Matt Suiche of Magnet Forensics talks about top security threats for organizations and strategies for effective incident response.
Azure Active Directory (Azure AD) is becoming Microsoft Entra ID. Learn more.
Today’s post was written by Sue Bohn, partner director of Program Management and Ben Byford and Gerald Corson, senior directors of Identity and Access Management at Walmart.
I’m Sue Bohn, partner director of Program Management at Microsoft. I’m an insatiable, lifelong learner and I lead the Customer & Partner Success team for the Identity Division. I’m jazzed to introduce the “Voice of the Customer” blog series. In this series, the best of our customers will present their deployment stories to help you learn how you can get the most out of Azure Active Directory (Azure AD). Today we’ll hear from Walmart. I love the convenience of Walmart; where else can you buy tires, socks, and orange juice in one trip?
Walmart teamed up with Microsoft to digitally transform its operations, empower associates with easy-to-use technology, and make shopping faster and easier for millions of customers around the world. But this strategic partnership didn’t just happen overnight. In the beginning, Walmart’s cybersecurity team was skeptical about the security of the public cloud and Azure AD. Ben Byford and Gerald Corson, senior directors of Identity and Access Management at Walmart, share their team’s journey working with Microsoft to embrace the cloud with Azure AD:
Working closely with our Microsoft account team convinced us we could safely write back to on-premises and enable password hash synch
In the beginning, we were willing to feed to the cloud but at that time not comfortable allowing the syncing of passwords to the cloud or write back to on-premises from cloud. We were skeptical of the security controls. We involved Microsoft in the strategy and planning phases of our initiatives and made slow but steady progress. As we worked with the Microsoft team, representatives were eager to get any and all feedback and to provide it to their product groups. This led to our critical Azure AD enhancement requests being received and solutions were delivered. When we ran into bugs, we were able to troubleshoot issues with the very people who wrote the application code. Our Microsoft account team was right there with us, in the trenches, and they were committed to making sure we were confident in Azure AD’s capabilities. Over time, as we learned more about Azure AD and the new security features we were enabling, our trust in Microsoft’s Azure AD security capabilities grew and many of our security concerns were alleviated.
Given our scale, validating and verifying the security capabilities of Azure AD was key to empowering our users while still protecting the enterprise. Walmart currently has over 2.5 million Azure AD users enrolled, and with that many users we need very granular controls to adequately protect our assets. The entire team, including Microsoft, rolled up our sleeves to figure out how to make it work, and together we’ve enabled several features that let us apply custom security policies. Azure Information Protection (AIP), an amazing solution that is only possible with Azure AD, allows us to classify and label documents and emails to better protect our data. Azure AD Privileged Identity Management (PIM) gives us more visibility and control over admins. Azure AD dynamic groups lets us automatically enable app access to our users. This is a huge time saver in an environment with over half a million groups. With all of the work we did with Microsoft and our internal security team, we were able to turn on the two features we previously did not think we would be able to—password hash synch and write back from cloud to on-premises. This was critical to our journey as we had never allowed a cloud solution to feed back into our core environment in this manner.
Driving down help desk calls with self-service password reset
One example that shows how much we trust the security of Azure AD and the cloud is self-service password reset (SSPR). The biggest driver of help desk calls at Walmart is people who get locked out of their accounts because of a forgotten password. It wastes a tremendous amount of our help desk’s time and frustrates associates who lose time sitting on the phone. We believed that letting users reset their passwords and unlock their accounts without help desk involvement would go a long way and improve productivity, but we had always been nervous about giving people who weren’t on Walmart PCs that kind of access. Another hurdle was ensuring that our hourly associates were only able to utilize this service while they were clocked in for work. Microsoft helped us solve this with the implementation of custom controls.
Our Microsoft team supported us the entire way, and we’re proud to say that SSPR is being rolled out. When we started this journey, we would never have believed that we would allow people to reset their passwords from a public interface, but here we are, and the user experience is great!
Engage Microsoft early
If there is one thing we would have done differently, it would be to engage Microsoft at a deeper level earlier on in the process. Our public cloud adoption didn’t really take off until we brought them in and spent time with their backend product engineering teams. Microsoft’s commitment to improving security and the cloud is clear. Their work to safeguard data has continuously improved, and while we work closer with them, they also continue to incorporate our feedback into future feature releases. It is the relationship that has allowed us to securely implement Azure AD at our scale.
We look forward to sharing our next big success: implementation of Azure AD B2B.
Voice of the Customer: looking ahead
Many thanks to Ben and Gerald for sharing their journey from on-premises to Azure AD. Our customers have told us how valuable it is to learn from their peers. The Voice of the Customer blog series is designed to share our customers’ security and implementation insights more broadly. Bookmark the Microsoft Secure blog so you don’t miss part 2 in this series. Our next customer will speak to how Azure AD and implementing cloud Identity and Access Management makes them more secure.