Professional services firm Grant Thornton knew that finance insights from Microsoft Power BI could prove valuable to its customers. The question was how to give them secure access to its customer portal and also make sure those insights were tailored to a client’s sector and particular interests. The firm implemented Azure Active Directory B2C, part of Microsoft Entra, and wrote user policies that enabled it to offer that secure access. In the process, the firm gave employees beyond the IT team the ability to administer client access.
“With the addition of Azure Active Directory B2C, we have a really sound platform now that customers accept in terms of the identity management and how we’re asking them to connect with us. It gives us a huge amount of opportunity.”
Greg Swift, Chief Information Officer, Grant Thornton UK LLP
Giving customers easy access to information is a key component of delivering a positive user experience. Grant Thornton wanted to provide customers with access to financial insights on a customer portal, but that meant exposing internal apps, Microsoft Power BI, and file shares. Like many other organizations, Grant Thornton struggled with the big question of how to let outsiders access its internal data securely and cautiously, exposing only the data these customers need and protecting the data they shouldn’t access. The answer? Azure Active Directory B2C (Azure AD B2C).
Grant Thornton is a leading professional services firm in London. It employs 5,000 people and offers a broad spectrum of audit, tax, and advisory services. The firm, part of the seventh-largest accounting network in the world, centers itself on the strength of the relationships it creates and the high levels of trust its customers place in it, according to Chief Information Officer Greg Swift, who is responsible for IT services at Grant Thornton UK.
“Security is important for a number of reasons. One of them is that to be trusted as an advisor to our customers, we must be able to protect their data,” Swift says. “As an industry-regulated business, we have legal obligations around the security of data. We also have a responsibility to our IT supply chain and service providers that we rely on to protect our customers’ data. The reality is that a security breach will be remembered in the market for a very long time. It would impact our ability to do business, win new work, and recruit quality people.”
Cloud-first commitment requires shoring up customer portal
In 2012, Grant Thornton implemented a cloud-first strategy, beginning with the adoption of a human capital management solution. Since then, the company has moved to more cloud services, such as Microsoft 365 E3 security solutions and Microsoft 365. That has included migrating from on-premises to online apps and from Skype to Microsoft Teams. Most of its applications, such as those for resourcing, are in the cloud.
“It’s been a very successful journey,” Swift says. “In the UK, when the prime minister stood up in March 2020 and said, ‘From tomorrow, everybody works from home,’ I can say, hand on heart, that we didn’t make any changes. We could not have done that without being a cloud-first business and without being well advanced in our implementation to the cloud.”
Driven by both business strategy and digital strategy, Grant Thornton moved to provide more data access to its customers. In fact, that was part of the strategy in moving to the cloud. One goal was to easily share Microsoft Power BI with customers via the portal. Power BI is a collection of software services, apps, and connectors that turn data into visually compelling analytics.
Grant Thornton knew that customers could make more informed financial decisions if they could see their finances transformed into easy-to-understand charts or see sector news. But that made authentication a top priority, not only to comply with security standards like ISO 27001 but also to make sure the portal served up the most relevant information for each client. “We can provide sector insights to them, for instance, without them asking for it, but we need to know who they are before we can provide that proactive information,” Swift explains.
“Grant Thornton’s vision was to create a secure, engaging, modern, easy-to-use, personalized experience for our customers and our people,” Swift says. “Before giving access to customers, we needed to secure our customer portal at both the application level and at the platform level, and that means that we needed to have granular permissions capability.”
Azure AD B2C helps secure client access to Power BI
Portal access had to be secure to protect customers’ personal information. Grant Thornton’s options were to buy a third-party solution for identity authentication off the shelf or investigate the capabilities of Microsoft technologies, specifically the identity authentication capabilities of Azure AD B2C.
“In terms of our portal, we spent a long time trying to find the right fix,” Swift says. “There were many possibilities in the market. After talking with Microsoft about our options, we started the journey with publishing Power BI reports and discussing how we could achieve published embedded Power BI. That carried us down the route to Azure Active Directory B2C.”
