Microsoft Ignite: Security takes center stage, Part 1: Identity as the new control plane
November 15 2019
by Garrett Bekker, Scott Crawford
Security was a big focus at this year's Ignite – the first time that Microsoft has had a dedicated security track. The company is placing a big emphasis on hybrid use cases and cross-platform capabilities – and not just for the Microsoft ecosystem.
Within security, Microsoft has a unique opportunity: Windows is ubiquitous on endpoints, Office 365 is an equally ubiquitous productivity suite, capabilities from Exchange to the Power portfolio add to its enterprise presence, and Azure has become a major contender among cloud providers. This has led the company to not only invest in security that leverages these strengths, but to also branch into new areas such as security operations. We will take a closer look at these capabilities and the announcements made around them at Ignite 2019 in Part 2 of this report.
In Part 1, we focus on a key area of emphasis this year: identity and identity-related topics, such as identity governance and password-less authentication. To illustrate just how great a hold Microsoft has on identity interests, one of the sessions detailing new features in Azure Active Directory (Azure AD) had hundreds of attendees and was turning people away at the door.
Overall, Microsoft has been busy updating and investing in identity-related technologies, specifically Azure AD, in addition to making extensive investments in reliability and uptime after some notable outages. Microsoft is also placing big bets on open standards like OAuth2, OpenID Connect, and FIDO2 for authentication and authorization; SCIM for provisioning users and applications; and JSON and REST for APIs.
The 451 Take
In the on-prem world, Microsoft was the de facto 800-pound gorilla in identity (at least for directory services), with over 90% market share for Active Directory. Azure AD is now much more than a directory, with a full identity and access management (IAM) stack that includes multi-factor authentication (MFA), single sign-on, governance and privileged account management functionality. As Microsoft continues to enrich Azure AD with more features, we expect that it will be increasingly difficult for independent IAM vendors to compete on level terms, particularly if Microsoft lives up to its promise of being truly cross-platform and takes advantage of its many hooks into the hybrid world that we will likely be living in for the foreseeable future. Competitors could face a vexing decision: try to remain a step ahead of Microsoft in terms of innovation and new features, or 'go where Microsoft isn't' (i.e., into adjacent areas or niches that provide white space in the market). That said, many of the announced features remain roadmap items, and Microsoft will still need to execute on the vision laid out at Ignite. Pricing and licensing also remain an area of confusion – something that competitors could try to exploit.
From an overall security perspective, Microsoft's extensive security efforts are now centered on four key areas: identity, threat protection, information protection (data security) and SIEM/analytics. We will look at the latter three categories more closely in Part 2, but with respect to identity security, the new identity-related features and functionality announced largely are centered on new governance and provisioning capabilities and authentication – specifically password-less authentication initiatives based on the new FIDO2 standard.
Governance and provisioning
In the governance and provisioning area, Microsoft had previously offered several ways to get new users into Azure AD: type them manually via the Azure AD user interface, use PowerShell or use Azure AD Connect to synchronize users from an on-premises directory. Microsoft has added several new options, including the ability to upload users by importing and exporting .csv files; in coming months, admins will also be able to import users from cloud-based HR systems from Oracle HCM and SAP SuccessFactors, in addition to Workday via the new Azure AD Cloud HR User Provisioning.
Microsoft also announced the public preview of Azure AD Connect cloud provisioning, which makes it easier to connect multiple disjointed AD forests into Azure AD for complex environments that may have multiple locations or forests globally, possibly from frequent M&A activity. Enterprises can sync their identities into Azure AD by placing lightweight agents/connectors in front of each on-prem forest, and the connectors will handle all the schema transformations and de-duplication automatically, eliminating the need to set up a large on-prem sync server.
Also coming are a series of prebuilt SCIM connectors to make it easier to extend Azure AD into on-prem legacy applications and provision users directly from a cloud HR system of record (like Workday) to legacy on-prem applications.
Microsoft also has invested in bridging the gap between managing identities for employees and for partners and customers, and as part of that effort will extend Conditional Access and Identity Protection to Azure AD B2C within the next year or so. There are now several options for provisioning external partners or customers into Azure AD B2B via direct federation with any IDP that supports SAML or WS-Fed. Partners without an identity system of their own can also be provisioned into Azure AD B2B via a Google account or Gmail ID, or via an email message with a six-digit code for those without a Google ID.
Cloud-based Identity Governance with entitlement management is now generally available. The latter allows businesses to define access packages, and enables employees and partners to request and be recertified for access to resources they need. Down the road, Microsoft will extend support to governance of on-prem apps and will include new privileged account management features.
Most enterprises are hybrid, have apps that cannot be migrated to the cloud over time, and often use legacy authentication methods and protocols that are not compatible with Azure AD. Secure Hybrid Access is a partner program that allows on-prem apps – those exposed via a gateway device, those lifted and shifted to Azure, AWS or Google Cloud Platform, and those that may use header-based authentication or Kerberos – to be managed via Azure AD, Conditional Access and Identity Protection policies without needing on-prem AD or ADFS servers.
Microsoft's app portal is called My Apps, and brings together all the apps a user has rights to in a single location for both cloud and on-prem apps. Workspaces is a new feature that allows users to set up a view of their most important apps so they can easily find them without searching through hundreds of apps. Users will soon be able to launch both Office and non-Office apps via the app launcher.
Perhaps the most high-profile announcements focused on Microsoft's efforts around MFA and password-less authentication. Microsoft now offers several varieties of strong authentication, including Windows Hello facial recognition, the Microsoft Authenticator mobile app and now FIDO2-based security keys from partners such as Yubico. Despite consistent calls for the end of passwords in recent years, enterprise MFA adoption hovers at 53%, according to 451 Research.
[Figure: survey chart, "What is your organization's status of implementation for the following technologies?" Source: 451 Research's Information Security, Workloads and Key Projects, Q1 2019]
To that end, Microsoft has made considerable efforts to drive broader adoption of MFA: as of November 1, customers on any Azure AD plan can use MFA or password-less authentication for free. Furthermore, MFA will soon be turned on by default in all new Azure Active Directory tenants for Microsoft 365, Office 365, Dynamics and Azure.