Securing our future: April 2025 progress report on Microsoft’s Secure Future Initiative

The Microsoft Secure Future Initiative (SFI) stands as the largest cybersecurity engineering project in history and the most extensive effort of its kind at Microsoft. Since inception, we’ve dedicated the equivalent of 34,000 engineers working full-time for 11 months to mitigate risks and address the highest-priority security tasks. Now, we are sharing the second SFI progress report, which highlights progress made in our multi-year journey to improve the security posture of Microsoft, our customers, and the industry at large.
We have made progress across culture and governance by fostering a security-first mindset in every employee and investing in holistic governance structures to address cybersecurity risk across our enterprise.
To better protect our customers, engineering teams across the company are delivering innovation aligned with our security principles, such as the new Secure by Design UX Toolkit which we tested with 20 product teams, rolled out to 22,000 employees, and shared publicly. This toolkit embeds security best practices into product development and is already delivering results. It includes best practices, conversation cards, and workshop tools to help teams build security capability, pinpoint vulnerabilities in products, and prioritize where to focus.
We have also made progress in every engineering pillar and objective, continuously hardening our identity security, reducing the risk of lateral movement across networks and tenants, improving our ability to detect and respond to cyberthreats, and partnering with the industry to protect customers from zero days. Insights and learnings from this progress inform ongoing innovations in our Microsoft Security portfolio—Microsoft Entra, Microsoft Defender, and Microsoft Purview—that helps better protect customers and Microsoft.
To better protect signing keys, in September 2024 we announced that we had moved Entra ID and Microsoft Account (MSA) access token signing keys to hardware-based security modules (HSMs) and virtualization-based security in Windows, with automatic rotation. Since then, we’ve applied new defense-in-depth protections in response to our Red Team research and assessments, migrated the MSA signing service to Azure confidential VMs, and are migrating the Entra ID signing service to the same. Each of these improvements helps mitigate the attack vectors that we suspect the actor used in the 2023 Storm-0558 attack on Microsoft.
We have also improved our ability to detect and respond to cyberthreats, adding more than 200 additional detections against top tactics, techniques, and procedures (TTPs), which will be integrated into Microsoft Defender where applicable. By partnering with the security research community, we proactively discovered 180 vulnerabilities in the high-impact areas of cloud and AI, and we expanded the program that addresses vulnerabilities within a reduced time to mitigate so that it covers more products, environments, and lower severities.
Key highlights from the full SFI progress report can be found below:
Secure by Design, Default, and in Operations
In this report, you’ll find examples of how we’re building in protections from the start, aligned with our security principles:
- The new Secure by Design UX Toolkit, tested by 20 product teams, rolled out to 22,000 employees, and also released in a publicly available version, is helping teams build more secure, user-centered experiences.
- The launch of 11 new innovations across Microsoft Azure, Microsoft 365, Windows, and Microsoft Security that help improve security by default.
- AI development processes that now include dedicated security and safety reviews led by the Artificial Generative Intelligence Safety and Security Organization.
- Applying secure operations practices across our AI systems, as outlined in our Responsible AI Transparency Report.
- New policies, behavioral-based detection models, and investigation methods that thwarted $4 billion in fraud attempts.
These advances help protect our customers and Microsoft.
Security-first mindset, company-wide
Security starts with people. In the past year, we’ve activated a security-first culture across every corner of the company, from engineering to operations to customer support.
- Every Microsoft employee now has a Security Core Priority tied directly to performance reviews.
- 50,000 employees have participated in the Microsoft Security Academy to improve their security skills.
- 99% of employees have completed our Security Foundations and Trust Code courses.
This shift isn’t about compliance; it’s about empowerment. We want every person at Microsoft to understand their role in keeping our customers safe and to have the tools to act on that responsibility.
Stronger governance to manage enterprise-wide risk
In May 2024, we introduced a new governance structure to improve risk visibility and accountability. Since then, we’ve deepened our investment:
- We’ve appointed a Deputy Chief Information Security Officer (CISO) for Business Applications, and consolidated responsibility for Microsoft 365 and Experiences and Devices.
