>> Today, I wanted to talk a little bit and have a discussion on lifecycle management of guest users within an AD tenant. Within that, I’ll give some context on what we are thinking all up on identity governance, show you some of the new capabilities that we are going to ship fairly soon, and then where we think we are heading, and get your feedback and insight as to, okay, what are the right things to be focused on or not. So, hopefully, this will be an interactive session. Mark Hall, on my team, will be here; I’m sure most of you know him. We’ll walk you through some of the demos as we go through the session, so feel free to ask questions as we go. All right. The main thing is, how can partners, like yourself, help customers with lifecycle management? What do you guys do today for guest users with customers? Anything, nothing?
>> We don’t have guest users.
>> You don’t have guest users.
>> It’s not supported.
>> It’s not supported, so that’s as the customer says, “I want to have all these partners I want to collaborate with, including yourself.” We tell them, “No.” We know it’s a challenge today in enterprise, and when we talk to customers often they tell us it is one of the biggest pain points that they have. They have processes for regular employees, but for guests they often have to either add them as employees within their AD tenants, or they are in on-premises AD, and then manage them like employees. However, when people leave the organization, it’s not clear. You have all these accounts authenticating to your resources. How do you get rid of them? How do you know?
Actually, they haven’t left the company that they work for, so it’s a big challenge and a potential security risk. One of the things that we’re trying to do in Azure Active Directory is, as Alex talked about earlier, we are introducing the B2B capabilities, so the user authenticates against their home tenant or whatever, and we, in Azure AD, are going to provide some more controls around the access, so that when they leave the organization, you can block the access, you can remove them, or you can have them do certain things like attestation, etc. Now, we are not only doing it for guests. It’s part of a broader picture around identity governance that we’ve started working on, and so the B2B gets into just one piece of it. First, I want to give a little context for how we think of identity governance that Alex mentioned earlier. The first principle, then, that we want to do, all we hear customers ask or talk about, is: who has access to our resources? That’s the first thing, so how do we help customers, or partners like yourself, understand, or help these customers know, who has access to work resources? What are those people or those users doing with these resources? Do you have effective controls? Are there policies? Are there rules? Did I do attestation on them, etc.? When somebody wants access to a resource, is there an approval process, you know, is it auditable, etc.? How do you provide all those controls within Azure Active Directory today to help organizations meet all these certifications and other requirements? I talk to customers and they say, “Hey, you know, often when they’re going to a governance solution or they’re looking for a governance solution, the first thing is because either they failed an audit and then the board wants them to go figure out how they made their audit financed.” In the next year, every three months, they need to come back: what are you doing with the progress?
Or they were small app whole, they bought companies, and now they need to grow up, and how do they put effective processes in there? These are the four main pillars that are going to drive our governance capabilities. Clearly, we don’t have all the capabilities on day one. We are not going to have them on day one. There are partners like SailPoint, Mader, CVN, a whole bunch of people that do point governance today; they are providing solutions out there. But, over time, we are going to add more capabilities to our solution. Within that context of how you do governance all up, the first thing that we hear when it comes to guests is around, “We are scared.” You mentioned earlier, we don’t do it because we don’t know how to do it, but companies are scared about guest users. What are they going to do? Are they going to get access to resources? You think of the Edward Snowden case. He’s a contractor within NSA and he
possible for these processes or reviews to be created?
>> Okay. So there are a couple of ways you can do the review. One of the ways that we are seeing a lot of interest in for the guests is actually to ask guests to confirm their own access. And so we are working on that scenario right now. I have a couple of different ideas for how to do that. Here is one view, in which you can send guests a question. It comes in e-mail. It could be every quarter or every month; we have some scripts for that. And then you can say, do you still need access? Now here is kind of a generic full view in which you can see the user and they are just attesting themselves. Oh, I haven’t signed in, I think. Yeah, I just invited you yesterday. So we can also see recommendations. One thing that is very important for us is to optimize the end user experience, whether you are asking the guests themselves to review or asking, let’s say, a group owner or someone else in the organization to review. I don’t want to simply give them a big list of 10,000 names and say, here you go, here are 10,000 names, tell me what you think. Attestation fatigue will set in, will go approval. So we give them some highlights. One of the highlights we have is, have you signed into the directory at all? Also, highlights are on, have you signed into a particular application? So, for example, attesting guest access to Salesforce, you can say this guest has not actually used Salesforce. Maybe they got inadvertently put in a group, or someone thought they might have needed access, but it turns out they didn’t. So they can do this clean up.
