Turning Microsoft’s MFA Requirement for Azure Into an Epic Security Win With Duo
We are less than two months away. Are you ready?
Microsoft has announced that, starting next month, it will begin rolling out mandatory multi-factor authentication (MFA) sign-in for Azure (also known as Microsoft Entra ID) resources.
It is no secret that identity-based breaches are on the rise, so we applaud Microsoft for taking the first step towards better protecting Azure resources! As Microsoft points out in their announcement, MFA “can block more than 99.2% of account compromise attacks.”
Not only do we applaud them, but at Duo we have been partnering with Microsoft for years to provide seamless integrations that make any Microsoft deployment more secure. Most recently, Duo became the first approved vendor in Microsoft’s new External Authentication Methods framework.
To illustrate the depth of our integration, you can satisfy Microsoft’s mandatory MFA requirement through any one of the following Duo configurations:
Duo Single Sign-On for Microsoft 365 supports Microsoft’s mandate out of the box
Duo two-factor authentication for Microsoft Entra ID External Authentication Methods (EAM) supports Microsoft’s mandate out of the box
If you are using Duo with Active Directory Federation Services (AD FS), you will need to ensure you are sending the Authentication Methods Reference (AMR) in the AD FS custom claim to support Microsoft's mandate
However, while MFA has been shown to help stop attacks, authentication alone is not the answer. The security industry has diligently battled compromised credentials. We have evolved from passwords to multi-factor authentication (MFA) to phishing-resistant passwordless — our most secure form of authentication to date. Duo has been at the forefront of passwordless development and fully supports passwordless authentication as a component of an identity security program.
Despite these advancements, we still see many identity-based breaches year over year. This is why we released Continuous Identity Security earlier this year. Continuous Identity Security is built on the premise that we need to enhance our traditional access management controls. It combines Duo’s current authentication capabilities like MFA, Passwordless and SSO with powerful security insights into identity and device risk. It also provides mechanisms to maintain and revoke trust based on these insights.
For example, Continuous Identity Security includes an Identity Intelligence layer that provides visibility and context into identities across multiple data sources such as Entra ID, Duo, Okta, Workday, Google and Salesforce. This context can be used to proactively improve identity security posture by doing things like finding and removing dormant accounts. But it can also be used to inform an identity threat detection & response (ITDR) practice that seamlessly responds to identity threats.
In addition to Identity Intelligence, Continuous Identity Security includes functionality like Duo Passport, which securely brokers trust across disparate authentication scenarios, reducing the number of times a user is asked to log in. Just like SSO before it, Duo Passport eases the burden of performing authentication on an end user, making them much less susceptible to frustration-based attacks like Push Bombing.
With Continuous Identity Security, not only can you satisfy Microsoft’s mandatory MFA requirement, but you are able to protect yourself against the sharp rise in identity-based attacks — all while maintaining a seamless access experience for your end users. Security is better because you now have deep visibility across all your identity environments, enabling ISPM and ITDR. Yet user experience is also improved, because Passport and continuous analysis mean trust can be shared between authentication checkpoints, reducing authentication frustration.
If you’re interested in learning more about how Duo and Microsoft can help secure your organization, check out this eBook that highlights how we work together to enable Zero Trust.
If you’d like to learn more about how to implement Continuous Identity Security at your company, you can read more on our product page or reach out to sales for a quick discussion.