Identity Governance - the Value of Leveraging IGA Functions from the Cloud

Good afternoon, ladies and gentlemen, welcome to our equipping cold webinar identity governance. The value of leveraging IGA functions from the cloud. This webinar is supported by Microsoft. The speakers today are choice of Dae, who is principle product manager at Microsoft and me Martin could I'm principle Analyst at Ko a call. Before we dive into the topic, I quickly want to provide some information about Cola, about upcoming events and some housekeeping information for the webinar. And then we directly will start with the topic of today. Ko.

A call is an independent neutral Analyst from, we are found. We are founded back in 2004.

We're focusing on information on cyber security and identity and access management, identity governance, and other areas concerning the digital transformation we do so about delivering contempt by supporting communities, by coaching you to your success with our research services, such as our leadership documents, where we compare vendors in certain market segments, such as our events, I'll touch in a minute and such as our advisory services, where we support you in your strategy, roadmap, choice of tools and related stuff.

So for advisory, we do benchmarking, we do strategy, support, architecture, support, technology, selection, and project guidance, supporting you in doing what you need to do the right way, identifying the right tools for your challenges, et cetera. Regard. From an event perspective, we have a couple of upcoming events. So the next one will run next week, which is our European identity and cloud conference, our flagship event, which will run next week, Tuesday to Friday in Munich, you shouldn't miss attending this event. It's sort of our must attend event.

And we have a couple of other events in the autumn between September and the end of the year. Some in the us like our consumer identity world and our cyber next summit, others in Europe, like our artificial intelligence event, like other cybersecurity events, the digital finance world and our blockchain enterprise days for the webinar, some housekeeping information, you are muted C so you don't have to mute arm yourself. You're controlling these features. We are recording the webinar and we'll make the podcast rev recording available very short term.

We also will make the slide X available as PDF versions for your download. So you will get this as well, if you want. And there will be a Q and a session at the end. So if you have questions to Joseph, for me, enter your questions during the webinar, we will pick them and we will answer them after the webinar. The more questions we have, the more lively the Q and a session. So looking forward to receiving your questions. So let's have a look at the agenda, the content of today's webinar.

I'll start with talking about some of the challenges organizations are facing in today's IGA deployments, the reasons for that and, and how to avoid such challenges and the broader context of the, sort of the big trends we are, are observing IM and IGA. Cetera. IGA stands for identity governance and administration. It's factually the combination of identity provisioning and access governance, core area of what we have in identity access management. And the second part, then Joseph, that'll talk about over, or give you an overview on Microsoft. I solutions.

He will look at the benefits provided by cloud-based IGA and how Azure ad is poised to set you up for quick wins and the wide, the pitfalls of expansive long drawn on premises based IGA deployments, and to serve part. Then we will have RQ and a sessions already announced. So when looking at the reality of today, I, I wanna touch some, some aspects more from an architectural perspective, but also talk a little bit about what are challenges we are observing and factually.

When we look at how to do identity management, they should start with thinking about what is really the target of this entire exercise. And the target of this exercise is that we have our users, which from a perspective, which they all business take today are more than the employees. So when I go back a couple of years, 10, 12, 15 years, identity management was very much focused on the employee that has fundamentally changed. We see more and more projects that are very consumer heavy.

We see also that literally all of the projects we, we are in some way involved in with our advice or where we just learn about cover the entire breadth of identities from the consumer to the employee. And on the other hand, we have these targets, the applications and services, which to some extent are partially run internally still, but also where we see more and more cloud services. And it's for my observation, it's, it's really that we are even over here in Europe, we are really at this tipping point where the cloud becomes the normal and the on premise is more the exception.

So we are really shifting more and more to the clouds with some cloud first or cloud preference strategies. But we also have other types of applications writing at business products. Some of them supporting Federation standards, others not supporting Federation standards. And we have all these internal apps, some of them supporting modern standards, some being more on the legacy end, factually, what we need to enable is what we do in identity management is that everyone on the left hand side can access what he needs to access on the right hand side. This is what we do.

