Microsoft Bumping Up SLA Support for Azure Active Directory B2C Service

Microsoft had lots to say this month about its Azure Active Directory service.

Organizations can look forward to a coming new B2C service-level agreement (SLA). They're also facing the end of support for a legacy Azure AD integration in the Azure Kubernetes Service. Microsoft talked about general FIDO2 progress for authentications without passwords. It also described ServiceNow help-desk integration perks.

Azure AD B2C 'Four Nines' Support
With regard to the Azure AD B2C (Business to Consumer) service, Microsoft is planning to increase its SLA uptime assurance to "four nines" (99.99 percent), starting on May 25, according to a Wednesday Microsoft announcement.

This bump-up in SLA support will just apply to user traffic, though, and Microsoft is planning to alter its SLA to reflect that change. Here's how that notion was expressed in the announcement:

This [change in the Azure AD B2C SLA] builds on our recent announcement of 99.99% uptime for Azure AD user authentication beginning April 1, 2021. In alignment with our updates to the Azure AD SLA, we are revising the Azure AD B2C SLA to include only user authentication and federation in the definition of Azure AD B2C SLA availability.

Back in mid-December, Microsoft had said it would bump up the SLA to 99.99 percent for its Azure AD service, starting on April 1. However, it indicated back then that the SLA would be altered to apply just to end-user access, and not to administrative activities that might get interrupted by Azure AD downtime.

That circumstance also seems to be the case for the 99.99 percent SLA for the Azure AD B2C service that's coming in May.

AKS and Legacy Azure AD Deprecation
Microsoft issued a brief notice on Tuesday for Azure Kubernetes Service (AKS) users that it is planning to end support for the "legacy Azure Active Directory integration on 29 February 2024."

The "legacy" term just refers to an older implementation. Microsoft has another Azure AD integration in effect for the AKS service, which it calls "AKS-managed Azure AD integration." This managed approach is the preferred one, but its main benefit appears to be ease of use.

Here's how Microsoft's document on AKS-managed Azure AD explained that point:

AKS-managed Azure AD integration is designed to simplify the Azure AD integration experience, where users were previously required to create a client app, a server app, and required the Azure AD tenant to grant Directory Read permissions. In the new version, the AKS resource provider manages the client and server apps for you.

The document included instructions on upgrading to the AKS-managed Azure AD integration from the earlier legacy solution.

Microsoft Loves Passwordless Sign-Ins
Microsoft, a member of the FIDO Alliance, has been an advocate for alternatives to passwords for user authentications. The idea is to use biometric approaches, such as a fingerprint scan or a face scan (Microsoft's Windows Hello service, built into Windows 10, supports the latter). Alternatively, key fobs or cards can be used to double-check user identities before granting system access.

FIDO2 (Fast ID Online 2) is the current effort, with some specifications still under review by the World Wide Web Consortium (W3C) standards body. Microsoft earlier this month pointed to a few W3C efforts of note that are under consideration.

One of them is Enterprise Attestation. It's part of a couple of standards under review by the W3C. Enterprise Attestation "enables binding of an authenticator to an account using a persistent identifier, similar to a smart card today," Microsoft explained. This capability is designed specifically for use in enterprise environments, rather than for the general public. The authenticator can be hardcoded into firmware or it can be set by policy.

Other specs under consideration include Credential Management and Bio Enrollment. These capabilities might be used to add or remove fingerprints from a device, for instance.

Another feature under review is the ability to set a minimum PIN length, or compel end users to change a PIN. It's not clear when all of these capabilities will reach the "Recommended" release status at the W3C, though.

Microsoft also this month profiled the FIDO keys and cards that are being offered by hardware partners. They include products from AuthenTrend, Ensurity, Feitian, HID Global, Thales, TrustKey and Yubico, as described in Part 5 of Microsoft's "10 Reasons to Love Passwordless" blog series. Other reasons to love the passwordless approach include the FIDO standard itself, NIST compliance, biometrics as an access method and the security assurances that come with passwordless authentication, according to the series so far.

ServiceNow Integration with Azure AD
It's possible to automate Azure AD actions with the ServiceNow help-desk service, which is explained in this Tuesday Microsoft announcement. ServiceNow has been the most used app that integrates with the Azure AD service, Microsoft announced last month.

It's possible to set up a chatbot within Microsoft Teams, for instance, to help employees reset their passwords. It's possible to automate events when "onboarding and offboarding" employees in organizations. ServiceNow further described capabilities associated with the Azure AD integration in this blog post.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

