Microsoft Azure Active Directory (Azure AD) has gained widespread adoption. Coming with Microsoft Azure Cloud as well as Microsoft 365 (i.e. Office 365), it appears in many organizations just because of decisions made outside of the IAM team.
Welcome to our KuppingerCole webinar "Managing Azure AD regardless of how you use it". Azure AD is the reality in most businesses; how to best deal with it in your IAM strategy. This webinar is supported by empowerID. The speakers today are Patrick Parker, who is founder and CEO of empowerID, and me, Martin Kuppinger - I'm principal analyst at KuppingerCole. Welcome Patrick. So before we start, a little bit of housekeeping information and a little bit of information about upcoming events with KuppingerCole.
So the highlight in 2021 will be our European Identity and Cloud Conference, which we moved to September to be done at the right time. And we're looking forward to meeting you in person again, in September 2021 in Munich. So don't miss it. It will be, I would say, the must-attend event after one year of break. Regarding the housekeeping, there's not much to do for you. We have audio control enabled, so we are controlling audio on our end. We do a recording, and we will also provide the slide deck for download so that you don't need to take many notes.
You can always listen to the replay, and there will be a Q&A session at the end of the webinar. However, the more questions you enter during the course of the webinar, the more interesting, lively and interactive this Q&A session will be. Let's have a look at the agenda. As usual in most of our webinars, it is split into three parts. In the first part I'll talk about the
And I'll also look a little at the interplay of Azure AD and on-premises Active Directory, which is also a very common scenario, normality so to speak, for many organizations. In the second part, Patrick Parker will talk about how to manage Azure Active Directory, on-prem AD and other services consistently in your identity management in an efficient manner, so as to deliver the IAM the cloud needs, for instance for DevOps. So he looks really at a broader picture: what are the options, and how to deal with these options in a very efficient manner.
When we are talking about Azure AD as one important element in our strategy - and I think this is the starting point - at the end, Azure AD is very relevant to many businesses, because if you have Microsoft 365, which many do, you have Azure AD. And then the question is, what do you do with it? And that's a little difficult. I'd like to start with one slide.
And I know Patrick will also refer to some of these statements, but I think they are the point where you really need to understand how to look at this: the strategy of Microsoft is very clear on Azure Active Directory versus the on-premises Active Directory. Azure Active Directory is in the focus of the Microsoft strategy. On-premises AD is not the strategic system anymore. It's an important element, it still delivers, but when you look at it from a strategy perspective, their emphasis, their focus is on Azure Active Directory.
And so I can phrase this in a simple sentence: Microsoft Active Directory on-prem is on its road to legacy. And so when we look at a lot of things which happened over the last few years, specifically over the past year, then in the strategy, as I've said, on-prem Active Directory is not a strategic system anymore. It's something which will continue to live, but the investments are targeted on Azure Active Directory. That also means for customers that investments which flow into on-premises Active Directory must be very well thought out.
And you need to think about what really makes sense. Does it make sense, for instance, to do a migration or a restructuring of an on-premises Active Directory nowadays, or is it better to focus on the future? From my perspective, you should be extremely careful when it comes to major investments into on-premises Active Directory, because this is what you have and what you need to maintain for a certain period, but the future looks different.
So it comes with Microsoft 365, but it's also that when you look at a lot of things that are changing, the tendency is that you don't use ADFS or other things to move from AD to Azure AD, but it's the other way around, Azure AD being sort of the primary system. When you look at how authentication is changing - and probably most of the ones who are attending this webinar are currently thinking about what to do around authentication, shifting to multi-factor authentication, shifting to a new authentication scheme, supporting stronger authentication, et cetera.
It is obvious because we need to be better in that space today. We need to invest in that.
And again, the tendency is very clear. It is not the on-prem AD, which has been there as the primary authentication system for many years, for many organizations; it will be a different system that can, and in many cases will, be Azure Active Directory, though not necessarily; there are options. But it is something where we see a change. And this change is really that the first thing you need to look at is not the on-prem AD anymore. If it's in the Microsoft space, then it's Azure Active Directory. If it's beyond that, then there are also other options.
But when we look at this part, what we are looking at is a very simplified pattern of an employee-centric IAM architecture. You might know from a lot of the webinars, a lot of the KC Live events and a lot of the talks we did over the past years that there are many other scenarios and we have a far bigger picture, but right now I really want to shed light on this, so to speak, baseline, very abstract, high-level IAM. Part of this is that you have a series of applications and services to deal with.
