At the 2019 ThirdSpace Identity and Security Summit, we got a sneak preview of the exciting developments coming to Azure AD over the next few months.
This year’s Identity and Security Summit saw the return of a familiar face from Microsoft’s Identity Division.
Delivering the opening keynote of day one, Alex Simons, the Corporate Vice President for Identity Program Management at Microsoft, outlined how the technology giant would be developing its identity and security offerings in the coming months, including announcements to be revealed at their November Ignite conference.
Alex covered a great deal of new announcements and features coming to the Azure AD platform over the next three to six months, but let’s dig in and pick out some of the standout moments from Alex’s hour-long presentation.
Alex began by explaining that we’re currently experiencing the fifth major transformation of the past 100,000 years. Microsoft believe this transformation is being driven by four key elements:
These factors present a great deal of disruption, but also opportunity. Microsoft’s plan to adapt to these trends is to develop a strategy built on five key pillars:
As part of these pillars, Alex revealed a series of new developments and capabilities that will be coming to Microsoft’s flagship cloud identity platform, Azure AD. The full presentation can be viewed on-demand from our resources section but here are the key announcements to be aware of:
By Alex’s own admission, this was a feature he didn’t even know was needed until customers requested it. What those customers wanted was to be able to get new firstline staff up and running much faster.
Businesses with warehouse or retail operations frequently experience a higher level of staff turnover, and the long process of getting someone into the HR system before they can be provisioned with access to the applications they need is no longer acceptable.
What this latest feature does is allow store managers to rapidly get staff set up on devices using their phone number as their ID, eliminating the need to remember a lengthy new username.
Using their phone number, they can log in and be provided with a code to secure access, allowing them to immediately get to work. As an example, Alex mentioned that the hotel chain Marriott would be using this for when they open a new hotel and have a lot of new staff that need to be quickly onboarded.
Speaking of getting people into the HR system, Azure AD’s HR cloud provisioning services are growing.
As announced at this year’s Microsoft Ignite expo, an Azure AD integration for SAP’s HCM system, SuccessFactors, will be entering public preview as well as an integration with Oracle’s HCM services.
SuccessFactors and Oracle join the existing Workday integration, which really opens up the opportunity for organisations to provision users straight from their HR data into the Cloud, whilst still being compatible with their on-premises AD.
That data can then be used to assign applications and access based on their groups and roles, as well as automate lifecycle management, making the whole process much, much easier.
In the interest of making applications more accessible to users, there’s now a one-stop-shop for all your applications.
The new MyApps portal allows organisation admins to group applications into workspaces. This ensures that users should only see the apps that they’ll actually need, from more general HR apps to job specific applications.
Users will also have the option to customise this space and remove or add applications they feel are needed.
It also means that for those applications not used frequently, users know where to find it when they need to, rather than having to go looking.
In conjunction with the new apps portal, Alex also revealed a new My Account experience, where users can update or amend their profile and security information. Not revolutionary, but it helps streamline and simplify the interface, making life easier for users to self-service things like password reset and device management.
True to their ethos on open standards, Alex announced that Microsoft would be deepening its 3rd party integrations in Azure.
Organisations using a 3rd party service such as F5 or Zscaler to allow users remote access to on-premises apps will now have the authentication process handled by Azure AD. So, regardless of location or authentication method, all apps will have their authentication pass through Azure AD.
This means that organisations with a mixture of on-premises and multi-cloud architecture can make use of Azure’s authentication across all their apps without having to rework or restructure their whole network.
Another new feature to be announced at Ignite is the introduction of Microsoft’s cloud provisioning service.
This allows organisations to quickly bring any disparate Active Directory forests directly into their Azure AD tenant. It removes the need for a physical Azure AD Connect server, as the process is instead managed by a series of lightweight cloud connectors.
This way, organisations can quickly assimilate new acquisitions and large ADs into a single cloud space rather than have all their identities spread out across servers.
“That’s our goal, to give you this one, completely integrated IAM service across everything you could need,” Alex said. This statement was accompanied by a packed slide featuring all of the identity and access management capabilities Azure AD can (and will eventually) take care of.
Microsoft’s aim is to move all identity processes into the Cloud so that anything you could do on-premises can be done in the Cloud.
Alex commented that he’s frequently asked what’s happening with Microsoft Identity Manager (MIM). He stated that MIM still has another decade of support lined up, so it’s not going anywhere soon, but they are moving all that capability into the Cloud to provide one integrated service across everything you could need.
“What you’ll notice is we’re in the process of adding all of the MIM capabilities into Azure Active Directory.”
To that end, Microsoft has been hard at work improving their identity governance offerings.
Going into general availability at Ignite, Azure AD now offers functionality such as entitlement management, employee and partner lifecycle management, access campaigns and privileged identity management for use in Office, Azure or 3rd party workloads.
Alex acknowledged that most of the governance features have been entirely customer driven:
“Customers were saying, ‘Hey, you can’t just give me an identity management system, there has to be some way to manage these and make sure that I can clean up and get rid of my compliance and security risk rather than just let it accumulate’.”
Alex explained that the eventual goal is to allow partners and customers to use their own single identity when accessing your network (either their own Azure ID or a social ID from Facebook, etc.), but that in doing so, they would be subject to your security and access requirements.
The aim is to have one integrated solution for all identities, whether employee, customer or partner. The only significant difference between them is that you would buy licences for employees and pay per usage for external users.
Alex said we should start to see more significant steps toward this outcome in the spring of 2020.
Anyone of the opinion that Microsoft ‘doesn’t do security’ would be hard-pressed to hold onto that stance having seen the steps Microsoft has made with its conditional access policies.
The sheer level of control and information organisations can now gain via these policies is staggering:
“You can see every single attempt to get to any one of your resources. We show you the device, the user, the IP address, which conditional access policies were fired and evaluated, why something failed, what the outcome was… an unbelievable level of detail for every single action that’s been taken.”
Using machine learning and AI, the latest batch of improvements allows Microsoft to analyse an access attempt and take an automated response on an organisation’s behalf in less than a hundred milliseconds.
This response is specified by the organisation, of course, and can result in a number of different actions depending on the perceived risk level, such as preventing them from downloading and printing, insisting on further authentication or simply blocking them altogether.
Alex also outlined a new ‘Report-only Mode’ coming into public preview by the end of this year. This mode, affectionately referred to as the ‘Don’t fire me mode’ by Alex, allows admins to run conditional access policies on their environment before activating them.
This allows an admin to see how many times key figures within the company (their CEO, for example) would have been accidentally denied access without finding out the hard way.
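One way to turn report-only results into the “who would have been locked out” answer described above, as an added example that is not part of the original post or of Microsoft’s tooling. It assumes sign-in records shaped like Microsoft Graph `signIn` entries, where each applied policy carries a `result` such as `reportOnlyFailure` (evaluated but not enforced); the sample records below are constructed.

```python
from collections import defaultdict

# Constructed sample sign-in records, modelled on the Microsoft Graph `signIn`
# shape (assumption: only the fields used here are included).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "ceo@example.com", "appName": "Exchange Online",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users", "result": "reportOnlyFailure"},
         {"displayName": "Block legacy auth", "result": "reportOnlyNotApplied"}]},
    {"userPrincipalName": "analyst@example.com", "appName": "Azure portal",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users", "result": "reportOnlySuccess"}]},
    {"userPrincipalName": "ceo@example.com", "appName": "SharePoint Online",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users", "result": "reportOnlyFailure"},
         {"displayName": "Block legacy auth", "result": "reportOnlyFailure"}]},
    # An enforced policy that really did block: not a report-only finding.
    {"userPrincipalName": "contractor@example.com", "appName": "Azure portal",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block legacy auth", "result": "failure"}]},
]

# Report-only outcomes that mean "this sign-in would have been denied".
WOULD_DENY = {"reportOnlyFailure"}


def report_only_impact(signins):
    """Per report-only policy: how many sign-ins it would have denied and
    which distinct users would have been affected. Enforced results are ignored."""
    impact = defaultdict(lambda: {"would_deny": 0, "users": set()})
    for s in signins:
        for p in s.get("appliedConditionalAccessPolicies", []):
            if p["result"] in WOULD_DENY:
                entry = impact[p["displayName"]]
                entry["would_deny"] += 1
                entry["users"].add(s["userPrincipalName"])
    return {name: {"would_deny": v["would_deny"], "users": sorted(v["users"])}
            for name, v in impact.items()}


def vip_would_be_locked_out(signins, vips):
    """Names of report-only policies that would have denied any sign-in by a VIP
    (for example the CEO), so the policy can be tuned before it is enforced."""
    return sorted({p["displayName"]
                   for s in signins if s["userPrincipalName"] in vips
                   for p in s.get("appliedConditionalAccessPolicies", [])
                   if p["result"] in WOULD_DENY})
```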
All of these new and upcoming updates give organisations super flexible policy and security options, all enforced in one place with tremendous amounts of control and reporting detail.
Azure’s conditional access capabilities are powered by Microsoft’s identity protection software.
Using machine learning, Azure AD Identity Protection now produces a new set of algorithms to assess user risk every 24 hours.
Alex commented: “One of the things we’ve learnt from doing this is that any algorithms we create, within about 5 – 7 days start to deteriorate if you don’t keep on top of it. Any service that keeps their algorithms for a while, you’re going to find that by the end of the week you’re getting compromised.”
There are also a host of new detections coming to identity protection, including the ability to simulate a password spray attack to see who amongst your employees has a particularly weak password and then get them to change it.
Passwords and usernames are the top threat to most enterprises.
Alex revealed that 81% of successful enterprise attacks last year were due to compromised usernames and passwords.
“The only people who love usernames and passwords are hackers.”
Corporate password policies condition users to choose easy-to-remember passwords, which in turn makes them easier to break.
This is why Microsoft is pushing so hard on alternative forms of authentication. According to Alex, passwordless sign-in already exists for some 85 million users, using a combination of Windows Hello, the Microsoft Authenticator app and FIDO2 security keys.
Microsoft aims to get that number to around one billion passwordless users a month, so there’s some way to go, but passwordless uptake is definitely growing.
To wrap up his keynote, Alex spent some time outlining where Microsoft sees all of this going.
Microsoft’s vision of the future is built upon decentralized identity, where users take back ownership of their data and identity which can then be used by organisations both to perform data processing and to ensure that user is verified.
The motivation behind this was to find a way to answer the following question: “How do you give back control of a user’s personal data, make it into a portable, verifiable format but also have it easily available for when you need to run a business process without taking on the GDPR privacy risks inherent in that?”
Microsoft believes the answer to this lies in a set of verified credentials that show up as ‘cards’ in a digital wallet. These could be loyalty cards, student cards, professional qualifications, etc., all verified through open standards and modern security protocols.
Alex said that the aim is to eventually get these cards to the point where they’re legally accepted as identification, i.e. using a digitally verified card of your driver’s licence as proof of age.
More on Microsoft’s plans for decentralized ID can be found here.
Alex revealed a great deal of exciting new changes and features coming to Azure and its related technologies over the coming months.
We’ve highlighted the more important announcements here, but if you’d like to view the full presentation you can do so from our resources section.