This is what we need to do. And this is about authentication. It's about Federation. It's about single sign on, and it's about this IGA piece, creating the user account, managing the entitlements, implementing access governance and identity governance, ensuring that we only have the accounts that we need, ensuring that they only have the entitlements. They need enforcing least privileged principle doing stuff like that. And we have different types of identity providers today.

So we, yes, we still have our internal active directory. We might have our Azure active directory. We might have another types of, of identity services. We run internally. We have social logins. We might accept for certain types of authentications. We might accept external users from the IDB of our business partners and they all come in and we need services.

And yes, part of the service is really federating in from the external IDPs federating out to our target applications, that support Federation standards, but also web access management and adaptive force indication, which are essential pieces. There might be other things like cons and privacy APC. I security might integrate touches in a minute again with enterprise mobility management or advanced security analytics, other services. And we also need these capabilities of governance of auditing reporting, and not only federated, but also federated provisioning.

So this it piece, the core of it comes into play again here, and we need to do it in a way that supports more than in our traditional employee identity management, where it was the employee to our primarily internal applications. This has fundamentally changed. So the way we do it also needs to change. We also need to look at sort of the, we can look at architecture also from a little bit different perspective, which is a little bit more modular.

So we say, okay, what we do, we have here, we have these types of applications. So we have systems. We connect indirectly because they are based on active directory or Azure ID. We have systems we connect to with some single on which are, we have others which don't have a federated single. So we have mobile applications. And on the other hand, we get data about identities from HR, but also from other sources. So the more identities we have, the more of these we have, and the, the core of that then is where we really look at our, how does our IGA, which was very, very cost screen.

In the previous slide, we look at it a little bit more in detail, and we have one element which is frequently very, very implicit functionality, somewhere down in the I or identity provisioning tool, which is really mapping different identities, managing the identity, quality, improving the identity quality, adding persistence to that, which is a directory service. To some extent, when we have to connectors out to the systems directly or indirectly, we have some workflows for requesting the access for all the changes we need with our provisioning piece.

And then we have this access governance piece and within IHA there's governance pieces where things frequently become somewhat complex. So provisioning also can be somewhat complex. The more systems you intend to connect, the more complex it gets. Obviously there's always one piece which is about manual provisioning to through it, service management, different story, but the access governance piece can become quite challenging. Setting up the models for your entitlements, maybe even role models, running the access review. We need to do it very efficient, very, very quickly.

And we all knew that many of these projects take quite a long time for setting up the platform for integrating, for, for making all the customizations. Maybe sometimes more customization than should be done, et cetera. So this access governance piece, we have some service Porwal on top of it, it service management. And we also have this access management piece, which then enables us to access these applications. So this is a little bit different perspective here, which basically is split into some related services, which are a little bit out of scope of what we had discussed today.

The runtime piece. So indicate federated cetera. The deploy time identity management, the IGA piece was, was the, the blue color around. And this is basically so, as I've said, there are a couple of related services, which also could be a perspective on how our identity access management looks at, looks like. And overall it's, we, we need to cover all these things. We need to understand how they work together, how they fit into each other. But we also need to understand that we have different perspectives.

And, and one of these things, which from my perspective is, is gradually changing is that IHA for itself is not enough anymore to successfully mitigate our access risks. Why is this?

So for, for a long time, our, our, our main focus of what we did in identity management, and it's still the main focus of IGA is really what I also, the previous slide called deploy time identity management. It's about setting up an identity, requesting the access, approving it, technically assigning the entitlements in the, in the target systems, creating the accounts for that identity, running the access governance.

We do it, we set up, we allow say, okay, these are your entitlements. You can use them. And then the access happens. That's where runtime identity management comes into place. So also indicated user should have happened in that context. Look at the context, understand what does the user really do? Analyze it, put together a lot of information and to mitigate risks. I personally believe, and I'm very convinced of that, that we need to do both and that we need to do both in combination. We need to better integrate these things.

