Five insights gained from the Entra Airlift Conference

On the last sunny day in September, I was queueing with a couple of colleagues for the lift to take us to the top of the Space Needle in Seattle.

The view from the top is a breathtaking 360° vista – distant peaks on the horizon; seaplanes and helicopters taking off and landing; and downtown Seattle Bellevue and Redmond.

But we weren’t just in Seattle for the views. We were here for something just as exciting – the Microsoft Identity ‘Airlift’.

Now known as the Entra Airlift, this event brings together key Microsoft partners with Microsoft’s engineering team to discuss technical topics and plans for the future.

As a Microsoft Security Solutions Partner, Kocho are at the heart of Microsoft’s plans for delivering identity and security solutions to its customers.

Here are five major developments we took away from the conference:

Avoid MFA fatigue

Despite the best efforts of organisations like Microsoft, cyber attacks are on the rise – increasing in both quantity and complexity.

A zero trust mindset with identity and multi-factor authentication (MFA) at the core is still the recommended approach. What’s worrying is that Microsoft is seeing instances of MFA fatigue set in if organisations overuse it.

It’s so easy to authenticate on mobile devices nowadays that it’s not uncommon for senior-level individuals to ‘rush approve’ MFA requests with a quick tap of their finger, confirming a sign-in even when their identity is being spoofed from elsewhere.

So how is Microsoft helping to overcome this?

Enter MFA with number matching! Now in public preview, this feature will stop attackers in their tracks. You’ll be able to apply number matching to any security group in your Azure tenant.

Verified ID is for everyone

Working with other organisations that back the standards-based decentralised identity framework, Microsoft envisions a more consumer-centric future.

Consumers will be in complete control of how they share their digital identity, controlling things like:

• Where their identity can be broken down into shareable elements (e.g., only sharing what they need to).
• Where information about what they have shared can be easily retrieved.
• Where information sharing can be revoked.

Running on blockchain, the technology is truly decentralised. This makes it easier for businesses and organisations to share data about individuals – or rather, for individuals to be the guardians of that data, instead of organisations.

Rather than exchanging data directly via complex APIs, organisations can simply use a standard protocol for requesting and checking user credentials.

One example of this is identity checks for employee onboarding.

A passport-checking service can issue a credential to the user’s digital wallet, which verifies the user’s name. Any organisation can access this credential using the decentralised ID framework, which reduces the effort of the employee onboarding process.

Permissions Management provides multi-cloud reporting and control

Entra Permissions Management (formerly CloudKnox) is a cross-platform tool providing reporting and management of permission risk. It covers Azure, Google Cloud, and Amazon Web Services.

Large organisations typically use multiple clouds to store resources and identities. This increases the attack surface and provides for inconsistencies and ‘permission creep’.

Identity and security teams can lack visibility of permissions across these cloud platforms. Entra Permissions management provides unified reporting including a ‘permissions creep index’.

As well as reporting, you can manage and monitor permissions and policies. You can also unify policies across cloud platforms to ensure consistency – giving you the ability to enforce the principles of ‘least privilege’ at cloud scale.

Multi-tenant organisations are about to be more manageable

Many large and complex organisations manage their users within more than one Azure tenant.

A typical example of this is where tenant ‘A’ belongs to an acquiring organisation and tenant ‘B’ belongs to the acquired organisation. Unless users are permanently moved to tenant A, it may be that users in tenant B need to access resources in tenant A and vice versa.

Until now, managing users across different Azure tenants was typically done manually, with tenant B users having to apply for tenant A Access Packages, or admins in tenant A having to invite users from tenant B.

Customers are looking for this to happen automatically, so that, in the process of onboarding to tenant B, users (or users in specific groups) are onboarded to tenant A without any extra steps.

While we can’t share the exact details of the changes to come, Microsoft has a solution for this which will be available in public preview very soon.

Joiner, mover, leaver (JML) is about to get easier

Many of our clients are looking for ways to reduce their reliance on on-premises systems as the Cloud offers better security, reliability, and performance.

In the case of managing access for joiners, movers, and leavers (JML) within large organisations, there hasn’t been much flexibility in Azure for automating the tasks that accompany these employee lifecycle events.

While Microsoft Identity Manager (MIM) isn’t going away any time soon, Microsoft is looking at creating ‘hooks’ for these employee lifecycle-related events. You’ll be able to attach processes like Logic Apps so you can make automated attribute changes, send emails, trigger provisioning logic, and so on.

B2X convergence is happening

Business-to-customer (B2C) is an authentication platform aimed at end-users, giving users a secure method of sign-in, all while making the process streamlined and easier than ever. It has a flexible user interface which is orchestrated by B2C ‘policies’.

Business-to-business (B2B) collaboration is a method of inviting external users into your Azure tenant to collaborate and use resources. It can make use of Access Packages and Access Reviews, but the interface is fairly rigid.

While these two features seem very different, they’re built on the same technology and use the same standards and protocols. It’s no secret that Microsoft’s grand plan for External Identities is to have B2C and B2B singing from the same hymn sheet.

However, the practical vision for this combined feature has been under wraps for a while – until now.

Microsoft will soon release a feature-limited version of this converged product. Without revealing too many details, what we can say is ‘watch this space’!