To better secure systems and workforce, Microsoft simplified identity management, provisioning identity access to "exactly the right systems and tools," the security team said in a blog post last week. There is a balance with identity and access management: If a company under-provisions, employees are likely to request more access than is required to avoid going through the provisioning process again.
To prevent over-provisioning, Microsoft established role-based access, tying access rules to the "systems, tools and resources" each role requires, according to the post. If an employee moves roles, Microsoft has a process in place to ensure people don't carry system access with them.
Microsoft is also moving toward a "password-less world." Only 10% of Microsoft users enter a password per day, in part thanks to a push to reduce legacy authentication workflows, according to the post. The company is also committed to using PINs and a biometric rather than a password.
Microsoft, with its $974 billion market cap, has security woes, just like every other company. From the view of the security team, the risks the company faces are prevalent throughout industry.
The company's workforce is spread out, leaving many to access corporate sites through external networks, according to the blog post. Those 131,000 employees are just as fallible as workers at other companies. Remembering complex passwords is a challenge, leaving many to repeat credentials across sites.
In the name of security, the company dropped legacy password expiration policies and closely follows a banned passwords list.
Its recommendations follow the logical security narrative: Make sure employees who need access have access. Otherwise, lock systems down.
This is in part why Microsoft has paid close attention to administrator accounts. Administrative users have access to critical data and internal systems, making them a ripe target. The fewer people who have privileged access, the more secure a system.
The company also requires users with administrative privileges to use separate, secure devices, have an isolated identity and have zero account rights by default. If an admin requires access, they have to request just-in-time privileges.
Microsoft is cautious by necessity. If a malicious actor were to gain access to a privileged administrative account, they could wreak havoc on businesses across every sector through a third-party, supply chain style attack.