So I IHA from my perspective really has to change particularly the identity and access governance piece or identity governance. However, you'd like to phrase this governance piece needs to change because these are two elements of the equations. And for employees, the, the detailed entitlements are more important. When you look at the other proofs of use the partners, customers, consumers, it's really more about managing the access at run time. And so when we look at how identity access governance should evolve, we should go beyond what is the traditional, what has been the traditional focus.

We need to take a broader perspective for identity and access governance, which is so when we look at the lower left box, this is actually the current focus of access governance. If we strictly follow the regulatory compliance requirements, I had an interest interesting conversation with was one of the, the audit. So partner at one of the large audit firms recently, and he said, you know, the, the point is factually what we are required to audit this financial risks. And basically they look at static entitlements, financial risks, that's the part, but there are other business risks.

There are your intellectual property rights, which are not the financial data. There are many other things PII as a personally identifiable information, other risks, which are part of your business access risks, and the static entitlements are only one piece of it. They say what you are allowed to do, or what use are allowed to do, but they don't tell you about how these entitlements are used. And even while people might be allowed to do something or to access certain information, they might still do it in a fraudulent or own erroneous way.

And so for an access governance, my perspective is we need, we should broaden our perspective beyond the financial risks, to all business access risks, and beyond the sort of the deploy time perspective of IM towards not only the, what you could do, but also what you factually do perspective. That is from my perspective, very important when we look at I, the other element is, and we could, this looks a little similar, but it's, it's, it's fairly different.

So when we look at the, the, the, the vertical access it's in that case about the deployment model at the horizontal access, we again have static entitlements and runtime access, but there's also more information we can derive from external services, such as our information about the status of an device, because devices are usually the entry point for the attacker. So they go to, they get access to the account of a certain employee. And then from there, they start, if it's targeted attack, they started journey towards the, towards the ground tools of your organization.

Thread information informs about us about where where's the specific current risk. And on the other hand, as I've said, it's about looking at all types of services. And traditionally it was the reality, our, our core business systems, our SAP are three and, and others, they were to the, the majority of these services were on premises, running on premises. And that is really about to change. So we see this, this massive adoption of cloud service, not only as infrastructure as a service, but really as software, as a service, as the core business services, we see more and more of these.

And so the focus of IGA must be to support all of these services and a broader perspective, give you a broader perspective on what is really covered. And there's some difference between the, when we look at the, the elements on the, the horizontal access. So device and threats are somewhat different because the static entitlements, runtime access, this is really about application system and data access. This is the standard domain of IGA while the other one is the device network access, but it gives you some background, some information about how are the risks changing.

So that information really helps you better understand the risk, better control access. When we look at the, for instance, the adaptive authentication piece of everything, and together, they, they form sort of the foundation for, for really the supporting the zero trust paradigm, where, where we don't trust the single entity, but we, where we look at a lot of factors always prove and put together our perspective and say, okay, that's allowed, that's not allowed.

And obviously this is also an element of a broader and more modern perspective on, on identity and access governance beyond trust compliance tracks and, and checklist compliance. That's a better term where we say, okay, we, we have to release privilege it first to what's really mitigating our business access risks, Dennis, the one thing, and with talking about the cloud services, that, and what I already touched before that we really see this shift towards cloud being the, the normal deployment model on premises for stuff we do new being more the exception than the norm.

We also need to think about where do we run this IGA? And there are a variety of reasons. So a lot of these strateg intelligence services that are already run as a service. So if you run everything in the cloud, there's an advantage of, of probably easier integrating it, getting it all as a service, running it from the cloud also is definitely attractive from the perspective of deployment using standard configuration, setting up the stuff.

But basically the point is, if you are really following a cloud first or a cloud preferred paradigm, then your, your platform, a service services such as IGA, I would rate them in the broader senses. PAs services should start there, but that's very essential. It's not having a cloud service for managing the cloud park. It's not about something which supports your entire existing hybrid infrastructure. So the traditional focus has been delivering IGA for the existing on-premise it infrastructure, but where most it ran on premises and sometimes still does.