That might be a few, that might be hundreds, maybe even thousands of them. Some of these are SaaS services, some of them are traditional on-premises services. And clearly in this pattern you also find Active Directory, where you have users, and you find Azure Active Directory, and a lot of other systems. Then, on the other side, you have HR and other sources of identities, and you need to bring these things together. This is where identity management comes into play.
You have the identity lifecycle management, you have the access governance, which in combination is frequently referred to as IGA, identity governance and administration. And so data goes from HR to these services, and it goes from there to all the other applications. So you're provisioning to these.
Yes, you might have and do some things which are a little bit more complex. You, whatever, push some things into your IT service management, and the IT service management then creates tickets for manual fulfillment, et cetera. There can be a little bit more complexity in that picture, no doubt.
So IT service management is frequently something you integrate into this picture, and then there's the other side. So the first part is more the deploy-time identity management. In a sense, we created a user, we deployed that user to the systems, we grant certain access rights and we give them entitlements. And then there's the access management portion of that, which is we also need to authenticate day by day and maybe continuously.
So at that point, with authentication, the entire access management piece comes into play, which also needs to deal with the systems, to deliver a single sign-on experience, and to also act as another layer of security where we control who can access which of these applications at all. We have privileged access management, which also should ensure that the privileged access to all these applications is handled well.
So this is the picture we have. What's in our identity management? Yes, there are identity management services and related security services which also play into this equation or this structure we have for our identity management. Active Directory then might also be a system which frequently is what applications rely on. So if you look at Active Directory integrated authentication, if you look at applications relying on Active Directory groups, then we have applications that integrate with Active Directory. And the same is true for Azure Active Directory.
So there are other applications such as Office 365, which today is called Microsoft 365, which depends on Azure Active Directory. And so Active Directory also might be, in effect, the one thing which really delivers the adaptive authentication in this picture, or it might be Azure AD which in fact is the component that the authentication is based on. So this is the picture we have here. And so when we look at this picture, then we can look at one alternative: how could this picture look like?
So if we remove a little bit of that, so we remove our Active Directory and Azure Active Directory entries here and what is related to that, then there's a picture where Azure Active Directory takes an active role in a future identity management deployment. So Azure Active Directory is something which then is a system which takes a role in providing a set of services, where then the standard on-prem Active Directory is just a target system.
In that case, Azure Active Directory has specifically the role of being the system which is here in the access management space, providing the adaptive authentication, delivering the access management to all these applications. There are also IGA capabilities, but the common focus clearly in this scenario is saying: I put some pieces of my access management, or the central pieces of my access management, on that system.
So this is something where Azure Active Directory also controls, so to speak, the on-prem AD as a system, and clearly also serves as the system which Office 365 relies on. That's a pattern for the future. When you say we have Azure Active Directory, it might be, you say, it's not that active, that strategic element which we have, which builds certain capabilities of our overall identity management infrastructure. That's what we call, and you'll find a lot of publications on this at KuppingerCole, the Identity Fabric. So it's not an essential element in the Identity Fabric.
You might also say it's just a target system, and that this is a strategic decision. That is a decision you need to make. And in that case, another system then manages the Azure AD. So they're going in some way back to that picture we had earlier. Both approaches are meaningful approaches; both have their pros and cons. The important thing is that you understand you need to make a decision. You need to understand where you are heading with this entire strategy.
And it also might be a sort of dual play; for instance, we see a lot of companies which use more than one access management, for instance for different use cases, in certain combinations. There are different architectures you can go for, but you need to understand that you need to make a decision. It is that step you need to be clear of, because the world is changing. And one thing is clear: on-prem AD will not be the long-term strategic front end and sort of central element.
This is definitely about to change, and this way you need to adapt. So let's look right now at a couple of factors that influence this decision, and I'd like to touch on some of these. So clearly one aspect is, and be aware of it, vendor lock-in. And if you say we build everything around Azure AD, Microsoft 365 and all these other things, then there's some sort of vendor lock-in, which you have with other vendors as well. You might have had it for long enough in your business with the IBM mainframe.
You might have it with your SAP system and certain other types of business applications. So it's not that this is new, but I'm a big believer in saying, okay, vendor lock-ins are totally okay as long as you do it based on a clearly made decision, and you need to understand what the consequences are. How can you get away from that?
