Microsoft Moves Every Account and Entra ID Token-Signing Key into Hardware Security Modules

touting what it calls “the largest cybersecurity engineering project in history”

Microsoft is making progress on a broad cybersecurity initiative that was announced earlier this year following a high-profile hack of government email accounts that was traced to a Chinese threat actor.

In a blog post summarizing the Secure Future Initiative that was launched in November, Microsoft security chief Charlie Bell said five of the program’s 28 objectives are “near completion” and that 11 others have made “significant progress.” Among these achievements, Bell highlighted the completion of a project to put all Microsoft Account and Entra ID token-signing keys into hardware security modules or Azure confidential virtual machines and the hardening of the company’s software development kit to validate first-party identity tokens.

“We’ve applied new defense-in-depth protections in response to our Red Team research and assessments, migrated the MSA signing service to Azure confidential VMs, and are migrating Entra ID signing service to the same,” Bell said.

He noted that each of these improvements help mitigate the attack vectors that we suspect the actor used in a Chinese APT attack on Microsoft.

Microsoft has publicly blamed the incident on a crash dump stolen from a hacked engineer’s corporate account. The crash dump, which dated back to April 2021, contained a Microsoft account (MSA) consumer key that was used to forge tokens to break into OWA and Outlook.com accounts.

On the architecture side, Bell reported the purging of 6.3 million dormant Azure tenants to protect cloud tenants and isolate production systems.

Microsoft also reported the migration of 88 percent of active resources into Azure Resource Manager for tighter policy enforcement and the segmenting of 4.4 million managed identities so they can authenticate only from approved network locations.

The Secure Future Initiative was publicly rolled out in November 2023 with a promise to deliver faster cloud patches, better management of identity signing keys and a commitment to ship software with a higher default security bar.

Microsoft has itself faced intense criticism for its own approach to third-party vulnerability research of its cloud products and continues to struggle with faulty and incomplete patches and a surge in Windows zero-day attacks.