{"id":10546,"date":"2023-10-30T08:13:26","date_gmt":"2023-10-30T15:13:26","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=10546"},"modified":"2023-11-07T11:28:25","modified_gmt":"2023-11-07T19:28:25","slug":"managing-user-identities-and-secure-access-at-microsoft","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/managing-user-identities-and-secure-access-at-microsoft\/","title":{"rendered":"Managing user identities and secure access at Microsoft"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"112\" class=\"size-medium wp-image-7498 alignright\" style=\"margin-top: 0px;\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/ms-digital-technical-stories-300x112.png\" alt=\"Microsoft Digital technical stories\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/ms-digital-technical-stories-300x112.png 300w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/ms-digital-technical-stories.png 500w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><em>[Editor\u2019s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we\u2019re republishing it here so you can see what our thinking and experience was like at the time.]<\/em><\/p>\n<p>Managing identities and network access at Microsoft encompasses all the processes and tools used throughout the identity life cycle for employees, supplier staff, and partners. As a cloud-first company, our Microsoft Digital Employee Experience (MDEE) team uses features in the Microsoft Enterprise Mobility + Security suite, powered by Microsoft Azure, along with on-premises identity and access management solutions to enable our users to be securely productive, from anywhere.<\/p>\n<p>We\u2019re on a multi-year journey of transforming into a cloud-first, mobile-first enterprise. Though we operate in a hybrid cloud environment today, we\u2019re moving on-premises identity technologies to the cloud, giving our employees flexibility they need. Plus, application owners can use the power of <a href=\"https:\/\/developer.microsoft.com\/en-us\/graph\/\" target=\"_blank\" rel=\"noopener\">Microsoft Graph<\/a> to effectively manage access to applications and resources.<\/p>\n<p><em>[<a href=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/implementing-strong-user-authentication-with-windows-hello-for-business\/\">See how we\u2019re implementing strong user authentication with Windows Hello for Business<\/a><\/em><em>.\u00a0<a href=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/verifying-identity-in-a-zero-trust-model\/\">Learn more about verifying identity in a Zero Trust model internally at Microsoft.<\/a><\/em>\u00a0<em><a href=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/implementing-a-zero-trust-security-model-at-microsoft\/\">Unpack implementing a Zero Trust security model at Microsoft.<\/a>]<\/em><\/p>\n<h2>Unifying the environment<\/h2>\n<p>To enable a single user identity for authentication and offer a unified experience, we integrated on-premises Windows\u00a0Server Active\u00a0Directory forests with Microsoft Azure Active Directory (Azure AD). Our geographically distributed Active\u00a0Directory environment uses Windows Server 2016. We use Azure\u00a0AD\u00a0Connect and Active Directory Federation Services (AD FS) when an Azure-based application needs user attributes\u2014for example, their location, organization, or job title. User information is available if the service has the right permissions to query for those attributes.<\/p>\n<p>As shown in the image below, our identity and access environment is hybrid, federated, and cloud-synced.<\/p>\n<figure id=\"attachment_10540\" aria-describedby=\"caption-attachment-10540\" style=\"width: 594px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-10540 size-full\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/6556_graphic1.png\" alt=\"A diagram that illustrates how our identity and access environment is hybrid, federated, and cloud-synced.\" width=\"594\" height=\"334\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/6556_graphic1.png 594w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/6556_graphic1-300x169.png 300w\" sizes=\"(max-width: 594px) 100vw, 594px\" \/><figcaption id=\"caption-attachment-10540\" class=\"wp-caption-text\">A high-level overview of the Microsoft identity and access environment.<\/figcaption><\/figure>\n<p>The Microsoft identity environment includes:<\/p>\n<ul class=\"c-list\">\n<li>131,300 employees<\/li>\n<li>303,000 global identities<\/li>\n<li>488,000 partner identities<\/li>\n<li>10,400 privileged identities that have some level of elevated access<\/li>\n<li>15 million authentication requests per month<\/li>\n<li>1.6 million cloud applications\u201499 percent of our apps\u2014using Azure Active Directory (Azure AD)<\/li>\n<li>3,000 applications using Active Directory Federation Services (AD FS)<\/li>\n<\/ul>\n<h3>Microsoft Azure Active Directory Connect<\/h3>\n<p>Microsoft Azure Active Directory Connect integrates on-premises directories with Microsoft Azure Active Directory. It gives users a single identity in Office\u00a0365, Azure, and software as a service (SaaS) applications that are integrated with Azure AD. Azure AD Connect consists of three main components:<\/p>\n<ul class=\"c-list\">\n<li><strong>Synchronization services.<\/strong> Microsoft Azure AD Connect sync services creates users, groups, and other objects. It makes sure that the on-premises identity for users and groups matches the cloud identity.