Microsoft Entra ID's backup authentication system

Organizations around the world depend on the high availability of Microsoft Entra authentication for users and services 24 hours a day, seven days a week. We promise a 99.99% service level availability for authentication, and we continuously seek to improve it by enhancing the resilience of our authentication service. To further improve resilience during outages, we implemented a backup system in 2021.

The Microsoft Entra backup authentication system is made up of multiple backup services that work together to increase authentication resilience if there's an outage. This system transparently and automatically handles authentications for supported applications and services if the primary Microsoft Entra service is unavailable or degraded. It adds an extra layer of resilience on top of the multiple levels of existing redundancy. This resilience is described in the blog post Advancing service resilience in Microsoft Entra ID with its backup authentication service. This system syncs authentication metadata when the system is healthy and uses that to enable users to continue to access applications during outages of the primary service while still enforcing policy controls.

During an outage of the primary service, users are able to continue working with their applications, as long as they accessed them in the last three days from the same device, and no blocking policies exist that would curtail their access:

In addition to Microsoft applications, we support:

  • Native email clients on iOS and Android.
  • Software as a service (SaaS) applications available in the app gallery, like ADP, Atlassian, AWS, GoToMeeting, Kronos, Marketo, SAP, Trello, Workday, and more.
  • Selected line of business applications, based on their authentication patterns.

Service to service authentication that relies on managed identities for Azure resources or are built on Azure services, like virtual machines, cloud storage, Azure AI services, and App Service, receives increased resilience from the backup authentication system.

Microsoft is continuously expanding the number of supported scenarios.

Which non-Microsoft workloads are supported?

The backup authentication system automatically provides incremental resilience to tens of thousands of supported non-Microsoft applications based on their authentication patterns. See the appendix for a list of the most common non-Microsoft applications and their coverage status. For an in depth explanation of which authentication patterns are supported, see the article Understanding Application Support for the backup authentication system article.

  • Native applications using the Open Authorization (OAuth) 2.0 protocol to access resource applications, such as popular non-Microsoft e-mail and IM clients like: Apple Mail, Aqua Mail, Gmail, Samsung Email, and Spark.
  • Line of business web applications configured to authenticate with OpenID Connect using only ID tokens.
  • Web applications authenticating with the Security Assertion Markup Language (SAML) protocol, when configured for IDP-Initiated single sign-on (SSO) like: ADP, Atlassian Cloud, AWS, GoToMeeting, Kronos, Marketo, Palo Alto Networks, SAP Cloud Identity Services, Trello, Workday, and Zscaler.

Non-Microsoft application types that aren't protected

The following auth patterns aren't currently supported:

  • Web applications that authenticate using OpenID Connect and request access tokens
  • Web applications that use the SAML protocol for authentication, when configured as SP-Initiated SSO

What makes a user supportable by the backup authentication system?

During an outage, a user can authenticate using the backup authentication system if the following conditions are met:

  1. The user successfully authenticated using the same app and device in the last three days.
  2. The user isn't required to authenticate interactively
  3. The user is accessing a resource as a member of their home tenant, rather than exercising a B2B or B2C scenario.
  4. The user isn't subject to Conditional Access policies that limit the backup authentication system, like disabling resilience defaults.
  5. The user hasn't been subject to a revocation event, such as a credential change since their last successful authentication.

How does interactive authentication and user activity affect resilience?

The backup authentication system relies on metadata from a prior authentication to reauthenticate the user during an outage. For this reason, a user must have authenticated in the last three days using the same app on the same device for the backup service to be effective. Users who are inactive or haven't authenticated to a given app can't use the backup authentication system for that application.

How do Conditional Access policies affect resilience?

Certain policies can't be evaluated in real-time by the backup authentication system and must rely on prior evaluations of these policies. Under outage conditions, the service uses a prior evaluation by default to maximize resilience. For example, access that is conditioned on a user having a particular role (like Application Administrator) continues during an outage based on the role the user had during that latest authentication. If the outage-only use of a previous evaluation needs to be restricted, tenant administrators can choose a strict evaluation of all Conditional Access policies, even under outage conditions, by disabling resilience defaults. This decision should be taken with care because disabling resilience defaults for a given policy disables those users from using backup authentication. Resilience defaults must be reenabled before an outage occurs for the backup system to provide resilience.

Certain other types of policies don't support use of the backup authentication system. Use of the following policies reduce resilience:

Workload identity resilience in the backup authentication system

In addition to user authentication, the backup authentication system provides resilience for managed identities and other key Azure infrastructure by offering a regionally isolated authentication service that is redundantly layered with the primary authentication service. This system enables the infrastructure authentication within an Azure region to be resilient to issues that might occur in another region or within the larger Microsoft Entra service. This system complements Azure's cross-region architecture. Building your own applications using MI and following Azure's best practices for resilience and availability ensures your applications are highly resilient. In addition to MI, this regionally resilient backup system protects key Azure infrastructure and services that keep the cloud functional.

