News

Microsoft Previews Contextual Settings for Azure Active Directory Conditional Access

• By Kurt Mackie
• 05/27/2021

Microsoft this week announced a public preview release of an Azure Active Directory Conditional Access capability that lets organization trigger policies for end users based on a situation or context.

This "Authentication Context" feature was briefly mentioned back in March as a coming preview that would allow organizations to set "more granular policies" based on end user actions. It permits more nuanced policies to take effect.

Caleb Baker, a program manager on the Microsoft Identity team, offered this example in Microsoft's March announcement on the topic:

Your HR handbook and secret plans in SharePoint can have different access policies, and your company's financials app can apply a different standard between reading balances and wiring funds.

The Authentication Context preview works with Microsoft's cloud-based applications and "all kinds of cloud apps." It also works with so-called homegrown "line-of-business" apps. This feature will work with any application that uses "OpenID Connect/OAuth 2.0 for authentication."

The Authentication Context preview shows up in the Azure portal via a new Azure AD Conditional Access "tab" interface. IT pros assign Conditional Access policies in the usual way, except that these policies get assigned to an authentication context.

Microsoft's example is to turn on certain Conditional Access policies when an end user attempts to download sensitive files from a service, such as from "Office 365, Salesforce, Workday and more."

The Authentication Context feature is currently integrated with "Microsoft Cloud App Security (MCAS), Microsoft Information Protection (MIP) and SharePoint Online." Microsoft is planning to integrate this feature with other services, such as its Privileged Identity Management service, when the product nears commercial release, yet to be announced.

Building Zero-Trust Apps
On top of the Authentication Context preview news, Microsoft's Build online event for developers happened this week. Microsoft used that occasion to outline its zero-trust Azure AD development advice for app builders, which is described in this announcement.

Zero trust principles included "verify explicitly, use least privileged access and assume breach." To get there, Microsoft wants application developers leveraging Azure AD to shift to its Microsoft Identity Platform. The Microsoft Identity Platform uses the OAuth 2.0 and OpenID Connect protocols for authentications. It also uses the Microsoft Authentication Library (MSAL), instead of the older Azure AD Authentication Library (ADAL).

Microsoft had described this Microsoft Identity Platform shift two years ago. Developers are said to get benefits from using it. The Microsoft Identity Platform enables built-in app support for "single sign-on, advanced security, passwordless authentication," plus the conditional access policies set by IT departments, Microsoft had indicated.

Verifiable Credentials Preview
And then there's the future for identity and access management. Microsoft this week described design concepts for its emerging verifiable credentials approach, known as the "Azure Active Directory Verifiable Credentials" service, which was at the preview stage last month.

Microsoft is considering using a card-like design for its Verifiable Credentials approach, somewhat like a driver's license ID carried in a wallet. Microsoft's is also considering adopting an electronic receipts approach, where users can look back and see where their credentials got verified. The idea is to make the service seem familiar and simple to use, while also being trusted.

The Azure Active Directory Verifiable Credentials preview has undergone testing by various organizations, Microsoft indicated this week. Health care, public sector and educational institutions have tested the service, as well as retail, financial services and professional sports organizations.

Microsoft's Azure Active Directory Verifiable Credentials service implements decentralized identity recommendations from the World Wide Web Consortium and the Decentralized Identity Foundation. The aim is to establish cryptographically secure digital attestations of user identities using public blockchain electronic ledgers. It's conceived as a better alternative to companies storing credentials data on private servers.