But that's a decision; if you do it, then do it right. Usually Azure AD, by the way, is the consequence that causes the lock-in, because it starts with saying, oh, I go for Office 365. Then you've made a very important step here. A question I'm frequently asked is about application support: you need to look at whether, if it's a central element, it can support all these applications.
You have all this legacy of applications, all the other downstream applications, all the new SaaS services to support, broad enough, and not only broad, but also deep enough. That is something you need to look at very thoroughly, against the application landscape you have in your organization. Overall capabilities: have a thorough look at what you need. So, by the way, it starts with requirements analysis: understand your requirements, and from the requirements then understand what that is.
There are options you have, but there are many vendors in the access management market; understand which vendors fit best to your requirements, which fit best to your infrastructure, and make the decision. Very roughly, that's the tools choice. And then you will also observe that in 2021 - we started this year, but in 2021 - KuppingerCole will provide a lot of virtual events looking at the tools choice, done right so to speak, for various segments of the identity management and the cybersecurity market, which might give you some interesting guidance here as well. What do you have?
So is it a replacement? Is it closing a gap? So how does your infrastructure look like?
And that is the next question. Clearly, if you have something which is super cool and super smart as well, it doesn't make sense to change it. How's the interplay between Azure AD, which you have anyway for Office 365, and CRM? So you might have use cases to be better, so also look at the interplay, how seamlessly this works. Do the features Azure AD provides for IGA and PAM work for you?
Then there is clearly a role for looking at factors like cloud risk measurement and assessment. You get this question about what is the level of risk, what are the mitigations? You have this with whichever type of cloud service, and this is something that must be a standard process, a standard level.
Yes, every, I would say, IT service you procure needs risk analysis and an understanding of the consequences of that. The licensing aspects are an important aspect regularly.
So let's sum it up. The role of AD is changing. It's Azure AD first from a Microsoft perspective. When you look at on-prem AD and its relationship versus Azure AD, that must be considered; Azure AD can take a passive or an active role. You need to understand the options, you need to understand what that means, how you deal with other elements of technology you might have or you might want to add here, what is the better choice here, and what is the overall identity management context. So what does it mean at the end for your overall identity management picture, and what is the right way to proceed here?
This is what you really need to think about to make a good decision. So clearly, strategies that are putting on-premises AD at the center are outdated. You need to redefine them. This is the starting point. And then you can think about what is the best way to proceed. And as I've said, there's not a single correct answer. There are many options and all of them have their strengths and their weaknesses, but you need to think about it, because for most organizations Azure AD is there.
So you need to decide what the right place is for that; you can't avoid making that decision. With that, I'd like to hand over to Patrick, who is the next speaker right now. Okay, great.
Well, thanks everyone. As Martin mentioned, I'm Patrick Parker, I'm the CTO and one of the co-founders of empowerID, and I'm here to talk about Azure AD and its role in your organization. So looking at Azure AD, the big questions that I hear from my customers right now, and we've been hearing this over the last year: a lot of things have shifted. Microsoft's strategy or guidance on Azure AD versus ADFS has shifted last year, and this has triggered a lot of questions from customers.
The big first question would be: should Azure AD become the strategic primary authentication directory, or should it remain just another directory which is required by a system, Microsoft 365? That's the big question. What is the strategy? Which Active Directory should take the lead? That's the second question. And then when should you make the switch? How do you know for your organization when it's a good time to make the switch? The third question we hear a lot is how to make the switch.
If you are going to switch from Active Directory on-prem as being the primary central identity and authentication hub to Azure, how can you make that switch seamlessly over time with low risk? And then the last question we always hear, of course, because we are an IAM/IGA vendor, is which IGA services does Azure AD need, as Azure AD does provide a lot of different capabilities. So the question is, where does Azure AD end, and where do we need to pick up with a system like empowerID to cover the gaps or to provide a complete solution?
So those are the top questions that we hear, and we'll try to address those today. So visualizing the first question: what is really at the center of your organizational strategy of all your different systems, whether they're the on-prem systems, whether they're the Windows and Mac and PC-based authentication, or your legacy systems? Really, what's going to be at the heart of the strategy?
Is it going to be Active Directory, as it is today for most organizations, most corporate organizations, not all but most, or are we going to be moving Azure into that central role and then relegating Active Directory to being a secondary directory on-premises? So will Azure AD become the hub of your central identity strategy? That's really the question that everyone's wrestling with. So just a little look back at where we started. So markets become fragmented in the beginning, they coalesce at certain points, they fragment again, and they coalesce.
