Microsoft is using the identity governance capabilities of the Microsoft Azure Active Directory (Azure AD) entitlement management (EM) service to give its employees access to the files and resources they need to do their jobs while preventing them from accessing information they shouldn’t see.
Until recently, those kinds of protections had to be implemented by hand for each individual work project, which resulted in a patchwork experience for employees and managers alike and was a primary driver for support tickets.
Today, this capability is enabled by Azure AD EM, a transition that has centralized access provisioning and governance and has freed up resources for teams across the company.
“By centralizing this functionality into an easy-to-use service, provisioning for a whole ecosystem can be linked to a single, role-based package,” says Lionel Godolphin, a senior software engineer with the Microsoft Federal team in Microsoft Cloud and AI. “Both onboarding—and equally importantly, offboarding—are managed via a single policy with built-in approval processes.”
Integrating systems and delivering seamless onboarding and offboarding experiences are challenges for organizations large and small. The way some integration services were designed created unnatural barriers, which in turn required additional provisioning, access requests, and management. Enterprise organizations face a range of challenges when implementing and managing employee access, and Azure AD entitlement management can be used to address them.
It’s all about helping everyone involved in a project feel more confident in the work they’re doing.
“It’s important for us to give our employees the freedom they need to do their job while also making sure they don’t get into things that they shouldn’t,” Godolphin says. “This protects them, and it protects the company.”
The Microsoft Federal engineering team built automated access provisioning for the resources that employees on the larger Microsoft Federal team need to do their confidential work supporting government agencies. The solution streamlines onboarding and offboarding of employees, transforming what was a manual process into a compliant, one-click experience.
Getting up to speed, but without all the tickets
When a new team member joins Microsoft Federal, the organization that engineers solutions to empower governments, access must be granted for each system in the environment that the new user needs to do their job.
“Imagine you’re new at Microsoft,” Godolphin says. “You’ve got your team, and not only do you have to get access to the sales systems, but you need access to all the sub-systems. They are not only disparate, but there may be different prerequisites—it is not just one provisioning. Jumping through all those hoops to get set up as a new employee is a terrible experience for anyone.”
Ensuring that employees are enrolled in the right systems (and unenrolled at the right time) can be tedious, especially when manual steps are required and system access is controlled by multiple teams. Each system might require its own onboarding request, which generates a lot of tickets and can introduce delays. Delays are a problem given the nature of Microsoft Federal’s sensitive, tented (need-to-know) work.
Microsoft Federal’s sales team, for example, uses a system that requires multiple integration points and tools as part of the overall sales process. From several roles in Microsoft Dynamics 365 to reporting systems to downstream services, each employee on the sales team requires a complementary set of permissions.
To solve this challenge, the Microsoft Federal engineering team developed a solution that uses Azure AD entitlement management to make user access provisioning a seamless, secure, and compliant experience. With a little additional effort, Godolphin and his team used Microsoft Power Apps to connect EM to the company’s human resources system. Thanks to this auto-provisioning solution, built on top of the Azure AD EM service and driven by each employee’s human resources profile, that same new employee now shows up with access to the entire sales ecosystem automatically.
Launched in November 2019, Azure AD entitlement management is an identity governance feature that enables organizations to manage the identity and access lifecycle at scale by automating access request workflows, access assignments, access reviews, and expiration.
Employees need access to various groups, applications, and sites to perform their jobs, and managing this access is challenging. As requirements change and new applications are added, users need additional access rights. Similarly, rights need to be added or taken away as employees join or leave the company. The scenario gets more complicated when you collaborate with outside organizations: you may not know who in the other organization needs access to your organization’s resources, and they won’t know which applications, groups, or sites your organization is using.
Microsoft Azure AD entitlement management can help you efficiently manage access to groups, applications, and Microsoft SharePoint Online sites for internal users, and for users outside your organization who need access to those resources.
For federal services, an access package’s lifecycle policy automatically removes a user’s access after a predetermined period, so access does not outlive the need for it. Automated expiration, approval workflows, and auditing also help an organization meet Cybersecurity Maturity Model Certification (CMMC) requirements.
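The following is an added example, not code from the Microsoft Federal team or from this article, that shows what the access package, approval, and expiration settings described above look like when created with the Microsoft Graph PowerShell SDK (the Microsoft.Graph.Identity.Governance module). It assumes an existing catalog, an approver, and a department attribute value, all of which are placeholders. The third step uses the service’s built-in attribute-based auto-assignment policy to illustrate HR-driven provisioning; the article’s Power Apps connector to the HR system is a different mechanism and is not shown.

```powershell
# Added example (not from the Microsoft Federal team or the article). Requires the
# Microsoft.Graph.Identity.Governance module and the EntitlementManagement.ReadWrite.All
# scope. Catalog ID, approver ID, and department value are placeholders.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"

$catalogId  = "00000000-0000-0000-0000-000000000000"   # placeholder: existing catalog
$approverId = "11111111-1111-1111-1111-111111111111"   # placeholder: approver's user object ID

# 1. The access package bundles the roles a federal sales rep needs. Groups, apps, and
#    SharePoint sites are attached to it afterwards as resource role scopes.
$package = New-MgEntitlementManagementAccessPackage -BodyParameter @{
    displayName = "Federal Sales - Standard"
    description = "Dynamics 365 roles, reporting, and downstream services for federal sales"
    catalog     = @{ id = $catalogId }
}

# 2. Request-based policy: one approval stage with required justification, automatic
#    denial after 14 days without a decision, and access that expires after 180 days.
#    Self-update lets the user request renewal before expiry; every request, approval,
#    and removal is recorded in the Azure AD audit log.
New-MgEntitlementManagementAssignmentPolicy -BodyParameter @{
    displayName        = "Request with approval"
    description        = "Self-service request, one approval stage, access expires after 180 days"
    allowedTargetScope = "allMemberUsers"
    accessPackage      = @{ id = $package.Id }
    expiration         = @{ type = "afterDuration"; duration = "P180D" }
    requestorSettings  = @{
        enableTargetsToSelfAddAccess    = $true
        enableTargetsToSelfRemoveAccess = $true
        enableTargetsToSelfUpdateAccess = $true
    }
    requestApprovalSettings = @{
        isApprovalRequiredForAdd    = $true
        isApprovalRequiredForUpdate = $true
        stages = @(
            @{
                durationBeforeAutomaticDenial   = "P14D"
                isApproverJustificationRequired = $true
                primaryApprovers = @(
                    @{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $approverId }
                )
            }
        )
    }
} | Out-Null

# 3. Auto-assignment policy: users whose directory attributes match the rule are
#    assigned automatically and removed when they stop matching, after a grace period.
#    This covers offboarding and team changes without a ticket. The department value is
#    a placeholder for whatever attribute the HR feed populates.
New-MgEntitlementManagementAssignmentPolicy -BodyParameter @{
    displayName            = "Auto-assign by department"
    description            = "Assigned from the HR-sourced department attribute; removed when it changes"
    allowedTargetScope     = "specificDirectoryUsers"
    accessPackage          = @{ id = $package.Id }
    specificAllowedTargets = @(
        @{
            "@odata.type"  = "#microsoft.graph.attributeRuleMembers"
            description    = "Federal sales department"
            membershipRule = '(user.department -eq "Federal Sales")'
        }
    )
    automaticRequestSettings = @{
        requestAccessForAllowedTargets             = $true
        removeAccessWhenTargetLeavesAllowedTargets = $true
        gracePeriodBeforeAccessRemoval             = "P7D"
    }
} | Out-Null
```

The two policies are deliberately separate: the request policy carries the human approval and fixed expiry that an auditor expects to see, while the auto-assignment policy is what removes the support tickets. Keep the resources attached to the package minimal; the package, not the individual systems, is now the unit of least privilege.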
“We are the voice of the internal customers. We work with internal customers to understand their access provisioning pain points and scenarios, and we bring requirements and gap analysis to the Azure AD Identity Governance product team and co-develop with them to enable critical Microsoft internal scenarios,” says Jennifer Jiao, principal PM manager working on the project.
An improved experience for everyone
The Microsoft Federal sales team has committed to creating a separate, isolated space for managing all sales to the federal government. The impetus for the initiative is to keep data secure, which builds confidence with government entities while providing a secure space for discussing and planning government requirements in Government Community Cloud (GCC) High. GCC is a Microsoft cloud computing environment provisioned in Microsoft’s multi-tenant data centers for exclusive use by or for governments and their enrolled affiliates.
- Automate the access provisioning process through EM so that access to multiple resources can be requested at once through a single access package, reducing the effort and time employees spend getting the access they need for their jobs. Onboard and offboard people quickly to reduce security risk.
- Use EM for access governance so that approval workflows, access expiration and renewal, and auditing are in place to secure Microsoft Federal systems.