Working with Office 365 and Azure raises several issues for organizational security, compliance, and lifecycle management, not least because of the scale of operations but also because of the lack of integration between the systems involved.

In this document, we look at how EmpowerID addresses and solves the following issues:

  • Manual provisioning and deprovisioning of users, and other lifecycle management events (refer to EmpowerID Identity Lifecycle for Office 365 and Azure)
  • The Office 365 and Azure permission model grants roles that are too broad for a modern, Zero Trust organization (Zero Trust Delegated Administration for Office 365 and Azure)
  • The cost and effort of managing SaaS licenses (Manage Office 365 and Azure Licenses)
  • The risk of abuse that privileged access exposes organizations to (Privileged Session Management for Azure)
  • Auditing Azure is difficult and time-consuming (Office 365 and Azure Compliance and Recertification)
  • User password practices that remain your organization’s weakest link (Adaptive MFA for Office 365 and Azure)
  • Whether EmpowerID will work with your organization’s current systems (Integrate with Existing Federated Systems)

Watch a short demo video of how EmpowerID handles Identity Lifecycle Management with Office 365 and Azure.

Related videos: The Jelly Bean Problem; The Challenge of Authorization Management in a Multi-Cloud World.

EmpowerID Identity Lifecycle for Office 365 and Azure

EmpowerID Identity Lifecycle for Office 365 and Azure automates account provisioning and license assignment for Active Directory, Exchange, and Office 365.

Automating policy-based “Compliant Access” removes the security gaps and human errors that come with manual user creation in Active Directory, Exchange, or Office 365: every account is created with exactly the access its policy defines, and nothing more.

Lifecycle events can be, and often are, triggered manually through workflows, but it is far more efficient and reliable to trigger them automatically in response to changes in HR or other authoritative systems.

Some lifecycle management software is limited to a single environment (either on-premises or cloud only); EmpowerID handles provisioning and deprovisioning for both cloud-only and hybrid environments.

In either scenario, EmpowerID applies your organization’s own preconfigured policy settings. On provisioning, it creates and administers accounts with the correct licenses, entitlements, and settings.

On deprovisioning, it uses the relevant policy settings to allow for the graceful handover of responsibilities, the transfer of data ownership, and the downgrading, disabling, or deletion of the appropriate accounts.
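The joiner/mover/leaver flow described above, as an added example that is not EmpowerID code: two constructed HR snapshots are diffed into lifecycle events, and a policy table (departments, group names, license SKUs and the retention period are all assumptions) expands each event into the ordered steps a provisioning connector would run. The leaver plan shows the ordering a practitioner cares about: sign-in is cut first, data ownership is handed to the manager, and licenses are revoked only after the handover, because removing an Exchange or OneDrive license before the transfer starts deletion of the data being moved.

```python
"""Policy-driven joiner/mover/leaver planning (illustration, not EmpowerID code)."""
from dataclasses import dataclass, field

# Assumed policy table: department -> groups and license SKUs (names are made up).
ACCESS_POLICY = {
    "Finance": {"groups": ["GRP-AllStaff", "GRP-Finance"], "licenses": ["E3", "PowerBI"]},
    "Engineering": {"groups": ["GRP-AllStaff", "GRP-Eng"], "licenses": ["E3", "VisualStudio"]},
    "Contractors": {"groups": ["GRP-AllStaff"], "licenses": ["F3"]},
}
RETENTION_DAYS = 30  # assumed: disabled accounts are deleted after this grace period


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    department: str
    manager_id: str
    status: str  # "active" or "terminated"


@dataclass
class Action:
    kind: str
    target: str
    detail: dict = field(default_factory=dict)


def diff_hr(previous, current):
    """Turn two snapshots (employee_id -> HrRecord) into (kind, record, old_record) events."""
    events = []
    for eid, rec in current.items():
        old = previous.get(eid)
        if old is None and rec.status == "active":
            events.append(("joiner", rec, None))
        elif old is not None and old.status == "active" and rec.status == "terminated":
            events.append(("leaver", rec, old))
        elif old is not None and rec.status == "active" and old.department != rec.department:
            events.append(("mover", rec, old))
    return events


def plan(kind, rec, old):
    """Expand one lifecycle event into ordered connector actions according to policy."""
    eid, policy = rec.employee_id, ACCESS_POLICY[rec.department]
    actions = []
    if kind == "joiner":
        actions.append(Action("create_account", eid, {"manager": rec.manager_id}))
        actions += [Action("add_group", eid, {"group": g}) for g in policy["groups"]]
        actions += [Action("assign_license", eid, {"sku": s}) for s in policy["licenses"]]
    elif kind == "mover":
        old_policy = ACCESS_POLICY[old.department]
        # Remove what the new department does not grant before adding new access,
        # so the user never holds both departments' entitlements at once.
        for g in sorted(set(old_policy["groups"]) - set(policy["groups"])):
            actions.append(Action("remove_group", eid, {"group": g}))
        for s in sorted(set(old_policy["licenses"]) - set(policy["licenses"])):
            actions.append(Action("revoke_license", eid, {"sku": s}))
        for g in sorted(set(policy["groups"]) - set(old_policy["groups"])):
            actions.append(Action("add_group", eid, {"group": g}))
        for s in sorted(set(policy["licenses"]) - set(old_policy["licenses"])):
            actions.append(Action("assign_license", eid, {"sku": s}))
    elif kind == "leaver":
        # Cut off sign-in first, hand data to the manager, and only then remove
        # licenses: revoking Exchange/OneDrive SKUs before the handover would start
        # deleting the very data being transferred.
        actions.append(Action("disable_account", eid))
        actions.append(Action("revoke_sessions", eid))
        for resource in ("mailbox", "onedrive"):
            actions.append(Action("transfer_ownership", eid, {"resource": resource, "to": rec.manager_id}))
        actions += [Action("remove_group", eid, {"group": g}) for g in policy["groups"]]
        actions += [Action("revoke_license", eid, {"sku": s}) for s in policy["licenses"]]
        actions.append(Action("schedule_delete", eid, {"after_days": RETENTION_DAYS}))
    return actions


def run(previous, current):
    """Plan actions for every lifecycle event; returns employee_id -> list of actions."""
    return {rec.employee_id: plan(kind, rec, old) for kind, rec, old in diff_hr(previous, current)}


# Constructed HR snapshots: e1 leaves, e2 moves Engineering -> Finance, e3 joins.
HR_BEFORE = {
    "e1": HrRecord("e1", "Finance", "m1", "active"),
    "e2": HrRecord("e2", "Engineering", "m1", "active"),
}
HR_AFTER = {
    "e1": HrRecord("e1", "Finance", "m1", "terminated"),
    "e2": HrRecord("e2", "Finance", "m1", "active"),
    "e3": HrRecord("e3", "Contractors", "m2", "active"),
}

if __name__ == "__main__":
    for eid, actions in run(HR_BEFORE, HR_AFTER).items():
        for a in actions:
            print(eid, a.kind, a.detail)
```

Running the script prints the plan for each of the three employees; the mover plan is the interesting one to read, because it removes the Engineering group and Visual Studio license before adding the Finance ones while leaving the shared E3 license and all-staff group untouched.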

Zero Trust Delegated Administration for Office 365 and Azure

Zero Trust Principles

  • Never trust
  • Always verify
  • Always enforce least privilege

From a security perspective, one of the main problems with the out-of-the-box roles and security model that Office 365 and Azure use is the breadth of the permissions they grant.

For organizations pursuing a Zero Trust strategy (and EmpowerID adheres fully to one), this is a massive challenge.

One of the key tenets of the Zero Trust model is that users should never be granted permanent, unproxied access to systems.

Unproxied access cannot be easily monitored, and standing permissions of this kind are easily overlooked.

(This is particularly relevant to organizations with a large user base or where a considerable number of user-defined roles are in operation.)

Such loopholes, especially where permanent privileged access is concerned, are a disaster waiting to happen: an attacker who compromises one such account inherits all of its standing privileges. EmpowerID either closes this gap or prevents it from opening in the first place.

EmpowerID was designed to ‘wrap itself’ around any system and transform its existing coarse-grained security model into fine-grained control that:

  1. The native system was incapable of providing.
  2. Adheres to Zero Trust.

With Office 365 and Azure, EmpowerID overlays a single, unified security model and brokers administrative operations through it, so the broad native permission sets of both platforms no longer have to be handed to individual administrators.

As previously mentioned, this allows your organization to delegate granular administrative privileges to users within specific business units or partner organizations, even though this level of granularity is simply unavailable in the native Azure security model.

Such capability allows EmpowerID to offer significant advantages to even the most complex global organizations and multi-tenancy scenarios.

Being able to control exactly who may see which objects and identities and who may perform which tasks is one thing; doing it without granting any native administrative privileges, in systems that themselves lack the capability to provision and support such fine-grained delegations, is another.

This gives your enterprise a level of control, ease, and function that the native platforms cannot provide, and opens up new opportunities on the basis of this enhanced and efficient Zero Trust security model.
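The scoped delegation described in this section, as an added example (not EmpowerID's code or data model): a delegation grants a handful of operations over a slice of the directory defined by attribute values, every request is checked against the delegations with deny-by-default, and the same check filters what an assignee can see. The principals, attributes, operation names and the rule that writes to privileged accounts are never delegable are all assumptions made for the illustration.

```python
"""Scoped delegated administration as an authorization overlay (illustration only)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    upn: str
    department: str
    country: str
    privileged: bool = False


@dataclass(frozen=True)
class Delegation:
    assignee: str
    operations: frozenset
    scope: dict  # attribute -> required value; a target must match every entry


# Operations that change a target. Assumed rule: writes on privileged accounts are
# never delegable through this overlay (they belong to the JIT/PSM path instead).
WRITE_OPS = frozenset({"reset_password", "unlock", "assign_license"})

# Assumed delegations: a regional help desk and a partner administrator.
DELEGATIONS = [
    Delegation("helpdesk-de@contoso.example", frozenset({"read", "reset_password", "unlock"}),
               {"department": "Sales", "country": "DE"}),
    Delegation("partner-admin@fabrikam.example", frozenset({"read", "reset_password"}),
               {"department": "Partner-Fabrikam"}),
]


def in_scope(scope, target):
    """True when the target matches every attribute the delegation is limited to."""
    return all(getattr(target, attr) == value for attr, value in scope.items())


def authorize(assignee, operation, target, delegations=DELEGATIONS):
    """Deny by default. Returns (allowed, reason) so every decision can be logged."""
    if operation in WRITE_OPS and target.privileged:
        return False, "writes to privileged accounts are not delegable"
    for d in delegations:
        if d.assignee == assignee and operation in d.operations and in_scope(d.scope, target):
            return True, f"delegation scope {d.scope} grants {operation}"
    return False, "no delegation covers this operation and target"


def visible(assignee, directory, delegations=DELEGATIONS):
    """The slice of the directory an assignee is allowed to see at all."""
    return [u for u in directory if authorize(assignee, "read", u, delegations)[0]]


# Constructed directory.
DIRECTORY = [
    User("anna@contoso.example", "Sales", "DE"),
    User("ben@contoso.example", "Sales", "FR"),
    User("cara@contoso.example", "Engineering", "DE"),
    User("ga-admin@contoso.example", "Sales", "DE", privileged=True),
    User("dev@fabrikam.example", "Partner-Fabrikam", "US"),
]

if __name__ == "__main__":
    for u in DIRECTORY:
        ok, why = authorize("helpdesk-de@contoso.example", "reset_password", u)
        print(f"{u.upn:28} {'ALLOW' if ok else 'DENY':5} {why}")
```

The help desk account in this model holds no tenant-wide role at all; the overlay decides per request, and the native operation would be carried out by the overlay's own service identity. That is what makes a compromise of the help desk account far less valuable to an attacker than a compromise of an account holding a native Global Administrator or User Administrator role.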

Manage Office 365 and Azure Licenses

Azure and Office 365 solved the traditional software deployment and upgrade maintenance challenges faced by organizations, but the SaaS licensing model that came with them created a new one.

Though this licensing model has made obtaining licenses much easier, the burden of managing them has increased.

As a result, and given the costs involved, effective license management and reporting has become ever more business critical.

EmpowerID’s SaaS service for Azure and Office 365 license management eases this burden by providing an inventory of all licenses available to an organization, together with their current usage.

It adds an automated mechanism for granting and revoking licenses, and can assign specific services to users based on organizational data and lifecycle events.

The EmpowerID solution provides a rapid ROI by enabling accurate internal billing, bulk license updates as needed, and the reclamation of costly licenses from “over-licensed” users who are not using the features they have been given.

Privileged Session Management for Azure

Privileged accounts in Azure are both a necessity and a liability. With their nearly unlimited access to system resources, they are essential for everyday IT operations.

Unfortunately, abuse of privileged accounts is cited as the cause of 64% [1] of security breaches and, given the risk this poses to your organization, such accounts need to be managed and controlled better than ever before.

The third principle of the Zero Trust model is to ‘Always enforce least privilege’.

Where Privileged Session Management (PSM) and privileged accounts are concerned, we extend that to ‘grant only the minimal access for the minimal period of time and, wherever possible, proxy and monitor all access at all times’.

EmpowerID provides you with that full capability.

EmpowerID’s Privileged Session Manager is a web-based gateway that you deploy as a microservice container in your Azure environments.

This PSM gateway gives authorized users RDP or SSH access to Azure Windows or Linux virtual machines through a web interface, without ever exposing the servers’ RDP or SSH ports to the users’ networks. Only the gateway reaches the servers, which is why the gateway itself must be hardened and monitored as the privileged path it is.

This approach avoids most common malware and hacking techniques, which rely on direct network connectivity to the servers they are targeting.

In addition, enforcing strong adaptive identity verification and secure password vaulting prevents credential sharing or misuse, because the privileged credential is injected by the gateway and never revealed to the user.

Finally, all PSM sessions within EmpowerID can be monitored live and optionally recorded as video for training, auditing, compliance investigation, or verification.
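The “minimal access for the minimal time, proxied and monitored” model, as an added example that is not EmpowerID's PSM implementation: a grant is issued only after MFA and its lifetime is clamped by policy; the gateway validates the grant against the clock, checks the privileged credential out of a vault under its own identity, and records the session. The requester receives a session handle and never the password. The two-hour ceiling, the gateway identity, the host name and the placeholder secret are assumptions.

```python
"""Just-in-time, time-boxed privileged sessions brokered by a gateway (illustration only)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

HOUR = timedelta(hours=1)
MAX_GRANT = 2 * HOUR                  # assumed policy ceiling for a single elevation
ALLOWED_PROTOCOLS = {"rdp", "ssh"}
GATEWAY_IDENTITY = "psm-gateway"      # the only principal allowed to read the vault
NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # fixed clock for the demo


@dataclass(frozen=True)
class Grant:
    grant_id: str
    requester: str
    target: str
    protocol: str
    approved_by: str
    expires_at: datetime


class Vault:
    """Holds privileged credentials; only the gateway identity may check them out."""

    def __init__(self, credentials):
        self._credentials = dict(credentials)

    def checkout(self, target, caller):
        if caller != GATEWAY_IDENTITY:
            raise PermissionError(f"{caller} may not read privileged credentials")
        return self._credentials[target]


def request_grant(requester, target, protocol, requested, mfa_verified, approver, now=NOW):
    """Issue a grant: MFA is mandatory and the duration is clamped to MAX_GRANT."""
    if not mfa_verified:
        raise PermissionError("adaptive MFA must succeed before elevation")
    if protocol not in ALLOWED_PROTOCOLS:
        raise ValueError(f"unsupported protocol {protocol!r}")
    duration = min(requested, MAX_GRANT)
    return Grant(secrets.token_hex(8), requester, target, protocol, approver, now + duration)


def open_session(grant, vault, audit, now=NOW):
    """Gateway side: enforce expiry, inject the vaulted credential, record the session.

    Returns the session record handed back to the requester (it carries no
    credential), or None when the grant has expired.
    """
    if now >= grant.expires_at:
        audit.append({"event": "session_denied", "grant": grant.grant_id,
                      "reason": "grant expired", "at": now.isoformat()})
        return None
    credential = vault.checkout(grant.target, GATEWAY_IDENTITY)
    session = {"session_id": secrets.token_hex(8), "grant": grant.grant_id,
               "requester": grant.requester, "target": grant.target,
               "protocol": grant.protocol, "opened_at": now.isoformat(),
               "ends_by": grant.expires_at.isoformat(), "recorded": True}
    # The RDP/SSH connector inside the gateway dials the target with `credential`;
    # it must never end up in the record returned to the user or in the audit trail.
    if credential in session.values():
        raise RuntimeError("credential leaked into session record")
    audit.append({"event": "session_opened", **session})
    return session


def demo(vault=None):
    """Scenario: 8 h requested, clamped to 2 h; connect at T+0 succeeds, at T+3h is refused."""
    vault = vault or Vault({"vm-prod-01": "constructed-placeholder-secret"})
    audit = []
    grant = request_grant("alice@contoso.example", "vm-prod-01", "ssh", 8 * HOUR,
                          mfa_verified=True, approver="bob@contoso.example")
    first = open_session(grant, vault, audit)
    second = open_session(grant, vault, audit, now=NOW + 3 * HOUR)
    return grant, first, second, audit


if __name__ == "__main__":
    for entry in demo()[3]:
        print(entry)
```

The audit list is the record an investigator would want: one entry per opened or refused session, keyed by grant and requester, with start and hard end times, and without the credential that was used to connect.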

Office 365 and Azure Compliance and Recertification

In the past, Azure’s sprawling and dynamic nature has posed a huge headache for auditors.

Proving who has access to which critical systems and roles in order to complete a certification is often difficult, and it has always been time-consuming.

With EmpowerID’s full and configurable tracking and reporting capability, however, producing this proof becomes almost automatic. Your Azure team can breeze through audits, your teams’ lives are made much easier, and both you and they save a considerable amount of time and frustration.

EmpowerID maintains an up-to-date audit trail of your systems and provides complete control over who has access to what across all your Azure and Office 365 tenants.

Auditing this critical infrastructure is a major chore, but with EmpowerID’s built-in attestation policies and rapid periodic recertification of Azure and Office 365 group and role assignments, it is made simple.

Furthermore, in response to customer feedback, EmpowerID addresses a previously common problem: reviewing and analyzing the access of external users separately from that of employees.

EmpowerID now categorizes external users accordingly, simplifying and removing the complexity from another aspect of organizational compliance and recertification.

Separation of Duties

EmpowerID also has a risk-based Separation of Duties (SoD) engine that scans and analyzes your systems and allows you to define toxic combinations of access.

This engine detects and flags toxic combinations as they occur and automatically notifies the appropriate reviewers (according to your configured business rules and policies). The reviewers can then approve or reject the combination.

This not only prevents harmful role conflicts from occurring, but also helps minimize risk, the potential for fraud, and other losses within your organization.
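The detect-and-route behaviour described above, as an added example that is not EmpowerID's SoD engine: toxic combinations are rules over sets of entitlements, detect() flags every user who holds a complete combination and names the reviewer to notify, would_violate() is the preventive check a provisioning workflow would run before granting something new, and resolve() turns the reviewer's decision into a time-boxed exception or a remediation order. Rule names, entitlements, reviewers, risk levels and exception lifetimes are all made up for the illustration.

```python
"""Risk-based Separation of Duties: detective scan and preventive check (illustration only)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed rules: a user holding every entitlement in a set is in violation.
TOXIC_COMBINATIONS = [
    {"name": "create-vendor-and-approve-payment", "risk": "high",
     "entitlements": frozenset({"AP-CreateVendor", "AP-ApprovePayment"}),
     "reviewer": "finance-controls@contoso.example"},
    {"name": "developer-with-production-deploy", "risk": "medium",
     "entitlements": frozenset({"Repo-Write", "Azure-Contributor-Prod"}),
     "reviewer": "cloud-platform-owner@contoso.example"},
]
EXCEPTION_TTL_DAYS = {"high": 30, "medium": 90}   # assumed: approved exceptions expire
TODAY = date(2024, 1, 15)                         # fixed clock for the demo


@dataclass(frozen=True)
class Violation:
    user: str
    rule: str
    risk: str
    reviewer: str
    entitlements: frozenset


def detect(assignments, rules=TOXIC_COMBINATIONS):
    """Detective control: every (user, rule) where the user holds the whole combination."""
    return [Violation(user, r["name"], r["risk"], r["reviewer"], r["entitlements"])
            for user, held in assignments.items()
            for r in rules if r["entitlements"] <= held]


def would_violate(held, new_entitlement, rules=TOXIC_COMBINATIONS):
    """Preventive control: names of rules that granting new_entitlement would complete."""
    return [r["name"] for r in rules
            if new_entitlement in r["entitlements"]
            and (r["entitlements"] - {new_entitlement}) <= held]


def resolve(violation, decision, approver, today=TODAY):
    """Reviewer outcome; only the designated reviewer for the rule may decide."""
    if approver != violation.reviewer:
        raise PermissionError(f"{approver} is not the reviewer for {violation.rule}")
    if decision == "approve":
        return {"action": "exception", "user": violation.user, "rule": violation.rule,
                "expires": today + timedelta(days=EXCEPTION_TTL_DAYS[violation.risk])}
    if decision == "reject":
        return {"action": "remediate", "user": violation.user, "rule": violation.rule,
                "remove_one_of": sorted(violation.entitlements)}
    raise ValueError(f"unknown decision {decision!r}")


# Constructed entitlement assignments.
ASSIGNMENTS = {
    "dana@contoso.example": {"AP-CreateVendor", "AP-ApprovePayment", "GRP-AllStaff"},
    "eli@contoso.example": {"Repo-Write", "GRP-AllStaff"},
    "fay@contoso.example": {"AP-ApprovePayment", "GRP-AllStaff"},
}

if __name__ == "__main__":
    for v in detect(ASSIGNMENTS):
        print(f"{v.risk.upper():6} {v.user} violates {v.rule}; notify {v.reviewer}")
    print(would_violate(ASSIGNMENTS["eli@contoso.example"], "Azure-Contributor-Prod"))
```

Approved exceptions carry an expiry so that a one-off business justification does not silently become permanent; when the exception lapses the detective scan flags the combination again and the reviewer has to decide afresh.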

Adaptive MFA for Office 365 and Azure

It is an unfortunate and widespread practice for organizations to store their most sensitive and critical information as content in Office 365 email or on SharePoint portals.

Consequently, verifying the identity of those accessing this information is critical both to preventing data loss and to averting damaging and costly public security breaches.

Research continues to show that passwords are the weakest link in an organization’s security strategy.

Today, the most effective proven means of closing this long-standing weakness is Multi-Factor Authentication (MFA).

There are varying levels of MFA, and EmpowerID uses Adaptive MFA to ensure that your organization can implement exactly the level and type of security it needs.

Adaptive MFA allows you to apply granularity to your organization’s security based on differing criteria.

Criteria include where users are (inside or outside your network), what country they are in (if outside), what device they are using, who they are, and their recent login history, i.e. whether they have been locked out recently or performed several password resets, along with a multitude of other considerations and attributes.

In addition, EmpowerID allows you to assign a weighted score to each component (user, device, location, etc.), which means you can establish the precise level of assurance required for each sign-in. This might sound onerous to the uninitiated, but in practice it is not.

Indeed, one primary use and advantage of Adaptive MFA is to ease users into a new login experience by not forcing them to perform MFA on every login, but only when circumstances warrant it.

EmpowerID comes with over 20 MFA methods, including a wide range of user-friendly options such as one-time passwords, FIDO/YubiKey tokens, third-party services such as Duo, and the EmpowerID Mobile phone app, which allows users to simply tap to authenticate and approve their login.
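The weighted-score approach described above, as an added example that is not EmpowerID's policy engine: each of the signals the text lists (network location, country when outside the network, device, who the user is, recent lockouts and resets) contributes a weighted amount to a risk score, and thresholds map the score to allow, step-up with any factor, step-up with a phishing-resistant factor, or block. Every weight, threshold, attribute name and the rule that privileged users never get less than a phishing-resistant factor is an assumption chosen for the illustration.

```python
"""Weighted risk scoring for adaptive MFA (illustration only; all weights assumed)."""
from dataclasses import dataclass

NETWORK_WEIGHT = {"corporate": 0, "vpn": 5, "internet": 15}
DEVICE_WEIGHT = {"managed": 0, "registered": 15, "unknown": 35}
COUNTRY_HOME, COUNTRY_ALLOWED, COUNTRY_OTHER = 0, 10, 40
PRIVILEGED_WEIGHT = 25
LOCKOUT_WEIGHT, LOCKOUT_CAP = 10, 30
RESET_WEIGHT, RESET_CAP = 10, 20
# Highest floor first; the first threshold the score reaches wins.
THRESHOLDS = [(100, "block"), (60, "mfa:phishing-resistant"), (20, "mfa:any"), (0, "allow")]


@dataclass(frozen=True)
class SignIn:
    user: str
    privileged: bool
    home_country: str
    allowed_countries: frozenset
    network: str          # "corporate", "vpn" or "internet"
    country: str
    device: str           # "managed", "registered" or "unknown"
    lockouts_7d: int
    resets_7d: int


def score(s):
    """Return (total, per-component breakdown) so the decision can be explained."""
    parts = {"network": NETWORK_WEIGHT[s.network]}
    if s.network == "corporate":
        parts["country"] = 0  # country only counts when the user is outside the network
    elif s.country == s.home_country:
        parts["country"] = COUNTRY_HOME
    elif s.country in s.allowed_countries:
        parts["country"] = COUNTRY_ALLOWED
    else:
        parts["country"] = COUNTRY_OTHER
    parts["device"] = DEVICE_WEIGHT[s.device]
    parts["identity"] = PRIVILEGED_WEIGHT if s.privileged else 0
    parts["history"] = (min(s.lockouts_7d * LOCKOUT_WEIGHT, LOCKOUT_CAP)
                        + min(s.resets_7d * RESET_WEIGHT, RESET_CAP))
    return sum(parts.values()), parts


def decide(s):
    """Map the score to a decision; privileged users never get less than phishing-resistant MFA."""
    total, parts = score(s)
    decision = next(d for floor, d in THRESHOLDS if total >= floor)
    if s.privileged and decision in ("allow", "mfa:any"):
        decision = "mfa:phishing-resistant"
    return decision, total, parts


# Constructed sign-in attempts.
SAMPLES = {
    "office_managed": SignIn("anna", False, "DE", frozenset({"DE", "FR"}), "corporate", "DE", "managed", 0, 0),
    "travel_registered": SignIn("anna", False, "DE", frozenset({"DE", "FR"}), "internet", "FR", "registered", 0, 0),
    "admin_home_vpn": SignIn("ga-admin", True, "DE", frozenset({"DE"}), "vpn", "DE", "managed", 0, 1),
    "suspicious": SignIn("ga-admin", True, "DE", frozenset({"DE"}), "internet", "XX", "unknown", 2, 0),
}

if __name__ == "__main__":
    for name, s in SAMPLES.items():
        decision, total, parts = decide(s)
        print(f"{name:18} {total:4} {decision:24} {parts}")
```

The breakdown returned alongside the decision is what makes the policy tunable in practice: when a user complains about being challenged, or an incident shows a sign-in that should have been blocked, the per-component numbers tell you which weight to adjust rather than leaving the score as an opaque total.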

Integrate with Existing Federated Systems

Finally, and as mentioned previously, EmpowerID ‘wraps itself around’ and can integrate with any organization’s existing systems.

Doing so not only elevates their existing security but also gives them flexibility and scope beyond what is currently possible.

This ability to integrate with existing systems is key to EmpowerID’s success and makes federation much simpler.

One example is organizations that already have an SSO infrastructure in place.

EmpowerID’s broad support for federation standards lets it integrate easily with existing SSO solutions such as Microsoft ADFS, Ping, Okta, OneLogin, and others.

This seamless integration gives your users an uninterrupted SSO experience regardless of which identity they select for authentication or which application they wish to log in to.

Conclusion

Your current security around Azure and Office 365 is ineffective for your organization’s needs today. The native permissions-based system is too broad for legal and compliance requirements and is incapable of meeting modern security requirements.

Not only that, your current O365/Azure setup is too time-consuming and costly to maintain and is lacking in many other areas.

In contrast, EmpowerID was created to provide exactly the security you need, without the gargantuan expense and inconvenience of having to change your entire system.

It also offers many other advantages, including full recording and tracking capability that enables you to meet all your audit and compliance needs, a Separation of Duties engine to prevent fraud and costly losses, and Privileged Session Management to prevent direct access to critical systems.

These and many other features ensure that EmpowerID integrates easily and quickly with your own systems and elevates them to an entirely different level: EmpowerID, delivering Next-Generation Azure and Office 365 Security today.