News

Microsoft Enhancing Azure Active Directory Roles and Conditional Access Capabilities

• By Kurt Mackie
• 08/17/2020

Microsoft announced some Azure Active Directory improvements last week.

Users of the Azure AD Conditional Access service are now getting a new policy that will block devices using older authentication methods by default, unless granted an exception. Also, Microsoft is previewing the capability of assigning groups of personnel to various Azure AD management roles.

Legacy Authentication Blocked by Default
Microsoft added updates to its Azure Active Directory Conditional Access service that will block devices using so-called "legacy authentication" methods, per a Tuesday announcement.

These legacy authentication methods use protocols such as "POP, SMTP, IMAP, and MAPI," which just rely on a password and can't enforce multifactor authentication protections. Multifactor authentication is a secondary identity verification scheme beyond a password. Attackers typically target organizations using the older protocols to carry out so-called "password spray attacks," where they try commonly used passwords across an organization to gain a foothold.

Microsoft noted that "fewer than 16% of organizations" had Conditional Access policies in place for sign-ins using these legacy authentication protocols. Consequently, it changed how its Azure AD Conditional Access service works in that respect.

It rolled out two updates to that end, namely:

1. New Conditional Access policies will apply to legacy authentication clients by default.
2. The client apps condition, including improvements to the client apps admin experience, is now in General Availability.

Apparently, both of these updates are currently in effect for Azure AD Conditional Access subscribers.

With the first update, clients using the legacy protocols now get blocked by the Azure AD Condition Access service. Organizations that must use those older protocols can grant policy exceptions, though.

The second update lets IT pros apply policies to client applications that aren't using so-called "modern authentication" methods. Policies can be set via a graphical user interface or a "new Conditional Access API."

Microsoft also refers to the legacy authentication methods as "Basic Authentication." Support for Basic Authentication methods will be ending next year for use with Microsoft's services. For instance, Microsoft is planning to disable the use of Basic Authentication with its Exchange Online service in the second half of 2021.

Azure AD Roles for Groups
Microsoft is previewing the ability to set roles for groups of personnel, such as assigning IT staff to the helpdesk administration role, according to a Thursday announcement. The preview just works for Azure AD's built-in roles right now. However, Microsoft is planning to extend those group controls to "on-premises groups as well as Azure AD custom roles" sometime in a future update.

Only users with "either a Privileged Role Administrator or a Global Administrator" role have the permission to assign roles for groups. After that's done, group owners can "manage group memberships and control who can get the role," Microsoft's announcement explained.

A similar preview capability in Microsoft's Privileged Identity Management service enables group management via a new "Privileged Access Groups" capability. It lets IT pros add "just-in-time" controls over group access to workflows.

The two new previews require having certain licensing in place. An Azure AD Premium P1 is needed for assigning groups to roles. An Azure AD Premium P2 license is needed for Privileged Identity Management.