Hello! I’m Sue Bohn, Microsoft Vice President of Program Management for Identity and Network Access. In today’s Voice of the Customer blog post, Chief Technology Officer and Chief Information Security Officer David Swits of MVP Health Care shares how Microsoft Azure Active Directory B2C, part of Microsoft Entra, helped the organization modernize and simplify portal authentication.
MVP Health Care modernizes and simplifies the way members gain access to health plan information
As both Chief Technology Officer and the Chief Information Security Officer at MVP Health Care, I believe you must design your technology solutions with security as the foundation and then overlay the functionality. When building online portals to be accessible to four groups—individual members, employers, healthcare providers, and brokers—MVP Health Care prioritized security as much as ease of use and the user experience (UX). After all, stolen healthcare data is highly prized by cybercriminals, and we have a duty to protect members’ information.
MVP Health Care is a regional, not-for-profit health plan with 700,000 members and 1,700 employees in New York and Vermont. When I joined in 2018, the company was eight to nine years behind on technology. Our objective was to embark on digital transformation so the company could more easily and efficiently serve our constituents. As a Microsoft-first organization, that meant turning to Microsoft technology as we reinvented our infrastructure and replaced our traditional authentication methods with Azure Active Directory (Azure AD) External Identities for B2C user journeys.
The technology running previous portals was antiquated and cumbersome
Comparing healthcare plans can be confusing. We knew we had data that could make it easier. To do that, our portals needed to cut through complexity and deliver the right content for each constituent group.
The old portals—fueled by the IBM WebSphere Application Server—were cumbersome to use and support. MVP Health Care developers sometimes had to go through the back-end to fix an account. No back-end identity process existed to authenticate people who needed to access a portal, so anyone could create an identity for anyone.
Partner Edgile becomes an extension of MVP Health Care’s team
We considered augmenting what we already had with biometrics features, but those plugins didn’t mesh well with our infrastructure. In 2018, we brought on Edgile as a partner and shared our Zero Trust security approach—assuming breach and giving people the least privileged access possible. With extensive knowledge of Azure AD B2C, Edgile designed the identity infrastructure around the new portal and trained our team on best practices.
Edgile built B2C custom policies with user flows, such as seamless single sign-on and self-service password reset. Single sign-on lets people access all their apps after signing in once, while self-service password reset enables people to unlock or reset their passwords without the help desk. To preserve the user accounts from MVP’s previous identity provider, Edgile designed a migration path for users to move to Azure AD B2C the first time they signed in.
“Edgile teamed up really well with MVP Health Care expertise in identity management including external identity management. We started first with a strategy that was followed by a successful quickstart/proof of concept that led to the broader implementation.”—Tarun Vazirani, Edgile Account Partner
Custom policies help create user journeys
MVP Health Care leveraged the custom policies, which are configuration files that define the behavior of MVP’s Azure AD B2C tenant user experience. While user flows are predefined in the Azure AD B2C portal for the most common identity tasks, a custom policy can be edited by an identity developer to be fully configurable and policy-driven. It orchestrates trust between entities in standard protocols, including OpenID Connect, OAuth, and SAML, and a few non-standard ones like REST API–based system-to-system claims exchanges. The framework creates user-friendly, white-labeled experiences to:
- Federate with other identity providers.
- Address first- and third-party multifactor authentication challenges.
- Collect user input.
- Integrate with external systems using REST API communication.
Each user journey is defined by a policy. One can build as many or as few policies as required for the best user experience.
Figure 1: Microsoft’s identity experience framework.
A more unified and streamlined customer experience
Three portals have launched—with the provider portal expected to go live soon. Members appreciate the simpler, modern way they access their portal.
We now have modern authentication that integrates with modern technology. We can easily connect to Google, Facebook, and other verification methods. The experience is familiar for MVP Health Care’s constituents because it’s the same as the graphical interface they see elsewhere.
Together, all the features of Azure AD add huge value. Azure AD multifactor authentication and Conditional Access support Zero Trust’s baseline security. We’re audited on how well we protect confidential information. Multifactor authentication requires identity verification, such as entering a code sent to a phone. Conditional Access policies are if-then statements for how someone gains access.
On launch day, I tested the capabilities of Azure AD B2C and the new portals. I’ll never forget that feeling of knowing we’d chosen our technology wisely. It was slick. It was effective. It was fast. And it’s been an incredible asset for our organization ever since.
Voice of the Customer: Looking ahead
Many thanks to David for sharing MVP Health Care’s story. Our customers have told us how valuable it is to learn from their peers. The Voice of the Customer blog series is designed to share our customers’ security and implementation insights more broadly. Bookmark the Microsoft Security blog so you don’t miss the next in this series!
To learn more about Microsoft Security solutions visit our website. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.