Microsoft Bringing Inactive Account Removals and Default Security to Azure Active Directory Users

Microsoft announced a couple of Azure Active Directory security enhancements this week.

Microsoft is previewing the ability to allow IT pros to remove inactive user accounts for organizations that use the Azure AD identity and access management service. Also, Microsoft is planning to compel the activation of security baseline protections for organizations using the Azure AD service but not currently using the recommended protections.

Security Baselines Coming in June
On the latter front, Microsoft is planning to turn on security defaults for organizations that are using the Azure AD service but not using good security practices, such as multifactor authentication (MFA).

MFA is a secondary means of verifying user identities beyond the basic user name-plus-password approach. Basic authentication is subject to phishing and "password spray" attacks (guessing commonly used passwords across many accounts). Microsoft estimates that 99.9 percent of compromised accounts lacked MFA.

Microsoft is planning to kick off the process of turning on Azure AD baseline security for organizations not currently using those protections starting next month. IT pros with global administrator privileges will be notified of the change beforehand via e-mail.

When the change starts happening for Azure AD tenancies, end users will have 14 days to register to use MFA. This process will happen via the Microsoft Authenticator app.

The coming security defaults will only be presented to organizations that set up Azure AD before Oct. 2019. Tenants created since then have already had Microsoft's current security defaults applied.

At present, there are "more than 30 million organizations" that use Microsoft's Azure AD security defaults, according to Alex Weinert, director of identity security at Microsoft, per the announcement.

However, after the older Azure AD tenancies get offered Microsoft's security baseline protections, rolling out in June, protections will be afforded to "an additional 60 million accounts," Weinert indicated.

Organizations will be able to disable the coming security defaults "through the Azure Active Directory properties or through the Microsoft 365 admin center," Microsoft indicated, although it means bearing some risks.

Inactive Account Removals Preview
Microsoft on Tuesday announced a public preview of the ability to remove inactive user accounts from Azure AD-managed tenancies. This new "Access Review" capability is part of the Azure Active Directory Identity Governance service.

IT pros using the Access Review capability can set it up to automatically remove inactive or "stale" accounts. The maximum inactivity period that can be configured is "up to two years for guest users, or all users."

Use of the Access Review feature will apparently require Azure AD Premium P2 licensing. That point is mentioned in this Microsoft document on the topic, which also describes the setup steps.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