So around 1999 through 2005, I'd say we were in a fragmented directory market, but around 2005 it coalesced around a very common pattern for organizations, or strategy, where Active Directory was really the central authentication hub for Windows PCs and for applications, typically through web access management. AD was really at the heart of it. Exchange required Active Directory, which brought it into organizations. And then the Windows integration with Active Directory really promoted it to be the logical source as the primary directory.
So that changed over time with the advent of the cloud. You have all these new cloud applications that really had no interest in doing Windows authentication; it didn't really make any sense, because they needed to be, you know, across the firewall, outside the organization, so really federation was a requirement to be able to have single sign-on to these applications. So the natural next step in the evolution for organizations was still Active Directory at the center.
It was very easy to roll out an ADFS server for federation, adding on those cloud protocols to integrate with the cloud systems, Active Directory still being the primary login for both the web now, as well as, as previously, the Windows desktop. And then of course, since you had adopted Office 365, you had this Azure AD out there; Office 365 required Azure AD.
I mean, it didn't really have much in the way of federation at that time, so it didn't make sense that it would be the primary. So you would synchronize it from your primary Active Directory. That was really the pattern that emerged. A little bit later, but again, the market starts to fragment: lots of IDaaS offerings out there, and organizations are thinking, well, ADFS is a little bit behind in technology; federation wasn't as advanced in some of the use cases as at some of the pure-play cloud vendors. And of course it was a heavy infrastructure investment to manage on-premises.
So a lot of organizations at that point moved to where they would have a cloud-based identity provider as the primary authentication for their cloud apps; the cloud apps would be federated. And then that identity provider still really had Active Directory at the center. Customers even federating with us, customers would say, well, the bulk of our users are logging into Windows. So still Windows was really the driver.
It was still the driver for AD as the primary authentication directory, even though you're federating with another identity provider, a non-Microsoft type. Over time, Azure built a lot of new, exciting capabilities for federation, for passwordless authentication; as a new announcement, they announced HTTP header-based authentication for legacy apps on-prem. So it matured and evolved.
And sometime last year, Microsoft started giving the guidance to unfederate your Azure AD: don't use ADFS, Azure Active Directory has the federation capabilities, unfederate Azure Active Directory and start using a lot of the feature sets within that.
And really, customers started looking at this, and that wasn't enough of a driver there, but really what started to push them in that direction and brought up the question of, should we unfederate our Azure AD and have it be a primary authentication source, were some of the features around the Windows desktop, at least for my customers: Windows integrated authentication into Azure AD, Windows Hello, multi-factor authentication at the desktop level, and even the most exciting area, which would be passwordless authentication into the Windows desktop all the way through to cloud apps.
That's really what brought up the question: should we unfederate Azure AD and have Azure AD take a much, much bigger role in our infrastructure? So looking again, why are people looking at Azure AD versus Active Directory? It is more secure because it has more innovation. Azure is aggregating a lot of data, and a lot of the development of the passwordless and the multi-factor authentication has all been focused around a Windows desktop integrating into Azure, and that's really the direction it's headed.
This slide just shows Microsoft's authentication and risk technology. They're analyzing a huge amount of data daily, which you can only do because it's a cloud infrastructure, to identify threats. So that authentication experience can only be more secure and benefit from this information that's cross-tenant, that's using a lot of advanced technology such as artificial intelligence. And then again, tying in that desktop security with Windows Hello for Business, you get that passwordless or multi-factor experience.
That's really what we see as the primary driver from customers. I also see the rapid growth in Teams; basically, with the explosion of remote home working, Teams adoption went through the roof, and Teams adoption is using, behind the scenes, Microsoft's B2B federation. So it's super easy in Teams to invite someone from another organization; they're added as a guest user to your Azure AD tenant, really without even thinking about federation or the complexities. So that's really driven a lot of the adoption of Azure AD, just Teams.
It's also much more modern; as Alex from Microsoft says, basically they bolted on to Azure all of the native protocols needed by cloud applications, which is not really going to happen for Active Directory on-premises. So Azure is much more modern and can plug into all of your fields. Okay.
Excuse me. It's also highly reliable, you know, it's globally distributed, load balanced, backed up by Microsoft with an SLA. And of course it's affordable. The licensing for B2C and B2B is extremely inexpensive. The infrastructure costs kind of disappear because Microsoft's really managing that for you. So there are a lot of reasons why you would choose Azure AD over Active Directory as the driver for your central primary authentication directory, your strategy there.
