In a sweeping security reset, Microsoft says it has moved all token-signing keys tied to Microsoft Accounts and Entra ID into secure environments, aiming to block the attack technique used in a damaging nation-state hack. As part of what it’s calling the largest cybersecurity engineering project in history, the tech giant has placed those keys inside hardware security modules (HSMs) or Azure confidential virtual machines—both of which now include automatic key rotation to stop future breaches before they start.
This major upgrade is a core piece of Microsoft’s broader Secure Future Initiative (SFI), which was launched in late 2023 after a major security lapse and damning criticism from U.S. federal agencies. Just 18 months later, Microsoft’s security head Charlie Bell says the company is closing in on real progress. Out of 28 key objectives under SFI, five are nearly complete, and 11 more have already made what Bell calls “significant progress.”
One of the most urgent fixes? Hardening identity and access infrastructure. More than 90% of Microsoft’s internal productivity accounts now use phishing-resistant multi-factor authentication. And 90% of first-party identity tokens are being validated through a newly reinforced SDK designed to withstand modern attack methods.
Bell also confirmed that Microsoft’s Red Team assessments directly informed several of these upgrades. The Microsoft Account (MSA) signing service has already moved to Azure confidential VMs, with the Entra ID signing service not far behind. These transitions are designed to neutralize the very tactics used in a breach attributed to a Chinese advanced persistent threat (APT) actor.
That now-infamous attack stemmed from a compromised crash dump. The dump, stolen from a Microsoft engineer’s corporate account in 2021, contained an MSA consumer key. With that key, the attackers forged authentication tokens and gained unauthorized access to Outlook.com and OWA inboxes.
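The defensive counterpart to that attack is a token validator that trusts only the currently published signing keys and nothing else. The block below is an added illustration, not Microsoft's code: it uses a simplified HMAC-signed token in place of the RSA-signed MSA/Entra tokens, and the key IDs, issuer and audience values are constructed for the demo. It shows why rotation matters: once a key is retired from the set, any token it signed (including one forged with a copy of the key) is rejected.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key set standing in for HSM-held signing keys.
# Only keys present here are trusted; rotation removes retired ones.
ACTIVE_KEYS = {
    "kid-2025-05": b"constructed-secret-A",
    "kid-2025-04": b"constructed-secret-B",
}
ISSUER = "https://issuer.example"   # hypothetical issuer
AUDIENCE = "mail-demo"              # hypothetical audience (e.g. a mailbox API)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Issue header.payload.signature (HS256 stand-in for the real RSA scheme)."""
    header = {"alg": "HS256", "kid": kid}
    body = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)

def validate_token(token: str, keys: dict = ACTIVE_KEYS, now=None) -> tuple:
    """Return (ok, reason). Rejects unknown/retired kid, bad sig, wrong iss/aud, expiry."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64(h))
        claims = json.loads(_unb64(p))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"
    kid = header.get("kid")
    if header.get("alg") != "HS256" or kid not in keys:
        return False, "unknown or retired signing key"   # leaked/old key lands here
    expected = hmac.new(keys[kid], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        return False, "bad signature"
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return False, "wrong issuer or audience"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired"
    return True, "ok"

def rotate_out(keys: dict, kid: str) -> dict:
    """Automatic rotation step: drop a key so tokens it signed stop validating."""
    return {k: v for k, v in keys.items() if k != kid}
```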
In a bold move to tighten its cloud perimeter, Microsoft has also purged 6.3 million inactive Azure tenants. According to Bell, this step was critical to protect the platform’s multi-tenant infrastructure and minimize lateral movement across accounts. Meanwhile, 88% of active Azure resources have been migrated to Azure Resource Manager, allowing for stricter policy enforcement. Additionally, Microsoft segmented 4.4 million managed identities, locking them to specific network locations for authentication—a clear bid to reduce exposure to malicious traffic.
Launched in November 2023, the Secure Future Initiative promised faster patching cycles, more secure software development practices, and a stronger default security posture across Microsoft’s cloud offerings. These recent updates show tangible progress—but challenges remain.
Critics still question Microsoft’s cloud vulnerability disclosure process, pointing to slow or incomplete patch rollouts and a surge in zero-day exploits targeting Windows systems. While Microsoft continues to lead the enterprise cloud sector, it’s under growing pressure to rebuild trust after repeated high-profile lapses.
With this cybersecurity overhaul, Microsoft is betting on layered defenses, stronger identity protection, and a rebuilt cloud architecture to prevent future breaches. But with nation-state actors growing more sophisticated, the true test may come sooner than expected.