Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar, Identity and Access Management for Microsoft Azure and SharePoint Online. This webinar is supported by EmpowerID. The speakers today are Patrick Parker, who is founder and CEO of EmpowerID, and me, Martin Kuppinger. I'm CEO, founder, and Principal Analyst at KuppingerCole. In this webinar, we will look specifically at the Microsoft Azure Active Directory and SharePoint environments and what's related to them,
and at the question of what we need in identity and access management and how we do identity and access management best for these environments. So this is our topic for today. Before we start, some quick information about KuppingerCole and some housekeeping information for the webinar, and then we'll directly dive into the topic. KuppingerCole is an analyst company. We were founded back in 2004. We provide neutral advice and expertise.
And so our leadership is particularly in the areas of information security, where we have a strong emphasis on identity and access management and identity access governance, but we also look at a lot of other areas which are affected by digital transformation, by the growing impact of security, and by other changes which are related to our expertise. We do this in three areas. One is our research: we provide reports and other types of research, including our leadership documents. We do it through events like our conferences, webinars like this one, and others.
And we do it through our advisory services, where we support end-user organizations in setting their strategies, doing their tool choice, understanding their maturity, and assessing their maturity and their readiness for certain topics. So that's what we are doing. We have a couple of upcoming events. In December, we will do the third of our Consumer Identity World events.
We already did Seattle and Paris, and in December we'll do Singapore. End of February, early March,
we will do the Digital Finance World, which looks at the transformation of the finance business and what it means from an identity perspective, from a consumer perspective, and also from an authentication perspective, and the shift for the applications, et cetera. So a lot of topics in there. And then we will do our flagship event, the European Identity & Cloud Conference, which we run for the 12th time. This will be held in mid-May 2018 in Munich. Just to give you an idea of what we are doing in advisory:
we, for instance, have a brand-new offering, which is our GDPR readiness assessment, where we evaluate the readiness, the state of organizations for this upcoming regulation. So for the webinar itself, let's look at some aspects. You are muted centrally, so you don't have to mute or unmute yourself.
We are controlling these features. We will record the webinar and put the podcast recording online, latest by tomorrow. We will also provide the PDFs of the slide decks we have been using, and there will be a Q&A session at the end of the webinar.
So you can enter questions at any time using the Questions area in the GoToWebinar control panel, which you usually find at the right side of your screen. The more questions we have, the better. So if you have any questions, enter them and we will try to pick them up at the end of the webinar. The agenda for today is split into three parts, as usual. In the first part, I will talk about why you need a unified IAM approach for your hybrid
IT, the options you have, and what Microsoft Azure and Office 365 need.
The second part will then be done by Patrick Parker, who will do a deep dive into the specific challenges of incorporating Microsoft cloud services into existing IAM infrastructure, with the focus on Azure Active Directory and Office 365, as I've said. And he will also talk about an example of a successful project at a large European organization. The third part then will be the Q&A session, as I've already said. So let's start with our content.
So I'd like to start with where this entire challenge comes from, and it comes from the hybrid reality of businesses. When we look at businesses today, we see an increasing number of businesses following a cloud-first strategy. That's a strategy which is about the rapid deployment of services, new services from the cloud, standard services, about at least a perceived cost reduction, which I would even say in many cases is a realistic and real cost reduction, and about the availability of services also for small and medium enterprises.
So there are many services which a small or medium business can procure right now which it has never been able to procure before. So I think there are a lot of good reasons.
However, if you're realistic, most businesses still have a strong on-premises IT. If you look at banks and insurance companies, they run the banking core, the insurance core, and they frequently still run it on the mainframe. And these will be there for at least a very long period of time. Or if you look at manufacturing, the factory floor will not go away. It will not be the cloud factory floor. It will be a factory floor. So there are many, many good reasons for still having on-premises
IT. Not everything is easy to shift to the cloud. So most businesses' IT will remain hybrid for the foreseeable time, so we have a hybrid reality.
That's the point. Some services will move to the cloud, but truly cloud-only enterprises will still be rare. And we need to understand that, and we need to get a grip on these enterprises. So when we look a little bit at what has happened over the past years, to put it in a very simple picture, there's sort of the inside world, so the enterprise itself with its own data center. And there's the outside world.
So people sitting outside of that perimeter, which doesn't exist that way anymore, and applications sitting outside. Very traditionally, the employees were within that sort of inner part, using their computers, accessing fat client applications. And then sometime later, also quite a while ago, we saw the web applications. So then there was the need to have access to the business partner web applications.
Others came from outside, for instance the business partners, but also mobile users, saying, oh, we need to access these applications also from outside.
Sometimes even the fat applications. Cloud services appeared, which also need to be accessed from everywhere. Plus, oops, this one went a little too fast, plus also the mobile devices. What we have today is in fact a situation where we have an environment where people sitting inside or outside are using different types of devices to access a variety of applications and a variety of deployment models.
And we need to make that work, and not only work; we also need to ensure that everyone has the right access, the access he needs and exactly the access he needs, that we can do the governance, that we can manage it, and particularly for the cloud services. And that will be the main theme for today.
When we look at what it means for cloud services, for cloud services we also need to bring in a good level of IAM, so IAM for the hybrid reality of businesses.
In fact, it means IAM must support hybrid environments, and that's more than single sign-on. It's far more than single sign-on. We need to be good in a broad variety of topics.
So what do we concretely need here? That's the question I want to spend a little time on. When we look at identity management for the cloud, that applies to each and every cloud service we consume, but it clearly applies also to a very big extent to these core services, like our Azure Active Directory where we manage the users, our Office 365 with the SharePoint Online environment. We all know that SharePoint isn't the simplest tool and environment to manage.
So it's definitely not easy to ensure that only the right people have the right access to certain types of sites, documents, et cetera, to all we built there in our SharePoint environment. So what do we need? We need some form of single sign-on experience. That's what our users want. And if we keep our users happy, if we make our users happy, then we definitely have one of the successes we can achieve with access management. Then there are the identities we need to manage, with their passwords, the attributes of identities, all that stuff, but also the groups and the roles.
And that's where things start getting interesting. The single sign-on is easy to do. Managing the identities is a little more complex. With Azure AD, I think the good thing is Azure AD is very popular; it provides good interfaces. So it's easier to manage than many of the other cloud services out there.
So things definitely, again, can get worse than with the Office 365 and the Azure AD environment. But anyway, we need to do it. We need to manage the groups or roles, whatever concept we are following, or map roles to groups; we need to manage these things.
That's highly important for the entire management space. So ensuring that only the right access is granted, as I've said, for SharePoint it's really a very specific, very complex thing with a lot of dynamics in how SharePoint environments tend to grow and tend to evolve, and the need to anyway keep a grip on the information held there. We need to have the joiner, mover, leaver and more processes. So it's not only joiner, mover, leaver, but these are obviously the most relevant, the most prominent ones. We need access governance. Yes.
Access governance is a key element of that: who has access to what, is it still needed? Access reviews, all these things need to be done there as well.
Analysis of the current entitlements, all that stuff counts into access governance. And then there's also privilege management. So we have highly privileged users, and I think this is one of the things I feel is critical from the very beginning.
When you move to these environments, Azure AD, Office 365, SharePoint Online, getting a grip on the people who have administrative rights, really setting up a good concept here, ensuring that the standard administrator account, which is used from the beginning, is well protected because it's sort of a shared account, and ensuring that things don't go wrong in this environment, which, because it's so heavily used, is a very critical, very essential environment for your organizations.
And I think the one sentence really to keep in mind, and that's true for Office 365, Azure AD, SharePoint Online, but it's true for every other cloud service: your requirements on managing and governing identities and access will not disappear when moving a service to the cloud.
So it's the same challenge you have. You need to support these capabilities regardless of where the service runs. Hybrid enterprises do need a hybrid IAM. I'm not a believer in saying, oh, we have a little bit of IAM only for our cloud service, and maybe it even runs in the cloud,
and we have one IAM which we already had for a while for our on-premises environment. At the end, the same users are accessing services running in the cloud and on premises. So it's not that you can really make a hard split here. So you need a hybrid IAM. You need to be more open, more agile, more connected. We need to support this change. And so we will end up in an enterprise today with a hybrid IT, and that in fact requires this hybrid identity management approach. So what does this mean specifically for Azure AD, Office 365, SharePoint?
And so I'll bring in my sort of general view on what the areas are that you need to look at. It's not necessarily a fully complete list, but some of these aspects, and then Patrick will continue from there and go more into the details. So what do we need? We need single sign-on. So sign in with your Active Directory account to the Microsoft cloud and beyond. That's usually the way users are used to using that account.
They also might want to, if they don't have this on-premises Active Directory account, it might be a different way, but they want to have a simple experience, a single sign-on experience, and you need to provide this experience. You should reuse your identities and manage them consistently across every single one.
You need to understand how to manage groups and roles, so particularly managing the groups in SharePoint, managing the access in SharePoint. This is really one of the highly interesting and challenging areas.
So control what is allowed, who's allowed to do what. Again, particularly in SharePoint it's essential to do that, because in many organizations SharePoint environments hold highly sensitive information. So you need to get a grip on that. You need to have the joiner, mover, leaver, et cetera processes, so both the user-centric perspective of the process, how can I request access, et cetera, and the admin-centric one, how can I efficiently manage and control. Access governance, finally, so know who can do what in SharePoint and beyond.
Ideally you do that in a way which works well with what you have, which extends what you had and have, but which is done in a way which allows you to add other services well beyond Office 365 and SharePoint. So with these initial thoughts about what to do and the clear message that IAM requirements for the cloud are at least the same as for on-premises environments, so they don't go away,
I hand over to Patrick. Patrick right now will give you more insight, delivering a deep dive into the specific challenges of incorporating Microsoft cloud services into existing IAM infrastructures, and will showcase a use case of a project in that space. Patrick, it's your turn.
Okay.
Well, thank you, Martin. Thanks everyone for joining today. So I'm going to go just a little bit deeper on identity and access management for Microsoft Azure and SharePoint Online: stretching your traditional, your internal organizational policies and security. How can those be applied to these new cloud resources? Should they be applied? How can they be applied, and what are the quirks and differences, or things that you have to overcome, challenges with being in the cloud?
So when you're looking at identity and access management for Azure and Office 365, above the water, you know, the tip of the iceberg that everyone sees coming is that we have to get single sign-on working; users don't want another password. And we have to be able to do basic provisioning. We have to be able to get user accounts provisioned into Office 365 and get them a license assigned.
And that's the one thing that's typically planned for in an Office 365 rollout, but often those are the only two items that are planned for. And then underneath the water, you know, the larger hidden problems that often are not discovered or thought out until later in the project: real-world provisioning, which we'll talk about, which is, you know, a typical enterprise organization has a lot more complicated provisioning process.
How are we going to delegate administration, which we'll dive into, because Azure Active Directory and other cloud directories don't really fit our traditional LDAP model or Active Directory model for delegation. We're going to be rolling out these cloud resources often to engage with our partners and our customers.
How are we going to manage those external identities? Are we going to do it all ourselves? Can we let partners do some of the identity management in a secure way? How are we going to govern access?
You know, how can we audit and control these external cloud resources to be able to prove that the access is appropriate and that we have the proper controls in place? With GDPR, there are lots of new requirements there that you are building privacy and information control into your architecture. That's not something that's an afterthought.
And then with all of these resources being in the cloud, lots of different cloud resource types, how do you present the user with a single access request system so that they're not going here to request access to this and going there to request access to that, with approvals happening in two places? How do you streamline that into one business process?
So if we look above the water line, the typical, and this would fit most small customers, small customers have it easy. They have the simpler networks; they might have a single Active Directory domain on premise.
They have a single Office 365 tenant in the cloud. And Microsoft provides the basic tools that make this pretty easy to do.
You know, you synchronize one to one. If you want a user in Azure in the cloud, then you just provision one in your on-premise directory, and then the sync tools will create one in Azure AD and provision access. So it's very, very simple. You can use free tools, you can use ADFS for single sign-on, you know, it's a perfect simple world and covered very well by that. But most organizations are faced with more complex environments. They're not the smaller organizations that are just connecting a one-to-one environment.
So if we look at some of those in depth, a typical, more advanced provisioning scenario is that Active Directory and Office 365 are simply one step in a long chain of provisioning events. Once you solve provisioning a user in Office 365, that's really not time for celebration. That's simply a checkbox on a very long list. In those environments, you often have, via mergers and acquisitions, multiple Active Directories, multiple directory forests, that for cost reasons you can't just consolidate. You need to keep them for a while.
You have other authoritative systems, or multiple authoritative systems: SAP, Workday, lots of different internal applications. And your typical employee will have user identities across all of those with different login names, different identifiers. And then you'll have a mix of cloud applications as well in there that need provisioning too. And then some of them can be serving as yet another authoritative source. And often you'll have contractors or other types of identities that do not exist in any of your HR systems.
So it's a lot more complicated. Simple provisioning and synchronization, where you're creating everyone, no matter what type of user they are, in a single Active Directory and then pushing them out to Azure, doesn't hold for these types of customers.
So what's needed in that case is that you really cannot manage a hybrid environment with multiple directories on premise and in the cloud from within a single directory. Azure has a lot of functionality, but it is one of those directories.
It's almost like all of the directories are brothers and sisters, and trying to have one of the brothers manage the other brothers and sisters is typically not going to work out. They're going to be fighting. They don't really have the view over them or the authority.
So you need a system that has a level above, an identity warehouse or a metadirectory perspective, so that you can be automating provisioning across all of your systems from a single point that represents a person or a human being, and that you have the flexibility for your process to be implemented as some type of visual workflow. So the workflow can match your process. It handles all of the complexity of who should get access into which systems and when and how and why, and which mail might need to be included. And then you're pushing that information down into the directory.
So you're getting out of the directory-by-directory management perspective into a higher-level, more holistic view of provisioning people with access to resources.
Now, this one's probably the biggest challenge with the cloud, and surprisingly it is the one that people realize last. I call it the jellybean problem. In a typical organization, you might have internal users; you'll have internal divisions. In my case, I have the North American division, which manages certain brands for this company. They have their own IT administrative staff.
They have their own sub-departments. You have an internal European division, so the European division has their own brands; they have their own and some shared resources. And then you have your supplier networks; you have the various suppliers that access and need identities, need application access. And then again you'll have another class, which would be your consumers or your customers. So these are all the different types of identities that need to be managed. And when you look at the cloud, well, before we get to the cloud, if you look at it traditionally, it was very easy.
Most of these applications could point to Active Directory or some type of LDAP system. And in LDAP, you can structure it into various OUs or containers so that you can say, okay, everybody who's in division one is at or below this location, everyone who's in division two is here, we'll put our suppliers over here. And then it's easy to see where people reside and to delegate the policies to control who can manage them, what access they have, and what they can see. So moving to the cloud, the training wheels of having this nice tree structure disappear.
So now in the cloud, in Azure AD and in almost all cloud systems, all the jelly beans are in one big jar. So you have, you know, supplier A, you have your consumers, you have your various divisions. And the way it works is that in Azure AD there are very few roles, and these roles are global in perspective.
So if I have one of these roles, I have that role to manage everybody: European division, North American division, customers, suppliers. And anyone who has one of these admin roles, there's no rule in it on the privacy; they can see each other.
So if you wanted a supplier admin to have some responsibility, they would be able to see and manage another supplier. There's no easy way or out-of-the-box way to limit that. So you're left with very granular rules that over-grant access if you grant them, which really puts you in a position where you can't, in most cases, due to privacy. And then it's not really possible to sub-delegate who can manage what, who can see what, because everybody's in the same jar.
So it's a big challenge. It's not often thought of ahead of time. And if you look at it, Azure AD is just one of these jars.
Every cloud application that pops up is going to be another jar where all the jelly beans are in there, and you have to think, well, how am I going to manage this? I can't go to every system and try to implement some type of security workaround or some type of delegation model, and with no visibility centrally of what's going on in those systems, or who has access to what, or are we compliant with new regulations. So they're all mixed up. So a very big challenge.
So one of the solutions, the solution that we use, is that we separate out these different types of identities, partners, suppliers, divisions, into virtual tenants or virtual containers. So we kind of jar them up that way. You have them each in a container: supplier one's in a container, supplier two, internal division. That allows you to create like a virtual directory structure.
So you again have that structure where you know where people reside and where resources and entitlements reside, and you can grant fine-grained access.
So you can say, okay, if you're a supplier administrator, then you have these rights to manage people, but only in your container, in your organization, and the privacy of it would be enforced. They never see another supplier. Internal divisions can do the same thing between competing brands, so that brand A and brand B can't see the same people, manage the same people, or access the same content. So this allows you to transition cloud to fit back into your traditional security model that you're used to using for your internal IT resources.
So it brings back the skill set that your admin team is used to. So how does that happen? Basically, what happens is you have, in EmpowerID or in the identity management system, your organizational tree.
So that's the tree that you build. It can come in from SAP HCM or Workday or some other system in which you're already managing the structure. It's really the representation of your business and how you break things out, responsibilities, and how you see the world. And then there are rules.
It's called act mapping, where in each of those actual systems, the jelly beans in the jar, we use their attributes to put them in a virtual tree that maps them into your single unified organizational tree. So automatically the internal European people from all these various systems are mapped into one location where the policies are applied for Europe; your suppliers are mapped into their location. And if the data changes in those actual systems, in ServiceNow or a directory, they might be moved to a new location.
So if I was an internal European division employee, and now my attributes in the external system changed, or even if it comes from another system like HR, then I can be a mover.
Then I can be moved to a new location and everything changes: my access, my visibility, my delegated admin rights.
So it allows you to basically take this unstructured data that's in a single container in these external systems and map it into a structure where you can do granular delegated administrative responsibilities, automated policy access, and lots of privacy control over who exactly can see what, to whom. So that's the solution for the jellybean problem. Now here's an implementation of it. So in this case, in this system, we have thousands and thousands, I think 30,000 different partner locations.
But when I look in here as Barry White, Barry White is a partner admin in a partner called A. You'll see, because he's in his virtual container, he can only see the existence of his organization in the tree, and he can only see people in his organization.
And then because he has the role partner admin for his people, he can do help desk assisted resets, unlocks, provisioning, deprovisioning, whatever you have granted for partner admins to be able to do. So this single policy allows you to leverage your containers to say, okay, partner admins can only see people in their organization,
and then they can only do these things to them, instead of having to try to manually code some way around that, which would be difficult, costly, and might not even be possible. You can see just one more example. When Barry goes to provision or onboard a new person, he's only allowed to pick that they're going to be created in his organization, his bucket. And he can only onboard them as either a supplier or supplier admin.
So he cannot pick that they're going to be an HR person or an accounts payable or accounts receivable, because those roles are related to the internal division and not to this partner division. So everything is security-enforced, privacy-enforced throughout the system, based upon who you are and which virtual bucket you fall into.
So now moving on to SharePoint. SharePoint is a super popular platform with phenomenal growth.
It seemed to go through a lull where they were finding what was their new direction, and their new direction over the last 12 to 18 months has become very clear: SharePoint is the hub, is the backend repository on which Microsoft is building all of their collaboration and information worker apps. All of a sudden new applications are appearing, and if you look under the covers, they may be different front ends, but they're all leveraging SharePoint as their content repository, as their backend services.
So SharePoint has a new life, you'd say, and it's become much, much more important than ever, because almost everything you do now in some way is interacting with or serving up content from SharePoint on the backend. A good example of that is Microsoft Teams. Microsoft Teams is a Slack competitor with a lot more functionality as well; it's a replacement for Skype, has instant messaging, meetings, all kinds of team-based document sharing.
So it's really become a hub, but it is just a front end for SharePoint as the backend repository, plus a lot of features.
And that's really the direction Microsoft's heading. So securing this SharePoint content, being able to say we have it under control, we know who's creating sites, we have a process for that, we know who has access to these sites, we recertify it, and we know that we're not violating any separation of duties policies by giving the wrong people access to information they should not have, that's become more important than ever. So some of the SharePoint challenges, and these are some of the challenges that have always been around:
one of the best features about SharePoint is that in a few clicks you can have a site. Anybody can have a site. It used to be ridiculously simple: you'd create a calendar invite,
you'd say, hey, let's create a site for this. Almost anything could create a site. It's the same now; there are even more ways to create a site. Teams create sites. Office 365 Groups, which is a new type of group they're pushing users to use instead of all other group types, has a site behind it. Modern site provisioning, which is using their frameworks. And then traditional click-click-click site provisioning. So many ways to create sites, and you can end up with sprawl, people creating duplicate sites, out of control. Who's managing these sites?
Is anyone even using these sites? All losing control of the information. Security: also site access control, because you can have any type of content out there, and now you can even invite, very, very easily, external people who do not have an identity in your system. It becomes even more important to know:
are you enforcing the regulations that you are held to as a company?
Are you keeping information private between competing partners, or again competing internal brands or divisions within your own company, or is site content being shared with the wrong people, where they can see things they're not legally allowed to see or that would present competitive information? So content and search security trimming is also key to this. This is controlling, when someone searches, which content comes up in their search results. And there's a lot more to it in SharePoint than just permissions.
You have to use more of an aback approach to use attributes tagged on the documents, metadata and match that to attributes on the person to say which one should be filtered out, that they should not be able to see. Regardless of permissions, recertification is being able to prove who has access to what and that it is appropriate.
And then GDPR throws a whole new wrinkle in this that your design has to have privacy included by default. So you can't look at it later and say, well, how do we make this same GDPR compliant in your design?
It should be that compliance data pro protection and privacy is built in, you know, the ability for users to see which data you have to control, which type of data you're, you're holding and who has access to it. And the ability to request that information and to request the deletion of that information.
And if, if you don't have these controls in place, you, you won't to comply with deletion or even knowing what's out there, a control of site provisioning, that's a pretty easy one. You can shut down all of these various entry points where people can request sites. You can put it through some type of formalized workflow process where it can go for any number of approvals. You'll have auditing and logging. You can get routed to people in your organization who can ensure that you're not creating duplicate redundant sites.
If a site already exists for a purpose, they can get redirected to that site instead of provisioning more and more sites and having content sprawl, you can also enforce things like controlling, who can have access to different types of sites, putting metadata on them, and then not allowing certain types of people to have access to those sites, to, to enforce sod.
Now content publishing, that's really the key: you're presenting content that's stored in SharePoint and you want to present it to only the right people, the people who should be able to see that content. Now, traditionally in SharePoint content publishing, you'd create sites for everything. It was the old model where partner A would get a site and we'd push some content to partner A. Partner B would get a site and they'd get their content pushed to them, which might be some of the same content that partner A had. And you would control it by creating lots of different sites.
The user would access the site to see the content. In the new modern content publishing model with Microsoft, you're managing the content for authoring in these backend site collections that no users access. So you break those out for managing permissions: division A content, or content by this topic or that topic.
And that's where the content is stored, authored and managed. And then you have a single site that provides the user interface where users are presented that content.
But again, just the content they're allowed to see. They can search, they can browse, but they're doing it through this publishing site. They're not really interacting with, they're not ever going to, the backend content sites.
So this presents challenges and opportunities. The opportunity is that you have a window where you control exactly what they can see. So you can do more ABAC filtering, in addition to just the permissions, to limit what pops up for them to be able to click on and view. So this content is filtered using a combination of permissions and user attributes. So two things need to happen. One is the content itself needs to be tagged with metadata so that, you know, this one is audit,
this one is for brand A, not brand B. It has all of the data tagged to the content.
So then when you're filtering it, you can control which users can see that content. The other side of the equation is, if the content is tagged, you need the users to be tagged as well with metadata in their attributes, so that you can say, okay, if you're tagged as division one, then we're going to filter out all the content in this library and only show you content that's tagged as division one. So that's where the identity management system comes in. Because if we go back to our jelly beans, the jelly beans are in the tree.
The tree tells the system that that jelly bean is associated with division one. So it's the identity management job then to push down those attributes. So it's basically doing the metadata management on the user so that there can be a match: this content with this metadata can only be viewed by users with the corresponding metadata.
So the identity management system manages and enforces the metadata on the user in Azure Active Directory, and then SharePoint policies manage and enforce the metadata content policies so that the metadata gets on the content.
So the two coming together provide the opportunity that, in this case, we can see that in the authoring site collections we might have European division content, the red ones, in one site collection. So there are some permissions there that control who can see it, but it's more fine-grained than that. You have the North American division with the blue jelly bean content, and then, through a combination of permissions and the user profile information, in this case division set to North America,
Bob here, who is, according to the tree, a supplier in the internal North American division, is going to receive the attribute assigned to him by identity management of division North America.
And then when he's viewing content in this publishing site collection, it matches that, okay, the content has the tag division North America, Bob has the tag division North America, and he has the permission to access it. So he is only going to be presented with this division North America, blue jelly bean content. And he would never have the opportunity to see the red content.
So the two systems work hand in hand to present a very dynamic interface to present content and to enforce all of your various access governance and content security policies. So they really feed each other and support each other in that effort. That was all I had as far as the slides. I guess at this point I'm just happy to open it up for any questions that you might have on any of these scenarios.
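To make the permission-plus-attribute matching from the presentation concrete, here is an added Python illustration. It is not code from the webinar, from EmpowerID or from SharePoint; the users, groups, content titles, tags and the "division" attribute are constructed sample data. It shows the two layers described above: a permission check against group membership, and an attribute match between the metadata tag on the content and the attribute identity management has written to the user profile. A user whose profile is missing the attribute fails closed and sees no tagged content, which is the practical reason the identity system, not the content system, has to own that attribute.

```python
# Added illustration (not from the webinar, EmpowerID or SharePoint): attribute-based
# content trimming layered on top of permissions, as in the publishing-site model.
# All names, groups, tags and the "division" attribute are constructed sample data.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class ContentItem:
    title: str
    permitted_groups: FrozenSet[str]   # classic permission check: who may open it
    tags: Dict[str, str]               # metadata stamped on the content by policy


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]             # group memberships that drive permissions
    attributes: Dict[str, str]         # attributes pushed down by identity management


def has_permission(user: User, item: ContentItem) -> bool:
    """Permission layer: the user must be in at least one permitted group."""
    return bool(user.groups & item.permitted_groups)


def attributes_match(user: User, item: ContentItem, trimmed_keys: Iterable[str]) -> bool:
    """Attribute layer: for every trimmed key the item carries, the user's
    attribute must equal the item's tag. A user lacking the attribute is
    denied (fail closed), so an unmanaged account never sees tagged content.
    Items without the tag are governed by permissions alone."""
    for key in trimmed_keys:
        if key in item.tags and user.attributes.get(key) != item.tags[key]:
            return False
    return True


def trim(user: User, items: Iterable[ContentItem],
         trimmed_keys: Tuple[str, ...] = ("division",)) -> List[str]:
    """Titles the user may see in the publishing site: both layers must pass."""
    return [item.title for item in items
            if has_permission(user, item) and attributes_match(user, item, trimmed_keys)]


# Constructed sample content from two authoring site collections plus shared items.
CATALOG = [
    ContentItem("NA supplier pricing", frozenset({"na-suppliers"}), {"division": "North America"}),
    ContentItem("EU supplier pricing", frozenset({"eu-suppliers"}), {"division": "Europe"}),
    # Permission alone would let NA suppliers open this; the division tag trims it.
    ContentItem("EU returns policy", frozenset({"na-suppliers", "eu-suppliers"}), {"division": "Europe"}),
    ContentItem("Global supplier handbook", frozenset({"na-suppliers", "eu-suppliers"}), {}),
]

# Constructed users; "division" is the attribute identity management writes to the profile.
BOB = User("Bob", frozenset({"na-suppliers"}), {"division": "North America"})
ANA = User("Ana", frozenset({"eu-suppliers"}), {"division": "Europe"})
# Carol is in both groups but has no division attribute yet (not positioned in the tree).
CAROL = User("Carol", frozenset({"na-suppliers", "eu-suppliers"}), {})


def visible_titles(user: User) -> List[str]:
    """What the publishing site would list for this user."""
    return trim(user, CATALOG)


if __name__ == "__main__":
    for person in (BOB, ANA, CAROL):
        print(f"{person.name}: {visible_titles(person)}")
```

The "EU returns policy" item is the instructive case: Bob passes the permission check on it, yet it never appears in his view because the division tag does not match his profile attribute. Carol, who has broader group membership than either Bob or Ana, sees only the untagged handbook until identity management places her in the tree and pushes a division attribute down.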
Okay.
Thank you, Patrick, for this presentation. So, from what I understood, we are moving to Q&A right now. So I'll bring the presenter in again. We already have a couple of questions here, and I think we best start directly with these questions. So one of the questions I have here is: what do I do to get my initial organization tree created, since we have a very large number of suppliers?
Okay, that's a good one; that is a common first challenge in a project. Well, the good thing is, if you have a large list of suppliers, that data exists in one or more systems. In some organizations, if you have multiple competing business units, you might have multiple sources of that information, but typically that is scripted or imported in via connector on a one-time basis.
If you're going to then manage it in EmpowerID, or if you're going to continue in a hybrid state to manage that information in those authoritative sources, then that connector will periodically poll them for changes. So any new suppliers automatically will get fed in and positioned into the tree. And often a supplier, let's say you have two major business divisions, a supplier may or may not work with both. They might have a relationship or contractual relationship with one of them. So that information could be fed in as well, which will control that that supplier is related to that division.
It's one of their suppliers and therefore adds another dimension that you can use to secure that access. But a connector that
The question I have here is, I think, a more specific one, or a very concrete one on a specific challenge. So, a company which has Office 365 enabled via Azure AD.
So their point is that Office 365 users have default access to the Azure portal. How can they manage this?
Sure. Access to the Azure portal?
Yeah.
And, or prohibiting access to the Azure portal, or adding fine-grained access control to the Azure portal, whatever.
Sure. There are a few ways around that. One way is you can limit who has administrative access to the Azure portal, so that when they log in there, if they're not an admin, they won't see anything, via temporary privileged access, so that users have to request to be elevated to get into the Azure portal with any administrative responsibilities.
But another way to do it is that when they're SSOing in, since EmpowerID in that case would be controlling the access to SSO into the portal, you can implement an adaptive authentication rule that will check, based upon who they are, where they're coming from, their role and where they're headed, whether or not they should have access to that, and could block that process.
Okay. Another question I have coming in here is: can role mining assist with any of this?
Role mining can.
So initially, let's say you don't have the organizational tree, you don't have any of these roles, but one thing you do have is, you know, you already have the content, you already have the SharePoint groups, you already have members, you already have the people operating, and they have the access they should have today, more or less. So you can use role mining to analyze that and to say, based on the current content access patterns, how is this access being granted? What are the implicit roles that are being used already? And you can analyze those.
And if they're a good match, you can publish them as your initial first set of roles.
Okay. Another question here. I think you already touched it, but maybe we pick it up again because you had so many things around the jelly beans. So what is the next step to delegate access once all of my jelly beans are in their virtual tenant containers?
Sure. So in EmpowerID it would be policy-based. So let's say there are various types of policies; one policy is very common.
Let's say for suppliers, we have a policy that's a hybrid of RBAC and ABAC, which we call a relative assignment. And we ship them out of the box for B2B. But basically the way it works is that if you assign someone as a partner admin, then partner admins have a policy assigned that says, okay, partner admins are administrators for any person in their organization, so in their same jelly bean container. So then automatically, when you're onboarding someone, if you assign them as a partner admin, they automatically can manage people in their organization.
Now, if you're delegating for internal divisions, the next step would be to break it out into the functional roles that you use for delegation today. And typically you'll have groups or something that represents help desk level one North America, help desk level two North America, help desk level one Europe. And those can be just imported and used as your starter roles, to convert those members and grant that access over their containers as to what they can do.
Okay. Thank you. Back to the information around the organization tree.
So a question I have here is: where can I get the information for our organization tree from? Can it come from a system like SAP HCM or Workday, or which other ways do you have?
Sure.
So those are the most common sources, because in a system like SAP HCM you have all of the position assignments. So you know the role or the job function, and you know in which organization, which part of the organizational tree, they have it. So that's very, very common; those are, you know, out of the box to pull that in from Workday or from SAP HCM or any other type of HR system. It's typically where you get it. In smaller environments where they're Active Directory only, you can leverage your Active Directory OUs as your location tree to get started.
And you can use Active Directory groups as your starter roles. So really those are the common approaches. And in some systems you're just using the attributes. So those systems might have the department attribute, they might have a division attribute, they might have a country attribute. You can build a virtual tree out of those attributes and pull that in from those systems.
Okay.
So if there are further questions, it's time to raise them now. I have one more question right now here, which is: how do I do privileged access management for cloud systems?
That one is good; it depends on the system. So in the case of Azure AD, Azure AD is based on roles. So you can grant someone a role temporarily; there are a couple of ways to do it. One is role elevation, where as a user I request access to be elevated for specific privileges, and I'm temporarily put, for the start time and end time, into that role. Another approach is that you have users that are already in those roles, and the users can check them in and check them out. So I can check out one of those identities that already has the permissions, to use it for a period of time to do those tasks.
Now, other systems: AWS is a different security model. In AWS, when you are logging in via SSO, the SAML claim that is sent through from the identity management system can tell AWS that, for this login session, this user has this role. So there's more flexibility in requesting it and controlling it, to deliver it at the last step: here's your role for this SSO session in AWS, and you're not assigned to anything in AWS. It's just completely dynamic for that session.
Okay. Thank you, Patrick. So I think we covered all the questions; we are then done for our webinar today.
Thank you very much, Patrick, for your presentation, for the deep insight you provided and the many ideas on how to do that. Thank you to all attendees for listening. Hope to have you in our other upcoming webinars and at our events. Thank you very much.
Bye everybody.