<\/li>\n<li><strong>AD Federation Services.<\/strong> Federation is an optional part of Microsoft Azure AD Connect that\u2019s used to configure hybrid environments using an on-premises AD FS infrastructure. It supports single sign-on and enforces Active Directory sign-on policy with smart card or third-party, multifactor authentication.<\/li>\n<li><strong>Health Monitoring.<\/strong> Microsoft Azure AD Connect Health offers a central location in the Microsoft Azure portal to monitor system health.<\/li>\n<\/ul>\n<h3>Enabling identity models in Microsoft 365<\/h3>\n<p>Microsoft 365 supports <a href=\"https:\/\/support.office.com\/en-us\/article\/Understanding-Office-365-identity-and-Azure-Active-Directory-06a189e7-5ec6-4af2-94bf-a22ea225a7a9\" target=\"_blank\" rel=\"noopener\">three identity models<\/a> that support a variety of identity scenarios. Depending on how you manage identities, you can use a cloud identity model, federated identity model, or the synchronized identity model.<\/p>\n<p>We use the federated model where we synchronize on-premises directory objects with Microsoft 365 and manage our users on-premises. The users have the same password on-premises and in the cloud, and they do not have to sign in again to use Microsoft 365. The user password is verified by AD FS\u2014the password hash doesn\u2019t need to be synchronized to Microsoft Azure\u00a0AD, and the user doesn\u2019t have to sign in again to use Microsoft 365.<\/p>\n<h2>Enabling users<\/h2>\n<p>Every employee, supplier staff, or partner that needs access to the corporate network receives an email address to sign in to their primary account. That primary account is synced to Microsoft Azure AD and gives the user access to corporate resources, Microsoft\u00a0365, Microsoft SaaS, and corporate business unit and third-party SaaS and platform as a service (PaaS) applications (such as apps for expenses or travel).<\/p>\n<h3>Strong authentication<\/h3>\n<p>We require multifactor authentication to verify a user\u2019s identity before giving them access to corporate resources when they\u2019re not connected to the corporate network. People use multifactor authentication in a few ways, including certificate-backed virtual and physical smart cards, Windows Hello for Business with PIN or biometric sign in, and Microsoft Azure\u00a0Multi-Factor Authentication (MFA) that uses a phone or the Microsoft Authenticator app. On domain-joined devices that we manage, multifactor authentication has become almost transparent to users.<\/p>\n<p>Currently, the use rate for each authentication method is approximately:<\/p>\n<ul class=\"c-list\">\n<li>Certificate-based using virtual or physical smart cards\u201421 percent.<\/li>\n<li>Windows Hello for Business\u201425 percent.<\/li>\n<li>Microsoft Azure MFA using phone authentication or an authenticator app\u201454 percent.<\/li>\n<\/ul>\n<h4>Certificate-based<\/h4>\n<p>For many years, certificated-based physical and virtual smart cards were the main method of multifactor authentication. As the other options have been enabled, smart card use has been declining.<\/p>\n<h4>Windows Hello for Business<\/h4>\n<p>With the deployment of Windows 10 and Windows 11, we enabled <a href=\"https:\/\/www.microsoft.com\/itshowcase\/Article\/Content\/756\/Implementing-strong-user-authentication-with-Windows-Hello-for-Business\">Windows Hello for Business<\/a>, which can replace passwords with strong two-factor authentication that combines an enrolled device with a PIN or biometric (fingerprint or facial recognition) to sign in. Windows Hello was easily implemented within our existing identity infrastructure, by extending certificates to include the use of a PIN or biometrics as an enterprise credential; plus, it allows remote access. Users can sign in to their Microsoft account, an Active Directory account, or an Azure AD Premium account.<\/p>\n<h4>Microsoft Azure MFA<\/h4>\n<p>Although Windows Hello has become the preferred method for our Windows 10 and Windows 11 domain-joined devices, we support access using mobile platforms such as iOS and Android. Microsoft Azure MFA is the best solution for securing our users and data on these platforms, and it integrates seamlessly with our existing AD FS infrastructure.<\/p>\n<h3>Enabling partner access<\/h3>\n<p>For Microsoft partners, we\u2019ve started using <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/mt715805.aspx\" target=\"_blank\" rel=\"noopener\">Microsoft Azure Active Directory business-to-business (B2B) collaboration<\/a>. Microsoft Azure AD B2B collaboration make it easier to enable single sign-on access to Microsoft extranet applications and collaboration spaces.<\/p>\n<p>Invitation lists are created using manually exported lists in the form of comma-separated value (.csv) files. We\u2019re working on automating the process to reduce the potential for error and increase our speed.<\/p>\n<h3>Enabling mobile access<\/h3>\n<p>As a cloud-first company, many of our corporate resources are in the cloud. People can use multifactor authentication to securely access their work from anywhere. To enable mobile access to on-premises resources, we use a couple of remote access solutions:<\/p>\n<ul class=\"c-list\">\n<li>We help ensure the security of cloud resources and remote access at Microsoft by validating who the user is through multifactor authentication.