
Microsoft Enhances Security with Azure Confidential VMs


On Monday, Microsoft announced it has transitioned its Microsoft Account (MSA) signing service to Azure confidential virtual machines (VMs). The company is also in the process of migrating the Entra ID signing service. This development comes seven months after Microsoft completed updates to Microsoft Entra ID and MSA for both public and United States government clouds, enabling the generation, storage, and automatic rotation of access token signing keys using the Azure Managed Hardware Security Module (HSM) service.

Charlie Bell, Executive Vice President for Microsoft Security, explained that these improvements aim to mitigate attack vectors exploited during the 2023 Storm-0558 attack on Microsoft, a cyber incident that compromised numerous organizations.

Strengthening Security with Advanced Token Validation and MFA

Microsoft also shared that 90% of identity tokens from Microsoft Entra ID for Microsoft applications are validated through a hardened identity Software Development Kit (SDK). Additionally, 92% of employee productivity accounts are now protected by phishing-resistant multifactor authentication (MFA), reducing the risks posed by advanced cyber threats.

The company has made strides in securing its production systems, with 81% of production code branches now protected by MFA through proof-of-presence checks. Additionally, Microsoft has implemented two-year retention policies for security logs and has isolated customer support workflows to reduce the risk of lateral movement.

Enhancing Microsoft Security Baselines

As part of its broader security efforts, Microsoft has enforced security baselines across all types of Microsoft tenants. A new tenant provisioning system automatically registers new tenants into the company’s security emergency response system, enhancing the overall security architecture.

These initiatives are part of Microsoft’s Secure Future Initiative (SFI), which the company refers to as the “largest cybersecurity engineering project in history” and the most extensive cybersecurity effort undertaken at Microsoft to date.

The SFI gained momentum following a critical report by the U.S. Cyber Safety Review Board (CSRB), which criticized Microsoft for errors that led to the 2023 breach of nearly two dozen organizations across Europe and the U.S. by the China-based Storm-0558 nation-state group.

In July 2023, Microsoft revealed that a validation error in its source code allowed Storm-0558 to forge Azure Active Directory (Azure AD, now Entra ID) tokens: the attackers signed enterprise tokens with an acquired MSA consumer signing key, and the enterprise token validation accepted that key even though it belonged to the consumer service. This enabled the attackers to infiltrate organizations, gain unauthorized email access, and exfiltrate sensitive mailbox data.
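The flaw described above is a key-scope confusion: a validator that trusts any key from a pooled set will accept a token signed by a key that was never authorized for the issuer the token claims. The following is an added illustration, not Microsoft's code or the hardened identity SDK mentioned earlier; it uses HMAC-SHA256 as a stand-in for RSA signing so it runs offline, and the issuer URLs, key IDs and key bytes are constructed for the demo. It shows a flawed validator that accepts a consumer-key-signed token for an enterprise issuer, beside a hardened one that looks the key up only in the expected issuer's own key set.

```python
"""Key-scope confusion: why a consumer signing key could forge enterprise tokens.

Added example, not Microsoft's code. HMAC-SHA256 stands in for RSA signing so
the script runs offline; issuer names, key IDs and key bytes are constructed.
"""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, kid: str, key: bytes) -> str:
    """Produce a compact JWS-style token: header.payload.signature."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), h + "." + p, _b64url_decode(s)


def _good_sig(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


# Constructed key sets: the consumer and enterprise issuers each own separate keys.
CONSUMER_ISSUER = "https://consumer.example/"
ENTERPRISE_ISSUER = "https://enterprise.example/tenant-a/"
KEY_SETS = {
    CONSUMER_ISSUER: {"consumer-kid-1": b"consumer-signing-key"},
    ENTERPRISE_ISSUER: {"enterprise-kid-1": b"enterprise-signing-key"},
}


def verify_flawed(token: str, expected_issuer: str) -> bool:
    """Flawed validator: resolves 'kid' against a pool of every trusted key,
    so a signature by the consumer key passes for an enterprise token."""
    header, claims, signing_input, sig = _split(token)
    pool = {kid: k for ks in KEY_SETS.values() for kid, k in ks.items()}
    key = pool.get(header.get("kid"))
    if key is None or not _good_sig(key, signing_input, sig):
        return False
    return claims.get("iss") == expected_issuer


def verify_hardened(token: str, expected_issuer: str) -> bool:
    """Hardened validator: the 'iss' claim must match the caller's expectation,
    and 'kid' is resolved only within that issuer's own key set."""
    header, claims, signing_input, sig = _split(token)
    if claims.get("iss") != expected_issuer:
        return False
    key = KEY_SETS.get(expected_issuer, {}).get(header.get("kid"))
    if key is None:
        return False
    return _good_sig(key, signing_input, sig)


def forge_with_consumer_key(victim_issuer: str, subject: str) -> str:
    """What a holder of the consumer key can mint: enterprise claims, consumer signature."""
    claims = {"iss": victim_issuer, "sub": subject, "scp": "Mail.Read"}
    return mint_token(claims, "consumer-kid-1", KEY_SETS[CONSUMER_ISSUER]["consumer-kid-1"])


if __name__ == "__main__":
    forged = forge_with_consumer_key(ENTERPRISE_ISSUER, "victim@tenant-a")
    print("flawed validator accepts forged token:  ", verify_flawed(forged, ENTERPRISE_ISSUER))
    print("hardened validator accepts forged token:", verify_hardened(forged, ENTERPRISE_ISSUER))
```

The hardened path also fixes a second weakness: it decides which key set to consult from the issuer the relying party expects, not from anything the attacker controls in the token header. Binding the key to the issuer is the check; moving the keys into an HSM and the signing service into confidential VMs, as the article describes, then limits what an attacker can do even if the validator is correct.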

Windows Resiliency Initiative: Ensuring System Reliability

In addition to cybersecurity advancements, Microsoft launched the Windows Resiliency Initiative late last year to enhance security and reliability. This initiative was partly in response to issues like the CrowdStrike update incident in July 2024. One key feature of this initiative is Quick Machine Recovery, which allows IT administrators to run fixes on Windows PCs even if the machines are unable to boot. This feature is built into the Windows Recovery Environment (WinRE).

According to Rudy Ooms of Patch My PC, unlike traditional repair methods that require user intervention, Quick Machine Recovery activates automatically when system failure is detected. The cloud-based remediation process checks for specific flags and settings, and if the system environment meets the conditions, it triggers the recovery process silently, without user involvement.
