In today’s “work from anywhere” model, cloud-based identity management solutions are quickly becoming the norm. Nowhere is this more evident than with Microsoft’s shift away from on-premise Active Directory federating with Office 365 to Azure AD as the primary identity. De-emphasizing and even eliminating ADFS and federation are bold Cloud First moves by Microsoft and it is the future. Microsoft makes this even more apparent with its integration of the System for Cross Domain Identity Management (SCIM) protocol into Azure. SCIM was created as a powerful means of standardizing, simplifying, and automating identity management of users, groups, and devices across cloud-based applications and services and Microsoft is betting big on it. The problem with SCIM is that it has yet to become widely adopted and many applications simply do not support it. So, if you have custom applications with repositories of identity information or use an on-premise or cloud application like SAP S/4 HANA or SAP Ariba or even a major HR system like UltiPro, you are not going to be able to integrate those systems with Azure unless you or the vendor builds a SCIM interface for each. This is no small task, because while the protocol is simple, building the interface is not. EmpowerID has stepped into the gap and built a Workflow-Driven SCIM Virtual Directory Server (VDS) that can sit between Azure and your non-SCIM applications. You simply connect those applications to EmpowerID and register the EmpowerID SCIM VDS in Azure. There is no need to wait for vendors or put in the time and effort needed to build a SCIM interface. EmpowerID takes care of everything for you.
Azure Identity Management
Azure Active Directory has grown in importance from merely being one of an organization’s directories to becoming the hub for all of an organization’s applications and digital identities. As organizations undergo a “Digital Transformation” in how they operate, the work of IT has grown more complicated by new challenges to deliver access and ensure compliance for an ever more complex web of on-premise and Cloud applications at all times. Azure Active Directory is now at the heart of these efforts and a new breed of Identity Platform is required to ensure its success.
Fills in Azure AD Provisioning Gaps
Azure is here to stay and so is the shift away from on-premise user directories like Active Directory to Azure AD. Microsoft has invested heavily in the cloud and part of the investment includes elevating Azure AD as the primary identity and AD on-premise secondary. If you haven’t yet adopted this approach and begun the transition toward the cloud, you eventually will. There are simply too many reasons not to do so. And especially so when you add EmpowerID to the mix.
Microsoft’s aim is to make Azure AD the central point for authentication, conditional access and MFA. They want you to use Azure AD for all your identity-aware applications. The idea is that you do identity in Azure and Azure propagates that to your other systems. So, for example, if you provision new users in Azure AD, those users should be provisioned in a connected HR system and vice-versa. While that sounds about right, there is a huge problem: the process is blind to your business logic. Users are provisioned or de-provisioned, as the case may be, and that is that. There currently is no way to interrupt the process to do other things.
EmpowerID changes that
When added to Azure, EmpowerID gives you the following abilities:
Easy Integration for All Your Identity Aware Applications
By adopting SCIM as the identity protocol, Microsoft paved the way for integrating any SCIM compliant application with Azure.
Their aim is to make Azure AD the central point for authentication, conditional access and MFA.
They want you to use Azure AD for all your identity-aware applications. While this sounds great, the reality is that many vendors have yet to adopt SCIM.
And without SCIM adoption, there is no way to connect their applications to Azure AD. That goes the same for any non-SCIM applications your organization may have developed.
You must either wait for vendors or invest the time and effort into developing a SCIM framework yourself. For most organizations, this is simply not feasible.
This is where EmpowerID comes into the picture. We are the first company to create a stable, fully functioning SCIM Virtual Directory that allows you to connect all your identity-aware applications to EmpowerID, and then by virtue of your connection to EmpowerID connect to Azure AD.
How does this work?
The SCIM Virtual Directory is a microservice and a SCIM server created by EmpowerID that can be deployed as an App Service in Azure tenants.
This makes the SCIM VDS the go-between for Azure and any applications registered in EmpowerID.
Provisioning calls are made to the EmpowerID SCIM VDS and the call is then directed to the appropriate system.
For example, if you have connected EmpowerID to Salesforce and an HR system and a new user is provisioned in Azure AD, EmpowerID intercepts the call to provision the new user and directs it to the appropriate systems in EmpowerID.
This allows for any policies and other business logic to be evaluated first.
Once your business logic completes, the account is provisioned in the appropriate systems and everything is kept in sync.
The natural question is how EmpowerID knows which system to update. The answer is the URL you set for your applications in EmpowerID.
Without going into detail, you simply specify the path to the application registered in EmpowerID. The below image depicts this.
In the image, the last part of the path points to the application. This is how EmpowerID knows where to direct the call made by Azure.
This allows you to SCIM-enable any system that is connected to EmpowerID without needing to create a specific SCIM connector for that system. EmpowerID does it for you, helping you leverage Azure AD provisioning quickly and easily for many systems with some advanced features.
Workflow-Driven Virtual Directory Services
Traditional SCIM connectors simply “fire and forget.”
They pass commands from one system to another and leave it at that. There is no middle layer of logic involved.
In other words, they are more of a SCIM gateway. The EmpowerID SCIM VDS takes another approach.
Not only does it pass commands from one system to another, but it evaluates your business processes while doing so.
We call this approach “everything is a workflow” and it is central to the EmpowerID paradigm.
To have full control, organizations need to inject their business logic into the process.
The above image depicts the difference between the two approaches. In the first flow, Azure AD Provisioning Service sends commands to the EmpowerID SCIM VDS. EmpowerID then invokes the workflow appropriate to the command, where business processes can be executed before sending those commands downstream to a connected system. In the second, lower flow, Azure sends the same commands to a directly connected system and they simply happen in that system. There is no control over the transactions. With EmpowerID standing in the middle, the entire process can be evaluated and interrupted if need be.
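To make the two ideas above concrete, here is an added example (not EmpowerID's code) of a minimal SCIM 2.0 virtual directory in Python: the application name is taken from the request path, as in the URL scheme described earlier, and a list of workflow hooks runs before any provisioning call reaches the downstream store, rejecting the call with a SCIM error when a rule fails. The connected applications, the in-memory stores and the two hook rules are constructed for illustration.

```python
import json

# SCIM 2.0 schema URNs (RFC 7643/7644)
ERR = "urn:ietf:params:scim:api:messages:2.0:Error"
USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

def error(status, detail):
    # SCIM error response body as defined in RFC 7644 section 3.12
    return status, {"schemas": [ERR], "status": str(status), "detail": detail}

# Workflow hooks run before anything reaches a downstream system.
# Each returns None to allow the call, or a reason string to reject it (constructed rules).
def require_department(user):
    dept = user.get(ENTERPRISE, {}).get("department")
    return None if dept else "enterprise department attribute is required"

def corporate_mail_only(user):
    ok = user.get("userName", "").endswith("@example.com")
    return None if ok else "userName must be a corporate address"

class ScimVds:
    """Hypothetical virtual directory: routes /scim/<app>/Users to a registered app after hooks."""
    def __init__(self, apps, hooks):
        self.stores = {app: {} for app in apps}   # one in-memory user store per connected app
        self.hooks = hooks

    def handle(self, method, path, body=None):
        parts = path.strip("/").split("/")
        if len(parts) < 3 or parts[0] != "scim" or parts[2] != "Users":
            return error(404, "unknown resource")
        store = self.stores.get(parts[1])       # path segment before /Users names the app
        if store is None:
            return error(404, f"no application registered as {parts[1]}")
        if method == "POST" and len(parts) == 3:
            user = json.loads(body)
            for hook in self.hooks:
                reason = hook(user)
                if reason:
                    return error(403, reason)   # workflow interrupts the provisioning call
            uid = f"{parts[1]}-{len(store) + 1}"
            store[uid] = user
            return 201, {"schemas": [USER], "id": uid, "userName": user["userName"]}
        if method == "DELETE" and len(parts) == 4:
            if store.pop(parts[3], None) is None:
                return error(404, "user not found")
            return 204, None                    # de-provisioning, no body per RFC 7644
        return error(405, "method not supported")

if __name__ == "__main__":
    vds = ScimVds(["salesforce", "hrsystem"], [require_department, corporate_mail_only])
    body = json.dumps({"schemas": [USER], "userName": "jdoe@example.com",
                       ENTERPRISE: {"department": "Finance"}})
    print(vds.handle("POST", "/scim/salesforce/Users", body))
```

A real deployment would authenticate the Azure AD Provisioning Service's bearer token and persist to the connected system instead of a dict, but the routing and interception logic is the same.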
New Azure SCIM Microservices
Beyond the SCIM VDS, EmpowerID has built several SCIM microservices specifically geared toward the Azure platform. Designed to make Azure more manageable and cost-effective, these microservices lift the lid off the black box of Azure license expenses and role delegation, providing organizations with the tools needed to more effectively manage their subscriptions. These microservices include the EmpowerID SCIM Microservice, the Azure Analytics Microservice and the IT Shop Microservice.
EmpowerID SCIM Microservice
The EmpowerID SCIM Microservice is designed to help you manage your Azure tenants and subscriptions to include licenses and roles. Beyond the licensing challenges associated with Azure subscriptions is the fluid nature of the Azure infrastructure and how quickly new services can be introduced and then decommissioned. This fluidity can make it difficult for security and audit teams to meet their regulatory obligations concerning asset management. The SCIM microservice helps you address both these issues by giving you full visibility and control over both Azure Roles and Azure licenses via Azure License Manager and Azure RBAC Manager.
Azure License Manager
Azure License Manager can connect to all your Azure and Office 365 tenants to retrieve a detailed license inventory. You’ll immediately know all your organization’s subscriptions and license counts, whether allocated, activated, or disabled. You’ll also have an accurate picture of which service plans assigned within the subscriptions are enabled for different user populations. License Manager allows you to enter the negotiated costs for each of your SKUs to enable accurate reporting on actual cost allocations and to identify real savings from unused or nonoptimal license assignments.
Azure RBAC Manager
Azure RBAC Manager empowers organizations to maintain an accurate understanding of their Azure security landscape, to optimize its management, and to ensure compliance with an organization’s risk policies by continuously monitoring for changes. Azure RBAC Manager continuously inventories the RBAC structure of your Azure tenants including the tenant Root, Management Groups and subgroups, Subscriptions, and Resource Groups. This structure is key to understanding the scope of your Azure Role assignments and their impact. Azure includes three very different types of roles: Azure AD “Directory Roles”, Azure RBAC “Resource Roles”, and Azure “Application Roles”. Azure RBAC Manager handles all three types and even reports the individual fine-grained rights granted by each role. Azure Resource Roles can be assigned at any level or scope in the Azure hierarchy, even on individual resources. Azure RBAC Manager inventories even these individual resources like virtual machines, Kubernetes clusters, and SQL databases, including any of their direct role assignments.
IT Shop Microservice
The IT Shop brings a familiar shopping cart experience to the license access request process. Users simply search for the licenses they need and add items to their cart. Managers may shop on behalf of their direct reports as part of the onboarding process. When the user is done shopping, they simply submit their request. The workflow engine determines from your organizational rules, what approvals are needed, if any policies would be violated, and who must approve each request or violation. All participants are kept informed by email notifications and all requests, decisions and associated fulfillment actions are recorded and integrated into the audit process.
Azure Analytics Microservice
The Azure Analytics Microservice provides organizations with intelligent, real-time visual feedback on the drivers of their Azure expenses and the number of licenses being consumed by their organization at any given point in time.
As we can see, the EmpowerID SCIM VDS is a powerful tool that can be used to bring Azure AD Provisioning Service to any of your identity-aware applications as well as make managing your Azure subscription a much easier task.