Security was a big focus at 2019's Ignite – the first time that Microsoft has had a dedicated security track. The company is placing a big emphasis on hybrid use cases and cross-platform capabilities – and not just for the Microsoft ecosystem.
Within security, Microsoft has a unique opportunity: Windows is ubiquitous on endpoints, Office 365 is an equally ubiquitous productivity suite, capabilities from Exchange to the Power portfolio add to its enterprise presence, and Azure has become a major contender among cloud providers. This has led the company to not only invest in security that leverages these strengths, but to also branch into new areas such as security operations. We will take a closer look at these capabilities and the announcements made around them at Ignite 2019 in Part 2 of this report.
In Part 1, we focus on a key area of emphasis this year: identity and identity-related topics, such as identity governance and password-less authentication. To illustrate just how great a hold Microsoft has on identity interests, one of the sessions detailing new features in Azure Active Directory (Azure AD) had hundreds of attendees and was turning people away at the door.
Overall, Microsoft has been busy updating and investing in identity-related technologies, specifically Azure AD, in addition to making extensive investments in reliability and uptime after some notable outages. Microsoft is also placing big bets on open standards like OAuth2, OpenID Connect, and FIDO2 for authentication and authorization; SCIM for provisioning users and applications; and JSON and REST for APIs.
The 451 Take
Governance and Provisioning
Microsoft also announced the public preview of Azure AD Connect cloud provisioning, which makes it easier to connect multiple disjointed AD forests into Azure AD for complex environments that may have multiple locations or forests globally, possibly from frequent M&A activity. Enterprises can sync their identities into Azure AD by placing lightweight agents/connectors in front of each on-prem forest, and the connectors will handle all the schema transformations and de-duplication automatically, eliminating the need to set up a large on-prem sync server.
Also coming are a series of prebuilt SCIM connectors to make it easier to extend Azure AD into on-prem legacy applications and provision users directly from a cloud HR system of record (like Workday) to legacy on-prem applications.
Microsoft also has invested in bridging the gap between managing identities for employees and for partners and customers, and as part of that effort will extend Conditional Access and Identity Protection to Azure AD B2C within the next year or so. In addition, there are now several options for provisioning external partners or customers into Azure AD B2B: direct federation with any IDP that supports SAML or WS-Fed; a Google account or Gmail ID for partners without an identity system of their own; or, for those without a Google ID, an email message containing a six-digit code.
Cloud-based Identity Governance with entitlement management is now generally available. The latter allows businesses to define access packages, and enables employees and partners to request and be recertified for access to resources they need. Down the road, Microsoft will extend support to governance of on-prem apps and will include new privileged account management features.
Hybrid Access to On-prem Applications
Most enterprises are hybrid, have apps that cannot be migrated to the cloud, and often use legacy authentication methods and protocols that aren't compatible with Azure AD. Secure Hybrid Access is a partner program that allows on-prem apps (those exposed via a gateway device, those lifted and shifted to Azure, AWS or Google Cloud Platform, and those that use header-based authentication or Kerberos) to be managed via Azure AD, with Conditional Access and Identity Protection policies applied, without needing on-prem AD or ADFS servers.
Updated App Portal
Microsoft's app portal is called My Apps, and brings together in a single location all the cloud and on-prem apps a user has rights to. Workspaces is a new feature that allows users to set up a view of their most important apps so they can easily find them without searching through hundreds of apps. Users will soon be able to launch both Office and non-Office apps via the app launcher.
Perhaps the most high-profile announcements focused on Microsoft's efforts around MFA and password-less authentication. Microsoft now offers several varieties of strong authentication, including Windows Hello facial recognition, the Microsoft Authenticator mobile app and now FIDO2-based security keys from partners such as Yubico. Despite consistent calls for the end of passwords in recent years, enterprise MFA adoption hovers at 53%, according to 451 Research's most recent Voice of the Enterprise (VotE) survey.
Garrett Bekker is a Principal Analyst in the Information Security Practice at 451 Research. He brings a unique and diverse background, having viewed enterprise security from a variety of perspectives over the past 16 years.
Scott Crawford is Research Vice President for the Information Security Channel at 451 Research, where he leads coverage of emerging trends, innovation and disruption in the information security market. Scott is also a member of 451 Research’s Center of Excellence for Quantum Technologies.
Aaron Sherrill is a Senior Analyst for 451 Research covering emerging trends, innovation