So it was logical to run IGA on premises, adding some support for provision to cloud services, and sometimes more separately doing some single sign onto cloud services in whichever way with the shift in the paradigms. So delivering it for the hybrid, it, this picture is changing. So the more it runs in the cloud with services that are best in the cloud, less complex project, turnkey solutions, etcetera. There's the point where it's becomes more and more logical to deliver IHA as a service, which supports that's important again, which supports everything.

So you need to figure out ways to support your hybrid infrastructure, to connect back to your hybrid infrastructure, which from my perspective, that are best sort of black boxes, which you manage from the cloud, totally integrated your identity as a service solution. I, that is something you it's, I would say it's about time to consider shifting that approach. So we are really, from my perspective at this tipping point where critical services, critical business services are increasingly deployed as cloud services.

And so we need to ask ourselves the question, shouldn't the critical supporting services, such as IGA with our identity governance, our access governance also be better deployed from there with that. And that question to think about, I hand over to Joe who right now will dive into the details of what Microsoft does in that space.

Joe, it's your turn. Thanks Martin Martin for providing the context for what IGA solutions target today and what they do. And some of the things customers should think about as we move to the cloud paradigm. My name is Joseph Dozi and I'm a principal program manager in the Azure ad team. I lead a team responsible for the product strategy and features for identity governance in Azure active directory.

Today, I'll talk to you about the Microsoft's approach to identity governance, especially as customers move to the cloud and their risk profile for access and governance changes in this new world at Microsoft. We believe that identity governance solution is actually Azure active directory. So let me walk you through that to start off.

It's good to understand the context about why identity in the cloud is important or, and understand what's been happening over the past few years as part of digital transformation efforts, organizations are increasingly adopting cloud apps, SaaS apps, applications like Martin mentioned, and are writing their own applications to take advantage of these cloud services on the business side, most organizations undergoing digital transformation, and in that transformation effort, collaboration with outside partners or engagement with vendors in real time, it's super critical to enable, especially as business decisions have to be super fast and agile.

It teams no longer have to cater to just their own employees access. They must provide services to enable these business units to facilitate fast collaboration with external users in the past, it would create accounts for these external users in their own directories on premises, but that's no longer scalable, especially as the increased demand for collaboration increases. These collaboration may happen on all sorts of devices and it has to figure out ways to provide access, but do it in a secure manner, the comfort or the network that in the past is okay.

If they are my network, they are all good and everything outside the network is bad. It's no longer applicable. So in this new world, identity is the only way that an it organization or any organization can really gain access to resources and make sure that the right people have access. We at Microsoft believe that Azure ad or Azure directory is the solution to help in this new world. It provides capabilities to allow organizations to securely manage and govern access for both employees to either access applications, Microsoft on Microsoft, on premises apps and from any devices.

Now it's important to talk about or address some of the challenges that Martin mentioned. So in this new world, that everybody is moving to the cloud, some of the requirements for IGA changes, it's no longer about defining role roles and do a lot of role modeling and pro work. Before you can have a governance solution, it must be more dynamic than that in general. Customers tell us that it often takes them years to deploy basic idea capabilities like access request or recertification programs. Years is no longer sustainable.

The business units are no longer accepting that to get a process for giving access to business partners will take months or even years to complete. So what are some of the key expectations for an IGS solution or a modern IG solution in the cloud?

First, the solution must be quick and easy to deploy. It must be configuration based and AB productive to their business requirements. As they change, especially as projects, new projects start get completed, different partners get brought into collaborate to ensure business agility. The IGA solution must decentralize the creation and management of these access policies or these project creation to people in the business unit so that it is no longer the bottleneck for these collaboration efforts.

Secondly, the solution must address some of the new requirements around collaboration and this collaboration also inherently introduces new risk.

As Martin mentioned, how do you make sure that employees are not sharing, you know, business confidential data, intellectual property with folks from outside the organization that should not have access, especially as end users start using team slack box and other collaboration tools in the cloud or cloud services provide ability to get insights and analytics about this usage pattern so that the IGA solution must leverage those to be able to effectively provide the right data and insights to organizations, to make informed decisions about who should get us access or whether they are risks in the particular environment.

