News

Microsoft Adds Azure AD Security and Compliance Perks

• By Kurt Mackie
• 09/02/2022

Microsoft this week announced Azure Active Directory enhancements for organizations that likely will better address some security and compliance issues.

The enhancements include a new Multifactor Authentication Server Migration Utility, an Azure AD Kerberos preview for Azure Files users, plus the ending of unmanaged accounts for users of the Azure AD B2B service.

MFA Server Migration Utility
Microsoft has released a new Multifactor Authentication Server Migration Utility, which aims to help organizations shift from using the on-premises MFA Server to using the Azure MFA service.

The utility is an included tool when downloading Azure MFA bits. The MFA Server Migration Utility is said to not require reregistration by end users after making a shift to the Azure MFA service. It allows IT pros to test things in staged rollouts before fully implementing the changes.

"Since no changes to your tenant or federation settings are required, carrying out testing is extremely low risk and can be done with as many or as few users as you wish," stated Alex Weinert, director of identity security at Microsoft, in the announcement.

While Microsoft's announcement didn't mention it specifically, this utility will help organizations get rid of their Active Directory Federation Services (ADFS) deployments on premises, which have lately made the news in a bad way as being targeted by nation-state attackers. When using the Azure MFA service, the authentications happen in Microsoft's cloud. The MFA service seen as easier to secure than ADFS used on premises.

In April, Microsoft had announced other Azure AD enhancements aimed at helping organizations move away from ADFS.

Azure Files and Kerberos Security Preview
Microsoft also this week announced that Azure Files is now integrated with Azure AD Kerberos for use when organizations are using a "hybrid" (cloud plus on-premises) approach to controlling identity and access management.

This Azure Files integration with the "new" Azure AD Kerberos feature, available at the preview stage, will enable Azure Files users to not have to use on-premises Active Directory Domain Services (ADDS) or Azure Active Directory Domain Services (Azure ADDS) for authentications. Azure AD Kerberos allows organizations to dispense with some infrastructure requirements that are involved with those two approaches.

Here's Microsoft's explanation to that effect:

Azure AD Kerberos allows Azure AD to issue Kerberos service tickets over HTTPS for service applications in Azure AD. This removes the need to setup and manage another domain service, while also removing the line-of-sight requirement to the domain controller when authenticating with Azure Files. For this experience, the clients connecting to Azure Files need to be Azure AD-joined clients (or hybrid Azure AD-joined), and the user identities must be hybrid identities, managed in Active Directory.

The Azure AD Kerberos preview for Azure Files was said to be an expansion based on similar improvements in FSLogix profiles support. FSLogix is Microsoft's solution that's used to maintain user profiles in virtual desktop infrastructure scenarios.

Azure AD B2B and Unmanaged Accounts
Microsoft also this week indicated that it's ending the user option to use "unmanaged accounts" when accessing resources via Microsoft's Azure Active Directory B2B ("Business to Business") sharing service.

These unmanaged accounts could get created using a capability that enabled "self-service sign-up for email-verified users," Microsoft explained. It was a quick way for Azure AD B2B-invited guests to access resources, but it apparently became a compliance nightmare.

Microsoft didn't use the word, "nightmare," but it did acknowledge the problems created by these self-service sign-ups:

This [self-service sign-ups] allows invited guest users to create Azure AD accounts by validating ownership of their work email address when their domain is not verified in Azure AD. However, this sometimes means that users would create accounts in a tenant not managed by the IT department of their organization. This has several unintended consequences such as challenges with user lifecycle management, support costs due to password reset issues and information disclosure between users in the Azure Portal.

Microsoft announced the end of these unmanaged accounts on Sept. 2, 2022, so presumably they can't now be created. There is an alternative "invitation redemption flow," as described in this Microsoft document, which offers other ways for guest users to verify their identities. These other sign-up options include using a federation identity provider, Google federation, a personal Microsoft account or the "one-time passcode" approach, which sends a link to access resources via e-mail invitations.

The announcement noted that "accounts that have previously been invited and redeemed with unmanaged Azure AD accounts will continue to work." However, it also listed a bunch of tools for organizations to locate such accounts, which can then be reset to use the other sign-up options.