In a previous post introducing identity and access management (IAM) challenges, Business System Complexities and What To Do About It, I wrote about the issues many organizations face when they try to connect their current and future systems under a single, integrated end-user identity in order to:
1. Reduce cost and improve productivity
2. Integrate quickly, reducing expense, risk, and time
3. Reduce risk and improve compliance
4. Control provisioning and de-provisioning
There is no question that implementing these systems can be complex, both technically and in terms of business process “re-engineering”. There are good solutions on the market today that make the technical implementation easier, but how do you choose the right one for your business?
One place to start is with a technology and partner your organization already knows. I will venture to say that your organization is already using Microsoft solutions on-premises, and perhaps cloud-hosted ones as well. If you are using Microsoft cloud-hosted solutions (Office 365 or Microsoft Azure), you may not have realized that you are already on the road to extending those familiar solutions and addressing some of the IAM challenges listed above. Microsoft Azure Active Directory Premium gives you IAM functionality such as:
- Multi-factor authentication (for cloud and on-premises applications)
- Self-service password reset for users (with writeback to on-premises directories)
- Self-service group management for cloud users (to control application access)
- Advanced usage and security reports (detailed usage reports for application access, authentication activity, etc.)
Let’s take a closer look at multi-factor authentication (MFA) and how it addresses IAM concerns #1 and #3 above.
To enable MFA for Microsoft Azure Active Directory, there are essentially two steps (not kidding…):
- Create an MFA provider and link it to your Azure Active Directory
- Enable MFA for your directory users
Once MFA has been configured and enabled for users, the next time an enabled user signs in they will be prompted to go through an enrollment process, starting with a choice of which verification method they would like to use. The Azure MFA enrollment methods are:
- Mobile App – use the multi-factor authentication mobile app to approve a verification request pushed to the device, or to generate a one-time passcode (OTP)
- Mobile Phone – receive a phone call on the user’s mobile phone, or receive a verification code as a text message on the mobile phone
- Office Phone – receive a phone call on the user’s office phone
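Step 2 above (enabling MFA for directory users) and a follow-up check of how those users actually enrolled can both be scripted. The following is an added example and not code from the original post: it uses the MSOnline (Azure AD v1) PowerShell module’s Set-MsolUser and Get-MsolUser cmdlets to enable per-user MFA for a list of users and then report each user’s enrollment state and default method. It assumes step 1 (the MFA provider) is already done, that the signed-in account holds an administrator role in the tenant, and that the user principal names are placeholders. Microsoft has since deprecated the MSOnline module in favor of Microsoft Graph PowerShell, so read it as an illustration of the per-user MFA model rather than as current tooling.

```powershell
# Added example, not from the original post. Enables per-user Azure MFA for a
# list of users with the MSOnline module, then reports who has completed
# enrollment and which method they chose as default.
# Assumptions: MSOnline module installed (Install-Module MSOnline), the signed-in
# account holds an administrator role in the tenant, and the UPNs are placeholders.

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService   # interactive sign-in to the tenant

# Placeholder users to enable; in practice feed this from a CSV or a group query.
$targets = @(
    'alice@contoso.example',
    'bob@contoso.example'
)

# 'Enabled' makes the user register at next sign-in; 'Enforced' is what the
# service sets once registration is complete, after which every sign-in needs
# the second factor. 'Disabled' turns per-user MFA off again.
function Set-UserMfaState {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [ValidateSet('Enabled', 'Enforced', 'Disabled')][string]$State = 'Enabled'
    )
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'      # '*' = apply to every relying party (all applications)
    $req.State = $State
    # Set-MsolUser takes an array; an empty array clears the requirement (Disabled).
    $reqs = if ($State -eq 'Disabled') { @() } else { @($req) }
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements $reqs -ErrorAction Stop
}

foreach ($upn in $targets) {
    Set-UserMfaState -UserPrincipalName $upn -State 'Enabled'
    Write-Host "Per-user MFA set to Enabled for $upn"
}

# Enrollment report. MethodType values map to the enrollment choices in the
# post: PhoneAppNotification / PhoneAppOTP (mobile app), OneWaySMS (text
# message), TwoWayVoiceMobile (call to mobile), TwoWayVoiceOffice (call to
# office phone). A user whose state is Enabled but who has no methods has not
# yet completed the enrollment prompt.
function Get-MfaEnrollmentReport {
    Get-MsolUser -All |
        Where-Object { $_.StrongAuthenticationRequirements.Count -gt 0 } |
        ForEach-Object {
            $default = $_.StrongAuthenticationMethods | Where-Object { $_.IsDefault }
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                MfaState          = $_.StrongAuthenticationRequirements[0].State
                DefaultMethod     = if ($default) { $default.MethodType } else { '(not enrolled)' }
                MethodCount       = @($_.StrongAuthenticationMethods).Count
            }
        } |
        Sort-Object UserPrincipalName
}

Get-MfaEnrollmentReport | Format-Table -AutoSize
```

The report is the part worth keeping around: a user who sits at State Enabled with zero methods for weeks has been told to enroll and has not, so nothing is actually protecting that account yet, and a tenant where most defaults are OneWaySMS rather than the mobile app is a weaker posture than the feature list suggests.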
This process dramatically reduces the effort required for the business to enable its users, and it greatly improves the end-user’s experience of the overall process. Want to take a deeper dive into the Windows Azure MFA solution? Head over to the Microsoft Azure documentation page.
You can also use Windows Azure MFA to strengthen authentication to on-premises resources, in the same strong and easily deployed manner as for cloud-enabled applications like O365, by deploying the Windows Azure Multi-Factor Authentication Server. The MFA Server integrates with IIS authentication to secure Microsoft IIS web applications, and with RADIUS, LDAP, and Windows authentication, so existing applications and devices that already authenticate through those protocols can pick up a second factor without being modified. If you have seven minutes, take a look at this quick MSDN Channel 9 video to learn more about this component specifically.
Granted, there are a number of non-technical areas of concentration in implementing an IAM solution, such as updating or creating business processes, updating or creating a change control process, and user education. Even so, implementing the Microsoft Azure MFA solution goes a long way toward addressing many business concerns, while giving internal technical teams the ability to respond to those concerns efficiently and quickly.