Access grants must be flexible in this new world also, right? You cannot require that every end user in an organization has to file a support ticket before adding a partner to work with. And lastly, the authentication must be decoupled from the authorization so that the process is much faster than it is traditionally last but not the least requirement is as much meant. Martin mentioned. We live in a hybrid world. Organizations have some assets on premises.

So any new modern IG solution must integrate with and complement some of the existing on-premises applications or middleware that companies have, it can no longer, it can only be a cloud only solution. It must support the reality of the hybrid world.

So given these requirements and these expectation of a modern AGA what is Microsoft's approach Microsoft's approach is basically to extend the strong access management capabilities in Azure active directory with IGA functions to ensure a seamless and integrated solution that is easy and quick to deploy the approach integrates the traditional life cycle capabilities, access rights management, and privilege. Admin rights features into a cohesive solution that makes it easy and quick for it to deploy these functions. It shouldn't require years to go deploy idea solution.

And in the end, the goal is to have Azure active directory, provide the tools to it, to balance the needs of security and productivity, right where the right people have the right access to the right resources to ensure secure productivity. And this is done at a level where the business users are now empowered to do that. So with that, let me quickly walk you through a few examples of some of the IGA features in Azure active directory, I'll be able to walk through all of them given the short time we have. So first of all, let's start with the most privileged users in an organization.

These users are your administrators. And often they require a lot of permissions and any change they make can be a great success to fix a problem, or it could cause a bunch of damage to systems in your organization. In Azure active directory, we have the privilege identity management capabilities that provide just in time and time limited access for admin roles across Azure, active directory itself, Azure compute resources, and the office 365 services. It provides controls for it to set policies for what should happen when and admin wants permissions or wants to go to administrative task.

Admins are eligible for those rights, but they never have permanent permissions so that they can just in time and go through an approval process before they get those four admin rights and it's time limited to an R or two hours to reduce their risk to the organization. This provides a nice integrated process for making sure that you reduce the risk of admins in the organization.

Now, I have a, a simple screenshot here of some of the admin UI that is in the privileged identity management solution. As you can see here, it has, it's built in alert where you can see alerts like, you know, roles being outside, outside of pain. For example, if you give an administrator rights and they go try to add backdoor accounts, it would flag and catch those users. And it will give, you know, information or alert around potential, still accounts that can quickly be resolved with one click in the organization.

Now, this solution is something that we ourselves are using at Microsoft heavily. And we actually have published about how Microsoft, for example, when Microsoft started using privilege identity management, we were able to reduce global administrators by 98% where the two permanent admins are there break glass accounts that can be used for emergencies. They also facilitated a great discussion around who really should have access or not within the organization.

So for the first level, that's something that I encourage you to take a look at in terms of, you know, governing their rights and processes for privilege admins. Now, lemme walk through another ex example, right? Switching to the end user side, let's look at some, a common IGA requirement around recertification of access to resources and group management. In Azure active directory.

We have group expiration capabilities built in, and we have access reviews, which allows it or the organization to be able to set up recurring policies for reviewing access to resources that they may have and, and involve business users in whether users access should be granted or not. It's supposed normal capabilities around, you know, you know, send an email, you know, to reviewers, have them review and resolve it.

But the nice thing that we do in Azure active directory, where we leverage on the cloud capabilities is we can leverage insights about the users signing and other information to make recommendations about their access combined with the group expiration capabilities, an it or an organization can set policies for the group lifecycle, who can create groups, when do the groups expire, should they be renewed, et cetera. So this combination of capabilities allowed to really make sure that the right people have access to the resources.

It has the intelligence to have their users doing their reviews, make informed decisions. For example, this is the end user experience where here you can see there's some access information to say, Christy, we recommend denying Christie's access because they have not signed their last 30 days. And end users can accept their recommendations or they can change it. It then can apply those policies on the group expiration side. It can set policies around which users should have access or how long the group should live in this case.