- All 14 Deputy CISOs across Microsoft have completed a risk inventory and prioritization, creating a shared view of enterprise-wide security risk.
This kind of structure is critical for scale, ensuring security isn’t just centralized, but embedded throughout the organization.
Driving measurable progress across all pillars
We continue to make progress in every pillar and objective. Out of 28 objectives, five are nearing completion, 11 have made significant progress, and we continue to make progress against the rest. As a result of SFI, our platforms and services are more secure, and we have improved our ability to detect and respond to cyberthreats.
1. Protect identities and secrets: We have improved identity security for Microsoft services and customers
- New defense-in-depth protections for Microsoft Entra ID and Microsoft Account (MSA) token signing keys already stored in hardware-based security modules. The Microsoft Account (MSA) signing service has been migrated to Azure confidential VMs.
- 90% of identity tokens from Microsoft Entra ID for Microsoft apps are validated by one consistent and hardened identity Software Development Kit (SDK).
- To mitigate risk from advanced cyberattacks, 92% of employee productivity accounts now use phishing-resistant multifactor authentication (MFA).
2. Protect tenants and isolate production systems: We continue to remove legacy and unused resources, and increase isolation, to reduce the risk of lateral movement
- We transitioned more than 88% of resources to Azure Resource Manager, removed a total of 6.3 million tenants (an additional 550,000 since September), and all new tenants are now automatically registered in our security emergency response system.
- We use an automated lifecycle management solution for all Microsoft Entra ID applications in the production environment.
- Authentication to 4.4 million production environment managed identities is now restricted to specific network locations, further protecting these critical assets.
3. Protect networks: Progress made against all objectives has improved the security of our network and delivered new innovations to help customers protect their networks
- More than 99% of network assets have been inventoried and use enhanced security standards.
- We continue to add additional layers of defense in depth by applying network isolation and segmentation to our network.
- We introduced four new security capabilities to help customers secure their networks: Network Security Perimeter (NSP), DNS Security Extensions (DNSSEC), Azure Bastion Premium, and a private subnet feature.
4. Protect engineering systems: We have improved the security of systems we use to build, test, and deploy code
- 99.2% of pipelines have a complete inventory, which is enforced at creation and validated within 24 hours.
- MFA protects 81% of production code branches through proof-of-presence checks.
- Broad adoption of Central Feed Services, which helps to provide developers with a governed open-source feed.
5. Monitor and detect threats: To improve our ability to investigate and respond to cyberthreats
- We track 97% of our production infrastructure assets centrally.
- Engineering teams continue to adopt our security logging standard, including the two-year minimum retention policy.
- We added more than 200 additional detections against top tactics, techniques, and procedures (TTPs). Applicable detections will be integrated into Microsoft Defender.
6. Accelerate response and remediation: We are addressing more vulnerabilities, more quickly, and continue to improve security-related customer communications
- 73% success rate addressing cloud vulnerabilities in our reduced time to mitigate, with significantly expanded program scope.
- As part of Zero Day Quest, researchers identified 180 new vulnerabilities in the high-impact areas of cloud and AI, enabling us to address them proactively.
- We introduced new processes and playbooks to improve security incident communications to customers.
A future of secure innovation
Progress in cybersecurity is never linear. Cyberthreats evolve. Technology shifts. New risks emerge. But every step we take to secure our platforms is an investment in a safer future, for Microsoft, our customers, and the entire ecosystem.
SFI is how we’re rising to that challenge. We are applying Zero Trust principles, driving security from the engineering core, and sharing what we learn. There is more work ahead and we are committed to the journey.
We also know that security is a team sport. It takes collaboration across customers, partners, and the broader industry to move forward together. As part of our commitment to the broader ecosystem, we’re proud to continue to support initiatives like the CISA Secure by Design pledge, reinforcing our belief that security is the foundation of trust.
Thank you for your trust—and your partnership. Let’s keep building a secure future together.
Learn more with Microsoft Security
To learn more about Microsoft Security solutions and Microsoft’s Secure Future Initiative, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.