As promised, we are recapping the Identity news from Ignite over the next few blogs. This first one is penned by Adam Steenwyk (@ajamess) and Sree Akula. They are going to help you fully automate your identity lifecycle process - from existing on-premises systems to key apps for end users. It's all made easier with the cool new capabilities we announced at Ignite!
I am a huge fan of this work from the security perspective:
As always, we’d love to hear any feedback or suggestions you have.
Alex Weinert (@Alex_t_weinert)
Group Program Manager, Identity Security and Protection, Microsoft Identity Division
Many of you have told us you want to move Identity functionality from on-premises to the cloud. In this blog we’ll focus on a few of the new capabilities that give you improved agility, cost, and confidence:
At Ignite we released our public preview of Workday inbound user provisioning, which enables IT admins to automate end-to-end provisioning of users from Workday to on-premises Active Directory, Azure Active Directory, Office 365, SaaS apps, and more… all from the cloud, using pre-built connectors.
Some of you have already successfully adopted and deployed this solution in your organization! Our Ignite session on Modernize your identity lifecycle management with Azure Active Directory showcased how customers are using this capability in concert with Azure Active Directory features such as SSO and Self-Service Password Reset to enable modern business workflows driven by HR events.
We have made several improvements based on customer feedback and we are very close to making this capability generally available to all customers.
Check out the detailed deployment guide on how you can automate lifecycle management of your users from Workday with Azure AD.
Azure AD Dynamic Groups allow IT admins to automate the critical task of granting, modifying, and removing users’ access to apps and systems access based on user profile data. This not only ensures users have correct permissions, but they are reevaluated whenever user profiles change.
Once you get all your users in place, moving off on-premises federation solutions quickly and easily is a great next step to modernizing your identity system. We covered many of the benefits in Eight Essentials for Hybrid Identity: Federate any app with Azure Active Directory.
Cloud federation is easier than ever to configure! With your feedback, we have redesigned the UI including integrated testing, one-click setup features, and more of the claims transforms you need to move off other federation solutions.
With our updated configuration UI, it’s simple to see what you need to fill in and to understand what the app expects. We’ve added more in-line guidance and simplified terminology to ensure you know just what to set up in the app.
To try this new experience out, click the Try out our new experience button from an Enterprise Application’s Single sign-on navigation item:
Next, let’s look at all the changes we’ve made in each of the five steps shown below:
In Step 1: Basic SAML Configuration you’ll get app-specific guidance and improved field validation as you fill out fields. This will to ensure you set it up right the first time. You’ll also see support for uploading application metadata documents that will automatically configure the app in Azure AD:
In Step 2: User Attributes & Claims, you’ll notice support for many new claims rules and transformations, including:
You can set the new identifier formats by clicking the edit icon to the right of the “Name identifier value” field:
You can see the new transformations by clicking the “Add new claim” button:
In Step 3: SAML Signing Certificate, you’ll see two new changes. At the top of the page, you’ll see that by clicking Import Certificate, you can customize the certificate used for signing the SAML token. Further down, you can specify multiple emails to notify when certificates are about to expire:
In Step 4: Set up the App, you’ll notice you have the option to manually configure Zendesk by following our inline tutorial (see all SaaS app tutorials:(
And now you can auto-configure the application using the My Apps Secure Sign-in browser extension available for Chrome, Edge, and Firefox to automatically fill out the fields in the application automatically – now you don’t have to manually copy and paste information between Azure AD and the app!
This functionality is supported today for Zendesk, JAMF Pro, and ArcGIS, and we’re expanding it to more apps soon. Want to see it in action in real time? Check out our Hybrid Identity and Access Management Best Practices Ignite session!
Finally, in Step 5: Test single sign-on, you’ll find automated guidance that troubleshoots and automatically fixes over a dozen common configuration errors in just a couple of clicks!
To get started, click the “Sign in” button on the testing blade, and then enter your credentials. If you have the My Apps Secure Sign-in browser extension installed and are signed in to the extension as your administrative account, any errors will automatically be passed back and diagnosed. Otherwise, you will need to manually copy-paste the error text on the sign in screen to get resolution guidance.
In the screenshot below, I forgot to assign the test user to the application – the system detects the problem, and I just click “Fix It” to automatically address the error:
Once you successfully sign in, you’ll also notice that you get a full dump of all the SAML information exchanged between the app and Azure AD. No more fiddler required!
We heard you loud and clear that you need a way to seamlessly access all the data your modernized identity management system creates for you, whether for long term retention or to integrate with your favorite analytics tools. Over the last year, we have made several enhancements in all these areas.
As we mentioned in recent blog post we have enhanced the Azure AD Sign-in reports to include information about conditional access policies and give you great visibility on the impact of your policies at scale:
If you need to retain audit logs beyond Azure AD’s 90-day period or consume them in your tools like Splunk or SumoLogic, Azure AD activity logs in Azure Monitor Diagnostics is the answer. With just a few clicks (and no scripts!) you can route the logs to your Azure Storage account or Event hub. Check out this recent blog post and our real-time demo at Ignite to learn more!
We also announced the ability to forward your Azure AD activity logs to Azure Log Analytics, giving you the power to query all you Azure AD data to find events, analyze trends, and create rich visualizations within minutes.
We hear more and more from you about the pressures of the modern IT environment, and how you have to be efficient focus your efforts where they count.
While many of the new features we’ve discussed help, they aren’t enough to get a project off the ground. We understand how important it is to have great documentation available to help you get projects going quickly.
For example, we’ve developed a new content hub to help you move apps to cloud authentication, covered in Eight Essentials for Hybrid Identity: Federate any app with Azure Active Directory.
We’ve built many of our Deployment Plans right into our portal experiences for all the apps in our Gallery, so you can get them when you need them most.
Check them out! Go to any Enterprise Application and click on the Deployment Plans navigation item.
As always, we’d love to hear any feedback or suggestions you have. Please let us know what you think in the comments below or send us an email at firstname.lastname@example.org.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.