Howdy folks,
Today, we present the next part of our “Eight Essentials for Hybrid Identity” blog series, based on what we’ve learned from working with tens of thousands of organizations on securing their hybrid environments.
In the first part of the series, we covered how the average enterprise collectively uses more than 300 software-as-a-service (SaaS) apps. Relying on an on-premises identity solution as the control point makes connecting to all these cloud applications a nearly impossible task. Next, we discussed establishing identities in the cloud as a step toward setting up single sign-on (SSO) for your employees and partners to all these SaaS applications.
In today’s post, we cover how you can use Azure Active Directory (Azure AD) to automate user account provisioning and de-provisioning to those SaaS applications to improve your organizational efficiency and increase security.
To help walk you through this, I’ve invited Aaron Smalser, the program manager on my team working on cloud-based automated user provisioning, to share his insight. I hope you find his blog useful!
As always, we’d love to hear any feedback or suggestions you have.
Best regards,
Alex Simons (Twitter: @alex_a_simons)
Corporate VP of Program Management
Microsoft Identity Division
Hi folks,
I’m Aaron Smalser, and for the last five years, I’ve been part of a great group of people at Microsoft helping enterprise customers manage user provisioning, SSO, and access to SaaS applications.
Among the many challenges customers face with managing SaaS apps, automating the ongoing creation, updating, and disabling of SaaS user accounts is one of the hardest. This is made especially difficult by a lack of consistency in:
On top of this, large enterprise businesses need a consistent, automated way to manage who gets access to these apps, what level of authorization they should have based on their organizational profile, and when they should lose access.
Without a ready-made cloud-based solution that enables this for multiple SaaS applications, enterprise businesses are faced with standing up expensive on-premises and/or custom automated solutions for each individual app, or worse: subsist on manual user provisioning and deprovisioning where people are tasked with ongoing account creation and removal.
The Azure AD user provisioning service enables automated, policy-based provisioning and deprovisioning of user accounts to a variety of popular SaaS applications, including ones that implement the SCIM 2.0 standard. This service manages over 40 million user identities stored across various SaaS apps and cloud services today. Unlike traditional provisioning solutions, which require on-premises infrastructure and custom code, the provisioning service is hosted in the cloud, and features pre-integrated connectors that can be set up and managed using the Azure portal.
The benefits of using the service include:
To address the challenges posed by managing identities in SaaS applications, Azure AD provides a wealth of capabilities that let you customize how users should be provisioned within your environment including:
Once Azure AD user provisioning is set up and enabled for a SaaS app, users and groups are automatically provisioned and kept up to date as changes are made to them in Azure AD. For detailed information about what operations Azure AD performs during user provisioning, see What happens during provisioning. For information about how frequently users and groups are provisioned, see How long will it take to provision users.
An exciting development in recent years has been the emergence and popularization of SCIM (System for Cross-domain Identity Management), a standard protocol and schema that aims to drive greater consistency in how identities are managed across systems. The number of SaaS applications that support SCIM is growing, and we've seen the number of SCIM app integrations with Azure AD grow 500 percent in just the last 12 months.
Many of our most popular apps in our list of supported applications support SCIM. In addition, customers can connect unlisted apps that support SCIM 2.0 using our non-gallery integration option in the Azure portal.
For more information on the Azure AD SCIM implementation, including requirements for developers and sample code, see Using SCIM to automatically provision users and groups from Azure AD to applications.
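To make the provisioning flow described above (the existence check, create, update, and disable operations that the service performs against an app) concrete, here is an added example of the application side: a minimal in-memory SCIM 2.0 `/Users` endpoint written for this post, not Microsoft's code and not the provisioning service itself. It assumes a hypothetical shared bearer token, an in-memory store, only the `userName eq "..."` filter, and only `replace` patch operations; the user `alice@contoso.example` and the request sequence in `provisioning_lifecycle` are constructed to mirror the order of calls a SCIM client such as Azure AD makes.

```python
"""Minimal in-memory SCIM 2.0 /Users endpoint answering the calls a provisioning
client makes: filter check, create, patch, disable (active=false), delete.
Constructed example for this post; not Microsoft's code or the real service."""
import re
import secrets
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
BEARER_TOKEN = "example-secret-token"  # hypothetical shared secret; keep the real one in a vault
FILTER_RE = re.compile(r'^userName eq "([^"]*)"$')  # the one filter form this example supports
PATCHABLE = ("active", "displayName")  # attributes a PATCH may replace


def _as_bool(v):
    """Accept true/false as bool or string; bool("False") would be True, so parse explicitly."""
    if isinstance(v, bool):
        return v
    if isinstance(v, str) and v.lower() in ("true", "false"):
        return v.lower() == "true"
    raise ValueError(f"not a boolean: {v!r}")


def _error(status, detail):
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


class ScimUserStore:
    def __init__(self):
        self.users = {}  # id -> SCIM User resource

    def handle(self, method, path, query=None, body=None, auth=None):
        """Dispatch one HTTP request; returns (status_code, json_body)."""
        # Constant-time token compare before touching any resource.
        if not auth or not secrets.compare_digest(auth, "Bearer " + BEARER_TOKEN):
            return _error(401, "invalid bearer token")
        m = re.fullmatch(r"/Users(?:/([^/]+))?", path)
        if not m:
            return _error(404, "unknown resource")
        try:
            return self._dispatch(method, m.group(1), (query or {}).get("filter"), body)
        except ValueError as e:  # malformed attribute values become 400, not a crash
            return _error(400, str(e))

    def _dispatch(self, method, user_id, flt, body):
        if user_id is None:
            if method == "GET":
                return self._list(flt)
            if method == "POST":
                return self._create(body)
            return _error(405, "method not allowed")
        user = self.users.get(user_id)
        if user is None:
            return _error(404, "user not found")
        if method == "GET":
            return 200, user
        if method == "PATCH":
            return self._patch(user, body)
        if method == "DELETE":
            del self.users[user_id]
            return 204, None
        return _error(405, "method not allowed")

    def _list(self, flt):
        # The client first asks GET /Users?filter=userName eq "x" to decide create vs. update.
        if flt is None:
            matches = list(self.users.values())
        else:
            m = FILTER_RE.match(flt)
            if not m:
                return _error(400, "unsupported filter")  # never fall back to "return everything"
            wanted = m.group(1).lower()
            matches = [u for u in self.users.values() if u["userName"].lower() == wanted]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(matches),
                     "startIndex": 1, "itemsPerPage": len(matches), "Resources": matches}

    def _create(self, body):
        if not body or not body.get("userName"):
            return _error(400, "userName is required")
        if any(u["userName"].lower() == body["userName"].lower() for u in self.users.values()):
            return _error(409, "userName already exists")  # uniqueness conflict
        user = {"schemas": [USER_SCHEMA], "id": str(uuid.uuid4()), "userName": body["userName"],
                "displayName": body.get("displayName", ""), "active": _as_bool(body.get("active", True))}
        self.users[user["id"]] = user
        return 201, user

    def _patch(self, user, body):
        # Deprovisioning arrives as a PatchOp replacing "active" with false; the record stays.
        if not body or PATCH_SCHEMA not in body.get("schemas", []):
            return _error(400, "expected a PatchOp body")
        for op in body.get("Operations", []):
            path = op.get("path")
            if op.get("op", "").lower() != "replace" or path not in PATCHABLE:
                return _error(400, f"unsupported operation {op.get('op')} on {path}")
            user[path] = _as_bool(op["value"]) if path == "active" else op["value"]
        return 200, user


def provisioning_lifecycle(store, upn="alice@contoso.example"):
    """Replay the constructed sequence a provisioning client runs for one user."""
    auth = "Bearer " + BEARER_TOKEN
    flt = {"filter": f'userName eq "{upn}"'}
    s1, r1 = store.handle("GET", "/Users", query=flt, auth=auth)  # not there yet
    s2, user = store.handle("POST", "/Users", auth=auth, body={
        "schemas": [USER_SCHEMA], "userName": upn, "displayName": "Alice", "active": True})
    s3, r3 = store.handle("GET", "/Users", query=flt, auth=auth)  # found: update path from now on
    s4, _ = store.handle("PATCH", f"/Users/{user['id']}", auth=auth, body={
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "Replace", "path": "active", "value": "False"}]})  # disable
    return [s1, r1["totalResults"], s2, s3, r3["totalResults"], s4, store.users[user["id"]]["active"]]
```

Two choices matter for security here: an unsupported filter is rejected with 400 rather than silently returning every user (which would make the client treat the first result as a match), and `active` is parsed explicitly so a string value such as `"False"` cannot be truthy-coerced into leaving a deprovisioned account enabled. A real endpoint would sit behind TLS, validate the bearer token against a secret store, and persist users in a database; the rest of the request handling stays the same.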
Among the requests we receive to support provisioning for selected apps, we're seeing red-hot interest from enterprise customers in automating user provisioning from cloud-based Human Capital Management (HCM) systems like Workday and SAP SuccessFactors to both Azure AD and on-premises AD. To that end, we shipped a public preview of user provisioning from Workday, which we've been iterating on since its release. For more information, see Configure Workday for automatic user provisioning.
To get started, find your SaaS applications in our list of supported applications and review the tutorials. We’re always listening to requests, so if you don’t find the applications you need, you can file and track your request at Azure AD application requests.
For a quick overview of the steps required to set up and troubleshoot automatic user provisioning for a SaaS application: watch this video!
Finally, we have a sample deployment guide to help you plan your deployments of Azure AD user provisioning for SaaS apps in your organization.
Check out the other posts in this series: