Home
Microsoft

Ignite Recap 1: Automating the Identity Lifecycle Process

 

Hey there! 

 

As promised, we are recapping the Identity news from Ignite over the next few blogs. This first one is penned by Adam Steenwyk (@ajamess) and Sree Akula. They are going to help you fully automate your identity lifecycle process - from existing on-premises systems to key apps for end users. It's all made easier with the cool new capabilities we announced at Ignite!

 

I am a huge fan of this work from the security perspective:

  • automating provisioning means we don’t leave excessive permissions lying around or drive people to share creds;
  • moving authentication for all your apps to Azure AD gives you the best possible user telemetry, risk analysis, compliance and security controls;
  • pulling data into tools like Azure monitor or your own systems like Splunk give you better insight into anomalies, excessive access, and user experience – all of which helps you create a more secure, productive environment for your users!

As always, we’d love to hear any feedback or suggestions you have.

 

Enjoy!  

 

Alex Weinert (@Alex_t_weinert)

Group Program Manager, Identity Security and Protection, Microsoft Identity Division

A ton of new stuff!

Many of you have told us you want to move Identity functionality from on-premises to the cloud. In this blog we’ll focus on a few of the new capabilities that give you improved agility, cost, and confidence:

  1. Automate user provisioning from Workday with Azure AD - then manage that user access with dynamic groups.
  2. You can easily move authentication to Azure AD from AD FS (or other providers) with our new app management capabilities.
  3. Gain clarity about your Azure AD environment with Azure Monitor integration.
  4. You can get going now with pre-built guidance that helps you to get these projects off the ground in no time!

Automate user provisioning from Workday 

At Ignite we released our public preview of Workday inbound user provisioning, which enables IT admins to automate end-to-end provisioning of users from Workday to on-premises Active Directory, Azure Active Directory, Office 365, SaaS apps, and more… all from the cloud, using pre-built connectors.

 

Some of you have already successfully adopted and deployed this solution in your organization! Our Ignite session on Modernize your identity lifecycle management with Azure Active Directory showcased how customers are using this capability in concert with Azure Active Directory features such as SSO and Self-Service Password Reset to enable modern business workflows driven by HR events.

 

20181126_Fig1.png

 

We have made several improvements based on customer feedback and we are very close to making this capability generally available to all customers.

  • Access to more Workday data – provision data from any attribute supported by the Workday Get_Workers operation of the Workday Human Resources API, including photos, cost center data, employee categories, and custom user IDs. For details, see Customizing the list of Workday user attributes in the tutorial.
  • Provisioning of new hires prior to start date – provision user data as soon as it becomes available in Workday, instead of waiting until the user is set to “Active” in Workday.
  • Improved performance, reliability, and diagnostics – We have addressed many performance and reliability issues and consolidated all provisioning events from the on-premises agent and cloud-based service into the Azure AD audit logs.

Check out the detailed deployment guide on how you can automate lifecycle management of your users from Workday with Azure AD.

Manage ongoing access with Dynamic Groups

Azure AD Dynamic Groups allow IT admins to automate the critical task of granting, modifying, and removing users’ access to apps and systems access based on user profile data. This not only ensures users have correct permissions, but they are reevaluated whenever user profiles change.

Move off on-premises federation with ease

Once you get all your users in place, moving off on-premises federation solutions quickly and easily is a great next step to modernizing your identity system. We covered many of the benefits in Eight Essentials for Hybrid Identity: Federate any app with Azure Active Directory.

Cloud federation is easier than ever to configure! With your feedback, we have redesigned the UI including integrated testing, one-click setup features, and more of the claims transforms you need to move off other federation solutions.

Simplified SAML Single Sign-on Configuration UI

With our updated configuration UI, it’s simple to see what you need to fill in and to understand what the app expects. We’ve added more in-line guidance and simplified terminology to ensure you know just what to set up in the app.

 

To try this new experience out, click the Try out our new experience button from an Enterprise Application’s Single sign-on navigation item:

20181126_Fig2.png

 

 Next, let’s look at all the changes we’ve made in each of the five steps shown below:

 

20181126_Fig3.pngSimplified SAML Single Sign-On Configuration Page

In Step 1: Basic SAML Configuration you’ll get app-specific guidance and improved field validation as you fill out fields. This will to ensure you set it up right the first time. You’ll also see support for uploading application metadata documents that will automatically configure the app in Azure AD:

20181126_Fig4.pngSupport for uploading a metadata certificate, and app-specific validation

In Step 2: User Attributes & Claims, you’ll notice support for many new claims rules and transformations, including:

  • Adjust Name Identifier format
  • Specify ObjectID as Name Identifier
  • ToUppercase(), ToLowerCase()
  • Set Directory Extension Properties as Name Identifier

