Entra Engineering Partner Airlift

It was the last bright sunny day in September and with a couple of colleagues, I was queueing for the lift which would take us to the top of the Space Needle in Seattle.



What were we doing so far from home and what were we going to see?

The Identity ‘Airlift’ (now the Entra Airlift) has been an event aimed at bringing key Microsoft partners together with the engineering team at Microsoft to discuss technical topics and plans for the future. It has been 3 years since an in-person Identity Airlift conference at Microsoft – and many of their team were meeting in person for the first time since the pandemic, so this event meant a lot to organisers and attendees.

As we reached the top of the Space Needle we could see a huge 360° vista – the landscape including distant peaks on the horizon, and nearby, downtown Seattle, Bellevue and Redmond, and above the ground, seaplanes and helicopters taking off and landing. It was breath-taking.

Back on the ground, we had not only seen the latest and greatest Entra features, we had seen and discussed what was on the virtual horizon, and our collective vision for a safer and more productive future.

Here are five takeaways from the conference:

The struggle is real 

Despite the best efforts of organisations like Microsoft to educate consumers and organisations about cyber security and to hit back against attackers, cyber attacks are on the rise. Some of the most sophisticated attacks – the kind perpetrated by nation states like Russia and China – can end up in the public domain, and teenagers can replay them from their bedrooms.

At the same time, there is a lot that can be done to counter these attacks, with Zero Trust as the starting point. The defence has also become more sophisticated, with identity at the core.

Microsoft has taken time to liaise with government regarding the response to some of the more devastating attacks, but emphasises that it has been necessary to develop a communications protocol for these kinds of high-level communications – nobody is going to believe someone calling them out of the blue, saying “hello, this is Microsoft, your computer is infected with a virus”!

Multi-factor authentication (MFA) is the much-heralded solution for reducing authentication-based attacks, and needs to be more widely used, but if overused it can be subject to fatigue issues, with users even confirming a sign-in via MFA when their identity is being spoofed elsewhere. So MFA with number matching (now in public preview) is the answer which will stop attackers in their tracks. You can apply this to any security group in your Azure tenant.
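As an added example (not code from the original post), this is how the number matching setting described above can be scoped to one security group through the Microsoft Graph beta authentication methods policy. The group id is a placeholder, and the property names are those of the beta endpoint as it stood during the public preview, which is an assumption to check against the current Graph reference.

```powershell
# Added example: scope Microsoft Authenticator number matching to a single security
# group using the Microsoft Graph beta authentication methods policy.
# Assumptions: Microsoft.Graph PowerShell SDK is installed, the signed-in admin can
# consent to the scope below, and the beta property names match the preview-era docs.

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

# Placeholder: object id of the security group that should be required to use number matching.
$GroupId = "00000000-0000-0000-0000-000000000000"

$Uri = "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator"

# Only the number matching feature setting is patched; the rest of the
# Authenticator configuration (enabled state, other targets) is left untouched.
$Body = @{
    "@odata.type"   = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    featureSettings = @{
        numberMatchingRequiredState = @{
            state         = "enabled"
            includeTarget = @{
                targetType = "group"
                id         = $GroupId
            }
        }
    }
} | ConvertTo-Json -Depth 5

Invoke-MgGraphRequest -Method PATCH -Uri $Uri -Body $Body -ContentType "application/json"

# Read the configuration back so the change is confirmed on a pilot group
# before widening the target to the whole tenant.
$Config = Invoke-MgGraphRequest -Method GET -Uri $Uri
$Config.featureSettings.numberMatchingRequiredState
```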

Verified ID is for everyone

Working together with other organisations backing the standards-based decentralised identity framework, Microsoft has a vision of a more consumer-centric future, where consumers are in control of how they share their digital identity, where that identity can be broken down into shareable elements so that they only share what they need to, where information about what they shared can be easily retrieved, and where the sharing of information can be revoked.

Running on blockchain, the technology is truly decentralised, and among other applications, together with the UN, Microsoft has developed a system for helping refugees 

The technology behind this also makes it easier for businesses and other organisations to share data about individuals – or rather, for individuals to be the guardians and gatekeepers of such data instead of organisations. Rather than exchanging data directly via complex APIs, organisations can simply use a standard protocol for requesting and checking user credentials.

One example of this is identity checks for employee onboarding. A passport checking service is able to issue a credential to the user’s digital wallet, verifying the user’s name.  Any organisation can access this credential using the decentralised ID framework, reducing the effort involved in the employee onboarding process.

Permissions Management provides multi-cloud permissions reporting and control

Entra Permissions Management (formerly CloudKnox) is a cross-platform tool providing reporting and management of permission risk. It covers Azure, Google Cloud, and Amazon Web Services.

Large organisations typically use multiple clouds to store resources and identities.  This increases the attack surface and provides for inconsistencies and ‘permission creep’.

Identity and security teams can lack visibility of permissions across these cloud platforms. Entra Permissions Management provides unified reporting, including a ‘permissions creep index’.

As well as reporting, you can manage and monitor permissions and policies.  You can also unify policies across cloud platforms to ensure consistency – giving you the ability to enforce the principles of ‘least privilege’ at cloud scale.

Multi-tenant orgs are about to be more manageable

Many large and complex organisations manage their users within more than one Azure tenant.  A typical example of this is where tenant ‘A’ belongs to an acquiring organisation and tenant ‘B’ belongs to the acquired organisation.  Unless or until users are permanently moved to tenant A, it may be that users in tenant B need to access resources in tenant A and vice versa.

Until now, managing users across different Azure tenants has typically involved a manual element, whether tenant B users themselves have to apply for tenant A Access Packages, or admins in tenant A have to invite tenant B users to the tenant.

What customers are looking for is a way for this to happen automatically, so that in the process of onboarding to tenant B, users (or users in specific groups) are onboarded to tenant A without having to do anything else.

While I can’t share the exact details of the changes to come, Microsoft do have a solution for this which will be available in public preview very soon.

JML is about to get easier

Many of our clients are looking for ways to reduce their reliance on on-premises systems when the cloud offers better security, reliability, and performance. In the case of managing access for joiners, movers and leavers (JML) within large organisations, there has in the past been little flexibility in Azure for automating the tasks that accompany these employee lifecycle events.

While MIM is not going away any time soon, Microsoft are looking at creating ‘hooks’ for all of these employee lifecycle-related events, which means that you will be able to attach processes like Logic Apps to them in order to ensure that you can make automated attribute changes, send emails, trigger provisioning logic, and so on.

B2X Convergence is happening

B2C is an authentication platform aimed at end-users, giving users a secure method of sign-in while at the same time making it easier than ever to sign in, driving engagement up.  It has a flexible user interface which is orchestrated by B2C ‘policies’.

B2B collaboration is a method of inviting external users into your Azure tenant to collaborate and use resources.  It can make use of Access Packages and Access Reviews but the interface is fairly rigid.

While these two features seem very different, they are built on the same technology and utilise the same standards and protocols. So it hasn’t been a secret that Microsoft’s vision for External Identities is to have B2C and B2B singing from the same hymn sheet.

However, the practical vision for this combined feature has been under wraps for a while, until now. Microsoft are soon going to be releasing a feature-limited version of the converged product, so watch this space!
