In today’s “work from anywhere” model, cloud-based identity management solutions are quickly becoming the norm. Nowhere is this more evident than with Microsoft’s shift away from on-premise Active Directory federating with Office 365 to Azure AD as the primary identity. De-emphasizing and even eliminating ADFS and federation are bold Cloud First moves by Microsoft and it is the future. Microsoft makes this even more apparent with its integration of the System for Cross Domain Identity Management (SCIM) protocol into Azure. SCIM was created as a powerful means of standardizing, simplifying, and automating identity management of users, groups, and devices across cloud-based applications and services and Microsoft is betting big on it. The problem with SCIM is that it has yet to become widely adopted and many applications simply do not support it. So, if you have custom applications with repositories of identity information or use an on-premise or cloud application like SAP S/4 HANA or SAP Ariba or even a major HR system like UltiPro, you are not going to be able to integrate those systems with Azure unless you or the vendor builds a SCIM interface for each. This is no small task, because while the protocol is simple, building the interface is not. EmpowerID has stepped into the gap and built a Workflow-Driven SCIM Virtual Directory Server (VDS) that can sit between Azure and your non-SCIM applications. You simply connect those applications to EmpowerID and register the EmpowerID SCIM VDS in Azure. There is no need to wait for vendors or put in the time and effort needed to build a SCIM interface. EmpowerID takes care of everything for you.

Why SCIM?

  • All the Advantages of SCIM without the effort – Created in 2011 as an open standard, lightweight provisioning protocol for the “Cloud age,” SCIM provides a uniform way for applications to communicate identity information to each other. Adoption of SCIM has been slow, but it is the way forward. With EmpowerID’s SCIM VDS, organizations can convert their applications to SCIM without waiting for vendors to come onboard or doing the heavy lifting of converting their legacy proprietary applications to SCIM.
  • Seamlessly Integrate All Your Applications with Azure Provisioning Services – The EmpowerID SCIM Virtual Directory is a microservice and a SCIM server that can be deployed as an App Service in any Azure tenant. Simply plug the VDS into any Azure environment, secure it with an Azure managed identity and then register as many of your enterprise applications as needed. If the VDS knows about these applications, it will pass Azure provisioning commands to that system, SCIM compliant or not.
  • Workflow-Driven Virtual Directory Services – More than just a “SCIM gateway,” that is, more than just an application that simply passes identity lifecycle commands like – “provision this user” or “add this user to that group” – from one system to another, the EmpowerID VDS treats everything as a workflow. This keeps your business logic in the process. Commands are evaluated by the VDS, which can trigger policies, invoke naming conventions, generate strong passwords and send policy violations for human approval before any final provisioning action occurs. You determine what needs to happen when Azure makes a provisioning call.
  • New Azure SCIM Microservices – Beyond the SCIM VDS, EmpowerID has built several SCIM microservices specifically geared toward the Azure platform. Designed to make Azure more manageable and cost-effective, these microservices lift the lid off the black box of Azure license expenses and role delegation, providing organizations with the tools needed to more effectively manage their subscriptions. These microservices include the EmpowerID SCIM Microservice, the Azure Analytics Microservice and the IT Shop Microservice. We’ll talk about each of these more in-depth below. Suffice it to say, they will make managing your Azure subscriptions much easier and perhaps even a little pleasant.

WATCH A SHORT OVERVIEW OF OUR
Webinar on Azure Indentity Management

Azure Identity Management

Azure Active Directory has grown in importance from merely being one of an organization’s directories to becoming the hub for all of an organization’s applications and digital identities. As organizations undergo a “Digital Transformation” in how they operate, the work of IT has grown more complicated by new challenges to deliver access and ensure compliance for an ever more complex web of on-premise and Cloud applications at all times. Azure Active Directory is now at the heart of these efforts and a new breed of Identity Platform is required to ensure its success.

Fills in Azure AD Provisioning Gaps

Azure is here to stay and so is the shift away from on-premise user directories like Active Directory to Azure AD. Microsoft has invested heavily in the cloud and part of the investment includes elevating Azure AD as the primary identity and AD on-premise secondary. If you haven’t yet adopted this approach and begun the transition toward the cloud, you eventually will. There are simply too many reasons not to do so. And especially so when you add EmpowerID to the mix.

