Azure AD B2B User Lifecycle Management

>> Today, I wanted to talk a little bit and have a discussion on lifecycle management of guest users within an AD tenant. Within that, I’ll give some context on what we are thinking all up on identity governance, show you some of the new capabilities that we are going to ship fairly soon, and then where we think we are heading, and get your feedback and insight as to whether those are the right things to be focused on or not. So, hopefully, this will be an interactive session. Mark Hall, on my team, will be here; I’m sure most of you know him. We’ll walk you through some of the demos as we go through the session, so feel free to ask questions as we go. All right. The main thing is, how can partners like yourself help customers with lifecycle management? What do you guys do today for guest users with customers? Anything, nothing?
>> We don’t have guest users.
>> You don’t have guest users.
>> It’s not supported.
>> It’s not supported, so that’s as the customer says, “I want to have all these partners I want to collaborate with, including yourself.” We tell them, “No.” We know it’s a challenge today in the enterprise, and when we talk to customers, often they tell us it is one of the biggest pain points that they have. They have processes for regular employees, but for guests they often have to either add them as employees within their AD tenants or their on-premises AD and then manage them like employees. However, when people leave the organization, it’s not clear. You have all these accounts authenticating to your resources. How do you get rid of them? How do you know?
Actually, they haven’t left the company that they work for, so it’s a big challenge and a potential security risk. One of the things that we’re trying to do in Azure Active Directory is, as Alex talked about earlier, we are introducing the B2B capabilities so the user authenticates against their home tenant or whatever, and we, in Azure AD, are going to provide some more controls around the access so that when they leave the organization, you can block the access, you can remove them, or you can have them do certain things like attestation, etc. Now, we are not only doing it for guests. It’s part of a broader picture around identity governance that we’ve started working on, and so B2B gets into just one piece of it. First, I want to give a little context for how we think of identity governance that Alex mentioned earlier. The first principle, when we talk to customers, all we hear them ask about is: who has access to our resources? That’s the first thing, so how do we help customers or partners, like yourself, understand, or help these customers know, who has access to work resources? What are those people or those users doing with these resources? Do you have effective controls? Are there policies? Are there rules? Did you do attestation, etc.? When somebody wants access to a resource, is there an approval process, is it auditable, etc.? How do you provide all those controls within Azure Active Directory today to help organizations meet all these certifications and other requirements? I talk to customers and they say, “Hey, you know, often when they’re going to a governance solution or they’re looking for a governance solution, the first thing is because either they failed an audit and then the board wants them to go figure out how they remediate their audit findings.” In the next year, every three months, they need to come back: what are you doing with the progress?
Or they were small, they bought companies, and now they need to grow up, and how do they put effective processes in there? These are the four main pillars that are going to drive our governance capabilities. Clearly, we don’t have all the capabilities on day one. We are not going to have them on day one. There are partners like SailPoint, Mader, CVN, a whole bunch of people that do point governance today; they are providing solutions out there. But, over time, we are going to add more capabilities to our solution. Within that context of how you do governance all up, the first thing that we hear when it comes to guests is around, “We are scared.” You mentioned earlier, we don’t do it because we don’t know how to do it, but companies are scared about guest users. What are they going to do? Are they going to get access to resources? You think of the Edward Snowden case. He was a contractor within the NSA and he was able to get access to a whole bunch of stuff. How do we prevent that from happening within our own organization? Office groups are coming; who is scared of Office groups, or who loves Office groups? Is that a sarcastic laugh, or, pardon me?
>> You guys bark, we voted for both.
>> You voted for both, right? But what are your customers telling you, or what’s the opinion about Office groups?
>> They’re much scared that they don’t know enough data they could use.
>> Okay.
>> Yeah, if they are implemented with the grassroots within millions, then, great.
>> So, yeah. Go ahead.
>> There’s a bunch of things we’re about to know.
>> Okay, right. There’s a broad spectrum of feelings, and when we talked to customers at Ignite last year, some people were excited about it and others were also very scared. It’s like, wow, so meaning all employees are now going to be able to invite anybody from other companies. What if the documents they’re sharing are confidential documents? How do we prove to the auditors that we have a process for this confidential information? The burden is on us, as the identity provider and as a solution: how do we help? How do we help customers, and actually help ease some of the concern, because for productivity purposes, organizations need to collaborate, but how do you put the right safeguards in there?