Given its previous investments in Microsoft technologies, Grant Thornton determined that Azure AD B2C was the right choice. In early 2020, it began enabling customers to access cloud applications on a “very controlled basis,” Swift says.
With Azure AD B2C user policies, Grant Thornton was able to build a customized experience for customers, including letting them change their passwords. The high security of Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra, impressed the entire team, according to Senior Infrastructure Manager Tom Gilbert, who focuses on providing technology services to the firm’s people.
“With Microsoft technology, security is baked into solutions as a starting point,” Gilbert says. “With Azure Active Directory B2C, you start off highly secure and then there are things that you might need to turn off when you’re developing. We get a good feeling from that.”
Azure AD B2C “seamlessly running along” after implementation
One of the biggest benefits from choosing Azure AD and Azure AD B2C has been the ease of its interoperability with the technology that Grant Thornton was already using. The firm didn’t have to completely swap out what it already had in place, according to Gilbert.
“There’s definitely time saved with Azure Active Directory B2C. We’re already within the world of Microsoft,” Gilbert explains. “Putting a cost on learning and plugging into another solution—and all of that effort—becomes a big project, whereas implementing Azure AD hasn’t been that difficult. It didn’t involve ripping up what we already had. Azure AD was seamlessly running along after we implemented it, without great effort and without completely restructuring the way we manage our identities internally.”
The ease of implementation was especially important because of the size of Grant Thornton’s IT team and the skill set that would have been required to implement a third-party solution.
“Grant Thornton in the UK is a business of 5,000 people, but we haven’t got a huge team,” Swift says. “If I’ve got to have specialists and cover for specialists for other technologies, that really does impact on my ROI and it increases my risk.”
The adoption of Azure AD B2C has come with a realization
“One thing we’ve learned about managing identities with Azure Active Directory B2C is the importance of being able to give other employees the ability to manage those identities, so it isn’t just about IT doing that,” Gilbert says. “We’ve got an increasing number of customers using the portal to view Power BI content. IT doesn’t want to be the bottleneck in administering access, so we appreciate being able to say, ‘You are an administrator. You look after your customers, their credentials, and their permissioning.’”
In fact, Grant Thornton assigned two types of administrator roles: a “super administrator” with control of all customers and sources, and a user admin, who could control only their customers, according to Cloud App Assistant Manager Jaspreet Singh. The permissions are set at different levels so that even less technical people can confidently handle the appropriate administration duties.
Certain Azure AD B2C features have been especially useful. Azure AD multifactor authentication and Conditional Access are among them. With Azure AD B2C, Grant Thornton has a user flow that dictates user policies.
“One group, for example, relates to accounting only so we have put the user into the accounting group, and if somebody just logs into that under that group, they will be prompted for multifactor authentication and Conditional Access rules aligned to that group,” Singh says. “We have enabled it through Azure Active Directory B2C user flow policies.”
Grant Thornton looks forward to future feature additions
While satisfied with how Azure AD B2C has improved the client experience, Grant Thornton UK, which uses Azure AD internally, plans to add features to enhance it even more. For example, the firm had been using a third-party tool for password resets but planned to implement self-service password reset in late 2021. Gilbert says the feature has two benefits: saving the service desk significant time on password resets and empowering people to reset their own passwords.
“Self-service password reset for Azure AD is going to be a bit of a game-changer for us, such as after the holidays, when many people forget their password,” Gilbert says. “It’s all about ensuring no interruption to people using technology to provide services to our customers. That is going to be a big thing that we’re pushing over the next two months or so.”
Grant Thornton plans to further customize the user experience by enabling social login as part of the portal experience for customers. And it wants to continue to improve the user experience for customers by increasing the digital channels that enable the firm to connect with customers and customers to connect with the firm.
“This is just the beginning, but we know we can go forward with confidence now and make available third-party applications that we might subscribe to or applications that we develop ourselves,” Swift says. “With the addition of Azure Active Directory B2C, we have a really sound platform now that customers accept in terms of the identity management and how we’re asking them to connect with us. It gives us a huge amount of opportunity.”