In the summer of 2020 Microsoft rolled out Azure AD Premium P1 features to all Microsoft 365 Business Premium subscriptions. For many organisations this looked like the one-stop shop for user identity management and security had finally arrived, so all problems were solved. Or were they?
This blog draws on our experience and customer feedback over the past 12-24 months and covers the key considerations and reasons organisations look beyond their Microsoft licensing bundle:
- Deployment Flexibility
- Simplified Administration & Management
- Protecting Desktop Logon
- Advanced Radius Support
- Increased Granularity of Authentication Policies
- Handling Multiple Directory Environments
- Enhanced Concierge Style Customer Support
1. Deployment Flexibility
Analysts report that organisations are accelerating cloud adoption to modernise, streamline and capture new growth. The reality is that organisations are at different stages of that journey, and some must take different routes because of security or compliance restrictions.
On-Premise & Private Cloud Deployment
A key selling point of SecurEnvoy is the flexibility of its deployment options: the identity platform can be consumed from the public cloud, delivered as a fully managed service through a Managed Service Provider (MSP), or installed on-premises in a private datacentre or private cloud. That flexibility matters to clients for whom dedicated infrastructure is a security requirement, or who are bound by data sovereignty and compliance regulations.
Speed of Deployment
SecurEnvoy products are designed for a quick time to deploy. The on-premises platform has light prerequisites, and the installer offers to install any that are missing; no separate database is required. SecurEnvoy IAM ships with synchronisation agents that, once installed, begin synchronising user identities from Active Directory within moments, and additional cloud directories can be added in a few clicks.
2. Simplified Administration & Management
Ease of use and management is one of the main deciding factors in an organisation's IAM vendor selection. The platform must also prove its value through rich reporting, otherwise the investment is pointless. Add securing cloud identities to the mix, and an IAM platform that adapts to the organisation's cloud journey becomes critical.
Simple Intuitive Administration
The SecurEnvoy administration console is clutter free. Menus and navigation are intuitive and clear, and settings are directly accessible rather than hidden in nested menus, so administrators find their way around the UI quickly. Most settings are applied once, so there is little need to keep tweaking the solution.
Proven Application Integrations Out of the Box
Take advantage of prebuilt, proven SAML and WS-Federation integrations from the extensive application catalogue. Identity provider (IdP) URLs and signing certificates are generated automatically and accompanied by built-in documentation, so single sign-on (SSO) to an application is enabled in a couple of clicks, with application access centralised from day one.
Single Pane of Glass Management
An easy-to-read dashboard visualises both live and historical activity, capturing metrics such as logon activity, licence count, agent connection status and throughput, and application access.
Reduce helpdesk overheads by giving users secure self-service password reset. A forgotten-password reset can be initiated and completed from the web portal, from the point of logon, or from the mobile app itself.
For users who have lost or forgotten their mobile device, a self-service helpdesk portal can be enabled so the user can securely provision a temporary authentication method. The identity check that gates that temporary method is what stands between an attacker and an MFA bypass, so it deserves the same scrutiny as initial enrolment.
User Lifecycle Management
Onboarding is driven by the parent directory (Azure AD, Microsoft AD or Google Directory), from which accounts are synchronised into SecurEnvoy IAM. Synchronisation scope is granular: by domain, organisational unit (OU) or group membership. Once onboarded, users continue to use their existing password, reducing friction and easing adoption.
3. Protecting Desktop Logon
Securing the Windows logon itself with MFA, at enterprise scale, is something Microsoft has not really cracked yet. In our experience Windows Hello is not reliable enough and is difficult to manage across a large estate.
Protect Windows Logon & RDP with MFA.
The SecurEnvoy Windows Logon Agent can be installed on Windows workstations and Windows Servers to protect both console and RDP logons with MFA, so anyone accessing Windows directly, via RDP or via another configured connection type is prompted for a second factor. With SecurEnvoy authentication types that do not depend on network connectivity, MFA is still enforced when the user authenticates offline.
The agent can protect both logon and unlock, so a user who locks their machine is prompted for MFA on their return. Enforcement can be scoped by group membership: for example, only Domain Admins or local Administrators can be prompted for MFA when they RDP into servers, with users outside those groups restricted from that access, mitigating the risk of credential misuse. Bear in mind that any interactive account left outside an MFA-enforced group remains a password-only target, so group scoping is best treated as a rollout stage rather than the end state.
The Windows Logon Agent integrates with the Windows OS, giving users a native workflow. Additional features include emergency access and self-service password reset from the endpoint itself.
Protect macOS Desktops with MFA
Adoption of macOS endpoints in corporate environments is rising, and threat actors are increasingly targeting them. These devices are typically used by business executives, board members, software developers and security teams, so securing this attack surface should be a priority.
The SecurEnvoy macOS Logon Agent can be deployed simply to augment the standard logon workflow, securing access to macOS devices and further reducing the risk of unauthorised access to the corporate environment. There is no compromise on functionality: the integration with macOS is fully native and supports the full set of SecurEnvoy MFA options.
4. Advanced RADIUS Support
Although companies are moving IT environments to the cloud, existing on-premises environments are typically still fronted by a VPN or other remote-access method, and these predominantly authenticate over the RADIUS protocol.
Azure AD MFA can be used with RADIUS clients, but only through additional components: the NPS extension for Azure AD MFA, which runs on a Windows server with the Network Policy Server (NPS) role, adding complexity. The resulting RADIUS capability is limited and does not always work well with every vendor's VPN.
Full Feature Support for RADIUS–Based Clients with MFA.
SecurEnvoy offers a fully featured RADIUS server capability, supporting a wide range of legacy use cases including traditional VPN technologies and Remote Desktop environments.
RADIUS support extends to a 'Trusted Networks' policy, where users connecting from a specified address or hostname are not prompted for MFA and can authenticate with username and password alone, and a 'Blocked Networks' policy, where authentication attempts from specified network locations are rejected outright. A trusted-network exemption is a deliberate weakening of MFA for everyone who can reach the RADIUS client from that location, so keep it as narrow as possible.
'Trusted Groups' can also be configured, so that members of specified groups are not required to provide MFA. The policy works by exclusion as much as inclusion: keep the "administrators" group out of every trusted group so that administrators must always provide MFA.
RADIUS attributes can be returned to the RADIUS client where required, and authentication can be restricted to specific domains, which suits Managed Service Providers running multi-tenant environments.
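To make the interaction between these RADIUS policies concrete, here is an added example (not SecurEnvoy's code, and not a description of its internal implementation) of a policy decision function of the kind a RADIUS front end would run before challenging the user. The network ranges, group names, domain list and the precedence order (blocked or unknown-domain first, then always-MFA groups, then trusted exemptions) are all assumptions made for this example.

```python
from __future__ import annotations

import ipaddress
from enum import Enum


class Decision(Enum):
    BLOCK = "block"              # Access-Reject before any credential check
    PASSWORD_ONLY = "password"   # username and password suffice
    REQUIRE_MFA = "mfa"          # password plus a second factor (OTP/push)


# Constructed policy for this example only; not taken from any real deployment.
POLICY = {
    "blocked_networks": [ipaddress.ip_network("203.0.113.0/24")],
    "trusted_networks": [ipaddress.ip_network("10.0.0.0/8")],
    "trusted_groups": {"office-staff"},
    "always_mfa_groups": {"administrators"},   # never exempted, whatever the network
    "allowed_domains": {"corp.example", "tenant-b.example"},
}


def evaluate(username: str, source_ip: str, groups: set[str], policy: dict = POLICY) -> Decision:
    """Decide how a RADIUS Access-Request should be handled.

    Precedence (an assumption of this example, most restrictive first):
      1. unknown domain, malformed address or blocked network -> BLOCK
      2. membership of an always-MFA group                    -> REQUIRE_MFA
      3. trusted network or trusted group                     -> PASSWORD_ONLY
      4. anything else                                        -> REQUIRE_MFA
    Usernames are expected in UPN form (user@domain).
    """
    domain = username.rpartition("@")[2].lower() if "@" in username else ""
    if domain not in policy["allowed_domains"]:
        return Decision.BLOCK                       # multi-tenant domain restriction
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return Decision.BLOCK                       # fail closed on a malformed address
    if any(addr in net for net in policy["blocked_networks"]):
        return Decision.BLOCK
    if groups & policy["always_mfa_groups"]:
        return Decision.REQUIRE_MFA                 # admins get no exemption
    if any(addr in net for net in policy["trusted_networks"]) or groups & policy["trusted_groups"]:
        return Decision.PASSWORD_ONLY
    return Decision.REQUIRE_MFA


def reply_attributes(decision: Decision, groups: set[str]) -> dict[str, str]:
    """Attributes to return in the Access-Accept (hypothetical mapping for this example).

    Returns an empty dict for a BLOCK, since no Access-Accept is sent.
    """
    if decision is Decision.BLOCK:
        return {}
    # Illustrative: hand the VPN a Filter-Id it can map to an access profile.
    profile = "admin-acl" if "administrators" in groups else "user-acl"
    return {"Filter-Id": profile, "Class": f"mfa={'yes' if decision is Decision.REQUIRE_MFA else 'no'}"}


if __name__ == "__main__":
    # Constructed sample Access-Requests (username, NAS-reported source, group memberships).
    samples = [
        ("alice@corp.example", "10.1.2.3", {"office-staff"}),
        ("root@corp.example", "10.1.2.3", {"administrators"}),
        ("bob@corp.example", "203.0.113.7", {"office-staff"}),
        ("eve@evil.example", "10.1.2.3", set()),
        ("carol@tenant-b.example", "198.51.100.9", set()),
    ]
    for user, ip, grp in samples:
        d = evaluate(user, ip, grp)
        print(f"{user:26} {ip:14} -> {d.value:9} {reply_attributes(d, grp)}")
```

Note that the administrator on the trusted 10.0.0.0/8 network still gets `REQUIRE_MFA`: that is the "administrators must always provide MFA" outcome the text asks for, and it only holds because the always-MFA check is evaluated before the exemptions.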
5. Increased Granularity of Authentication Policies
Implementing effective yet unobtrusive access policies is a significant challenge for organisations. Limited granularity in the options Azure AD MFA provides makes it hard to strike the balance between security and user experience.
Some authentication-method settings are only available as a global on/off switch, so an organisation cannot, for example, permit SMS OTP for a few low-risk user activities while disallowing it everywhere else.
It is of utmost importance that organisations have a broad range of authentication mechanisms at their disposal, so that each use case and user group can be addressed appropriately.
Select Individual Authentication Methods Based on Group/User Profile
SecurEnvoy lets administrators configure which authentication methods are available to each user or user group at enrolment, ranging from biometrically protected smartphone apps and hardware tokens through to simple SMS OTP.
The platform can also report at any time which users are enrolled for which authentication methods, giving a clear bird's-eye view of the authentication types in use.
User Self-Service to Reduce Administration Overhead
Letting users choose their enrolment method at sign-up, from the options the administrator has made available, improves acceptance and user experience.
Built-in user self-service, if enabled, lets users change their authentication method securely and quickly when, for example, they have lost or changed their device or their working environment has changed. A self-service method change is itself an enrolment event, so it should be gated by a factor the user still holds; otherwise it becomes the easiest route around MFA.
When Geo-IP Is Not Enough – Implement True Location Awareness
A recent customer survey revealed low trust in standard Geo-IP as a way to locate a user: IP geolocation is coarse, and traffic through a VPN, proxy or mobile carrier gateway resolves to the exit point rather than to the user. Where data sovereignty or data boundaries apply, it may be important to know more accurately that a user is accessing from within a given geography or, more importantly, that they are not accessing from an unauthorised location.
SecurEnvoy establishes the user's location at the time of authentication by comparing the location of the access request with the location reported with the authentication (push) response, so strict policies can permit only pre-defined "safe" locations or tolerate a bounded deviation between the request and the push response. Corporations are thereby assured not only of the user's identity but also of their location, giving a deeper level of access control.
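The following added example (not SecurEnvoy's code) shows what such a location policy evaluates: the device location returned with the push response must fall inside a pre-defined safe zone, and the Geo-IP location of the request must lie within an allowed deviation of it. The safe zones, the 50 km deviation limit, the decision to proceed on the device location alone when no Geo-IP fix exists, and the coordinates are all constructed for this example.

```python
from __future__ import annotations

from math import asin, cos, radians, sin, sqrt
from typing import Optional

EARTH_RADIUS_KM = 6371.0
Point = tuple[float, float]   # (latitude, longitude) in decimal degrees


def haversine_km(a: Point, b: Point) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


# Constructed safe zones: (name, centre, radius in km).
SAFE_ZONES = [
    ("London office", (51.5074, -0.1278), 25.0),
    ("Manchester office", (53.4808, -2.2426), 25.0),
]
MAX_DEVIATION_KM = 50.0   # assumed tolerance between request origin and device


def check_location(request_loc: Optional[Point], push_loc: Optional[Point],
                   safe_zones=SAFE_ZONES, max_deviation_km: float = MAX_DEVIATION_KM) -> tuple[bool, str]:
    """Return (allowed, reason).

    request_loc: Geo-IP location of the access request, or None if unresolvable
                 (private address, unknown range).
    push_loc:    location reported with the push response from the user's device,
                 or None if the device sent none.
    Policy assumed here: the device fix is mandatory; a missing Geo-IP fix is
    tolerated because it is routine for private ranges, but the safe-zone check
    still applies to the device.
    """
    if push_loc is None:
        return False, "no device location in push response"
    zone = next((name for name, centre, radius in safe_zones
                 if haversine_km(push_loc, centre) <= radius), None)
    if zone is None:
        return False, "device outside all safe locations"
    if request_loc is not None:
        deviation = haversine_km(request_loc, push_loc)
        if deviation > max_deviation_km:
            # Typical of a VPN or proxy exit far from where the user actually is.
            return False, f"request origin {deviation:.0f} km from device (limit {max_deviation_km:.0f} km)"
    return True, f"device in {zone}"


if __name__ == "__main__":
    # Constructed scenarios: (description, request Geo-IP, device location)
    scenarios = [
        ("user and request both in London", (51.52, -0.10), (51.50, -0.12)),
        ("London device, request via Amsterdam exit", (52.3676, 4.9041), (51.50, -0.12)),
        ("device in Paris, no Geo-IP fix", None, (48.8566, 2.3522)),
        ("push response without location", (51.52, -0.10), None),
    ]
    for label, req, dev in scenarios:
        allowed, reason = check_location(req, dev)
        print(f"{label:42} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

The second scenario is the case Geo-IP alone gets wrong: the request appears to come from the Netherlands, but the device answering the push is in London, and it is the deviation between the two, not the request origin on its own, that the policy acts on.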
6. Handling Multiple Directory Environments
Acquisitions and mergers, regionally distributed businesses and digital transformation projects can all leave organisations managing multiple directory environments.
Projects to consolidate multi-domain environments typically take a long time, drain internal resources and are costly, and if poorly planned they can introduce security issues.
SecurEnvoy Universal Directory
A Universal Directory sits at the core of the SecurEnvoy IAM platform, synchronising bidirectionally with multiple directories. A wide range of directory types is supported, including but not limited to Microsoft AD, Azure AD and Google Workspace.
SecurEnvoy becomes the identity provider (IdP) and single source of truth, creating one digital identity per user. Consistent security and access policies can then be applied across every directory, minimising security risk.
The Universal Directory is also a single pane of glass for visibility of all identities and the applications and resources they can access, and clearer, more concise reporting keeps auditors satisfied. Joiners, movers and leavers (JML) are handled automatically too: when a user is disabled in one directory, bidirectional synchronisation disables their access in the others as soon as the change synchronises. The same property cuts both ways, since a mistaken or malicious change in any one directory propagates to all of them, so the write permissions granted to the synchronisation agents deserve the same scrutiny as domain administrator rights.
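To show what "one digital identity" and leaver propagation mean in practice, here is an added example (not SecurEnvoy's code, and not a description of how its Universal Directory is implemented) that joins accounts from several directories on a normalised e-mail address, reports the effective application access of each identity, and computes which accounts must be disabled when any one linked account is. The directory labels, account records and the join rule (e-mail address, case-insensitive; accounts without one are flagged for manual review) are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class DirectoryAccount:
    directory: str                       # constructed labels: "ad", "azuread", "google"
    account_id: str
    email: str
    enabled: bool
    apps: set[str] = field(default_factory=set)   # applications this account grants


@dataclass
class Identity:
    email: str
    accounts: list[DirectoryAccount] = field(default_factory=list)

    @property
    def enabled(self) -> bool:
        # Rule assumed here: a disable in any directory disables the whole identity.
        return all(a.enabled for a in self.accounts)

    @property
    def effective_apps(self) -> set[str]:
        # What the auditor wants to see: the union of access across directories,
        # and nothing at all once the identity is disabled.
        return set().union(*(a.apps for a in self.accounts)) if self.enabled else set()


def consolidate(accounts: list[DirectoryAccount]) -> tuple[dict[str, Identity], list[DirectoryAccount]]:
    """Join accounts into identities keyed on normalised e-mail; return orphans separately."""
    identities: dict[str, Identity] = {}
    orphans: list[DirectoryAccount] = []
    for acct in accounts:
        key = acct.email.strip().lower()
        if not key:
            orphans.append(acct)        # cannot be joined automatically; review by hand
            continue
        identities.setdefault(key, Identity(key)).accounts.append(acct)
    return identities, orphans


def reconcile(identities: dict[str, Identity]) -> list[tuple[str, str]]:
    """Disable every still-enabled account of a disabled identity.

    Returns the (directory, account_id) pairs that were changed, i.e. the write-backs
    a bidirectional synchronisation would issue to the other directories.
    """
    changes: list[tuple[str, str]] = []
    for ident in identities.values():
        if ident.enabled:
            continue
        for acct in ident.accounts:
            if acct.enabled:
                acct.enabled = False
                changes.append((acct.directory, acct.account_id))
    return changes


def sample_accounts() -> list[DirectoryAccount]:
    """Constructed sample data: Alice exists in three directories and has left (Google disabled)."""
    return [
        DirectoryAccount("ad", "alice", "Alice@Corp.Example ", True, {"vpn"}),
        DirectoryAccount("azuread", "a1b2", "alice@corp.example", True, {"m365"}),
        DirectoryAccount("google", "g-77", "alice@corp.example", False, {"workspace"}),
        DirectoryAccount("ad", "bob", "bob@corp.example", True, {"vpn", "crm"}),
        DirectoryAccount("ad", "svc-backup", "", True, set()),   # no e-mail: cannot be joined
    ]


if __name__ == "__main__":
    identities, orphans = consolidate(sample_accounts())
    for ident in identities.values():
        print(f"{ident.email:20} enabled={ident.enabled!s:5} apps={sorted(ident.effective_apps)}")
    print("write-backs:", reconcile(identities))
    print("needs review:", [(o.directory, o.account_id) for o in orphans])
```

Alice's three accounts collapse into one identity whose effective access is already empty because the Google account is disabled; `reconcile` then returns the AD and Azure AD accounts that must be written back as disabled, which is the leaver propagation the text describes.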
7. Enhanced Concierge Style Customer Support
Something we hear almost daily from clients is how important effective support is to the success of any solution. Having to hunt for a telephone number to reach someone who can actually help, or being funnelled into an unhelpful first-line queue, are the biggest complaints we hear.
Organisations do not only look for help when something stops working; they also need guidance and advice on best practice and on the options for addressing business challenges.
Dedicated Focused Support Team
SecurEnvoy has a dedicated Customer Experience Team to ensure every customer interaction is of the highest standard. Calls are routed directly to experienced second- and third-line Technical Services Engineers, so issues are resolved quickly without navigating a time-consuming and sometimes frustrating faceless first-line helpdesk.
We aim to maintain continuity in customer communications by routing calls to engineers who have previously worked with the customer; their familiarity with the customer's environment shortens resolution times and improves satisfaction.
Alongside that level of support, and working closely with our experienced development team, customers often benefit from our consultative service on solving business issues.
To summarise: Azure AD MFA works well in most environments, but certainly not all. Deployment and management can be complex, and in many areas it lacks flexibility and granular controls.
Putting all your eggs in one vendor's basket may also leave you exposed to unexpected downtime, as has been shown in recent years; Microsoft's global customer footprint likely makes it the number one vendor target for attackers.
Customers large and small have raised concerns about the licensing model, with some saying they feel locked in, which leaves them exposed to price increases such as those of 1st March 2022, which exceeded 10% in most cases.
Like an all-inclusive hotel, a bundled licensing model is great value if you are going to eat in the hotel every night, or use every application the bundle includes. If you only need a few of them, you may feel you are paying too much. So perhaps a Microsoft "plus" approach is the way forward: subscribe to the minimum bundle and integrate best-of-breed solutions to build the solution that best fits your business needs.