Azure Active Directory Getting Custom Roles and MFA Improvements

Microsoft this month announced a couple of Azure Active Directory improvements with regard to custom roles and multifactor authentication support that are available now and on the horizon.

Custom Roles Preview
This week Microsoft announced a preview of an easier way to create custom roles as part of the role-based access control (RBAC) feature of the Azure Active Directory identity and access management service.

The preview of custom roles is available now in the Azure Portal. The RBAC feature has been available for more than four years, providing access to built-in roles that organizations can use. Basic built-in role privileges include "owner" (full access to resources), "contributor" (management privileges but no delegation privileges) and "reader" (able to view Azure resources).

The idea behind RBAC is to enforce least-privilege access among IT pros performing various management tasks as a security precaution. The roles get set up using the Azure management portal, which has a graphical user interface. However, organizations may need to modify or customize Microsoft's built-in roles, too.

The new custom roles preview permits IT pros to use the graphical user interface of the Azure management portal to make or modify Azure AD roles. It's an "evolution of the current experience," where custom roles can only be created using a command-line interface tool or the application programming interface of Azure Resource Manager, Microsoft's announcement explained.

The Azure Portal's custom roles preview lets IT pros create a custom role either by "cloning" an existing Azure AD RBAC role the organization already uses or by building one from scratch. When creating a role afresh, users pick from a checklist of permissions. It's also possible to define a custom role by editing a JavaScript Object Notation (JSON) file.
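The clone-and-narrow workflow above, as an added example that is not code from the article or from Microsoft: it clones a built-in role definition into a custom role with a narrower action list and scope, then audits the result for the least-privilege points the article raises (delegation rights, wildcard grants, overly broad scope). The JSON shape is the Azure RBAC role-definition format accepted by `az role definition create`; the Contributor sample is constructed for illustration rather than fetched from Azure.

```python
import copy
import fnmatch
import json

# Constructed sample in the shape of the built-in Contributor definition:
# a wildcard grant with the access-delegation operations carved out.
CONTRIBUTOR = {
    "Name": "Contributor",
    "IsCustom": False,
    "Description": "Manage everything except access to resources.",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
    "AssignableScopes": ["/"],
}

# Operations that let a role holder grant or widen access ("delegation").
DELEGATION = ["Microsoft.Authorization/roleAssignments/write",
              "Microsoft.Authorization/roleDefinitions/write",
              "Microsoft.Authorization/elevateAccess/action"]


def _matches(patterns, action):
    """Azure action strings are case-insensitive and use '*' as a wildcard."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def grants(role, action):
    """True if `action` is covered by Actions and not carved out by NotActions."""
    return (_matches(role["Actions"], action)
            and not _matches(role.get("NotActions", []), action))


def clone_role(base, name, actions, scopes, description=""):
    """Clone `base` into a custom role limited to `actions` and `scopes`.
    The base role's NotActions carve-outs are deliberately kept."""
    role = copy.deepcopy(base)
    role.update({"Name": name, "IsCustom": True, "Description": description,
                 "Actions": list(actions), "AssignableScopes": list(scopes)})
    return role


def audit(role):
    """Least-privilege findings for a role definition (empty list = clean)."""
    findings = []
    if any(grants(role, a) for a in DELEGATION):
        findings.append("grants access delegation: holder can widen its own access")
    if "*" in role["Actions"]:
        findings.append("wildcard '*' in Actions: role is as broad as Contributor")
    if "/" in role["AssignableScopes"]:
        findings.append("assignable at root scope: narrow to a subscription or resource group")
    return findings


if __name__ == "__main__":
    vm_operator = clone_role(CONTRIBUTOR, "VM Operator",
                             ["Microsoft.Compute/virtualMachines/*"],
                             ["/subscriptions/00000000-0000-0000-0000-000000000000"])
    # Save this JSON and load it with: az role definition create --role-definition @role.json
    print(json.dumps(vm_operator, indent=2))
    print(audit(vm_operator), audit(CONTRIBUTOR))
```

The subscription ID in the usage block is a placeholder; replace it with the real scope before creating the role.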

Partner-Built MFA Support
In other Azure AD news, Microsoft last week suggested that it plans to improve the ability of organizations to use non-Microsoft ("third-party") multifactor authentication (MFA) solutions with the Microsoft Azure AD service. MFA is a security precaution that enforces the use of an alternative means of verifying a user's identity besides a password, typically by making the user enter a PIN or respond to an automated phone call.

Customers have told Microsoft that its current support for partner-built MFA solutions is "too limited," explained Alex Simons, corporate vice president of the Microsoft Identity Division. The current support itself is a preview where Microsoft extends "Conditional Access through custom controls," but that approach will get replaced, Simons explained:

We are planning to replace the current preview with an approach which will allow partner-provided authentication capabilities to work seamlessly with the Azure AD administrator and end user experiences. Today, partner MFA solutions can only function after a password has been entered, don't serve as MFA for step-up authentication on other key scenarios, and don't integrate with end user or administrative credential management functions. The new implementation will allow partner-provided authentication factors to work alongside built-in factors for key scenarios including registration, usage, MFA claims, step-up authentication, reporting, and logging.

Microsoft isn't saying when this new approach to supporting partner MFA solutions on Azure AD will arrive. In the meantime, it'll continue to offer the old preview approach until the new design reaches "general availability" (commercial release), Simons indicated.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
