7/8/2025

NTT Communications achieves a safe hybrid work environment with Microsoft Entra ID and Intune

The COVID-19 pandemic necessitated a safe hybrid work environment. Cyberattacks on internal servers occurred around the same time, triggering NTT Communications’ commitment to Zero Trust security.

Employee IDs were migrated to Entra ID, and the management of 40,000 self-developed “Secured PCs” to Intune.

Strengthening ID authentication and device management achieved a secure and user-friendly hybrid work environment, supporting the diverse work styles of employees.

NTT Communications Corporation

The Zero Trust security supporting hybrid work

As a Creator of New Value and Accelerator of a Global Sustainable Society, NTT Group has been working to enhance Employee Experience (“EX”). Having led the group’s ICT-based work style innovations, NTT Communications Corporation (“NTT Communications”) focused on “Zero Trust” and now contributes to the improvement of EX by renewing the existing work environment and making it “safe and comfortable anytime, anywhere.” Zero Trust is a cybersecurity strategy that assumes all access to company information assets is “not trustworthy and therefore must be verified.”

NTT Communications adopted Microsoft solutions to achieve a safe hybrid work environment based on Zero Trust: Microsoft Entra ID (“Entra ID”, formerly Azure Active Directory), a cloud-based identity and account management service, combined with Microsoft Intune (“Intune”), which manages devices and apps.

Employee IDs and the associated 40,000 “Secured PCs”, previously managed by on-premises Active Directory and Microsoft Endpoint Configuration Manager (MECM), are now managed by a new system built on Entra ID and Intune. Secured PC is NTT Communications’ own Windows PC design, achieving both convenience and security. The new system gives employees a more secure and easier-to-use hybrid work environment through unified ID authentication, strengthens security through multi-factor and device authentication, and supports diversifying work styles. These efforts also simplified device management, which reduced the labor hours and costs of operating the system, sped up the response to urgent issues, and cut the time and resources required for device kitting.

NTT Communications utilizes ICT to create communications that open up new possibilities for people and the world. The company engages in initiatives to better support employees in their autonomous career development through higher EX, which is one of the pillars of the NTT Group's management strategies. To strengthen support for autonomous career development, NTT Communications has been establishing work environments adaptable to employees’ various work and life styles.

As the foundation for various work styles and environments, NTT Group launched the Remote Standard System based on hybrid work as the standard work policy in July 2022, giving employees the freedom to live anywhere in Japan. EX has been improved by freeing employees from restrictions on when and where they work as well as where they live.

“The security strategies based on Zero Trust are crucial for creating a hybrid work environment that is safe and secure regardless of where users work,” says Tsuyoshi Toyoshima, Director of Digital Innovation, Digital Transformation at NTT Communications.

While the COVID-19 pandemic necessitated hybrid work, the company suffered cyberattacks on its internal servers around the same time. The incident triggered the company’s commitment to Zero Trust security. “We decided to move away from the on-premises environment to prevent unauthorized access,” Toyoshima continues. “Until then, we had created a secure environment by blocking connections to the internal network from the outside. Today, the use of cloud computing/SaaS and working from home has become the norm, and this created difficulties in establishing clear ‘boundaries’ due to changes in the environment. We needed to consider the cloud as the basis for management of devices, software, internal systems, authentication, networks, and IDs to implement the Zero Trust strategies, where security measures are taken with the assumption that no access is trusted.”


Phased transition to Entra ID and Intune

NTT Communications chose to shift from on-premises to cloud-based environments in phases, specifically from Active Directory (“AD”) to Entra ID and from MECM to Intune.


Identifying potential issues internally and resolving them before full migration

Phase 1 involved discontinuing Active Directory Federation Services (ADFS, the AD-based federated authentication method) and transitioning from federated authentication to authentication by Entra ID alone. Yukito Nakajima of Digital Innovation, Digital Transformation at NTT Communications, commented on this process: “To discontinue ADFS, we rolled out Entra ID in stages, conducted trials with a limited number of users at each stage, and resolved any issues as they surfaced. We repeated this process prior to completely turning off ADFS. So, the transition went smoothly and quickly without any problems when we entered the full migration.”

The on-premises file servers were also discontinued in Phase 1. Shuji Inoue, Senior Manager of Information System, Digital Transformation of NTT Communications, recalls migrating 550 terabytes of all existing files to Microsoft OneDrive and Microsoft SharePoint: “Initially, there was significant resistance to migrating from the familiar file-sharing interface to SharePoint. We explained the importance of cloud migration for achieving Zero Trust and asked employees to migrate their existing data by themselves. We also introduced the SharePoint Migration Tool (SPMT) to reduce the burden of the migration task and implemented phased migration, organization by organization, to even out the network load and inquiries to the support desk.”

Migrating 40,000 devices to “Entra ID joined” in 4 months, using Intune and Autopilot

The authentication infrastructure used by SaaS and internal system applications was subsequently migrated from AD to Entra ID in Phase 2. Rikiya Sakuma, Manager of Digital Innovation, Digital Transformation at NTT Communications, says that governance was the key to migration. “We collaborated with the IT Security Department to establish the use of Entra ID as the authentication infrastructure in our internal system regulations. Enforcing IT governance helped deter the use of new AD instances. Additionally, the internal system administrators proactively migrated AD-integrated applications to Entra ID during system updates or other maintenance cycles. As a result, only a small number of applications had to be migrated from AD to Entra ID at this stage.”

When apps required migration, it was also necessary to change the app administrators’ preconception that “Entra ID = cloud version of AD.” By communicating that application methods, and in some cases even products, might need to change, the project team increased understanding among the internal stakeholders. The team also helped them develop and execute migration plans tailored to the new authentication method. Thanks to this support, many internal applications were made compatible with Entra ID, achieving the cloud shift.

It is easy to focus on the migration of internal applications when discontinuing AD. However, the scope of migration tasks is broad, extending to the various elements that make up the office ICT. “The network, certifications, printers, license authentications... They all had to be migrated. It was important to involve all internal stakeholders from the early stages to ensure the discontinuation of AD,” Sakuma recalls.

Simultaneously, the management tool for on-premises devices and apps was migrated from MECM to Intune. By incorporating Windows Autopilot (“Autopilot”), one of Intune’s features, into the setup of devices and apps, NTT Communications migrated 40,000 existing devices from Microsoft Entra Hybrid Join (formerly Hybrid Azure AD Join) to Microsoft Entra ID Join (formerly Azure AD Join) in just four months. To make a full transition to Entra ID joined, the Microsoft Entra hybrid joined devices had to be reset. Tatsuya Inada, Senior Manager of Digital Innovation, Digital Transformation, NTT Communications Corporation, explains a key element of the switchover: “Employees can reset their devices by themselves simply with Intune wipe (initialization) at their own convenience while working from home. Autopilot automatically set up the devices and completed the switchover via the Internet.”

“Device migration required getting both supporters of the change within the company and top-down leadership,” recalls Keiko Kawamura, Manager of Digital Innovation, Digital Transformation, NTT Communications.

“We held briefing sessions for IT administrators in each organization ahead of time and lent them prototype devices so that they could test the transition and better understand the planned migration steps. Employees had to understand the benefits of switching to Entra ID-joined devices in order to perform the resetting steps by themselves. So, we worked hard to communicate the benefits to everyone through the IT administrators. We also used Intune data and Power BI to visualize the device switchover rates by department. The rate of progress was shared with the department managers, and they were encouraged to make the switch from the top down as well.”

Planning for de-synchronization of 160,000 objects based on in-advance validation

The third and final phase was to stop the synchronization of Microsoft Entra Connect (formerly Azure AD Connect), which synchronized AD objects to Entra ID, and completely separate the on-premises and cloud environments. Nakajima describes the process of de-synchronization: “It only takes a single command to switch over, but a lot of preparation went into it. There were 160,000 objects to be de-synchronized, including user accounts, distribution groups, and security groups for all employees, which are essential to business operations. In order to minimize the period of object unavailability due to turning off synchronization, we validated how long it would take to de-synchronize 160,000 objects beforehand and developed a work plan that would allow provisioning with Entra ID to begin immediately after turning off synchronization.”

“Since the synchronized configuration of AD and Entra ID was the basis of the in-house environment, the impact of de-synchronization was going to be significant, and we felt that we could not be fully prepared with theoretical discussions alone. That is why we constructed a separate tenant that mimicked the actual environment and ran rehearsals. We provided information to teams that would be affected by de-synchronization and asked them to prepare necessary measures. Because we were able to identify every potential issue in minute detail beforehand, we were able to turn off synchronization without major issues.”


Then, as part of the IGA (Identity Governance and Administration) switchover, the management of AD-controlled objects (user accounts, distribution groups, security groups) was shifted to Entra ID.

It was important to familiarize users with the new user interface in advance in order to minimize the business impact of the cloud migration. Hitomi Nishioka, Digital Innovation, Digital Transformation, NTT Communications, explains the key points of the migration phase: “We made the new Entra ID-compliant system available to users ahead of time, which helped to avoid confusion after the switchover. Also, in cases where specifications would be changed after shifting to the new system, we provided information through workshops and the intranet portal sites. We made sure users/employees were fully supported and worked hard to reduce their worries and concerns as much as possible.”

“The difficulty was that some of the group policies managed by AD were not compatible with Intune configuration profiles,” says Inada, looking back on the efforts for a smooth switchover. “Microsoft Japan suggested that we use a group policy analysis tool, which was a private-preview version at the time. The tool analyzed whether the existing group policies were compatible with Intune and showed us how to configure them when found to be compatible, which made the transition smooth. We were also able to identify all incompatible group policies so that we could prepare where necessary. It made our migration management easier.”

Simple device management with Entra ID and Intune

The implementation of Entra ID and Intune has led to simplified device management as well as security improvements.

“There is no need to execute complex policies developed through enormous resources. The key is that Entra ID easily provides the ‘advanced and secure identity authentication’ and ‘comprehensive and dynamic authentication and authorization’ required for Zero Trust,” recalls Sakuma. Instead of ending with a one-time authentication, changes in device and network conditions are detected on each access, and users are asked to authenticate again or change their passwords according to the degree of risk, thereby improving measures to prevent unauthorized access in the hybrid work environment.

In addition, the complete shift to a cloud environment has enabled the centralization of authentication with Entra ID, allowing advanced security monitoring through the use of log data. The shift also allows analysis and utilization of endpoint, network, and app data to implement security measures on the basis of each employee and device. These are beneficial in terms of both security and business operations.
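The per-access, risk-graded re-authentication described above is what Entra ID Conditional Access policies, fed by Entra ID Protection risk signals, implement. The following is an added example, not code from NTT Communications or Microsoft, showing three such policies created through the Microsoft Graph PowerShell SDK: one that demands MFA when the sign-in itself looks risky (new device or network, anonymous IP), one that forces MFA plus a password change when the user account is judged at risk, and one that admits only Intune-compliant devices, the device-authentication side of the story. The policy names, risk thresholds, the “All users / All apps” scope and the break-glass group id are illustrative assumptions; every policy is created in report-only mode so its effect can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example (not NTT Communications' or Microsoft's code). Assumes the
# Microsoft.Graph PowerShell SDK is installed and an administrator has already run:
#   Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"
# Policy names, risk levels and scopes below are illustrative choices.

# Exclude an emergency-access ("break-glass") group so that a mistaken policy
# cannot lock every administrator out. Placeholder id: replace with your own.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Scope shared by all three policies: every user and every cloud app,
# minus the break-glass group.
$allUsersAndApps = @{
    users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
    applications = @{ includeApplications = @("All") }
}

# Policy 1: a medium- or high-risk sign-in (unfamiliar device or network,
# anonymous IP, ...) must pass a fresh MFA challenge on that access.
$signInRiskPolicy = @{
    displayName = "CA-RiskySignIn-RequireMFA"
    state       = "enabledForReportingButNotEnforced"   # report-only first
    conditions  = $allUsersAndApps + @{ signInRiskLevels = @("medium", "high") }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Policy 2: a user whose account is judged high risk (e.g. leaked credentials)
# must re-authenticate with MFA AND change the password; "AND" requires both.
$userRiskPolicy = @{
    displayName = "CA-RiskyUser-RequirePasswordChange"
    state       = "enabledForReportingButNotEnforced"
    conditions  = $allUsersAndApps + @{ userRiskLevels = @("high") }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "passwordChange")
    }
}

# Policy 3: device authentication. Only devices that Intune reports as
# compliant may reach cloud apps from browsers and desktop/mobile clients.
$deviceCompliancePolicy = @{
    displayName = "CA-AllApps-RequireCompliantDevice"
    state       = "enabledForReportingButNotEnforced"
    conditions  = $allUsersAndApps + @{ clientAppTypes = @("browser", "mobileAppsAndDesktopClients") }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

foreach ($policy in @($signInRiskPolicy, $userRiskPolicy, $deviceCompliancePolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Leaving the policies in report-only mode for a few weeks and reviewing the “Report-only” result column in the Entra sign-in logs shows which users and devices each policy would have challenged or blocked; only after that review should `state` be changed to `enabled`, ideally one policy at a time.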

“The shift from the on-premises MECM to Intune has also helped streamline device management operations. Before the change, updating the Windows OS for internal use required time and effort to recreate a master image. But now, rolling out is quick and flexible by using Intune’s Autopilot and Windows Update for Business,” says Kawamura. Previously, a device manager had to ask the authentication manager who managed AD to change the group policy each time the security policy was changed. “With Intune, the device manager can complete the process, reducing the workload of both device and authentication managers,” adds Shinpei Hatakeyama, Manager of Digital Innovation, Digital Transformation, NTT Communications.

Autopilot automatically sets up and pre-configures new devices from the cloud, and it brought significant benefits to both the device provider and the user. “Autopilot has freed the device provider from the complex kitting work, giving them more time to focus on their core operations. Currently, the number of devices managed has increased to 46,000. But deployment of new devices is now much easier with Autopilot. Staff members are grateful that they no longer have to come to the office to set up devices. In addition, if an employee faces a problem with their device while working from home, it can be reset and reconfigured using Autopilot without having to come to the office, which is also a great business advantage,” explains Hatakeyama.


Migrating the authentication and device management to the cloud was challenging, even for NTT Communications. “Migration could not have been successful without the support from Microsoft Japan and FastTrack, a cloud implementation support service,” Inoue comments on the migration support. “When Microsoft Japan responded to our inquiry and proposed the use of tools and other specific solutions, I felt that they were addressing the issues as if they were a part of our team while collaborating with Microsoft’s U.S. headquarters.”

NTT Communications has been able to reduce the cost and workload of operating and managing internal systems by eliminating the need for AD-related equipment and application/patch distribution servers.

The project achieved a complete migration from the existing on-premises environment to a cloud environment with Entra ID and Intune as its core. Looking back on the entire project, Nishioka comments, “We eliminated on-premises Active Directory and achieved centralized management of ICT resources using Entra ID and Intune. Now that all data resides in the cloud, we can visualize and utilize data in a way that was never before possible.”

Toyoshima has a future vision: “From the perspective of devices, I have high expectations for Copilot+ PC to utilize AI. Before the project, we were in a domain participation model in a closed LAN environment within the company or at home. Now that we have shifted to a cloud participation model in an open Internet environment, we have a foundation that can flexibly respond to changing times. In order for AI to be truly effective, data must be in the cloud. Now that we have the foundation for it, we want to work on improving EX and CX using AI, such as Copilot for Microsoft 365, as well as further upgrading security.”

NTT Communications has demonstrated that a complete migration to a cloud environment can improve security and provide better work styles for employees. There is no doubt that they will continue to embrace the latest technologies as they seek to grow and innovate their business.