And so that’s one of the things we are working on, so we want to make sure that when guests collaborate, customers have the right controls, they can have the reporting, and they can have the lifecycle management on that. Self-service capabilities: often it’s like IT kind of manages all the Office groups out there. How do they delegate group management but also have controls, like a requirement that group owners attest to members of the group on a periodic basis so that at least there’s some responsibility? If a group owner knows that every three months, every quarter, they are going to have to attest, then they are more likely to be more responsible about who they invite, etc., into that group, and they’ll be reporting based on that. To give you a good idea of how we do this, one of the things is, “Okay, we talk about attestation.” The next thing is, “What’s your compliance policy for sharing documents?” Today, what do you guys do, email? So people come in and say, “Hey, make sure you don’t leak confidential information.” How about in health care, what do you guys do? Anybody do health care related stuff, FR regulations? There are things around making sure people understand the requirements or the sensitivity of data that they may be accessing and all the resources that are going to be accessed, so that from a compliance perspective, they can hold them accountable. That’s something that, today, we haven’t provided capabilities for in years, so customers are doing it ad hoc. If the auditors then say, “Hey, did this guest person know that they needed to treat the customer data confidentially and secure it?” So we know, yes, we told them, but “I never knew that.” How do you make sure that all these policies and stuff are known in the organization? The first thing that we’re going to do as part of this lifecycle is, when guests are coming into the organization, how do you make them aware of the policies and terms of the organization?
We call that capability terms of use. How do you require, configure, enforce and audit compliance with company policies? It’s a new capability that has been in private preview for a little while, but think of the scenario where you can set a policy that all guests that come into the AD tenant, or all guests that access a particular application, have to read and accept a particular terms of use for your company. We make that process very easy. It’s a PDF they may get from the legal department. The PDF then gets uploaded and used in the same conditional access framework that the guest is using. When the user goes to sign in, they’ll be able to accept the policy or the terms of use. It gets recorded, and if they don’t accept, they don’t get access to the resources. That’s an example of an effective control that we’re going to be able to provide, or you can help your customers institute, to first make sure that when guests are coming in, they know the policies of the company, so that if they don’t meet it, you can either go find them, or say: you accepted this on this date and you are no longer following that policy. Does this make sense? Do you guys think that some of this is going to help you?
>> I know that people always bring those-
>> Yes.
>> Or do they just, like, “I agree”?
>> One piece of feedback that we’ve heard is you could have it just click on accept. One thing we are going to provide as part of the controls is to require that they actually scroll through, like we’re working with a hospital that said they want to make sure people actually scroll through before they accept, right? How do you provide this level of capability to be able to do that?
>> What is being enforced? Is it the Azure tenant, or is it going to affect users from SharePoint and want it?
>> This user, any service that authenticates with Azure AD, so SharePoint Online, etc., will have them, because we are using the conditional access framework. Now, to actually show you how it works, Mark, you want to do a little demo, to see this stuff working in a real-world scenario, accessing a resource?
>> Yes. Let me show you what it would look like.
>> You have a question?
>> Does that require conditional access, and what is the impact, meaning Premium, for this condition?
>> Yes. This feature requires conditional access, and so you need AD Premium to use it.
>> Only to succeed.
>> Pardon me?
>> Only to succeed.
>> Only to what?
>> Only to succeed.
>> Yes.
>> We can set up terms of use, and again, I’ve got one here. It’s a PDF file, it’s pretty simple, I guess we made it in Word; you can have whatever document you want. And I had this terms of use show up here when a user accepts a B2B guest invite. Now, we’re not limited to that scenario, that’s just one example. I can just go down here and scroll to the end and say, “Yes, I’m going to accept that.” And then after I accept that, it’s wherever it’s going to take me for the B2B invite scenario, so it could be the access panel. Now, again, I can set up other scenarios besides that one as well. I can configure multiple terms of use, different ones I would try out for guests; I can configure for different kinds of applications, so only for SharePoint Online, only for Salesforce, only for any of your own applications. And then, to come back to your question before, they are linked to the applications through these conditional access policies. You can say, “Well, I have this policy that’s only for guests on non-registered devices going to Salesforce.” And then this policy will get triggered, and the user will have to see and consent to the terms of use on the way to the app. Is there a question over there?
