May 8, 2025

Universal Print is a comprehensive cloud-based printing solution and platform designed to enhance security, simplify management, and improve user experience. This post outlines the security posture of Universal Print, detailing its principles, architecture, and operations.
Evolution of Printing at Microsoft
The Beginning: Print Servers
Print servers have been around for decades. They are flexible and easy to set up, and they scale with an organization across a wide range of printers, drivers and architectures. They are also harder to manage and to keep secure, because every custom print driver has to be installed, maintained and patched. Microsoft is working with the industry to evolve the Print Server role toward standards-based printing that eliminates custom print drivers altogether. Some customers want to move to a pure cloud solution instead, and that is the option Universal Print provides.
| Print Servers | Universal Print service |
| --- | --- |
| Flexible | Easy to set up |
| Needs management | Easy to manage |
| Less secure with custom print drivers | Secure by design and by default |
| Evolving to use IPP/Mopria for print | Uses IPP/Mopria |

Table 1 Print Servers vs Universal Print
Universal Print: The Move to the Cloud
Universal Print is a cloud-based, standards-based print solution from Microsoft that supports a range of devices and platforms without on-premises print servers or custom print drivers. Its integration with Microsoft Entra ID allows management and deployment within Microsoft 365 environments. As an enterprise-level service, it simplifies print management while adding security measures that protect sensitive data.
Universal Print launched in 2021. It offers centralized, simplified cloud management and is secure by design and by default. Printer manufacturers and print ISVs can add features on top of it, such as badge release and Print Support Apps. Universal Print uses IPP/Mopria, adheres to GDPR, and is hosted on FedRAMP-accredited infrastructure.
A list of natively supported printers can be found here: https://aka.ms/UPReadyPrinterList.
Universal Print is built with security as a core design goal and supports zero-trust networking: printing does not require a trusted corporate network or a VPN. All connections are encrypted with HTTPS over TLS 1.2 or later, and all of them are initiated as outbound connections by user devices or printers, so no inbound ports need to be opened in the organization's firewalls. Connections from users, printers and connectors are all authenticated with Microsoft Entra ID. Because Universal Print is built on standard print-industry protocols, it needs no printer drivers on user devices, so driver patching and security bugs in drivers are no longer something the admin has to worry about.
Universal Print works best with printers that are Universal Print ready, meaning they communicate directly with the service. To support existing printers that are not, Universal Print offers a software connector. Only the communication between the connector and those printers requires a trusted network, and that network can be isolated and used solely for this purpose. The connector needs a LAN or VPN to reach the printers, but its communication with the Universal Print cloud service, like the communication between user devices and Universal Print, goes over the public internet and works in a zero-trust environment.
Print data is stored in the Microsoft 365 core data platform, the same secure and compliant storage that underlies Exchange, Teams and SharePoint and that sits behind Microsoft Graph. Universal Print meets enterprise and government certification requirements. Data is encrypted at rest with Microsoft-managed keys (MMK); customers who prefer can use their own customer-managed keys (CMK).
Security Principles
Universal Print follows Microsoft's security principles: secure by default, secure by design and secure in operations (outlined in the Secure Future Initiative blog post). Secure by default means the system is secure out of the box; secure by design means security is a core design goal; secure in operations means rigorous processes that ensure high quality and security. These principles and pillars are described in further detail in the Secure Future Initiative blog.
Universal Print is secure by default and by design – Universal Print is secure right out of the box, no complex setup or fine-tuning required. Just deploy with confidence and get seamless, built-in protection.
Operational security principles cover everything around the code and its deployment: how code is written and deployed, what is required to access production systems, and how threats are monitored. A rigorous, continuously improving set of Security Development Lifecycle (SDL) processes systematically ensures quality and security:
- Protect identities & secrets – use of Managed Identities in Entra to eliminate secret-related issues.
- Protect tenants & isolate production systems – production systems run exclusively in an isolated environment.
- Protect networks – production resources are not internet-accessible and require Just-in-Time (JIT) elevation of privilege to access.
- Protect engineering systems – Universal Print is built using the same engineering systems as other Microsoft products, such as SharePoint and Exchange.
- Monitor and detect threats, accelerate response & remediation – continuous monitoring and on-call engineers ensure systematic issue resolution around the clock.
Security Architecture
Tenant Separation
Tenant separation ensures that a customer's data stays with that customer. Universal Print uses the Tenant ID to separate the processing and storage of customer data, and the data is additionally protected at the application level: within a tenant, data held by Universal Print cannot be read by other applications, even ones built by Microsoft. All customer data is stored in the same way as Microsoft 365 data for Teams and Outlook and is architected to provide layers of security.
- The Tenant ID (and, where applicable, the User or Printer ID) taken from a request's auth token separates the processing and storage of all customer data, end to end.
- Data and logs are stored in separate shards (by Tenant ID and/or User/Printer ID) in the Microsoft 365 core data platform. Every data access requires an authentication token, and each token carries the tenant of the entity (user, device or application) presenting it, so an entity can access data only from the tenant to which it belongs and in which it is authorized.
Standard tools & Processes:
- Microsoft Entra ID is the single source of truth for identity. Every request to Universal Print starts with Microsoft Entra ID authentication. Entra ID is used for identity and access management, and Azure Key Vault is used for secret storage.
- Microsoft 365 core data platform handles customer content. Universal Print uses Azure Front Door for secure connections, and Geneva for monitoring and logging.
Zero Trust
The zero-trust model means that no device or connection is trusted by default. All connections require Entra ID authentication, and there is no need for VPN or opening firewall ports. Printer identities are backed by certificates that are created by Azure Device Registration Service (ADRS) at registration time. Only admins can register printers.
To prevent unauthorized access and minimize the attack surface:
- All users and printers have identities in Microsoft Entra ID.
- All requests are authenticated.
- No inbound network connections are established. No firewall ports need to be opened, and a VPN is not needed.
To reduce over-privileged users in organizations:
- Scoped admin roles give admins only as much control as their role needs. Two Microsoft Entra ID roles, Printer Administrator and Printer Technician, provide just enough access for the IT staff who configure the print environment, and delegated administration is also available.
- Granular, per-user and per-printer access control ensures users can reach only the printers they need.
- Microsoft Entra ID is also the single source of truth for admin role assignments and access control configuration.
To minimize the blast radius and lateral movement resulting from a breach, we always “assume breach” and maintain several layers of protection to minimize the impact of a breach:
- All data is encrypted in transit (TLS 1.2/1.3) and at rest (AES-256)
- Customers can provide their own key for a second layer of encryption at rest
- Certificates are rotated automatically and handled through Managed Identity, so no user can access them. The printer's certificate is used to obtain an access token, and each device token lasts at most one hour.
- Each printer can only access jobs sent or authorized to it (not jobs for other printers)
Additional information on Universal Print Zero-Trust: Universal Print support for Zero Trust networks | Microsoft Community Hub.
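The tenant-separation and assume-breach properties described above (the tenant ID from the token selecting the storage shard, a printer seeing only the jobs sent to it, users reaching only the shares they were granted, and device tokens capped at one hour) can be made concrete in a small model. The following is an added example, not Universal Print's own code: Entra ID issues RS256-signed tokens, and here an HMAC-SHA256 issuer key stands in for that signature check so the block runs offline with only the standard library. The claim names tid, oid, iat and exp are real Entra claim names; the "kind" claim, the key, the tenant, user and printer identifiers and the job store are all constructed for illustration.

```python
"""Model of the tenant-scoped, least-privilege checks the post describes.
Added illustration, not Microsoft's code. An HMAC key stands in for Entra's
RS256 signing key; claim "kind" and all identifiers below are constructed."""
import base64
import hashlib
import hmac
import json
import time

ISSUER_KEY = b"constructed-issuer-key"  # assumption: stand-in for Entra's signing key
MAX_LIFETIME = 3600                      # device tokens last up to one hour (from the post)


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = ISSUER_KEY) -> str:
    """Issue a compact JWT carrying the caller's tenant (tid) and object id (oid)."""
    head = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64u(sig)}"


def verify_token(token: str, now: int, key: bytes = ISSUER_KEY) -> dict:
    """Check signature, required claims and lifetime; return claims or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    head, body, sig = parts
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _b64u_dec(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64u_dec(body))
    if not all(k in claims for k in ("tid", "oid", "iat", "exp")):
        raise PermissionError("missing claims")
    if claims["exp"] - claims["iat"] > MAX_LIFETIME or now >= claims["exp"]:
        raise PermissionError("token expired or over-long lifetime")
    return claims


class PrintService:
    """Jobs live in shards keyed by (tenant id, printer id). The tenant id is
    always taken from the verified token, never from the request."""

    def __init__(self):
        self.shards = {}         # (tid, printer) -> list of jobs
        self.allowed_users = {}  # (tid, printer) -> set of user oids on the share

    def grant(self, tid: str, printer: str, user_oid: str) -> None:
        self.allowed_users.setdefault((tid, printer), set()).add(user_oid)

    def submit(self, token: str, printer: str, document: str, now: int) -> str:
        c = verify_token(token, now)
        if c.get("kind") != "user":
            raise PermissionError("only users submit jobs")
        if c["oid"] not in self.allowed_users.get((c["tid"], printer), set()):
            raise PermissionError("user is not allowed on this printer share")
        shard = self.shards.setdefault((c["tid"], printer), [])
        job_id = f"{printer}-job{len(shard) + 1}"
        shard.append({"id": job_id, "owner": c["oid"], "doc": document})
        return job_id

    def fetch(self, token: str, printer: str, now: int) -> list:
        c = verify_token(token, now)
        if c.get("kind") != "printer" or c["oid"] != printer:
            raise PermissionError("a printer may only fetch jobs sent to it")
        return [j["id"] for j in self.shards.get((c["tid"], printer), [])]


def demo() -> dict:
    """Exercise the checks with constructed tenants, users and printers."""
    now = int(time.time())
    svc = PrintService()
    svc.grant("tenant-A", "printer-1", "alice")

    def tok(kind, tid, oid, life=MAX_LIFETIME):
        return mint_token({"kind": kind, "tid": tid, "oid": oid, "iat": now, "exp": now + life})

    alice, p1 = tok("user", "tenant-A", "alice"), tok("printer", "tenant-A", "printer-1")
    head, _, sig = p1.split(".")  # reuse printer-1's signature over rewritten claims
    forged_body = _b64u(json.dumps({"kind": "printer", "tid": "tenant-A", "oid": "printer-2",
                                    "iat": now, "exp": now + 60}).encode())
    out = {"submitted": svc.submit(alice, "printer-1", "q3-report.pdf", now),
           "printer_sees": svc.fetch(p1, "printer-1", now),
           # same printer id in another tenant resolves to that tenant's (empty) shard
           "cross_tenant": svc.fetch(tok("printer", "tenant-B", "printer-1"), "printer-1", now)}
    attempts = {
        "other_printer": lambda: svc.fetch(p1, "printer-2", now),
        "user_not_granted": lambda: svc.submit(tok("user", "tenant-A", "bob"), "printer-1", "x", now),
        "expired": lambda: svc.fetch(p1, "printer-1", now + MAX_LIFETIME),
        "over_long": lambda: svc.fetch(tok("printer", "tenant-A", "printer-1", 86400), "printer-1", now),
        "forged_claims": lambda: svc.fetch(f"{head}.{forged_body}.{sig}", "printer-2", now),
    }
    for name, call in attempts.items():
        try:
            call()
            out[name] = "allowed"
        except PermissionError as e:
            out[name] = f"denied: {e}"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:17} {v}")
```

The point of the model is the order of checks: signature and lifetime first, then the tenant is read from the verified token and used as part of the shard key, and only then is the printer or user compared against the resource it is asking for. A request that names a printer in another tenant, a printer that asks for a neighbour's jobs, a user without a grant on the share, and a token with forged claims or a lifetime longer than one hour are all refused before any data is touched.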
Certificate-Based Authentication: A Robust Security Measure
Certificate-based authentication is a proven method for verifying the identity of users, devices and applications. Because the credential is a private key bound to a digital certificate rather than a secret a person types, it removes the attack surface of password-based methods such as password theft and phishing, provided the private key stays protected on the device that holds it.
In the context of Universal Print, certificate-based authentication offers several key security benefits:
- Enhanced identity verification: Digital certificates provide a strong mechanism for confirming the identity of users and devices, ensuring that only legitimate print requests are processed.
- Seamless integration with Entra ID: Universal Print leverages Entra ID for certificate management, allowing IT administrators to easily provision and manage certificates within existing infrastructure.
- Improved compliance: By adhering to industry standards for authentication, organizations can demonstrate compliance with regulatory requirements and reduce the risk of data breaches.
By integrating certificate-based authentication, Universal Print reinforces its security posture and alleviates concerns associated with traditional authentication methods.
Universal Print Ready Printers
The list of Universal Print ready printers from major manufacturers is growing. These printers need no custom drivers, do not have to sit on the corporate intranet, and require no VPN, which gives organizations a more secure and efficient printing experience.
Secure Operations during development
The process for releasing updates to Universal Print enforces test gates that must pass before code can be checked in or a build deployed. Static analysis finds fundamental security and quality problems, and credential scans catch any secrets committed to the code. The API surface is then fuzzed (for Microsoft Graph API changes) before a Software Bill of Materials (SBOM) is generated to track every binary and library included in each build. Tools used:
- Azure DevOps ensures all builds complete the full pipeline
- Roslyn, BinSkim, PREfast and more are used for static analysis
- Unified Remote Scanning Architecture (URSA) is used for Fuzzing Graph endpoints that require an App Token
Leveraging Microsoft Learn Resources
For organizations looking to implement Universal Print, Microsoft Learn offers a wealth of resources to guide the adoption process. These resources include detailed tutorials, best practices, and hands-on learning modules that cover various aspects of Universal Print deployment and security.
Key Topics Covered by Microsoft Learn
- Introduction to Universal Print: Comprehensive overviews of the service’s capabilities and benefits, including setup and configuration guides.
- Security best practices: Instructional content on implementing zero trust and certificate-based authentication within Universal Print environments.
- Troubleshooting and optimization: Tips and solutions for common issues, as well as strategies for optimizing print performance and security.
- A simulation guide that lets admins try Universal Print hands-on.
By utilizing Microsoft Learn, IT professionals can ensure a smooth transition to Universal Print while maintaining a strong security foundation. For more information visit the Universal Print Tech Community and for feature asks visit the feature request site.
Universal Print has Simplified and Secured Print Management
Universal Print is a secure, cloud-based printing solution that adheres to Microsoft’s rigorous security principles and practices. It provides a robust and scalable platform for organizations to manage their printing needs securely and efficiently.
We’d love to hear about your experience with Universal Print. Your input really does guide our future investments. Please share your ideas and feature requests with us or start discussions in the Universal Print Tech Community.
About the Authors
Robert Cunningham serves as a Senior Product Marketing Manager, responsible for Windows AI and Cloud marketing. He has more than 30 years of experience in the technology industry, with a focus on enterprise and business-to-business marketing. Overall, he’s pretty awesome.
Issa Khoury serves as a Principal Program Manager Lead at Microsoft, where he drives innovation at the intersection of enterprise cloud services and customer-centric design. With more than two decades of experience spanning Software Engineering, Program Management, and Product Management, Issa brings deep technical and strategic expertise to everything he builds. Over his 24-year career at Microsoft, he has led initiatives across Windows, Office, and Azure, shaping key user experiences and delivering scalable solutions—including cloud-based print enablement for enterprise environments. He holds an MBA, a Master’s in Engineering, and is the inventor on 21 issued patents. A passionate technologist and business leader, Issa is relentlessly focused on turning bold ideas into real-world impact.