So the next question that comes up from customers is, well, if we've federated a lot of our apps with another identity provider, what do we do? What does that mean to get the richest benefit, where the Windows desktops can use Windows Hello for Business and passwordless? Do we need to do a big-bang cutover of all of our apps, or else they'll be prompted and prompted and prompted to log in to all these different apps? And, thank goodness, the answer for that is: not at all.
I mean, really, to get the benefits of the Azure AD integration to the Windows desktop, that passwordless authentication, that more secure login experience, you don't have to migrate all of your applications. You can really do a mixed strategy where your applications that are federated with their current identity provider can stay like that.
That identity provider might have lots of features that you need, like user-managed access for IoT use cases, or it might have features like claims, or lots of different things that you need that would not be handled if you migrated them. So there's no need to migrate those. Your identity provider, as long as it supports federating or Azure native authentication, can just trust your Azure AD. So your desktop PCs can do their hybrid login into Active Directory on-premises and Azure AD. You can even have cloud-only Windows 10 PCs that log directly into Azure.
You can start getting the benefits of a more secure desktop experience with adaptive authentication, with risk-based authentication and passwordless authentication, without interrupting your organization or incurring heavy costs to migrate the apps in a very disruptive project. You can just let that go. So really you can use the best of Azure AD unfederated with the desktops and still get the benefits of leaving your existing infrastructure in place. And then it's your decision in the future:
when new applications come on board, do I federate them with my existing IdP because I need some of those capabilities, or do I federate them with Azure? Really, it's seamless, so it doesn't really matter. It's just an organizational decision. Okay. If we're deciding to migrate to unfederated Azure AD, if that decision is made, if you decide that you really want the benefits of a more secure desktop login and server login experience, then what are some of the strategies to make that transition more seamless and more gradual and to lower the risk?
So one of the things that Azure has is what they call Azure AD Domain Services, which is basically your Active Directory, like your on-premises Active Directory, except up in your Azure cloud. And it has a lot of interesting features where it becomes a kind of sub-directory off of your Azure AD. So you can have an infrastructure like we see here, where you're doing synchronization of your legacy Active Directory, synchronizing the users and even the password hashes into Azure AD, so that users have a seamless flow into on-prem or Azure.
And you also get the fault tolerance: if one's down, you can still log in. And then you have the Active Directory Domain Services in the cloud for your workloads, your Windows servers and your other services that require an Active Directory. Now you can start moving them into infrastructure as a service running in the cloud, leveraging Active Directory authentication.
And since that Active Directory is always in sync all the way through, from your on-premises to your Azure AD to the AD DS, then really it's a seamless environment where you can balance your infrastructure investment on one side versus the other. And over time, more things will move to the cloud and you can de-emphasize that on-premises directory. So this gives you the best of both. I think maybe you're saying, well, hey, you sold me on Azure AD, and you're an IGA competitor, so why can't I just use it for everything? And that's a question that comes up a lot.
So where Azure AD has a lot of features, it has RBAC, it has role management, it has provisioning, it has some of the new features, entitlement management. So really, why do I need empowerID or any other IGA vendor?
Why do I need that? Well, the first answer to that is that it's really a different paradigm. Azure AD is a directory. It is one of your directories; every organization, not every, but almost all organizations, have many directories. So Azure AD is one. You might even have multiple Azure AD tenants. You might have AWS, Google, your SAP, your line-of-business applications. So being at the directory level, you really can't manage other directories or have a view of the global picture.
Now, empowerID is an identity warehouse, an identity and entitlement warehouse, which means that we have a data model that encompasses all your directories. We're designed for that: all your users, all your permissions, all your fine-grained roles and entitlements. And you have the ability to understand the past state, the current state, and to have policies for desired future states. You're managing a security state based on policies. And it can do that because it can encompass all of your directories regardless of the technology. But really that's the big difference: paradigm.
Azure does a great job. You can provision applications in Azure and Azure can provision into these systems. So you register an app like Salesforce, and you can provision Azure users, assign them to the app or assign groups to the app. And it'll provision into those systems now, but Azure manages the link identity. So it knows what it provisioned and what it's linked an Azure user to an object and an external system, but it doesn't have a full picture. It really has no visibility to the other objects in those systems, to the permissions, to the roles.
It's really just managing the linked objects, provisioning, deprovisioning, just very simple, and many escapes require a meta directory approach. You really have to know all the data. If you're going to do access recertification, you're certifying that a person's access is appropriate in all of the key systems, not just being measured. You have to know their, their access in the SAP systems, the Oracle database systems, all the systems. You have to have all that data, rich management, to understand your risks.
