In a significant security enhancement following last year’s high-profile Storm-0558 breach, Microsoft has completed the migration of its Microsoft Account (MSA) signing service to Azure confidential VMs.
This development, detailed in Microsoft’s April 2025 Secure Future Initiative (SFI) progress report, represents a critical defense upgrade that provides additional hardware-based isolation between token signing processes and the underlying hosts.
The migration comes as part of Microsoft’s ongoing response to the 2023 Storm-0558 attack, where threat actors were suspected of compromising token signing processes.
According to the report, Microsoft has implemented multiple layers of defense-in-depth protections for both Microsoft Entra ID and Microsoft Account (MSA) token signing keys.
“We have applied new defense-in-depth protections, migrated the Microsoft Account (MSA) signing service to run on Azure confidential VMs, and we are migrating the Entra ID signing service to Azure confidential VMs,” states the report, highlighting that these improvements “help mitigate the attack vectors that we suspected the actor used in the 2023 Storm-0558 attack on Microsoft”.
Validation Through Rigorous Testing
To ensure the effectiveness of these security enhancements, Microsoft conducted thorough Red Team research and response drills. These assessments validated that their improved auditing telemetry and reduced key validity periods significantly enhanced the company’s ability to investigate potential attacks.
The report notes that “this research has also informed our detection strategies and provided insights into how we can defend against more sophisticated attacks,” demonstrating Microsoft’s proactive approach to security testing.
The migration is a component of Microsoft’s Secure Future Initiative (SFI), described as “the largest cybersecurity engineering project in history” with investments equivalent to “34,000 engineers working full-time for 11 months”.

The initiative focuses on six engineering pillars, with “Protect identities and secrets” being particularly relevant to the MSA signing service migration. Under this pillar, Microsoft aims to protect cryptographic signing keys through hardware storage and protection with rapid, automatic rotation.
Beyond the MSA signing service migration, Microsoft reports significant progress in related security areas:
- 90% of identity tokens from Microsoft Entra ID for Microsoft apps are now validated using one standardized implementation.
- 92% of employee productivity accounts use phishing-resistant multifactor authentication (MFA).
- 100% of production system accounts utilize phishing-resistant MFA.
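The controls named above (reduced signing-key validity periods, rapid key rotation, a single standardized token-validation implementation, and the auditing telemetry that supports investigation) can be seen together in a small verifier. The following is an added illustration written for this page, not Microsoft's or Entra ID's code; it uses HMAC from the Python standard library in place of the asymmetric signing a real token service uses, and every key, secret and token in it is constructed. The point it makes is that a token whose signature is cryptographically valid is still rejected when it was issued outside its key's validity window or by a revoked key, and that every decision leaves an audit record keyed by `kid` that a responder can later query.

```python
"""Constructed example: one shared validation path, signing keys with explicit
validity windows, revocation, and an audit trail. Not Microsoft's code."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class SigningKey:
    kid: str
    secret: bytes      # HMAC stands in for an asymmetric private key here
    not_before: int    # epoch seconds: key may sign from here ...
    not_after: int     # ... until here; tokens issued outside are rejected
    revoked: bool = False


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(key: SigningKey, claims: dict, now: int, ttl: int = 600) -> str:
    """Issue a compact JWS-style token: header.payload.signature."""
    header = {"alg": "HS256", "kid": key.kid}
    payload = {**claims, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key.secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, keyring: dict, now: int, audit: list) -> dict:
    """The single validation path every relying party calls. Returns
    {"ok", "reason", "claims"} and appends one audit record per decision."""
    def reject(reason, kid=None):
        audit.append({"ts": now, "kid": kid, "result": reason})
        return {"ok": False, "reason": reason, "claims": None}

    parts = token.split(".")
    if len(parts) != 3:
        return reject("malformed")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except (ValueError, json.JSONDecodeError):
        return reject("malformed")
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return reject("malformed")
    if header.get("alg") != "HS256":            # strict allowlist, no "none"
        return reject("bad_alg", header.get("kid"))
    key = keyring.get(header.get("kid"))
    if key is None:
        return reject("unknown_kid", header.get("kid"))
    if key.revoked:
        return reject("revoked_key", key.kid)
    expected = hmac.new(key.secret, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return reject("bad_signature", key.kid)
    # Short key validity window: a valid signature from a key that was not
    # allowed to sign at issuance time is still rejected, so a leaked key is
    # only usable for the remainder of its window.
    iat = payload.get("iat")
    if not isinstance(iat, int) or not (key.not_before <= iat <= key.not_after):
        return reject("key_outside_validity", key.kid)
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return reject("token_expired", key.kid)
    audit.append({"ts": now, "kid": key.kid, "result": "ok"})
    return {"ok": True, "reason": "ok", "claims": payload}


def demo() -> dict:
    """Run the verifier over constructed keys and tokens; returns each outcome."""
    now = 1_700_000_000
    keyring = {
        "k-current": SigningKey("k-current", b"constructed-secret-1", now - 3600, now + 3600),
        "k-retired": SigningKey("k-retired", b"constructed-secret-2", now - 86400, now - 7200),
        "k-revoked": SigningKey("k-revoked", b"constructed-secret-3", now - 3600, now + 3600, True),
    }
    audit = []
    good = sign_token(keyring["k-current"], {"sub": "alice"}, now)
    stale = sign_token(keyring["k-retired"], {"sub": "alice"}, now)   # retired key still signs
    revoked = sign_token(keyring["k-revoked"], {"sub": "alice"}, now)
    h, p, s = good.split(".")                                          # rewrite the subject claim
    forged = json.loads(_b64url_decode(p)); forged["sub"] = "mallory"
    tampered = h + "." + _b64url(json.dumps(forged, separators=(",", ":")).encode()) + "." + s
    return {
        "good": validate_token(good, keyring, now, audit),
        "stale_key": validate_token(stale, keyring, now, audit),
        "revoked": validate_token(revoked, keyring, now, audit),
        "tampered": validate_token(tampered, keyring, now, audit),
        "expired": validate_token(good, keyring, now + 601, audit),
        "audit": audit,
    }


if __name__ == "__main__":
    for name, res in demo().items():
        print(name, res if name == "audit" else res["reason"])
```

Because all relying parties go through `validate_token`, a change to the validity-window or revocation policy takes effect everywhere at once, and the audit list gives the per-`kid` timeline an investigation would need.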
This move represents a significant step in Microsoft’s efforts to strengthen its security posture following several high-profile security incidents.
The company is also working on preparing its identity and public key infrastructure systems for a post-quantum cryptography world, having added support for quantum-resistant algorithms in the Windows core cryptographic function library.
Microsoft is now in the process of migrating the Entra ID signing service to Azure confidential VMs as well, further enhancing the security of its identity infrastructure.
Additionally, the company is partitioning foundational key systems in the Entra infrastructure to isolate datacenter management layers from Azure regional services, so that a compromised key cannot be used to traverse into higher-privilege layers.
These ongoing security enhancements underscore Microsoft’s commitment to what they describe as “security above all else” as they continue to address vulnerabilities revealed by past breaches and prepare for future security challenges.