Azure Active Directory Gets 'Converged' Management for Authentication Methods
Microsoft this week announced a few Azure Active Directory improvements.
The improvements include a "Converged Authentication Methods" addition for centralizing the management of authentication methods and password resets. Also, there's a new suspicious activity reporting capability, at preview, that lets end users notify IT departments when they encounter suspicious multifactor authentication (MFA) prompts.
Microsoft additionally announced a preview of an approach that's designed to thwart attacks that try to use stolen tokens for log-ins.
Converged Authentication Methods GA
One Azure AD improvement that reached the "general availability" (GA) commercial-release stage is called Converged Authentication Methods, as described in this Tuesday announcement.
This enhancement promises centralized management for "all methods used for authentication and password reset." Additionally, IT pros can better "target groups of users" with Converged Authentication Methods.
MFA and self-service password reset (SSPR) methods can now be managed in "one policy alongside passwordless methods like FIDO2 security keys and certificate-based authentication," explained Alex Weinert, director of Identity Security at Microsoft, in the announcement.
Converged Authentication Methods also centralizes the management of methods such as "SMS, Voice Calls, Third-party Software OATH, and Email OTP."
Weinert suggested IT pros could use Converged Authentication Methods to test "trial methods with pilot groups" of users before broader rollout.
Legacy MFA and SSPR Methods
The addition of the new Converged Authentication Methods capability also signals that there are "legacy MFA and self-service password reset policies" that IT pros will need to move away from. Microsoft is previewing a "Manage Migration" capability to help with such moves.
Those legacy MFA and SSPR methods will be deprecated next year, Weinert indicated:
Later in 2024 we'll be deprecating the ability to manage authentication methods in the legacy policies. As you migrate, we recommend stepping up your security posture by moving away from SMS and Voice, and enabling more secure methods like Microsoft Authenticator and FIDO2 Security keys, if you haven't already.
Report Suspicious Activity Preview
Microsoft has updated its existing MFA Fraud Alert feature with a new Report Suspicious Activity capability, which was released at preview. It works with the Azure AD Identity Protection service.
The Report Suspicious Activity preview lets end users report suspicious MFA prompts received via a phone call or the Microsoft Authenticator app. A report places the user in the "high risk user" category, after which IT pros can take actions such as limiting the user's access or enabling SSPR so that the user can change the password.
IT pros will see such suspicious activity via the "Sign-ins report (as a sign-in that was rejected by the user), in the Audit logs, and in the Risk detections report," Microsoft explained in this document.
Token Protection for Sign-Ins Preview
Microsoft on Wednesday introduced a preview of token protection for sign-in sessions, which is part of the Azure AD Conditional Access service.
The idea behind token protection for sign-in sessions is to tie a token to its intended device to thwart the use of stolen tokens, Microsoft explained.
Token Protection ensures that tokens can only be used on the intended device. When enforced through Conditional Access policies, tokens authorizing access to resources must come from the device where the user originally signed in. This provides the best available protection for your high-value users and data against breaches involving token theft.
The preview currently works only with Office 365 applications such as "Exchange mailboxes and SharePoint sites," and it focuses only on blocking "stolen Windows native client Refresh Tokens," the announcement explained. However, Microsoft expects to expand its protections to "more applications and data, other client platforms, and other types of tokens" in the near future. Microsoft Teams support will be "coming soon."
Currently, only Windows 10 and Windows 11 desktop devices are supported with the preview, but support for "Mac, iOS, Android, and Linux clients" is on the horizon.
Dampening enthusiasm for Microsoft's token protection scheme somewhat was a finding by a TrustedSec security researcher that switching the user-agent header offered a bypass. That notion was floated by TrustedSec writer "@rootsecdev" in this May 9 Twitter post.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.