You really need to know their access to do role mining, or to do least privilege delegated administration. You need admins to be able to have access across multiple systems of different types, not just Azure, but your AWS or
So, as we see in this, IGA is really a complex mix of technologies. And Azure performs one key critical piece, but to have a complete governance model around your Azure, plus your other systems, you need to fill in those other gaps. And that's really where empowerID plays, is that we complement Azure. We extend some of its existing functionality, and we, we plug in those gaps so that you have full governance. And how we do it, what you need, well, empowerID
has a concept called compliant access delivery, where you always know what people should have and the system can measure what they have. And it's always measuring, well, how can I make their access compliant? Can I give them what they're missing, that they should have, that's job appropriate? And can I take away what they have that they shouldn't? Yeah.
Azure, if we decided that Azure is going to be your primary directory, your most important system, well, Azure is not Active Directory. It's much more sophisticated, much more modern. And it requires a much deeper understanding of the system to understand the risk and to manage it. Though Azure, traditional systems manage the users and groups, provision, deprovision, but really with Azure, a lot of your risk
and the complexity is in the RBAC structure, new types of identities, like service principals and managed identities, and really to fully manage it, to manage the privileged access, to manage the life cycle and the governance, you have to have a full picture. Because you see a famous quote that really, if you follow the least privilege model, that even in a security breach, where someone gets authenticated to your cloud system in a least-privileged environment, they really don't have any access to do damage because the access is least privilege, just in time and just enough.
And Martin, you on timelines at this point, a couple checks. Oh, we are good on time. Okay. A few minutes. Great. Great. Okay. Thank you very much. So least privilege becomes extremely important. Recent studies have shown that of security breaches in cloud environments, at least 75% of those are customer induced and could have been avoided with proper least privilege management. So empowerID really adds that layer on top.
So we see in this picture, as an admin logged into a web interface, even any native Azure RBAC access, I could be granted broad capabilities, and in this case I can manage multiple Azure tenants. I can see the structure for management groups, the subscriptions, the resource groups, and I can do broad enterprise level delegations of who has access to what. I can do reporting on who has access to what. I can automate things. And this is not just across Azure, but across your on-premise Active Directory, your AWS, your Google, your service.
Now it's really that least privilege umbrella is extremely important. As we're moving workload to the cloud, the cloud is more sophisticated and more complex, and it becomes an attack surface. So least privilege becomes extremely critical. This year probably will be the year of least privilege and IGA. I would just try that out and you'll see contracting that broad privilege. You need to be able to go extremely granular.
So if you're doing, you know, third party identities and you need partners or developers to have access for DevOps, for Kubernetes, for microservices using your Azure infrastructure, you really want to give them tight control. And in the preferred world, you wouldn't give them direct access to the Azure portal. They'd have to go through a proxy zero trust interface, like we'd be here, and you can get extremely granular. So in this case, I have a Germany project team working on a microservice app called project divergence and a designated German
RBAC admin can only see that one resource group in that subscription, in that management group in one Azure tenant. They can only see 10 users. They can only see two Azure RBAC roles, and three Azure AD directory roles. And they can completely manage the permissions, of course, with approvals, audit trail, recertification. You need to be able to go down to the object level to really have least privilege access, and also to add the time-based element to it, so that access is never permanent.
It has to be activated when it's needed to be used. Going into this, the admin experience, but the end users should be able to shop for access and they should be able to request Azure RBAC assignments, again, which are complicated. They have scopes: where are you requesting it for, which subscription, which resource group. So you need a system that handles that complexity and understands the data models and can have workflows, approvals, audit trails, and temporary access. We also extend Azure on the provisioning side.
So it's great that you can connect Azure to your enterprise applications. And it has an ever growing list of those, especially those that support SCIM, which is an open standard for provisioning between applications and identity systems in the cloud. So empowerID extends this with what we call the SCIM virtual directory, where empowerID exposes a single SCIM service. In Azure, you can register any application connected to empowerID as if it were a directly connected SCIM app in Azure. So Azure sees it as an app. It can provision, deprovision, but really those calls are coming to empowerID,
and empowerID is translating them for legacy systems that do not support SCIM. And it's adding on workflows, approvals and enterprise requirements like naming conventions, uniqueness, and other things like that. But really, again, the idea is to embrace your investment and extend it with all of the enterprise features that organizations require. Conclusions: Azure Active Directory is really the future direction for Microsoft. And it's much more than a target system.