One 30 days as if for all groups or selected groups that may have business confidential information. The combination of the group management access reviews actually being used in Microsoft today to really make sure that we can empower end users to collaborate through office groups and teams, but for the highly critical ones or the groups, it sent information theirs around who should have that and expiration make sure that you don't have groups living indefinitely in organization. Now me switch over and about our leaders governance capability that we just added to Azure active directory.

It is what we call entitlement management, where it allows it and organizations to really govern access to resources in a more streamlined manner than traditional solutions to they there's no need for predetermining or modeling business roles. In order to grant access to resources and access grants are not done on a resource by resource basis. Azure eighties solution has this concept of access packages. These access packages are containers of bundles of resources that can be granted as a set for a project.

It can define policies or delegate policies about who can create these policies, the lifetime rules around these policies and auto provisional deprovisioning rules for users that get access to these access packages. There's also a nice end user experience called my access for end users with appropriate permissions, to be able to request these packages.

For example, a user coming from a group that is not in scope will dynamically either see the access that they have been granted, or if they're not in scope, they won't be able to see the access to better illustrate some of these new capabilities. Let's take the example of two organizations Contoso and let, where, who collaborate on a sales project. Contoso has a marketing group, a sales team, and they only collaborate with Litware from sales perspective because Litware helps them do lead generation for their sales organization.

The only one Litware employees to have access to sales information and no marketing information, therefore what Contoso it can do with the Azure and entitlement management is to create a set of cut logs that separate other resources for marketing and sales within those sales cut logs, they can put in their particular applications, SharePoint sites, or groups that they want have lit employees or their sales people get access to. And within the access package, they can define the specific permissions that their users that have access to those resource.

You get given that lit wear employees must be, are coming from an external organization. The it organization in Contoso will set it up such that lit wear employees require approval. Whereas their own employees, Contoso employees do not require approval. They do this by defining separate policies for these users to make sure there's the right, the right governance process around who can get access and the process for granted access.

So that only the sales people that are known to employees in control, so will be approved access to those resources in the it admin experience for Azure active directory. This is what access package looks like. You can see here, the here we define a SaaS application sales force, and we were able to dynamically figure out the role in this case chat free user that is in the Salesforce application. We picked an office 365 group and added specified that the users that get this access package will be added as members.

And we also added them to the SharePoint online site so that these users access are scoped to only the resources that are needed for the sales collaboration process. Now, as we were building this capability, it, we actually worked with quite a lot of customers that provided a lot of feedback about their real use cases and the business challenges they were having. And is one such example where they, they, it service consulting company.

So they have a bunch of clients that they engage with with engagement managers, for this access for each client in the past, what they would do is they would end up going to approve or have it be the one approving access to the resources for each client. And it was slowing down the engagement process for different projects. So what they are doing now with the entitlement management feature in directive directory is they've set up a set of access packages per client, the project manager, or the engagement manager sets these up and they define and approve who can come in or not.

It sets the policy around how long these packages can be. And then the engagement, when I can extend it in case the consultant engagement goes around, you can go check out the case study for what customers are doing and how is using this capability today. Now from the end user side, what does this look like? We have a new end user experience called my access where the user in this case is a little employee.

They can go see the access packages, the sales support, one that we talked about, they put in their business justification and they, once they require request the access, it would go to the person. And once they get approved, they'll be able to come here and quickly see what they've been granted access to in this case, the sales who the sale SharePoint side, the Salesforce application, and they can one click into those resources to start the collaboration process.

The key thing to notice here is that there was only one request for an access package and the user automatically got provision into these three resources. The user from literate did not have to manually go re-request each resource, right? So this speeds up the ability to deploy and enable access to projects without having to go through multi-step processes.

Also here, this policy had an expiration date. So on August 1st, the access to these resources will be revoked unless the policy sets for renewal or not. So hopefully this just gives an example of some of the capabilities that we have.

We, we have a short time, so I couldn't go through all the features that we have in Azure active directory today, but basically to summarize Azure active directory is the IGS solution from Microsoft will continue to add a bunch of functionality in it on top of what we already have. And small sum of those by integrating with Azure active directory, these IGA functions will leverage the strong access management capabilities. They'll be easy to deploy and configure to address some of the needs.

