This architecture shows how security operations center (SOC) teams can incorporate Microsoft Entra identity and access capabilities into an overall integrated and layered zero-trust security strategy.
Network security dominated SOC operations when all services and devices were contained on managed networks in organizations. However, Gartner predicts that through 2022, the market size of cloud services will grow at a rate nearly three times that of overall IT services. As more companies embrace cloud computing, there's a shift toward treating user identity as the primary security boundary.
Securing identities in the cloud is a high priority.
Verizon's 2020 data breach investigations report stated that 37% involved use of stolen credentials, and 22% of data breaches involved phishing.
A 2019 IBM study of data breach incidents reported that the average global cost of a data breach was $3.9M, with the US average cost closer to $8.2M.
The Microsoft 2019 Security Intelligence Report reported that phishing attacks increased by a margin of 250% between January and December 2018.
The Zero Trust security model treats all hosts as if they're internet-facing, and considers the entire network to be potentially compromised and hostile. This approach focuses on building strong authentication (AuthN), authorization, and encryption, while also providing compartmentalized access and better operational agility.
Gartner promotes an adaptive security architecture that replaces an incident response-based strategy with a prevent-detect-respond-predict model. Adaptive security combines access control, behavioral monitoring, usage management, and discovery with continuous monitoring and analysis.
The Microsoft Cybersecurity Reference Architecture (MCRA) describes Microsoft's cybersecurity capabilities and how they integrate with existing security architectures, including cloud and hybrid environments, that use Microsoft Entra ID for Identity-as-a-Service (IDaaS).
This article advances the zero-trust, adaptive security approach to IDaaS, emphasizing components available on the Microsoft Entra platform.
Potential use cases
- Design new security solutions
- Enhance or integrate with existing implementations
- Educate SOC teams
Architecture
Download a Visio file of this architecture.
Workflow
- Credential management controls authentication.
- Provisioning and entitlement management define the access package, assign users to resources, and push data for attestation.
- The authorization engine evaluates the access policy to determine access. The engine also evaluates risk detections, including user/entity behavioral analytics (UEBA) data, and checks device compliance for endpoint management.
- If authorized, the user or device gains access per conditional access policies and controls.
- If authorization fails, users can do real-time remediation to unblock themselves.
- All session data is logged for analysis and reporting.
- The SOC team's security information and event management (SIEM) system (security information and event management (SIEM)) receives all log, risk detection, and UEBA data from cloud and on-premises identities.
Components
The following security processes and components contribute to this Microsoft Entra IDaaS architecture.
Credential management
Credential management includes services, policies, and practices that issue, track, and update access to resources or services. Microsoft Entra credential management includes the following capabilities:
Self-service password reset (SSPR) lets users self-serve and reset their own lost, forgotten, or compromised passwords. SSPR not only reduces helpdesk calls, but provides greater user flexibility and security.
Password writeback syncs passwords changed in the cloud with on-premises directories in real time.
Banned passwords analyzes telemetry data exposing commonly used weak or compromised passwords, and bans their use globally throughout Microsoft Entra ID. You can customize this functionality for your environment, and include a list of custom passwords to ban within your own organization.
Smart lockout compares legitimate authentication attempts with brute-force attempts to gain unauthorized access. Under the default smart lockout policy, an account locks out for one minute after 10 failed sign-in attempts. As sign-in attempts continue to fail, the account lockout time increases. You can use policies to adjust the settings for the appropriate mix of security and usability for your organization.
Multifactor authentication requires multiple forms of authentication when users attempt to access protected resources. Most users are familiar with using something they know, like a password, when accessing resources. MFA asks users to also demonstrate something that they have, like access to a trusted device, or something that they are, like a biometric identifier. MFA can use different kinds of authentication methods like phone calls, text messages, or notification through the authenticator app.
Passwordless authentication replaces the password in the authentication workflow with a smartphone or hardware token, biometric identifier, or PIN. Microsoft passwordless authentication can work with Azure resources like Windows Hello for Business, and the Microsoft Authenticator app on mobile devices. You can also enable passwordless authentication with FIDO2-compatible security keys, which use WebAuthn and the FIDO Alliance's Client-to-Authenticator (CTAP) protocol.