This, as Martin mentioned, you really need to make a decision on that. There are many security and cost benefits to leveraging Azure, and lots of studies out there for that, to lower your costs, reduce your, your investment in on-premise hardware and the management. Azure AD as a primary authentication directory does not require a forced migration of your apps. You can leave them where they are and still get the benefits of that Windows desktop integration. Implement a plan that enables a smooth transition and the ability to lift and shift workloads to the cloud.
You really want to have a plan. As Martin mentioned, now is the time to make a plan, make some decisions and make sure that you have a plan that will enable a smooth transition as your people develop new skill sets as, as well. You don't want to really do a big bang shift. And then Azure AD is a directory, but again, you have more than one directory, and a lot of IGA functions and PAM functions require that meta directory or identity and entitlement warehouse approach. And last but not least, empowerID provides a best in class solution for organizations focused on Azure.
We, we understand Azure, we go as deep as you can go on Azure. So we offer, you know, the deepest integration to make sure you get the most out of your Azure investment, extending it, and also that you maintain that security that you need. Okay. Back to you, Martin. Thank you very much for all these insights and you, you covered so many topics. So let me make, let me make myself the presenter again. We already have a, quite a, quite a number of questions here. And what I would like to do right now is start with some Q and A, and I'll look at certain of these questions.
So Q and A, that's what we'll do. And if you have further questions, enter these questions now, so that we can pick them up. We still have a couple of minutes we can spend on answering your questions. The first question we have here as well, I really like, which is: if we are moving from on-prem Active Directory to Azure Active Directory, how do we handle essentials such as group policies?
Oh, here they are. Group policies. One of the, let's say, most interesting features of Active Directory, as I, I'm afraid, unfold live, so to speak, a lot of books on the handbook for my Windows Server 2003, where I really went into the very detail of group policy. So I understand them well, and I understand the benefits and what makes them so scary and complex. But Patrick, maybe you'd like to talk about what does it mean from project perspective? Sure. Migrating from, to use Azure. So you do the, you do support two modes.
Basically you have a hybrid mode where your Windows desktop PCs have line of sight access still to a domain controller. So they can still log into the on-premise directory. And at the same time they log in to Azure AD. So you still get the benefits in that, in that environment of group policies. Now that cloud only desktop that's logging directly into Azure AD and not Active Directory, really you're relying on Intune at that point. So Intune, that's Microsoft's MDM solution, which is maturing.
It definitely does not have the depth of management of group policy yet, but where you're doing some third-party as well, but, but Intune, the future direction for Microsoft, that seems to, to provide that same experience. Yeah.
As I said, it's probably, what's the word, I think Endpoint Manager today, and names are changing quickly. But anyway, so, so one of the really interesting things, we, I, I would fully agree with you. I think there are doubt and I don't. So users from the endpoint management, unified endpoint management market, where we have a broad variety of, of solutions available, by the way, that's also a Leadership Compass from KuppingerCole, looking at the unified endpoint management market.
So comparing it with different vendors in that, that space. And you need to take a different approach, but that approach also might be far more adequate to let, let's say, the age of work from home, because at the end of the day, I think we, we, we must think in, in, in, in paradigms where we have endpoints that are accessing services that run somewhere, and the endpoints are somewhere. And so this is changing and I think a lot of things become easier wherever we can protect that.
We don't know where the endpoint is, and we don't know where the services are. If stuff works well, then this will also work well with both within our corporate LAN. But it's far easier to do it that way, because you cover everything, than the other way round. So there are a lot of questions in.
So, so one question here is, is the hybrid mode out of date, which is, the definition would be on-prem AD sort of at the center, to Azure AD as a system used, or is it the first step, I think this is the real question, towards an Azure AD strategy. So which, I think the question has a lot of elements. So is it out of date? There's still a, well, can it be the migration path or is it the preferred migration path even? Patrick, do you like to comment on that? Sure. So initially that's evolved over time.
Initially when hybrid mode came out, everyone thought that once you've migrated your last on-premise Exchange server up to Office 365, that you would eliminate hybrid mode. And that's what everyone thought. But then Microsoft built a lot of capabilities into that hybrid mode sync, device write-back. They're really synchronizing a lot of additional things for the desktop integration, to do the passwordless and the, the, the Windows Hello, so really hybrid mode is a long-term component.
