

Microsoft Entra customer considerations under DORA

Note

This information is not legal, financial, or professional advice and shouldn't be viewed as a complete statement of, nor the actions necessary to comply with, the requirements of the law. It is provided for informational purposes only.

The Digital Operational Resilience Act (DORA) is a regulatory framework established by the European Union, aimed at fortifying the operational resilience of the financial services sector amidst the rapidly evolving landscape of Information and Communication Technology (ICT) risks. Regulated entities can consider incorporating Microsoft Entra features and capabilities into their frameworks, policies, and plans to align with certain requirements under DORA.

While Microsoft Entra ID offers controls that can help meet certain DORA requirements and provides modern identity and access management (IAM) capabilities, relying solely on an IAM platform isn't sufficient for protecting financial entity data. It's important to review this article and all DORA requirements to establish a comprehensive digital operational resilience program. For official DORA resources, visit the official European Insurance and Occupational Pensions Authority website.

Microsoft Entra and DORA

Microsoft Entra, consisting of Microsoft Entra ID (formerly Azure Active Directory) and other Microsoft Entra capabilities, is an enterprise identity service that can help secure applications, systems, and resources in support of DORA compliance efforts. Microsoft Entra ID underpins Microsoft enterprise offerings such as Microsoft 365, Azure, and Dynamics 365, improves overall security and identity protection, and can play a crucial role in aligning with the broader ICT risk management requirements under DORA.

Regulated entities can consider incorporating Microsoft Entra capabilities into their frameworks, policies, and plans to align with certain requirements under DORA:

  • ICT risk management framework
  • ICT business continuity policy
  • ICT response and recovery plans

Each of the aforementioned items may encompass various strategies, policies, procedures, ICT protocols, and tools that financial entities are required to implement. The above list shouldn't be considered exhaustive.

Further, an internal governance and control framework that ensures effective and prudent management of ICT risk is critical to mitigating the risks that DORA seeks to address. Where such a framework is supported through use of Microsoft Entra controls, there should be regular evaluation of the controls and other risk mitigations for the supported workloads, with particular attention to those that are integral to the delivery of financial services.

Microsoft Entra guidance for customers in scope of DORA

Microsoft Entra's geographically distributed architecture combines extensive monitoring, automated rerouting, failover, and recovery capabilities to deliver continuous high availability and performance. Microsoft also takes a comprehensive approach to security incident management, supplier management, and vulnerability management.

Microsoft Entra ID functionality may assist financial entities in meeting their DORA compliance obligations. The following table outlines Microsoft features, capabilities, and service offerings along with related guidance and a nonexhaustive list of examples of DORA articles for consideration as part of a comprehensive digital operational resilience program.

The articles referenced in the table below provide guidance to financial entities on how Microsoft Entra ID can be configured and operationalized in a way to promote effective Identity and Access Management (IAM) best practices as part of their DORA compliance obligations.

Note

For brevity, we have referred to the RTS on ICT risk management framework and on simplified ICT risk management framework (Ref. JC 2023 86) as “RTS on ICT risk management frameworks”.

Table columns: (1) Microsoft feature, capability or service offering; (2) Guidance for customer consideration; (3) Example DORA articles for customer consideration.
Multiple Microsoft Entra ID capabilities enable organizations to build resilience into identity and access management. Financial entities can enhance resilience in systems protected by Microsoft Entra ID, by following the recommendations included and referenced in the following article:
DORA Act:

  • Article 7: ICT systems, protocols, and tools
Microsoft Entra backup authentication system. Financial entities can consider the Microsoft Entra backup authentication system, which increases authentication resilience if there's an outage. Financial entities can take steps to help ensure that users can authenticate using the backup authentication system in the event of an outage, such as:
DORA Act:
  • Article 7: ICT systems, protocols and tools
  • Article 9: Protection and Prevention of ICT risks while ensuring the resilience and security of financial entities' operations.
Microsoft Entra Continuous Access Evaluation. Financial entities can consider usage of Continuous Access Evaluation (CAE), which allows Microsoft Entra ID to issue longer-lived tokens while enabling applications to revoke access and force reauthentication only when needed. The net result of this pattern is fewer calls to acquire tokens, which means that the end-to-end flow is more resilient.

To use CAE, both the service and the client must be CAE-capable. Therefore, financial entities can consider these implementation steps to update code to use CAE-enabled APIs, ensure that compatible versions of Microsoft Office native applications are used and optimize reauthentication prompts.
DORA Act:
  • Article 7: ICT systems, protocols and tools
  • Article 9: Protection and Prevention of ICT risks while ensuring the resilience and security of financial entities' operations.
Microsoft hybrid authentication architecture options. Financial entities that require a hybrid authentication architecture can consider the resilience of mechanisms for hybrid authentication, including on-premises dependencies and potential points of failure.
  • Microsoft considers Password hash synchronization (PHS) to be the most resilient hybrid architecture option, as it has on-premises dependencies only for synchronization, not for authentication. This means that users can continue to authenticate with Microsoft Entra ID in the event of a PHS outage.
  • Pass-through Authentication (PTA) has an on-premises footprint in the form of Microsoft Entra PTA agents. These agents must be available for users to authenticate with Microsoft Entra ID.
  • Federation requires usage of a federation service such as Active Directory Federation Services (ADFS). Federation has the highest dependency on on-premises infrastructure and, therefore, more authentication failure points.
  • Organizations using PTA or federation can consider also enabling PHS for leaked credentials reporting and the ability to switch over to using cloud authentication in the event of an on-premises outage (e.g., due to a ransomware attack).
DORA Act:
  • Article 7: ICT systems, protocols and tools
  • Article 9: Protection and Prevention of ICT risks while ensuring the resilience and security of financial entities' operations.
Multiple Microsoft Entra ID capabilities enable organizations to tighten their tenant security posture. Financial entities can deploy critical recommended actions:

  • Strengthen your credentials
  • Reduce your attack surface area
  • Automate threat response
  • Utilize cloud intelligence
  • Enable end-user self-service
DORA Act:

  • Article 9: Protection and Prevention of ICT risks while ensuring the resilience and security of financial entities' operations
Single sign-on (SSO) for enterprise applications in Microsoft Entra ID helps ensure that those applications benefit from credential policies, threat detection, auditing, logging, and other features. Financial entities can configure applications to use Microsoft Entra ID as their identity provider in order to benefit from credential policies, threat detection, auditing, logging, and other features that can help to adequately protect and monitor applications.

Follow application management recommendations to help ensure that applications are secured, governed, monitored, and cleaned up.
DORA Act:

  • Article 9: Protection and Prevention of ICT risks while ensuring the resilience and security of financial entities' operations.
  • Article 18: Classification of ICT-related incidents and cyber threats.


RTS on ICT risk management frameworks:
  • Article 20: Identity Management
Multifactor authentication in Microsoft Entra ID requires two or more authentication methods to increase security. Financial entities can implement multifactor authentication (MFA) in Microsoft Entra ID to help substantially reduce the risk of unauthorized access and ensure the security of ICT systems:

  • Authentication methods in Microsoft Entra ID include strong phish-resistant MFA methods such as Windows Hello, Passkeys (including FIDO2 security keys and device-bound passkeys in Microsoft Authenticator) and certificate-based authentication.
  • Microsoft provides options to build resilience with credential management, including the option of using passwordless authentication methods.
  • Security defaults in Microsoft Entra tenants can be used to quickly enable Microsoft Authenticator for all users.
  • Conditional Access policies can be used for more granular control of events or applications that require MFA.
DORA Act:
  • Article 9: Protection and Prevention of ICT risks while ensuring the resilience and security of financial entities' operations
  • Article 15: Further harmonization of ICT risk management tools, methods, processes, and policies

RTS on ICT risk management frameworks:
  • Article 11: Data and system security
  • Article 21: Access Control
  • Article 33: Access Control (Simplified framework)
Conditional Access in Microsoft Entra ID is Microsoft's Zero Trust policy engine taking signals from various sources into account when enforcing policy decisions. Financial entities can implement the following controls within Conditional Access, for all users:

We also recommend that financial entities review and consider recommended policies in our Conditional Access deployment guidance.

Implementing the above controls for privileged accounts can be considered a critical requirement, as these accounts can have a severe impact to the security and functioning of Microsoft Entra ID.
DORA Act:
  • Article 9: Protection and Prevention of ICT risks while ensuring the resilience and security of financial entities' operations
  • Article 15: Further harmonization of ICT risk management tools, methods, processes, and policies

RTS on ICT risk management frameworks:
  • Article 11: Data and system security
  • Article 21: Access Control
  • Article 22: ICT-related incident management policy
  • Article 23: Anomalous activities’ detection and criteria for ICT-related incidents’ detection and response
  • Article 33: Access Control (Simplified framework)
Privileged Identity Management (PIM) is a service in Microsoft Entra ID that enables you to manage, control, and monitor access to important resources in your organization. Robust security controls can be implemented for privileged roles to help prevent accidental or malicious loss of Microsoft Entra ID availability, misconfiguration, and data loss:
DORA Act:
  • Article 9: Protection and Prevention of ICT risks while ensuring the resilience and security of financial entities' operations.

RTS on ICT risk management frameworks:
  • Article 11: Data and system security
  • Article 21: Access Control
  • Article 33: Access Control (Simplified framework)
Microsoft Entra ID provides role-based access controls (RBAC), including both built-in roles and custom roles. Financial entities can follow the principle of least privilege to limit access to what is required for legitimate and approved functions and activities, helping to minimize the potential impact of a security breach.

As part of a least privilege strategy, we recommend financial entities follow best practices for Microsoft Entra roles.
DORA Act:
  • Article 9: Protection and Prevention of ICT risks while ensuring the resilience and security of financial entities' operations.

RTS on ICT risk management frameworks:
  • Article 11: Data and system security
  • Article 21: Access Control
  • Article 33: Access Control (Simplified framework)
Protected actions in Microsoft Entra ID are permissions that have been assigned Conditional Access policies. When a user attempts to perform a protected action, they must first satisfy the Conditional Access policies assigned to the required permissions. To help increase the number of administrative actions that are within the scope of protected actions and reduce the risk of tenant lockout, follow best practices for protected actions in Microsoft Entra ID.

To help protect against accidental or malicious hard deletions of some soft-deleted directory objects from the recycle bin and permanent data loss, you can add a protected action for the following permission: Microsoft.directory/deletedItems/delete

This deletion applies to users, Microsoft 365 groups, and applications.
DORA Act:
  • Article 9: Protection and Prevention of ICT risks while ensuring the resilience and security of financial entities' operations.

RTS on ICT risk management frameworks:
  • Article 11: Data and system security
  • Article 21: Access Control
  • Article 33: Access Control (Simplified framework)
Microsoft Entra ID supports numerous activity log integration options for storage or analysis, to help meet troubleshooting, long-term storage or monitoring goals. Financial entities can select and implement an activity log integration approach that enables continuous analysis and monitoring, and a sufficient data retention period:
DORA Act:
  • Article 9: Protection and Prevention of ICT risks while ensuring the resilience and security of financial entities' operations.
  • Article 18: Classification of ICT-related incidents and cyber threat
  • Article 19: Reporting of major ICT-related incidents and voluntary notification of significant cyber threats

RTS on ICT risk management frameworks:
  • Article 12: Logging
  • Article 21: Access Control
  • Article 22: ICT-related incident management policy
  • Article 23: Anomalous activities’ detection and criteria for ICT-related incidents’ detection and response
  • Article 33: Access Control (Simplified framework)
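The activity-log row above and the protected-actions row (hard deletion of directory objects) both come down to the same operational question: once audit logs are flowing into a SIEM, which events must raise an alert? The following is an added example, not code from the Microsoft page or from any Microsoft tool. It runs a small classifier over constructed audit records shaped like Microsoft Graph `GET /auditLogs/directoryAudits` entries. The activity names (for example `Hard Delete user`, `Add member to role`) and the privileged role names used as match criteria are assumptions and should be confirmed against the activity names your own tenant emits before the rules are relied on.

```python
"""Sensitive-operation detection over Microsoft Entra ID audit log records.

Added example, not code from the Microsoft page. The records are constructed
to follow the shape of Microsoft Graph GET /auditLogs/directoryAudits entries
(activityDisplayName, initiatedBy, targetResources, result). The activity and
role names used as match criteria are assumptions: confirm them against the
activity names your own tenant emits before relying on them.
"""
from __future__ import annotations

import json
from typing import Any, Optional

# Activity names treated as high impact. Assumed values; verify in your tenant.
HARD_DELETE_ACTIVITIES = {"Hard Delete user", "Hard Delete group", "Hard Delete application"}
CA_POLICY_ACTIVITIES = {"Delete conditional access policy", "Update conditional access policy"}
ROLE_ASSIGNMENT_ACTIVITIES = {"Add member to role", "Add eligible member to role"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Conditional Access Administrator"}

# Constructed sample records (not real tenant data): five events, three of which should alert.
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDateTime": "2024-05-01T08:00:00Z", "activityDisplayName": "Update user",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": "jdoe@contoso.example", "type": "User", "modifiedProperties": []}]},
    {"activityDateTime": "2024-05-01T08:05:00Z", "activityDisplayName": "Hard Delete user",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": "jdoe@contoso.example", "type": "User", "modifiedProperties": []}]},
    {"activityDateTime": "2024-05-01T08:10:00Z", "activityDisplayName": "Add member to role",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": "asmith@contoso.example", "type": "User", "modifiedProperties": [
         {"displayName": "Role.DisplayName", "oldValue": None, "newValue": "\"Global Administrator\""}]}]},
    {"activityDateTime": "2024-05-01T08:15:00Z", "activityDisplayName": "Add member to role",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": "bwong@contoso.example", "type": "User", "modifiedProperties": [
         {"displayName": "Role.DisplayName", "oldValue": None, "newValue": "\"Reports Reader\""}]}]},
    {"activityDateTime": "2024-05-01T08:20:00Z", "activityDisplayName": "Delete conditional access policy",
     "result": "success", "initiatedBy": {"app": {"displayName": "automation-sp"}},
     "targetResources": [{"displayName": "Require MFA for all users", "type": "Policy", "modifiedProperties": []}]},
])


def role_name(record: dict[str, Any]) -> Optional[str]:
    """Extract the role named by a role-membership event, if any.

    Graph encodes modifiedProperties values as JSON strings (e.g. "\"Global
    Administrator\""), so the value is decoded before comparison.
    """
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName" and prop.get("newValue"):
                try:
                    return json.loads(prop["newValue"])
                except ValueError:
                    return prop["newValue"]
    return None


def classify(record: dict[str, Any]) -> Optional[str]:
    """Return an alert category for a record, or None if it is not sensitive."""
    activity = record.get("activityDisplayName", "")
    if activity in HARD_DELETE_ACTIVITIES:
        return "hard-delete"
    if activity in CA_POLICY_ACTIVITIES:
        return "conditional-access-change"
    if activity in ROLE_ASSIGNMENT_ACTIVITIES and role_name(record) in PRIVILEGED_ROLES:
        return "privileged-role-assignment"
    return None


def actor_of(record: dict[str, Any]) -> str:
    """Name the initiator, whether a user or an application (service principal)."""
    initiated_by = record.get("initiatedBy") or {}
    user = initiated_by.get("user") or {}
    app = initiated_by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def detect(audit_log_json: str) -> list[dict[str, Any]]:
    """Run the classifier over an exported audit log and return alert records."""
    alerts = []
    for rec in json.loads(audit_log_json):
        kind = classify(rec)
        if kind is None:
            continue
        alerts.append({
            "kind": kind,
            "time": rec.get("activityDateTime"),
            "actor": actor_of(rec),
            "result": rec.get("result"),
            "targets": [t.get("displayName") for t in rec.get("targetResources", [])],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOG):
        print(alert)
```

Failed attempts are deliberately kept (the `result` field travels with the alert) because a denied hard delete or role assignment is itself worth investigating. The same three categories map naturally onto the protected-action and PIM controls in this table: if a hard delete or a privileged role assignment appears without a matching PIM activation or Conditional Access authentication-context satisfaction, the control has a gap.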
Microsoft Identity Secure Score indicates how aligned an organization is with certain Microsoft recommendations for security. Financial entities can regularly review Microsoft Identity Secure Score to measure and track identity security posture and plan identity security improvements.

Microsoft also offers numerous services, such as the Microsoft Zero Trust Workshop, that can help organizations assess their Microsoft Entra tenant security posture, as detailed elsewhere in this table.
DORA Act:
  • Article 9: Protection and Prevention of ICT risks while ensuring the resilience and security of financial entities' operations.

RTS on ICT risk management frameworks:
  • Article 34: ICT Operations Security
The Microsoft Entra recommendations feature helps to ensure tenant security and health via monitoring and email alerting. Financial entities can check Microsoft Entra recommendations regularly to ensure awareness of any new recommendations as these can help identify opportunities to implement best practices and optimize configurations for Microsoft Entra ID-related features.
DORA Act:
  • Article 9: Protection and Prevention of ICT risks while ensuring the resilience and security of financial entities' operations.

RTS on ICT risk management frameworks:
  • Article 34: ICT Operations Security
Azure Workbooks for Microsoft Entra ID provides a visual representation of tenant data, enabling querying and visualization for a number of identity management scenarios. Financial entities can select and regularly review workbook templates in Microsoft Entra ID that can help monitor the security and functioning of relevant Microsoft Entra ID use-cases.

As examples of current Microsoft Entra public workbook templates that may help:
  • The Conditional Access gap analyzer can help ensure that resources are properly protected by Conditional Access in Microsoft Entra ID
  • The sensitive operations report workbook is intended to help identify suspicious application and service principal activity that might indicate compromises in your environment
DORA Act:
  • Article 9: Protection and Prevention of ICT risks while ensuring the resilience and security of financial entities' operations
  • Article 17: ICT-related incident management process
Microsoft Graph provides API-based access to Microsoft Entra ID and a number of Microsoft 365 services. To help reduce the attack surface of an application and the impact of a security breach, financial entities can follow the principle of least privilege when building, assigning access to, and auditing Microsoft identity platform-integrated applications.
DORA Act:
  • Article 9: Protection and Prevention of ICT risks while ensuring the resilience and security of financial entities' operations

RTS on ICT risk management frameworks:
  • Article 12: Logging
  • Article 21: Access Control
  • Article 33: Access Control (Simplified framework)
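Auditing integrated applications for least privilege, as the row above recommends, is a review of which permissions have actually been granted rather than of what the applications ask for. The following is an added example, not code from the Microsoft page or from Microsoft Graph tooling. It assumes two exports from Microsoft Graph v1.0: `GET /oauth2PermissionGrants`, whose entries carry a space-separated `scope` string, and `GET /servicePrincipals`, used only to resolve display names. The high-privilege scope list is an assumption to be tuned to the entity's own risk appetite; the sample grants and service principals are constructed.

```python
"""Least-privilege review of delegated permission grants on Microsoft Graph.

Added example, not code from the Microsoft page. Assumes exports of
GET /oauth2PermissionGrants (each grant has a space-separated 'scope' string)
and GET /servicePrincipals (for display names) from Microsoft Graph v1.0.
The scope names are Microsoft Graph permission names; the list of which ones
count as high privilege is an assumption; the sample data is constructed.
"""
from __future__ import annotations

import json
from typing import Any

# Delegated scopes that should require documented justification. Assumed list.
HIGH_PRIVILEGE_SCOPES = {
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "Policy.ReadWrite.ConditionalAccess", "Application.ReadWrite.All",
    "Mail.ReadWrite", "Files.ReadWrite.All", "User.ReadWrite.All",
}

# Constructed grant export. consentType "AllPrincipals" is tenant-wide admin consent;
# "Principal" is a grant scoped to one user (principalId).
SAMPLE_GRANTS = json.dumps({"value": [
    {"id": "g1", "clientId": "sp-helpdesk", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read openid profile"},
    {"id": "g2", "clientId": "sp-legacy-tool", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Directory.ReadWrite.All Mail.ReadWrite User.Read"},
    {"id": "g3", "clientId": "sp-personal-script", "consentType": "Principal",
     "principalId": "user-123", "scope": "Files.ReadWrite.All"},
]})

# Constructed service principal export, used only to resolve names.
SAMPLE_SERVICE_PRINCIPALS = json.dumps({"value": [
    {"id": "sp-helpdesk", "displayName": "Helpdesk portal"},
    {"id": "sp-legacy-tool", "displayName": "Legacy reporting tool"},
    {"id": "sp-personal-script", "displayName": "Jane's sync script"},
]})


def review_grants(grants_json: str, service_principals_json: str) -> list[dict[str, Any]]:
    """Return one finding per grant that includes a high-privilege scope.

    Findings are ordered so that tenant-wide grants come first and, within
    each group, the grants with the most high-privilege scopes come first.
    """
    names = {sp["id"]: sp["displayName"]
             for sp in json.loads(service_principals_json)["value"]}
    findings = []
    for grant in json.loads(grants_json)["value"]:
        scopes = set(grant.get("scope", "").split())
        risky = sorted(scopes & HIGH_PRIVILEGE_SCOPES)
        if not risky:
            continue
        findings.append({
            "grantId": grant["id"],
            "application": names.get(grant["clientId"], grant["clientId"]),
            "scopes": risky,
            "tenantWide": grant.get("consentType") == "AllPrincipals",
            "principalId": grant.get("principalId"),
        })
    findings.sort(key=lambda f: (not f["tenantWide"], -len(f["scopes"])))
    return findings


if __name__ == "__main__":
    for finding in review_grants(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS):
        print(finding)
```

Application permissions (app roles granted to a service principal, returned by `GET /servicePrincipals/{id}/appRoleAssignments`) are a separate object type and would need a second, similar pass keyed on role identifiers; delegated grants are the case shown here because the scope string is human-readable and tenant-wide consent on them is the common over-privilege pattern.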
Microsoft365DSC enables automated tenant configuration management. Microsoft365DSC supports certain Microsoft Entra ID configurations. To record certain Microsoft Entra ID configuration settings and track changes, financial entities can consider automated configuration management tools such as Microsoft365DSC.

Manual documentation may be required for any configuration settings that aren't available via API.
DORA Act:
  • Article 9: Protection and Prevention of ICT risks while ensuring the resilience and security of financial entities' operations
Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. To help detect, investigate and remediate identity-based risks (including anomalous activities), financial entities can consider a service such as Microsoft Entra ID Protection.

Financial entities deploying Microsoft Entra ID Protection can integrate the service with Conditional Access in Microsoft Entra ID for automated remediation, and Security Information and Event Management (SIEM) tools such as Microsoft Sentinel for archive, further investigation, and correlation. Both human and workload identities can be within the scope of these protections.

We recommend that enterprise defense tools are used to coordinate detection, prevention, investigation, and response. For example, Microsoft Defender XDR helps security teams protect and detect their organizations by using information from other Microsoft security products, including Microsoft Entra ID Protection.
DORA Act:
  • Article 10: Detection
  • Article 15: Further harmonization of ICT risk management tools, methods, processes, and policies
  • Article 17: ICT-related incident management process

RTS on ICT risk management frameworks:
  • Article 22: ICT-related incident management policy
  • Article 23: Anomalous activities’ detection and criteria for ICT-related incidents’ detection and response
Microsoft Entra ID recoverability features include soft delete and Microsoft Graph APIs for many different resource types (for example, Conditional Access Graph APIs). Financial entities can incorporate recoverability best practices into recovery procedures and ICT business continuity tests (or similar activities), including but not limited to:
  • Microsoft Graph APIs can be used to regularly export the current state of supported Microsoft Entra ID configurations. M365DSC provides a framework that can help achieve this.
  • Audit logs and Azure Workbooks can be used to monitor for tenant misconfiguration.
  • Procedures to recover from deletions in Microsoft Entra ID can be rehearsed in a test tenant for certain object types, along with the corresponding communication process.
  • Conditional Access Graph APIs can be used to manage policies as code.
  • Recovery procedures can be performed using a least privileged approach along with PIM just-in-time escalation of privileges, to reduce the risk associated with tasks such as hard object deletion.
  • For incident response playbooks and recovery scenarios, financial entities can review and adopt Microsoft incident response playbooks.

The frequency of the above steps can be determined by the financial entity based on the criticality of information held within Microsoft Entra ID, considering any timeframes specified by DORA.
DORA Act:
  • Article 11: Response and Recovery
  • Article 12: Backup policies and procedures, restoration, and recovery procedures and methods

RTS on ICT risk management frameworks:
  • Article 25: Testing of the ICT business continuity plans
  • Article 26: ICT response and recovery plans
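Exporting configuration state through Microsoft Graph, monitoring for misconfiguration, and managing Conditional Access policies as code (the recoverability row above, and the Microsoft365DSC row earlier in this table) all reduce to comparing a committed baseline with what the tenant currently holds. The following is an added example, not code from the Microsoft page, from Microsoft Graph, or from Microsoft365DSC. It assumes two JSON exports of `GET /identity/conditionalAccess/policies` (Microsoft Graph v1.0): a baseline kept under version control and a fresh export. Only the policy fields compared here are modelled; a real export also carries fields such as `createdDateTime` and `modifiedDateTime`, which are deliberately not compared because they change without the policy's effect changing. The sample policies are constructed.

```python
"""Drift check for exported Microsoft Entra Conditional Access policies.

Added example, not code from the Microsoft page. Assumes two JSON exports of
GET /identity/conditionalAccess/policies (Microsoft Graph v1.0): a committed
baseline and a fresh export. Only the fields compared here are modelled; the
sample policies are constructed for illustration.
"""
from __future__ import annotations

import json
from typing import Any

# Fields whose change alters what the policy enforces. Timestamps are ignored on purpose.
TRACKED_FIELDS = ("state", "conditions", "grantControls", "sessionControls")

# Constructed baseline: the entity's approved configuration.
BASELINE_EXPORT = json.dumps({"value": [
    {"id": "ca-001", "displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["breakglass-group-id"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}, "sessionControls": None},
    {"id": "ca-002", "displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}, "sessionControls": None},
]})

# Constructed current export: ca-001 was switched to report-only and its exclusions
# widened, ca-002 was deleted, and an unknown policy ca-003 appeared.
CURRENT_EXPORT = json.dumps({"value": [
    {"id": "ca-001", "displayName": "Require MFA for all users",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeGroups": ["breakglass-group-id", "contractors-group-id"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}, "sessionControls": None},
    {"id": "ca-003", "displayName": "Temporary allow rule", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}, "sessionControls": None},
]})


def index_policies(export_json: str) -> dict[str, dict[str, Any]]:
    """Parse a Graph export and key the policies by their immutable id."""
    return {policy["id"]: policy for policy in json.loads(export_json)["value"]}


def diff_policies(baseline_json: str, current_json: str) -> list[dict[str, Any]]:
    """Return drift findings of kind removed, added, or changed.

    A 'changed' finding lists which TRACKED_FIELDS differ, so an operator can
    tell a harmless rename from a policy silently moved to report-only or
    given a wider exclusion list.
    """
    baseline = index_policies(baseline_json)
    current = index_policies(current_json)
    findings: list[dict[str, Any]] = []
    for pid in sorted(set(baseline) - set(current)):
        findings.append({"kind": "removed", "id": pid,
                         "displayName": baseline[pid]["displayName"]})
    for pid in sorted(set(current) - set(baseline)):
        findings.append({"kind": "added", "id": pid,
                         "displayName": current[pid]["displayName"]})
    for pid in sorted(set(baseline) & set(current)):
        changed = [f for f in TRACKED_FIELDS if baseline[pid].get(f) != current[pid].get(f)]
        if changed:
            findings.append({"kind": "changed", "id": pid,
                             "displayName": current[pid]["displayName"], "fields": changed})
    return findings


if __name__ == "__main__":
    for finding in diff_policies(BASELINE_EXPORT, CURRENT_EXPORT):
        print(finding)
```

Run on a schedule against the committed baseline, any non-empty result is a change that either has a matching change record or is an incident; the `state` and `conditions` fields are the ones to watch, since moving a policy to report-only or adding an exclusion group weakens enforcement without deleting anything visible.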
Microsoft resources that provide information and training resources related to vulnerabilities, cyber threats, ICT-related incidents, and security-related product functionality. Financial entities can routinely review, track, and act upon these resources provided by Microsoft related to vulnerabilities and cyber threats that may include:

Financial entities can develop ICT security awareness programmes that incorporate Microsoft Entra ID training for relevant staff that may include:

Note that some of the above resources cover a range of Microsoft Security products and technologies. They aren't limited to Microsoft Entra.
DORA Act:
  • Article 13: Learning and Evolving
  • Article 25: Testing of ICT tools and systems

RTS on ICT risk management frameworks:
  • Article 3: ICT risk management
  • Article 10: Vulnerability and patch management
Microsoft Entra ID Governance is an identity governance solution that enables organizations to improve productivity, strengthen security and more easily meet compliance and regulatory requirements. Financial entities can consider the deployment of an Identity Governance solution to control access management rights. Microsoft Entra ID Governance includes the following capabilities that can help apply the principle of least privilege to Microsoft Entra ID-protected resources:
  • Entitlement management enables the automation of access request workflows, access assignments, reviews, and expiration. Separation of duties checks are also supported to prevent the allocation of combinations of access rights that may enable controls to be bypassed.
  • Access reviews in Microsoft Entra ID enable regular management of the resource access lifecycle.
  • Lifecycle workflows enable automation of lifecycle processes across joiner, mover, and leaver scenarios. This can include revocation of access rights.
  • Privileged Identity Management (PIM) is a service in Microsoft Entra ID that enables you to manage, control, and monitor access to important resources in your organization.
  • Least privileged roles for managing Identity Governance features
DORA Act:
  • Article 9: Protection and Prevention of ICT risks while ensuring the resilience and security of financial entities' operations.
  • Article 15: Further harmonization of ICT risk management tools, methods, processes, and policies

RTS on ICT risk management frameworks:
  • Article 20: Identity Management
  • Article 21: Access Control
  • Article 33: Access Control (Simplified framework)
Microsoft resources that provide guidance related to Microsoft Entra ID security operations and incident response. Financial entities can review and consider operationalizing Microsoft Entra ID security operations and incident response guidance, including but not limited to:
DORA Act:
  • Article 17: ICT-related incident management process
Resources that provide information related to (and potentially related to) Microsoft Entra ID availability. Financial entities can routinely review, track, and consider information included in these articles and sites:

Note that some of the above resources cover a range of Microsoft Security products and technologies. They aren't limited to Microsoft Entra.
DORA Act:
  • Article 18: Classification of ICT-related incidents and cyber threats
  • Article 19: Reporting of major ICT-related incidents and voluntary notification of significant cyber threats

RTS on ICT risk management frameworks:
  • Article 10: Vulnerability and patch management
Microsoft service offerings that can help organizations assess their Microsoft Entra tenant security posture as part of digital operational resilience testing. The digital operational resilience testing program deployed by a financial entity may comprise a number of assessments, tools, and methodologies, including but not limited to:
  • The Microsoft Entra ID on-demand assessment, which analyzes and provides identity and access management (IAM) guidance for Microsoft Entra ID and related components.
  • The Microsoft Zero Trust Workshop is a comprehensive technical guide to help customers and partners adopt a Zero Trust strategy and deploy security solutions end-to-end to secure their organizations.

Financial entities can regularly perform such assessments, at a frequency in line with current DORA requirements.
DORA Act:
  • Article 24: General requirements for the performance of digital operational resilience testing
  • Article 25: Testing of ICT tools and systems
Resources that provide information related to Microsoft Entra changes. Financial entities can routinely track and consider information included in the articles and sites below. Actions taken by financial entities may include, for example, regression testing and updates to digital operational resilience-related processes and tests.
  • The Microsoft 365 Message Center can be used to track upcoming changes, including new and changed features, planned maintenance, and other important announcements
  • What's new (preview) can be used to track Microsoft Entra ID changes in the Microsoft Entra admin center
DORA Act:
  • Article 25: Testing of ICT tools and systems

RTS on ICT risk management frameworks:
  • Article 16: ICT systems acquisition, development, and maintenance
  • Article 17: ICT change management
  • Article 34: ICT Operations Security
Resources that provide information related to penetration testing and Microsoft Entra ID. Financial entities wishing to perform penetration tests against their Microsoft Cloud may consider the rules of engagement listed in this article:

Financial entities may consider the above rules of engagements within the context of this European Supervisory Authorities (ESA) report:
  • JC 2024 29: Final Report on DORA RTS on Threat Led Penetration Testing (TLPT) under Article 26 of DORA.
DORA Act:
  • Article 25: Testing of ICT tools and systems
  • Article 26: Advanced testing of ICT tools, systems, and processes based on TLPT
  • Article 27: Requirements for testers for the carrying out of TLPT

RTS on ICT risk management frameworks:
  • Article 25: Testing of the ICT business continuity plans
  • Article 26: ICT response and recovery plans
Resources related to the enablement, enforcement, and management of encryption and cryptographic controls when transmitting data to or from Microsoft Entra ID. For security reasons, Microsoft Entra ID will soon stop supporting Transport Layer Security (TLS) protocols and ciphers prior to TLS 1.2 and is rolling out support for TLS 1.3.

Financial entities may consider the following steps to help ensure usage and management of suitable encryption and cryptographic controls:
RTS on ICT risk management frameworks:
  • Article 6: Encryption and cryptographic controls
  • Article 7: Cryptographic key management
  • Article 14: Securing information in transit
  • Article 35: Data, system, and network security
Resources related to Microsoft Entra ID capacity and performance characteristics Financial entities may consider reviewing and keeping track of the following documentation to understand certain Microsoft Entra ID capacity and performance characteristics:
RTS on ICT risk management frameworks:
  • Article 9: Capacity and performance management
  • Article 34: ICT Operations Security
Global Secure Access is Microsoft's Security Service Edge (SSE) solution. Financial entities can implement controls to protect access to the public internet and private networks using Global Secure Access.
RTS on ICT risk management frameworks:
  • Article 13: Network security management
  • Article 14: Securing information in transit
  • Article 35: Data, system, and network security
Resources related to acquisition, development, and maintenance of applications. Financial entities may include the following aspects as part of acquiring or building new applications:
RTS on ICT risk management frameworks:
  • Article 16: ICT systems acquisition, development, and maintenance
  • Article 37: ICT systems acquisition, development, and maintenance (Simplified Framework)

Resources