<\/li>\n<li>We check system health to ensure that the user accesses corporate resources on a device that\u2019s managed through System Center Configuration Manager or Microsoft Intune, and that the device has all the latest updates installed.<\/li>\n<\/ul>\n<p>We introduced Conditional Access in a Windows 10 update and are continuing its use with Windows 11. To help ensure that users sign in from a healthy device with strong authentication, we also configure device management policies for remote access.<\/p>\n<h3>Role and user attribute access roles<\/h3>\n<p>We\u2019ve started to implement role-based and user attribute\u2013based access. We created a couple of dynamic groups that set up parameters for variable access to resources based on device, location, and type of user. We\u2019ve focused on large user categories\u2014such as employees and supplier staff\u2014but we\u2019re working on adding more specific roles.<\/p>\n<h3>Self-service<\/h3>\n<p>Cloud services gave us the ability to introduce more self-service capabilities for identity and access management. These services have helped reduce manual administrative tasks and Helpdesk support calls for help with password and identity management changes.<\/p>\n<ul class=\"c-list\">\n<li><strong>Password management.<\/strong> Microsoft employees can change their passwords using an internal, cloud-based, self-service password management solution. We integrated Azure MFA, including verification with a phone call or mobile app, as part of the process. Users are prompted to answer verification questions when they change a password. When users need to change their password, they do so without calling Helpdesk.<\/li>\n<li><strong>Security and distribution group management.<\/strong> Tools like Microsoft 365 Teams help users manage their teams without going through an administrator or Helpdesk to create and manage their groups. Group owners can set up access policies to user groups rather than individual.<\/li>\n<li><strong>Microsoft Azure AD Join.<\/strong> At Microsoft, we support bring your own device (BYOB) scenarios; many employees do part of their work on their personal device. In Windows 10 and now in Windows 11, our users can add an Azure AD account, and their device will be enrolled in mobile device management through Microsoft Intune.<\/li>\n<\/ul>\n<h2>Managing the service<\/h2>\n<p>To manage on-premises and cloud identity services and enable day-one productivity for new users, we use established processes for provisioning and deprovisioning user identities, and to monitor and audit account usage.<\/p>\n<h3>User account life cycle management<\/h3>\n<p>User account life cycle management includes all processes for provisioning and deprovisioning user identities for both full\u2011time employees (FTEs) and supplier staff. New identities are created in our accounts provisioning system and in Active\u00a0Directory. After an account is created, user sync enables it in Microsoft Azure AD. Account provisioning is the same for both FTE and supplier staff identities, but they are granted different levels of access. For example, by default, FTEs are granted remote access, but it\u2019s granted for supplier staff only upon manager approval.<\/p>\n<h4>Provisioning<\/h4>\n<p>To provision an active user account:<\/p>\n<ol class=\"c-list\">\n<li>A business manager or Human Resources employee submits a provisioning request, which includes information such as the legal name of the user, the domain, their physical location, and if they have an office number or are a mobile worker.<\/li>\n<li>After the request is submitted, the data is consumed by SAP, which generates a unique employee ID number for each person. New employee data automatically goes through the SAP web service to the accounts provisioning service.<\/li>\n<li>The accounts service receives the employee ID from the SAP web service, with an action to provision the user account. We create the user identity, alias, and a temporary password. We also create the mailbox where the mailbox object is stamped in Active Directory.<\/li>\n<li>The user employee ID number and provisioned alias are provided as a key pair back to the SAP web service.\n<ul class=\"c-list\">\n<li>SAP publishes the data through an HC01 feed, which gives the user identity access to Human Resources productivity sites, including finance and benefits.<\/li>\n<li>In parallel, the accounts service sends account details (alias, temporary password, and mailbox) to the manager, sponsors, and other designated recipients identified in the original provisioning request.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<h4>Deprovisioning<\/h4>\n<p>When we receive a deprovisioning request from a business manager or Human Resources, we terminate and disable the user account from corporate access, including alternate and elevated access credentials. We reset the user\u2019s network password and disable remote access, Office Web Access, and Skype for Business.<\/p>\n<h4>Automating our processes<\/h4>\n<p>For the past several years, we\u2019ve automated our core service scenarios to help ensure an active user account is provisioned before an employee\u2019s start date, so employees will be productive on their first day. This includes provisioning scenarios for new hires, rehires, new supplier staff, and supplier staff to FTE conversions. We plan to automate additional post-provisioning activities, such as renaming aliases, domain moves, and remote access requests. We also plan to migrate the service to a third-party platform that will provide increased efficiency, integration, and provide more identity-related self-service capabilities.