All of this intelligence is used train new machine learning models, which are deployed to the Azure AD authentication service and used to evaluate 30 billion authentications daily, Microsoft reports. 

News of the Azure AD update arrived shortly after news of the SolarWinds breach began to make headlines. Reports indicate intruders used multiple attack vectors, one of which was distributing malware hidden in SolarWinds Orion network management software. The other, CISA reports, may have involved a multifactor authentication bypass, done by accessing a secret key from the Outlook Web App server. Late last week, Microsoft confirmed its network was breached. 

Earlier this month, Microsoft released a zero-trust business plan to provide guidance for organizations starting the zero-trust implementation process. The document, which includes lessons learned from leaders who oversaw zero trust adoption in their own environments, lays out the process of planning, implementing, and measuring success of a zero trust deployment.

Some of the new features we saw come from Microsoft in recent weeks include updates to managing user authentication methods in Azure Portal. The new UX design lets admins add, edit, and delete users' authentication phone numbers and email addresses. As authentication methods are released in coming months, they'll appear and be managed in the same interface. 

As part of usability improvements, Microsoft is simplifying how phone numbers are managed in Azure AD. Users now have two sets of phone numbers: a public number that is managed in the user profile and never used for authentication, and an authentication number managed under authentication methods and kept private. This will be available to all Directory-synced tenants by 2021.

Microsoft is also releasing new APIs to beta in Microsoft Graph. New authentication method APIs can be used to read and remove a user's FIDO2 security keys; read and remove a user's Passwordless Phone Sign-In capability with Microsoft Authenticator; and read, add, update, and remove a user's email address for Self-Service Password Reset.

Microsoft Authenticator will be updated with password management and autofill capabilities, which were made available for public preview last week. Authenticator will autofill passwords, which can be synced across mobile and desktop devices. Microsoft notes this is currently limited to Microsoft accounts and not for Azure AD-based work or school accounts. 

Azure AD Application Proxy, which provides secure remote access to on-premise applications, will now support more applications, including those that use headers for authentication such as Peoplesoft, NetWeaver Portal, and WebCenter, Microsoft announced earlier this month. The new support started in public preview on Dec. 1.

To connect a header-based authentication application to Application Proxy, users will need Application Proxy enabled in their tenant and have at least one connector installed, Microsoft says. Its full blog post on the announcement has additional steps. 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-22
This affects all versions of package jquery-ui; all versions of package org.fujion.webjars:jquery-ui. When the "dialog" is injected into an HTML tag more than once, the browser and the application may crash.
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1's API fail to filter POST request parameters. Remote attackers can inject SQL syntax and execute commands without privilege.
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1 backend editing function does not filter special characters. Users after log-in can inject JavaScript syntax to perform a stored XSS (Stored Cross-site scripting) attack.
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...