How does Azure AD protect my organisation?

I'll assume you've read my first post, which is a gentle introduction to modern authentication.

We now look at some of the security advantages of using Microsoft's Azure AD to act as your Identity Provider.


Azure Active Directory ('AAD') is of course the cloud successor to the very successful Active Directory, a distributed directory of users introduced at around the turn of the century.

Active Directory used a protocol called Kerberos (developed outside of Microsoft in the 80s and 90s) to carry out that all-important authentication handshake and carry tokens around the system.

The Azure version uses OpenID Connect, a widely used authentication protocol built on OAuth 2.0.  This ensures that the user's user name and password are not seen by the relying application, and that only the relying application can read and trust the token from AAD.

Connect your applications

As a company, you configure or write your applications to connect to AAD for authentication, and then your users (let's assume you have users in your AAD) will attempt to access those applications, be redirected to AAD for sign in, sign in successfully with their usual AAD user name and password, and will be passed back to the application to gain access - the flow we discussed previously. 

So far, so good - you've got an ever-green service using the latest industry standard protocols to protect your login information.

More secure

There are, however, other services which provide pretty much the same thing.  What distinguishes AAD is that in addition to supporting the most modern protocols, it also detects suspicious activity and guards against it.

Suspicious activity can be anything from multiple bad password attempts, impossible travel, activity originating at a suspicious IP address, stolen credentials, or being part of a botnet.  Microsoft stores information about some of these but detects others in real time - for example it can uncover botnet activity just because it has so many entry points worldwide which are subject to attack - over AAD, XBox,  , MSN, B2C and so on.

You'll find more info on some of this automatic threat detection here: https://docs.microsoft.com/en-us/azure/security/fundamentals/threat-detection 





Location: Bristol, UK

Comments

Post a Comment

Popular posts from this blog

Microsoft CIAM debuts at Build 2023

Image
For a long time we've been aware of Microsoft's efforts towards converging Azure Active Directory B2C and Azure Active Directory. They are making this change in order to provide a single stable product for the back end portal and other aspects of these identity services.  New developments will see a 'CIAM' product sitting on top of AAD - this replaces (or will eventually replace) B2C.   CIAM will also provide better experiences for developers hoping to build user journeys (sign in, sign up, etc.). Microsoft continues to support AAD B2C.  At time of writing it provides a fuller feature set.  However, B2C as-is will eventually retire, and migration paths will be important. The CIAM solution will offer more back-end management features, and an event-driven programming paradigm for user journeys. I will make more information available as and when!
Read more

LinkedIn now uses Verified ID for Employee verification

Image
  Microsoft Verified ID is a digital identity verification solution that enables individuals to obtain digital "credentials" from organisations that know them, or more accurately, that know some aspect of their identity.  For example, their name, their educational qualifications, or in this case, their employment status.  These credentials can then be shared with third-party organizations, such as employers or educational institutions, in a secure and trusted manner.  LinkedIn, which is owned by Microsoft, has integrated with Microsoft Verified ID to allow LinkedIn members to verify their employment status. Using this new integration, employers can create a custom process for verifying employees, and employees, once they have done this, can present the credential to LinkedIn in order to obtain the new green "check mark" on their LinkedIn profile. Currently this requires the LinkedIn app - at time of writing there is no announcement yet about migrating this feature t
Read more

Keeping safe beyond sign-in

Image
As The Register reports today , Microsoft briefly exposed a plethora of passwords and other secrets due to a bulk upload of data to GitHub recently. The data was a set of AI training data - data used to teach AI models how to understand the world around them. It makes no sense having the best locks on your front door if you leave the back door open... so what can we learn from this episode? Protecting passwords and other sensitive information from exposure to the wider world is essential for maintaining your online security. Here are some measures you can take: Use Strong, Unique Passwords: Create strong, complex passwords that are difficult to guess. Use a combination of uppercase and lowercase letters, numbers, and special characters. Avoid common dictionary words or phrases. Ensure your passwords are at least 12-16 characters long. Use a passphrase, which is a sequence of random words or a sentence that's easy to remember but hard to crack. Use a Password Manager: A password man
Read more