<\/p>\n<h3>Auditing and monitoring<\/h3>\n<p>Auditing identities is like other services\u2014we collect event types in our central log management system. For monitoring identity events, we coordinate with the engineering team to define use cases and the monitoring conditions that would alert us. Those correlated conditions could come from any of the different monitoring pipelines, including Microsoft\u00a0Cloud App Security.<\/p>\n<p>Network monitors and endpoint monitoring, like Windows Defender Advanced Threat Protection (ATP), feed in to our security and information event management (SIEM) solution. When we get an alert, the service operations team determines whether the alert is valid and if it needs to be opened for investigation. If we determine that it\u2019s a real alert, we use the information in the SIEM and in the Defender ATP console to begin investigating. Depending on the severity of the alert, it could be escalated to the incident response team, the legal department, or even law enforcement.<\/p>\n<p>To help us deal with the number of alerts, we use a third-party behavioral analytics tool that helps reduce event noise and helps us better identify real events.<\/p>\n<h2>Cloud-enabled protection<\/h2>\n<p>Our traditional approach was to protect all the assets on the corporate network. Because we\u2019ve moved most of our assets to the cloud, we now focus on security at the user level. We do that by introducing better user and admin accountability with security and governance, including:<\/p>\n<ul class=\"c-list\">\n<li>Controlling access to resources.<\/li>\n<li>Requiring strong user authentication.<\/li>\n<li>Responding to advanced threats by monitoring for specific risk-based scenarios.<\/li>\n<li>Mitigating administrative risks.<\/li>\n<li>Governance of on-premises and cloud identities.<\/li>\n<\/ul>\n<h3>Using privileged identities to manage elevated access<\/h3>\n<p>Privileged identity management is an important part of a larger effort within Microsoft Digital to secure high-value corporate assets. Of the roughly 303,000 identities that we manage, approximately 10,000 on\u2011premises and 400 Microsoft Azure\u00a0AD users need elevated access to data and services. We have other tools and a process for the subset of users that have administrative\u2014or elevated\u2014access to data and services at Microsoft.<\/p>\n<p>One important way we protect elevated access accounts is through just in time (JIT) access. Rather than have separate credentials or a persistent admin session, JIT elevates access for a specific duration. Access expires at the end of that time.<\/p>\n<p>We also protect elevated accounts by requiring on-premises admins to sign in on secure access workstations, and we plan to expand that requirement to cloud admins.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"74\" class=\"alignnone size-medium wp-image-7448\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/key-takeaways-300x74.png\" alt=\"Key Takeaways\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/key-takeaways-300x74.png 300w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/key-takeaways.png 500w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><br \/>\nAs our identity and access management solution has evolved, we\u2019ve discovered a few best practices, including:<\/p>\n<ul class=\"c-list\">\n<li>If your Human Resources systems are primarily on-premises, you can use a hybrid approach to create user identities in Active Directory and sync them to the cloud.<\/li>\n<li>Assess your environment honestly to determine how to best use the cloud to reduce complexity for on-premises process points. Migrating to the cloud offers an opportunity to reassess existing processes and identify ways that the cloud can make your identity infrastructure more efficient. The scalability of Azure solutions offer advantages that can help modernize processes and technology dependencies.<\/li>\n<li>Identity is the new security perimeter. Azure provide the ability through it&#8217;s security products to help protect those identities much more effectively than traditional network\/datacenter monitoring.<\/li>\n<\/ul>\n<p>As for our future, we\u2019re exploring other changes to identity management, including eliminating time-bound password expiration by moving to a system where passwords stop working only when triggered by specific risks or user behaviors.<\/p>\n<p>Beyond that, we look forward to a future where our identities are in the cloud and there are no passwords. Within the next few years, we hope to move to a purely cloud-based service model, rather than our current, cloud-enabled state. Windows Hello for Business was our first step toward a future where biometrics replace passwords.<\/p>\n<p>Also, we\u2019re deploying Azure Information Protection at Microsoft. Azure Information Protection integrates with cloud identities to help protect corporate data. We continually look for ways that we can be more efficient as we move to cloud-only solutions for identity and access management.