In today’s digital world, passwords have become a universal language to access applications and devices. Now, many organizations are looking to employ a password-less strategy.

As I wrote in a previous blog about protecting the user identity and data with Zero Trust and Microsoft Security, let us start with the basics and recognize the number one asset under attack: the identity. Today, as organizations continue to plan and strategize the adoption of multi-factor authentication, users continue to authenticate with one-factor authentication via passwords. For some organizations, password policies tend to remain relaxed for the sake of user experience, especially when logging in to a Windows 10/11 device, Microsoft 365, a third-party cloud app, or a legacy/line-of-business app that leverages Azure Active Directory or Active Directory Domain Services. While a relaxed policy makes for an easier user experience, it also gives malicious actors the opportunity to deploy simple attack strategies for compromising identities, including but not limited to brute-force attacks and dictionary attacks.

While some systems have built-in security capabilities to prevent simple attacks, let us not forget the more sophisticated method for compromising an identity: social engineering. With social engineering, malicious actors use psychological techniques to draw the necessary data out of the user and then generate likely passwords with moderate to high accuracy; this includes baiting, spear phishing, scareware, and pretexting. Of course, a simple password is only scratching the surface. Consider organizations whose end-users complain about complex password requirements and refuse to use the systems or apps, or users who reuse the same password across all systems and apps. The question becomes, “How do you protect the identity with a strengthened security foundation and an optimal user experience?” The answer? Eliminate passwords by defining a password-less strategy.

Password-less login makes it easier for users to sign in securely. It also supports a Zero Trust security model, in which every access request is authenticated independently of any device state or network location. In addition to simplifying the user experience and supporting a Zero Trust approach to security, password-less login makes it easier for IT teams to implement modern identity solutions such as Azure Active Directory (Azure AD).

How do you define a password-less strategy?

As implied, “password-less” indicates methods by which users can log in to their systems and apps without needing a password. While a password-less strategy may sound impossible, culture and adoption are the primary factors. Imagine the typical user in your organization logging in to their Windows 10/11 device with biometrics and/or a PIN, which already establishes two-factor authentication, and then seamlessly logging in to Outlook and Microsoft Teams. Also, imagine the same user using a personal device to log in to Microsoft 365 with only the Microsoft Authenticator app. Finally, consider the field user who needs to log in to an enterprise app that leverages Azure AD as its identity provider and requires two-factor authentication: the same approach as the Microsoft 365 example applies!

With that, here are some questions to consider when defining a password-less strategy:

  1. What is the business culture when it comes to leveraging passwords?
  2. How many passwords does a user need to remember?
  3. What is the average number of enterprise apps the typical end-user logs in to daily?
  4. Does our organization already leverage devices with biometrics and/or a PIN to log in?
  5. How many incidents and requests does our help desk receive for resetting passwords or unlocking accounts?
  6. How many incidents does our cybersecurity team receive for identities compromised via passwords?

How You Can Build a Better Security Strategy with Password-less Authentication

In brief, Microsoft defined a password-less strategy for all organizations, from small-to-medium businesses to enterprises, and summarizes it in four (4) steps:

  1. Developing password-replacement offerings
  2. Reducing the user-visible password surface area
  3. Transitioning into your password-less deployment
  4. Eliminating passwords from your directory services, such as Active Directory Domain Services


Developing password-replacement offerings

The first step in your password-less journey is determining the best replacement offerings for your organization. Consider the technologies your end-users are leveraging today: Windows 10 and 11, Microsoft 365, Azure Virtual Desktop, cloud apps (e.g., Box), and any enterprise apps deployed on-premises. Also, consider what will be convenient for your end-users when logging in to systems and apps that rely on Azure AD or Active Directory for authentication, as well as those that rely on forms-based passwords.

Let us take Windows 10 and 11 as an example. The password replacement here is Windows Hello for Business, utilizing biometrics (e.g., facial recognition or fingerprint scanning) or a PIN. In addition, you can couple these features with a Bluetooth device for two-factor authentication.

Now, let us consider Microsoft 365. Suppose your organization already adopted multi-factor authentication via Microsoft Authenticator. You are just one step closer to enabling password-less authentication and logging into Microsoft 365 from a personal device without a password!

Developing your password-replacement offerings is also the best opportunity to structure the journey by identifying the different personas throughout your organizational departments, including IT. Another factor is identifying all applications and services that rely on a password. The number of personas, departments, and apps in your organization will determine how long it takes to establish a solid foundation for your password-less journey. Still, the best approach is to begin with a pilot!

Reducing the user-visible password surface area

As you progress through the pilot and confirm the feasibility of the password-less technologies, the next step is a deep engagement with the personas and departments on how they use passwords and their comfort level with eliminating passwords for their apps and services. Once the deep dive is complete and you understand the overall use and frequency of passwords for each app and service, the journey continues with developing a mitigation plan. The easy part is the apps and services that already rely on Active Directory and Azure AD for authentication; the challenge is determining the level of effort for applications that require custom development or vendor support for additional authentication methods. Once your mitigation plan is in place for all apps and services, engage with the pilot group and remove all password capabilities, such as enforcing Windows Hello for Business or removing the password credential provider.

Transitioning into your password-less deployment

If all went well with the pilot and user acceptance testing was successful, the next milestone is taking the remaining personas and departments, deploying the password-less technologies, and eliminating the password surface area. Of course, aside from technology, this milestone requires extensive organizational change management and end-user adoption.

As you transition the personas and departments into the password-less space, there are essential items to consider:

  • Organizational change management
  • End-user adoption
  • Awareness campaigns
  • Training sessions
  • Education material

The purpose is to establish a positive atmosphere that promotes the password-less journey and the benefits it brings.

During the transition, the IT organization reports and tracks all issues related to the password-less deployment, ensuring that no gaps remain in the deployment and that every issue is resolved. After resolving issues and remediating gaps, the final step is configuring identities to disallow passwords and enforce the use of password-less technology.

Eliminating passwords from your directory services

As the transition to a password-less deployment nears completion, the final milestone is eliminating passwords from your directory services, such as Active Directory. Today, organizations can accomplish this by removing the remaining password surface area, enforcing the use of password-less technology, and randomizing passwords for all identities where possible.

Schedule your Free Cloud Security Assessment

Let our certified security experts help with your password-less journey. AIS is a Microsoft Gold Partner with mission-critical competencies and Advanced Specializations, including Cloud Security, Identity and Access Management, and Cloud Productivity. Begin your password-less journey today with an AIS Cloud Security Assessment to identify and define your roadmap and accomplish your objectives in a reasonable, cost-effective, and secure timeframe.

Whether you start with a Cloud Security Assessment, or if you’re ready to engage a partner to begin your journey to a password-less space, contact us to learn more about how AIS experts can help you.

The Current Situation

Today, organizations continue the transition to cloud computing as part of their digital transformation journey and become highly productive organizations in their respective industries. While transitioning to cloud computing delivers agility, scalability, cost-effectiveness, and performance, the challenge is strengthening the security foundation and reducing risk. While vendors such as Microsoft provide best-in-class measures and features for tightening an organization’s security foundation, the ultimate responsibility belongs to the organization itself. Of course, organizations take precautionary steps to protect device assets and data from malicious exfiltration and theft. Still, organizations tend to loosely protect the number one crucial asset: the user’s identity. As reported by Microsoft, cybersecurity experts detected and reported 15 million attacks, scoped to password-based attacks alone. This is a signal that the user’s password is the primary target! So, the big question is: how does an organization protect the user identity, device assets, and corporate data, preventing compromises and breaches? The answer: Zero Trust.

What is Zero Trust?

Top cybersecurity experts and leaders changed the game with the introduction and adoption of Zero Trust, now regarded as the leading method for protecting identities, assets, data, and the overall organization. First, let’s start with the basics: what is Zero Trust?

Microsoft clearly defines Zero Trust with three principles:

  • Verify explicitly
  • Use least-privileged access
  • Assume breach

To summarize, treat every request as if it came from an unknown network and always verify.

Zero Trust Foundation

Verify explicitly – the user identity is the key to accessing organizational data and assets. Therefore, the first step is to verify that the identity belongs to the user accessing the data. Azure AD implements this concept through Conditional Access, combined with security features such as multi-factor authentication.

Ask yourself these questions:

  • To take it a step further: is the user accessing the data from the correct device?
  • Is the user in the correct location?
  • Is the user currently at high risk?
  • Is the device at high exposure due to an existing cybersecurity incident? Is the device compliant?
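The four questions above map directly onto Azure AD Conditional Access conditions and grant controls. As an added example (not from the original post), here are two policies in the Microsoft Graph conditionalAccessPolicy JSON format: the first requires multi-factor authentication and a compliant device for any sign-in from outside trusted named locations, and the second blocks users whose Identity Protection user risk level is high. The display names and the break-glass account placeholder are assumptions, and both policies are in report-only state so their impact can be reviewed in the sign-in logs before enforcement.

```json
[
  {
    "displayName": "Zero Trust - Require MFA and compliant device outside trusted locations",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "users": {
        "includeUsers": ["All"],
        "excludeUsers": ["<break-glass-account-object-id>"]
      },
      "applications": { "includeApplications": ["All"] },
      "clientAppTypes": ["all"],
      "locations": {
        "includeLocations": ["All"],
        "excludeLocations": ["AllTrusted"]
      }
    },
    "grantControls": {
      "operator": "AND",
      "builtInControls": ["mfa", "compliantDevice"]
    }
  },
  {
    "displayName": "Zero Trust - Block high-risk users",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "users": {
        "includeUsers": ["All"],
        "excludeUsers": ["<break-glass-account-object-id>"]
      },
      "applications": { "includeApplications": ["All"] },
      "clientAppTypes": ["all"],
      "userRiskLevels": ["high"]
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": ["block"]
    }
  }
]
```

Each object is the request body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies (one policy per request). Device compliance is evaluated by Intune, whose compliance policy can require the device to be at or under a Microsoft Defender for Endpoint machine risk score, which is how the device-exposure question is answered.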

Use least-privileged access – not a new concept, but not a heavily practiced one. Specifically, in Microsoft 365, organizations utilize privileged identities for administrative functions and operations. However, many organizations do not separate privileged access from their regular accounts, or they leave privileged access permanently assigned even when the identities are separate. Also, some organizations allow users to consent to apps accessing Microsoft 365 data. Azure AD offers features to reduce the risk around privileged access and to track identities, for example Azure AD Privileged Identity Management, Microsoft Defender for Identity, Conditional Access, Azure AD Identity Governance, Azure AD Identity Protection, Microsoft Information Protection, and more.

Assume breach – as any cybersecurity expert, vendor, or leader will tell you, an organization will never be 100% hardened, because malicious actors continue to develop sophisticated attacks. Therefore, the organization must adopt the “assume breach” mindset and always defend itself. Microsoft Defender for Office 365, Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Cloud App Security protect the organization from modern attacks and allow it to become proactive, leveraging advanced hunting features to prevent future malicious attacks. Other ways of adopting the “assume breach” mindset are reviewing user sign-in risk, device health risk and exposure, threat and vulnerability management, device and user identity hygiene, and more.

Why Microsoft Security for Zero Trust Foundation?

In brief, Microsoft defines security under four (4) pillars: protect everything, simplify the complex, catch what others miss, and grow your future.

Safeguard your people, data and infrastructure

The four (4) pillars outline Microsoft Security’s overall position and the value it demonstrates for all customers: simplifying the Zero Trust foundation. In addition, Microsoft Security is proving its firm establishment in the cybersecurity field by being named a Leader in seven (7) Forrester Wave reports and five (5) Gartner Magic Quadrant reports.


Microsoft Security continues to develop an end-to-end approach, integrating with a total of 53 essential categories around the cybersecurity landscape. It also demonstrates cost savings with Microsoft security solutions covered under Microsoft 365 E3 and Microsoft 365 E5 licensing tiers, compared to competitors in cybersecurity, such as Symantec, Cisco, and CrowdStrike.


How Can AIS help?

As a Microsoft Gold Partner, AIS has the expertise and skills to assess, guide, and deploy the Zero Trust foundation using solutions from Microsoft Security, such as Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Cloud App Security, Microsoft Information Protection, Azure AD Privileged Identity Management, and more. Below is the Zero Trust Guidance Center from Microsoft. Consider AIS for assistance on this journey so that your organization reaches an optimal state of the Zero Trust foundation!

Zero Trust Guidance Center: Zero Trust Guidance Center | Microsoft Docs

Microsoft 365 is the best-in-class enterprise communication and collaboration solution, allowing your organization to become highly productive within and outside of the organization. In brief, Microsoft 365 is composed of various products and workloads, from Exchange for email and Microsoft Teams for instant messaging and telephony to SharePoint Online for developing your intranet and Yammer for inter-organizational social interaction. So, now that your organization utilizes Microsoft 365, what is your next step?

The Challenge

Microsoft 365 provides a broad set of products, such as Exchange, Microsoft Teams, SharePoint Online, and Power Apps. Your organization may want to give the best solution and user experience to the end-user community in order to become productive and competitive in your respective industry. However, as your organization continues to adopt and incorporate change by making the available features in Microsoft 365 accessible, the end-user community will begin utilizing these features as soon as possible.

So, what’s going to happen now? For example, I give my child a brand-new toy or video game, and they are ecstatic. However, after a few days, once my child is done playing with the toy or video game, they toss it in a nearby spot and completely forget about it. As a parent, I teach my child to put the new toy or video game in a specific location each time they are done, to dispose of it properly if they no longer want it, or to write their name on it in case they lose it. Overall, there is an essential factor that organizations tend to forget or lack before communicating new features and products available in Microsoft 365: governance.


The Solution

In brief, Microsoft 365 governance revolves around planning the protection of your assets, ensuring proper asset lifecycle management, and minimizing risk to your organization from data leakage, improper role and permission assignment, and ownerless content. Examples of Microsoft 365 governance controls are access reviews for certain assets, such as Microsoft 365 groups, teams, or SharePoint communication sites. Another example is leveraging Microsoft Information Protection and assigning sensitivity labels to Microsoft 365 groups for protection and classification. Another is leveraging Azure AD PIM (Privileged Identity Management) for permanent or temporary role assignments and just-in-time access for specific tasks or objectives. A final example is establishing the required controls and permissions for Azure AD app registration and consent.

The Objective

As you continue to adopt Microsoft 365 in your organization, begin planning and establishing a Microsoft 365 governance framework for all workloads utilized, such as Exchange, Microsoft Teams, Azure AD, Yammer, SharePoint, and more. As you establish the Microsoft 365 governance framework, collaborate with key members from adoption & change management, business stakeholders, and inter-organizational Microsoft 365 champions, and ensure the overall end-user community is aware of the governance controls set for Microsoft 365. Also, keep in mind that your Microsoft 365 governance framework is a living, ever-evolving concept. Therefore, as you continue to utilize Microsoft 365 in your organization, keep your governance framework up to date and inform the same key members and stakeholders.


As your organization continues the digital transformation journey, Microsoft offers a highly beneficial service for protecting and containerizing corporate data and assets for the remote workforce, such as employees, consultants, or contractors: Desktop-as-a-Service. In brief, Desktop-as-a-Service provides a virtual desktop infrastructure without the need to manage the underlying infrastructure! Specifically, the customer is responsible for app deployments, custom images, virtual machine sizing and deployment, directory services integration, and data center network connectivity (e.g., site-to-site VPN, SD-WAN, ExpressRoute, etc.). Today, Microsoft offers two solutions for Desktop-as-a-Service: Azure Virtual Desktop (formerly Windows Virtual Desktop) and Windows 365. Now comes the business decision: which one?

Azure Virtual Desktop

Azure Virtual Desktop allows your organization to deploy persistent and non-persistent virtual desktops, whether direct or automatic assignment, along with complete compute elasticity. Also, Azure Virtual Desktop enables your organization to deploy multi-session hosts and publish RemoteApps, depending on organizational requirements.
Consider several configuration steps:

  • Host pool settings (e.g., allow USB redirecting, RDP settings)
  • Out-of-the-box or custom images
  • Application groups
  • User profile storage
  • Load-balancing between non-persistent virtual desktops
  • Device management

Also, there are key decisions to consider when utilizing Azure Virtual Desktop, such as disaster recovery and business continuity. Finally, while your organization must understand the consumed compute operational costs in Azure, keep in mind the licensing costs for the Windows desktop OS (e.g., perpetual or subscription-based). Overall, the proper planning and execution make Azure Virtual Desktop a beneficial and flexible solution for your organization.


Windows 365

Windows 365 offers an end-to-end solution for persistent virtual desktops, deployed and managed via Microsoft Endpoint Manager (formerly Microsoft Intune). In brief, some of the prerequisites include network connectivity to on-premises Active Directory (Azure AD Join coming soon!), identity and device synchronization via Azure AD Connect, an Azure subscription, an Azure virtual network, and DNS resolution to on-premises Active Directory. In addition, there are some configuration steps to consider, such as custom or out-of-the-box images, provisioning policies, and user settings. Finally, a pivotal decision to consider and understand is the licensing type for Windows 365, which depends on the compute resource size requirement (e.g., vCPU, RAM, and storage). Overall, while there may be less compute elasticity and disaster recovery flexibility, Windows 365 is a perfect solution for quickly deploying virtual desktops to the remote workforce at a fixed cost, regardless of actual compute resource usage.

How Do You Decide?

Azure Virtual Desktop and Windows 365 provide various options to meet specific organizational needs.

Ultimately, deciding on Azure Virtual Desktop and Windows 365 is dependent upon several factors:

  • Operational versus fixed costs
  • Disaster recovery and business continuity expectations
  • Compute elasticity and auto-scaling
  • Device management roadmap
  • IT administration functions

Below are common scenarios and possible solutions between Azure Virtual Desktop, Windows 365, or both!

Scenario and Solution table

Conclusion

I hope this blog has been helpful when choosing between Azure Virtual Desktop and Windows 365 for Desktop-as-a-Service.