{"id":10546,"date":"2023-10-30T08:13:26","date_gmt":"2023-10-30T15:13:26","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=10546"},"modified":"2023-11-07T11:28:25","modified_gmt":"2023-11-07T19:28:25","slug":"managing-user-identities-and-secure-access-at-microsoft","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/managing-user-identities-and-secure-access-at-microsoft\/","title":{"rendered":"Managing user identities and secure access at Microsoft"},"content":{"rendered":"
Managing identities and network access at Microsoft encompasses all the processes and tools used throughout the identity life cycle for employees, supplier staff, and partners. As a cloud-first company, our Microsoft Digital Employee Experience (MDEE) team uses features in the Microsoft Enterprise Mobility + Security suite, powered by Microsoft Azure, along with on-premises identity and access management solutions to enable our users to be securely productive from anywhere.

We're on a multi-year journey of transforming into a cloud-first, mobile-first enterprise. Though we operate in a hybrid cloud environment today, we're moving on-premises identity technologies to the cloud, giving our employees the flexibility they need. Application owners can also use the power of Microsoft Graph to manage access to applications and resources effectively.

[See how we're implementing strong user authentication with Windows Hello for Business. Learn more about verifying identity in a Zero Trust model internally at Microsoft. Unpack implementing a Zero Trust security model at Microsoft.]

Unifying the environment

To enable a single user identity for authentication and offer a unified experience, we integrated our on-premises Windows Server Active Directory forests with Microsoft Azure Active Directory (Azure AD). Our geographically distributed Active Directory environment runs Windows Server 2016. We use Azure AD Connect and Active Directory Federation Services (AD FS) when an Azure-based application needs user attributes, for example a user's location, organization, or job title. User information is available to a service only if it has the right permissions to query for those attributes.

As shown in the image below, our identity and access environment is hybrid, federated, and cloud-synced.

The Microsoft identity environment includes:

Microsoft Azure Active Directory Connect

Microsoft Azure Active Directory Connect integrates on-premises directories with Microsoft Azure Active Directory. It gives users a single identity in Office 365, Azure, and software as a service (SaaS) applications that are integrated with Azure AD. Azure AD Connect consists of three main components:

Enabling identity models in Microsoft 365

Microsoft 365 supports three identity models that cover a variety of identity scenarios. Depending on how you manage identities, you can use the cloud identity model, the federated identity model, or the synchronized identity model.

We use the federated model: we synchronize on-premises directory objects with Microsoft 365 and manage our users on-premises. Users have the same password on-premises and in the cloud, and they do not have to sign in again to use Microsoft 365. Because AD FS verifies the user's password, the password hash doesn't need to be synchronized to Microsoft Azure AD.

Enabling users

Every employee, supplier staff member, or partner who needs access to the corporate network receives an email address to sign in to their primary account. That primary account is synced to Microsoft Azure AD and gives the user access to corporate resources, Microsoft 365, Microsoft SaaS, and corporate business unit and third-party SaaS and platform as a service (PaaS) applications (such as apps for expenses or travel).

Strong authentication

We require multifactor authentication to verify a user's identity before giving them access to corporate resources when they're not connected to the corporate network. People use multifactor authentication in a few ways, including certificate-backed virtual and physical smart cards, Windows Hello for Business with PIN or biometric sign-in, and Microsoft Azure Multi-Factor Authentication (MFA) using a phone or the Microsoft Authenticator app. On domain-joined devices that we manage, multifactor authentication has become almost transparent to users.

Currently, the use rate for each authentication method is approximately:

Certificate-based

For many years, certificate-based physical and virtual smart cards were the main method of multifactor authentication. As the other options have been enabled, smart card use has been declining.

Windows Hello for Business

With the deployment of Windows 10 and Windows 11, we enabled Windows Hello for Business, which can replace passwords with strong two-factor authentication that combines an enrolled device with a PIN or biometric (fingerprint or facial recognition) to sign in. Windows Hello was easy to implement within our existing identity infrastructure: we extended our certificates so that a PIN or biometric can be used as an enterprise credential, and it also supports remote access. Users can sign in to their Microsoft account, an Active Directory account, or an Azure AD Premium account.

Microsoft Azure MFA

Although Windows Hello has become the preferred method on our Windows 10 and Windows 11 domain-joined devices, we also support access from mobile platforms such as iOS and Android. Microsoft Azure MFA is the best solution for securing our users and data on these platforms, and it integrates seamlessly with our existing AD FS infrastructure.

[Editor's note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we're republishing it here so you can see what our thinking and experience was like at the time.]

Enabling partner access