Two of the most significant authentication announcements to emerge from the recent RSA Conference in San Francisco both underscored a critical, converging theme: the imperative for organizations to adopt a more flexible and unified approach to identity security, particularly as artificial intelligence (AI) agents increasingly operate alongside and interact with human workers within enterprise ecosystems. These developments signal a strategic pivot in cybersecurity, recognizing identity as the new perimeter in an era defined by distributed workforces, hybrid cloud environments, and the rapid proliferation of intelligent automation.
The RSA Conference, held annually, serves as a pivotal gathering for the global cybersecurity community, often acting as a barometer for the industry’s evolving priorities and a launchpad for groundbreaking technologies and partnerships. Its 2024 iteration, themed "The Art of Possible," heavily featured discussions around AI’s dual nature – both a potent tool for defense and a sophisticated weapon for attackers – making identity security for AI a paramount concern. Against this backdrop, two major players, Microsoft and RSA Security, unveiled initiatives designed to fortify identity frameworks for this complex future. Microsoft announced the general availability of its external multi-factor authentication (MFA) support within Microsoft Entra ID, while RSA Security revealed an expanded partnership with Microsoft specifically geared towards securing what it terms the "AI workforce."
Microsoft’s Strategic Move: Entra External MFA Hits General Availability
Microsoft’s declaration that its external MFA feature is now generally available (GA) in Microsoft Entra ID marks a significant milestone for enterprises grappling with diverse authentication infrastructures. The capability allows organizations to seamlessly integrate third-party MFA providers directly into their Entra ID environments without necessitating a complete overhaul of their existing authentication investments or compromising the robust security policies offered by Microsoft’s Conditional Access framework. This move addresses a long-standing challenge for many large enterprises, particularly those with complex IT landscapes, stringent regulatory requirements, or a history of mergers and acquisitions that have resulted in disparate security solutions.
Unpacking General Availability and Architectural Flexibility
The shift to general availability means the feature is production-ready, supported, and recommended for broad deployment. Prior to this, organizations often relied on less integrated or more cumbersome methods to incorporate external MFA solutions, such as the now-deprecated Custom Controls approach. The new external MFA functionality is built on the OpenID Connect (OIDC) standard, a modern authentication protocol that provides a flexible and secure way for applications to verify the identity of end-users based on the authentication performed by an authorization server. By embracing OIDC, Microsoft ensures broad compatibility with a wide array of existing third-party MFA solutions, from hardware tokens and biometrics to specialized software authenticators.
This architectural flexibility is critical for organizations that have made substantial investments in niche MFA solutions designed to meet specific compliance mandates, operate across highly segmented network environments, or cater to unique operational security needs where Microsoft’s native MFA options might not have been a perfect fit. For IT teams, the immediate benefit is the ability to manage all authentication methods – both Microsoft’s native offerings and integrated third-party solutions – from a single administrative console within Entra ID. This "single pane of glass" approach dramatically simplifies identity management, reduces operational overhead, and enhances visibility across the entire authentication landscape.

The Power of Conditional Access and Risk Assessment
A core strength of Microsoft’s identity platform lies in its Conditional Access policies, which allow administrators to define granular access controls based on real-time signals such as user risk, device state, location, application sensitivity, and more. Crucially, sign-ins utilizing external MFA still pass through this full policy evaluation, including Microsoft’s sophisticated real-time risk assessment engines. This ensures that even when an external MFA provider verifies a user’s identity, the access request is still subject to the same level of scrutiny and adaptive security policies as a native Entra ID authentication.
Administrators retain the power to align authentication prompts with specific business objectives through sign-in frequency and session controls. However, Microsoft’s announcement also included a critical caution: overly aggressive reauthentication policies, while seemingly increasing security, can paradoxically heighten phishing risk. Users who are conditioned to approve frequent, sometimes unnecessary, authentication prompts may become desensitized and less able to distinguish legitimate requests from malicious ones, making them more susceptible to phishing attacks that mimic genuine MFA challenges. This highlights the delicate balance between security friction and user experience, a persistent challenge in modern cybersecurity.
The Data Behind MFA Efficacy
Microsoft’s extensive research into account compromise consistently underscores the transformative impact of MFA. The company’s data has repeatedly demonstrated that MFA reduces the risk of account compromise by more than 99%. This compelling statistic has driven Microsoft’s broader push for widespread MFA adoption across its entire ecosystem. The external MFA feature extends this crucial layer of protection to organizations whose authentication stack previously sat outside Microsoft’s native ecosystem, effectively broadening the reach of this highly effective security measure and contributing to a more resilient global digital infrastructure.
Navigating the Transition: Deprecation of Custom Controls
For IT professionals managing hybrid environments with legacy MFA investments, the GA of Entra external MFA opens a cleaner, more streamlined migration path compared to the previous Custom Controls approach it replaces. Microsoft has set a deprecation deadline of September 2026 for Custom Controls, meaning organizations currently relying on this method must plan their transition to the new OIDC-based external MFA integration. This timeline creates an urgent imperative for IT departments to assess their current authentication infrastructure, identify dependencies on Custom Controls, and begin strategizing their migration to the more modern and secure external MFA framework. Proactive planning is essential to avoid potential service disruptions and maintain a robust security posture.
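As a starting point for that assessment, the following added example (not Microsoft's or RSA's code) scans an exported set of Conditional Access policies for dependencies on Custom Controls and for the aggressive sign-in frequency settings cautioned against earlier. It assumes the export follows the Microsoft Graph `conditionalAccessPolicy` shape; the sample policies and the 8-hour review threshold are constructed for illustration.

```python
import json

# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy
# objects (GET /identity/conditionalAccess/policies); not real tenant data.
SAMPLE_EXPORT = json.loads("""
{"value": [
  {"displayName": "Legacy third-party MFA", "state": "enabled",
   "grantControls": {"builtInControls": [],
                     "customAuthenticationFactors": ["ExampleVendorMfa"]},
   "sessionControls": null},
  {"displayName": "Admins hourly reauth", "state": "enabled",
   "grantControls": {"builtInControls": ["mfa"],
                     "customAuthenticationFactors": []},
   "sessionControls": {"signInFrequency": {"isEnabled": true,
       "type": "hours", "value": 1, "frequencyInterval": "timeBased"}}},
  {"displayName": "Baseline MFA", "state": "enabled",
   "grantControls": {"builtInControls": ["mfa"]},
   "sessionControls": {"signInFrequency": {"isEnabled": true,
       "type": "days", "value": 7, "frequencyInterval": "timeBased"}}},
  {"displayName": "Old pilot", "state": "disabled",
   "grantControls": null, "sessionControls": null}
]}
""")

MIN_REAUTH_HOURS = 8  # hypothetical review threshold, not a Microsoft value

def audit_policies(export, min_hours=MIN_REAUTH_HOURS):
    """Return (custom_control_policies, frequent_reauth_policies)."""
    custom, frequent = [], []
    for policy in export.get("value", []):
        name = policy.get("displayName", "<unnamed>")
        grant = policy.get("grantControls") or {}
        if grant.get("customAuthenticationFactors"):
            # Policy relies on the Custom Controls mechanism being deprecated.
            custom.append((name, policy.get("state")))
        sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
        if not sif.get("isEnabled"):
            continue
        if sif.get("frequencyInterval") == "everyTime":
            frequent.append((name, "every sign-in"))
        elif sif.get("value") is not None:
            hours = sif["value"] * (24 if sif.get("type") == "days" else 1)
            if hours < min_hours:
                frequent.append((name, f"{hours}h"))
    return custom, frequent


if __name__ == "__main__":
    print(audit_policies(SAMPLE_EXPORT))
```

Policies in the first list need a migration plan before the September 2026 deadline; those in the second are candidates for a review of whether the prompt frequency is justified.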

RSA Security’s Vision: Securing the Autonomous AI Workforce
In parallel with Microsoft’s authentication advancements, RSA Security unveiled a significant expansion of its partnership with Microsoft, centered on securing what it provocatively yet presciently calls the "AI workforce." This initiative directly addresses the rapidly emerging paradigm where AI agents and intelligent automation increasingly act as autonomous entities within enterprise systems, executing workflows, accessing sensitive data, and performing operations traditionally reserved for human employees.
Introducing the AI Workforce Paradigm
The concept of an "AI workforce" is no longer futuristic speculation but an accelerating reality. These are not merely passive tools but active agents – intelligent bots, automated processes, large language model (LLM) powered assistants, and robotic process automation (RPA) systems – that require their own identities, permissions, and security controls. As these AI agents take on more sophisticated and privileged roles, their identities become critical attack vectors if not properly managed and secured. RSA’s announcement reflects a proactive stance on this evolving threat landscape.
The Microsoft 365 E7 Frontier Suite Integration
RSA Security’s new focus is specifically tied to Microsoft’s recently launched Microsoft 365 E7: The Frontier Suite. This comprehensive suite bundles Microsoft 365 productivity tools, the advanced AI capabilities of Microsoft Copilot, essential Entra identity services, and Agent 365 – a dedicated governance platform designed for managing AI agents. RSA is strategically positioning its ID Plus for Microsoft offering as the essential "identity trust layer" that sits atop this foundational platform. This integration aims to provide a unified and robust security framework for both human and non-human identities operating within the M365 E7 ecosystem.
RSA ID Plus: A Comprehensive Identity Trust Layer
The core pitch from RSA is straightforward but increasingly urgent: as AI agents begin executing automated workflows, accessing sensitive data, and operating with privileged access inside enterprise systems, identity governance cannot, and must not, stop at human users. RSA’s identity trust layer for the E7 suite is designed to cover three critical areas:

- High-Assurance, Phishing-Resistant Authentication for Human Users: This foundational element ensures that human access to the M365 E7 suite and associated resources is secured with the strongest possible authentication methods, resistant to common attack vectors like phishing.
- Risk Intelligence for Contextual Evaluation: RSA’s platform incorporates advanced risk intelligence capabilities that continuously evaluate contextual signals surrounding access attempts. This allows for real-time flagging of suspicious activities, whether originating from human users or AI agents, enabling adaptive security responses.
- Secure Access Controls for Privileged AI Operations: This is arguably the most forward-looking aspect. As AI agents increasingly take on autonomous and privileged tasks, RSA provides robust access controls to govern their operations, ensuring that AI agents only access the data and perform the actions they are authorized to, minimizing the blast radius in case of compromise.

Further cementing its collaboration with Microsoft, RSA also confirmed its availability as an external MFA provider through Microsoft Entra’s newly GA’d framework. This means organizations can directly deploy RSA authentication solutions via the external MFA integration within their Entra configurations, offering another layer of choice and flexibility for enterprises seeking high-assurance authentication.
The Escalating Challenge of Non-Human Identities
The urgency behind RSA’s initiative is underscored by alarming statistics. Research has consistently shown that non-human identities – encompassing everything from application programming interfaces (APIs), microservices, and IoT devices to the burgeoning category of AI agents – already outnumber human users by a significant margin, often cited as a factor of 17:1 or more. This vast and rapidly expanding landscape of non-human entities represents a substantial and often overlooked attack surface. The security frameworks traditionally designed for human users are ill-equipped to manage the unique authentication, authorization, and governance requirements of autonomous AI agents, making dedicated solutions like RSA’s increasingly vital.
The Broader Implications for Identity-First Security
These twin announcements from Microsoft and RSA, delivered at the heart of the cybersecurity calendar, signify a profound shift in how enterprises must approach identity security. They align perfectly with the overarching principles of Zero Trust, a security model that dictates "never trust, always verify" for every access request, regardless of whether it originates inside or outside the network perimeter. In a Zero Trust architecture, identity becomes the primary control plane, and securing every identity – human, machine, and now AI – is paramount.
Zero Trust and the Converging Identity Landscape
The move towards external MFA in Entra ID reinforces Microsoft’s commitment to providing a flexible and extensible Zero Trust platform. By allowing organizations to leverage their existing MFA investments within Entra’s Conditional Access framework, Microsoft acknowledges the reality of complex enterprise environments while pushing for higher security standards. This flexibility is crucial for organizations striving to implement comprehensive Zero Trust policies without ripping and replacing established security tools.
Simultaneously, RSA’s focus on the "AI workforce" anticipates the next frontier of Zero Trust. If every human user must be verified, so too must every AI agent. The governance of these non-human identities, their permissions, and their behavior will become a core pillar of Zero Trust strategies in the coming years. This requires a fundamental shift in thinking for IT and security teams, moving beyond traditional user management to encompass the full spectrum of digital entities interacting with enterprise resources.

Strategic Imperatives for IT Leaders
For IT professionals and security leaders, these developments present both opportunities and challenges. The immediate imperative is to capitalize on the cleaner migration path offered by Entra external MFA, especially given the September 2026 deprecation deadline for Custom Controls. This involves a strategic review of current authentication stacks, a careful migration plan, and leveraging the enhanced flexibility to strengthen overall MFA adoption.
Looking ahead, the integration story around AI agents and the Microsoft 365 E7 suite is more forward-looking but no less urgent. While AI agents as enterprise workers are still an emerging model, their proliferation is accelerating rapidly. Gartner has predicted that 33% of enterprise applications will include agentic AI by 2028, a dramatic increase from less than 1% in 2024. This rapid adoption trajectory means that identity teams would be wise to get ahead of the curve. Developing security frameworks to govern these agents, including consistent identity controls that mirror what is already applied to human users, is poised to become a core IT challenge in the very near term. This includes defining roles and permissions for AI agents, monitoring their activities for anomalous behavior, and ensuring robust audit trails.
The Future of Identity: Human, Machine, and AI
The announcements from Microsoft and RSA at the RSA Conference 2024 collectively paint a picture of an evolving identity landscape where the boundaries between human and non-human entities are blurring, and where identity truly forms the bedrock of enterprise security. The ability to manage, authenticate, and govern all identities – whether a human logging into a productivity suite, an IoT device transmitting sensor data, or an AI agent autonomously executing a complex business process – under a unified, flexible, and intelligent framework will define the resilience of organizations in the age of AI. The strategic partnerships and technological advancements showcased highlight an industry grappling with, and proactively responding to, the profound implications of this new digital reality.