And as you can, as you saw from the examples, also, they optimize for collaboration, integrating some of these cloud services and new collaboration paradigms, and with access reviews and group expiration, you can make sure that access is not long living in your directory. And lastly, all the capabilities that we provide, an objective directory, we provide Ms.

Graph, API and standard protocols, like scam to allow integration with Microsoft and non-Microsoft products, others to support the hybrid paradigm that Martin talked about. Now, this slide is an I test, but it gives you a broad capability of all their features and Azure active directory. And I only touched on just a few in this presentation. So I recommend you to have to go watch the video again, this webinar again, or go to AK, do Ms. Slash identity governance to learn more about what Azure active directory is providing for IGA to help support this new cloud environment. Thank you.

Thank you, Joe. And so let me quickly leave this here so that everyone could note down the link. We directly then we'll move to the Q and a session. And so if you have any questions, so the audience, if there are any questions, please enter the questions.

Now, as I've said, the more questions we have, the easier it is to, or the more interesting our, our Q and a session right now will be, which we directly will start. So I have already some questions here. And the first one is definitely a very interesting one. So should show is Azure active directory, the replacement for Microsoft identity manager level. So that's a good question. So think the way I think of it is Azure active directory is gonna have all the capabilities that we traditionally use to have on premises for identity and access management.

So a bunch of their capabilities that I, Microsoft identity manager that are required in this new world will be made available. For example, Microsoft identity manager had self-service password research capabilities that is now available in Azure active directory, and into includes more capabilities than what was traditionally provided in me. We have group management in Azure, in Microsoft identity manager.

And now you have, you know, some self-service group management in Azure active directory with a behold component, we have some access certification or access review capabilities, you know, have that in Azure directory. So in the long run, we see Azure active directory as being the control plane or where you manage all your identity, access and governance capabilities from, and Microsoft identity manager would provide the functions that I provide for on premises access scenarios that you cannot do today, easily from the cloud or in environments where the cloud may not work.

And these two then will work closely together. Yes, these two work closely together and actually Microsoft identity managers also in my team. So we are conscious to make sure as we provide these solutions and in the picture that I showed around, manage Azure idea as a center and being able to ride bank, we look as much as possible to leverage some of the capabilities of Microsoft identity manager to make sure that hybrid environment works really well. Okay. The next question I have here is, is pretty much around ad Azure ad.

So do you need any sync server for on premise active directory and Azure active directory to synchronize ad accounts and groups? Yes. Today we provided to call Azure ad connect that allows you to synchronize users and groups from on-premises ad to objective directory. Okay.

This, the solution you just presented is next question here, will it replace, or are you targeting at replacing other IHA? So you source your strategy more towards working with existing on premise IGA tools. So what is your overall strategy for Microsoft in, in that end? So Microsoft strategy is, you know, customers have told us over and over that they expect us to have an I IJ capabilities in Azure active directory. And so we will have, we will continue to build IJ capabilities in Azure directory.

However, there are some environments or some specific industry verticals that may have some specialized needs that we may not be able to provide those capabilities in Azure active directory. And so there, we have partnership with a bunch of the leading IGA vendors to provide, and they provide those capabilities that on premises for those industry verticals.

And so in our scenario, our strategies, how do we make sure customers have their most integrated, easy to use governance solutions and I, with Azure being their center and where necessary we'll have those partnership with the other vendors to make sure that we can integrate seamlessly to enable the customer to solve whatever governance or compliance needs they may have. Next question I have here is how is identity risk managed? So in adjuncted directory, we provide a set of capabilities for identity risk that I didn't talk about here.

So we have a capability called identity protection, where for every sign in or user that signs into Azure or authenticated, we score their sign in and that's scoring is based on learnings and threads from our machine learning system that looks at where the users coming from. Are they coming from IP addresses?

You know, are they on infected machine? Is there IP address, part of a known botnet that is going on or from, you know, behavior that is not fiscally possible? Like they user logs in from, let's say Munich and 30 minutes later, they are logging in from China. That's fiscally not possible.