I wouldn't expect that you're going to replace it until you really have transitioned to cloud, cloud first desktops that are logging into the cloud, until you remove that Active Directory on premise and, and machines joined to the on-premise domain. I would expect hybrid mode is going to persist for a very long time, because it has a lot more features than before. It was just for hybrid mode; now it's really a lot of additional things that are getting synchronized, the device write-back, the device certificates, all of that.
Yeah, I think, I think we will see different, very different scenarios, honestly, with sometimes where you're being more so hybrid, moving to the center, on-prem AD just being the, the system which is managed, but also we see even very large companies. Sometimes we say, okay, we go very consequently towards, for instance, Windows Hello for Business, or to here. We also do approaches which are totally independent of Microsoft also. That is something we, we see, sit down, different ways.
But again, I think the point is right now we see the change. We can understand a lot of the future options we have. We understand quite well the future requirements of how IT and identity and security needs to run and how we will deploy services and workplaces. So I think we have enough knowledge right now to make the right decisions for the future. And this is really, I think, the point, and there's not, as I said, there's not one single right option, but I think it's very important to understand what will be the future and then design what is the right thing to do for the future.
So this will be my last, perfect, next question: can empowerID also act as an intermediary between Azure AD and G Suite to be used for migration, for instance, or how does it deal with it if you have two, for instance? Yes. And that's one of the things that is the benefit of a meta directory. Yeah. The meta directory approach, or that identity warehouse approach: if you have a person object that has many user accounts, and the, and the relationship of how the data gets synchronized between those systems is controlled by the meta directory.
And you can have policies where if a user is in, let's say, G Suite, then these users should get migrated over and be provisioned as Azure AD users. And you can even map the G Suite groups to Azure groups so that the users, as soon as they appear in Azure, they will get the same corollary group memberships that they had in G Suite. So you can really map the two systems and empowerID will merge whatever you had in G Suite. You have the corollary or the corresponding access in Azure, and keep those two in sync until you remove this. Okay.
But I have a question, I'm curious on how you would do, how would you handle password sync from Azure AD towards platforms or applications that can't federate? Maybe it's worth to extend the question a little: how do you deal with all these downstream applications that are not supporting the modern federation standards, which is not necessarily password sync? So I would say the most probably used approach is Maura password in check, true sync ESER or credential track, or it is things like HTTP, heterosexual, light, and traditional web access management.
Where are you going to have a trust from the downstream application to that, to the central authentication system, which by the way, I think I already brought some, some part of the answer. There are various things either IGA supports today, will support you, and there are tons of access management solutions which can be used in conjunction or alternatively to Azure AD, which also provide these capabilities. Some of these have a very long history in supporting all these dollars for applications because they, they started long ago, others, which are strong or disaster site.
And, but also freewill is strong and stand of credential injections and things like that. So I think there are a couple of alternatives, including empowerID
And since the identity warehouse knows for that user what are their other user accounts, and for each of the systems, is it a WAM system? Is it a federated system, or is it an old school system that needs a password sync? So for the old school systems, it's going to do a password reset and organize that password change down. Yeah.
But at the end, that goes back to understand your requirements, understand your current infrastructure, from that you understand your needs as a, you understand what you need today, what you might need in future, as you might be an organization which has hundreds or even
Again, there are different options to do that, but we need to adjust to that changing world we are servicing out there. And then maybe a more tactical question to the end. So we have still a few open questions, but I think at the address of the finalists, pick, the pick one last question.
So, so can my virtual machines, Linux and Windows, in Azure log in using Azure AD? So, fairly technical question. They can, they can, yeah. There is a, so a lot of those we'll use, they, they do a browser-based login so that they can do more and more of a modern, modern authentication scenarios and, and log into your Azure AD. And then also Azure virtual machines, both Windows and Linux, they actually support Azure native authentication.
And we, and you can control who can log into which machines using Azure RBAC. For this, you plug in, you add a plug-in like SSSD and you point it back to an LDAP virtual directory like empowerID, which can, can, can broker that authentication. Okay. Perfect.
Patrick, thank you very much for all the answers. Thank you to all attendees for listening to this KuppingerCole webinar and all the questions you asked. It's always very, very good if you have a lot of questions. Today we have, we will follow up on questions we didn't have the time to answer separately, and hope to see you soon in one of our upcoming KuppingerCole live events, webinars, and all the others. Stay well, and have you back in one of our webinars soon again. Thank you.