You can set the new identifier formats by clicking the edit icon to the right of the “Name identifier value” field:

20181126_Fig5.pngSetting a Name Identifier format with ObjectID as the identifier

You can see the new transformations by clicking the “Add new claim” button:

20181126_Fig6.pngAdding a new claim using the ToLowercase() transformation on an extension attribute

In Step 3: SAML Signing Certificate, you’ll see two new changes. At the top of the page, you’ll see that by clicking Import Certificate, you can customize the certificate used for signing the SAML token. Further down, you can specify multiple emails to notify when certificates are about to expire:

20181126_Fig7.pngImporting custom certs and setting multiple certificate expiration notification email addresses

In Step 4: Set up the App, you’ll notice you have the option to manually configure Zendesk by following our inline tutorial (see all SaaS app tutorials):

20181126_Fig8.pngOption to manually or automatically configure the app with the Secure Sign-in Extension

And now you can auto-configure the application using the My Apps Secure Sign-in browser extension available for Chrome, Edge, and Firefox to automatically fill out the fields in the application automatically – now you don’t have to manually copy and paste information between Azure AD and the app!

20181126_Fig9.pngAutomatic configuration of Zendesk with the MyApps Secure Sign-in Extension

This functionality is supported today for Zendesk, JAMF Pro, and ArcGIS, and we’re expanding it to more apps soon. Want to see it in action in real time? Check out our Hybrid Identity and Access Management Best Practices Ignite session!

 

Finally, in Step 5: Test single sign-on, you’ll find automated guidance that troubleshoots and automatically fixes over a dozen common configuration errors in just a couple of clicks!

To get started, click the “Sign in” button on the testing blade, and then enter your credentials. If you have the My Apps Secure Sign-in browser extension installed and are signed in to the extension as your administrative account, any errors will automatically be passed back and diagnosed. Otherwise, you will need to manually copy-paste the error text on the sign in screen to get resolution guidance.

In the screenshot below, I forgot to assign the test user to the application – the system detects the problem, and I just click “Fix It” to automatically address the error:

20181126_Fig10.pngFixing an error automatically with our new testing experiences

Once you successfully sign in, you’ll also notice that you get a full dump of all the SAML information exchanged between the app and Azure AD. No more fiddler required!

20181126_Fig11.pngViewing SAML token information for a successful sign-in

Monitor with Log Analytics or your favorite Analytics tool   

We heard you loud and clear that you need a way to seamlessly access all the data your modernized identity management system creates for you, whether for long term retention or to integrate with your favorite analytics tools. Over the last year, we have made several enhancements in all these areas.

Conditional Access information in Azure AD Sign-in report

As we mentioned in recent blog post we have enhanced the Azure AD Sign-in reports to include information about conditional access policies and give you great visibility on the impact of your policies at scale:

20181126_Fig12.pngConditional Access in Sign-in report

Azure AD Activity Logs in Azure Monitor Diagnostics

If you need to retain audit logs beyond Azure AD’s 90-day period or consume them in your tools like Splunk or SumoLogic, Azure AD activity logs in Azure Monitor Diagnostics is the answer. With just a few clicks (and no scripts!) you can route the logs to your Azure Storage account or Event hub. Check out this recent blog post and our real-time demo at Ignite to learn more!

20181126_Fig13.pngAzure AD logs in Azure Monitor

Azure AD Activity Logs in Azure Log Analytics

We also announced the ability to forward your Azure AD activity logs to Azure Log Analytics, giving you the power to query all you Azure AD data to find events, analyze trends, and create rich visualizations within minutes.

20181126_Fig14.pngAzure AD Logs in Azure Log Analytics

Speed up all your projects with pre-built plans

We hear more and more from you about the pressures of the modern IT environment, and how you have to be efficient focus your efforts where they count.

 

While many of the new features we’ve discussed help, they aren’t enough to get a project off the ground. We understand how important it is to have great documentation available to help you get projects going quickly. 

 

For example, we’ve developed a new content hub to help you move apps to cloud authentication, covered in Eight Essentials for Hybrid Identity: Federate any app with Azure Active Directory.

This includes a new apps migration whitepaper, tooling that helps discover apps on ADFS and transition them to Azure AD, and deployment plans that you can use to get going right away.

We’ve built many of our Deployment Plans right into our portal experiences for all the apps in our Gallery, so you can get them when you need them most.

 

Check them out!  Go to any Enterprise Application and click on the Deployment Plans navigation item.

20181126_Fig15.pngPre-built deployment plans in the Azure Portal

Tell us what you think

As always, we’d love to hear any feedback or suggestions you have. Please let us know what you think in the comments below or send us an email at aadappfeedback@microsoft.com