If you’re reading this, you are probably looking for a way to secure your Azure AD (Entra ID) identity with conditional access, multifactor authentication, or network authentication and probably looked at Duo; however, either their pricing or user experience (check how a Purdue student created a browser extension to get around Duo due to the bad user experience) has you looking at an alternative.
Luckily, we are here with the alternative, and the best part of it is that it is (mostly) free (or you are already paying for it without knowing it)! The answer is: Azure AD. Azure AD has all the security features that most identity vendors offer and they give most of them for free with the basic plans (Conditional Access is behind a P2 license, but most organizations buy these licenses either on their own or as a bundle with E3 or E5 which are required for device management with Intune). In fact, here at Keytos we secure our Azure infrastructure by only running Microsoft identity solutions and are able to meet and exceed most security and compliance requirements to run PKI for Fortune 500 companies.
One of the main ways you can protect your organization’s Identity is going passwordless. Going passwordless allows you to prevent phishing attacks, and it has also been shown to save you money in the long term. Azure AD allows you to go passwordless with their phone authenticator app as well as with unphishable authentication methods such as FIDO2 in Entra ID and Entra ID CBA (Certificate Based Authentication). In the video below you can see how you can enable all three of these methods with help from EZCMS, the best way to onboard to Azure CBA.
The second reason we hear about people wanting to use Duo is to use the phone app as a second factor for authentication. Microsoft’s Authenticator app is one of the most popular authenticator apps, meaning that your users have already installed it for their personal accounts, and they are familiar with the experience. Plus, the integration with Microsoft services (such as passwordless authentication into all Microsoft services) and the price (free!) make it the best option for phone-based authentication.
Having multifactor authentication is the first step into securing your identity, but unfortunately it is no longer enough. A strong identity must be paired with smart conditional access that verifies that the user is authenticating from an approved device, from an approved location, and that the device passes the security requirements. Microsoft having their own MDM (Intune) allows them to offer conditional access that validates the user is authenticating from a managed device as well as set more strict policies based on the device health. Microsoft’s large footprint also allows them to detect attacks before other identity providers since their AI can see patterns across multiple customers.
Microsoft’s Achilles heel is Linux; while they have been supporting it in Windows and Azure for a while, Azure AD is yet to have a native way for organizations to manage access to Linux through SSH, forcing organizations to deploy solutions such as Duo to address the Linux security hole. Luckily, EZSSH, the first fully agentless SSH solution, allows you to natively authenticate to your Linux endpoints with your Entra ID credential without needing to install custom PAM modules or high privilege agents. Instead, it uses your Entra ID with conditional access policies to ensure you have access to the endpoint and, if you do, it creates a short term SSH Certificate and gives you Just In Time access to your resources. While it sounds complicated, you can see the video below on how seamless the user experience is (and definitely faster than having to pull out your phone and enter a code each time you are trying to SSH).
The last way you can improve your organization’s identity security is enabling SSO for all the services your users use. Entra ID is the #1 identity provider, meaning that most services enable SSO for Microsoft Identities, thus making it the best option for your organization.
Believe me, I run the identity services for Keytos – I know how big of a pain it can be to manage AAD, from weird behavior when setting up, to not so great documentation, but even with all those flaws, having a fully native Microsoft Identity system is the best way to protect your organization. If you still have questions, book a free call with one of our identity experts and we can help you in your journey to a more secure online identity.