IAM system is not enough

Gunnar Weld

July 27, 2024

Modern Entra ID themed meeting room with a white conference table, gray chairs, wooden wall panels, and a large display screen symbolizing forgotten but still active resource accounts in Microsoft 365 security.

Traditionally, organizations have secured their identities and applications by storing them locally in an on-premises environment. Here, only authorized users had access to critical systems. However, with the transition to the cloud and the introduction of hybrid infrastructures, where data flows freely between on-premises and cloud-based platforms, access management has become significantly more complex.

Identity and Access Management (IAM) systems play an essential role in modern security strategies, but on their own they are not sufficient to handle all the challenges of protecting identities in an environment as advanced as Microsoft Entra ID.

What is Microsoft Entra ID and what does it do?

Microsoft Entra ID (formerly known as Azure AD) is Microsoft’s comprehensive cloud-based identity and access management solution. Entra ID helps organizations secure access to applications and resources across an entire ecosystem, including Microsoft cloud services and third-party applications.

Entra ID is designed to support a range of modern work requirements, including access management for internal employees, external partners, guest accounts, test accounts, administrator accounts, and external applications. Each of these identities has different access needs, and it is critical that they are well protected and hold only the permissions they actually require.


Microsoft Entra ID offers several benefits that enhance both security and efficiency for organizations. With features like multi-factor authentication (MFA) and Conditional Access, it protects against unauthorized access. Single Sign-On (SSO) and application integrations ensure easy and fast access, improving productivity. The system can be customized to the needs of both small and large businesses and supports various user types, from employees to external partners. As part of Microsoft’s security services, Microsoft Entra ID plays an important role in managing and securing identities in our digital world.

The challenges with Microsoft Entra ID are that it is new to many, very complex, and has many configuration options that depend on the organization’s license level.

An organization’s data is now reachable from the internet, which places greater demands on knowing every user account the organization has and securing each of them well. This is not a responsibility that an IT department can take on alone. It is up to each company leader to ensure that the routines for hiring, contracting, changing, and terminating employment are followed. To assist each leader in these activities, an HR department often takes responsibility for these processes and routines.

For user types such as employees and hired consultants, an “identity and access management” system (IAM) will often help take control of ensuring these activities are carried out correctly through automation.

How an IAM System Works

IAM systems often integrate with HR systems to automate the creation, modification, and deletion of user identities. When new employees are added to the HR system, the IAM system can automatically create user accounts and assign access rights based on the employee’s role. This ensures an efficient and secure onboarding process.


Example of HR-driven provisioning using the Microsoft Entra provisioning service.

In collaboration with Microsoft Entra ID, the IAM system can use Entra ID’s robust authentication and authorization mechanisms to provide access to relevant Microsoft and third-party applications. When employees change roles or leave the company, the HR system updates the IAM system, which adjusts or removes access rights. This ensures that access is always updated and in line with the company’s security policy and the users’ current job functions.

Challenges with Entra ID vs. IAM

So, what can go wrong?

Despite its many advantages, one must not fall into the trap of thinking that an IAM system solves all the challenges an IT department faces in keeping track of all identities in Entra ID.


Identities in Entra ID are created in various ways. Users who originate in an HR system and are created via an IAM system are usually well controlled. However, there are typically also many identities that are created directly in Entra ID, outside the IAM process.

  1. Lack of Comprehensive Overview: IAM systems only take control of the user accounts belonging to the people defined in the HR system, but Entra ID holds much more. This includes guest accounts, test accounts, administrator accounts, external users, and service accounts, and it is easy to lose track of all the identities that have access to the systems. The IAM system also does not clean up the historical user accounts already present in Entra ID, and it remains possible to create user accounts directly in Entra ID that are never defined in the HR system.

  2. Complex License and Access Management: An IAM system can assign licenses and rights based on rule sets, but can you verify that the rules work as intended? We have encountered companies that discover their rule sets do not achieve the desired results once they see the actual usage in their Microsoft Entra ID environment.
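A defender's first step toward the overview described above is to classify every account in the directory rather than only the HR-managed ones. The following is an added example, not code from the original article or any product it mentions: it runs over constructed sample objects shaped like the Microsoft Graph `/users` resource (`userType`, `employeeId`, `accountEnabled`, `signInActivity`) and flags guests, members with no HR anchor, accounts that have never signed in, and accounts stale for more than 90 days. The assumption that a populated `employeeId` marks an HR-provisioned account, and the 90-day threshold, are the author's choices for this illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data, shaped like Microsoft Graph /users objects.
# (signInActivity is only returned on tenants with an Entra ID P1 license.)
NOW = datetime(2024, 7, 27, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"userPrincipalName": "anna@example.org", "userType": "Member",
     "employeeId": "E1001", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2024-07-25T08:12:00Z"}},
    {"userPrincipalName": "john.doe@example.org", "userType": "Member",
     "employeeId": None, "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2023-11-02T16:40:00Z"}},
    {"userPrincipalName": "svc-backup@example.org", "userType": "Member",
     "employeeId": None, "accountEnabled": True,
     "signInActivity": None},
    {"userPrincipalName": "partner_ext.com#EXT#@example.org", "userType": "Guest",
     "employeeId": None, "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2024-01-10T09:00:00Z"}},
    {"userPrincipalName": "old.contractor@example.org", "userType": "Member",
     "employeeId": "E0420", "accountEnabled": False,
     "signInActivity": {"lastSignInDateTime": "2022-03-01T10:00:00Z"}},
]


def classify(user, now=NOW, stale_days=90):
    """Return the list of findings for one user object (empty if clean)."""
    findings = []
    if not user.get("accountEnabled"):
        return findings  # a disabled account is not a live key to the tenant
    if user.get("userType") == "Guest":
        findings.append("guest")
    elif not user.get("employeeId"):
        # Assumption: HR-driven provisioning always sets employeeId, so a
        # Member without one was created directly in Entra ID.
        findings.append("not-hr-managed")
    activity = user.get("signInActivity") or {}
    last = activity.get("lastSignInDateTime")
    if last is None:
        findings.append("never-signed-in")
    else:
        last_dt = datetime.fromisoformat(last.replace("Z", "+00:00"))
        if now - last_dt > timedelta(days=stale_days):
            findings.append("stale")
    return findings


def report(users, now=NOW, stale_days=90):
    """Map each UPN that has at least one finding to its findings."""
    return {u["userPrincipalName"]: f for u in users
            if (f := classify(u, now, stale_days))}
```

On a real tenant the same `classify` logic would be fed from a paged Graph query such as `GET /users?$select=userPrincipalName,userType,employeeId,accountEnabled,signInActivity`, and the `not-hr-managed` and `stale` buckets are exactly the accounts the IAM system never sees.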

Watch our webinar (in Norwegian), where we explained more about how various identities arise in Entra ID.

Conclusion

While an IAM system is useful for maintaining good control over current employees’ user accounts, Microsoft Entra ID will contain many accounts that the IAM system does not manage. Entra ID governs rights and accesses, and every identity that resides there is a key to the IT system, carrying its own set of accesses. Therefore, it is critical to know who these identities are, what they do, and how they are secured.

With a tool that provides insight into all identities in your Entra ID, what they do, and what accesses they have, you can also ensure that the IAM tools actually do what they are supposed to for the user accounts they are configured to handle. You gain valuable insights that enable you to secure identities and optimize licensing costs, providing flexibility and scalability in the digital age.

Implementing “zero-trust” principles won’t help if a malicious actor guesses the correct username and password combination for one of your old user accounts, registers MFA on it, and thereby satisfies those principles. Therefore, you must know that the user account john.doe@organization.com is actually used by a person named John and not by a rogue actor.