App provisioning and entitlement
Entitlement management is a Microsoft Entra identity governance feature that enables organizations to manage identity and access lifecycle at scale. Entitlement management automates access request workflows, access assignments, reviews, and expirations.
Microsoft Entra provisioning lets you automatically create user identities and roles in applications that users need to access. You can configure Microsoft Entra provisioning for third-party software-as-a-service (SaaS) apps like SuccessFactors, Workday, and many more.
Seamless single sign-on (SSO) automatically authenticates users to cloud-based applications once they sign in to their corporate devices. You can use Microsoft Entra seamless SSO with either password hash synchronization or pass-through authentication.
Attestation with Microsoft Entra access reviews help meet monitoring and auditing requirements. Access reviews let you do things like quickly identify the number of admin users, make sure new employees can access needed resources, or review users' activity to determine whether they still need access.
Conditional Access policies and controls
A conditional access policy is an if-then statement of assignments and access controls. You define the response ("do this") to the reason for triggering your policy ("if this"), enabling the authorization engine to make decisions that enforce organizational policies. With Microsoft Entra Conditional Access, you can control how authorized users access your apps. The Microsoft Entra ID What If tool can help you understand why a Conditional Access policy was or wasn't applied, or if a policy would apply to a user in a specific circumstance.
Conditional access controls work in conjunction with Conditional Access policies to help enforce organizational policy. Microsoft Entra Conditional Access controls let you implement security based on factors detected at the time of the access request, rather than a one-size fits all approach. By coupling Conditional Access controls with access conditions, you reduce the need to create additional security controls. As a typical example, you can allow users on a domain-joined device to access resources using SSO, but require MFA for users off-network or using their own devices.
Microsoft Entra ID can use the following Conditional Access controls with Conditional Access policies:
Azure role-based access control (RBAC) lets you configure and assign appropriate roles to users who need to do administrative or specialized tasks with Azure resources. You can use Azure RBAC to create or maintain separate dedicated admin-only accounts, scope access to roles you set up, time limit access, or grant access through approval workflows.
Privileged Identity Management (PIM) helps reduce the attack vector for your organization by letting you add additional monitoring and protection to administrative accounts. With Microsoft Entra PIM, you can manage and control access to resources within Azure, Microsoft Entra ID, and other Microsoft 365 services with just-in-time (JIT) access and just enough administration (JEA). PIM provides a history of administrative activities and a change log, and alerts you when users are added or removed from roles you define.
You can use PIM to require approval or justification for activating administrative roles. Users can maintain normal privileges most of the time, and request and receive access to roles they need to complete administrative or specialized tasks. When they complete their work and sign out, or the time limit on their access expires, they can reauthenticate with their standard user permissions.
Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that analyzes traffic logs to discover and monitor the applications and services in use in your organization. With Defender for Cloud Apps, you can:
- Create policies to manage interaction with apps and services
- Identify applications as sanctioned or unsanctioned
- Control and limit access to data
- Apply information protection to guard against information loss
Defender for Cloud Apps can also work with access policies and session policies to control user access to SaaS apps. For example, you can:
- Limit the IP ranges that can access apps
- Require multifactor authentication for app access
- Allow activities only from within approved apps
The access control page in the SharePoint admin center provides several ways to control access to SharePoint and OneDrive content. You can choose to block access, allow limited, web-only access from unmanaged devices, or control access based on network location.
You can scope application permissions to specific Exchange Online mailboxes by using ApplicationAccessPolicy from the Microsoft Graph API.
Terms of Use (TOU) provides a way to present information that end users must consent to before gaining access to protected resources. You upload TOU documents to Azure as PDF files, which are then available as controls in Conditional Access policies. By creating a Conditional Access policy that requires users to consent to TOU at sign-in, you can easily audit users that accepted the TOU.
