News

Azure Active Directory Getting Custom Roles and MFA Improvements

• By Kurt Mackie
• 03/25/2020

Microsoft this month announced a couple of Azure Active Directory improvements with regard to custom roles and multifactor authentication support that are available now and on the horizon.

Custom Roles Preview
This week Microsoft announced a preview of an easier way to create custom roles as part of the role-based access control (RBAC) feature of the Azure Active Directory identity and access management service.

The preview of custom roles is available now in the Azure Portal. The RBAC feature has been available for more than four years, providing access to built-in roles that organizations can use. Basic built-in role privileges include "owner" (full access to resources), "contributor" (management privileges but no delegation privileges) and "reader" (able to view Azure resources).

The idea behind RBAC is to enforce least-privilege access among IT pros performing various management tasks as a security precaution. The roles get set up using the Azure management portal, which has a graphical user interface. However, organizations may need to modify or customize Microsoft's built-in roles, too.

The new custom roles preview permits IT pros to use the graphical user interface of the Azure management portal to make or modify Azure AD roles. It's an "evolution of the current experience," where custom roles can only be created using a command-line interface tool or the application programming interface of Azure Resource Manager, Microsoft's announcement explained.

The Azure Portal's custom roles preview permits the creation of custom roles either by "cloning" an existing Azure AD RBAC role that's used by an organization or by creating a new custom role. Users see a checklist of permissions to select from when creating a custom role afresh. It's also possible to create a custom role by modifying a JavaScript Object Notation (JSON) file.

Partner-Built MFA Support
In other Azure AD news, Microsoft last week suggested that it plans to improve the ability of organizations to use non-Microsoft ("third-party") multifactor authentication (MFA) solutions with the Microsoft Azure AD service. MFA is a security precaution that enforces the use of an alternative means of verifying a user's identity besides a password, typically by making the user enter a PIN or respond to an automated phone call.

Customers have told Microsoft that its current support for partner-built MFA solutions is "too limited," explained Alex Simons, corporate vice president of the Microsoft Identity Division. The current support itself is a preview where Microsoft extends "Conditional Access through custom controls," but that approach will get replaced, Simons explained:

We are planning to replace the current preview with an approach which will allow partner-provided authentication capabilities to work seamlessly with the Azure AD administrator and end user experiences. Today, partner MFA solutions can only function after a password has been entered, don't serve as MFA for step-up authentication on other key scenarios, and don't integrate with end user or administrative credential management functions. The new implementation will allow partner-provided authentication factors to work alongside built-in factors for key scenarios including registration, usage, MFA claims, step-up authentication, reporting, and logging.

Microsoft isn't saying when this new approach to support partner MFA solutions on Azure AD will arrive. In the meantime, it'll continue to offer the old preview approach until the new design reaches "general availability" commercial release, Simons indicated.