Summary of infrastructure authentication support

  • Your services built-on the Azure Infrastructure using managed identities are protected by the backup authentication system.
  • Azure services authenticating with each other are protected by the backup authentication system.
  • Your services built on or off Azure when the identities are registered as Service Principals and not "managed identities" aren't protected by the backup authentication system.

Cloud environments that support the backup authentication system

The backup authentication system is supported in all cloud environments except Microsoft Azure operated by 21Vianet. The types of identities supported vary by cloud, as described in the following table.

Azure environment Identities protected
Azure Commercial Users and managed identities
Azure Government Users and managed identities
Azure Government Secret Managed identities
Azure Government Top Secret Managed identities
Azure operated by 21Vianet Not available

Appendix

App Name Protected Why Not protected?
ABBYY FlexiCapture 12 No SAML SP-initiated
Adobe Experience Manager No SAML SP-initiated
Adobe Identity Management (OIDC) No OIDC with Access Token
ADP Yes Protected
Apple Business Manager No SAML SP-initiated
Apple Internet Accounts Yes Protected
Apple School Manager No OIDC with Access Token
Aqua Mail Yes Protected
Atlassian Cloud Yes * Protected
Blackboard Learn No SAML SP-initiated
Box No SAML SP-initiated
Brightspace by Desire2Leam No SAML SP-initiated
Canvas No SAML SP-initiated
Ceridian Dayforce HCM No SAML SP-initiated
Cisco AnyConnect No SAML SP-initiated
Cisco Webex No SAML SP-initiated
Citrix ADC SAML Connector for Azure AD No SAML SP-initiated
Clever No SAML SP-initiated
Cloud Drive Mapper Yes Protected
Cornerstone Single Sign-on No SAML SP-initiated
Docusign No SAML SP-initiated
Druva No SAML SP-initiated
F5 BIG-IP APM Azure AD integration No SAML SP-initiated
FortiGate SSL VPN No SAML SP-initiated
Freshworks No SAML SP-initiated
Gmail Yes Protected
Google Cloud / G Suite Connector by Microsoft No SAML SP-initiated
HubSpot Sales No SAML SP-initiated
Kronos Yes * Protected
Madrasati App No SAML SP-initiated
OpenAthens No SAML SP-initiated
Oracle Fusion ERP No SAML SP-initiated
Palo Alto Networks - GlobalProtect No SAML SP-initiated
Polycom - Skype for Business Certified Phone Yes Protected
Salesforce No SAML SP-initiated
Samsung Email Yes Protected
SAP Cloud Platform Identity Authentication No SAML SP-initiated
SAP Concur Yes * SAML SP-initiated
SAP Concur Travel and Expense Yes * Protected
SAP Fiori No SAML SP-initiated
SAP NetWeaver No SAML SP-initiated
SAP SuccessFactors No SAML SP-initiated
Service Now No SAML SP-initiated
Slack No SAML SP-initiated
Smartsheet No SAML SP-initiated
Spark Yes Protected
UKG pro Yes * Protected
VMware Boxer Yes Protected
walkMe No SAML SP-initiated
Workday No SAML SP-initiated
Workplace from Facebook No SAML SP-initiated
Zoom No SAML SP-initiated
Zscaler Yes * Protected
Zscaler Private Access (ZPA) No SAML SP-initiated
Zscaler ZSCloud No SAML SP-initiated

Note

* Apps configured to authenticate with the SAML protocol are protected when using IDP-Initiated authentication. Service Provider (SP) initiated SAML configurations aren't supported

