Sue Bohn, Author at Microsoft Security Blog (http://approjects.co.za/?big=en-us/security/blog), feed generated Wed, 15 Nov 2023 19:25:43 +0000

Discover Microsoft Security solutions for SLTT government grant readiness
http://approjects.co.za/?big=en-us/security/blog/2022/10/27/discover-microsoft-security-solutions-for-sltt-government-grant-readiness/
Thu, 27 Oct 2022 16:00:00 +0000
Products and solutions from Microsoft can help state, local, and territorial governments improve their cybersecurity and secure federal grant funding.

The post Discover Microsoft Security solutions for SLTT government grant readiness appeared first on Microsoft Security Blog.

As part of the Bipartisan Infrastructure Law, also known as the Infrastructure Investment and Jobs Act of 2021, the United States federal government announced a cybersecurity grant program for state, local, territorial, and tribal (SLTT) governments to fund allocation of USD1 billion over the next four years for the improvement and creation of cybersecurity programs. The Department of Homeland Security will implement the grant program, with the Cybersecurity and Infrastructure Security Agency (CISA) serving as subject matter experts and the Federal Emergency Management Agency (FEMA) administering the funds.

To qualify for funding, the following strategic elements are required to be included in Cybersecurity Plans, based upon the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF):

  • Implement multifactor authentication (MFA).
  • Implement enhanced logging.
  • Data encryption for data at rest and in transit.
  • End the use of unsupported or end-of-life software and hardware that are accessible from the internet.
  • Prohibit the use of known, fixed, or default passwords and credentials.

SLTT governments have many options across a variety of vendors for the products and solutions that meet the above criteria. It is essential to have a detailed plan and well-structured strategy to advance applications for federal funding. In support of these efforts, we want to call attention to the following offerings from Microsoft that can help SLTT governments make their case for federal funding in these key areas.

Implement multifactor authentication

Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra, offers an array of MFA methods, be it in the form of a single multifactor authenticator or the form of two single-factor authenticators (read the full list of supported multifactor authentication methods). To set the bar higher, SLTT governments can further strengthen their MFA and enforce the use of phishing-resistant MFA using Azure AD certificate-based authentication, FIDO2 security keys, Conditional Access Authentication Strengths, or Windows Hello for Business. Products like Microsoft Intune can make it easy to configure Windows Hello for Business, supporting your organization’s move to MFA. Azure AD’s External Identities cross-tenant access settings are an ideal way to securely collaborate with external users coming from other Azure AD organizations and other Microsoft Azure clouds. Cross-tenant access settings give you granular control over how external users from other Azure AD organizations collaborate with you (inbound access) and how your users collaborate with other Azure AD organizations (outbound access). These settings also let you trust MFA and device claims (compliant claims and hybrid Azure AD joined claims) from other Azure AD organizations.

Implement enhanced logging

Microsoft Sentinel provides capabilities to centralize log data from other software and systems to track incidents and events across the enterprise. An expansive hub of rich integrations allows for the ingestion, enrichment, and delivery of log data, including cloud access security broker, identity, endpoint, network and operational technology (OT) security, and IT capabilities with bi-directional integrations. Archived logs allow for the storage of data for up to seven years to meet compliance requirements.

For Windows devices, you can collect diagnostic logs remotely and without interrupting the user with Microsoft Intune by device or in bulk.  

Data encryption for data at rest and in transit

Data at rest encryption for Microsoft 365 provides Customer Key-based encryption across multiple Microsoft 365 workloads. Tenant administrators can configure a single data encryption policy using customer-managed keys and assign it to the tenant. Once assigned, the tenant-level encryption policy starts encrypting all customer data for multiple Microsoft 365 workloads.

With Microsoft Purview Advanced Message Encryption, you can control sensitive emails shared outside the organization with automatic policies. You configure these policies to identify sensitive information types, such as personally identifiable information, financial, or health IDs, or you can use keywords to enhance protection. Once configured, you can pair policies with custom-branded email templates and then add an expiration date for extra control of emails that fit the policy.  

Microsoft Intune also helps you enforce data protection on your devices to be compliant with your organization’s policies. This combined with Conditional Access policies helps verify that when data leaves your organization, it can only go to compliant devices that are encrypted and meet the standards defined by your organization (including data-at-rest protection). Intune also can configure and enforce encryption on Windows endpoints with BitLocker specifically and require encryption across the mobile device landscape.

Prohibit use of known, fixed, or default passwords and credentials

SLTT governments are required to change password policies that are proven ineffective, such as complex passwords that are rotated often. This includes the removal of the requirement for special characters and numbers, along with time-based password rotation policies. Instead, consider doing the following:

  • Use password protection to enforce the blocking of a common list of weak passwords that Microsoft maintains. You can also add custom banned passwords.
  • Use self-service password reset to help users reset passwords as needed, such as after an account recovery or credential compromise.
  • Use Azure AD Identity Protection to be alerted about compromised credentials so you can take immediate action.
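To make the first bullet concrete, here is a small checker, added as an illustration and not Microsoft's code, that does what the list recommends: it ignores character classes and password age and instead normalises the candidate and scores it against a global banned list plus a tenant's custom list. The lists, the substitution map and the 5-point threshold are constructed for the example, loosely following Microsoft's published description of how Azure AD Password Protection scores a password.

```python
"""Banned-password evaluation in the spirit of Azure AD Password Protection.
Added example, not Microsoft's code. The global and custom lists and the
sample inputs are constructed; the scoring idea (normalise, strip banned
terms, count what is left, accept at 5 points) follows Microsoft's published
description of its algorithm, simplified and without its fuzzy matching."""
from dataclasses import dataclass

# Common substitutions undone during normalisation (0->o, 1->l, $->s, @->a, 3->e).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a", "3": "e"})

# Constructed stand-in for the global list of weak passwords Microsoft maintains.
GLOBAL_BANNED = {"password", "welcome", "summer", "letmein", "qwerty", "blank"}
# Constructed custom list a tenant would add: its own name, city, products.
CUSTOM_BANNED = {"contoso", "statecity", "govnet"}


@dataclass
class Verdict:
    accepted: bool
    score: int
    matches: list


def normalize(password: str) -> str:
    """Lowercase and undo the substitutions users rely on to sneak a banned
    word past a checker (P@ssw0rd -> password)."""
    return password.lower().translate(SUBSTITUTIONS)


def evaluate(password: str, min_score: int = 5) -> Verdict:
    """Score a candidate: each banned term found is 1 point, each character
    left after removing those terms is 1 point; accept at min_score or more.
    Character classes and password age are deliberately not considered."""
    remaining = normalize(password)
    matches = []
    # Longest terms first so a long term is not eaten by a shorter one.
    for term in sorted(GLOBAL_BANNED | CUSTOM_BANNED, key=len, reverse=True):
        if term in remaining:
            matches.append(term)
            remaining = remaining.replace(term, "", 1)
    score = len(matches) + len(remaining)
    return Verdict(accepted=score >= min_score, score=score, matches=matches)
```

A passphrase with no banned content passes on length alone, while "C0ntos0Blank12" collapses to two banned terms plus two characters and is rejected.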

How Microsoft Security solutions help support grant applicants

The products mentioned are several suggested offerings of which SLTT governments can take advantage when considering their applications for federal cybersecurity grant funding. For further information on other required elements and how Microsoft solutions map to the NIST CSF, organizations can read the US Cybersecurity Grant Readiness Assessment and Microsoft Technical Reference Guide.

Microsoft partners with governments around the world to ensure the safety and integrity of their critical systems. We are committed to assisting our SLTT government customers in improving the state of cybersecurity for their regions and the people they serve.

Additional resources for SLTT customers: 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

MVP Health Care secures member portal access with Microsoft Azure Active Directory B2C
http://approjects.co.za/?big=en-us/security/blog/2021/11/23/mvp-health-care-secures-member-portal-access-with-microsoft-azure-active-directory-b2c/
Tue, 23 Nov 2021 17:00:47 +0000
With Microsoft Azure Active Directory B2C, MVP Health Care securely offers the right access to members seeking to use the organization’s information portal.

Hello! I’m Sue Bohn, Microsoft Vice President of Program Management for Identity and Network Access. In today’s Voice of the Customer blog post, Chief Technology Officer and Chief Information Security Officer David Swits of MVP Health Care shares how Microsoft Azure Active Directory B2C, part of Microsoft Entra, helped the organization modernize and simplify portal authentication.

MVP Health Care modernizes and simplifies the way members gain access to health plan information

As both Chief Technology Officer and the Chief Information Security Officer at MVP Health Care, I believe you must design your technology solutions with security as the foundation and then overlay the functionality. When building online portals to be accessible to four groups—individual members, employers, healthcare providers, and brokers—MVP Health Care prioritized security as much as ease of use and the user experience (UX). After all, stolen healthcare data is highly prized by cybercriminals, and we have a duty to protect members’ information.

MVP Health Care is a regional, not-for-profit health plan with 700,000 members and 1,700 employees in New York and Vermont. When I joined in 2018, the company was eight to nine years behind on technology. Our objective was to embark on digital transformation so the company could more easily and efficiently serve our constituents. As a Microsoft-first organization, that meant turning to Microsoft technology as we reinvented our infrastructure and replaced our traditional authentication methods with Azure Active Directory (Azure AD) External Identities for B2C user journeys.

The technology running previous portals was antiquated and cumbersome

Comparing healthcare plans can be confusing. We knew we had data that could make it easier. To do that, our portals needed to cut through complexity and deliver the right content for each constituent group.

The old portals—fueled by the IBM WebSphere Application Server—were cumbersome to use and support. MVP Health Care developers sometimes had to go through the back-end to fix an account. No back-end identity process existed to authenticate people who needed to access a portal, so anyone could create an identity for anyone.

Partner Edgile becomes an extension of MVP Health Care’s team

We considered augmenting what we already had with biometrics features, but those plugins didn’t mesh well with our infrastructure. In 2018, we brought on Edgile as a partner and shared our Zero Trust security approach—assuming breach and giving people the least privileged access possible. With extensive knowledge of Azure AD B2C, Edgile designed the identity infrastructure around the new portal and trained our team on best practices.

Edgile built B2C custom policies with user flows, such as seamless single sign-on and self-service password reset. Single sign-on lets people access all their apps after signing in once, while self-service password reset enables people to unlock or reset their passwords without the help desk. To preserve the user accounts from MVP’s previous identity provider, Edgile designed a migration path for users to move to Azure AD B2C the first time they signed in.
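The first-sign-in migration path described above, reconstructed as an added example (not Edgile's or Microsoft's code): accounts are pre-created in the new directory flagged as needing migration, and the only moment the legacy credential can be verified and re-hashed is when the user types it. The LegacyIdp and NewDirectory classes and the PBKDF2 hashing are stand-ins assumed for the example.

```python
"""Just-in-time migration of accounts from a legacy identity provider into a
new directory on first sign-in. Added example, not Edgile's or Microsoft's
code: both stores are in-memory stand-ins and the password hashing is a
plain PBKDF2 placeholder for whatever each real system uses."""
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LegacyIdp:
    """Stand-in for the previous identity provider (constructed accounts)."""

    def __init__(self, seed: dict):
        self.accounts = {}
        for username, password in seed.items():
            salt = os.urandom(16)
            self.accounts[username] = (salt, _hash(password, salt))

    def verify(self, username: str, password: str) -> bool:
        rec = self.accounts.get(username)
        return rec is not None and hmac.compare_digest(_hash(password, rec[0]), rec[1])


class NewDirectory:
    """Stand-in for the B2C tenant. Accounts pre-created during the bulk step
    carry requires_migration=True and an unusable random secret, so nobody
    can sign in to them until the legacy credential has been confirmed."""

    def __init__(self):
        self.users = {}

    def precreate(self, username: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt,
                                "hash": _hash(os.urandom(32).hex(), salt),
                                "requires_migration": True}

    def set_password(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _hash(password, salt),
                                "requires_migration": False}

    def verify(self, username: str, password: str) -> bool:
        u = self.users.get(username)
        return (u is not None and not u["requires_migration"]
                and hmac.compare_digest(_hash(password, u["salt"]), u["hash"]))


def sign_in(username: str, password: str, new_dir: NewDirectory, legacy: LegacyIdp):
    """Returns (success, outcome). The legacy store is consulted only while the
    account is still flagged; after one successful migration the account is
    served from the new directory alone and the flag is cleared."""
    user = new_dir.users.get(username)
    if user is None:
        return False, "unknown_user"
    if user["requires_migration"]:
        if not legacy.verify(username, password):
            return False, "legacy_rejected"
        # Plaintext is available only now; re-hash it under the new scheme.
        new_dir.set_password(username, password)
        return True, "migrated"
    if new_dir.verify(username, password):
        return True, "local"
    return False, "rejected"
```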

Microsoft provided feature previews to Edgile and worked with an MVP Health Care developer to port the UX designs into the HTML, JavaScript, and cascading style sheets (CSS) to refine the experience. A collection of Azure functions and a .NET Core RESTful web application from Edgile helped maintain data synchronization and the execution of complex operations.

“Edgile teamed up really well with MVP Health Care expertise in identity management including external identity management. We started first with a strategy that was followed by a successful quickstart/proof of concept that led to the broader implementation.”—Tarun Vazirani, Edgile Account Partner

Custom policies help create user journeys

MVP Health Care leveraged the custom policies, which are configuration files that define the behavior of MVP’s Azure AD B2C tenant user experience. While user flows are predefined in the Azure AD B2C portal for the most common identity tasks, a custom policy can be edited by an identity developer to be fully configurable and policy-driven. It orchestrates trust between entities in standard protocols, including OpenID Connect, OAuth, and SAML, and a few non-standard ones like REST API–based system-to-system claims exchanges. The framework creates user-friendly, white-labeled experiences to:

  • Federate with other identity providers.
  • Address first- and third-party multifactor authentication challenges.
  • Collect user input.
  • Integrate with external systems using REST API communication.

Each user journey is defined by a policy. One can build as many or as few policies as required for the best user experience.


Figure 1: Microsoft’s identity experience framework.

A more unified and streamlined customer experience

Three portals have launched—with the provider portal expected to go live soon. Members appreciate the simpler, modern way they access their portal.

We now have modern authentication that integrates with modern technology. We can easily connect to Google, Facebook, and other verification methods. The experience is familiar for MVP Health Care’s constituents because it’s the same as the graphical interface they see elsewhere.

Together, all the features of Azure AD add huge value. Azure AD multifactor authentication and Conditional Access support Zero Trust’s baseline security. We’re audited on how well we protect confidential information. Multifactor authentication requires identity verification, such as entering a code sent to a phone. Conditional Access policies are if-then statements for how someone gains access.

On launch day, I tested the capabilities of Azure AD B2C and the new portals. I’ll never forget that feeling of knowing we’d chosen our technology wisely. It was slick. It was effective. It was fast. And it’s been an incredible asset for our organization ever since.

Voice of the Customer: Looking ahead

Many thanks to David for sharing MVP Health Care’s story. Our customers have told us how valuable it is to learn from their peers. The Voice of the Customer blog series is designed to share our customers’ security and implementation insights more broadly. Bookmark the Microsoft Security blog so you don’t miss the next in this series!

To learn more about Microsoft Security solutions visit our website. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Medius’ small IT team supports distributed workforce with Azure Active Directory
http://approjects.co.za/?big=en-us/security/blog/2021/03/22/medius-small-it-team-supports-distributed-workforce-with-azure-active-directory/
Mon, 22 Mar 2021 16:00:02 +0000
How can a small IT team do more with less? Medius, which develops cloud-based spend management solutions, shares its Azure Active Directory story with Microsoft.

In today’s Voice of the Customer blog post, IT Manager Jacob Andersson and IT Systems Architect Fredrik Frööjd of Medius share how Azure Active Directory (Azure AD) has inspired employees to live by the cloud commitment the company encourages from customers and helped their small team support a remote workforce with fewer resources. Atea, one of our Azure AD system integration partners, played a key role in this effort.


Securing a remote workforce with fewer resources with Azure Active Directory

At Medius, we develop cloud-based spend management solutions, including the accounts payable workflow solution Medius AP Automation, formerly known as MediusFlow (Microsoft offers an online tutorial on configuring Medius AP Automation for automatic user provisioning). We’re one of the largest Microsoft partners in the Nordics to build and offer an entire solution in Azure. Because we advocate the value of cloud for customers, we decided it was fitting to turn to the cloud solution offered by Azure AD to meet our identity requirements.

Providing a fully remote work environment

Our 3,500 customers typically want to restrict access to their financial documents by title or division. Since most have more than 200 employees, it would be cumbersome to manually set access for each employee. Being able to assign users through Azure AD using known Microsoft protocols is a big selling point of our spend management solution.

We can relate to our customers’ need for secure authentication in systems and applications; it’s important to us too. While headquartered in Sweden, Medius has offices in eight other countries and our employees work from across the globe. Teams are both distributed and virtual. It’s not unusual for project meetings with customers to include Medius employees from three countries. We’ve prioritized providing a fully remote environment, in part because the consulting nature of our business requires that some employees travel to customer sites.

That fully remote experience extends to offboarding. When employees leave Medius, Azure AD identity and access management makes it easier to abide by our HR processes, which are reviewed by external auditors. Each employee is associated with an active ID. When an employee is offboarded, we can disable accounts and block user access to everything at once from Azure AD.

Freeing up IT time with features and user self-service

As a small IT team, we couldn’t support Medius’ 400 employees without the increased security and high reliability offered by Azure AD. Time savings is among the biggest benefits of using Azure AD for secure management of users and identities. If a partner requires access, Medius can add them as a guest in Azure AD so the external identity is trusted in the Medius internal systems that require it.

Azure AD serves as a trusted source of information that we can depend on in every situation. Rather than navigating islands of systems with unique identities, Azure AD is our single place for everything related to identity management. Because of that, we can help users in any time zone from wherever we’re working. However, users appreciate that the solution is user-friendly, and they can handle some identity tasks themselves. This frees up the IT service desk to focus on other work, and in a growing company, there’s plenty to do.

Users tell us they appreciate the simplicity of single sign-on, which allows them to log in with a single ID and password to SaaS apps like Salesforce, Zuora, Jira, Confluence, DocuSign, and Freshdesk. They also like the flexible integration, ease of use for frictionless workflow, and convenience of Azure AD multifactor authentication, which lets them verify their identity via multiple credentials.

Self-service password reset is another popular feature. We operate in just about every time zone, but our IT team is located in European time zones. Before self-service password reset, it could take as long as two days for an employee to have a password reset by the IT team. Now, employees can reset a forgotten or locked password themselves 24/7 and stay productive.

Connecting during the health crisis

Before the recent healthcare crisis sent employees home, Medius switched from Skype to Microsoft Teams, making it easier for everyone to remotely collaborate and share files. That’s been even more valuable now that in-person meetings are not possible.

Medius is a growing company that has been hiring throughout the crisis. With Azure AD, we can ship laptops directly to the homes of new employees and have them log in remotely using Windows Autopilot, which is a collection of technologies to set up and pre-configure new devices.

Improving processes with support from Atea

Our partner Atea, one of the leading providers of IT infrastructure in the Nordic and Baltic regions, offers a full range of hardware and software from the world’s leading technology companies and a team of consultants. The company played a key role in our effort to migrate apps to Azure AD and ramp up new employees.

Atea has told us that they do a lot of work for their customers when it comes to migrating apps to the cloud, helping them to benefit from the security and time-saving benefits of Azure AD. For instance, the pre-defined instructions on configuring applications in the app gallery facilitate the process of setting up a new integration.

Atea calls the partnership with Microsoft “extremely important” and has appreciated seeing product roadmaps and gaining access to private previews, which help it shape future offerings.

We look forward to sharing our next big successes: the introduction of the Conditional Access feature and a broader rollout of passwordless identity authentication.

Voice of the Customer: Looking ahead

Many thanks to Jacob and Fredrik for sharing the benefits they’ve realized with Azure AD. Our customers have told us how valuable it is to learn from their peers. The Voice of the Customer blog series is designed to share our customers’ security and implementation insights more broadly. Bookmark the Microsoft Security blog Voice of the Customer so you don’t miss the next blog in this series!

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Mattress Firm deployed Azure Active Directory to securely connect Firstline Workers to their SaaS apps and to each other
http://approjects.co.za/?big=en-us/security/blog/2020/02/13/mattress-firm-deployed-azure-active-directory-securely-connect-firstline-workers-saas-apps-each-other/
Thu, 13 Feb 2020 17:00:02 +0000
A connected workforce is fundamental to business. Learn how Azure AD protects Mattress Firm employees’ identities across the business.

Today, we have another interesting story for the Voice of the Customer blog series. Tony Miller and Jon Sider of Mattress Firm deployed Azure Active Directory (Azure AD) to create a secure authentication experience for employees, including their Firstline Workforce. Much like sleep and a good mattress provide the foundation for a productive and enjoyable life, Tony and Jon show how Azure AD provides the secure foundation for a connected omnichannel experience. They were able to cut internal costs, quickly onboard their Firstline Workers, connect their employees to each other, and deliver a better authentication experience.

Read more from Tony and Jon to learn how you can use Azure AD to improve your customer experience.

Azure AD simplifies user provisioning and protects Firstline Workers’ identities

As America’s largest specialty mattress retailer, Mattress Firm aims to deliver a personalized experience to all our customers no matter how they interact with us. An exceptional customer experience requires a connected workplace. When a customer makes a purchase online and then visits a store for a second purchase, our sales associates, or “Firstline Workers,” should understand their full story and total lifetime value. If a customer needs to change the delivery time of a mattress, it should be easy for a customer services rep to contact the driver and reschedule the delivery. These connection points are invisible to the customer but can turn an ordinary interaction into a great one. To help us realize this aspiration, we deployed several Microsoft 365 products—one of which was Azure AD—to securely and simply unite communication across corporate and all the stores.

The foundation of strong cross-company collaboration is secure and simple user authentication. Our sales associates access several different software-as-a-service (SaaS) and on-premises apps to communicate and complete tasks. Many of these apps require a separate account, which meant users signed into multiple accounts throughout the day. We were concerned that some were reusing passwords, opening us up to risk. Our identity team was also overburdened. They were responsible for setting up accounts for each user, updating permissions as needed, and revoking accounts when users left the company. To resolve these challenges, we deployed Azure AD, which allowed us to decrease the size of the identity team, deliver a simpler user access experience to our employees, and gain more visibility into security threats.

Migrated identity and access management from Okta to Azure AD

Before we selected Azure AD, we investigated various identity and access management (IAM) options. We had previously deployed Okta, which fulfilled many of our requirements. However, we were simultaneously increasing our investment in Microsoft 365. We reviewed both Okta and Azure AD and discovered that Azure AD delivers better controls and security for Office 365 and its data than Okta at a much lower cost in addition to single sign-on (SSO) to other applications. At that point it was an easy sell, and we migrated all our users to Azure AD.

Decreased the size of the identity team

We are a large company with over 8,500 employees, stores in 49 states across the country, and 73 distribution centers across the biggest markets. Our physical footprint allows us to deliver a mattress within an hour to 89 percent of the population. Like many retailers, we have a lot of employment churn. Each day, we process between 10 and 100 user identity status changes. Before Azure AD, a team of 12 people was responsible for provisioning the right accounts and access to each user. Twelve people is a large team, but it was required because for each change—whether that was a new hire, a promotion, or someone leaving the company—an identity team member needed to manually grant access or change privileges for them one at a time. This took a lot of time, and it was error prone.

Once we deployed Azure AD and set up automated provisioning, the onboarding process sped up significantly. Today, someone in human resources sets up a new employee in our HR system and within four hours the employee is onboarded to all their accounts. Our Identity Manager was able to redeploy most of the people on the provisioning team to higher priority work. Now there are just two people who manage the environment. We’ve realized a huge cost savings from this transition—about $500,000 per year in hard dollars, but tons of soft costs saved!
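HR-driven provisioning of the kind described above (and the one-step offboarding Medius describes earlier in this feed) rides on SCIM. The following is an added example of the handful of SCIM 2.0 calls a target application must answer for that join/leave flow; it is not Microsoft's or Mattress Firm's code, and the in-memory store and sample user are constructed.

```python
"""Minimal SCIM 2.0 /Users endpoint of the kind the Azure AD provisioning
service talks to when it pushes HR-driven joiner and leaver changes.
Added example, not Microsoft's or Mattress Firm's code; the in-memory store
and the sample requests in run_joiner_leaver() are constructed."""
import uuid
from urllib.parse import parse_qs, urlparse

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def _to_bool(value):
    """Azure AD has sent 'active' both as JSON booleans and as the strings
    "True"/"False"; accept either so a leaver is never left enabled."""
    return value if isinstance(value, bool) else str(value).lower() == "true"


class ScimUserStore:
    """Handles the SCIM calls used for provisioning: GET with a userName
    filter (existence probe), POST to create, PATCH to update or deactivate."""

    def __init__(self):
        self.users = {}  # id -> SCIM resource dict

    def handle(self, method, url, body=None):
        """Dispatch one request; returns (http_status, response_body)."""
        parsed = urlparse(url)
        parts = [p for p in parsed.path.split("/") if p]
        if method == "POST" and parts == ["Users"]:
            return self._create(body)
        if method == "GET" and parts == ["Users"]:
            return self._search(parse_qs(parsed.query).get("filter", [""])[0])
        if method == "PATCH" and len(parts) == 2 and parts[0] == "Users":
            return self._patch(parts[1], body)
        return 404, {"detail": "not found"}

    def _create(self, body):
        # userName must be unique; a second create for the same person is a
        # conflict, which tells the provisioning service to PATCH instead.
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            return 409, {"detail": "userName already exists"}
        user = {
            "schemas": [USER_SCHEMA],
            "id": str(uuid.uuid4()),
            "userName": body["userName"],
            "active": _to_bool(body.get("active", True)),
            "name": body.get("name", {}),
            "emails": body.get("emails", []),
        }
        self.users[user["id"]] = user
        return 201, user

    def _search(self, filter_expr):
        # The service probes with: userName eq "alice@example.gov"
        if not filter_expr:
            hits = list(self.users.values())
        else:
            attr, op, value = filter_expr.split(" ", 2)
            if attr != "userName" or op.lower() != "eq":
                return 400, {"detail": "unsupported filter"}
            value = value.strip('"')
            hits = [u for u in self.users.values() if u["userName"] == value]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(hits),
                     "Resources": hits}

    def _patch(self, user_id, body):
        user = self.users.get(user_id)
        if user is None:
            return 404, {"detail": "no such user"}
        if PATCH_SCHEMA not in body.get("schemas", []):
            return 400, {"detail": "missing PatchOp schema"}
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                continue
            path, value = op.get("path"), op.get("value")
            if path == "active":
                user["active"] = _to_bool(value)
            elif path is None and isinstance(value, dict) and "active" in value:
                # Older payload shape: no path, attributes carried inside value.
                user["active"] = _to_bool(value["active"])
        return 200, user


def run_joiner_leaver():
    """Constructed sequence: hire creates the account, the service probes for
    it, and departure deactivates it with one PATCH (access ends everywhere
    the app trusts SCIM). Returns the final resource."""
    store = ScimUserStore()
    _, created = store.handle("POST", "/Users", {
        "schemas": [USER_SCHEMA], "userName": "alice@example.gov",
        "name": {"givenName": "Alice", "familyName": "Example"}, "active": True})
    _, probe = store.handle("GET", '/Users?filter=userName eq "alice@example.gov"')
    assert probe["totalResults"] == 1
    _, final = store.handle("PATCH", f"/Users/{created['id']}", {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "Replace", "path": "active", "value": "False"}]})
    return final
```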

Figure: Azure AD automated provisioning simplifies the process of provisioning the right access and applications to each user. (Infographic with Azure AD in the middle and Active Directory, Cloud HR, and SCIM surrounding it.)

Delivered a simpler and more secure user access experience

Our users have also benefited from the rollout of Azure AD and automated provisioning. We enabled SSO so users can sign in once and access all the apps they need for work. We integrated Azure AD with about 40 apps, including Workday, Back Office, Salesforce, our VOIP administrator, Citrix, Tools video, Microsoft Dynamics 365, Concur, Tableau, WebEx, our benefits portal, our 401K provider, and all the Office 365 apps. Our employees love the new process. It is now rare that they must use another account to access work apps.

Figure: With Azure AD SSO, users sign in once and have access to all their apps. (Infographic showing apps connected to Azure Active Directory.)

Azure AD has also given us peace of mind. Our customers provide a full set of information when they purchase a mattress from us. They trust us to protect their first-party data. Azure AD offers tools to better safeguard our identities. We control access to the first-party data based on employment status. We also enabled Multi-Factor Authentication (MFA) to Workday and off-premises sign-ins. That means whenever a user attempts to sign in to Workday or if they attempt to access any other system from off-site, we force a second form of authentication. Users get a secure code from the Microsoft Authenticator app, which validates their identity with Azure AD. This significantly reduces our security risk, and employees find it easy to use—a win for everybody.

We also enabled conditional access policies to reduce or block access when sign-in circumstances are risky. For example, Azure AD can evaluate the riskiness of a client app or the location of a user trying to gain access. If the risk is high enough, we can block access or force a password reset to confirm identity. Another good example of our conditional access approach is the leave of absence policy. While users are on a leave, we limit the apps they can access to the ones they really need: Workday and our benefits portal. These flexible, customizable policies strike the right balance between enabling productivity and minimizing our exposure.
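The two paragraphs above describe if-then policies. Here is an added evaluator, not Microsoft's or Mattress Firm's code, that models the policies they mention (Workday MFA, off-site MFA, risk-based block or password reset, the leave-of-absence restriction) together with the combination rule that a block outranks any grant control. The policy fields, signal names and the POLICIES list are assumptions constructed for the example.

```python
"""If-then access evaluation in the style of Azure AD Conditional Access.
Added example, not Microsoft's or Mattress Firm's code. POLICIES is
constructed to mirror the policies the post describes; the real service has
many more conditions and grant controls than are modelled here."""
from dataclasses import dataclass, field
from typing import Optional

RISK_ORDER = ["none", "low", "medium", "high"]


@dataclass(frozen=True)
class SignIn:
    """The signals evaluated per sign-in: who, which app, from where, how risky."""
    user: str
    groups: frozenset
    app: str
    trusted_location: bool
    risk: str = "none"


@dataclass
class Policy:
    name: str
    controls: set                       # {"mfa"}, {"block"}, {"password_change"}
    apps: Optional[set] = None          # None means every app
    exclude_apps: set = field(default_factory=set)
    groups: Optional[set] = None        # None means every user
    off_site_only: bool = False
    min_risk: Optional[str] = None


def applies(p: Policy, s: SignIn) -> bool:
    """True when every condition the policy sets is met by the sign-in."""
    if p.apps is not None and s.app not in p.apps:
        return False
    if s.app in p.exclude_apps:
        return False
    if p.groups is not None and not (s.groups & p.groups):
        return False
    if p.off_site_only and s.trusted_location:
        return False
    if p.min_risk is not None and RISK_ORDER.index(s.risk) < RISK_ORDER.index(p.min_risk):
        return False
    return True


def evaluate(policies, s: SignIn) -> dict:
    """Combine all matching policies: any block wins outright; otherwise the
    user must satisfy the union of the required controls."""
    required, matched = set(), []
    for p in policies:
        if applies(p, s):
            matched.append(p.name)
            required |= p.controls
    if "block" in required:
        return {"decision": "block", "require": [], "policies": matched}
    return {"decision": "grant", "require": sorted(required), "policies": matched}


POLICIES = [
    Policy("MFA for Workday", {"mfa"}, apps={"Workday"}),
    Policy("MFA when off-site", {"mfa"}, off_site_only=True),
    Policy("Block high-risk sign-in", {"block"}, min_risk="high"),
    Policy("Password reset on medium risk", {"password_change"}, min_risk="medium"),
    # On leave: everything blocked except the two apps they genuinely need.
    Policy("Leave of absence", {"block"}, groups={"on-leave"},
           exclude_apps={"Workday", "Benefits portal"}),
]
```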

Figure: Azure AD can evaluate user and location, application, device, and real-time risk before allowing access. (Infographic showing signals—user, location, device, app, real-time risk—being verified as allowed, requiring MFA, or blocked.)

Improved threat visibility

Security doesn’t end with our access policies. Azure AD also provides tools that Security Operations (SecOps) use to better understand security incidents. The Azure AD authentication logs and the Office 365 application access information provide useful insights. We now better understand when users try to access applications with VPNs or from unauthorized networks. This intelligence informs our security strategy and policies.

Azure AD has provided the foundation for a secure and connected employee experience. As we operationalize communication tools like Microsoft Teams, we are confident that the information that employees share is less likely to get compromised. Employees are empowered to work together to meet and exceed customer expectations. We rest easy because our customer data is more secure.

Learn more

I hope you’re able to apply Mattress Firm’s learnings to your own organization. For more tips from our customers, take a look at the other stories in the Voice of the Customer blog series. Also, check out the Mattress Firm case study to see how other Microsoft 365 solutions have helped them improve the customer experience.

Here are several additional resources:

Finally, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Voice of the Customer: Azure AD helps lululemon enable productivity and security all at once for its employees
http://approjects.co.za/?big=en-us/security/blog/2019/01/23/azure-ad-helps-lululemon-enable-productivity-and-security-all-at-once-for-its-employees/
Wed, 23 Jan 2019 17:00:01 +0000
“Not another portal, not another password!” —Learn how lululemon implemented Azure AD for cloud Identity and Access Management, simplifying user access without reducing business flexibility.

Today’s post was written by Sue Bohn, Director of Program Management at Microsoft, and Simon Cheng, who is responsible for Identity and Access Management at lululemon.

Happy New Year and welcome to the next installment of the Voice of the Customer blog series. My name is Sue Bohn and I am the director of Program Management for Identity and Access Management. I’m really excited about our next blog in this series. Last time, we featured The Walsh Group. Today, I am sharing a story from lululemon, who really inspired me to think more broadly about what you can achieve when you step back and look at where you want to go.

Simon Cheng, responsible for Identity and Access Management at lululemon, is today a strong believer that every step towards cloud Identity and Access Management makes you more secure, but that wasn’t always the case. Read on to learn more about lululemon’s experience implementing Azure Active Directory (Azure AD).

Too many apps, too many passwords

At lululemon, our journey to Azure AD began with two overarching business requirements: 1. Secure all our apps and 2. Simplify user access. We knew, based on the typical behavior we’ve seen in the past, that most of our users were likely using the same corporate password across all the apps they use, including the ones we don’t manage. This meant that if even just one of these apps had security vulnerabilities, a hacker could exploit the vulnerability to get into our corporate resources. And we would have no idea! Our security is only as strong as the weakest app being accessed, and, as you can imagine, the challenge was that we had over 300 applications! To protect our corporate resources, we needed to ensure that the authentication process for each app was secure.

Our shadow IT environment wasn’t just a security challenge, it also frustrated our users. Over and over we heard there are “too many portals and too many passwords.” This sentiment drove our second business requirement, which we boiled down to an overriding principle: “Not another portal, not another password.” So, our solution needed to address security and simplify user access without reducing business flexibility. The obvious answer was to consolidate identities, and this quickly led us to Azure AD and Microsoft Enterprise Mobility + Security (EMS). As an Office 365 customer, our users were comfortable and familiar with the Office 365 sign-in experience, and so it was an easy decision. Once we had chosen a solution, our next big task was rolling it out without disrupting our users, which is really where my concern was—would our users embrace it?

Single Sign On (SSO) sells itself

When we began the rollout of Azure AD, our top concern was whether our employees would comply. As it turns out, I had completely underestimated our users, and my concerns came to nothing. Within three months of the Azure AD rollout, our users loved the SSO experience so much that the business units came to us requesting that additional apps get rolled on. Even risk-based Multi-Factor Authentication (MFA), enforced by the Azure AD conditional access policy feature, went more smoothly than I expected. We hardly heard any complaints and had even fewer calls on how to set it up. For highly sensitive apps, such as our financial and HR apps, we followed a recommended approach to enforce MFA at every sign-in. For several other less sensitive apps, we were able to prioritize user experience and protect them with risk-based conditional access rules.

In 2013, we had two apps onboarded: ServiceNow and Workday; now we have over 200! And every single one of our 18,000 users is protected by conditional access and MFA. I am really proud of this accomplishment, as it has enabled higher productivity for our organization while maintaining stronger security, because our employees are actually using it! This experience taught me not to underestimate our users, and I think this is because they are already familiar with security measures, having learned to use them through consumer services such as social media. Had I known this when we started, I would have deployed Azure AD much sooner.

The cloud allowed us to implement more security features faster than we ever could on-premises

Once we had Azure AD deployed, our next project was to implement Azure AD Privileged Identity Management (PIM). Azure AD PIM allows us to enable “just in time” administrative access, which significantly reduces the possibility that our administrative accounts will get compromised. Launching PIM was an eye-opening experience! This is a capability that is typically very labor-intensive and time-consuming to operate.

I am constantly delighted with how fast I can deploy services in the cloud, Azure AD PIM being a prime example. More often than not, the trap I’ve seen organizations fall into is that they plan based on capabilities that exist within solutions rather than what’s needed to secure their users. This is exactly where Azure AD and the cloud win over on-premises solutions. My takeaway has been that it is better to step back and plan what needs to be done for my organization and then just let the cloud services roll in almost automagically. Of course, where there are gaps, I work directly with the Azure AD engineering team!

Just in the last year, we have deployed, from pilot to production:

  1. Azure AD Connect implementation and Self Service Password Reset (SSPR) migration from the old tool (6 weeks)
  2. MFA registration, Azure AD conditional access, and Azure AD Identity Protection (7 weeks)
  3. Microsoft Advanced Threat Analytics (3 weeks)
  4. Group-based licensing (3 days)
  5. Azure Information Protection (8 weeks)
  6. Azure AD Privileged Identity Management (3 days!)
  7. Countless apps (each in a matter of hours!)

Learnings from lululemon

A big thanks to Simon! It is always great to learn from our customers’ deployments. In lululemon’s case, the need to take a step back and develop a plan based on the security goals, rather than a set of capabilities, really hits home. We can always plan something in the confines of what we currently have, but the fact is that new features get rolled out at cloud speed. It is great to see customers like lululemon deploy services in the cloud so quickly and benefit from them. Come back to our Secure blog to check in on our next customer blog and also read some other articles around Identity and Access Management and Zero Trust Networks.

Voice of the Customer: The Walsh Group found that Azure Active Directory gives them a competitive edge http://approjects.co.za/?big=en-us/security/blog/2018/12/11/voice-of-the-customer-the-walsh-group-found-that-azure-active-directory-gives-them-a-competitive-edge/ Tue, 11 Dec 2018 17:00:02 +0000 The Voice of the Customer blog series is designed to help you by sharing stories from real customers who are solving their identity and security challenges using Azure AD.

Today’s post was written by Sue Bohn, director of Program Management at Microsoft, and Peter Vallianatos, director of IT Infrastructure and Security at The Walsh Group, and Phillip Nottoli, director of Enterprise Architecture at The Walsh Group.

Hello!

This is Sue Bohn from the Customer & Partner Success team for the Identity Division. I’m delighted to announce the next post in our Voice of the Customer blog series. This series is designed to help you by sharing stories from real customers who are solving their identity and security challenges using Azure Active Directory (Azure AD). I hope you find valuable insights and best practices that you can apply to your own projects. If you haven’t already, check out the first blog in the series, Voice of the Customer: Walmart embraces the cloud with Azure AD.

This post features The Walsh Group, a large construction company in the United States. The Walsh Group has been with us from the early days in adopting Azure AD. They’ve taken advantage of its capabilities to strengthen access controls, provide more flexibility to users, and reduce the time their help desk spends on password resets. Peter Vallianatos and Phillip Nottoli, directors of IT Infrastructure and Security, provide insights on how they implemented Azure AD to give them a competitive advantage in the general contractor marketplace.

Security is no longer just about firewalls, it’s how we control identity

The Walsh Group is one of the largest construction companies in the United States, with offices and job sites across the country. Like many businesses, we saw identity and security initiatives increase in priority a few years ago. We had recently invested in Office 365, which allowed us to shift much of the responsibility for the uptime of our core productivity suite to Microsoft. It saved us time, but it also meant we would have less control than we were used to. We needed to find a way to manage our identities and shore up security. As an example, we did not have a Multi-Factor Authentication (MFA) solution. On top of that, our help desk was begging us to come up with a solution to reduce the amount of time they spent helping our users reset their passwords.

As we researched solutions to fill our security holes, we had to balance the need for best-in-breed security products with the fact that we have tight budgets and a drive to make economic decisions. It was important that we found tools that would be effective, easy to deploy, and easy to integrate. Historically, well before the Azure days, we viewed Microsoft as a strategic partner. So we quickly zeroed in on the complete Microsoft 365 identity stack, which includes Azure AD, Microsoft Cloud App Security, Microsoft Advanced Threat Analytics, Privileged Identity Management, Azure Advanced Threat Protection, Windows Defender Advanced Threat Protection, Azure Identity Protection, Microsoft Intune, Single Sign-on, and Self-Service Password Reset, among others.

Azure AD conditional access is central to our Zero Trust strategy

Using the Microsoft security stack has also allowed us to begin implementing a Zero Trust strategy. We believe identity is the foundation of our security posture. As a construction company, we have so many locations, creating opportunities for exploitation. We must properly verify identities before we give access. Azure AD conditional access has given us tools to better control access by defining geographical rules and hardware restrictions. As an example, we simply blocked all access from many countries across the world. We could do that because we operate mostly within North America. As Azure AD conditional access matured, we changed our strategy. To support our people that vacation overseas, we’ve been able to build sophisticated rules that consider if a device is Intune managed, hybrid joined, and where the device is located. Combining that rule set with MFA, we’ve been able to safely give our vacationers access to email and other business resources.

Paying attention to the sign-in events, we can adjust our ruleset to further restrict or allow for circumstances that we did not consider. For certain, nearly all the failed sign-in attempts are malicious. It is nice to have that visibility into and control over when and how our networks are accessed.

We bet the farm with Microsoft

We chose to be an early adopter of the Azure AD identity framework. At the time, the tools were just emerging, but we understood the vision, the direction, and Microsoft’s roadmap to get there. Microsoft helped us establish short-, middle-, and long-range plans, and we rely on their security and identity products more and more. We don’t have that level of confidence in, or that kind of relationship with, other vendors. For us, the evidence is clear: we chose the right partner. As a general contractor, this platform has allowed us to remain competitive in our marketplace. Our implementation of Azure AD gives us a competitive advantage that will continue to pay dividends as our cloud strategy grows and we make use of the Office 365 and Azure features. Currently, we have turned our energy towards Microsoft Cloud App Security and operationalizing the Windows Defender Advanced Threat Protection integration across platforms. Already, we are recognizing the value in having all three Advanced Threat Protection products integrated and will continue to fine-tune how we manage it.

Voice of the Customer—looking ahead

Many thanks to Pete and Phil for sharing their journey from on-premises to Azure AD. Our customers have told us how valuable it is to learn from their peers. The Voice of the Customer blog series is designed to share our customers’ security and implementation insights more broadly. Bookmark the Microsoft Secure blog, so you don’t miss the next installment in this series, where our customer will speak to how Azure AD and implementing cloud identity and access management makes them more secure.

Voice of the Customer: Walmart embraces the cloud with Azure Active Directory http://approjects.co.za/?big=en-us/security/blog/2018/10/22/voice-of-the-customer-walmart-embraces-the-cloud-with-azure-active-directory/ Mon, 22 Oct 2018 16:00:31 +0000 Learn how Walmart embraced the cloud with Azure Active Directory.

Today’s post was written by Sue Bohn, partner director of Program Management, and Ben Byford and Gerald Corson, senior directors of Identity and Access Management at Walmart.

Greetings!

I’m Sue Bohn, partner director of Program Management at Microsoft. I’m an insatiable, lifelong learner and I lead the Customer & Partner Success team for the Identity Division. I’m jazzed to introduce the “Voice of the Customer” blog series. In this series, the best of our customers will present their deployment stories to help you learn how you can get the most out of Azure Active Directory (Azure AD). Today we’ll hear from Walmart. I love the convenience of Walmart; where else can you buy tires, socks, and orange juice in one trip?

Walmart teamed up with Microsoft to digitally transform its operations, empower associates with easy-to-use technology, and make shopping faster and easier for millions of customers around the world. But this strategic partnership didn’t just happen overnight. In the beginning, Walmart’s cybersecurity team was skeptical about the security of the public cloud and Azure AD. Ben Byford and Gerald Corson, senior directors of Identity and Access Management at Walmart, share their team’s journey working with Microsoft to embrace the cloud with Azure AD:

Working closely with our Microsoft account team convinced us we could safely write back to on-premises and enable password hash sync

In the beginning, we were willing to feed to the cloud, but at that time we were not comfortable allowing the syncing of passwords to the cloud or write back to on-premises from the cloud. We were skeptical of the security controls. We involved Microsoft in the strategy and planning phases of our initiatives and made slow but steady progress. As we worked with the Microsoft team, representatives were eager to get any and all feedback and to provide it to their product groups. This led to our critical Azure AD enhancement requests being received and solutions being delivered. When we ran into bugs, we were able to troubleshoot issues with the very people who wrote the application code. Our Microsoft account team was right there with us, in the trenches, and they were committed to making sure we were confident in Azure AD’s capabilities. Over time, as we learned more about Azure AD and the new security features we were enabling, our trust in Microsoft’s Azure AD security capabilities grew and many of our security concerns were alleviated.

Given our scale, validating and verifying the security capabilities of Azure AD was key to empowering our users while still protecting the enterprise. Walmart currently has over 2.5 million Azure AD users enrolled, and with that many users we need very granular controls to adequately protect our assets. The entire team, including Microsoft, rolled up our sleeves to figure out how to make it work, and together we’ve enabled several features that let us apply custom security policies. Azure Information Protection (AIP), an amazing solution that is only possible with Azure AD, allows us to classify and label documents and emails to better protect our data. Azure AD Privileged Identity Management (PIM) gives us more visibility and control over admins. Azure AD dynamic groups let us automatically enable app access for our users. This is a huge time saver in an environment with over half a million groups. With all of the work we did with Microsoft and our internal security team, we were able to turn on the two features we previously did not think we would be able to—password hash sync and write back from cloud to on-premises. This was critical to our journey, as we had never allowed a cloud solution to feed back into our core environment in this manner.

Driving down help desk calls with self-service password reset

One example that shows how much we trust the security of Azure AD and the cloud is self-service password reset (SSPR). The biggest driver of help desk calls at Walmart is people who get locked out of their accounts because of a forgotten password. It wastes a tremendous amount of our help desk’s time and frustrates associates who lose time sitting on the phone. We believed that letting users reset their passwords and unlock their accounts without help desk involvement would go a long way and improve productivity, but we had always been nervous about giving people who weren’t on Walmart PCs that kind of access. Another hurdle was ensuring that our hourly associates were only able to utilize this service while they were clocked in for work. Microsoft helped us solve this with the implementation of custom controls.

Our Microsoft team supported us the entire way, and we’re proud to say that SSPR is being rolled out. When we started this journey, we would never have believed that we would allow people to reset their passwords from a public interface, but here we are, and the user experience is great!

Engage Microsoft early

If there is one thing we would have done differently, it would be to engage Microsoft at a deeper level earlier on in the process. Our public cloud adoption didn’t really take off until we brought them in and spent time with their backend product engineering teams. Microsoft’s commitment to improving security and the cloud is clear. Their work to safeguard data has continuously improved, and as we work more closely with them, they also continue to incorporate our feedback into future feature releases. It is this relationship that has allowed us to securely implement Azure AD at our scale.

We look forward to sharing our next big success: implementation of Azure AD B2B.

Voice of the Customer: looking ahead

Many thanks to Ben and Gerald for sharing their journey from on-premises to Azure AD. Our customers have told us how valuable it is to learn from their peers. The Voice of the Customer blog series is designed to share our customers’ security and implementation insights more broadly. Bookmark the Microsoft Secure blog so you don’t miss part 2 in this series. Our next customer will speak to how Azure AD and implementing cloud Identity and Access Management makes them more secure.