>> Yeah. How does the app handle the customization page? Can anybody customize what the terms of use page is, and does it stay in one language?
>> Yes, yes. Yes, great question. The first, easiest one: multiple languages. It will support multi-language, so you can upload different language versions of a terms of use document, and it will detect the language that the user is accessing the application with and render the proper language for it. One terms of use can have multiple language versions, as we see over there.
>> Right.
That’s one. The second question was customization. Customization, all the branding on the page that Mark showed, is all based on the customization you do for the access panel experience. If you’ve done company branding with your logo and all that stuff, that will be the experience that the user sees. It will be Contoso’s tenant-branded information, and you just see the terms of use in there.
>> Would it be your experience or the user experience?
>> The access panel experience?
>> Or you mean the sign-in experience?
>> Exactly.
>> Right now, it’s in the old experience. Before we actually go GA with it, it will align with the new sign-in experience; it will be consistent.
>> Yes, because we’ll have different ways of rendering it, so also the narrow way of rendering it. If you’re on an iPhone or something when you go and you’re doing your sign-in, we’re going to be able to present your terms of use without having a little teeny tiny PDF file on there. You can load it up and actually read it, if you are into reading legal documents. Question?
>> So this is all triggered at log-in time to that particular application.
>> Yes.
>> So, once I say yes, I agree, it kind of goes away, I don’t have to do it again?
>> You don’t have to do it again. It’s recorded.
>> If those terms of use are updated over time, is there a mechanism where you can say that, okay, of course, everybody’s doing it, it wouldn’t choose?
>> Yes, yes. When you update that policy, we create a new version, and it can say this version should be required, or supersedes the other one, or this version doesn’t need to replace the previous one, only just for new users. We have got two cases. You could have a case where the whole policy changed, or you missed a typo on one thing, and we want to cover both scenarios. We think it’s a cool capability that, A, first makes sure people are complying. And also, what comes with GDPR is making sure people are aware of the privacy policies on how the company is going to use their data. This becomes one unique way of being able to present those policies so those users are aware of these policies beforehand. Yes?
>> Is this feature an extension of the TOU, terms of use, feature, or is it separate?
>> Yes. The question is, is this an extension of the TOU? It’s separate. And actually, we’re working on unifying the two together.
>> It kind of sounds the same, the security you’re talking about.
>> Yes.
It’s similar, but what we have today in the terms of use is pure text that you can set, and you can set it on a paired device or user. In this case, it’s all PDF, so you can take the policy from your legal department, you have more richness in the content and the formatting, and then you will be able to apply it in the same scenario. We actually work with them to make sure it works, and there’ll be some guidelines around that. Now that the user has accepted the policy, that is not the only thing. How do you make sure that they are consistently being reviewed and that their accesses are proper in terms of ongoing business? We call this new capability access reviews. Some call it attestation or whatever, but it’s the idea of: do they still need access? If you’ve given them access standalone to a particular app, you’ll be able to trigger these access reviews. Or if they are members of a group, you’ll be able to trigger it: if they are guest users, they can actually attest themselves, or the group owners attest them, attest for membership within the group. Or you can select particular individuals to attest to those capabilities. It works for all users, and we’ve done some unique scenarios for guest users so that we automatically detect who the guests are and apply the policy to them. There’s a question there, and I will show you how that works in a second.
>> Is this user experience around gathered, and what’s the extent of being able to certify that 0.198 is-
>> So the question is, will this only work in the cloud, or will it also work on-premises?
It will be able to work with on-prem identities that get synced up to AAD. We will be able to run that attestation on it, give you the result, and then be able to use it; we will provide a bunch of APIs. They can actually process them. They can actually go apply them in the on-premises world in the first instance. Over time, we will provide a way for you to automatically reach back to the directory on-premises to clean it up.
>> [inaudible]
>> So in the sync, to get the group members, the groups need to come to AAD. So today you will come through AAD Connect. You don’t need mail for any of these scenarios.
>> And one thing, we have some samples; if you are interested, we can show you some sample PowerShell. So if you have some other system of record, maybe the group comes out of Oracle or SAP or some weird thing, then you can get the changes back from the attestation and then send those changes back to your system of record on-prem.
