October 10, 2024

cellcentric secures assignment of administrative privileges with Microsoft Entra Verified ID and Microsoft Entra entitlement management

cellcentric is responsible for all activities along the entire value chain for fuel cell systems. The company needed a solution that could help maintain its security posture by ensuring the identities of its authorized and privileged users.

The company chose Microsoft Entra Verified ID and Microsoft Entra entitlement management to provide automatic additional security factors that protect the permissions and data of privileged users in its Entra ID tenant.

The new solution is much faster than the previous manual process and easier to use because it is built on services that are native to Microsoft Entra ID and Azure. cellcentric is now the first customer to use the integration of Microsoft Entra Verified ID and Microsoft Entra entitlement management in production.

Visions of sustainability

cellcentric is on a mission to become the world’s leading manufacturer of fuel cell technology. The German-based company is a 50:50 joint venture between Daimler Truck AG and the Volvo Group specializing in fuel cells for heavy-duty, long-haul commercial vehicles and other application areas across the entire value chain for fuel cell systems. Its capabilities range from development through production, marketing and sales, and include applications outside of vehicle use cases. Fuel cells convert the chemical energy of a fuel and an oxidizing agent into electricity, producing significantly lower or zero emissions compared to combustion engines. The company aims to help the world become climate-neutral and adopt more sustainable vehicles by 2050.

Protecting critical data

The core cellcentric IT team is based in both Germany and Canada and works in close collaboration with internal and external partners to implement its core Azure infrastructure, Microsoft 365, and cloud-only Microsoft Entra ID environments. The company’s data comprises everything from production data on product quality, suppliers, customers, finances, and inventory, to engineering data on machines, analytics, and time series. Only a small number of employees and partners have access to the company’s data, and an even smaller number has access to the highest-privileged roles within its environment.

Previously, cellcentric used Microsoft Entra ID Privileged Identity Management (PIM) for role elevation and managed privileged user accounts manually as part of its joiner/mover/leaver (JML) process. The main reason for this approach was that managing accounts holding critical Microsoft Entra ID roles, such as Global Administrator or Privileged Role Administrator, would require any provisioning service to hold very high permissions in Microsoft Entra ID itself. If such a third-party system were compromised, the tenant would be endangered with it. At the same time, the manual process carried its own risk: a former employee in a highly privileged role who retained access to the company’s tenant could compromise or even shut down the entire company. As a cloud-only customer that manages its identities natively in Microsoft Entra ID, cellcentric did not want to take either risk. Christian Lang, IT Architect at cellcentric, emphasized, “We had a manual process for deactivating privileged accounts and manual processes are more error prone than automated processes. It’s hard to keep privileged accounts up to date, especially if someone leaves the company or their role has changed.”

The company wanted to improve efficiency and its security posture around privileged accounts in its Microsoft Entra ID tenant by relying more on automation, without granting any tool the highest privileges in the tenant. “The company is protective over its critical privileged roles, and we wanted to be able to limit access to them very quickly,” says Christoph Dörr, Product Owner for IT Backend & Cloud at cellcentric. The company needed a solution that could maintain its security posture by ensuring that privileged accounts have access only at the time they need it. It also needed a JML process whose executing system does not itself hold the highest permissions in the tenant, since such a system would otherwise become a single point of compromise for the tenant.

Fast and automated security factors

cellcentric created a solution using Microsoft Entra Verified ID, a managed verifiable credential service, and Microsoft Entra entitlement management, an identity governance feature that lets organizations manage the identity and access lifecycle at scale by automating access request workflows, access assignments, reviews, and expiration. From the privileged user’s perspective, the process starts in Microsoft Entra entitlement management with a request for eligibility for a privileged role in Microsoft Entra ID. Eligibility in this scenario means the privileged account is provisioned into an application role on the issuer application that corresponds to the directory role. For each directory role there is therefore both an eligibility access package and an app role defined on the issuance application, and the issuance application offers credential issuance for every directory role the signed-in user is eligible for. The user signs in to the issuance application with their privileged account and selects the role they need. The Verifiable Credential (VC) issuance process for that credential definition then starts, and the user receives a VC for the requested role. Before issuance starts, automatic checks confirm that the user still has an active primary account in the tenant. The cellcentric process for issuing Privileged Admin Credentials is shown in Figure 1.

With the VC, the user visits the My Access portal to activate the role by requesting a role activation access package and presenting the previously issued VC. Once the request succeeds, the privileged account is provisioned into a role-assignable group that is permanently assigned the directory role; the account itself never holds a standing role assignment. The access package assignment is valid for eight hours, after which the administrator must request access again, presenting the same VC.
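The two-stage design above (eligibility package and app role, credential issuance gated on an active primary account, then time-boxed activation on presentation of the credential) is modelled below as an added example. It is constructed for this page and is not cellcentric’s or Microsoft’s code: Verified ID issuance and presentation are stood in for by an HMAC-signed token, the tenant by in-memory dictionaries, and the naming convention `adm-<primary account>` for privileged accounts is an assumption, as is re-checking eligibility at activation time. What it shows is the property the story is built on: the issuance app holds only a signing key and app roles, the activation policy only adds group membership with an eight-hour expiry, and neither a disabled primary account nor a tampered credential yields a role.

```python
"""Constructed model of the flow described above: eligibility package ->
credential issuance -> presentation -> time-boxed role activation.
Not cellcentric's or Microsoft's code; Verified ID is stood in for by an
HMAC-signed token and the tenant by in-memory dicts."""
import base64, hashlib, hmac, json
from dataclasses import dataclass, field

ACTIVATION_SECONDS = 8 * 3600     # activation access package lifetime (from the story)

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_credential(key: bytes, claims: dict) -> str:
    """Stand-in for VC issuance: base64url(claims).base64url(hmac)."""
    body = json.dumps(claims, sort_keys=True).encode()
    return f"{_b64(body)}.{_b64(hmac.new(key, body, hashlib.sha256).digest())}"

def verify_credential(key: bytes, token: str) -> dict:
    """Stand-in for VC presentation verification; raises on tampering."""
    body_b64, tag = token.split(".")
    body = base64.urlsafe_b64decode(body_b64 + "=" * (-len(body_b64) % 4))
    if not hmac.compare_digest(_b64(hmac.new(key, body, hashlib.sha256).digest()), tag):
        raise PermissionError("credential signature invalid")
    return json.loads(body)

@dataclass
class Directory:
    """In-memory tenant. Assumed convention: privileged account = 'adm-<primary>'."""
    primary_active: dict                  # primary account -> enabled?
    eligible: dict                        # privileged account -> set of directory roles
    group_members: dict = field(default_factory=dict)   # role -> {account: expiry}

    def has_role(self, account: str, role: str, now: int) -> bool:
        expiry = self.group_members.get(role, {}).get(account)
        return expiry is not None and now < expiry

class IssuanceApp:
    """Holds only the signing key and app roles; never a directory role itself."""
    def __init__(self, key: bytes): self.key = key

    def issue(self, d: Directory, account: str, role: str, now: int) -> str:
        if not d.primary_active.get(account.removeprefix("adm-"), False):
            raise PermissionError("no active primary account")   # leaver check before issuance
        if role not in d.eligible.get(account, set()):
            raise PermissionError("not eligible for role")        # no eligibility package
        return sign_credential(self.key, {"sub": account, "role": role, "iat": now})

class ActivationPolicy:
    """Activation access package: valid credential for this role -> 8h group membership."""
    def __init__(self, key: bytes): self.key = key

    def activate(self, d: Directory, account: str, role: str, token: str, now: int) -> int:
        claims = verify_credential(self.key, token)
        if claims["sub"] != account or claims["role"] != role:
            raise PermissionError("credential does not match request")
        if role not in d.eligible.get(account, set()):         # assumed: re-check eligibility
            raise PermissionError("eligibility withdrawn since issuance")
        expiry = now + ACTIVATION_SECONDS
        d.group_members.setdefault(role, {})[account] = expiry   # role-assignable group
        return expiry

def demo() -> dict:
    """Issue, activate, expire, plus the two failure cases the design guards against."""
    key = b"constructed-demo-key"
    d = Directory(primary_active={"alice": True, "bob": False},
                  eligible={"adm-alice": {"Global Administrator"},
                            "adm-bob": {"Global Administrator"}})
    issuer, policy, t0 = IssuanceApp(key), ActivationPolicy(key), 1_700_000_000
    vc = issuer.issue(d, "adm-alice", "Global Administrator", t0)
    policy.activate(d, "adm-alice", "Global Administrator", vc, t0)
    out = {"active_after_7h": d.has_role("adm-alice", "Global Administrator", t0 + 7 * 3600),
           "active_after_8h": d.has_role("adm-alice", "Global Administrator", t0 + ACTIVATION_SECONDS)}
    try:                                  # leaver: disabled primary account blocks issuance
        issuer.issue(d, "adm-bob", "Global Administrator", t0)
        out["leaver_blocked"] = False
    except PermissionError:
        out["leaver_blocked"] = True
    forged = vc[:-1] + ("A" if vc[-1] != "A" else "B")   # flip the last signature character
    try:                                  # tampered credential is rejected at activation
        policy.activate(d, "adm-alice", "Global Administrator", forged, t0)
        out["forgery_blocked"] = False
    except PermissionError:
        out["forgery_blocked"] = True
    return out
```

Running `demo()` returns the role as active seven hours after activation and inactive at the eight-hour mark, and reports both the leaver and the forgery as blocked. In a real deployment the signing and verification are done by the Verified ID service and the group membership by entitlement management; the model only makes explicit which component needs which privilege.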


A continued journey with Azure

With the new process, cellcentric is the first customer to use Microsoft Entra Verified ID and Microsoft Entra entitlement management together in production. The company has worked with Microsoft Entra ID and Azure since its founding and looks forward to continuing to integrate Microsoft solutions to protect its business. “Our identity and access management system is entirely based on Microsoft Entra ID. The integration of Microsoft Entra Verified ID and Microsoft Entra entitlement management is now also a critical component for securing privileged access. It empowers and increases security for our whole organization,” says Christian Lang.

Find out more about cellcentric on LinkedIn.