Microsoft’s aim is to make Azure AD the central point for authentication, conditional access and MFA. They want you to use Azure AD for all your identity-aware applications. The idea is that you do identity in Azure and Azure propagates that to your other systems. So, for example, if you provision new users in Azure AD, those users should be provisioned in a connected HR system and vice-versa. Well that sounds about right, there is a huge problem: The process is blind to your business logic. Users are provisioned and de-provisioned as may be the case, and that is that. There currently is no way to interrupt the process to do other things.

EmpowerID changes that

When added to Azure, EmpowerID gives you the following abilities:

  • Cross-System Password Reset – If you initiate an Azure password change that syncs to your Active Directory, EmpowerID catches that password change and syncs it to other systems that do not have SSO but need the new password.
  • Access Certification – To maintain compliance, your users need to have the appropriate access for their roles. With the considerable number of systems and apps available, this is becoming more complicated and challenging. EmpowerID provides you with the capability to not only manage your access certification and governance, but also to audit your critical systems and users, recertify them, provide revocation fulfilment and much more.
  • Compliant Risk Management – One goal of any organization is to efficiently deliver Compliant Access. In your organization’s sense, Compliant Access means access that is both “position appropriate” and that adheres to your risk-related “business policies.” By adding your own organization’s risk policies into its calculations, EmpowerID can determine if the least privilege ‘level’ would produce an unacceptable risk to your organization. This allows risk control owners to make informed decisions about whether to accept risks and apply mitigating controls, or to reject them. EmpowerID’s risk engine also supports both preventive and detective SOD simulation and validation. It does so using user-friendly dashboards and workflow processes that automate remediation and revocation.
  • Role Mining Analytics – A security challenge that develops over time is understanding why roles and role assignments were initially created, by whom, and if they are still needed. EmpowerID’s Role Mining engine provides automated processes that harvest data of who has access to what and uses that data to recommend an optimal initial set of roles. As your business environment changes and roles evolve, EmpowerID ensures the roles adhere to Zero Trust and only grant least privilege access.
  • Delegated Identity Administration – Azure AD only cares about those objects in your systems that have a direct correlation in Azure. With EmpowerID standing between Azure and your systems, however, you can manage all the security objects in all your systems. You can see and manage them, delegating responsibility for those objects to the appropriate people within your organization.
  • End User Email Notifications – EmpowerID sends email notifications to end users and their managers when provisioning events occur. Was a new user account created or a user added to a group? The user, their manager and anyone else who needs to know will receive an email about it.
  • Much more – Adding EmpowerID to your Azure fills in the gaps by giving you all the features associated with the EmpowerID platform. For more information, we invite to take a further look at our site.

Easy Integration for All Your Identity Aware Applications

By adopting SCIM as the identity protocol, Microsoft paved the way for integrating any SCIM compliant application with Azure.

Their aim is to make Azure AD the central point for authentication, conditional access and MFA.

They want you to use Azure AD for all your identity-aware applications. While this sounds great, the reality is that many vendors have yet to adopt SCIM.

And without SCIM adoption, there is no way to connect their applications to Azure AD. That goes the same for any non-SCIM applications your organization may have developed.

You must either wait for vendors or invest the time and effort into developing a SCIM framework yourself. For most organizations, this is simply not feasible.

This is where EmpowerID comes into the picture. We are the first company to create a stable, fully functioning SCIM Virtual Directory that allows you to connect all your identity-aware applications to EmpowerID, and then by virtue of your connection to EmpowerID connect to Azure AD.

How does this work?

The SCIM Virtual Directory is a microservice and a SCIM server created by EmpowerID that can be deployed as an App Service in Azure tenants.

This makes the SCIM VDS the go-between for Azure and any applications registered in EmpowerID.

Provisioning calls are made to the EmpowerID SCIM VDS and the call is then directed to the appropriate system.

For example, if you have connected EmpowerID to Salesforce and an HR system and a new user is provisioned in Azure AD, EmpowerID intercepts the call to provision the new user and directs it to the appropriate systems in EmpowerID.

This allows for any policies and other business logic to be evaluated first.

Once your business logic completes, the account is provisioned in the appropriate systems and everything is kept up to sync.

The natural question arises as to how does EmpowerID know what system to update. The answer to the question is the URL you set for your applications in EmpowerID.

Without going into detail, you simply specify the path to the application registered in EmpowerID. The below image depicts this.

In the image, the last part of the path points to the application. This is how EmpowerID knows where the direct the call made by Azure.

