Exploring Microsoft Entra


Microsoft Entra aims to help businesses streamline their operations, improve productivity, and drive innovation using advanced technology solutions.

Microsoft Entra offers a wide range of services to businesses, including cloud computing, data analysis, artificial intelligence, and machine learning capabilities. There are always new features and functionality being released in Microsoft Entra, so let’s take a look at some of the latest and greatest developments that relate to your organisation’s security posture, and how you can keep identities as safe from compromise as possible.

Auto-rollout of Conditional Access policies

At Microsoft Ignite in November last year, Microsoft announced the concept of Microsoft-managed Conditional Access policies. Microsoft also began to roll these policies out to tenants worldwide – you may see these yourself when in the Conditional Access policy console in Microsoft Entra. These policies relate to how multi-factor authentication (MFA) is being utilised in your organisation. They are named:

  • Multifactor authentication for admins accessing Microsoft Admin portals.
    • This policy covers 14 administrator roles that we consider to be highly privileged, who are accessing the Microsoft Admin Portals group, and requires them to perform MFA.
    • This policy targets Microsoft Entra ID P1 and P2 tenants where security defaults aren’t enabled.
  • Multifactor authentication for per-user multifactor authentication users.
    • This policy covers users with per-user MFA, a configuration that Microsoft no longer recommends. Conditional Access offers a better admin experience with many additional features. Consolidating all MFA policies in Conditional Access can help you be more targeted in requiring MFA, lowering end user friction while maintaining security posture.
    • This policy targets licensed users with Microsoft Entra ID P1 and P2, where the security defaults policy isn’t enabled and there are fewer than 500 per-user MFA enabled/enforced users.
  • Multifactor authentication and reauthentication for risky sign-ins.
    • This policy covers all users and requires MFA and reauthentication when we detect high-risk sign-ins. High-risk in this case means something about the way the user signed in is out of the ordinary. These high-risk sign-ins might include: travel that is highly abnormal, password spray attacks, or token replay attacks. For more information about these risk definitions, see the article ‘What are risk detections?’
    • This policy targets Microsoft Entra ID P2 tenants where security defaults aren’t enabled and there are enough licences for each user. Microsoft Entra ID doesn’t allow risky users to register for MFA, so to avoid locking them out of the system this policy is only available to organisations where every user is already registered for MFA.

All these policies were deployed in ‘report only’ mode, meaning that security teams would benefit from seeing how these policies would have interacted with the user experience had they been fully switched on. This is a very handy feature to use to support the rollout of any new Conditional Access policies. You can complement this with the “What if” feature in Conditional Access too, helping to model and predict the different user experiences before changes are released to the wider environment.

What’s different about the Microsoft-managed policies is that they are set to enable automatically after being in ‘report only’ mode for a few weeks, unless they are explicitly switched off by a security administrator. It’s worth jumping on to the Conditional Access portal to check this if you’re unsure of the status right now.

Microsoft Admin Portals in Conditional Access

Sticking with Conditional Access, a recent update allows the Microsoft Admin portals to be specified as a targeted resource in Conditional Access. If a security administrator creates a new policy, or edits an existing policy, and clicks on the ‘Targeted resources’ pane, under Cloud Apps there is an option to select ‘Microsoft Admin portals’, which with one click will protect access to the following portals under whatever conditions are stipulated:

  • Azure Portal
  • Exchange Admin Center
  • Microsoft 365 Admin Center
  • Microsoft 365 Defender Portal
  • Microsoft Entra Admin Center
  • Microsoft Intune Admin Center
  • Microsoft Purview Compliance Portal

This is a fantastic way of standardising how administrators interact with the important touch points that security processes depend on. An MFA prompt will stop nearly 93% of attempts to compromise an account, so this simple change could improve your organisation’s security posture with just a few clicks.
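As an added example (not code from this post, from Quorum Cyber, or from Microsoft), the Python below shows the two things the sections above describe: building the Microsoft Graph body for a Conditional Access policy that requires MFA for privileged roles accessing the Microsoft Admin Portals resource, created in ‘report only’ mode, and auditing the JSON returned by the policies endpoint for policies that are still in report-only state and due to be switched on. The Graph endpoint, state value and schema field names are real; the policy list and policy name are constructed, and only the Global Administrator role template ID stands in for the 14 privileged roles the post mentions (it does not list them).

```python
"""Build and audit Microsoft Entra Conditional Access policies using the Graph schema."""

# Real Microsoft Graph endpoint for Conditional Access policies (POST to create, GET to list).
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
# Graph state value for 'report only' mode.
REPORT_ONLY = "enabledForReportingButNotEnforced"
# Directory role template ID for Global Administrator; this value is fixed across tenants.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"
# Names of the Microsoft-managed policies described in the post.
MANAGED_POLICY_NAMES = {
    "Multifactor authentication for admins accessing Microsoft Admin portals",
    "Multifactor authentication for per-user multifactor authentication users",
    "Multifactor authentication and reauthentication for risky sign-ins",
}


def build_admin_portals_mfa_policy(display_name, role_ids, report_only=True):
    """Return the request body for a policy requiring MFA when the given directory
    roles access the 'Microsoft Admin Portals' resource group (Graph value
    'MicrosoftAdminPortals'). Start in report-only mode so the impact can be reviewed."""
    return {
        "displayName": display_name,
        "state": REPORT_ONLY if report_only else "enabled",
        "conditions": {
            "users": {"includeRoles": list(role_ids)},
            "applications": {"includeApplications": ["MicrosoftAdminPortals"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def report_only_policies(policies_response, managed_only=False):
    """Given the JSON from GET GRAPH_CA_POLICIES, return the names of policies still in
    report-only mode; with managed_only=True, restrict to the Microsoft-managed names."""
    names = []
    for policy in policies_response.get("value", []):
        if policy.get("state") != REPORT_ONLY:
            continue
        if managed_only and policy.get("displayName") not in MANAGED_POLICY_NAMES:
            continue
        names.append(policy["displayName"])
    return names


# Constructed sample of a policies listing (not real tenant data).
SAMPLE_RESPONSE = {"value": [
    {"displayName": "Multifactor authentication for admins accessing Microsoft Admin portals",
     "state": REPORT_ONLY},
    {"displayName": "Block legacy authentication", "state": "enabled"},
    {"displayName": "Pilot: require compliant device", "state": REPORT_ONLY},
]}
```

Run the audit against your own tenant by replacing SAMPLE_RESPONSE with the body of an authenticated GET to GRAPH_CA_POLICIES (Policy.Read.All permission).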

New API functionality in Entra Permissions Management

Another exciting update is the introduction of application programming interface (API) support in Entra Permissions Management. Developers can now discover, remediate and monitor permissions throughout their cloud infrastructure. This opens the door for Quorum Cyber to start surfacing this information and feeding it into our incredible detection and response services. Quorum Cyber were approached by Microsoft last year to help shape the kind of information that is surfaced using the API, and we can’t wait to put it to great use. Watch this space for future developments!

As always, if anything in this update has grabbed your attention and you’d like to know more about how it could impact your organisation, reach out to Quorum Cyber and we’ll make sure that the best minds we have in the identity space will be ready to help.