{"id":25118,"date":"2024-08-26T19:00:45","date_gmt":"2024-08-27T03:00:45","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/08\/26\/news-18848\/"},"modified":"2024-08-26T19:00:45","modified_gmt":"2024-08-27T03:00:45","slug":"news-18848","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/08\/26\/news-18848\/","title":{"rendered":"How Microsoft Entra ID supports US government agencies in meeting identity security requirements"},"content":{"rendered":"<p><strong>Credit to Author: Joy Chik| Date: Mon, 26 Aug 2024 16:00:00 +0000<\/strong><\/p>\n<p>If you\u2019re in charge of cybersecurity for a United States government agency, you\u2019re already familiar with Memorandum M-22-09, \u201c<a href=\"https:\/\/zerotrust.cyber.gov\/downloads\/M-22-09%20Federal%20Zero%20Trust%20Strategy.pdf\">Moving the U.S. Government Toward Zero Trust Cybersecurity Principles<\/a>,\u201d which the US Office of Management and Budget issued in January 2022. This memo set a September 30, 2024, deadline for meeting \u201cspecific cybersecurity standards and objectives\u201d toward implementing a Zero Trust architecture in compliance with the <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/\" target=\"_blank\" rel=\"noreferrer noopener\">Executive Order on Improving the Nation\u2019s Cybersecurity<\/a>.<\/p>\n<p>Microsoft has embraced Zero Trust principles, both in our security products and in the way we secure our own enterprise environment. We\u2019ve been helping thousands of organizations worldwide transition to a Zero Trust security model, including military departments and civilian agencies. Over the past three years, we\u2019ve listened to our US government customers, so we can build rich new security features that help them meet the requirements described in the Executive Order, and then support their deployments. 
These advancements include certificate-based authentication in the cloud, Conditional Access authentication strength, cross-tenant access settings, FIDO2 provisioning APIs, Azure Virtual Desktop support for passwordless authentication, and device-bound passkeys.<\/p>\n<p>The illustration below depicts the <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2023-04\/zero_trust_maturity_model_v2_508.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Zero Trust Maturity Model Pillars<\/a> adopted by the US Cybersecurity and Infrastructure Security Agency (CISA).<\/p>\n<p>As the memo\u2019s deadline approaches, we\u2019d like to celebrate the progress our customers have made using the capabilities in <a href=\"https:\/\/www.microsoft.com\/security\/business\/identity-access\/microsoft-entra-id\">Microsoft Entra ID<\/a> not only to meet requirements for the Identity pillar, but also to reduce complexity and to improve the user experience for their employees and partners.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/Picture1-1.webp\" alt='An architectural diagram that illustrates the Zero Trust Maturity Model Pillars adopted by the U.S. Cybersecurity and Infrastructure Security Agency. The five pillars are depicted as five vertical boxes labeled Identity, Devices, Networks, Applications and Workloads, and Data. 
Along the bottom of the diagram are three horizontal boxes labeled \"Visibility and analytics,\" \"Automation and orchestration,\"  and \"Governance.\"' class=\"wp-image-135508 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/Picture1-1.webp\"><\/figure>\n<h2 class=\"wp-block-heading\" id=\"microsoft-entra-id-is-helping-us-government-customers-meet-the-m-22-09-requirements-for-identity\">Microsoft Entra ID is helping US government customers meet the M-22-09 requirements for identity<\/h2>\n<p>US government agencies are adopting Microsoft Entra ID to consolidate siloed identity solutions, reduce operational complexity, and improve control and visibility across all their users, as the memo requires. With Microsoft Entra ID, agencies can enforce <a href=\"https:\/\/www.microsoft.com\/security\/business\/identity-access\/microsoft-entra-mfa-multi-factor-authentication\">multifactor authentication<\/a> at the application level for more granular control. They can also strengthen security by enabling phishing-resistant authentication for staff, contractors, and partners, and by evaluating device information before authorizing access to resources.<\/p>\n<blockquote class=\"wp-block-quote blockquote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>Vision<\/strong>: <\/p>\n<p>Agency staff use enterprise-managed identities to access the applications they use in their work. 
Phishing-resistant multifactor authentication protects those personnel from sophisticated online attacks.<\/p>\n<p><strong>Actions<\/strong>:<\/p>\n<ol class=\"wp-block-list\">\n<li>Agencies <strong>must employ centralized identity management systems<\/strong> for agency users that can be integrated into applications and common platforms.<\/li>\n<li>Agencies must use strong multifactor authentication throughout their enterprise.\n<ul class=\"wp-block-list\">\n<li><strong>Multifactor authentication must be enforced at the application layer<\/strong>, instead of the network layer.<\/li>\n<li>For agency staff, contractors, and partners, <strong>phishing-resistant multifactor authentication is required<\/strong>.<\/li>\n<li>For public users, <strong>phishing-resistant multifactor authentication must be an option<\/strong>.<\/li>\n<li>Password policies <strong>must not require use of special characters or regular rotation<\/strong>.<\/li>\n<\/ul>\n<\/li>\n<li>When authorizing users to access resources, agencies <strong>must consider at least one device-level signal<\/strong> alongside identity information about the authenticated user.<\/li>\n<\/ol>\n<p><em><strong>Source<\/strong>: M-22-09: Moving the US Government Toward Zero Trust Cybersecurity Principles, issued by the US Office of Management and Budget, January 2022, page 5.<\/em><\/p>\n<\/blockquote>\n<p>Many of our US government civilian and military customers want to use the same solutions across their different environments. 
Since it\u2019s available in secret and top-secret Microsoft Azure Government clouds, agencies can standardize on Microsoft Entra ID to secure user identities, to configure granular access permissions in one place, and to provide simpler, easier, and more secure sign-in experiences to applications their employees use in their work.<\/p>\n<div class=\"wp-block-msxcm-cta-block\" data-moray data-bi-an=\"CTA Block\">\n<div class=\"card d-block mx-ng mx-md-0\">\n<div class=\"row no-gutters\">\n<div class=\"d-flex col-md\">\n<div class=\"card-body align-self-center p-4 p-md-5\">\n<h2>Microsoft Entra ID<\/h2>\n<div class=\"mb-3\">\n<p>Establish Zero Trust access controls, prevent identity attacks, and manage access to resources.<\/p>\n<\/p><\/div>\n<div class=\"link-group\"> \t\t\t\t\t\t\t<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/identity-access\/microsoft-entra-id\" class=\"btn btn-primary\" > \t\t\t\t\t\t\t\t<span>Try for free<\/span> \t\t\t\t\t\t\t\t<span class=\"glyph-append glyph-append-chevron-right glyph-append-xsmall\"><\/span> \t\t\t\t\t\t\t<\/a> \t\t\t\t\t\t<\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"col-md-4\"> \t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"1000\" height=\"1000\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/SEC20_Security_015.jpg\" class=\"card-img img-object-cover\" alt=\"\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/SEC20_Security_015.jpg 1000w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/SEC20_Security_015-300x300.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/SEC20_Security_015-150x150.jpg 150w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2024\/08\/SEC20_Security_015-768x768.jpg 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" 
\/>\t\t\t\t<\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<h2 class=\"wp-block-heading\" id=\"using-microsoft-entra-id-as-a-centralized-identity-management-system\">Using Microsoft Entra ID as a centralized identity management system<\/h2>\n<p>Anyone who has struggled to manage multiple identity systems understands that it\u2019s an expensive and inefficient approach. Government customers who have adopted Microsoft Entra ID as their central agency identity provider (IdP) gained a holistic view of all users and their access permissions as required by the memo. They also gained a centralized access policy engine that combines signals from multiple sources, including identities and devices, to detect anomalous user behavior, assess risk, and make real-time access decisions that adhere to <a href=\"https:\/\/www.microsoft.com\/security\/business\/zero-trust\">Zero Trust principles<\/a>.<\/p>\n<p>Moreover, Microsoft Entra ID enables single sign-on (SSO) to resources and apps, including apps from Microsoft and thousands of other vendors, whether they\u2019re on-premises or in Microsoft commercial or government clouds. When deployed as the central agency IdP, Microsoft Entra ID also secures access to resources in clouds from Amazon, Google, and Oracle.<\/p>\n<p>Many government customers are facilitating secure collaboration among different organizations by using <a href=\"https:\/\/www.microsoft.com\/security\/business\/identity-access\/microsoft-entra-external-id\">Microsoft Entra External ID<\/a> for business-to-business (B2B) collaboration to enable cross-cloud access scenarios. 
They don\u2019t have to give collaboration partners separate credentials for accessing applications and documents in their environment, which reduces their cyberattack surface and spares their partner users from maintaining multiple sets of credentials for multiple identity systems.<\/p>\n<h2 class=\"wp-block-heading\" id=\"using-microsoft-entra-id-to-facilitate-cross-organizational-collaboration\">Using Microsoft Entra ID to facilitate cross-organizational collaboration<\/h2>\n<div class=\"wp-block-msxcm-kicker-container\">\n<div class=\" wp-block-msxcm-kicker-block wp-block-msxcm-kicker--align-left\" data-bi-an=\"Kicker Left\">\n<p class=\"wp-block-msxcm-kicker__title small text-neutral-400 text-uppercase\"> \t\t\tCross-tenant access with Microsoft Entra External ID\t\t<\/p>\n<p> \t\t<a \t\t\tclass=\"wp-block-msxcm-kicker__cta btn btn-link p-0 text-decoration-none\" \t\t\thref=\"https:\/\/learn.microsoft.com\/en-us\/entra\/external-id\/cross-tenant-access-overview\" \t\t\ttarget=\"_blank\"\t\t> \t\t\t<span>Read more<\/span> <span class=\"glyph-append glyph-append-xsmall wp-block-msxcm-kicker__glyph glyph-append-go\"><\/span> \t\t<\/a> \t<\/div>\n<\/p><\/div>\n<p>One of our government customers, along with their partner agency, configured cross-tenant access settings to trust multifactor authentication claims from each user\u2019s home tenant. Their partner agency can now trust and enforce strong phishing-resistant authentication for the customer\u2019s users without forcing them to sign in multiple times to collaborate. 
The partner agency also explicitly enforces, through a <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/authentication\/concept-authentication-strengths\">Conditional Access authentication strength<\/a> policy, that the customer\u2019s users must sign in using a personal identity verification (PIV) card or a common access card (CAC) before gaining access.<\/p>\n<div class=\"wp-block-msxcm-kicker-container\">\n<div class=\" wp-block-msxcm-kicker-block wp-block-msxcm-kicker--align-right\" data-bi-an=\"Kicker Right\">\n<p class=\"wp-block-msxcm-kicker__title small text-neutral-400 text-uppercase\"> \t\t\tConfigure cross-tenant access settings for B2B collaboration\t\t<\/p>\n<p> \t\t<a \t\t\tclass=\"wp-block-msxcm-kicker__cta btn btn-link p-0 text-decoration-none\" \t\t\thref=\"https:\/\/learn.microsoft.com\/en-us\/entra\/external-id\/cross-tenant-access-settings-b2b-collaboration\" \t\t\ttarget=\"_blank\"\t\t> \t\t\t<span>Learn more<\/span> <span class=\"glyph-append glyph-append-xsmall wp-block-msxcm-kicker__glyph glyph-append-go\"><\/span> \t\t<\/a> \t<\/div>\n<\/p><\/div>\n<p>Another government customer needed to give employees from different organizations within the same agency access to shared services applications such as human resources systems. They used Microsoft Entra External ID for B2B collaboration along with cross-cloud settings to enable seamless and secure collaboration and resource sharing for all agency employees, other government agencies (OGAs), and external partners. They used <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/identity-access\/microsoft-entra-conditional-access\">Microsoft Entra Conditional Access<\/a> policy and cross-tenant access settings to require that employees sign in using phishing-resistant authentication before accessing shared resources. Trust relationships ensure that this approach works whether the home tenant of an employee is in an Azure commercial or government cloud. 
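<\/p>\n<p>Both stories turn on one decision in the resource tenant: what to do with the multifactor and device-compliance claims a partner user brings from their home tenant. The Python below is an added example, not code from the original post or from Microsoft. It models that decision with simplified stand-ins for the Graph <code>crossTenantAccessPolicy<\/code> inbound trust settings (<code>isMfaAccepted<\/code>, <code>isCompliantDeviceAccepted<\/code>) and for an authentication-strength grant control; the method combination names follow the built-in Entra authentication strengths, the scenario data is constructed, and the class and function names are this example\u2019s own rather than a Microsoft API.<\/p>\n

```python
# Added example (not from the original post or from Microsoft): how a resource
# tenant combines cross-tenant access inbound trust settings with an
# authentication-strength Conditional Access policy for an inbound B2B user.
# The classes are simplified stand-ins for the Graph crossTenantAccessPolicy
# "inboundTrust" settings and a Conditional Access grant control; the
# scenario data is constructed.
from dataclasses import dataclass

# Method combinations, named as in Entra authentication strength policies.
# PHISHING_RESISTANT mirrors the built-in "Phishing-resistant MFA" strength;
# MFA adds combinations the built-in "Multifactor authentication" strength
# also accepts. Single-factor certificate use is deliberately in neither set.
PHISHING_RESISTANT = {"fido2", "x509CertificateMultiFactor", "windowsHelloForBusiness"}
MFA = PHISHING_RESISTANT | {
    "password,microsoftAuthenticatorPush",
    "password,softwareOath",
    "password,sms",
}
STRENGTHS = {"mfa": MFA, "phishingResistant": PHISHING_RESISTANT}


@dataclass(frozen=True)
class InboundTrust:
    """Resource tenant's inbound trust settings for one partner tenant."""
    is_mfa_accepted: bool = False
    is_compliant_device_accepted: bool = False


@dataclass(frozen=True)
class HomeTenantClaims:
    """What the partner user's home-tenant token asserts about this sign-in."""
    auth_methods: str          # e.g. "x509CertificateMultiFactor" for a PIV/CAC sign-in
    device_compliant: bool = False


@dataclass(frozen=True)
class ResourcePolicy:
    """Grant controls of the resource tenant's Conditional Access policy."""
    required_strength: str = "mfa"   # "mfa" or "phishingResistant"
    require_compliant_device: bool = False


def evaluate(trust, claims, policy):
    """Return (decision, reason); decision is "grant", "step_up" or "block"."""
    if policy.require_compliant_device:
        # A guest cannot register a device in the resource tenant, so the only
        # way to pass this control is a trusted compliance claim from home.
        if not trust.is_compliant_device_accepted:
            return "block", "compliant device required but partner device claims are not trusted"
        if not claims.device_compliant:
            return "block", "compliant device required and home tenant reports the device as non-compliant"
    if not trust.is_mfa_accepted:
        # Home-tenant MFA is ignored: the user is prompted again in the
        # resource tenant even if they just used a PIV card at home.
        return "step_up", "home-tenant MFA not trusted; resource tenant prompts for its own MFA"
    if claims.auth_methods in STRENGTHS[policy.required_strength]:
        return "grant", f"home-tenant method {claims.auth_methods!r} satisfies {policy.required_strength}"
    return "step_up", (f"home-tenant method {claims.auth_methods!r} does not satisfy "
                       f"{policy.required_strength}; a satisfying method is required in the resource tenant")


# Constructed scenarios for the two agencies described above.
TRUSTING = InboundTrust(is_mfa_accepted=True, is_compliant_device_accepted=True)
NO_TRUST = InboundTrust()
PIV = HomeTenantClaims("x509CertificateMultiFactor", device_compliant=True)
PUSH = HomeTenantClaims("password,microsoftAuthenticatorPush", device_compliant=True)
SCENARIOS = {
    "piv_trusted": (TRUSTING, PIV, ResourcePolicy("phishingResistant")),
    "push_trusted": (TRUSTING, PUSH, ResourcePolicy("phishingResistant")),
    "piv_no_trust": (NO_TRUST, PIV, ResourcePolicy("phishingResistant")),
    "device_no_trust": (NO_TRUST, PIV, ResourcePolicy("mfa", require_compliant_device=True)),
}


def run_scenarios():
    """Decision per scenario; the reasons are printed by main()."""
    return {name: evaluate(*args)[0] for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, args in SCENARIOS.items():
        decision, reason = evaluate(*args)
        print(f"{name:16} {decision:8} {reason}")
```

<p>Running it prints a decision and reason per scenario. The two step-up outcomes are the repeated prompts the first agency avoided by trusting its partner\u2019s MFA claims, and the block outcome shows why a compliant-device control on a guest population needs the device trust setting as well as the MFA one.<\/p>\n<p>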
They also enabled collaboration with agencies that use an IdP other than Microsoft Entra ID by setting up federation through the SAML 2.0 and WS-Fed protocols.<\/p>\n<p><strong>Next step after standardizing on Microsoft Entra ID as your centralized IdP<\/strong>: Use <a href=\"https:\/\/www.microsoft.com\/security\/business\/identity-access\/microsoft-entra-id-governance\">Microsoft Entra ID Governance<\/a> to automate lifecycle management of guest accounts in your tenant, so guest users only get access to the resources they need, for only as long as they need it. Start here: <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/id-governance\/what-are-lifecycle-workflows\" target=\"_blank\" rel=\"noreferrer noopener\">What are lifecycle workflows?<\/a><\/p>\n<h2 class=\"wp-block-heading\" id=\"enabling-strong-multifactor-authentication\">Enabling strong multifactor authentication<\/h2>\n<p>Standardizing on Microsoft Entra ID has made it possible for our government customers to enable phishing-resistant authentication methods. Over the past 18 months, we\u2019ve worked with our US government customers to increase adoption of phishing-resistant multifactor authentication with Microsoft Entra by almost 2,000%.<\/p>\n<p>From there, customers configure Conditional Access policies that require strong phishing-resistant authentication for accessing applications and resources, as required by the memo. 
Using Conditional Access authentication strength, they can even set policies to require additional, stronger authentication based on the sensitivity of the application or resource the user is trying to access, or the operation they\u2019re trying to perform.<\/p>\n<blockquote class=\"wp-block-quote blockquote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Microsoft Entra supports strong phishing-resistant forms of authentication:<\/p>\n<ul class=\"wp-block-list\">\n<li>Certificate-based authentication (CBA) using Personal Identity Verification (PIV) cards or Common Access Cards (CAC)<\/li>\n<li>Device-bound passkeys\n<ul class=\"wp-block-list\">\n<li>FIDO2 security keys<\/li>\n<li>Passkeys in the Microsoft Authenticator app<\/li>\n<\/ul>\n<\/li>\n<li>Windows Hello for Business<\/li>\n<li>Platform single sign-on (SSO) for macOS devices (in preview)<\/li>\n<\/ul>\n<p>For a deep dive into phishing-resistant authentication in Microsoft Entra, explore the video series <a href=\"https:\/\/aka.ms\/DontGetPhished\" target=\"_blank\" rel=\"noreferrer noopener\">Phishing-resistant authentication in Microsoft Entra ID<\/a>.<\/p>\n<\/blockquote>\n<p>While Microsoft Entra ID can prevent the use of common passwords, identify compromised passwords, and enable self-service password reset, many of our government customers prefer to require the most secure forms of authentication, such as smart cards with X.509 certificates and passkeys, which don\u2019t involve passwords at all. 
This makes signing in more secure, simplifies the user experience, and reduces management complexity.<\/p>\n<h2 class=\"wp-block-heading\" id=\"implementing-phishing-resistant-multifactor-authentication-methods-with-microsoft-entra-id\">Implementing phishing-resistant multifactor authentication methods with Microsoft Entra ID<\/h2>\n<div class=\"wp-block-msxcm-kicker-container\">\n<div class=\" wp-block-msxcm-kicker-block wp-block-msxcm-kicker--align-left\" data-bi-an=\"Kicker Left\">\n<p class=\"wp-block-msxcm-kicker__title small text-neutral-400 text-uppercase\"> \t\t\tMigrate to cloud authentication using Staged Rollout\t\t<\/p>\n<p> \t\t<a \t\t\tclass=\"wp-block-msxcm-kicker__cta btn btn-link p-0 text-decoration-none\" \t\t\thref=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/hybrid\/connect\/how-to-connect-staged-rollout\" \t\t\ttarget=\"_blank\"\t\t> \t\t\t<span>Learn more<\/span> <span class=\"glyph-append glyph-append-xsmall wp-block-msxcm-kicker__glyph glyph-append-go\"><\/span> \t\t<\/a> \t<\/div>\n<\/p><\/div>\n<p>To reduce the cost and complexity of maintaining an on-premises authentication infrastructure using Active Directory Federation Services (AD FS) for employee PIV cards, one agency wanted to use certificate-based authentication (CBA) in Microsoft Entra ID. To ensure the transition went smoothly, they moved users with Staged Rollout, carefully monitoring threat activity using Microsoft Entra ID Protection dashboards and Microsoft Graph API logs exported to their security information and event management (SIEM) system. 
They migrated all their users to cloud-based CBA in Microsoft Entra in less than three months and after monitoring the environment for a time, confidently decommissioned their AD FS servers.<\/p>\n<div class=\"wp-block-msxcm-kicker-container\">\n<div class=\" wp-block-msxcm-kicker-block wp-block-msxcm-kicker--align-left\" data-bi-an=\"Kicker Left\">\n<p class=\"wp-block-msxcm-kicker__title small text-neutral-400 text-uppercase\"> \t\t\tPublic preview: Microsoft Entra ID FIDO2 provisioning APIs\t\t<\/p>\n<p> \t\t<a \t\t\tclass=\"wp-block-msxcm-kicker__cta btn btn-link p-0 text-decoration-none\" \t\t\thref=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-entra-blog\/public-preview-microsoft-entra-id-fido2-provisioning-apis\/ba-p\/4062699\" \t\t\ttarget=\"_blank\"\t\t> \t\t\t<span>Learn more<\/span> <span class=\"glyph-append glyph-append-xsmall wp-block-msxcm-kicker__glyph glyph-append-go\"><\/span> \t\t<\/a> \t<\/div>\n<\/p><\/div>\n<p>A local government department chose an opt-in approach for moving employees and vendors to phishing-resistant authentication. Every user contacting the help desk for a password reset instead received help onboarding to Windows Hello for Business. This agency also gave FIDO2 keys to all admins and set a Conditional Access authentication strength policy requiring all vendors to perform phishing-resistant authentication. Their next step will be to roll out device-bound passkeys managed in the Microsoft Authenticator app and enforce their use through Conditional Access. 
This will save them the expense of issuing separate physical keys and give their users the familiar experience of authenticating securely from their mobile device.<\/p>\n<div class=\"wp-block-msxcm-kicker-container\">\n<div class=\" wp-block-msxcm-kicker-block wp-block-msxcm-kicker--align-left\" data-bi-an=\"Kicker Left\">\n<p class=\"wp-block-msxcm-kicker__title small text-neutral-400 text-uppercase\"> \t\t\tSupported identities and authentication methods in Azure Virtual Desktop\t\t<\/p>\n<p> \t\t<a \t\t\tclass=\"wp-block-msxcm-kicker__cta btn btn-link p-0 text-decoration-none\" \t\t\thref=\"https:\/\/learn.microsoft.com\/en-us\/azure\/virtual-desktop\/authentication\" \t\t\ttarget=\"_blank\"\t\t> \t\t\t<span>Learn more<\/span> <span class=\"glyph-append glyph-append-xsmall wp-block-msxcm-kicker__glyph glyph-append-go\"><\/span> \t\t<\/a> \t<\/div>\n<\/p><\/div>\n<p>By giving users access to applications and resources through Azure Virtual Desktop, another large agency avoids the overhead of maintaining and supporting individual devices and the software running on them. They also protect their environment from potentially unhealthy, misconfigured, or stolen devices. Whether employees use devices running Windows, macOS, iOS, or Android, they run the same Virtual Desktop image and sign in, as policy requires, using phishing-resistant, passwordless authentication.<\/p>\n<p><strong>Next step after enabling strong multifactor authentication:<\/strong> Configure Conditional Access authentication strength to enforce phishing-resistant authentication for accessing sensitive resources. 
Start here: <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/authentication\/concept-authentication-strengths\" target=\"_blank\" rel=\"noreferrer noopener\">Overview of Microsoft Entra authentication strength<\/a>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"using-conditional-access-policies-to-authorize-access-to-resources\">Using Conditional Access policies to authorize access to resources<\/h2>\n<p>Using Conditional Access, our government customers have configured fine-tuned access policies that consider contextual information about the user, their device, their location, and real-time risk levels to control which apps and resources users can access and under what conditions.<\/p>\n<p>To satisfy the memo\u2019s third identity requirement, these customers include device-based signals in policies that make authorization decisions. For example, Microsoft Entra ID Protection can detect whether a device\u2019s originating network is safe or unsafe based on its geographic location, IP address range, or whether it\u2019s coming from an anonymous IP address (for example, TOR). Conditional Access can evaluate signals from Microsoft Intune or other mobile device management systems to determine whether a device is properly managed and compliant before granting access. It can also consider device threat signals from Microsoft Defender for Endpoint.<\/p>\n<h2 class=\"wp-block-heading\" id=\"enabling-microsoft-entra-conditional-access-risk-based-policies\">Enabling Microsoft Entra Conditional Access risk-based policies<\/h2>\n<p>One government department enabled risk-based Conditional Access policies across their applications, requiring more stringent sign-in methods depending on levels of user and sign-in risk. 
For example, a user evaluated as \u2018no-risk\u2019 must always perform multifactor authentication, a user evaluated as \u2018low-medium risk\u2019 must sign in using phishing-resistant multifactor authentication, and a user deemed \u2018high-risk\u2019 must sign in using a specific certificate issued to them by the department. The customer has also configured policy to require compliant devices, enable token protection, and define sign-in frequency. To facilitate threat hunting and automatic mitigation, they send their sign-in and other Microsoft Entra logs to Microsoft Sentinel.<\/p>\n<p><strong>Next step after configuring basic Conditional Access policies:<\/strong> Configure risk-based Conditional Access policies using Microsoft Entra ID Protection. Start here: <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/id-protection\/howto-identity-protection-configure-risk-policies\">Configure and enable risk policies<\/a>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"next-steps\">Next steps<\/h2>\n<p>On July 10, 2024, the White House issued Memorandum M-24-14, \u201c<a href=\"https:\/\/whitehouse.gov\/wp-content\/uploads\/2024\/07\/FY26-Cybersecurity-Priorities-Memo_Signed.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Administration Cybersecurity Priorities for the FY 2026 Budget<\/a>.\u201d One budget priority calls on agencies to transition toward fully mature Zero Trust architectures by September 30, 2026. Agencies need to submit an updated implementation plan to the Office of Management and Budget within 120 days of the memo\u2019s release. Agencies in the Department of Defense must also implement Zero Trust by September 30, 2026, a year earlier than the previously published timeline.<\/p>\n<p>Microsoft is here to help you rearchitect your environment and implement your Zero Trust strategy, so you can comply with every milestone of the Executive Order. 
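<\/p>\n<p>One check the risk-tiered design in the previous section invites, using the sign-in logs that department already exports to Microsoft Sentinel: do successful sign-ins at each risk level actually carry the method the tier demands? The Python below is an added example, not code from the original post or from Microsoft. It audits sign-in records against that tiering (no risk requires multifactor authentication, low or medium risk requires phishing-resistant multifactor authentication, high risk requires a certificate from the department\u2019s own CA) and against the compliant-device requirement. The records are constructed; their field names follow the Graph <code>signIn<\/code> resource, but the <code>authenticationMethod<\/code> values are normalised to authentication-strength combination names, and the <code>certificateIssuer<\/code> field and the CA name are assumptions added for the example.<\/p>\n

```python
# Added example (not from the original post or from Microsoft): audit exported
# Entra sign-in records against the risk-tiered Conditional Access design
# described above (no risk -> MFA; low/medium -> phishing-resistant MFA;
# high -> CBA with a certificate from the department's own CA) plus the
# compliant-device requirement. Records are constructed; field names follow
# the Graph signIn resource, but authenticationMethod values are normalised to
# authentication-strength combination names, and the certificateIssuer field
# and DEPARTMENT_CA value are assumptions.
import json

TIER_RANK = {"mfa": 1, "phishingResistant": 2, "departmentCertificate": 3}
REQUIRED_BY_RISK = {"none": "mfa", "low": "phishingResistant",
                    "medium": "phishingResistant", "high": "departmentCertificate"}
DEPARTMENT_CA = "CN=Example Department Issuing CA 01"  # assumed issuer DN

# Sets of successfully used methods, as frozensets so log order is irrelevant.
PHISHING_RESISTANT = {frozenset({"fido2"}), frozenset({"x509CertificateMultiFactor"}),
                      frozenset({"windowsHelloForBusiness"})}
MFA_ONLY = {frozenset({"password", "microsoftAuthenticatorPush"}),
            frozenset({"password", "softwareOath"}), frozenset({"password", "sms"})}


def achieved_tier(record):
    """Highest tier the sign-in's successful methods satisfy, or None."""
    methods = frozenset(
        d["authenticationMethod"] for d in record["authenticationDetails"] if d.get("succeeded")
    )
    if methods in PHISHING_RESISTANT:
        issued_by_department = record.get("certificateIssuer") == DEPARTMENT_CA
        if "x509CertificateMultiFactor" in methods and issued_by_department:
            return "departmentCertificate"
        return "phishingResistant"
    if methods in MFA_ONLY:
        return "mfa"
    return None  # single factor, interrupted, or an unrecognised combination


def audit(records):
    """One finding per successful sign-in that fell short of the tier or device rule."""
    findings = []
    for r in records:
        if r["status"]["errorCode"] != 0:
            continue  # refused sign-ins are not gaps; only what succeeded matters here
        risk = r.get("riskLevelDuringSignIn")
        # Risk is "hidden" without the right licence; anything unrecognised is
        # treated as high so it is reviewed rather than silently passed.
        required = REQUIRED_BY_RISK.get(risk, "departmentCertificate")
        achieved = achieved_tier(r)
        if achieved is None or TIER_RANK[achieved] < TIER_RANK[required]:
            findings.append({"id": r["id"], "user": r["userPrincipalName"],
                             "gap": f"risk {risk} requires {required}, got {achieved}"})
        if not r["deviceDetail"].get("isCompliant", False):
            findings.append({"id": r["id"], "user": r["userPrincipalName"],
                             "gap": "policy requires a compliant device"})
    return findings


# Constructed sample export, not a real tenant's logs.
SAMPLE_SIGNINS = json.loads("""[
 {"id": "s1", "userPrincipalName": "analyst@agency.example", "riskLevelDuringSignIn": "none",
  "status": {"errorCode": 0}, "deviceDetail": {"isCompliant": true},
  "authenticationDetails": [{"authenticationMethod": "password", "succeeded": true},
                            {"authenticationMethod": "microsoftAuthenticatorPush", "succeeded": true}]},
 {"id": "s2", "userPrincipalName": "vendor@partner.example", "riskLevelDuringSignIn": "low",
  "status": {"errorCode": 0}, "deviceDetail": {"isCompliant": true},
  "authenticationDetails": [{"authenticationMethod": "password", "succeeded": true},
                            {"authenticationMethod": "microsoftAuthenticatorPush", "succeeded": true}]},
 {"id": "s3", "userPrincipalName": "admin@agency.example", "riskLevelDuringSignIn": "medium",
  "status": {"errorCode": 0}, "deviceDetail": {"isCompliant": true},
  "authenticationDetails": [{"authenticationMethod": "fido2", "succeeded": true}]},
 {"id": "s4", "userPrincipalName": "officer@agency.example", "riskLevelDuringSignIn": "high",
  "status": {"errorCode": 0}, "deviceDetail": {"isCompliant": true},
  "certificateIssuer": "CN=Example Department Issuing CA 01",
  "authenticationDetails": [{"authenticationMethod": "x509CertificateMultiFactor", "succeeded": true}]},
 {"id": "s5", "userPrincipalName": "officer@agency.example", "riskLevelDuringSignIn": "high",
  "status": {"errorCode": 0}, "deviceDetail": {"isCompliant": true},
  "authenticationDetails": [{"authenticationMethod": "fido2", "succeeded": true}]},
 {"id": "s6", "userPrincipalName": "analyst@agency.example", "riskLevelDuringSignIn": "none",
  "status": {"errorCode": 0}, "deviceDetail": {"isCompliant": false},
  "authenticationDetails": [{"authenticationMethod": "fido2", "succeeded": true}]},
 {"id": "s7", "userPrincipalName": "vendor@partner.example", "riskLevelDuringSignIn": "low",
  "status": {"errorCode": 50074}, "deviceDetail": {"isCompliant": true},
  "authenticationDetails": [{"authenticationMethod": "password", "succeeded": true},
                            {"authenticationMethod": "microsoftAuthenticatorPush", "succeeded": false}]}
]""")


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SIGNINS), indent=2))
```

<p>On the sample, three records are flagged: a low-risk vendor sign-in that only reached password plus push, a high-risk sign-in that used a FIDO2 key instead of the department certificate, and a no-risk sign-in from a non-compliant device. Unrecognised risk values (for example, <code>hidden<\/code> when no Microsoft Entra ID Protection licence is present) are deliberately treated as high risk, so a licensing gap shows up as findings rather than as a clean report.<\/p>\n<p>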
We\u2019ve published <a href=\"https:\/\/learn.microsoft.com\/en-us\/security\/zero-trust\/dod-zero-trust-strategy-user\" target=\"_blank\" rel=\"noreferrer noopener\">technical guidance<\/a> and <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/standards\/memo-22-09-meet-identity-requirements\" target=\"_blank\" rel=\"noreferrer noopener\">detailed documentation<\/a> to help federal agencies use Microsoft Entra ID to meet identity requirements. We\u2019ve also published <a href=\"https:\/\/learn.microsoft.com\/en-us\/security\/zero-trust\/dod-zero-trust-strategy-user\">detailed guidance<\/a> on meeting the Department of Defense Zero Trust requirements with Microsoft Entra ID.<\/p>\n<p>In the coming weeks and months, you\u2019ll see announcements about additional steps we\u2019re taking to simplify your Zero Trust implementation, such as the general availability of <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-entra-blog\/public-preview-expanding-passkey-support-in-microsoft-entra-id\/ba-p\/4062702\" target=\"_blank\" rel=\"noreferrer noopener\">support for device-bound passkeys<\/a> in Microsoft Authenticator and <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/conditional-access\/managed-policies\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft-managed Conditional Access policies<\/a> that enable multifactor authentication by default for US government customers.<\/p>\n<p>We look forward to supporting you through the next phases of your Zero Trust journey.<\/p>\n<ol class=\"wp-block-list\">\n<li>Standardize on Microsoft Entra ID as your centralized identity provider to secure every identity and to secure access to your apps and resources. 
Start here: <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/fundamentals\/whatis\" target=\"_blank\" rel=\"noreferrer noopener\">What is Microsoft Entra ID?<\/a><\/li>\n<li>To facilitate secure cross-organization collaboration, configure cross-tenant access settings and Conditional Access policies to require that partners accessing your resources sign in using phishing-resistant authentication. Start here: <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/external-id\/b2b-government-national-clouds\">Microsoft Entra B2B in government and national clouds<\/a>.<\/li>\n<li>If you\u2019re using CBA on AD FS, migrate to cloud-based CBA using Staged Rollout and retire your on-premises federation servers. Start here: <a href=\"https:\/\/www.youtube.com\/watch?v=jsKQxo-xGgA\">Migrate from AD FS Certificate-based Authentication (CBA) to Microsoft Entra ID CBA<\/a>.<\/li>\n<li>Eliminate passwords altogether by enabling passwordless phishing-resistant authentication using CBA, Windows Hello for Business, device-bound passkeys (FIDO2 security keys or passkeys managed in the Microsoft Authenticator app), or Platform SSO for MacOS. Start here: <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/authentication\/howto-authentication-passwordless-deployment\">Plan a passwordless authentication deployment in Microsoft Entra ID<\/a>.<\/li>\n<li>Implement risk-based Conditional Access policies to adjust access requirements dynamically. 
Start here: <a href=\"https:\/\/learn.microsoft.com\/en-us\/security\/zero-trust\/dod-zero-trust-strategy-user#13-multi-factor-authentication\">DoD Zero Trust Strategy for the user pillar<\/a>.<\/li>\n<\/ol>\n<p>To learn more about Microsoft Security solutions, visit our&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\" target=\"_blank\" rel=\"noreferrer noopener\">website.<\/a>&nbsp;Bookmark the&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/blog\/\" target=\"_blank\" rel=\"noreferrer noopener\">Security blog<\/a>&nbsp;to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (<a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-security\/\">Microsoft Security<\/a>) and X (<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noreferrer noopener\">@MSFTSecurity<\/a>)&nbsp;for the latest news and updates on cybersecurity.<\/p>\n<p>The post <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/26\/how-microsoft-entra-id-supports-us-government-agencies-in-meeting-identity-security-requirements\/\">How Microsoft Entra ID supports US government agencies in meeting identity security requirements<\/a> appeared first on <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/26\/how-microsoft-entra-id-supports-us-government-agencies-in-meeting-identity-security-requirements\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Joy Chik| Date: Mon, 26 Aug 2024 16:00:00 +0000<\/strong><\/p>\n<p>United States Government agencies are adopting Microsoft Entra ID to consolidate siloed identity solutions, reduce operational complexity, and improve control and visibility across all users.<\/p>\n<p>The post <a 
href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/08\/26\/how-microsoft-entra-id-supports-us-government-agencies-in-meeting-identity-security-requirements\/\">How Microsoft Entra ID supports US government agencies in meeting identity security requirements<\/a> appeared first on <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[],"class_list":["post-25118","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25118","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=25118"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25118\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=25118"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=25118"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=25118"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}