>> So this solution does not presume or preclude you using whatever, whether SailPoint or some other tool, right? We are trying to provide this option also if you are just using pure AAD: how do you do governance within AAD? And if you have other systems, we are going to provide flexibility and keep [inaudible] for you to integrate with those other systems. So it is up to your particular use case or the scenarios that you want to elaborate.
>> Yes. We will be providing the APIs that we mentioned before to SailPoint and to our other partners, so that if they say, hey, we want to kick off one of these access reviews from within an external governance system, or maybe Archer runs and it triggers something, then yeah, we can do that. We will show you some APIs for that.
>> There is a [inaudible] in the back there. [inaudible] Okay, all right. So Mark, let’s walk through the demo, how we do that? And one of the key principles is making it as easy as possible for these processes or reviews to be created.
>> Okay. So there are a couple of ways you can do the review. One of the ways that we are seeing a lot of interest in for the guests is actually asking guests to confirm their own access. And so we are working on that scenario right now. I have a couple of different ideas for how to do that. Here is one view, in which you can send guests a question. It comes in e-mail. Could be every quarter or every month. We have some scripts for that. And then you can say, do you still need access? Now here is kind of a generic full view in which you can see the user, and they are just attesting themselves. Oh, I haven’t signed in, I think. Yeah, I just invited you yesterday. So we can also see recommendations. One thing that is very important for us is to optimize the end user experience, whether you are asking the guests themselves to review or asking, let’s say, a group owner or someone else in the organization to review. I don’t want to simply give them a big list of 10,000 names and say, here you go. Here are 10,000 names, tell me what you think? Attestation fatigue will set in, and they will just approve. So we give them some highlights. One of the highlights we have is, have you signed into the directory at all? Other highlights are on, have you signed into a particular application? So, for example, attesting guest access to Salesforce, you can say this guest has not actually used Salesforce. Maybe they got inadvertently put in a group, or someone thought they might have needed access, but it turns out they didn’t. So they can do this cleanup.
And then, of course, you can provide justifications: still need this for the demos. And of course, all this then is audited. So you can go in and have these attestation campaigns run and re-certify the guests. You can also have a group owner go and review all the Office groups and security groups, or groups originating from on-prem. And then when that review completes, you will see the audit history for a particular access review. So let’s go into the guest user lifecycle. You will see here some of the new things we are trying out, using a programs and controls model so that organizations that are subject to multiple different compliance initiatives, like GDPR or Sarbanes-Oxley or PCI, can start to separate out: why are we doing these things? What are these access tools used for? And just scope down the access tools they need for showing to particular auditors, showing as part of a particular compliance driver. Here we can look at the results of this review, the one we did earlier, and see what happens. We have a whole bunch of users. They haven’t been notified. They haven’t done anything yet, but then we can look at the user we saw earlier and see the history for this.
>> Network is kind of slow. There he is.
And we can see the result: who reviewed it, the reason why. Again, this is available to have it exported into a CSV file and show it to your auditor, or push it off into a big governance archiving tool. Or we also have an API. So if you want to say, I need to take the results from this and send it back to SailPoint or an Oracle or an SAP or a Greenlight or whatever, then we will have interfaces to do that as well. We also have a few other scripts we are talking about in the weeks to come that go and tie in access reviews to other scenarios, like cleaning up the guests from unmanaged tenants, or being able to use this for specific applications, or specific uses of Office groups for sponsors.
>> So one of the key things around access highlights: we have heard a lot about machine learning earlier, so we’re going to invest a lot in machine learning too. So look at the stakes about whether you should give the person access or not. There is constant feedback we get: we don’t know whether this person should have access or not. How do you provide more insights or information to the reviewer, the non-IT person, to be able to give them access? So we will be able to provide more context: have they accessed a resource, have they been removed from their guest tenant or from their home tenant, those kinds of things, to help inform that review. Question?
>> Can you possibly deny access if a review is submitted but it hasn’t been reviewed?
>> Yes. So one of the things, there are two ways you can do that. The question was, can you revoke access if it’s being ignored? There are two ways. One, once you have a recommendation in there, you saw a recommendation of denied, so if the recommendation is there, you will be able to set up a policy and say automatically apply the recommendation from an IT perspective at the end. And the second thing you can do is that the results for the recommendations come to IT, and IT can choose, okay, I want to apply them or not, right?
