May 19, 2026
Microsoft, RSA Make Identity Security Push in the Age of AI

The recent RSA Conference, a globally recognized nexus for cybersecurity innovation and discourse, served as the backdrop for two pivotal announcements from industry giants Microsoft and RSA. Both unveilings underscored a critical and evolving imperative for organizations: the urgent need for a more flexible, unified, and robust approach to identity security, particularly as artificial intelligence (AI) agents increasingly integrate into and operate alongside human workforces. These developments signal a proactive adaptation to the shifting digital landscape, where the traditional perimeter has dissolved, and identity has become the new control plane, further complicated by the burgeoning presence of autonomous AI entities.

Microsoft leveraged the high-profile platform of the conference to declare the general availability of its external multi-factor authentication (MFA) support within Microsoft Entra ID. This move significantly broadens the interoperability and reach of Microsoft’s identity platform. Concurrently, RSA Security unveiled an expanded strategic partnership with Microsoft, a collaboration meticulously designed to secure what it has termed the "AI workforce." This partnership aims to extend sophisticated identity governance and access management capabilities to the rapidly growing ecosystem of AI agents operating within enterprise environments.

The RSA Conference: A Bellwether for Cybersecurity Trends

Held annually, typically in San Francisco, the RSA Conference is an unparalleled gathering of cybersecurity professionals, thought leaders, vendors, and government agencies. It serves as a vital forum for discussing emerging threats, showcasing cutting-edge technologies, and setting the agenda for the future of digital security. Announcements made at RSA often reflect the industry’s most pressing concerns and future directions. This year, the pervasive theme of AI’s impact on cybersecurity—both as a threat and a defensive tool—was front and center, making the identity security pushes by Microsoft and RSA particularly timely and resonant. The conference environment allowed for immediate peer review and industry feedback, underscoring the perceived urgency of these solutions.

Microsoft, RSA Make Identity Security Push in the Age of AI -- Campus Technology

Microsoft Entra External MFA Achieves General Availability: Enhancing Interoperability and Choice

A cornerstone announcement from Microsoft at this year’s RSA Conference was the general availability of its external MFA feature within Microsoft Entra ID. This capability, previously in preview, represents a significant leap forward in enterprise identity management. As detailed in a company blog post coinciding with the announcement, the feature empowers organizations to seamlessly integrate third-party MFA providers directly into their Entra ID infrastructure. Crucially, this can be achieved without necessitating a complete overhaul of their existing authentication systems or compromising the granular control offered by Microsoft’s Conditional Access policies.

The strategic importance of this development cannot be overstated for large enterprises. Many organizations, especially those operating across diverse regulatory landscapes, engaging in frequent mergers and acquisitions, or utilizing highly specialized legacy systems, have made substantial investments in non-Microsoft MFA solutions. These solutions might be mandated by specific industry regulations (e.g., PCI DSS for financial data, HIPAA for healthcare, various national data privacy acts), tailored for unique operational requirements, or simply represent a long-standing IT infrastructure choice. Previously, integrating these external MFA solutions with Microsoft’s identity ecosystem often involved complex workarounds or required enterprises to forgo the advanced security features of Entra ID.

Built upon the widely adopted OpenID Connect (OIDC) standard, Microsoft’s external MFA capability fosters an open and interoperable environment. OIDC, an authentication layer atop OAuth 2.0, allows clients to verify the identity of the end-user based on the authentication performed by an authorization server. This adherence to an open standard ensures broader compatibility and reduces vendor lock-in. For IT teams, the integration is designed for simplicity: external MFA operates within the same administrative console as Microsoft’s native MFA methods, providing a coveted "single pane of glass" experience for comprehensive authentication management. This consolidated view simplifies policy enforcement, auditing, and troubleshooting, reducing operational overhead.

Security remains paramount, and Microsoft has confirmed that sign-ins utilizing external MFA still undergo a full policy evaluation, including real-time risk assessments. This means that an organization’s Conditional Access policies—which allow administrators to enforce specific access requirements based on factors like user group, location, device compliance, and application—remain fully functional. Administrators retain the flexibility to align authentication prompts with specific business objectives through configurable sign-in frequency and session controls. However, Microsoft also issued a crucial caution, informed by its extensive telemetry and security research: overly aggressive reauthentication policies can inadvertently increase phishing risk. Users conditioned to approve frequent, sometimes unnecessary, prompts may develop "MFA fatigue," leading them to approve malicious prompts without proper scrutiny. This insight underscores the delicate balance between security enforcement and user experience.


Microsoft’s long-standing research has consistently highlighted the transformative impact of MFA adoption. The company’s data, drawn from billions of authentication events, unequivocally demonstrates that implementing MFA reduces the risk of account compromise by more than 99%. The external MFA feature is a direct extension of this commitment, broadening that critical layer of protection to organizations whose authentication stacks exist outside or alongside Microsoft’s native ecosystem, thereby elevating the overall security posture across the digital economy.

RSA Security’s Proactive Stance: Securing the AI Workforce

In a complementary yet equally forward-looking announcement, RSA Security unveiled its strategy to secure the burgeoning "AI workforce" through an expanded partnership with Microsoft. This initiative is tightly integrated with Microsoft’s newly introduced Microsoft 365 E7: The Frontier Suite. This comprehensive suite bundles Microsoft 365 productivity tools, the AI-powered Microsoft Copilot, essential Entra identity services, and Agent 365—a governance platform specifically designed for AI agents. RSA is positioning its ID Plus for Microsoft offering as the crucial identity trust layer that sits atop this powerful new platform.

