

Microsoft on Wednesday announced a preview of Azure Active Directory Certificate-Based Authentication (CBA) support for Android and iOS devices using hardware security keys. The Azure AD CBA support enables "phishing-resistant" multifactor authentication (MFA) protections for those mobile devices. Currently, it's supported with Yubico's YubiKey security keys. YubiKeys are the only security keys with Azure AD CBA support at present, Yubico noted in a Wednesday announcement.

Azure AD CBA use will let organizations tap "bring your own device" (BYOD) scenarios, because the user certificate and its private key reside on the YubiKey rather than on the phone. Organizations can "require phishing-resistant MFA on mobile without having to provision certificates on the user's mobile device," explained Alex Weinert, director of identity security at Microsoft, in the announcement. It's also possible to enforce conditional access policies on mobile device users by using Microsoft's "new Conditional Access authentication strength policies," Yubico noted. Organizations can use Azure AD CBA with mobile devices, even unmanaged ones, and still meet the requirements of the Biden administration's Executive Order 14028, which requires the use of phishing-resistant authentication for federal agencies, Microsoft suggested. Additionally, "the YubiKey is the only FIPS certified phishing-resistant solution available for Azure AD on mobile," Yubico indicated.

Microsoft described one stipulation for the Azure AD CBA and YubiKey support.

Applications need to support the "latest Microsoft Authentication Library (MSAL)" to work with this scheme, Microsoft indicated. If they don't have such support, organizations can get around that limitation by using the Microsoft Authenticator app as a broker. "Azure AD CBA with YubiKey is also supported with the brokered authentication flow using latest Microsoft Authenticator (Android or iOS/iPadOS) for all apps that are not already on the latest MSAL," Microsoft's announcement clarified.

The Azure AD CBA service itself reached the "general availability" commercial-release stage last month as part of the Microsoft Ignite event, Weinert indicated. Microsoft had previewed Azure AD CBA back in February as a solution that would enable phishing-resistant authentication, while also letting organizations stop using Microsoft's Active Directory Federation Services (ADFS) for authentication.

ADFS, a Windows Server role, lets organizations authenticate using their own infrastructure in conjunction with the Azure AD service. However, ADFS was leveraged in alleged nation-state espionage attacks publicized last year, following the SolarWinds Orion management software compromise. ADFS may have been targeted in part because it has been too complex for most organizations to configure and secure properly.
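The "Conditional Access authentication strength" enforcement mentioned above can be scripted against Microsoft Graph. The following is an added example written for this page, not code from the article, Microsoft or Yubico: it creates a report-only Conditional Access policy that requires the built-in "Phishing-resistant MFA" strength for Android and iOS sign-ins, which a YubiKey certificate presented through Azure AD CBA satisfies. Assumptions not in the article: the Microsoft.Graph PowerShell module is installed, the signed-in admin can consent to the listed scopes, the tenant has the Azure AD Premium licensing Conditional Access needs, and a group named "Break Glass Accounts" exists to exclude emergency-access accounts.

```powershell
# Added example (not from the article): require phishing-resistant MFA on
# Android/iOS via a Conditional Access authentication strength, using the
# Microsoft Graph PowerShell SDK. Starts in report-only mode.
#
# Assumptions (not in the article): Microsoft.Graph module installed, admin
# can consent to these scopes, and a "Break Glass Accounts" group exists.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

$graph = "https://graph.microsoft.com/v1.0"

# 1. Resolve the built-in strength by display name rather than hard-coding its
#    id, and fail loudly if it is missing rather than creating a weaker policy.
$strengths = Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/authenticationStrengthPolicies"
$phishingResistant = $strengths.value | Where-Object { $_.displayName -eq "Phishing-resistant MFA" }
if (-not $phishingResistant) { throw "Built-in 'Phishing-resistant MFA' strength not found" }

# 2. Resolve the break-glass group (assumed name). Never ship an all-users
#    policy without an exclusion, or a broken rollout locks out the admins.
$breakGlass = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/groups?`$filter=displayName eq 'Break Glass Accounts'&`$select=id"
if (-not $breakGlass.value) { throw "Break-glass group not found; refusing to create policy" }

# 3. Scope: all users (minus break-glass), all cloud apps, Android and iOS only.
#    Grant: the phishing-resistant authentication strength.
#    State: report-only; flip to "enabled" after reviewing sign-in logs.
$policy = @{
    displayName   = "Require phishing-resistant MFA on mobile (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlass.value[0].id)
        }
        applications = @{ includeApplications = @("All") }
        platforms    = @{ includePlatforms = @("android", "iOS") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $phishingResistant.id }
    }
}

$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" `
    -Body $policy -ContentType "application/json"
"Created policy $($created.id) in state $($created.state)"
```

Report-only mode matters here because of the stipulation the article describes: a mobile app that is not on the latest MSAL and does not hand authentication to the Microsoft Authenticator broker cannot present the YubiKey certificate, so once the policy is switched to "enabled" those sign-ins fail. Review the Conditional Access "report-only" results in the sign-in logs for a few days, fix or broker the apps that would have been blocked, and only then enforce.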