This allows you to SCIM-enable any system that is connected to EmpowerID without needing to create a specific SCIM connector for that system. EmpowerID does it for you, helping you leverage Azure AD provisioning quickly and easily for many systems with some advanced features.

Workflow-Driven Virtual Directory Services

Traditional SCIM connectors simply “fire and forget.”

They pass commands from one system to another and leave it at that. There is no middle layer of logic involved.

In other words, they are more of a SCIM gateway. The EmpowerID SCIM VDS takes another approach.

Not only does it pass commands from one system to another, but it evaluates your business processes while doing so.

We call this approach “everything is a workflow” and it is central to the EmpowerID paradigm.

To have full control, organizations need to inject their business logic into the process.

The above image depicts the difference between the two approaches. In the first flow, Azure AD Provisioning Service sends commands to the EmpowerID SCIM VDS. EmpowerID then invokes the workflow appropriate to the command where business processes can be executed before sending those commands downstream to a connected system. In the second or lower flow, Azure sends the same commands to a directly connected system and they simply happen in that system. There is no control over the transactions. With EmpowerID standing in the middle, the entire process is can be evaluated and interrupted if need be.

New Azure SCIM Microservices

Beyond the SCIM VDS, EmpowerID has built several SCIM microservices specifically geared toward the Azure platform. Designed to make Azure more manageable and cost-effective, these microservices lift the lid off the black box of Azure license expenses and role delegation, providing organizations with the tools needed to more effectively manage their subscriptions. These microservices include the EmpowerID SCIM Microservice, the Azure Analytics Microservice and the IT Shop Microservice.

EmpowerID SCIM Microservice

The EmpowerID SCIM Microservice is designed to help you manage your Azure tenants and subscriptions to include licenses and roles. Beyond the licensing challenges associated with Azure subscriptions is the fluid nature of the Azure infrastructure and how quickly new services can be introduced and then decommissioned. This fluidity can make it difficult for security and audit teams to meet their regulatory obligations concerning asset management. The SCIM microservice helps you address both these issues by giving you full visibility and control over both Azure Roles and Azure licenses via Azure License Manager and Azure RBAC Manager.

Azure License Manager

Azure License Manager can connect to all your Azure and Office 365 tenants to retrieve a detailed license inventory. You’ll immediate know all your organization’s subscriptions, license counts both allocated, activated, and disabled. You’ll also have an accurate picture of which service plans assigned within the subscriptions are enabled for different user populations. License Manager allows you to enter the negotiated costs for each of your SKUs to enable accurate reporting on actual cost allocations and to identify real savings from unused or nonoptimal license assignments.

Azure RBAC Manager

Azure RBAC Manager empowers organizations to maintain an accurate understanding of their Azure security landscape, to optimize its management, and to ensure compliance with an organization’s risk policies by continuously monitoring for changes. Azure RBAC Manager continuously inventories the RBAC structure of your Azure tenants including the tenant Root, Management Groups and subgroups, Subscriptions, and Resource Groups. This structure is key to understanding the scope of your Azure Role assignments and their impact. Azure includes 3 very different types of roles including Azure AD “Directory Roles”, Azure RBAC “Resource Roles”, and Azure “Application Roles”. Azure RBAC Manager handles all three types and even reports the individual fine-grained rights granted by each role. Azure Resource Roles can be assigned at any level or scope in the Azure hierarchy, even on individual resources. Azure RBAC Manager inventories even these individual resources like virtual machines, Kubernetes clusters, and SQL databases including any of their direct role assignments.

IT Shop Microservice

The IT Shop brings a familiar shopping cart experience to the license access request process. Users simply search for the licenses they need and add items to their cart. Managers may shop on behalf of their direct reports as part of the onboarding process. When the user is done shopping, they simply submit their request. The workflow engine determines from your organizational rules, what approvals are needed, if any policies would be violated, and who must approve each request or violation. All participants are kept informed by email notifications and all requests, decisions and associated fulfillment actions are recorded and integrated into the audit process.

IT Shop Microservice






Azure Analytics Microservice

The Azure Analytic Microservice provides organizations with intelligent, real-time visual feedback on the drivers of their Azure expenses and the number of licenses being consumed by their organization at any given data point.

Azure Analytics Microservice






Conclusion

As we can see, the EmpowerID SCIM VDS is a powerful tool that can be used to bring Azure AD Provisioning Service to any of your identity-aware applications as well as make managing your Azure subscription a much easier task.