I don’t know who it was who first said “Identity is the new security plane”, but I expect it was someone with a Microsoft persuasion, and maybe they saw this all coming … who knows? All I can say is this: what a dynamic time it is to find myself Microsoft Enterprise Identity Practice Lead at UNIFY!
This is particularly so with the rapid evolution of three key Azure AD concepts:
- AAD HR Provisioning and App Provisioning
- AAD Identity Governance and Administration (IGA)
Some fine work last weekend by Microsoft’s Alexander Filpin completed the 6th of his series of excellent blog posts on the above topics, so if you’re new to any of these concepts, or haven’t seen any of the latest offerings to become generally available very late last year, please take the time to read all 6 in sequence – then please come back when you’re done so I can knock your socks off even more! While you’re catching up, here’s some excellent wait music for you … I’ll be here when you get back to bring us back to Earth with some innovative ideas for you.
So what about MIM?
If your thoughts were anything like mine, you’ll probably be more than curious by now, and perhaps even thinking of trying some of the concepts out for yourself, and keen to create your first “access package” so you can see what https://myaccess.microsoft.com/ looks like not only for users in your own organisation, but for B2B partners looking to access your corporate resources as well!
But what about all those 4 MIM references in that 6th post – what did you think when you saw that? I can guess – you’ve found the catch, right? If I want pull-through to my on-premises AD-secured network I need to use MIM? Well of course you can use MIM – and for 15 years that’s been the focus of my own career at UNIFY (particularly my time in the MVP ranks), so naturally that’s always been my go-to Identity and Access Management (IAM) technology base. However, for many there is no appetite to go on that journey any more – as great as that platform still is, it’s a pity it goes into Extended Support in 2021.
While MIM-like functionality has been progressively evolving in recent years, and very rapidly so in the last few months I might add, equally MIM has been “getting back to the basics” of what it has always done best:
- Some MIM components such as BHOLD have been deprecated in favour of evolving AAD IGA alternatives;
- Other MIM components such as MIM Reporting with SCSM have simply never been widely used, with superior on prem and cloud hosted options now available;
- MIM Sync is now the “support act” to a more holistic Azure-hosted IAM and IGA approach for Enterprise Identity that also incorporates B2B; and
- With B2C completing the picture for Consumer Identity, AAD is quickly becoming the complete Identity platform.
But yes there are glitches in the AAD “matrix”, or gaps rather, and you might be thinking there’s only MIM left to fill them.
So – those who know me may be surprised I am now saying no, you don’t have to use MIM! If you’d rather something perhaps cloud-hosted (not that it has to be) that not only handles Alexander’s last post topic (reach back to on prem), but also
- On premises B2B identity provisioning;
- App provisioning for apps which don’t have a SCIM API; and
- HR Provisioning for HR systems other than Workday or SAP Success Factors.
What exactly are these ‘gaps’ again?
There are still some clear gaps feature-wise, and some of these will persist for some time to come:
- HR provisioning only supports Workday, with SAP SF and Oracle HCM presently in Preview, and obviously more to come
- App provisioning only supports ServiceNow, Salesforce, Box and one other, but this is extensible for applications that support SCIM
- IGA for entitlements management with access reviews, with policy to govern both employees and externals (B2B), but no support for advanced features such as SoD, and no native support for on-prem (AD)
So what do I do about them today?
UNIFYBroker technology from UNIFY Solutions is allowing customers to embrace the new AAD feature set NOW, without waiting for the full native feature set to arrive:
- Where their HR platform is not one of the 3 supported AAD HR-provisioning platforms, UNIFYAssure (hosted) and UNIFYBroker (on prem) provide a complementary capability, with or without the need for MIM;
- Where a downstream application or service has no built-in SCIM API, but provides some degree of interoperability, UNIFYConnect (hosted) or UNIFYBroker (on prem) can proxy this API to enable this feature on behalf of the app;
- Where AAD Access Packages provide IGA features for AAD Groups and B2B users, neither of which are not synchronised to AD on prem, UNIFYConnect (hosted) or UNIFYBroker (on prem) can provide this capability, with or without the need for MIM. When used with the AAD Application Proxy capability, authorised B2B users who are synchronised to on-prem (the MIM B2B lifecycle management scenario but without the need for MIM) can authenticate to on-prem-hosted IIS applications using their company AAD credentials; and finally
- There’s also the question of how to assign birthright permissions … for now see this approach which can easily be integrated into the IAM lifecycle rules (thanks Marius Solbakken).
A footnote about ESB
The role of an Enterprise Service Bus (ESB) continues to grow in popularity in securing the use of external APIs, and for good reason. However, this can present some challenges in the Identity space.
Organisations are looking to provide a single control plane for providing application integration where 3rd party APIs are involved, including a consistent and complete approach to auditing. This trend is gaining momentum with the ever-increasing threat of cyber-attacks going undetected due to API access occurring via compromised service account credentials.
However some organisations are stumbling over Identity, which presents unique problems and use cases when compared to other datasets, especially where identity synchronisation is required.
Whether using MIM or another IAM platform such as AAD for HR and/or App Provisioning, by implementing IAM lifecycle integration (joiners/movers/leavers) with UNIFYConnect (hosted) or UNIFYBroker(on prem), ESB integration for updates can be complemented with native integration for non-transactional read operations which are critical for synchronisation state enforcement in these IAM platforms.
It’s definitely a rapidly evolving Identity landscape right now, and I expect I will be sharing more about the above when I next come up for air. In the meantime please stay safe, and thanks for your interest.