Microsoft is Consolidating Microsoft Account and Azure AD Authentication Models

In the current Microsoft cloud world, there are two core identity management systems: 1) the Microsoft account and 2) the Azure AD account. As a user, you are continually asked to choose whether you are a business user or a personal user, and then you log in using one of these two paths.

For developers building applications against these identity stores, there are two separate APIs to contend with to authenticate the user, enforcing the same forking of the authentication workflow and making it more complex to build applications.

Microsoft has announced that it is working on a single, consolidated authentication flow, giving users one sign-in experience and developers one API. The App Model v2.0 is now in preview.

Instead of forcing the user to say which type of account they are using, the API will figure it out under the covers and authenticate either account type in a single flow. In addition, the API for authenticating either Microsoft personal accounts or Azure AD accounts will be the same, making it easier for developers to build external applications that use these accounts as identities.


Admin Security Reviews Come to Azure AD Premium in Preview

Admin accounts expose an enterprise to significant risk because they have access to potentially hundreds of services, accounts and settings that, if compromised, could wreak havoc on the organization’s overall security. As part of an overall enterprise security program, periodically validating that these accounts are still active and still held by the right people keeps the threat they pose to a minimum.

Microsoft has now introduced a new “Security review” process as part of Azure AD Premium (which is itself part of the Microsoft Enterprise Mobility Suite bundle) that allows the security administrator to validate administrator accounts through the following process:

  • Security administrator picks a privileged role, such as Global Administrator, where they believe administrators might still be holding that role who no longer need it.
  • Azure AD sends each user in that role a notification, and they respond in the Azure portal whether or not they still need that role.
  • The security administrator reviews the results to decide who to remove from the role.
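The three steps above are a manual workflow in the Azure portal. As an added illustration (not Microsoft's code, and not the behaviour of the Azure AD feature itself), the following Python script models the decision the security administrator makes in the last step: it combines each role holder's self-reported answer with evidence of whether the role has actually been used, and sorts holders into remove, keep and escalate buckets. The role assignments, last-use dates and responses are constructed sample data; the policy that a non-responder whose role has gone unused is treated as not needing it, and that a "still needed" answer with no recent use is escalated for verification rather than accepted, is an assumption chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class RoleAssignment:
    """One user's membership in a privileged directory role (constructed example data)."""
    user: str
    role: str
    last_used: Optional[datetime]   # last time the role's privileges were exercised, None if never
    response: Optional[str]         # "needed", "not_needed", or None if the user has not answered


def review_role(assignments: List[RoleAssignment], role: str, now: datetime,
                stale_after_days: int = 90) -> Dict[str, List[str]]:
    """Sort holders of `role` into remove / keep / escalate buckets.

    Policy (assumed for this example):
      - user says the role is not needed            -> remove
      - no answer and no use within the window      -> remove (silence plus inactivity)
      - no answer but recent use                    -> escalate (follow up before removing)
      - user says needed but no use within window   -> escalate (claim does not match evidence)
      - user says needed and has used it recently   -> keep
    """
    window = timedelta(days=stale_after_days)
    result: Dict[str, List[str]] = {"remove": [], "keep": [], "escalate": []}
    for a in assignments:
        if a.role != role:
            continue
        stale = a.last_used is None or (now - a.last_used) > window
        if a.response == "not_needed":
            result["remove"].append(a.user)
        elif a.response is None:
            result["remove" if stale else "escalate"].append(a.user)
        elif a.response == "needed":
            result["escalate" if stale else "keep"].append(a.user)
        else:
            raise ValueError(f"unexpected response {a.response!r} for {a.user}")
    return result


# Constructed sample: a Global Administrator review run on 2015-06-01.
NOW = datetime(2015, 6, 1)
SAMPLE_ASSIGNMENTS = [
    RoleAssignment("alice", "Global Administrator", datetime(2015, 5, 28), "needed"),
    RoleAssignment("bob",   "Global Administrator", datetime(2014, 12, 1), "not_needed"),
    RoleAssignment("carol", "Global Administrator", None,                  None),
    RoleAssignment("dave",  "Global Administrator", datetime(2015, 5, 20), None),
    RoleAssignment("erin",  "Global Administrator", datetime(2014, 11, 1), "needed"),
    RoleAssignment("frank", "Exchange Administrator", datetime(2015, 5, 30), "needed"),
]


def run_sample_review() -> Dict[str, List[str]]:
    """Review the constructed Global Administrator assignments against NOW."""
    return review_role(SAMPLE_ASSIGNMENTS, "Global Administrator", NOW)


if __name__ == "__main__":
    for bucket, users in run_sample_review().items():
        print(f"{bucket:>8}: {', '.join(users) or '-'}")
```

The important design choice is that a missing response never silently preserves the role: a reviewer who only removes the people who answered "not needed" leaves every dormant or abandoned account untouched, which is exactly the population the review exists to find. Holders in the escalate bucket are the ones worth a conversation before the role is removed or confirmed.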

The security review process is in addition to the existing features of the Privileged Identity Management service, which gives global administrators the ability to:

  • Discover and monitor privileged roles. The Azure AD PIM Dashboard gives you visibility into and tracking of users with privileged roles.
  • Automatically restrict the time that users have these privileged permissions through on-demand “just in time (JIT)” activation of permissions for pre-configured time windows.
  • Monitor and track privileged operations for audit purposes or security incident forensics.
