The US Department of Labor’s (DOL) ambitious move toward Zero Trust security demonstrates how government agencies can harness modern identity management to improve cybersecurity while streamlining user access. Over the past several years, Microsoft has supported federal and state organizations in their transition, and DOL’s journey—centered on Microsoft Entra ID—is a prime example of these cutting-edge advancements in identity protection.
Consolidating Identity Systems for a Unified Security Approach
DOL initially operated a fragmented system where multiple identity technologies coexisted. They relied on on-premises Active Directory, Active Directory Federation Services, and even Ping Federate alongside their Microsoft 365 investments. This patchwork setup meant that users had to authenticate to various applications through different systems—an approach riddled with complexity and potential vulnerabilities.

Recognizing the need for consolidation, DOL’s Identity, Credential, and Access Management (ICAM) group set out to unify these identity systems under Microsoft Entra ID (formerly known as Azure Active Directory). Using the extensive protocol support (including SAML and OIDC) provided by Entra ID, DOL achieved a seamless single sign-on (SSO) experience across more than 200 applications. This integration not only improved the user experience but also laid the groundwork for enforcing stronger, more consistent security policies.
Key benefits of this consolidation include:
• Reduced complexity through a single identity source
• Enhanced security protocol integration for SSO across various applications
• Streamlined management and compliance monitoring via centralized logging and analytics
Advancing Zero Trust with Risk-Based Conditional Access
As threats grew more sophisticated, so did DOL’s security requirements. In response to emerging federal cybersecurity mandates, DOL advanced its security posture by transitioning from static Conditional Access (CA) rules to dynamic, risk-based policies. With Microsoft Entra ID Protection, DOL can now assess not only device risk, but also sign-in and user risk factors before allowing access.

The organization’s refined policies include:
• Differentiating between privileged and regular users
• Enforcing reauthentication based on a user’s calculated risk level
• Blocking high-risk sign-ins outright, while employing a tiered reauthentication schedule for medium-risk scenarios
These risk-based policies reinforce the Zero Trust principle by ensuring that each access request is continuously evaluated. Further, the practice of running policies in “report-only” mode allowed security teams to collect valuable insights on user behaviors without disrupting business operations. This modeling provided a clearer picture of potential vulnerabilities, enabling DOL to tailor its risk controls and eliminate policy redundancies effectively.
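To make the tiered policy set and the report-only mode concrete, here is a small evaluator written for this article (it is not Microsoft's engine and not DOL's configuration). The policy dictionaries borrow field names from the Microsoft Graph conditionalAccessPolicy resource (displayName, state, conditions, grantControls, sessionControls, and the state value enabledForReportingButNotEnforced); the evaluation order, the role name used in place of a role template ID, the sign-in records and their risk scores are all constructed assumptions for the demonstration.

```python
"""Simplified model of risk-based Conditional Access evaluation.

Added illustration only. Policy dicts use Microsoft Graph
conditionalAccessPolicy field names, but the evaluation logic, the risk
scores and the sample sign-ins below are constructed for this example.
"""
from dataclasses import dataclass, field

# Real policies reference a directory role template GUID; a name is used here
# only for readability.
GLOBAL_ADMIN = "Global Administrator"


@dataclass
class SignIn:
    user: str
    sign_in_risk: str                 # none/low/medium/high, as ID Protection would score it
    roles: set = field(default_factory=set)
    mfa_done: bool = False            # MFA already satisfied in this session
    device_compliant: bool = False


# Constructed policies modelled on the tiers the article describes.
POLICIES = [
    {"displayName": "Block high-risk sign-ins (all users)",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "signInRiskLevels": ["high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Privileged users: MFA and reauth every 1h on medium risk",
     "state": "enabled",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN]}, "signInRiskLevels": ["medium"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
     "sessionControls": {"signInFrequency": {"isEnabled": True, "value": 1, "type": "hours"}}},
    {"displayName": "Regular users: MFA and reauth every 8h on medium risk",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeRoles": [GLOBAL_ADMIN]},
                    "signInRiskLevels": ["medium"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
     "sessionControls": {"signInFrequency": {"isEnabled": True, "value": 8, "type": "hours"}}},
    # Candidate policy running in report-only mode: logged, never enforced.
    {"displayName": "Candidate: require compliant device for all users",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]


def _in_scope(policy, s):
    """User/role scoping plus the sign-in risk condition."""
    users = policy["conditions"].get("users", {})
    included = "All" in users.get("includeUsers", []) or bool(s.roles & set(users.get("includeRoles", [])))
    excluded = bool(s.roles & set(users.get("excludeRoles", [])))
    if not included or excluded:
        return False
    levels = policy["conditions"].get("signInRiskLevels")
    return not levels or s.sign_in_risk in levels


def _unsatisfied(policy, s):
    """Grant controls this sign-in has not yet met ('block' can never be met)."""
    satisfied = {"mfa": s.mfa_done, "compliantDevice": s.device_compliant}
    return [c for c in policy["grantControls"]["builtInControls"] if not satisfied.get(c, False)]


def evaluate(s, policies=POLICIES):
    """Enforced decision for one sign-in, plus what report-only policies would have done."""
    blocked, required, reauth_hours, report = False, set(), None, []
    for p in policies:
        if p["state"] == "disabled" or not _in_scope(p, s):
            continue
        missing = _unsatisfied(p, s)
        if p["state"] == "enabledForReportingButNotEnforced":
            if missing:  # record the would-be impact, do not enforce
                report.append((p["displayName"], "block" if "block" in missing else "require " + "+".join(missing)))
            continue
        if "block" in missing:
            blocked = True
        required.update(missing)
        freq = p.get("sessionControls", {}).get("signInFrequency")
        if freq and freq["isEnabled"]:
            hours = freq["value"] * 24 if freq["type"] == "days" else freq["value"]
            reauth_hours = hours if reauth_hours is None else min(reauth_hours, hours)  # most restrictive wins
    if blocked:
        return {"outcome": "block", "required": [], "reauth_hours": None, "report_only": report}
    outcome = "grant_after_controls" if required else "grant"
    return {"outcome": outcome, "required": sorted(required), "reauth_hours": reauth_hours, "report_only": report}


def report_only_impact(signins, policies=POLICIES):
    """Per report-only policy, how many sign-ins it would have affected (the insight report-only mode yields)."""
    counts = {}
    for s in signins:
        for name, _ in evaluate(s, policies)["report_only"]:
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sign-in events (not real log data).
SAMPLE_SIGNINS = [
    SignIn("admin@agency.example", "medium", roles={GLOBAL_ADMIN}, device_compliant=True),
    SignIn("analyst@agency.example", "medium", mfa_done=True),
    SignIn("analyst@agency.example", "high", mfa_done=True, device_compliant=True),
    SignIn("clerk@agency.example", "none"),
]

if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        print(s.user, s.sign_in_risk, evaluate(s))
    print("report-only impact:", report_only_impact(SAMPLE_SIGNINS))
```

The medium-risk admin is granted only after MFA with a one-hour reauthentication window, the medium-risk analyst keeps the eight-hour window, the high-risk sign-in is blocked regardless of anything else, and the report-only compliant-device policy never changes an outcome but shows it would have affected two of the four sign-ins, which is exactly the kind of count a team wants before switching such a policy to enforced.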
Enhancing Authentication with Device-Bound Passkeys
One standout aspect of DOL’s security upgrade is its innovative use of device-bound passkeys via the Microsoft Authenticator app. Previously, privileged accounts were merely protected by usernames, passwords, and basic multi-factor authentication—a setup that left them vulnerable to phishing attacks. Recognizing that privileged accounts demand a higher level of protection, DOL introduced device-bound passkeys that offer phishing-resistant authentication.

The process is refreshingly simple and efficient:
- Privileged users install the Microsoft Authenticator app on their government-issued cell phones.
- They sign in using a Temporary Access Pass during an initial onboarding process.
- The passkey is set up in a frictionless workflow, enabling much faster authentication—Microsoft testing shows that passkey sign-ins are eight times quicker than conventional methods.
The Benefits of a Unified and Adaptive Security Framework
DOL’s modernized identity system brings a host of long-term benefits:
• A simplified policy landscape that reduces administrative overhead
• A clearer understanding of risk through enriched logging and behavioral analytics
• The agility to adapt to emerging security threats by rapidly updating policies
• Improved user satisfaction—fewer hurdles mean faster access and higher productivity
By integrating these sophisticated features, the department has not only met stringent federal cybersecurity standards but also positioned itself as a model for other state and federal agencies looking to modernize their cybersecurity practices.
Looking Ahead: Future Enhancements and Broader Implications
Even as DOL celebrates these improvements, its cybersecurity roadmap continues to evolve. Future initiatives include:
• Implementing attestation mechanisms to ensure that only the genuine Microsoft Authenticator app can register new passkeys
• Centrally managing devices by joining them to Entra ID for streamlined updates and policy enforcement
• Further consolidating and refining Conditional Access policies to close any residual security gaps
This forward-looking strategy promises a more resilient defense mechanism in an environment where cyber threats are both persistent and ever-changing.
Final Thoughts
DOL’s journey towards a Zero Trust environment with the help of Microsoft Entra ID serves as a robust case study for the public sector. By consolidating multiple identity systems into one agile solution, the department not only simplified its security management but also laid a strong foundation for future improvements. The integration of risk-based Conditional Access and phishing-resistant authentication, particularly through device-bound passkeys, further underscores the importance of an adaptive security strategy in today’s digital age.

For Windows users and IT professionals alike, DOL’s approach reinforces the value of centralized identity management and adaptive security policies—cornerstones of today’s secure, efficient, and user-friendly computing environment. The successful consolidation efforts and continuous monitoring illustrate that with the right technology and strategic foresight, modern government agencies can meet today's stringent security requirements while paving the way for even more robust systems in the future.
Source: Microsoft Security Blog, “US Department of Labor’s journey to Zero Trust security with Microsoft Entra ID”