articles/active-directory/develop/whats-new-docs.md
Lines changed: 26 additions & 16 deletions
@@ -5,7 +5,7 @@ services: active-directory
5
5
author: henrymbuguakiarie
6
6
manager: CelesteDG
7
7
8
-
ms.date: 04/03/2023
8
+
ms.date: 05/02/2023
9
9
ms.service: active-directory
10
10
ms.subservice: develop
11
11
ms.topic: reference
@@ -18,6 +18,31 @@ ms.custom: has-adal-ref
18
18
19
19
Welcome to what's new in the Microsoft identity platform documentation. This article lists new docs that have been added and those that have had significant updates in the last three months.
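Review bot: the @@ -18,6 +18,31 hunk is rendered here with only its single context line, and the file header's count of 26 additions and 16 deletions cannot be reconciled with what is visible (the ms.date change is one addition and one deletion; this hunk is 25 additions and no deletions), so the remaining 15 deletions and the 25 new entries sit in hunks that are not shown and must be reviewed against the full diff.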
articles/active-directory/standards/fedramp-identification-and-authentication-controls.md
Lines changed: 1 addition & 1 deletion
@@ -45,7 +45,7 @@ Each row in the following table provides prescriptive guidance to help you devel
45
45
| **IA-2(11)**<br>The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [*FedRAMP Assignment: FIPS 140-2, NIAP* Certification, or NSA approval*].<br><br>*National Information Assurance Partnership (NIAP)<br>**Additional FedRAMP Requirements and Guidance:**<br>**Guidance:** PIV = separate device. Please refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials. FIPS 140-2 means validated by the Cryptographic Module Validation Program (CMVP). | **Implement Azure AD multifactor authentication to access customer-deployed resources remotely so that one of the factors is provided by a device separate from the system gaining access where the device meets FIPS-140-2, NIAP certification, or NSA approval.**<p>See guidance for IA-02(1-4). Azure AD authentication methods to consider at AAL3 meeting the separate device requirements are:<p> FIDO2 security keys<br> <li>Windows Hello for Business with hardware TPM (TPM is recognized as a valid "something you have" factor by NIST 800-63B Section 5.1.7.1.)<br> <li>Smart card<p>References<br><li>[Achieving NIST authenticator assurance levels with the Microsoft identity platform](nist-overview.md)<br> <li>[NIST 800-63B Section 5.1.7.1](https://pages.nist.gov/800-63-3/sp800-63b.html) |
46
46
| **IA-2(12)*<br>The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.<br><br>**IA-2 (12) Additional FedRAMP Requirements and Guidance:**<br>**Guidance:** Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12. | **Accept and verify personal identity verification (PIV) credentials. This control isn't applicable if the customer doesn't deploy PIV credentials.**<p>Configure federated authentication by using Active Directory Federation Services (AD FS) to accept PIV (certificate authentication) as both primary and multifactor authentication methods and issue the multifactor authentication (MultipleAuthN) claim when PIV is used. Configure the federated domain in Azure AD with setting **federatedIdpMfaBehavior** to `enforceMfaByFederatedIdp` (recommended) or SupportsMfa to `$True` to direct multifactor authentication requests originating at Azure AD to AD FS. Alternatively, you can use PIV for sign-in on Windows devices and later use integrated Windows authentication along with seamless single sign-on. Windows Server and client verify certificates by default when used for authentication. <p>Resources<br><li>[What is federation with Azure AD?](../hybrid/whatis-fed.md)<br> <li>[Configure AD FS support for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication)<br> <li>[Configure authentication policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies)<br> <li>[Secure resources with Azure AD multifactor authentication and AD FS](../authentication/howto-mfa-adfs.md)<br><li>[Set-MsolDomainFederationSettings](/powershell/module/msonline/set-msoldomainfederationsettings)<br> <li>[Azure AD Connect: Seamless single sign-on](../hybrid/how-to-connect-sso.md) |
47
47
|**IA-3 Device Identification and Authentication**<br>The information system uniquely identifies and authenticates [*Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network*] connection. |**Implement device identification and authentication prior to establishing a connection.**<p>Configure Azure AD to identify and authenticate Azure AD Registered, Azure AD Joined, and Azure AD Hybrid joined devices.<p> Resources<br><li>[What is a device identity?](../devices/overview.md)<br> <li>[Plan an Azure AD devices deployment](../devices/plan-device-deployment.md)<br><li>[Require managed devices for cloud app access with conditional access](../conditional-access/require-managed-devices.md)|
48
-
| **IA-04 Identifier Management**<br>The organization manages information system identifiers for users and devices by:<br>**(a.)** Receiving authorization from [*FedRAMP Assignment at a minimum, the ISSO (or similar role within the organization)*] to assign an individual, group, role, or device identifier;<br>**(b.)** Selecting an identifier that identifies an individual, group, role, or device;<br>**(c.)** Assigning the identifier to the intended individual, group, role, or device;<br>**(d.)** Preventing reuse of identifiers for [*FedRAMP Assignment: at least two (2) years*]; and<br>**(e.)** Disabling the identifier after [*FedRAMP Assignment: thirty-five (35) days (see additional requirements and guidance)*]<br>**IA-4e Additional FedRAMP Requirements and Guidance:**<br>**Requirement:** The service provider defines the time period of inactivity for device identifiers.<br>**Guidance:** For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP http://iase.disa.mil/cloud_security/Pages/index.aspx.<br><br>**IA-4(4)**<br>The organization manages individual identifiers by uniquely identifying each individual as [*FedRAMP Assignment: contractors; foreign nationals*]. | **Disable account identifiers after 35 days of inactivity and prevent their reuse for two years. Manage individual identifiers by uniquely identifying each individual (for example, contractors and foreign nationals).**<p>Assign and manage individual account identifiers and status in Azure AD in accordance with existing organizational policies defined in AC-02. Follow AC-02(3) to automatically disable user and device accounts after 35 days of inactivity. Ensure that organizational policy maintains all accounts that remain in the disabled state for at least two years. After this time, you can remove them. 
<p>Determine inactivity<br> <li>[Manage inactive user accounts in Azure AD](../reports-monitoring/howto-manage-inactive-user-accounts.md)<br> <li>[Manage stale devices in Azure AD](../devices/manage-stale-devices.md)<br> <li>[See AC-02 guidance](fedramp-access-controls.md) |
48
+
| **IA-04 Identifier Management**<br>The organization manages information system identifiers for users and devices by:<br>**(a.)** Receiving authorization from [*FedRAMP Assignment at a minimum, the ISSO (or similar role within the organization)*] to assign an individual, group, role, or device identifier;<br>**(b.)** Selecting an identifier that identifies an individual, group, role, or device;<br>**(c.)** Assigning the identifier to the intended individual, group, role, or device;<br>**(d.)** Preventing reuse of identifiers for [*FedRAMP Assignment: at least two (2) years*]; and<br>**(e.)** Disabling the identifier after [*FedRAMP Assignment: thirty-five (35) days (see additional requirements and guidance)*]<br>**IA-4e Additional FedRAMP Requirements and Guidance:**<br>**Requirement:** The service provider defines the time period of inactivity for device identifiers.<br>**Guidance:** For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP.<br><br>**IA-4(4)**<br>The organization manages individual identifiers by uniquely identifying each individual as [*FedRAMP Assignment: contractors; foreign nationals*]. | **Disable account identifiers after 35 days of inactivity and prevent their reuse for two years. Manage individual identifiers by uniquely identifying each individual (for example, contractors and foreign nationals).**<p>Assign and manage individual account identifiers and status in Azure AD in accordance with existing organizational policies defined in AC-02. Follow AC-02(3) to automatically disable user and device accounts after 35 days of inactivity. Ensure that organizational policy maintains all accounts that remain in the disabled state for at least two years. After this time, you can remove them. 
<p>Determine inactivity<br> <li>[Manage inactive user accounts in Azure AD](../reports-monitoring/howto-manage-inactive-user-accounts.md)<br> <li>[Manage stale devices in Azure AD](../devices/manage-stale-devices.md)<br> <li>[See AC-02 guidance](fedramp-access-controls.md) |
49
49
| **IA-5 Authenticator Management**<br>The organization manages information system authenticators by:<br>**(a.)** Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;<br>**(b.)** Establishing initial authenticator content for authenticators defined by the organization;<br>**(c.)** Ensuring that authenticators have sufficient strength of mechanism for their intended use;<br>**(d.)** Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;<br>**(e.)** Changing default content of authenticators prior to information system installation;<br>**(f.)** Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;<br>**(g.)** Changing/refreshing authenticators [*Assignment: organization-defined time period by authenticator type*].<br>**(h.)** Protecting authenticator content from unauthorized disclosure and modification;<br>**(i.)** Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and<br>**(j.)** Changing authenticators for group/role accounts when membership to those accounts changes.<br><br>**IA-5 Additional FedRAMP Requirements and Guidance:**<br>**Requirement:** Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link https://pages.nist.gov/800-63-3 | **Configure and manage information system authenticators.**<p>Azure AD supports various authentication methods. You can use your existing organizational policies for management. See guidance for authenticator selection in IA-02(1-4). Enable users in combined registration for SSPR and Azure AD multifactor authentication and require users to register a minimum of two acceptable multifactor authentication methods to facilitate self-remediation. 
You can revoke user-configured authenticators at any time with the authentication methods API. <p>Authenticator strength/protecting authenticator content<br> <li>[Achieving NIST authenticator assurance levels with the Microsoft identity platform](nist-overview.md)<p>Authentication methods and combined registration<br> <li>[What authentication and verification methods are available in Azure Active Directory?](../authentication/concept-authentication-methods.md)<br> <li>[Combined registration for SSPR and Azure AD multifactor authentication](../authentication/concept-registration-mfa-sspr-combined.md)<p>Authenticator revokes<br> <li>[Azure AD authentication methods API overview](/graph/api/resources/authenticationmethods-overview) |
50
50
| **IA-5(1)**<br>The information system, for password-based authentication:<br>**(a.)** Enforces minimum password complexity of [*Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type*];<br>**(b.)** Enforces at least the following number of changed characters when new passwords are created: [*FedRAMP Assignment: at least fifty percent (50%)*];<br>**(c.)** Stores and transmits only cryptographically-protected passwords;<br>**(d.) Enforces password minimum and maximum lifetime restrictions of [*Assignment: organization- defined numbers for lifetime minimum, lifetime maximum*];<br>**(e.)** Prohibits password reuse for [*FedRAMP Assignment: twenty-four (24)*] generations; and<br>**(f.)** Allows the use of a temporary password for system logons with an immediate change to a permanent password.<br><br>**IA-5 (1) a and d Additional FedRAMP Requirements and Guidance:**<br>**Guidance:** If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant. | **Implement password-based authentication requirements.**<p>Per NIST SP 800-63B Section 5.1.1: Maintain a list of commonly used, expected, or compromised passwords.<p>With Azure AD password protection, default global banned password lists are automatically applied to all users in an Azure AD tenant. To support your business and security needs, you can define entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.<p>We strongly encourage passwordless strategies. 
This control is only applicable to password authenticators, so removing passwords as an available authenticator renders this control not applicable.<p>NIST reference documents<br><li>[NIST Special Publication 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html)<br><li>[NIST Special Publication 800-53 Revision 5](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf) - IA-5 - Control enhancement (1)<p>Resource<br><li>[Eliminate bad passwords using Azure AD password protection](../authentication/concept-password-ban-bad.md) |
51
51
| **IA-5(2)**<br>The information system, for PKI-based authentication:<br>**(a.)** Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;<br>**(b.)** Enforces authorized access to the corresponding private key;<br>**(c.)** Maps the authenticated identity to the account of the individual or group; and<br>**(d.)** Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network. | **Implement PKI-based authentication requirements.**<p>Federate Azure AD via AD FS to implement PKI-based authentication. By default, AD FS validates certificates, locally caches revocation data, and maps users to the authenticated identity in Active Directory. <p> Resources<br> <li>[What is federation with Azure AD?](../hybrid/whatis-fed.md)<br> <li>[Configure AD FS support for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication) |
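Review bot: in the IA-04 row the change drops the http://iase.disa.mil/cloud_security/Pages/index.aspx link but leaves the guidance reading "see DoD cloud website", which no longer tells the reader where to look; if the old URL is dead, name the site or point to its current location rather than leaving an unlinked reference. Two pre-existing markup defects in the unchanged context lines are worth fixing in the same pass: the IA-2(12) row opens with `**IA-2(12)*` (unbalanced bold marker), and in the IA-5(1) row `**(d.) Enforces password minimum and maximum lifetime restrictions` never closes its bold marker, so the rest of that cell renders in bold.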
articles/aks/kubernetes-service-principal.md
Lines changed: 2 additions & 2 deletions
@@ -233,7 +233,7 @@ Check the expiration date of your service principal credentials using the [`az a
233
233
az ad app credential list --id <app-id> --query "[].endDateTime" -o tsv
234
234
```
235
235
236
-
The default expiration time for the service principal credentials is one year. If your credentials are older than one year, you can [reset the existing credentials](/update-credentials#reset-the-existing-service-principal-credentials) or [create a new service principal](/update-credentials#create-a-new-service-principal).
236
+
The default expiration time for the service principal credentials is one year. If your credentials are older than one year, you can [reset the existing credentials](update-credentials.md#reset-the-existing-service-principal-credentials) or [create a new service principal](update-credentials.md#create-a-new-service-principal).
237
237
238
238
**General Azure CLI troubleshooting**
239
239
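Review bot: the link fix is correct: `/update-credentials#reset-the-existing-service-principal-credentials` is a site-root path that would not resolve, while `update-credentials.md#...` is the relative form the docs build rewrites into a working link; the two anchors are unchanged, so confirm that both headings still exist in update-credentials.md.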
@@ -255,7 +255,7 @@ Check the expiration date of your service principal credentials using the [Get-A
The default expiration time for the service principal credentials is one year. If your credentials are older than one year, you can [reset the existing credentials](/update-credentials#reset-the-existing-service-principal-credentials) or [create a new service principal](/update-credentials#create-a-new-service-principal).
258
+
The default expiration time for the service principal credentials is one year. If your credentials are older than one year, you can [reset the existing credentials](update-credentials.md#reset-the-existing-service-principal-credentials) or [create a new service principal](update-credentials.md#create-a-new-service-principal).
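Review bot: this is the same sentence and the same link fix as the Azure CLI hunk at line 236, repeated for the PowerShell section; since both sections carry identical text and links, a shared include or a single cross-reference would avoid having to patch the same defect in two places next time.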