Identity at Microsoft Ignite: Securing access in the era of AI

As the digital world continues to expand, so do the risks and challenges of cybersecurity. There are more identities, endpoints, apps, and data to protect from nefarious groups staffed by skilled talent with funding from nation states and criminal syndicates. And in the new era of AI, there will be infinite new ways for malicious actors—including insiders—to cause damage.

 

Everything we’re adding to Microsoft Entra is designed to help you stay ahead of the evolving threat landscape. It all comes down to one principle: make it easier for you to stay secure. Whether you’re a large enterprise with a team of defenders or a small business with no IT department at all, we want to help you deploy the right tools and configure the right policies. At Microsoft Ignite 2023, we’re announcing the following new features and enhancements to Microsoft Entra:

 

Announcements: 

• Microsoft Entra + Security Copilot  
• Protect access to all applications and resources with Security Service Edge – Microsoft Entra Internet Access and Microsoft Entra Private Access 
• Auto-rollout of Microsoft-managed Conditional Access policies  
• Integrations for more robust Permissions Management 

 

Microsoft Entra + Security Copilot

 

Securing access requires a deep understanding of technology as well as business policies and regulations which sometimes makes the job of security professionals overwhelming. Fortunately, Microsoft Security Copilot is coming to Microsoft Entra to help you automate common tasks, troubleshoot faster, interpret complex policies, and design workflows.

 

In Microsoft Entra admin center, you can now ask Security Copilot to explain—in simple, conversational language—what a Conditional Access policy does or why MFA was triggered. You can use Security Copilot to troubleshoot identity scenarios, such as why a user couldn’t sign in. The embedded Security Copilot experience also offers a risk summary, remediation steps, and recommended guidance for each identity at risk to help you respond to identity risks quickly. Reduce gaps in configuration and increase efficiency when you’re building an ID Governance lifecycle workflow for joiner-mover-leaver scenarios such as onboarding new employees using the assisted workflow experience.

 

When investigating a security incident, you can ask Security Copilot about relevant sign-in and audit logs and get insights based on the context. Then you can get details about specific users, groups, workloads, sign-ins, roles, security alerts, and more. You can register today for the Security Copilot private preview, sign up to stay updated on all future developments, and if you’re a security partner interested in using Microsoft Security Copilot with your solutions, please sign up to join the Security Copilot Partner Ecosystem.

 

In the Microsoft Entra admin center, Microsoft Security Copilot explains in simple, conversational language what a Conditional Access policy does or why MFA was triggered.

 

Protect access to all applications and resources with Security Service Edge

Microsoft’s Security Service Edge (SSE) solution, now in preview, includes Microsoft Entra Internet Access and Microsoft Entra Private Access, and secures access to any app or resource for users and devices connecting from anywhere. 

 

The integrations across Microsoft’s SSE solution and the Microsoft Entra portfolio make it possible to enforce unified Conditional Access policies that consider identity, device, application, and now network conditions before granting access to any application or website. This works no matter which identity provider the application uses—without requiring any changes to the application.

 

 

Many of you are testing Microsoft Entra Internet Access, our identity-centric Secure Web Gateway (SWG), to secure access for Microsoft 365 traffic. We are expanding the public preview to include all internet apps and resources by the end of 2023 with new core capabilities: 

 

• Context-aware SWG with web content filtering to restrict end user access to unsafe and non-compliant content.  
• Universal Conditional Access to extend adaptive access controls to any network destination, such as an external website or a non-federated SaaS application.   
• Compliant Network Check, an easy-to-manage construct within Conditional Access. With this control, you can protect Microsoft Entra integrated cloud applications against token theft and ensure users do not bypass network security policies specific to their tenant while accessing critical cloud services. 
• Source IP restoration in ID Protection and Conditional Access location policies that maintains each user’s original source IP to enable backward compatibility of trusted location checks and continuous access evaluation, identity risk detection, and logging. 

 

Microsoft Entra Private Access is our identity-centric Zero Trust Network Access (ZTNA) for any private app or resource. New capabilities in private preview include:

 

• Support for more protocols in addition to TCP, including UDP and private DNS, so you’ll be able to transition from your traditional Virtual Private Network (VPN) to a modern ZTNA solution.
• Conditional Access controls and modern authentication methods, such as multifactor authentication (MFA), to secure access to all private applications and resources for remote and on-premises users.

 

Our SSE solution works with your existing security and network solutions through integrations across Microsoft’s security stack and open partner ecosystem. We’re partnering with other vendors in this space, starting with Netskope, to demonstrate seamless side-by-side operation in the same environment. We’re committed to giving you the flexibility to choose the SSE solution that best fits the network traffic in your environment. For both Internet Access and Private Access, we’re also announcing cross-OS client support for Windows and Android in public preview, and for MacOS and iOS in private preview. Our SSE solution is now available globally (except in China and Russia) with SSE edge locations coming in the future.

