Microsoft Previews SAML Token Encryption in Azure Active Directory

Microsoft has been adding to its Azure Active Directory capabilities in recent weeks.

Several new capabilities were announced at the preview stage. Microsoft also rolled out an ability to detect Microsoft account changes for users of the Microsoft Authenticator app.

SAML Token Encryption Preview
There's a new preview of encryption for tokens using the Security Assertion Markup Language (SAML), per Microsoft's Thursday announcement. SAML, an XML-based standard currently at version 2.0, is typically used to support single sign-on schemes for applications. Single sign-on simplifies application access, since users only need one set of credentials to authenticate and access various apps.

To support SAML token exchanges, Azure AD functions as the "identity provider," exchanging a public key and then getting a private key in response from a "service provider." The service provider is typically the application itself that's being signed into by an end user.

Even though Azure AD SAML tokens are currently exchanged over encrypted connections using HTTPS/TLS, some organizations want token encryption, as well. It's wanted for "internal security standards or compliance requirements," Microsoft's announcement explained.
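An added check, not from the article or from Microsoft, that an application owner could run against a captured SAML response after turning the feature on: it reports whether the assertion is actually carried as an EncryptedAssertion rather than in the clear, and which XML Encryption algorithms protect the body and the content key. The two sample responses are constructed for the example, and the cipher values in them are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# RSA PKCS#1 v1.5 key transport is deprecated in XML Encryption 1.1; flag it.
LEGACY_KEY_TRANSPORT = {"http://www.w3.org/2001/04/xmlenc#rsa-1_5"}

def inspect_saml_response(xml_text):
    root = ET.fromstring(xml_text)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    result = {"plaintext_assertions": len(root.findall("saml:Assertion", NS)),
              "encrypted_assertions": len(encrypted), "data_algorithm": None,
              "key_algorithm": None, "legacy_key_transport": False}
    if not encrypted:
        return result
    enc = encrypted[0]
    # Block cipher used on the assertion body (xenc:EncryptedData).
    method = enc.find("xenc:EncryptedData/xenc:EncryptionMethod", NS)
    if method is not None:
        result["data_algorithm"] = method.get("Algorithm")
    # Content key is wrapped with the SP's public key (only the SP's private key
    # can unwrap it); EncryptedKey may sit in ds:KeyInfo or beside EncryptedData.
    key = enc.find("xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey", NS)
    if key is None:
        key = enc.find("xenc:EncryptedKey", NS)
    if key is not None:
        key_method = key.find("xenc:EncryptionMethod", NS)
        if key_method is not None:
            alg = key_method.get("Algorithm")
            result["key_algorithm"] = alg
            result["legacy_key_transport"] = alg in LEGACY_KEY_TRANSPORT
    return result

# Constructed sample responses; cipher values are placeholders, not real tokens.
_HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
         'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" '
         'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="2.0">')
ENCRYPTED_RESPONSE = _HEAD + """<saml:EncryptedAssertion>
 <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  <ds:KeyInfo><xenc:EncryptedKey>
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
   <xenc:CipherData><xenc:CipherValue>UExBQ0VIT0xERVI=</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>UExBQ0VIT0xERVI=</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>"""
PLAIN_RESPONSE = _HEAD + ('<saml:Assertion Version="2.0"><saml:Issuer>https://idp.example/'
                          '</saml:Issuer></saml:Assertion></samlp:Response>')
```

A response that still contains a plaintext saml:Assertion, or whose key transport is flagged as legacy, is the signal to revisit the application's encryption configuration.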

There's also another benefit to Azure AD SAML token encryption. It will permit some organizations to move away from using Active Directory Federation Services (ADFS), a Windows Server capability that's used to support single sign-on access to applications. Instead of using ADFS, organizations could use the SAML encryption feature directly with Azure AD.

"Now that Azure AD support[s] SAML token encryption, you can go ahead and move applications requiring this capability from AD FS to work directly with Azure AD," Microsoft's announcement stated.

Microsoft is requiring that organizations have Azure AD Premium 1 or E3 plans in place to use the new SAML token encryption capability. While this feature is currently at preview stage, it's expected to reach "general availability" (production-ready stage) by the end of next month. The preview can be accessed in the Azure Portal using the "Enterprise Applications blade," Microsoft explained in this document.

Azure AD Identity Protection Previews
Microsoft also announced previews late last month of new Azure AD Identity Protection features. Azure AD Identity Protection is an added service (requiring an Azure AD Premium P2 subscription) that uses machine learning to check for suspicious actions associated with an Azure AD environment. It provides detection for things like identity theft and phishing attacks, for instance.

Microsoft is previewing an improved Azure AD Identity Protection monitoring experience for IT pros. The preview is available in the Azure Portal using the Azure AD blade.

Microsoft enhanced it to show "sign-in risk trends" for Azure AD Identity Protection users. The portal also now includes pointers to high-risk users, who are shown in "tiles" on the right side. It has a "Risky User Report," which comes with remediation suggestions. New capabilities are surfaced in tabs, including a new "MFA Info" tab, which shows whether multifactor authentication was required or not, and a Conditional Access policy tab, for instance.

The preview also lets IT pros surface information using APIs. The service includes a new "Risky Users API" and a "Sign-Ins API." These APIs can be used to run queries on end users or to detect trends.

Authenticator App Notifications
The latest version of the Microsoft Authenticator app, available for Android and iOS devices, will now let users know if a password change happened for their Microsoft accounts. It'll let end users take protective actions if needed, Microsoft explained in an announcement this week.

The Microsoft Authenticator app is used to add a second authentication factor for account access. That second factor might be a PIN, or a biometric face or fingerprint confirmation of one's identity, before accessing an application. The Microsoft Authenticator app works with "any app that uses two-factor authentication and any account that supports the Time-Based One-Time password (TOTP) standards," Microsoft's overview article explained.

Apparently, a password-change notifications capability is under consideration for Azure AD accounts, as well.

"We do want to have this feature for AAD accounts too someday," said Olena Huang in the comments section of Microsoft's announcement. "Right now, we're working on bringing the AAD Account Activity page to public preview. Then, we'll start working on account activity notifications."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