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"81\" class=\"alignnone size-medium wp-image-7482\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/related_links-300x81.png\" alt=\"Related links\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/related_links-300x81.png 300w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/related_links.png 500w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<ul class=\"c-list\">\n<li><a href=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/implementing-strong-user-authentication-with-windows-hello-for-business\/\">See how we&#8217;re implementing strong user authentication with Windows Hello for Business.<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/verifying-identity-in-a-zero-trust-model\/\">Learn more about verifying identity in a Zero Trust model internally at Microsoft.<\/a><\/li>\n<li>\u00a0<a href=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/implementing-a-zero-trust-security-model-at-microsoft\/\">Unpack implementing a Zero Trust security model at Microsoft.<\/a><\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-12081 size-full\" style=\"margin-top: 15px;\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/Customer-Survey-580x85-1.png\" alt=\"We'd like to hear from you!\" width=\"580\" height=\"85\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/Customer-Survey-580x85-1.png 580w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/Customer-Survey-580x85-1-300x44.png 300w\" sizes=\"(max-width: 580px) 100vw, 580px\" \/><br \/>\n<a href=\"https:\/\/forms.office.com\/r\/czbs6PptPe\" target=\"_blank\" rel=\"noopener\">Please share your feedback with us\u2014take our survey and let us know what kind of content is most useful to you.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[Editor\u2019s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we\u2019re republishing it here so you can see what our thinking and experience was like at the time.] Managing identities and network access at Microsoft encompasses all the processes and tools used throughout the identity&#8230;<\/p>\n","protected":false},"author":133,"featured_media":10543,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[1],"tags":[361,407,95],"coauthors":[646],"jetpack_publicize_connections":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.8 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Managing User Identities &amp; Secure Access at Microsoft<\/title>\n<meta name=\"description\" content=\"Learn how Microsoft uses a combination of tools and processes to manage identities and network access for its employees, suppliers, and partners.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/managing-user-identities-and-secure-access-at-microsoft\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Managing User Identities &amp; Secure Access at Microsoft\" \/>\n<meta property=\"og:description\" content=\"Learn how Microsoft uses a combination of tools and processes to manage identities and network access for its employees, suppliers, and partners.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/managing-user-identities-and-secure-access-at-microsoft\/\" \/>\n<meta property=\"og:site_name\" content=\"Inside Track Blog\" \/>\n<meta property=\"article:published_time\" content=\"2023-10-30T15:13:26+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-11-07T19:28:25+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/6556-HeroALT.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1040\" \/>\n\t<meta property=\"og:image:height\" content=\"585\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Inside Track staff\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Inside Track staff\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/managing-user-identities-and-secure-access-at-microsoft\/\",\"url\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/managing-user-identities-and-secure-access-at-microsoft\/\",\"name\":\"Managing User Identities & Secure Access at Microsoft\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/managing-user-identities-and-secure-access-at-microsoft\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/managing-user-identities-and-secure-access-at-microsoft\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/6556-HeroALT.jpg\",\"datePublished\":\"2023-10-30T15:13:26+00:00\",\"dateModified\":\"2023-11-07T19:28:25+00:00\",\"author\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/d87d5d73eed76dd055086299c842c17e\"},\"description\":\"Learn how Microsoft uses a combination of tools and processes to manage identities and network access for its employees, suppliers, and partners.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/managing-user-identities-and-secure-access-at-microsoft\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/insidetrack\/blog\/managing-user-identities-and-secure-access-at-microsoft\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/managing-user-identities-and-secure-access-at-microsoft\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/6556-HeroALT.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/6556-HeroALT.jpg\",\"width\":1040,\"height\":585,\"caption\":\"At Microsoft we use a combination of tools and processes to manage identities and network access for our employees, suppliers, and partners.