 

Join us at our upcoming Tech Accelerator Ask Microsoft Anything (AMA) session to discuss with our product experts all your questions about Microsoft’s SSE solution!

 

Auto-rollout of Microsoft Entra Conditional Access policies and more

 

Last year, we turned on security defaults in Microsoft Entra ID (formerly Azure Active Directory) for almost seven million existing tenants, which cut the number of compromises in those tenants by 80 percent. Based on the positive customer feedback, we’re helping more Microsoft Entra ID customers protect themselves by automatically enrolling eligible tenants into Conditional Access policies based on customer risk signals, current usage, and licensing. Microsoft-managed conditional access policies will start with three policies that enforce multifactor authentication (MFA) in high-risk scenarios. You can learn more details in Alex Weinert’s recent blog post, Automatic Conditional Access policies in Microsoft Entra streamline identity protection.

 

Tenant with Microsoft managed Conditional Access policies. The policy details are shown in a context pane to the right, indicating that the selected policy requires certain administrator roles to perform multifactor authentication when accessing the Microsoft admin portal.

 

But not all MFA methods offer equal protection. The more effective MFA methods, such as FIDO2 Security keys, Windows Hello, Microsoft Entra certificate-based authentication (CBA), and passkeys, use cryptographic techniques to make authentication phishing-resistant. The preview of Microsoft Entra CBA allows you to tailor authentication policies by certificate, resource type, and user group. All these phishing-resistant authentication methods make it possible to eliminate passwords altogether, so they can’t be guessed, intercepted, or phished.

 

Microsoft is committed to supporting passkeys across our ecosystem, starting with Windows 11. Once you create a passkey for a website, application, or service using Windows Hello, you can sign in from your device using your face, fingerprint, or device PIN. This gives enterprises and government customers an additional, phishing-resistant alternative to physical FIDO2 security keys. Microsoft Entra ID users will soon be able to sign in using passkeys managed from the Microsoft Authenticator app.

 

 

Lastly Microsoft Entra ID Protection now detects anomalies such as an unusual token lifetime or a token played from an unfamiliar location. When a trigger is alerted, Conditional Access can immediately expire the token and force reauthentication along with other measures, such as a password reset or step-up MFA, without requiring manual intervention. If a user makes a password change on-premises, Entra ID Protection can now automatically remediate their risk. This makes it easier for hybrid organizations to take advantage of user risk policies.

 

Integrations for more robust Permissions Management

 

Microsoft Entra Permissions Management has two significant integrations that will give you insights on permission risks so you can improve your security posture.

 

The Microsoft Defender for Cloud (MDC) integration preview consolidates identity and access permission insights with other cloud security information in a single interface. This view will display actionable recommendations for addressing permissions risks, as well as the Permissions Creep Index, and make it easier to enforce least privilege access for cloud resources across Azure, Amazon Web Services (AWS), and Google Cloud.

 

Microsoft Entra Permissions Management integration with Microsoft Defender for Cloud (MDC), which is now in public preview, provides and efficient way to consolidate insights into other cloud security posture information on a single interface.

 

The second integration, now generally available, allows ServiceNow customers to request time-bound, on-demand permissions for multicloud environments (Azure, AWS, Google Cloud) via the ServiceNow portal. This popular IT service management (ITSM) solution strengthens your Zero Trust posture by adding access permission requests to existing approval workflows in ServiceNow. Now when a user requests access approvals, the ServiceNow Plugin fetches the latest data from Permissions Management, then sends the requested user permissions, along with time-bound approval based on the requestor’s roles, back to ServiceNow.

 

Evolving secure identity and network access

 

Adopting a single integrated solution with comprehensive capabilities with Microsoft Entra will simplify access security for your admins and give your end users a better experience.

 

The Microsoft Entra portfolio works together to help you secure identities, devices, networks, and workloads. It extends to any user type, including customers, partners, and digital workloads. And now, with our SSE solution, Microsoft Entra is converging identity and network access controls into a single policy engine.

 

I hope the latest innovations in Microsoft Entra will make it easier for you to secure access to everything for everyone.

 

To learn more about our recent announcements, watch my session, Secure access in the AI era: What’s new in Microsoft Entra, at Ignite 2023.

 

Learn more

To learn more about Microsoft security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. 

 

 

Learn more about Microsoft Entra: 

• See recent Microsoft Entra blogs 
• Dive into Microsoft Entra technical documentation 
• Join the conversation on the Microsoft Entra discussion space and Twitter 
• Learn more about Microsoft Security