The core premise behind RSA’s initiative is straightforward but carries profound implications for enterprise security: as AI agents increasingly take on autonomous roles, executing automated workflows, accessing sensitive corporate data, and operating with privileged access within enterprise systems, traditional identity governance frameworks that focus solely on human users become woefully inadequate. The emergence of agentic AI—AI systems capable of independent decision-making and action—introduces a new class of digital identities that demand the same, if not greater, scrutiny and control as their human counterparts.

Supporting this urgent need, research has already shown a dramatic shift in the identity landscape: non-human identities, encompassing service accounts, APIs, bots, IoT devices, and now AI agents, already outnumber human users by a staggering factor of 17 to 1. This imbalance is only set to grow exponentially with the widespread adoption of generative AI and autonomous agents. Industry analysts like Gartner reinforce this trajectory, predicting that by 2028, a significant 33% of enterprise applications will incorporate agentic AI capabilities, a monumental leap from less than 1% in 2024. This rapid proliferation necessitates a paradigm shift in how organizations perceive and manage identities.


RSA’s identity trust layer for the Microsoft 365 E7 suite is designed to address this complex challenge across three critical dimensions:

  1. High-Assurance, Phishing-Resistant Authentication for Human Users: While the focus is on AI, securing human access remains foundational. RSA provides robust authentication methods that are resistant to phishing attacks, ensuring that human users accessing the E7 suite and interacting with AI agents are properly verified.
  2. Risk Intelligence for Contextual Access: The solution incorporates advanced risk intelligence capabilities that continuously evaluate contextual signals associated with access attempts. This enables the platform to flag suspicious access patterns or deviations from normal behavior, whether originating from a human user or an AI agent, providing real-time threat detection and adaptive access controls.
  3. Secure Access Controls for Privileged AI Operations: As AI agents assume more autonomous and often privileged tasks, managing their access permissions becomes paramount. RSA’s framework establishes granular, secure access controls for these privileged operations, ensuring that AI agents only have the necessary permissions to perform their designated functions, adhering to the principle of least privilege. This mitigates the risk of a compromised AI agent being exploited for widespread unauthorized access.

Further demonstrating the synergy between the two companies’ announcements, RSA Security confirmed its availability as an external MFA provider through Microsoft Entra’s newly generally available framework. This means organizations already utilizing RSA authentication solutions can deploy them directly within their Entra configurations, leveraging the new external MFA integration. This offers a streamlined path for enterprises to unify their identity strategies, integrating their existing RSA investments within the broader Microsoft ecosystem.

Broader Industry Context and Implications for IT Professionals

These dual announcements signify a maturing understanding within the cybersecurity industry regarding the evolving nature of digital identity and the profound impact of AI. The shift from a perimeter-based security model to an identity-centric, Zero Trust architecture has been ongoing for years. Zero Trust, with its core tenet of "never trust, always verify," requires that all users, devices, and applications are continuously authenticated, authorized, and validated before being granted access to resources, regardless of their location. The moves by Microsoft and RSA align perfectly with this philosophy, extending its principles to a new class of digital actors: AI agents.

For IT professionals and security administrators, these developments carry significant implications and necessitate strategic planning:

  • Migration from Custom Controls: Microsoft’s deprecation of the older Custom Controls approach in favor of the new Entra external MFA framework, with a deadline of September 2026, means that organizations currently relying on Custom Controls must begin planning their migration immediately. The new GA feature offers a cleaner, more standardized, and likely more secure migration path, reducing technical debt and improving future interoperability.
  • Proactive AI Security Planning: The RSA-Microsoft E7 integration story is inherently forward-looking. While AI agents as full-fledged enterprise workers are still an emerging model, their rapid adoption rate demands proactive engagement from identity teams. Waiting until AI agents are deeply embedded within critical business processes to implement governance and security controls would expose organizations to significant, unmitigated risks. The need for consistent identity controls for AI agents, mirroring those applied to human users, will become a core IT challenge in the immediate term. This includes defining AI agent identities, managing their credentials, auditing their actions, and enforcing access policies.
  • Strategic Investment and Skill Development: Organizations will need to assess their current identity infrastructure and consider strategic investments in unified identity platforms that can accommodate both human and non-human identities. Furthermore, IT professionals will need to develop new skills in AI governance, machine identity management, and advanced risk intelligence to effectively manage and secure these emerging AI workforces. Understanding the nuances of OIDC, Conditional Access, and how to integrate diverse authentication providers will be critical.
  • Regulatory Compliance in the AI Era: As AI systems become more autonomous and handle sensitive data, new regulatory frameworks are likely to emerge, or existing ones will be adapted to address AI-specific risks. Having a robust and flexible identity governance framework, like those offered by Microsoft and RSA, will be crucial for maintaining compliance and demonstrating accountability.
  • Bridging the Gap Between IT and AI Development: The integration of AI agents into enterprise workflows necessitates closer collaboration between traditional IT and security teams and AI development teams. Identity professionals will need to work with AI developers to ensure that security is baked into the design of AI agents from the outset, rather than being an afterthought.

In conclusion, the announcements from Microsoft and RSA at the recent RSA Conference are not merely product updates; they represent a strategic response to the seismic shifts occurring in the cybersecurity landscape. By championing flexible, unified, and comprehensive identity security solutions, these industry leaders are equipping organizations with the tools necessary to navigate the complexities of a world increasingly driven by AI, ensuring that security and trust remain foundational pillars of digital transformation. The era of the AI workforce has arrived, and securing its identities is paramount to unlocking its potential safely and responsibly.
