Microsoft Previews Advanced Customizations for Certificate-Based Authentications

The Microsoft Entra ID Conditional Access service is now previewing more "granular" controls over certificate-based authentication methods, per a Tuesday announcement.

The more granular controls, at preview, were added to address organizational needs, where "using the same certificate for all Entra ID federated applications is not always sufficient." The example Microsoft gave was an organization with different security clearance levels, such as "Confidential, Secret or Top Secret." In such cases, organizations can now issue "three different types of multifactor certifications," based on properties such as "Policy OID [Object Identifiers] or issuer."

The "authentication strength" capability in the Entra ID Conditional Access service is used to control those properties. One idea behind using authentication strength is that multifactor authentication methods have different strengths in terms of being "phishing resistant," and so IT organizations can specify which authentication methods can be used. Microsoft defines true phishing-resistant strength as using either Windows Hello for Business (biometric authentications, such as face scans), FIDO2 methods (authentications via PIN, card or key fob) or certificate-based authentication, for instance.

Microsoft previewed the authentication strength capability more than a year ago as a way of specifying which multifactor authentication methods can be used. Back then, Microsoft had said it planned to permit IT pros to scope methods to "specific groups, not just all or no users." The new granular control over certificate-based authentication using authentication strength, now at preview, appears to be fulfilling that promise.

The new granular controls preview is described as "advanced options" for customizing authentication strengths using certificate-based authentication, per this document's description.

In other Entra ID (formerly "Azure Active Directory") news, Microsoft eased matters for "AzCopy version 10.22.0 or newer" users. AzCopy is a command-line tool used to "copy blobs or files to or from a storage account," according to this document's description. IT pros can now "reuse your existing Entra ID authentication tokens from Azure PowerShell and Azure CLI for authentication for blob transfers to and from your storage accounts," Microsoft indicated in this announcement. It reduces the number of times IT pros will have to enter their credentials.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

