Microsoft Entra Expands Passkey Support and Phishing‑Resistant MFA Across Linux, Boosting Identity Security
What Happened — Microsoft released a suite of Entra enhancements in the past 30 days, adding phishing‑resistant multi‑factor authentication (MFA) for Linux desktops, high‑scale migration tools for Azure AD B2C, system‑preferred authentication, and passkey registration campaigns. The updates also introduce cross‑tenant security‑group sync, orphan‑account visibility, and app deactivation controls.
Why It Matters for TPRM —
- Strengthened authentication reduces the risk of credential‑theft attacks on third‑party services that rely on Azure AD/Entra.
- Cross‑tenant group sync and orphan‑account reporting improve visibility into supplier access privileges.
- High‑scale migration tools help large enterprises transition to modern identity models without forcing user password resets, limiting disruption to downstream vendors.
Who Is Affected — Enterprises and SaaS providers using Microsoft Entra ID, Azure AD B2C, or any Microsoft‑based identity federation across all industries (tech, finance, healthcare, retail, etc.).
Recommended Actions —
- Review your organization’s Entra configuration to ensure the new phishing‑resistant MFA is enabled, especially on Linux endpoints.
- Evaluate the passkey registration campaign feature and consider prompting users to adopt FIDO2 credentials.
- Audit cross‑tenant group sync and orphan‑account reports to verify that third‑party accounts have appropriate access.
- Update internal identity‑governance policies to incorporate system‑preferred authentication and app deactivation capabilities.
Technical Notes — The updates introduce Linux‑native MFA via the Microsoft identity broker (Ubuntu 24.04/26.04, RHEL 8‑10), High Scale Compatibility (HSC) mode for Azure AD B2C migrations (≥5 M objects), and passkey support via Windows Hello (device‑bound FIDO2). No new CVEs are disclosed; the changes are feature‑driven enhancements to the Entra identity platform. Source: Help Net Security