Microsoft Entra GA Adds WAF, Bot Defense Integrations

Introduction: why this matters

Identity attacks increasingly target the entire user journey—sign-up, sign-in, and recovery—not just authentication itself. Microsoft Entra’s new GA partner integrations are notable because they combine stronger controls with faster adoption: admins can discover, purchase, and deploy select partner solutions directly in the Entra portal (and via the Microsoft Security Store) without the traditional friction of custom integrations, long implementation cycles, or bespoke contracts.

What’s new (GA): integrated partner solutions for identity security

Microsoft Entra now offers in-product integrations that add layered protections across key identity touchpoints:

1) Edge-level WAF protection for authentication endpoints

• Partners: Cloudflare and Akamai
• Scenario: Protect external-facing authentication endpoints from DDoS, OWASP Top 10 risks, and malicious bots.
• Architecture (layered): Traffic flows through Cloudflare/Akamai WAF → Azure Front Door → Microsoft Entra External ID tenant.
• Value: Blocks threats earlier (at the edge), reducing load and risk before requests reach identity infrastructure.

2) Fraud prevention during sign-up (CIAM)

• Partners: Arkose Labs and HUMAN Security
• Scenario: Add risk-based screening and adaptive challenges into Microsoft Entra External ID sign-up flows.
• Value: Increases resistance to automated account creation and fraud while aiming to minimize friction for legitimate users.

3) Stronger account recovery and secure access using government ID verification

• Partners: Au10tix, IDEMIA, and TrueCredential (LexisNexis)
• Scenario: Replace weaker recovery methods (for example, security questions) with government ID document verification and privacy-protecting face biometrics for Entra ID account recovery.
• Extension: The same verification flow can be used for Access Packages, enabling higher-assurance requests to sensitive resources.
• Follow-on benefit: Users can register passkeys after verification to reduce future lockouts.

Impact for IT administrators and end users

For admins:

• Faster onboarding and configuration for partner protections directly within the Entra experience.
• More consistent defense-in-depth across CIAM and workforce identity scenarios, with clearer placement of controls (edge WAF, sign-up protection, recovery assurance).
• Centralized acquisition and deployment via the Microsoft Security Store, reducing procurement and integration overhead.

For end users:

• Better protection from account takeover and fraudulent sign-ups, with fewer disruptive incidents.
• Higher-assurance recovery options that can be more secure than legacy recovery methods.

Action items / next steps

1. Review your identity perimeter: Identify which apps/tenants use Microsoft Entra External ID and which endpoints are exposed.
2. Pilot edge protection: Evaluate Cloudflare/Akamai WAF in front of External ID entry points (especially for high-volume public apps).
3. Harden sign-up flows: For CIAM scenarios, test Arkose Labs or HUMAN integrations to reduce bot-driven registrations.
4. Modernize recovery: Assess whether government ID verification is appropriate for your regulatory, privacy, and user populations; plan comms and support.
5. Operationalize: Update incident runbooks and monitoring to include edge/WAF and fraud signals alongside Entra sign-in logs.

Reference docs (from Microsoft): Cloudflare/Akamai WAF setup, Arkose/HUMAN fraud protection integrations, and Entra ID account recovery guidance.