#SecureFutureInitiative

2025-04-22

🚨 Microsoft just moved MSA token signing to Azure Confidential VMs, a major step forward in securing its identity infrastructure after the high-profile Storm-0558 breach.

This move, along with the ongoing migration of Entra ID signing services, is part of Microsoft’s broader Secure Future Initiative (SFI) — described as the largest cybersecurity engineering project in its history.

Here’s what’s changing:
- MSA signing keys now protected inside Azure Confidential VMs
- Entra ID token signing is also being migrated to confidential infrastructure
- Access tokens are generated, stored, and auto-rotated via Azure-managed HSM
- 90% of identity tokens for Microsoft apps now validated via hardened SDKs
- 92% of Microsoft productivity accounts use phishing-resistant MFA
- 81% of production code branches are protected with proof-of-presence MFA
- Security logs have a mandatory 2-year retention period
- A new tenant provisioning system auto-registers tenants into the emergency response process

Microsoft is also piloting isolated customer support environments to reduce lateral movement, a direct response to risks exposed in the 2023 Storm-0558 breach, which involved forged Entra ID tokens using a compromised MSA key.

The attack, attributed to a China-linked threat group, led to unauthorized email access across U.S. and European entities.

This update builds on the lessons from the U.S. Cyber Safety Review Board (CSRB) report and pushes forward a model where signing keys, support processes, and token validation are more tightly controlled than ever before.

At @Efani, we support these kinds of structural shifts — because real security isn’t just about patching flaws after the fact, it’s about re-engineering trust from the foundation up.

#CyberSecurity #Microsoft #EntraID #CloudSecurity #SecureFutureInitiative #Storm0558 #IdentitySecurity #EfaniSecure

2024-09-30

I'm a podcasting fool lately! Took a turn in the guest seat on @robwright 's Risk & Repeat for an episode about #Microsoft's first #securefutureinitiative report. Check it out! #sfi #csrb #cybersecurity #msft

riskandrepeat.podbean.com/e/ri

2024-09-19

In the name of #SecureFutureInitiative I think #Microsoft should make #EntraID Identity Protection FREE for everyone.

Yay or nay?

2024-06-12

Microsoft’s new #Outlook #security changes impact third-party apps and #Gmail integration - The Verge

Microsoft’s #SecureFutureInitiative is kicking in for Outlook.com, with higher levels of security that may impact third-party apps.
#Microsoft

theverge.com/2024/6/11/2417591

PCFIXIT Business IT Solutions (pcfixit)
2024-01-10

Microsoft products are about to get a cybersecurity boost. The company recently announced its Secure Future Initiative to improve the built-in security of its products.


csoonline.com/article/657928/m