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/managing-user-identities-and-secure-access-at-microsoft\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Managing user identities and secure access at Microsoft\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/\",\"name\":\"Inside Track Blog\",\"description\":\"How Microsoft does IT\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/d87d5d73eed76dd055086299c842c17e\",\"name\":\"Inside Track staff\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/image\/fb338dea806293f999356f7d8a399348\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/3788032f4762be09ee17b2ec39f3d75b?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/3788032f4762be09ee17b2ec39f3d75b?s=96&d=mm&r=g\",\"caption\":\"Inside Track staff\"},\"description\":\"Questions? Send us a note: msitstaff@microsoft.com\",\"url\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/author\/insidetrack\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Managing User Identities & Secure Access at Microsoft","description":"Learn how Microsoft uses a combination of tools and processes to manage identities and network access for its employees, suppliers, and partners.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/insidetrack\/blog\/managing-user-identities-and-secure-access-at-microsoft\/","og_locale":"en_US","og_type":"article","og_title":"Managing User Identities & Secure Access at Microsoft","og_description":"Learn how Microsoft uses a combination of tools and processes to manage identities and network access for its employees, suppliers, and partners.","og_url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/managing-user-identities-and-secure-access-at-microsoft\/","og_site_name":"Inside Track Blog","article_published_time":"2023-10-30T15:13:26+00:00","article_modified_time":"2023-11-07T19:28:25+00:00","og_image":[{"width":1040,"height":585,"url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/6556-HeroALT.jpg","type":"image\/jpeg"}],"author":"Inside Track staff","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Inside Track staff","Est. reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/managing-user-identities-and-secure-access-at-microsoft\/","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/managing-user-identities-and-secure-access-at-microsoft\/","name":"Managing User Identities & Secure Access at Microsoft","isPartOf":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/managing-user-identities-and-secure-access-at-microsoft\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/managing-user-identities-and-secure-access-at-microsoft\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/6556-HeroALT.jpg","datePublished":"2023-10-30T15:13:26+00:00","dateModified":"2023-11-07T19:28:25+00:00","author":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/d87d5d73eed76dd055086299c842c17e"},"description":"Learn how Microsoft uses a combination of tools and processes to manage identities and network access for its employees, suppliers, and partners.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/managing-user-identities-and-secure-access-at-microsoft\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/insidetrack\/blog\/managing-user-identities-and-secure-access-at-microsoft\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/managing-user-identities-and-secure-access-at-microsoft\/#primaryimage","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/6556-HeroALT.jpg","contentUrl":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/6556-HeroALT.jpg","width":1040,"height":585,"caption":"At Microsoft we use a combination of tools and processes to manage identities and network access for our employees, suppliers, and partners."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/managing-user-identities-and-secure-access-at-microsoft\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/insidetrack\/blog\/"},{"@type":"ListItem","position":2,"name":"Managing user identities and secure access at Microsoft"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/","name":"Inside Track Blog","description":"How Microsoft does IT","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/d87d5d73eed76dd055086299c842c17e","name":"Inside Track staff","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/image\/fb338dea806293f999356f7d8a399348","url":"https:\/\/secure.gravatar.com\/avatar\/3788032f4762be09ee17b2ec39f3d75b?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3788032f4762be09ee17b2ec39f3d75b?s=96&d=mm&r=g","caption":"Inside Track staff"},"description":"Questions? Send us a note: msitstaff@microsoft.com","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/author\/insidetrack\/"}]}},"jetpack_featured_media_url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2023\/05\/6556-HeroALT.jpg","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9hcZA-2K6","_links":{"self":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/10546"}],"collection":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/users\/133"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/comments?post=10546"}],"version-history":[{"count":12,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/10546\/revisions"}],"predecessor-version":[{"id":12477,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/10546\/revisions\/12477"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/media\/10543"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/media?parent=10546"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/categories?post=10546"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/tags?post=10546"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/coauthors?post=10546"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}