Manage your multi-cloud identity infrastructure with Microsoft Entra

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

Microsoft Entra is a single solution to centrally manage your entire identity infrastructure, whether hybrid across your on-premises systems and the Microsoft Cloud, or across services spanning multiple clouds such as AWS, Google Cloud Platform, and your favorite SaaS apps.


Joey Cruz, from the identity team at Microsoft, highlights the comprehensive capabilities of Microsoft Entra, including unified identity management that spans beyond your Microsoft estate and beyond Azure Active Directory. He demonstrates new and unique capabilities for the day-to-day management of your users and workloads.


Passwordless auth for non-Microsoft services.


Custom and cross-cloud authentication with Microsoft Entra. Watch the rundown.


Credential verification from third-party digital IDs — automated to remove the manual work.


Watch a summation of Microsoft Entra with Verified IDs and see how to turn it on today.


Amazon Web Services, Google Cloud Platform and Azure protection and monitoring in one place.


Watch a run-through of Microsoft Entra Permissions Management.


Watch our video here.


QUICK LINKS:

00:00 — Introduction

00:25 — Microsoft Entra admin center

01:07 — Secure access to Google services with passwordless authentication using Microsoft Entra

02:20 — Access all of your cloud and on-prem apps from myapps.microsoft.com

03:13 — Supported authentication methods

04:24 — Verified IDs to automate new user verification and access provisioning

05:40 — Workload Identity management for secure app to app communication

06:56 — Privileged Identity Management to protect admin accounts and more

07:41 — Permissions Management to monitor and protect Azure, AWS and GCP in one place

08:20 — Wrap up


Link References:

Try Microsoft Entra at https://entra.microsoft.com

Check out our docs at https://aka.ms/EntraDocs


Unfamiliar with Microsoft Mechanics?

Microsoft Mechanics is Microsoft's official video series for IT. You can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.


Joey Cruz (00:02):
Coming up, we take an inside look at Microsoft Entra, our family of integrated best-in-class products that give you a single solution to centrally manage your entire identity infrastructure, whether hybrid across your on-premises system and the Microsoft Cloud, or across services spanning multiple clouds. Everything comes together in the Microsoft Entra admin center, which is the one place where you can manage everything related to identity for your organization. You can get to it at entra.microsoft.com. In terms of breadth of capabilities, Microsoft Entra goes beyond the familiar identity and access management capabilities of Azure Active Directory that you may be accustomed to. It brings additional capabilities for permissions management, next-generation technologies like decentralized identities, non-human workloads, and expanded identity governance controls. In fact, today I’ll give you a tour of Microsoft Entra, including examples of unified identity management that span beyond your Microsoft estate. And I’ll also show you new and unique capabilities for the day-to-day management of your users and workloads.

 

(00:59):
Did you know Microsoft Entra can secure access to your non-Microsoft services and apps? Microsoft Entra can unify identity management across these services. In this example, we are logging into a Google Workspace account right from Google's domain. This redirects to a branded organization sign-in page that's been configured and is powered by Microsoft Entra. To sign in, you're prompted to use passwordless authentication. This sends a notification to your phone's authenticator app. You can see where the sign-in attempt is coming from and what app is requesting the MFA. Now you can enter the number on the sign-in page, and then finish the authentication process with your biometric. This is an example of custom and cross-cloud modern authentication that you can achieve with the single and integrated Microsoft Entra solution.

 

(01:41):
As you saw, it provides several layers of protection against unauthorized access. For example, if a bad actor tries to access your account with your email, they would need access to both your phone and your biometric to complete the authentication. And without those, they would be stopped. And one thing to note, if you're worried about approving the request by accident: because the access code is only visible on the bad actor's screen, without your approval their attempt is treated as fraud and blocked.

 

(02:05):
And of course, Microsoft Entra is able to unify the sign-in experience for all your enterprise applications across cloud services and even your on-premises apps. One thing you might not know is that Microsoft Entra lets you securely access all these apps from one place. Let me show you. Here, you're seeing a Woodgrove-branded experience with the apps that you have permissions to. It's just one location to remember or bookmark, and it's a single sign-on experience to securely access your apps, all without additional sign-ins, steps or prompts. There are apps from different cloud services like you're seeing here from AWS, Salesforce, and SAP, to name a few. And they appear alongside your internal line-of-business apps running on local servers. If I click on the tile for ServiceNow, it takes me directly to my account. There are no additional prompts or separate sign-in flows. All activity gets logged into Microsoft Entra for reporting and further action.

