This architecture shows how security operations center (SOC) teams can incorporate Microsoft Entra identity and access capabilities into an overall integrated and layered zero-trust security strategy.

Network security dominated SOC operations when all services and devices were contained on managed networks in organizations. However, Gartner predicts that through 2022, the market size of cloud services will grow at a rate nearly three times that of overall IT services. As more companies embrace cloud computing, there's a shift toward treating user identity as the primary security boundary.

Securing identities in the cloud is a high priority.

The zero trust security model treats all hosts as if they're internet-facing, and considers the entire network to be potentially compromised and hostile. This approach focuses on building strong authentication (AuthN), authorization, and encryption, while also providing compartmentalized access and better operational agility.

Gartner promotes an adaptive security architecture that replaces an incident response-based strategy with a prevent-detect-respond-predict model. Adaptive security combines access control, behavioral monitoring, usage management, and discovery with continuous monitoring and analysis.

The Microsoft Cybersecurity Reference Architecture (MCRA) describes Microsoft's cybersecurity capabilities and how they integrate with existing security architectures, including cloud and hybrid environments, that use Microsoft Entra ID for Identity-as-a-Service (IDaaS).

This article advances the zero-trust, adaptive security approach to IDaaS, emphasizing components available on the Microsoft Entra platform.

Potential use cases

  • Design new security solutions
  • Enhance or integrate with existing implementations
  • Educate SOC teams

Architecture


Download a Visio file of this architecture.

Workflow

  1. Credential management controls authentication.
  2. Provisioning and entitlement management define the access package, assign users to resources, and push data for attestation.
  3. The authorization engine evaluates the access policy to determine access. The engine also evaluates risk detections, including user/entity behavioral analytics (UEBA) data, and checks device compliance for endpoint management.
  4. If authorized, the user or device gains access per conditional access policies and controls.
  5. If authorization fails, users can do real-time remediation to unblock themselves.
  6. All session data is logged for analysis and reporting.
  7. The SOC team's security information and event management (SIEM) system (security information and event management (SIEM)) receives all log, risk detection, and UEBA data from cloud and on-premises identities.

Components

The following security processes and components contribute to this Microsoft Entra IDaaS architecture.

Credential management

Credential management includes services, policies, and practices that issue, track, and update access to resources or services. Microsoft Entra credential management includes the following capabilities:

  • Self-service password reset (SSPR) lets users self-serve and reset their own lost, forgotten, or compromised passwords. SSPR not only reduces helpdesk calls, but provides greater user flexibility and security.

  • Password writeback syncs passwords changed in the cloud with on-premises directories in real time.

  • Banned passwords analyzes telemetry data exposing commonly used weak or compromised passwords, and bans their use globally throughout Microsoft Entra ID. You can customize this functionality for your environment, and include a list of custom passwords to ban within your own organization.

  • Smart lockout compares legitimate authentication attempts with brute-force attempts to gain unauthorized access. Under the default smart lockout policy, an account locks out for one minute after 10 failed sign-in attempts. As sign-in attempts continue to fail, the account lockout time increases. You can use policies to adjust the settings for the appropriate mix of security and usability for your organization.

  • Multi-factor authentication (MFA) requires multiple forms of authentication when users attempt to access protected resources. Most users are familiar with using something they know, like a password, when accessing resources. MFA asks users to also demonstrate something that they have, like access to a trusted device, or something that they are, like a biometric identifier. MFA can use different kinds of authentication methods like phone calls, text messages, or notification through the authenticator app.

  • Passwordless authentication replaces the password in the authentication workflow with a smartphone or hardware token, biometric identifier, or PIN. Microsoft passwordless authentication can work with Azure resources like Windows Hello for Business, and the Microsoft Authenticator app on mobile devices. You can also enable passwordless authentication with FIDO2-compatible security keys, which use WebAuthn and the FIDO Alliance's Client-to-Authenticator (CTAP) protocol.