Endpoint management controls how authorized users can access your cloud apps from a broad range of devices, including mobile and personal devices. You can use Conditional Access policies to restrict access only to devices that meet certain security and compliance standards. These managed devices require a device identity.
Risk detection
Azure Identity Protection includes several policies that can help your organization manage responses to suspicious user actions. User risk is the probability that a user identity is compromised. Sign-in risk is the probability that a sign-in request isn't coming from the user. Microsoft Entra ID calculates sign-in risk scores based on the probability of the sign-in request originating from the actual user, based on behavioral analytics.
Microsoft Entra risk detections use adaptive machine learning algorithms and heuristics to detect suspicious actions related to user accounts. Each detected suspicious action is stored in a record called a risk detection. Microsoft Entra ID calculates user and sign-in risk probability using this data, enhanced with Microsoft's internal and external threat intelligence sources and signals.
You can use the Identity Protection risk detection APIs in Microsoft Graph to expose information about risky users and sign-ins.
Real-time remediation allows users to unblock themselves by using SSPR and MFA to self-remediate some risk detections.
Considerations
These considerations implement the pillars of the Azure Well-Architected Framework, which is a set of guiding tenets that can be used to improve the quality of a workload. For more information, see Microsoft Azure Well-Architected Framework.
Security
Security provides assurances against deliberate attacks and the abuse of your valuable data and systems. For more information, see Design review checklist for Security.
Logging
Microsoft Entra audit reports provide traceability for Azure activities with audit logs, sign-in logs, and risky sign-in and risky user reports. You can filter and search the log data based on several parameters, including service, category, activity, and status.
You can route Microsoft Entra ID log data to endpoints like:
- Azure Storage accounts
- Azure Monitor logs
- Azure event hubs
- SIEM solutions like Microsoft Sentinel, ArcSight, Splunk, SumoLogic, other external SIEM tools, or your own solution.
You can also use the Microsoft Graph reporting API to retrieve and consume Microsoft Entra ID log data within your own scripts.
On-premises and hybrid considerations
Authentication methods are key to securing your organization's identities in a hybrid scenario. Microsoft provides specific guidance on choosing a hybrid authentication method with Microsoft Entra ID.
Microsoft Defender for Identity can use your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions. Defender for Identity uses UEBA to identify insider threats and flag risk. Even if an identity becomes compromised, Defender for Identity can help identify the compromise based on unusual user behavior.
Defender for Identity is integrated with Defender for Cloud Apps to extend protection to cloud apps. You can use Defender for Cloud Apps to create session policies that protect your files on download. For example, you can automatically set view-only permissions on any file downloaded by specific types of users.
You can configure an on-premises application in Microsoft Entra ID to use Defender for Cloud Apps for real-time monitoring. Defender for Cloud Apps uses Conditional Access App Control to monitor and control sessions in real-time based on Conditional Access policies. You can apply these policies to on-premises applications that use Application Proxy in Microsoft Entra ID.
Microsoft Entra Application Proxy lets users access on-premises web applications from remote clients. With Application Proxy, you can monitor all sign-in activities for your applications in one place.
You can use Defender for Identity with Microsoft Entra ID Protection to help protect user identities that are synchronized to Azure with Microsoft Entra Connect.
If some of your apps already use an existing delivery controller or network controller to provide off-network access, you can integrate them with Microsoft Entra ID. Several partners including Akamai, Citrix, F5 Networks, and Zscaler offer solutions and guidance for integration with Microsoft Entra ID.
Cost Optimization
Cost Optimization is about looking at ways to reduce unnecessary expenses and improve operational efficiencies. For more information, see Design review checklist for Cost Optimization.
Microsoft Entra pricing ranges from free, for features like SSO and MFA, to Premium P2, for features like PIM and Entitlement Management. For pricing details, see Microsoft Entra pricing.
Next steps
- Zero Trust security
- Zero Trust Deployment Guide for Microsoft Entra ID
- Overview of the security pillar
- Microsoft Entra demo tenant (requires a Microsoft Partner Network account), or Enterprise Mobility + Security free trial
- Microsoft Entra deployment plans