5/8/2026

cellcentric reduces virtual desktop costs by 33% with Microsoft Entra Suite

As a cloud-first automotive joint venture, cellcentric needed a secure identity foundation that could scale quickly while supporting legacy engineering workloads without sacrificing usability or driving up infrastructure costs.

cellcentric deployed Microsoft Entra Suite, including Microsoft Entra ID, Microsoft Entra ID Governance, Microsoft Entra Private Access, Microsoft Entra Internet Access and Microsoft Entra Domain Services, to deliver unified identity management, access governance, and secure connectivity.

By replacing virtual desktop–based access paths with identity-centric secure access, cellcentric reduced monthly virtual desktop costs by 33%, migrated 50–60 users off virtual desktops, and enabled access provisioning perceived to be two to three times faster, while maintaining a Zero Trust security posture.

Designing identity as the foundation of a new company

When cellcentric was established as a joint venture between Daimler Truck AG and Volvo Group, the company faced a rare opportunity: to design its IT landscape from the ground up. Rather than inheriting legacy identity systems or network-centric security models, cellcentric made a deliberate decision to place identity at the center of its architecture from day one.

The company’s mission demanded a highly secure yet flexible environment. cellcentric operates at the intersection of advanced automotive engineering, research, and manufacturing, where intellectual property protection, partner collaboration, and operational efficiency are all critical. From the beginning, leadership recognized that traditional perimeter-based security would not scale to meet those needs.

“We had the chance to start from scratch, and we knew identity had to be the core of everything,” says Christian Lang, IT Architect at cellcentric. “We decided very early to follow a Zero Trust approach with Microsoft Entra ID at the center.”

Working with Microsoft, cellcentric established a cloud-only Microsoft Entra ID tenant and immediately implemented foundational security controls. Conditional Access policies were enforced from the outset, multifactor authentication was required for all users, and self-service password reset was enabled to reduce operational friction during onboarding. This early focus ensured that security was built in rather than added later.

As a partner, Microsoft ISD was critical in this journey, leading end-to-end, identity-first solution design, delivering integrated Entra capabilities with strong governance, and turning architecture decisions into measurable business outcomes through disciplined execution.

Scaling access with governance, not manual processes

As the organization grew, so did the complexity of managing access. Employees, contractors, and external partners all required timely access to applications and resources, but manual provisioning quickly became unsustainable. Initially, users were onboarded through scripted processes, which worked at small scale but lacked consistency and long-term governance.

To address this, cellcentric integrated its central HR system using native HR provisioning in Microsoft Entra ID. This shift automated joiner and leaver processes, ensuring that user accounts and access reflected employment status without relying on manual intervention.

Guest access presented an even greater challenge. Collaboration with suppliers, partners, and external engineering teams is essential to cellcentric’s business, but unmanaged guest identities can introduce security and compliance risk. To bring structure to this process, cellcentric adopted Microsoft Entra ID Governance.

Using access packages, approval workflows, and lifecycle automation, cellcentric established governed onboarding and offboarding for guest users. Over time, the same governance model was extended to internal users, standardizing how permissions were granted across applications through group-based access and native provisioning integrations.

“Governance was key for us,” says Christoph Dörr, Product Owner IT Backend at cellcentric. “We needed to give people access quickly, but we also needed confidence that access was reviewed and removed when it was no longer required.”

Rethinking remote access for legacy engineering workloads

Despite its cloud-first architecture, cellcentric still relied on legacy, non‑HTTP engineering applications hosted on‑premises. These applications required protocols such as Kerberos and NTLM and were integrated through Microsoft Entra Domain Services. Historically, secure access to these resources depended on a large Azure Virtual Desktop environment.

For many employees, particularly engineers, virtual desktops served primarily as jump hosts rather than full workspaces. This added complexity to daily workflows and drove significant infrastructure costs.

“Users had to take extra hops just to reach the applications they needed,” Lang recalls. “It worked, but it wasn’t a great experience, and it was expensive to operate.”

The introduction of Microsoft Entra Private Access, part of Global Secure Access, fundamentally changed that model. By enabling identity-aware, Zero Trust Network Access to on‑premises resources, cellcentric was able to publish engineering applications and Azure file shares directly to users’ corporate devices.

“With Private Access, employees can securely access legacy applications directly from their own notebooks,” says Lang. “They no longer need to rely on a virtual desktop just to do their work.”

Delivering measurable cost savings and better user experience

The shift from virtual desktop–based access to identity-centric secure access produced clear, measurable outcomes. By reducing reliance on compute-intensive virtual desktop infrastructure, cellcentric achieved a 33% reduction in monthly virtual desktop costs, expressed as a relative decrease between the environments before and after adopting Microsoft Entra Private Access.

At the same time, approximately 50–60 users were migrated off virtual desktops entirely. This group included both standard office users and power users running demanding engineering simulations. Moving these users to direct access reduced infrastructure overhead while improving performance and usability.

“The biggest change for our employees is that security is no longer something they actively notice,” Lang says. “It just works—and that’s exactly how it should be.”

Users now experience fewer steps, less latency, and a more seamless connection to the resources they need, and IT teams report fewer friction points associated with remote access and fewer escalations related to virtual desktop usage.

Extending Zero Trust across the environment

In parallel with Private Access, cellcentric deployed Microsoft Entra Internet Access as part of Global Secure Access. This capability provides identity-based controls for access to Microsoft 365 services and reinforces the company’s Zero Trust strategy.

Internet Access is currently being evaluated and piloted, with plans to expand coverage as the deployment matures. Together, these capabilities ensure that every access request—whether to cloud services or on‑premises resources—is continuously evaluated based on identity, device, and context.

“We deliberately chose not to implement a traditional VPN,” Dörr explains. “We wanted identity to remain the control plane, not the network.”

This approach has also simplified onboarding new scenarios, such as enabling secure access to testing environments or partner systems, without complex network configurations or bespoke integrations.

What’s next: continuing the identity-first journey

While cellcentric has deployed most components of Microsoft Entra Suite, the journey is ongoing. The team continues to expand lifecycle automation, particularly for B2B guest access, and is exploring additional Global Secure Access scenarios as part of its roadmap.

cellcentric also actively tracks new Entra capabilities as they become available, building on its identity-first foundation to support future growth, innovation, and collaboration.

“Our biggest lesson learned is that identity is never really finished,” Lang reflects. “But by building everything on a single, integrated platform, we know we can keep evolving without adding unnecessary complexity.”

Meet the Team

Christian Lang
IT Architect, cellcentric GmbH & Co. KG

Christoph Dörr
Product Owner IT Backend, cellcentric GmbH & Co. KG