App provisioning and entitlement

Conditional Access policies and controls

A conditional access policy is an if-then statement of assignments and access controls. You define the response ("do this") to the reason for triggering your policy ("if this"), enabling the authorization engine to make decisions that enforce organizational policies. With Microsoft Entra Conditional Access, you can control how authorized users access your apps. The Microsoft Entra ID What If tool can help you understand why a Conditional Access policy was or wasn't applied, or if a policy would apply to a user in a specific circumstance.

Conditional access controls work in conjunction with Conditional Access policies to help enforce organizational policy. Microsoft Entra Conditional Access controls let you implement security based on factors detected at the time of the access request, rather than a one-size fits all approach. By coupling Conditional Access controls with access conditions, you reduce the need to create additional security controls. As a typical example, you can allow users on a domain-joined device to access resources using SSO, but require MFA for users off-network or using their own devices.

Microsoft Entra ID can use the following Conditional Access controls with Conditional Access policies:

Risk detection

Azure Identity Protection includes several policies that can help your organization manage responses to suspicious user actions. User risk is the probability that a user identity is compromised. Sign-in risk is the probability that a sign-in request isn't coming from the user. Microsoft Entra ID calculates sign-in risk scores based on the probability of the sign-in request originating from the actual user, based on behavioral analytics.

  • Microsoft Entra risk detections use adaptive machine learning algorithms and heuristics to detect suspicious actions related to user accounts. Each detected suspicious action is stored in a record called a risk detection. Microsoft Entra ID calculates user and sign-in risk probability using this data, enhanced with Microsoft's internal and external threat intelligence sources and signals.

  • You can use the Identity Protection risk detection APIs in Microsoft Graph to expose information about risky users and sign-ins.

  • Real-time remediation allows users to unblock themselves by using SSPR and MFA to self-remediate some risk detections.

Considerations

Keep these points in mind when you use this solution.

Logging

Microsoft Entra audit reports provide traceability for Azure activities with audit logs, sign-in logs, and risky sign-in and risky user reports. You can filter and search the log data based on several parameters, including service, category, activity, and status.

You can route Microsoft Entra ID log data to endpoints like:

You can also use the Microsoft Graph reporting API to retrieve and consume Microsoft Entra ID log data within your own scripts.

On-premises and hybrid considerations

Authentication methods are key to securing your organization's identities in a hybrid scenario. Microsoft provides specific guidance on choosing a hybrid authentication method with Microsoft Entra ID.

Microsoft Defender for Identity can use your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions. Defender for Identity uses UEBA to identify insider threats and flag risk. Even if an identity becomes compromised, Defender for Identity can help identify the compromise based on unusual user behavior.

Defender for Identity is integrated with Defender for Cloud Apps to extend protection to cloud apps. You can use Defender for Cloud Apps to create session policies that protect your files on download. For example, you can automatically set view-only permissions on any file downloaded by specific types of users.

You can configure an on-premises application in Microsoft Entra ID to use Defender for Cloud Apps for real-time monitoring. Defender for Cloud Apps uses Conditional Access App Control to monitor and control sessions in real-time based on Conditional Access policies. You can apply these policies to on-premises applications that use Application Proxy in Microsoft Entra ID.

Microsoft Entra Application Proxy lets users access on-premises web applications from remote clients. With Application Proxy, you can monitor all sign-in activities for your applications in one place.

You can use Defender for Identity with Microsoft Entra ID Protection to help protect user identities that are synchronized to Azure with Microsoft Entra Connect.

If some of your apps already use an existing delivery controller or network controller to provide off-network access, you can integrate them with Microsoft Entra ID. Several partners including Akamai, Citrix, F5 Networks, and Zscaler offer solutions and guidance for integration with Microsoft Entra ID.

Cost optimization

Microsoft Entra pricing ranges from free, for features like SSO and MFA, to Premium P2, for features like PIM and Entitlement Management. For pricing details, see Microsoft Entra pricing.

Next steps