And then, of course, you can provide justifications. Still need this for the demos. And of course all this then is audited. So you can go in and have these attestation campaigns run and re-certify the guests. You can also have a group owner go and review all the Office groups and security groups, or groups originating from on-prem. And then when that review completes, you will see the audit history for a particular access review. So let’s go into the guest user lifecycle. You will see here some of the new things we are trying out, here using a programs and controls model, so that the organizations that are subject to multiple different compliance initiatives, like GDPR or Sarbanes-Oxley or PCI, can start to separate out: why are we doing these things? What are these access tools used for? And just scope down the access tools they need for showing to particular auditors, showing as part of a particular compliance driver. Here we can look at the results of this review, the one we did earlier, and see what happens. We have a whole bunch of users. They haven’t been notified, they haven’t done anything yet, but then we can look at the user we saw earlier and see the history for this.
>> Network is kind of slow. There he is.
And we can see the result: who reviewed it, the reason why. Again, this is available to have it poured out into a CSV file and show it to your auditor, or push it off into a big governance archiving tool. Or we also have an API. So if you want to say, I need to take the results from this and send it back to SailPoint or an Oracle or an SAP or a Greenlight or whatever, then we will have interfaces to do that as well. We also have a few other scripts we are talking about in the weeks to come that go and tie in access reviews to other scenarios, like cleaning up the guests from unmanaged tenants, or being able to use this for specific applications or specific uses of Office groups for sponsors.
>> So one of the key things that access highlights: we have heard a lot about machine learning earlier, so we’re going to invest a lot in machine learning too. So look at the stakes about whether you should give the person access or not. There is constant feedback we get: we don’t know whether this person should have access or not. How do you provide more insights or information to the reviewer, the non-IT person, to be able to give them access? So we will be able to provide more context: they have access to a resource, they will be removed from their guest tenant or from their home tenant, those kinds of things, to help inform that review. Question?
>> Can you possibly deny access if a review is submitted but it hasn’t been reviewed?
>> Yes. So one of the things, there are two ways you can do that. The question was, can you revoke access if it’s being ignored? There are two ways. One, once you have a recommendation in there, you saw a recommendation denied, so if the recommendation is there you will be able to set up policy and say automatically apply the recommendation from an IT perspective at the end. And the second thing you can do is that the results for the recommendations come to IT, and IT can choose, okay, I want to apply them or not, right?
So you have that flexibility to do that.
>> Okay.
>> The thing is, we were working with some of our customers on doing a soft delete for the guest: if the guest doesn’t respond, maybe they have left that company, we just go and soft delete them. Now if they call back and complain that I was away on vacation,
they go re-request access or renewal of their permissions. The system automatically ages out their permissions from that directory, or you can time limit them, and also require them to JIT whenever they need to activate to go do a privileged operation. That’s another level of control that we are bringing to the privileged access.
>> [inaudible]
>> We don’t have separation of duties right now, but it is something we’re going to add, where you can say, hey, I don’t want people to be in these two roles at the same time, or somebody global would help us make global admin, because then they can go change people’s passwords and then reuse them, et cetera. But to show you the Azure RBAC, let Mark walk you through it and see some of the controls that we have there to time limit and do the activation. You can also then require approvals for those with JIT elevation.