So we have a machine learning system that's caused the user sign in and risk and all those feeding to the system to determine whether users should be granted access or not as an organization, you can use our conditional access system to leverage those signals, to, and set policies for what should happen to those users based on the risk, whether they should be setting, whether they should be challenged with multifactor authentication or what we know is a compromised password, which we can detect, then we, they can reset their password.

So we have a lot of great capability, Azure active directory for scoring or checking their risk of identity and make sure that we pro you have the policies to manage that risk. Okay. The next question I have here is more about the British access management or British management capabilities. So is there, there are also support for, for non Azure ad environments or is it currently targeted at the ID world?

So today the current features that we have are mostly targeted at Azure ID world, Microsoft 365 and Azure resources for non-system or on-prem systems, we have the me Palm solution, but in Azure today, it's mostly focused on those cloud resources first as of today. Okay.

And Todd, maybe you could elaborate a little bit more about sort of the, I would say the broader senses, threat analytics, threat intelligence integrations we have, and the, the enterprise mobility management integrations, which from my perspective also form are, are parts of this, this broader offering Microsoft test today. So I, I, earlier I talked about identity being the control plan. That's something that across all the Microsoft services, we strongly believe. And with that Azure is in the center.

So our conditional access system provides a way to integrate all the threat, intelligence and capabilities from all the different systems so that an organization can set policies and bring all the intelligence to bear around grant and access.

So for example, for device threats that come through windows defender ATP, go through in tune where in tune can score a device and say that device is compliant with policies, et cetera, that can then be leveraged in the conditional access policy for whether a user should be granted access to resources or not all that threat intelligence from other systems feed into the identity protection system that I talked about earlier to score the user's risk.

And we have into integrations across identity protection, the Microsoft cloud app security capabilities, to make sure that you can block the access as sign in, and you can use the cloud app security system to go see or block the user from even exiting the firewall in other scenarios and find out what they've done in there. So we look at it as an integrated comprehensive solution across users, data devices, and identities into a cohesive threat mitigation solution. Okay. I have two more questions here, and I think that we are close to the end of the time.

So basically what we just said, and maybe a comment from my end, I think this, this aligns very well with the thinking I talked about in, in my part of the presentation. So really having this, you have this, Your, your approach on that, that falls indication, which is one part of the puzzle, plus the piece as a broader solution to mitigating access risk. And I think this is this Alliance very well with, as I've said with what we said, there's an interesting question I trust also received, which is around.

So, so currently the way, so when you say Azure active directory is at the center currently, the way primarily that you write information from the on premise ad to Azure ad, is there also then then a way back to the, the on premise ad when, when everything sort of centered and starts at Azure active directory?

Yes, there's actually, we have some capabilities today to write back and we continue to invest in that and actually the new Azure ad connect release that just went out earlier this week called late last week, provide a way to ride unified exchange groups and stuff back to on premises ad. And over time we'll be adding more right back capabilities. So that with Azure ad, as a master, you'll be able to figure out ways to not necessarily write about extend those controls, to be able to reach back into on-prem resources as necessary. That's an area that we're gonna be adding more capabilities.

Okay. And then I think the final question we can take in the interest of time is about licensing. So could you a little elaborate a little bit about on licensing? So is this, what is the licensing approach? Is it something which is part of, of other modules and, and Microsoft 365 ID etcetera, or how is, is done?

Yeah, so the, we think of the licensing as most of our governance capabilities will be part of the Azure ADP two license, which includes the access to the identity protection and any additional capabilities that we add or be part of that license. It won't be a separate license that you have to pay on top of, for your opinion. Already. The Azure ADP two license is part of the Microsoft 365 E five suite. So if you have that, then you already have access to the governance capabilities. Okay. Thank you very much, Charles.

Thank you very much to the audience for listen to this call webinar, hope to see you next week at our European identity conference shows us there'll be there as well, by the way. So a perfect opportunity to meet him in person. Thank you, Martin. As I've said, thank you very much for your time, and I hope to see you soon again, Liz in person or at a webinar. Bye.