Howdy folks,
Today, we present the next part of our “Eight Essentials for Hybrid Identity” blog series, based on what we’ve learned from working with tens of thousands of organizations on securing their hybrid environments.
In the first part of the series, we covered how the average enterprise collectively uses more than 300 software-as-a-service (SaaS) apps. Relying on an on-premises identity solution as the control point makes connecting to all these cloud applications a nearly impossible task. Next, we discussed establishing identities in the cloud as a step toward setting up single sign-on (SSO) for your employees and partners to all these SaaS applications.
In today’s post, we cover how you can use Azure Active Directory (Azure AD) to automate user account provisioning and de-provisioning to those SaaS applications to improve your organizational efficiency and increase security.
To help walk you through this, I’ve invited Aaron Smalser, the program manager on my team working on cloud-based automated user provisioning, to share his insight. I hope you find his blog useful!
As always, we’d love to hear any feedback or suggestions you have.
Best regards,
Alex Simons (Twitter: @alex_a_simons)
Corporate VP of Program Management
Microsoft Identity Division
#5 Automate user provisioning and de-provisioning to SaaS applications
Hi folks,
I’m Aaron Smalser, and for the last five years, I’ve been part of a great group of people at Microsoft helping enterprise customers manage user provisioning, SSO, and access to SaaS applications.
Among the many challenges customers face with managing SaaS apps, automating the ongoing creation, updating, and disabling of SaaS user accounts is one of the hardest. This is made especially difficult by a lack of consistency in:
- How users are uniquely identified in each SaaS app, ranging from user names to email addresses to employee IDs.
- How SaaS apps implement user management, ranging from web-based portals to CSV uploads to SOAP or REST-based management APIs.
- What baseline set of user attributes each SaaS app needs for users to have a functional experience.
- How users are authorized within the SaaS app, ranging from app-specific roles to profiles to permission sets.
On top of this, large enterprise businesses need a consistent, automated way to manage who gets access to these apps, what level of authorization they should have based on their organizational profile, and when they should lose access.
Without a ready-made cloud-based solution that enables this for multiple SaaS applications, enterprise businesses are faced with standing up expensive on-premises and/or custom automated solutions for each individual app, or worse, subsisting on manual user provisioning and deprovisioning, where people are tasked with ongoing account creation and removal.
Enter Azure AD user provisioning
The Azure AD user provisioning service enables automated, policy-based provisioning and deprovisioning of user accounts to a variety of popular SaaS applications, including ones that implement the SCIM 2.0 standard. This service manages over 40 million user identities stored across various SaaS apps and cloud services today. Unlike traditional provisioning solutions, which require on-premises infrastructure and custom code, the provisioning service is hosted in the cloud, and features pre-integrated connectors that can be set up and managed using the Azure portal.
The benefits of using the service include:
- Eliminating manual processes—No more manual, error-prone processes to create, update, or disable employee user accounts when they join, move within, or leave the company.
- Increasing timely access—Reduce the time to enable productivity for employees joining or moving within the company.
- Protecting your organization—Automatically disable user accounts in a timely fashion when employees leave the organization, so no orphaned accounts remain as a way back in.
- One set of policies—Manage user access to apps using a single set of access policies that span SSO, user provisioning, and app access.
User provisioning that can be customized to your individual organization’s needs
To address the challenges posed by managing identities in SaaS applications, Azure AD provides a wealth of capabilities that let you customize how users should be provisioned within your environment including:
- Match existing users—You can provision new users, as well as take over provisioning management of existing users, by choosing how the ID values in Azure AD and the SaaS app should be matched.
- Map attributes between systems—Customizable attribute mappings allow you to control what attributes should flow from Azure AD to the SaaS application. For ease of use, Azure AD provides attribute mappings for each app that can optionally be customized.
- Transform attribute values—You can transform attribute values from Azure AD into any format required by the application using expressions.
- Scope which users and groups should be provisioned—Determine who should be provisioned and who shouldn’t using the standard group-based assignments used for SSO, or by using attribute-based scoping filters that filter on specific attribute values.
- Provision groups and group memberships—Some SaaS apps have their own internal groups, where users provisioned to those apps need to be added as group members. For these apps, Azure AD can provision groups and group memberships based on assigned groups in Azure AD.
Once Azure AD user provisioning is set up and enabled for a SaaS app, users and groups are automatically provisioned and kept up to date as changes are made to them in Azure AD. For detailed information about what operations Azure AD performs during user provisioning, see What happens during provisioning. For information about how frequently users and groups are provisioned, see How long will it take to provision users.
SCIM is the emerging standard for simplifying user provisioning in the cloud
An exciting development in recent years has been the emergence and popularization of SCIM, a standard protocol and schema that aims to drive greater consistency in how identities are managed across systems. The number of SaaS applications that support SCIM is growing, and we’ve seen the number of SCIM app integrations with Azure AD grow 500 percent in just the last 12 months.
Many of the most popular apps in our list of supported applications support SCIM. In addition, customers can connect unlisted apps that support SCIM 2.0 using our non-gallery integration option in the Azure portal.
For more information on the Azure AD SCIM implementation, including requirements for developers and sample code, see Using SCIM to automatically provision users and groups from Azure AD to applications.
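As an added example (not the Azure AD service’s own code, and not from the original post), the following Python models one provisioning cycle of the kind described in the two sections above against a toy SCIM 2.0 /Users endpoint: group assignment plus an attribute-based scoping filter decide who should be provisioned, a hypothetical attribute mapping (with a displayName transformation) builds the SCIM resource, a `userName eq` filter query matches pre-existing accounts so they are taken over rather than duplicated, and unassigned, out-of-scope, or disabled users are set to `active: false` rather than deleted. The class, the mapping, and the sample users are constructed for this example; the real service’s request sequence and its handling of unassignment differ in detail (see the linked provisioning documentation).

```python
"""Added example, not Azure AD's own code: one provisioning cycle against an
in-memory stand-in for a SaaS app's SCIM 2.0 /Users endpoint (scoping, attribute
mapping with a transformation, matching on the app's ID, then create / update /
disable). Message shapes follow SCIM 2.0 (RFC 7643, RFC 7644); users, mapping and
scoping rule are constructed sample data."""
import re

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ScimTarget:
    """Toy SCIM 2.0 server exposing only what a provisioning cycle needs."""
    def __init__(self):
        self.users, self.log = {}, []  # id -> resource; (method, path) of each request

    def get_users(self, filter_expr):
        """GET /Users?filter=userName eq "x" (the matching query)."""
        self.log.append(("GET", f"/Users?filter={filter_expr}"))
        m = re.fullmatch(r'userName eq "([^"]*)"', filter_expr)
        if not m:
            raise ValueError(f"unsupported filter: {filter_expr}")
        # userName is caseExact=false in the SCIM core schema, so compare case-insensitively
        hits = [u for u in self.users.values() if u["userName"].lower() == m.group(1).lower()]
        return {"schemas": [SCIM_LIST], "totalResults": len(hits), "Resources": hits}

    def post_user(self, resource):
        """POST /Users (create)."""
        self.log.append(("POST", "/Users"))
        new = dict(resource, id=str(len(self.users) + 1), schemas=[SCIM_USER])
        self.users[new["id"]] = new
        return new

    def patch_user(self, user_id, patch):
        """PATCH /Users/{id} (update or disable); top-level 'replace' ops only."""
        self.log.append(("PATCH", f"/Users/{user_id}"))
        for op in patch["Operations"]:
            if patch["schemas"] != [SCIM_PATCH] or op["op"] != "replace":
                raise ValueError("unsupported PATCH message")
            self.users[user_id][op["path"]] = op["value"]
        return self.users[user_id]


# Attribute mapping (hypothetical): target SCIM attribute -> value derived from the
# Azure AD user. displayName is a transformation joining two source attributes.
MAPPING = {
    "userName": lambda u: u["userPrincipalName"],
    "externalId": lambda u: u["objectId"],
    "displayName": lambda u: f'{u["givenName"]} {u["surname"]}',
    "active": lambda u: u["accountEnabled"],
}


def patch_of(changes):
    return {"schemas": [SCIM_PATCH], "Operations": [
        {"op": "replace", "path": k, "value": v} for k, v in changes.items()]}


def sync(aad_users, assigned_ids, in_scope, target):
    """Run one cycle; returns {userPrincipalName: action taken} for inspection."""
    actions = {}
    for u in aad_users:
        key = MAPPING["userName"](u)
        wanted = u["objectId"] in assigned_ids and in_scope(u) and u["accountEnabled"]
        found = target.get_users(f'userName eq "{key}"')["Resources"]
        desired = {attr: f(u) for attr, f in MAPPING.items()}
        if wanted and not found:
            target.post_user(desired)
            actions[key] = "created"
        elif wanted:  # matched: take over the pre-existing account, push only the diff
            diff = {k: v for k, v in desired.items() if found[0].get(k) != v}
            if diff:
                target.patch_user(found[0]["id"], patch_of(diff))
            actions[key] = "updated" if diff else "unchanged"
        elif found and found[0].get("active", True):
            # Unassigned, out of scope or disabled in Azure AD: disable rather than delete,
            # so the app keeps its records and a mistaken unassignment is reversible.
            target.patch_user(found[0]["id"], patch_of({"active": False}))
            actions[key] = "disabled"
        else:
            actions[key] = "skipped"
    return actions


def demo():
    # Two cycles over three constructed users; the app already holds two accounts.
    ada = {"objectId": "a1", "userPrincipalName": "ada@contoso.example", "givenName": "Ada",
           "surname": "Lovelace", "department": "Engineering", "accountEnabled": True}
    bob = dict(ada, objectId="b2", userPrincipalName="bob@contoso.example", givenName="Bob",
               surname="Ross", department="Sales")
    cy = dict(ada, objectId="c3", userPrincipalName="cy@contoso.example", givenName="Cy",
              surname="Young", accountEnabled=False)
    target = ScimTarget()
    target.post_user({"userName": "Ada@Contoso.example", "displayName": "A. Lovelace", "active": True})
    target.post_user({"userName": "cy@contoso.example", "displayName": "Cy Young", "active": True})
    engineering = lambda u: u["department"] == "Engineering"  # attribute-based scoping filter
    first = sync([ada, bob, cy], {"a1", "b2", "c3"}, engineering, target)
    bob["department"] = "Engineering"  # Bob moves teams, so the next cycle brings him in scope
    second = sync([ada, bob, cy], {"a1", "b2", "c3"}, engineering, target)
    return first, second, target


if __name__ == "__main__":
    print(*demo()[:2], sep="\n")
```

The two cycles in demo() exercise the three cases that matter operationally: an account that already existed in the app is matched case-insensitively on userName and updated in place instead of being created a second time; a user disabled in Azure AD has the app account deactivated on the next cycle; and a user whose department change brings him into scope is created. Matching before creating is what prevents duplicate accounts when you turn provisioning on for an app that already has users.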
Migrating to cloud-based HCM is a major inflection point for adopting cloud-based provisioning solutions
Among the requests we receive to support provisioning for selected apps, we’re seeing red-hot interest from enterprise customers in automating user provisioning from cloud-based Human Capital Management (HCM) systems like Workday and SAP SuccessFactors to both Azure AD and on-premises AD. To that end, we shipped a public preview of user provisioning from Workday, which we’ve been iterating on since its release. For more information, see Configure Workday for automatic user provisioning.
Get started with Azure AD user provisioning
To get started, find your SaaS applications in our list of supported applications and review the tutorials. We’re always listening to requests, so if you don’t find the applications you need, you can file and track your request at Azure AD application requests.
For a quick overview of the steps required to set up and troubleshoot automatic user provisioning for a SaaS application: watch this video!
Finally, we have a sample deployment guide to help you plan your deployments of Azure AD user provisioning for SaaS apps in your organization.
Check out the other posts in this series:
- Eight Essentials for Hybrid Identity: #1 A new identity mindset
- Eight Essentials for Hybrid Identity: #2 Choosing the right authentication method
- Eight Essentials for Hybrid Identity: #3 Securing your identity infrastructure
- Eight Essentials for Hybrid Identity: #4 Federate any app with Azure Active Directory