>> Yeah. I mean, you’ve probably seen some of the previews, I don’t imagine for the enterprise scenarios, but we also now have this not just for the Office 365 roles, but also now in a private preview for Azure. Again, this works for employees as well as for contractors and guests, and some other scenarios for device management as well. I can pick, for example, a role within an Azure subscription; let’s go down here to, let’s say, a Contributor role. Now, something you can already do in Azure: I can go and add a user to a Contributor role, that’s fine, and they’re permanently in that role forever. But I could also do something now that’s a little bit more fine-grained. I could pick a particular user, let’s just try it myself, here I am, and then we can set some more constraints on that. Rather than just saying, well, Mark’s now permanently always a contributor, he can take down the web site whenever he wants, I can say it’s just in time. So if he wants to be working in this site, he has to activate. This is a big thing for a lot of organizations where, as you probably see, people who are doing development sometimes inadvertently publish to
the production site rather than to their test or staging site, and interesting things happen. You can also, to come back to the point before, say, well, I don’t want this person in the role forever; this person’s a contractor, they’re going to end, let’s say, December 1. And so, I don’t want to have to remember to come in on December 2 and take their information out and go make sure all this happens. Let’s just make sure that that is going to end automatically. Now, that user is limited: they only are in this role when they explicitly ask to be in this role; we can say they have to give a justification; we’ll be adding approvals for this as well, so that you can’t just start messing around with Azure things without any adult supervision. And you can also then limit how long that lasts. Furthermore, we also are lining up some more audit capabilities, because one of the things that people always want to know is, what did they do in this role? You can see, for example, a user, and when they’re activating into that role, we can see the details about that. And we can also see what they’re doing at the time that they were in that role. Last week, I was going through and having this user go in and try activating/deactivating the role, and then I could see what they did. They went in here to this Azure resource, IgnightMoon, and they started a virtual machine. Someone is asking, why does this user have Azure rights? What are they doing with that? Do they still need access? We have this audit trail available for that, so that then you can surface this up and show this to an auditor, or, in the future, we are showing this as part of the access review experience when you’re reviewing on a subscription. Do these people still need some critical access? Well look, they’re starting and stopping VMs fairly regularly; that indicates they probably have a strong need to keep using it. Yes?
>> Is there a session recording?
>> This is not session recording in the traditional sense of recording every click that they do or whatever, how they move their mouse around. But it gives you an audit trail of the specific actions that it took against the resources in Azure.
>> [inaudible]
>> Great, yes.
>> Yes, that’s fine.
>> All right, and so that’s one area that we think, for guests that are going into companies helping them build infrastructure, et cetera, there’s another layer that we are providing around governance, around them and their lifecycle, where you can time limit them, like matched. If their contract ends at a particular day, you set them, and automatically the system takes care of it. It all goes into the audit logs, so you can see, oh, this user got added for this duration, and when that duration hit, they got removed from it. Access reviews could’ve been doing the ongoing review and authentication process also on them. That’s another new capability that we’ve provided in private preview.
>> Is that usage [inaudible], can you get to that program?
>> Yes, it will all be in the audit log, so you’ll be able to get out there, and all the Azure AD audit logs are exportable.
>> [inaudible]
>> Yes, yes, exactly, right. Okay, so that’s one thing. And so over time, we are going to build more capabilities on that. We talked earlier about the on-premises applications; we don’t have that right now, but we keep hearing requests about it. Then how do you provision that guest access to on-premises systems? I know Sharad’s team is writing some guidance around how guest access is provisioned to on-premises systems, and then we’ll look at how we bring that governance to those on-premises applications also; we don’t have that yet. Then we’ll look at is, sir?
>> [inaudible]
>> So we are feeding these events into the common Azure audit logging story. So that thing you write up from here can be published out as well, but we are all going to go beyond that. That audit log is more for, like, SIEM-style integration. There are more things we want to do, and we are looking at how we leverage what we already have in Azure to drive a lot of these recurring processes, and we also kick out ongoing notifications. So there will be some more Azure integrations beyond.
>> Are there even Gritz basically, we just gone on for like a month or so ago, so we have to think of what’s the right way to expose the capabilities, or is it OMS, rather that we provide a way to look into OMS or not? We don’t have an answer yet. That’s something we have to look at. So what I showed you right now, we are in private preview. Within the next few weeks, we hope to announce public preview of them. It will be a bit in the two SKUs, so the tens of few stuff would be because of the conditionalities of being the premium capability; the access reviews stuff will be in the P2 SKU. Those are there. Okay.
