For Software IDM and our partner community our focus is firmly on improving the security posture of our many clients, and adopting a "Zero Trust" approach to Identity and Access. This is made possible at scale with the Identity Panel Suite of services.
Identity Panel
Identity Panel is a vendor-neutral identity management umbrella for companies managing identities, identity lifecycle systems, and identity platforms. While this web application incorporates a suite of features to test and operate a multi-system, multi-vendor identity ecosystem, it is the underlying data model, which allows related identity data to be presented instantly in the UI, that makes it so compelling.
The UI which supports lookup and display of identity details is designed mainly with the Service Desk and Administrator users in mind, and consists of the following key components:
- Time Traveler is the name of the unique UI architecture which allows the viewer not only to traverse the links between related records, but also to move forwards and backwards in time and observe how attribute values change and new joins are established.
- Shutter Views allow Time Traveler data to be reduced to a limited set of attributes and silos. Each shutter is named and, with assigned access, can be granted to an Identity Panel user. Shutter Views let the viewer restrict the amount of data displayed, so important information can quickly be identified visually.
- Security is provided at the attribute level for targeted audiences in both the Web Service API and database application layers. This security is provided to all data access inside and outside of the Time Traveler, including Reporting.
Beyond the identity lookup features, key operational features for a holistic platform for managing identities include:
- Customisable Dashboards,
- Monitoring with Health Checks, Probes and Self-Healing,
- Extensible Workflow design,
- Reporting and Charting with downloads to Excel, PDF, and other formats,
- Scheduling incorporating PowerShell support,
- Download/upload configuration migration with full change history, and
- Environment variables for configuration mobility.
Identity Panel Suite
Identity Panel is also the core component required by the Identity Panel Suite of applications:
- HyperSync Panel is a fully customizable synchronization engine to propagate identity information across systems.
- Service Panel is a customizable portal for fulfilling self-service identity management requests, and approvals.
- Access Panel is a governance application providing features such as RBAC, ABAC, Access reviews, and access management.
- Test Panel provides automated testing for identity lifecycle and provisioning systems.
The Identity Panel Suite is Azure-based, natively connecting to cloud applications and directories, with an on-premises agent for managing legacy systems. This makes it an ideal way to combine the management of multiple identity platforms via a common architecture using:
- Providers for extending the data model to incorporate new connected systems in one or more silos,
- Join Rules for connecting silos together using common unique keys, and
- A Rule Engine for consistently defining query filters and data transformations.
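The silo, join-rule and rule-engine concepts above are generic enough to sketch in code. The following is an added, self-contained illustration (not Identity Panel's own code or data model): three constructed silos (HR, AD, Azure AD) with made-up records, join rules that link them on normalised unique keys, and a small rule engine that evaluates filters over the joined identities. The rules it ships with are the ones a security engineer would want first: leavers still enabled on-premises, and accounts with no authoritative source. Key normalisation and the "refuse to join on an ambiguous key" behaviour are design assumptions of this example, not claims about the product.

```python
"""Toy multi-silo identity join + rule engine. Added example; not Identity Panel code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

Record = Dict[str, Any]
Identity = Dict[str, Record]  # silo name -> the one record from that silo

# Constructed sample silos; every name, ID and address here is made up.
SILOS: Dict[str, List[Record]] = {
    "HR": [
        {"EmployeeID": "E1001", "Name": "Ada Lovelace", "Status": "Active"},
        {"EmployeeID": "E1002", "Name": "Alan Turing", "Status": "Terminated"},
    ],
    "AD": [
        {"sAMAccountName": "alovelace", "employeeID": "e1001", "mail": "Ada@Example.com", "enabled": True},
        {"sAMAccountName": "aturing", "employeeID": "E1002", "mail": "alan@example.com", "enabled": True},
        {"sAMAccountName": "svc-backup", "employeeID": None, "mail": None, "enabled": True},
    ],
    "AzureAD": [
        {"userPrincipalName": "ada@example.com", "accountEnabled": True},
        {"userPrincipalName": "alan@example.com", "accountEnabled": False},
    ],
}


def norm(value: Any) -> Optional[str]:
    """Normalise a join key: trimmed and case-folded. Blank/None never joins (avoids mass-joining empties)."""
    if value is None:
        return None
    s = str(value).strip().lower()
    return s or None


@dataclass(frozen=True)
class JoinRule:
    left_silo: str
    left_key: str
    right_silo: str
    right_key: str


# Join HR to AD on employee ID, then AD to Azure AD on mail == UPN.
JOIN_RULES = [
    JoinRule("HR", "EmployeeID", "AD", "employeeID"),
    JoinRule("AD", "mail", "AzureAD", "userPrincipalName"),
]


def join_silos(silos: Dict[str, List[Record]], rules: List[JoinRule]) -> List[Identity]:
    """Union-find over (silo, index) nodes: each join rule merges matching records into one identity."""
    nodes = [(silo, i) for silo, recs in silos.items() for i in range(len(recs))]
    parent = {n: n for n in nodes}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n

    for rule in rules:
        right_index = defaultdict(list)
        for j, rec in enumerate(silos[rule.right_silo]):
            k = norm(rec.get(rule.right_key))
            if k is not None:
                right_index[k].append((rule.right_silo, j))
        for i, rec in enumerate(silos[rule.left_silo]):
            k = norm(rec.get(rule.left_key))
            if k is None:
                continue
            matches = right_index.get(k, [])
            if len(matches) > 1:
                # A "unique" key that matches twice is a data-quality fault; refuse rather than guess.
                raise ValueError(f"ambiguous join on {rule.right_silo}.{rule.right_key}={k!r}")
            for m in matches:
                parent[find((rule.left_silo, i))] = find(m)

    groups: Dict[Any, Identity] = defaultdict(dict)
    for silo, i in nodes:
        root = find((silo, i))
        if silo in groups[root]:
            raise ValueError(f"two {silo} records collapsed into one identity")
        groups[root][silo] = silos[silo][i]
    return list(groups.values())


# Rule engine: named filters over a joined identity. True == finding.
def terminated_but_enabled(ident: Identity) -> bool:
    hr, ad = ident.get("HR"), ident.get("AD")
    return bool(hr and ad and hr["Status"] == "Terminated" and ad["enabled"])


def no_authoritative_source(ident: Identity) -> bool:
    return "HR" not in ident and "AD" in ident


def onprem_cloud_enabled_mismatch(ident: Identity) -> bool:
    ad, aad = ident.get("AD"), ident.get("AzureAD")
    return bool(ad and aad and ad["enabled"] != aad["accountEnabled"])


RULE_ENGINE: Dict[str, Callable[[Identity], bool]] = {
    "terminated_but_enabled": terminated_but_enabled,
    "no_authoritative_source": no_authoritative_source,
    "onprem_cloud_enabled_mismatch": onprem_cloud_enabled_mismatch,
}


def label(ident: Identity) -> str:
    """Best available human label: AD account, else HR ID, else UPN."""
    return ((ident.get("AD") or {}).get("sAMAccountName")
            or (ident.get("HR") or {}).get("EmployeeID")
            or (ident.get("AzureAD") or {}).get("userPrincipalName") or "?")


def evaluate(identities: List[Identity], rules: Dict[str, Callable[[Identity], bool]]) -> Dict[str, List[str]]:
    findings: Dict[str, List[str]] = defaultdict(list)
    for ident in identities:
        for name, rule in rules.items():
            if rule(ident):
                findings[name].append(label(ident))
    return dict(findings)


if __name__ == "__main__":
    for name, hits in evaluate(join_silos(SILOS, JOIN_RULES), RULE_ENGINE).items():
        print(f"{name}: {hits}")
```

On the constructed data this yields three identities (two fully joined across all three silos, plus the orphan service account) and flags `aturing` as terminated in HR yet still enabled in AD, `svc-backup` as having no HR source, and `aturing` again as enabled on-premises but disabled in the cloud. Note that the Ada records join despite the differing case of `e1001`/`E1001` and `Ada@Example.com`, which is exactly why the key normalisation step exists.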
Integrating with On-premises Systems
While on-premises systems are many and varied, in a Microsoft eco-system the following are most common:
- Microsoft Active Directory where every Microsoft Azure hybrid identity is presently mastered,
- Microsoft AD LDS where custom application authentication stores have been established,
- Microsoft SQL Server for application databases in which identity profiles are often found,
- Microsoft Azure AD Connect for providing automated provisioning from AD to Azure AD; and often
- Microsoft Identity Manager 2016 for custom joiner/mover/leaver (JML) lifecycle management.
Integrating with Microsoft Entra
Today, Microsoft continues to build out the Entra identity framework in Azure, with Azure AD as the JML hub that delivers this at global scale. It consists of 4 core concepts which work together to deliver a Zero Trust outcome:
- Entra HR Provisioning,
- Entra App Provisioning (with SCIM),
- Entra Identity Governance (IGA), and
- Entra B2B Guest Provisioning (trusted partners and vendors not in HR).
With these elements in place, organizations can confidently align to clearly published Identity Architecture patterns, and plug into the roadmap as it rapidly evolves, ultimately ensuring "Modern Authentication" concepts (multifactor authentication, conditional access, etc.) are built into every enterprise application user interaction.
However, in the short to medium term, as the Microsoft roadmap is constantly developed and refined, organizations looking to adopt it invariably run into the feature and capability limitations that exist today. To address these "gaps", organizations must be confident that anything new they put in place is:
- Compliant with enterprise standards,
- Supportable within the available budget,
- Modular, so it can be retired as planned, and
- Free of technical debt, and not adding more.
With the Identity Panel Suite you can be confident you can address these same gaps today, in a way that comfortably satisfies all these criteria. The sections below address each of the 4 Entra concepts above to explain exactly how this is done ...
Entra HR Provisioning
HR Provisioning (upstream of Azure AD) is the process of creating digital identities from a human resource (HR) platform; in a Microsoft context, specifically in Active Directory (AD on premises) and/or Azure Active Directory (Azure AD). Very few organizations are without an on-premises AD, and that AD must be kept in lockstep with their Azure AD; Microsoft calls this "Hybrid Identity".
At the time of writing, Azure HR Provisioning supports only two major HR platforms, Workday and SAP SuccessFactors, although development is underway on a generic HR solution.
However, if your HR system is neither of these, then HyperSync Panel provides this capability in lieu of the Azure Entra feature.
Entra App Provisioning
Application Provisioning (downstream of Azure AD) is the process of creating digital identities (user profiles) in a target application that authenticates its users against Azure AD. This requires the application to expose an API that implements the SCIM protocol, as an increasing number of applications (ServiceNow, Salesforce, etc.) now do.
This is a truly compelling reason to adopt the Entra model: while you may encounter some limitations (e.g. no write-back to Azure), it provides a consistent and elegant way to eliminate costly manual application onboarding while meeting compliance mandates and optimizing costly licensing.
However, if your downstream systems don't (yet) support SCIM, then HyperSync Panel provides this capability in lieu of the Azure Entra feature.
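To make the SCIM requirement concrete, here is an added example (not code from the page's author or product) of the two messages a SCIM 2.0 provisioning client sends for the joiner and leaver cases, together with a validator a target application's SCIM endpoint could apply before acting on an inbound user. The schema URNs and attribute names are those defined by RFC 7643/7644; the `externalId` correlation check and the `active`-must-be-boolean check reflect how provisioning engines actually use those attributes, and are this example's design choice rather than anything the page states.

```python
"""SCIM 2.0 User create/deactivate messages and an inbound validator. Added example; not product code."""
import json
from typing import Any, Dict, List

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_user(external_id: str, user_name: str, given: str, family: str,
              email: str, active: bool = True) -> Dict[str, Any]:
    """Body of POST /Users for a joiner. externalId carries the source-system key so the
    record can be correlated later without relying on the mutable userName."""
    return {
        "schemas": [SCIM_USER],
        "externalId": external_id,
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "type": "work", "primary": True}],
        "active": active,
    }


def scim_deactivate_patch() -> Dict[str, Any]:
    """Body of PATCH /Users/{id} for a leaver: SCIM deprovisioning is usually a soft-disable,
    not a DELETE, so the application retains the audit trail."""
    return {
        "schemas": [SCIM_PATCH],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


def validate_scim_user(payload: Dict[str, Any]) -> List[str]:
    """Checks a target application should make on an inbound User before creating anything.
    Returns a list of problems; an empty list means the payload is acceptable."""
    problems: List[str] = []
    schemas = payload.get("schemas")
    if not isinstance(schemas, list) or SCIM_USER not in schemas:
        problems.append(f"schemas must include {SCIM_USER}")
    user_name = payload.get("userName")
    if not isinstance(user_name, str) or not user_name.strip():
        problems.append("userName is required and must be non-empty")
    # externalId is optional in RFC 7643, but without it the provisioning engine cannot
    # correlate renames/rehires, so this endpoint refuses uncorrelated users (example policy).
    if not isinstance(payload.get("externalId"), str) or not payload["externalId"].strip():
        problems.append("externalId is required for correlation with the source system")
    if "active" in payload and not isinstance(payload["active"], bool):
        problems.append("active must be a JSON boolean, not a string")
    for i, email in enumerate(payload.get("emails") or []):
        if not isinstance(email, dict) or not isinstance(email.get("value"), str) or "@" not in email["value"]:
            problems.append(f"emails[{i}].value must be an address")
    return problems


if __name__ == "__main__":
    # Constructed sample joiner; every value is made up.
    joiner = scim_user("E1001", "alovelace@example.com", "Ada", "Lovelace", "ada@example.com")
    print(json.dumps(joiner, indent=2))
    print("problems:", validate_scim_user(joiner))
    print(json.dumps(scim_deactivate_patch()))
```

The validator deliberately rejects `"active": "false"` (a string): a common integration bug is a target that coerces that truthy string to enabled, so a leaver PATCH silently fails to disable the account. That is the kind of gap the page's "no write-back" caveat hints at, and the reason provisioning results should be reconciled against the target rather than trusted on send.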
Entra Identity Governance (IGA)
Compliance, Security and Audit requirements for Azure identity can now be met with Entra's Entitlement Management suite for customers holding the necessary P2 license. Entra IGA provides the request-based access, access review and, now, segregation-of-duties features needed to ensure just enough access at just the right time for applications fronted by Azure AD. Until recently, role-based access control (RBAC) was only provided on a request basis, but it can now be applied in conjunction with an attribute-based model (ABAC).
Of course, as anyone trying to implement IGA will attest to, this is only achievable with both upstream and downstream Identity Lifecycle Management firmly in place.
However, if like many others your organization still has many business-critical applications on premises, Access Panel provides a compelling alternative. If your answer is yes to one or more of the following questions, this may be the option for you now.
Do you have any applications which
- still authenticate and authorize users with on premises AD?
- do not yet support SCIM?
- rely on password synchronization for same sign-on?
- require on-premises AD access for external (e.g. vendor) accounts which are not and probably can never be mastered in your HR system?
While on-premises sync back from Azure AD is also supported by MIM, HyperSync Panel delivers the same functionality today without adding any further on-premises "technical debt". If required, HyperSync password synchronization can not only be implemented, but also be deployed in such a way as to overcome some critical limitations of the MIM (PCNS) alternative.
Entra B2B Guest Provisioning
Where no authoritative source exists for an identity in your HR system, a solid alternative for vendors, partners and suppliers is to establish a B2B trust with the third-party organization to streamline onboarding. By then overlaying IGA, B2B Guest policy can be used to control access after onboarding, enabling Access Reviews and a degree of lifecycle management comparable to that afforded to HR-sourced identities. This can include assigning guests to org units and managers within the trusting organization.
Until recently the B2B focus was on external organization relationships. However a significant development is the emergence of the intra-organizational B2B use cases where multiple Azure tenants exist within a common entity. In the Government sector, this might include agencies and sections (particularly after Machinery-of-Government changes) which need seamless collaboration, and in the Corporate sector those organizational structures formed by Mergers and Acquisitions.
However, where guest onboarding and lifecycle management is required for on premises guest access, Microsoft guidance invariably turns to MIM. Once more, HyperSync Panel provides this same capability today, without the need to add to your on-premises footprint.
Discover more about Identity Panel
If any of the above resonates for your organization, speak to us or one of our solution partners to arrange an Identity Panel Suite demo and see this in action for yourself.