 

(02:57):
And everything you just saw is configurable in the Microsoft Entra admin center, where in addition to users, groups, and device management controls, you can manage secure access to apps. These can reside across different clouds, and we provide a broad range of authentication methods. This includes passwordless options for FIDO2 security keys, Temporary Access Pass for new accounts or account recovery, as well as the new certificate-based authentication method, which is a phishing-resistant approach and uses enterprise public key infrastructure. We also help you navigate these choices. In authentication strengths, you'll find new options organized by strength to implement zero trust measures and meet the US Executive Order for cybersecurity. Phishing-resistant multifactor authentication methods are on the top, along with other strong authentication types. In fact, policies can be configured to require different strong authentication methods. Here, for example, we've configured AWS to require phishing-resistant MFA using a FIDO2 security key.

 

(03:54):
Next, let's move on to day-to-day management activities that get easier with Microsoft Entra. For example, user onboarding is often the most manual side of identity and access management, and it often requires time-intensive and manual background checks. With Verified IDs and Microsoft Entra, you can digitize and automate that process. Microsoft Entra Verified ID is a unique decentralized identity solution that allows you to automate verification of credentials from third-party issuers.

 

(04:23):
Let me show you what's possible as a new employee. Using just a hyperlink from a hiring manager's email, you can access an onboarding page for new employees. If you don't already have a verifiable digital ID yet, that's okay, because the process just takes a few seconds to securely get one. You'll prove your identity to an issuer of verifiable credentials by taking a selfie and uploading an image of your government ID. The issuing service uses AI and advanced algorithms to compare your photo with your ID. Once verified, the service issues you a verified digital credential you can store in your digital wallet and use at any time to prove your identity. In this case, you'll present this credential to your employer, so they can give you access to company resources with confidence. So background checks are just completed in a few moments, but it doesn't stop there.

 

(05:09):
Microsoft Entra helps you automate the rest of the onboarding process with built-in lifecycle workflows. There are several available templates that you can choose from, and it’s easy to define multi-step onboarding task sequences, like this one that standardizes the user onboarding experience and puts the right permissions in place. Automated lifecycle workflows can save you a ton of time, and you can integrate them with your HR system for even more scale. So far, we’ve seen the experiences and controls built into Microsoft Entra for managing all types of users.

 

(05:38):
Next, let's look at non-human workload identities. These may need to be managed with an even higher level of scrutiny, due to their ongoing access to data and services. In fact, Microsoft internal research shows workload identities today outnumber human identities five to one, and this is projected to increase to 20 to one in the next three years. They can pose a higher level of risk because their connections frequently go unchecked once they've been established. In Microsoft Entra, you can configure secure app-to-app communications for your workload identities. Conditional access policies can assess risk in real time for your apps or services based on location, risk levels and access patterns. This lets you quickly and intelligently detect potentially compromised workload identities to reduce your exposure to risk and directly respond to avoid data loss or a possible attack. You get real-time and historical insights, including the status and activities performed by each workload identity.

 

(06:36):
This brings us to everyday monitoring and governance. Microsoft Entra also continuously delivers powerful insights and actionable recommendations across all identity types. Part of this is ensuring that admins have just enough access, just in time, while making sure that standing permissions are continuously reviewed, scrutinized and surfaced via built-in alerts. Here, Privileged Identity Management helps you minimize the number of users who have higher-privileged access to resources in Azure and Azure AD. Not only can you see accounts that may be compromised or at risk, but you can authorize time-limited, just-in-time privileged access to your infrastructure and resources. And something you may not know is that you can apply just-in-time access for roles in non-Microsoft apps such as AWS, as you can see here, for example. And you can manage access reviews across your applications and groups where, for example, you can use rules to automatically remove access to unconfirmed or infrequently used resources.

 

(07:34):
And by the way, if you have significant investments in Amazon Web Services or Google Cloud Platform, Microsoft Entra has you covered. Microsoft Entra Permissions Management is our Cloud Infrastructure Entitlement Management solution. This provides comprehensive visibility and control over permissions for both users and workload identities across multi-cloud infrastructures. Permissions Management helps you detect, monitor and right-size unused and excessive permission creep across services, with extensive analytics and reporting information. And it proactively mitigates the risk of data breaches, enabling you to enforce least-privilege access across Microsoft Azure, Amazon Web Services, and Google Cloud Platform.

 

(08:17):
So that concludes our tour of Microsoft Entra, our family of integrated best-in-class products that gives you a single solution to centrally manage your entire identity infrastructure, whether hybrid across your on-premises systems and the Microsoft Cloud or across services spanning multiple clouds. Try it out today at entra.microsoft.com. And to learn more, check out our docs at aka.ms/EntraDocs. Keep watching Microsoft Mechanics for the latest tech updates. Hit subscribe, and thank you for watching.