So, that’s the first set on premises up; we talked about the group owners. Leaver scenarios is one thing that we are also looking at. So right now, we talked about how we do this: stage them, they get to a disabled state, and then we have policy, you go delete them. But increasingly here we have some different requirements for additional policies around what to do when they’re in the disabled state. Do you start sending them a bunch of reminders, and if no responses, you delete them or not? So these are additional things that we are looking at adding there; you can use IPX to get some of this data, and actually provide some more value for our customers. The last piece is sponsors, tracking sponsors in our own organization. We don’t have a good way today to associate who is the sponsor for a company. Let’s say Microsoft is working with Intel on something. Intel will be working with different parts of the organization of Microsoft. Right. So who is the sponsor? Is it one sponsor there, I guess, or multiple potential sponsors, and then how do you review and figure out when their users access and within a particular time? And these are some things that we don’t have good solutions for; we’re looking at how we go enable that. So, that’s the specific guest scenarios. Basically over time, what we want to do as part of this whole governance thing is consistent joiner/mover/leaver scenarios: how do the guests join and how do they use their B2B experience? We have the self-service out there on GitHub; how do we bring that into the product itself, so you have a consistent way?
Whether you bring people on a one-on-one basis or when you do tenant friendly, how do you help people within that tenant then actually come in and self-provision themselves, or does it go to a manager or sponsor that invites people, where there’s no IT involved? So a lot of scenarios that we’re going to add to make that process of managing guests and driving the accountability down in the organization to business users; this has all been IT without proper controls
on it or something. Absolutely. So one of the key principles that we have is, all the capabilities that we do in the UI, you’ll be able to do through Graph APIs. You’ll have Graph APIs for you to be able to do that kind of process. And the joiner/mover/leaver, one thing we didn’t talk about is more moving. Let’s say there’s a guest in your organization, and they were working with a particular division. Now, their contract ended, but then there’s a good idea that they go hide in another division. How do you manage their permissions and their rights in a different organization within that same company? So we’re going to look at the mover capabilities, and what entitlements people should have in there. So that’s something that we are also working on. And as we do that consistently, we know there are going to be lots of users and lots of data, so we are going to have to probably invest in machine learning to do more predictive assignment of entitlements or recommendations. For example, if a guest is part of an organizing tenant branding, or to the same sponsor, ideally we should be able to provide their entitlements automatically without having to have somebody approve them. Or if one particular guest in the organization is acting very differently, or accessing things differently than other people, we should generate appropriate alerts so that somebody can go take a look. Why is this particular guest actually accessing these resources, or logging in to this and that? No other guest in that group has; is that appropriate or not? We were talking to a customer last week where we saw that the alerts that we are generating in privileged identity management actually helped them detect a compromise. One of their vendors actually had been compromised and was creating global admins in their tenant. And so that led to fire and say, “Hey, people are being added to global even outside of printed, go and delete it,” and guess what?
No, after an hour somebody goes and creates it again. So they detected that piece, and then they would start recreating. So we’re going to look at more ways to sort of add those lifecycle things, and how people actually keep and manage that anomalous behavior to reduce risk in their environment. Because ultimately I think what it comes down to is, who has access to what, right? So, knowing who the people are, but then the UI or APIs will provide out: what are they doing? We do it mostly through the audit capabilities and the access highlights and insights that we use to drive things like access reviews, et cetera. The effective controls: we’re going to provide more policies and features like these in the system, and then you’ll be able to show in your reports or other information for the auditors to prove that, yes, you have the right controls on your guest users and their lifecycle within the organization. So that’s where we are headed towards, and if you’re interested, you can contact us; you can get a private preview, and in a couple of weeks there’s public preview, so you and your customers can play with it. Additional questions, etc.? We kind of ran out of time, but if that’s the case, we’ll study this. Additional questions, comments, thoughts? Are we doing the things that your customers care about or not?
Let’s start here. On the first case, the point I made was that we don’t have a great UI-based experience for all those other applications. However, we will provide APIs for you to be able to bring those into the management, so that’s one. In the second case, in terms of more finer-grained permissions and stuff, that’s something on our road map that within the next year or so we will be able to show you some of those capabilities; they will be there in the next two weeks or so. Okay, thanks for your time. I think evaluate this, go do the evaluation and send feedback. And if you have questions, feel free to reach me or Mark; we’ll be at Ignite also, so if you’ll be there, we can chat more about specific scenarios that you may need to help your customers out that we may not have thought about, or all things that you think we should do to help you. Feel free to let us know, and we’ll be around for a while today. Thanks for coming.