May 9, 2025

The rapid advancements in technology are reshaping the way organizations, including banks, insurers, investment firms, and other global financial services industry (FSI) firms, secure their businesses. Strong operational resilience and the ability to recover quickly from disruption or a cyberattack are more critical than ever, as infrastructure must respond to a complex and dynamic risk environment and an evolving regulatory landscape.
The financial services sector is experiencing increased regulatory oversight aimed at enhancing its stability, security, and resilience. On January 17, 2025, the European Union's Digital Operational Resilience Act (DORA) became applicable, introducing a unified framework for achieving a high level of digital operational resilience across the industry. Microsoft is committed to supporting digital resilience and cybersecurity in Europe, as was reinforced last week with the expansion of Microsoft’s European Digital Commitments.
Identity and Access Management (IAM) is a crucial element of operational resilience. By combining threat protection, response, and recoverability with extensive monitoring, automated rerouting, failover, and recovery capabilities, Microsoft Entra provides high availability and performance for our customers. This resilience is further strengthened by Microsoft’s comprehensive approach to security incident and vulnerability management, which helps organizations withstand and adapt to a wide range of threats and disruptions, including cyberattacks, IT failures, and other operational risks. These capabilities enable FSIs that follow effective IAM best practices and cybersecurity principles, including a Zero Trust security strategy, to protect their users and mission-critical business apps from identity threats using modern Microsoft Entra cloud-hosted services.
DORA compliance information for Microsoft Entra customers
As we have written previously, Microsoft has been helping customers in the financial industry meet the resiliency requirements of DORA. Microsoft provides built-in Information and Communications Technology (ICT) risk management capabilities across a broad range of Microsoft cloud and enterprise product offerings.
Recognizing the vital role of identity and access management in operational resilience and the industry’s need for support in navigating the complex requirements of DORA, Microsoft has published Microsoft Entra customer considerations under DORA on Microsoft Learn. This documentation explains to financial entities how Microsoft Entra ID can be configured and operationalized in a way that promotes effective IAM best practices as part of their DORA compliance obligations.
Regulated entities can incorporate Microsoft Entra capabilities into their frameworks, policies, and plans to align with specific requirements under DORA, offering several key benefits for organizations aiming to minimize their operational disruptions and comply with the regulation. These benefits include:
- Enhanced risk management: Microsoft Entra has built-in features that help organizations to establish a robust internal governance and control framework. This framework supports effective and prudent management of ICT risks, which is critical for mitigating the risks that DORA seeks to address.
- Operational resilience: Microsoft Entra’s geographically distributed architecture combines extensive monitoring, automated rerouting, failover, and recovery capabilities to deliver continuous high availability and performance. This helps financial entities build operational resilience into their identity and access management systems.
- Incident management, business continuity, and recovery: Microsoft Entra helps organizations detect, investigate, and remediate identity-based risks, plus offers recoverability best practices and incident response playbooks that organizations can operationalize in service of their DORA compliance obligations.
- Improved security: By incorporating Microsoft Entra controls, organizations can strengthen their security posture. Regularly evaluating these controls and other risk mitigations helps ensure that supported workloads, especially those integral to the delivery of financial services, remain secure.
Robust support for operational resilience from Microsoft Entra
Many Microsoft Entra capabilities can help support operational resilience, for customer workloads running in both the cloud and on-premises. Some of the features that we’ve mapped to DORA articles for customer consideration include:
- Passwordless credentials and multifactor authentication: Microsoft Entra ID includes strong authentication mechanisms, including phishing-resistant MFA methods such as Windows Hello for Business, passkeys (including FIDO2 security keys and device-bound passkeys in Microsoft Authenticator), and certificate-based authentication.
- Privileged Identity Management (PIM) enables organizations to manage, control, and monitor access to important resources. Time-based and approval-based role activation limits standing privilege and mitigates the risks of excessive, unnecessary, or misused access permissions, reducing the likelihood of misconfiguration and data loss.
- Microsoft Entra ID Protection helps financial entities to automatically detect, investigate, and remediate identity-based risks, for both human and workload identities. This can be achieved via native integration with Conditional Access in Microsoft Entra ID for automated remediation, and Security Information and Event Management (SIEM) tools such as Microsoft Sentinel for archiving, further investigation, and correlation.
- Microsoft Entra ID Governance automatically ensures that the right people have the right access to the right resources at the right time, across both cloud and on-premises resources. This is achieved through identity and access process automation, delegation to business groups, and increased visibility. Features include entitlement management, access reviews, lifecycle workflows and app provisioning, which enables automatic provisioning and lifecycle management of users in both SaaS and on-premises applications, including legacy apps that don’t support SCIM.
- The Microsoft Entra backup authentication system enables financial entities to increase authentication resilience if there’s an outage. Multiple backup services transparently and automatically handle authentications for supported applications and services if the primary Microsoft Entra service is unavailable or degraded. This backup system helps Microsoft keep our promise of a 99.99% service level availability for authentication.
- Continuous access evaluation (CAE) allows Microsoft Entra ID to issue longer-lived tokens while enabling resource providers to revoke access and force reauthentication only when a critical event (such as a user disable, password change, or network location change) occurs. The net result of this pattern is fewer calls to acquire tokens, which makes the end-to-end flow more resilient to an identity service disruption. Note that the benefit applies only to CAE-capable clients and resource providers; other tokens keep their normal lifetime.
- Microsoft Entra ID recoverability features including soft delete and Microsoft Graph APIs enable financial entities to regularly export the current state of supported Microsoft Entra ID configurations and recover from certain deletion and misconfiguration scenarios. Financial entities can incorporate these features into recovery procedures and ICT business continuity tests (or similar activities).
- Financial entities that require a hybrid authentication architecture can consider password hash synchronization (PHS), which enables users to continue to authenticate with Microsoft Entra ID in the event of an on-premises outage (for example, due to a ransomware attack), and also enables leaked credentials reporting. Customers using Pass-through Authentication (PTA) or federation can consider enabling PHS alongside their primary method for these benefits.
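Two of the capabilities above, phishing-resistant authentication strengths enforced through Conditional Access and the regular export of configuration state for recoverability, are easiest to operationalize as an offline check over an exported policy set. The script below is an added example and is not Microsoft's code or part of the original post. It assumes an export in the JSON shape returned by the Microsoft Graph v1.0 endpoint `/identity/conditionalAccess/policies`; the sample export, the policy names and the `emergency-access-1` account are constructed, while the authentication strength IDs are the documented built-in ones and the role template ID is the Global Administrator role. It flags policies that require only generic MFA rather than a phishing-resistant strength, policies that are not actually enforced, and drift between two snapshots.

```python
"""Offline audit of an exported Microsoft Entra Conditional Access policy set.

Added example, not Microsoft's code. Reads the JSON shape returned by
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies,
checks which policies enforce phishing-resistant MFA, and diffs two snapshots
so configuration drift shows up between scheduled exports.
"""
import json
from typing import Any, Dict, List

# Built-in authentication strength policy IDs (fixed across tenants).
MFA_STRENGTH = "00000000-0000-0000-0000-000000000002"
PASSWORDLESS_MFA_STRENGTH = "00000000-0000-0000-0000-000000000003"
PHISHING_RESISTANT_MFA_STRENGTH = "00000000-0000-0000-0000-000000000004"
GLOBAL_ADMIN_ROLE_TEMPLATE = "62e90394-69f5-4237-9190-012177145e10"


def _policy(pid: str, name: str, state: str, users: Dict[str, Any],
            grant: Dict[str, Any]) -> Dict[str, Any]:
    """Build one policy object in the Graph schema (constructed sample data)."""
    return {"id": pid, "displayName": name, "state": state,
            "conditions": {"users": users,
                           "applications": {"includeApplications": ["All"]}},
            "grantControls": grant}


# Constructed sample export, day 1. "emergency-access-1" is a placeholder
# object ID for a break-glass account.
SNAPSHOT_DAY1 = json.dumps({"value": [
    _policy("p1", "Admins require phishing-resistant MFA", "enabled",
            {"includeRoles": [GLOBAL_ADMIN_ROLE_TEMPLATE],
             "excludeUsers": ["emergency-access-1"]},
            {"operator": "OR", "builtInControls": [],
             "authenticationStrength": {"id": PHISHING_RESISTANT_MFA_STRENGTH}}),
    _policy("p2", "All users require MFA", "enabled",
            {"includeUsers": ["All"], "excludeUsers": ["emergency-access-1"]},
            {"operator": "OR", "builtInControls": ["mfa"]}),
    _policy("p3", "Block legacy authentication", "enabledForReportingButNotEnforced",
            {"includeUsers": ["All"]},
            {"operator": "OR", "builtInControls": ["block"]}),
]})

# Day 2 (constructed): p2 was switched off and p3 deleted without a change record.
_day2 = json.loads(SNAPSHOT_DAY1)
_day2["value"][1]["state"] = "disabled"
del _day2["value"][2]
SNAPSHOT_DAY2 = json.dumps(_day2)


def load_policies(export_json: str) -> Dict[str, Dict[str, Any]]:
    """Index exported policies by id so two snapshots can be compared."""
    return {p["id"]: p for p in json.loads(export_json)["value"]}


def requires_phishing_resistant(policy: Dict[str, Any]) -> bool:
    """True only when the grant control is the phishing-resistant strength.
    The plain 'mfa' built-in control also accepts SMS/voice, so it does not count."""
    strength = (policy.get("grantControls") or {}).get("authenticationStrength") or {}
    return strength.get("id") == PHISHING_RESISTANT_MFA_STRENGTH


def audit(policies: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return human-readable findings for the policy set."""
    findings: List[str] = []
    for p in policies.values():
        name = p["displayName"]
        grant = p.get("grantControls") or {}
        if p["state"] != "enabled":
            findings.append(f"{name}: state is '{p['state']}', so it is not enforced")
        if "mfa" in grant.get("builtInControls", []) and not requires_phishing_resistant(p):
            findings.append(f"{name}: requires MFA but not a phishing-resistant strength")
        users = p["conditions"]["users"]
        if "All" in users.get("includeUsers", []) and not users.get("excludeUsers"):
            findings.append(f"{name}: targets all users with no emergency-access exclusion")
    return findings


def diff_snapshots(old_json: str, new_json: str) -> Dict[str, List[str]]:
    """Report policies added, removed or changed between two exports."""
    old, new = load_policies(old_json), load_policies(new_json)

    def canon(p: Dict[str, Any]) -> str:
        return json.dumps(p, sort_keys=True)

    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(pid for pid in set(old) & set(new)
                          if canon(old[pid]) != canon(new[pid])),
    }


if __name__ == "__main__":
    for line in audit(load_policies(SNAPSHOT_DAY1)):
        print("finding:", line)
    print("drift:", diff_snapshots(SNAPSHOT_DAY1, SNAPSHOT_DAY2))
```

On the constructed day-1 export the audit reports three findings (the all-users policy accepts any MFA method, and the report-only legacy-auth block is neither enforced nor carries a break-glass exclusion), and the snapshot diff shows `p2` changed and `p3` removed. In practice the exports would be produced on a schedule by an automation identity with `Policy.Read.All`, stored immutably, and the diff reviewed as part of the ICT change-management and recovery testing the regulation calls for.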
Ultimately, we’re helping customers build systems that work even when the network doesn’t and protect mission-critical identity data and services.
Final Thoughts
As your organization embraces increasing digital transformation and AI advancements, the challenge of securing access for your workforce and customers to a myriad of apps and resources intensifies—as does the need to defend against increasingly sophisticated identity-based attacks, build operational resilience, and comply with best practices and regulations.
Financial services organizations that need to comply with DORA or any organization that wants to meet stronger resilience requirements can follow these guidelines to help protect critical data. For more information, explore Microsoft Entra customer considerations under DORA or contact a representative to learn how Microsoft Entra can support digital operational resilience efforts.
DORA guidance and resources from Microsoft:
- What is DORA? – DORA | Microsoft Learn
- Navigating DORA resilience with Microsoft: Operational resilience in Action | An E-book from Microsoft
- Microsoft Entra customer considerations under DORA – DORA | Microsoft Learn
- Microsoft Contract Stack Mapping Document for the EU Digital Operational Resilience Act (DORA) – DORA | Microsoft Learn
- Microsoft Product to DORA Regulation Mapping – Guide for Customers
More Microsoft Entra resiliency resources:
- Learn more about Microsoft Entra architecture, including extensive monitoring, automated rerouting, failover, and recovery capabilities.
- Get technical guidance on building resilience into identity and access management with Microsoft Entra ID.
- Read how improvements to monitoring systems in Microsoft Entra help enhance tenant health and observability.
- Learn more about Microsoft Entra commitment to transparency and resilience.