Azure resources and their status

resource Azure resource name Status
Microsoft.ApiManagement API Management service in Azure Government and China regions Protected
microsoft.app App Service Protected
Microsoft.AppConfiguration Azure App Configuration Protected
Microsoft.AppPlatform Azure App Service Protected
Microsoft.Authorization Microsoft Entra ID Protected
Microsoft.Automation Automation Service Protected
Microsoft.AVX Azure VMware Solution Protected
Microsoft.Batch Azure Batch Protected
Microsoft.Cache Azure Cache for Redis Protected
Microsoft.Cdn Azure Content Delivery Network Not protected
Microsoft.Chaos Azure Chaos Engineering Protected
Microsoft.CognitiveServices Azure AI services APIs and Containers Protected
Microsoft.Communication Azure Communication Services Not protected
Microsoft.Compute Azure Virtual Machines Protected
Microsoft.ContainerInstance Azure Container Instances Protected
Microsoft.ContainerRegistry Azure Container Registry Protected
Microsoft.ContainerService Azure Kubernetes Service (deprecated) Protected
Microsoft.Dashboard Azure Dashboards Protected
Microsoft.DatabaseWatcher Azure SQL Database Automatic Tuning Protected
Microsoft.DataBox Azure Data Box Protected
Microsoft.Databricks Azure Databricks Not protected
Microsoft.DataCollaboration Azure Data Share Protected
Microsoft.Datadog Datadog Protected
Microsoft.DataFactory Azure Data Factory Protected
Microsoft.DataLakeStore Azure Data Lake Storage Gen1 and Gen2 Not protected
Microsoft.DataProtection Microsoft Defender for Cloud Apps Data Protection API Protected
Microsoft.DBforMySQL Azure Database for MySQL Protected
Microsoft.DBforPostgreSQL Azure Database for PostgreSQL Protected
Microsoft.DelegatedNetwork Delegated Network Management service Protected
Microsoft.DevCenter Microsoft Store for Business and Education Protected
Microsoft.Devices Azure IoT Hub and IoT Central Not protected
Microsoft.DeviceUpdate Windows 10 IoT Core Services Device Update Protected
Microsoft.DevTestLab Azure DevTest Labs Protected
Microsoft.DigitalTwins Azure Digital Twins Protected
Microsoft.DocumentDB Azure Cosmos DB Protected
Microsoft.EventGrid Azure Event Grid Protected
Microsoft.EventHub Azure Event Hubs Protected
Microsoft.HealthBot Health Bot Service Protected
Microsoft.HealthcareApis FHIR API for Azure API for FHIR and Microsoft Cloud for Healthcare solutions Protected
Microsoft.HybridContainerService Azure Arc-enabled Kubernetes Protected
Microsoft.HybridNetwork Azure Virtual WAN Protected
Microsoft.Insights Application Insights and Log Analytics Not protected
Microsoft.IoTCentral IoT Central Protected
Microsoft.Kubernetes Azure Kubernetes Service (AKS) Protected
Microsoft.Kusto Azure Data Explorer (Kusto) Protected
Microsoft.LoadTestService Visual Studio Load Testing Service Protected
Microsoft.Logic Azure Logic Apps Protected
Microsoft.MachineLearningServices Machine Learning Services on Azure Protected
Microsoft.managed identity Managed identities for Microsoft Resources Protected
Microsoft.Maps Azure Maps Protected
Microsoft.Media Azure Media Services Protected
Microsoft.Migrate Azure Migrate Protected
Microsoft.MixedReality Mixed Reality services including Remote Rendering, Spatial Anchors, and Object Anchors Not protected
Microsoft.NetApp Azure NetApp Files Protected
Microsoft.Network Azure Virtual Network Protected
Microsoft.OpenEnergyPlatform Open Energy Platform (OEP) on Azure Protected
Microsoft.OperationalInsights Azure Monitor Logs Protected
Microsoft.PowerPlatform Microsoft Power Platform Protected
Microsoft.Purview Microsoft Purview (formerly Azure Data Catalog) Protected
Microsoft.Quantum Microsoft Quantum Development Kit Protected
Microsoft.RecommendationsService Azure AI services Recommendations API Protected
Microsoft.RecoveryServices Azure Site Recovery Protected
Microsoft.ResourceConnector Azure Resource Connector Protected
Microsoft.Scom System Center Operations Manager Protected
Microsoft.Search Azure Cognitive Search Not protected
Microsoft.Security Microsoft Defender for Cloud Not protected
Microsoft.SecurityDetonation Microsoft Defender for Endpoint Detonation Service Protected
Microsoft.ServiceBus Service Bus messaging service and Event Grid domain topics Protected
Microsoft.ServiceFabric Azure Service Fabric Protected
Microsoft.SignalRService Azure SignalR Service Protected
Microsoft.Solutions Azure Solutions Protected
Microsoft.Sql SQL Server on Virtual Machines and SQL Managed Instance on Azure Protected
Microsoft.Storage Azure Storage Protected
Microsoft.StorageCache Azure Storage Cache Protected
Microsoft.StorageSync Azure File Sync Protected
Microsoft.StreamAnalytics Azure Stream Analytics Not protected
Microsoft.Synapse Synapse Analytics (formerly SQL DW) and Synapse Studio (formerly SQL DW Studio) Protected
Microsoft.UsageBilling Azure Usage and Billing Portal Not protected
Microsoft.VideoIndexer Video Indexer Protected
Microsoft.VoiceServices Azure Communication Services - Voice APIs Not protected
microsoft.web Web Apps Protected

Next steps