News

Microsoft Goes Live with Password Protection for Azure AD Users

• By Kurt Mackie
• 04/02/2019

Microsoft's Azure Active Directory Password Protection feature is now deemed ready for deployment by organizations, having reached "general availability" status, according to Microsoft's announcement on Tuesday.

Password Protection is a service that's designed to diminish the threat of password spray attacks. It was at the preview stage back in June, and Microsoft's announcement noted that the agents used with the preview version of the service "will stop working after July 1, 2019."

With password spray attack scenarios, attackers try commonly used passwords (such as "password" and "12345678") against all users in an organization to find a weak link and gain a network foothold. Microsoft uses a banned password list as part of the Password Protection service to prevent users from creating guessable passwords. Organizations can also add a customized list of banned passwords.

According to Microsoft's licensing requirements, organizations that are "cloud-only" Azure AD users can use Microsoft's banned password list with the Password Protection service. However, to use a custom list, organizations will need to have Azure AD Premium P1 or P2 licensing in place. Premium licensing is also required for organizations that use Windows Server AD on-premises and synchronize their identity and access management service with Microsoft's service.

Last year, Microsoft outlined its best practice concepts for passwords. Along with blocking guessable passwords, Microsoft recommended that network administrators should use multifactor authentication (a secondary identify-verification measure) on top of passwords. Moreover, Microsoft contended that end users should not be compelled to regularly change their passwords since they'll likely just choose guessable patterns as a consequence.

Azure AD B2C Customization Framework
Last week, Microsoft announced the general availability of the Identity Experience Framework for Azure AD Business to Consumer (B2C) users. The framework lets organizations using the Azure AD B2C service customize the consumer end user experience when more complex access scenarios are required. It's done by using XML configuration files and adding a "special query parameter to HTTP authentication requests," according to this Microsoft document description:

Custom policies can be changed to complete many tasks. A custom policy is one or several XML-formatted files that refer to each other in a hierarchical chain. A starter pack is available for custom policies to enable common identity tasks.

Organizations might use the framework if their access solution needs to "interoperate with multiple identity providers and data sources," Microsoft's announcement explained. Microsoft cited the case of the Subway sandwich company, which needed customization to move its customers away from using an old identity management system.

In other Azure AD-related news this month, Microsoft announced that its naming policy for Office 365 Groups reached general availability. It lets IT pros automatically add prefixes or suffixes to Office 365 group names created by end users, and IT pros can also block the creation "bad" group names.

Microsoft's Identity Hub Vision
Microsoft also outlined a vision on Friday whereby individuals could gain greater control over the use of their identity information. Such control can be facilitated through the use of a blockchain-based "Identity Hub," an electronic ledger that stores Decentralized Identifiers but not personal identity data. Such a scheme wouldn't be reliant on the trustworthiness of a service provider.

To that end, Microsoft has been contributing open source code to the Decentralized Identity Foundation, which maintains an Identity Hub project. It's also working with the World Wide Web Consortium's Credentials Community Group. In addition, Microsoft has been building its own georedundant Identity Hub version, which will be "backed by Azure's operational guarantees."

The blockchain-based Identity Hub can be independent of a service provider, Microsoft's announcement noted:

An Identity Hub can run in the cloud, on edge devices, or any infrastructure that can implement the Identity Hub's replication protocol. This means that users do not have to rely on a single cloud provider, like Microsoft, to act as a single, centralized custodian for their personal data. Instead, users can maintain a replicated instance of their Identity Hub on devices they physically own. They can also set up multiple cloud Hub providers, to reduce risk that their data will become unavailable.

Microsoft is working to build connectors that will let users choose which data store to use for an Identity Hub.

Microsoft already has a Decentralized Identity home page. It housed a whitepaper on the project, as well as Microsoft's overall vision in which every user has "a digital identity that they own" with "complete control over how identity data is accessed and used."

The Decentralized Identity Foundation that's creating the standards will be 2 years old next month. It's not clear when these standards might get implemented. However, it appears to be a growing effort. The Decentralized Identity Foundation counted 56 members in its first year, for instance.