So you have that flexibility to do that.
>> Okay.
>> The thing we were working on with some of our customers is doing a soft delete for the guest: if the guest doesn’t respond, maybe they have left that company, we just go and soft delete them. Now, if they call back and complain, “I was away on vacation,” we can rehydrate their entry, and they get back all their group memberships and everything as they were before. But otherwise, that entry gets timed out after 90 days, and the concerns that customers have about the growth of their directory over time now start to become manageable.
>> So the question is, would this cover all applications in an environment or not? Is that?
>> Yes.
>> Good summary on that, right?
>> [inaudible]
>> Right, so the first scenario that we are optimizing is access for AAD integrated apps. That is the first thing we are optimizing, so apps in AAD, or groups that could have originated on-premises that come to the cloud, you will be able to provide all in the UI. Like Mark mentioned, the second thing is you can bring a list of users, using our APIs, or users that are in particular apps. You can bring their list in using our APIs to do attestation on them, or trigger that email and all that stuff, and you get results and can go apply them. So I feel with those two things we can cover the broader spectrum. It may not be as nice for the on-premises, not AAD integrated apps, but we will provide a way for you to stitch those together.
>> So do you have the ability to read flat files, [inaudible]?
>> Yes. There are a couple of ways of entering, getting the data into the system; we have some examples we can show you for that. Yes, we are not saying that this is just for IS ready access. It’s just where we are starting, because of these new risks people are concerned about: I would love to do B2B guests, but how do I keep the guests under control?
And that is a problem they haven’t solved. You know, I can’t go get a Greenlight to solve that problem for me, because Greenlight does SAP, and SAP does not know about guests. I can’t get the on-prem product to do my B2B guests. So we can do this, and over time, as we build out our extension and reach into the SaaS applications, the other identity providers, as well as the on-premises products, we think that having this model of being able to show not just, here is a list of users and permissions, but how were they accessing the app? What were they doing? Were they actually active? And we have to bring that information in from the on-prem apps as well.
>> [inaudible] All right. This one, it turns out, in that earlier session overall, we talked about this whole staged lifecycle. What we’ll be providing is a way to stage: the first thing is to say, “Hey, if they don’t respond, it’s a soft delete,” they go into a potentially disabled state for a period of time. And then after a certain period of time, you go remove them. Because we are hearing requirements in different stages, where some customers, like a big advertising firm, work with so many people that they cannot keep track. What they want is actually to use attestation as a way to send email and, based on lack of response, put them in the queue of potential people to be deleted, or a group of people that may no longer work with them. And then they go into a staging phase, and then they set policy: if those don’t log in after X period of time, then go permanently delete them. We’ll be providing controls to avoid the problem of accidentally deleting people right off the bat. Yes, this is also for B2E. Yes, we’ve optimized some scenarios for the guest users to make it streamlined, but for B2E, you can do it for members of a group or anybody. Now, we showed access reviews. First, with the terms of use, the activity or policies to come, you have a recurring process for regular users or guests. How do you make sure that you are certifying authorized access within the directory? We know the biggest risk, though, is what do you do with privileged users. Almost every company you talk to, they say, oh, the business unit brought in some contractors to come build some funky website. And now, we don’t know how to manage these people. For privileged users, we need additional levels of control or an additional level of lifecycle management on them. We introduced Privileged Identity Management last year for AD roles. We are now going to add that same capability for people with roles in Azure RBAC, Azure resources, so Contributor role, et cetera. In that case, we even have more in-depth control around being able to set expiration, so that the assignment of the user to the role is not permanent. It’s time-limited. They are only assigned for three months, and after that, they just get removed from the role unless they go re-request access or renewal of their permissions. The system automatically ages out their permissions from that directory, or you can time-limit them and also require them to JIT whenever they need to activate to go do a privileged operation. That’s another level of control that we are bringing to privileged access.
>> [inaudible]
>> We don’t have separation of duties right now, but it is something we’re going to add, where you can say, hey, I don’t want people to be in these two roles at the same time, or somebody who is a helpdesk admin also being made global admin, because then they can go change people’s passwords and then reuse them, et cetera. But to show you the Azure RBAC, let Mark walk you through it and see some of the controls that we have there to time-limit and do the activation. You can also then require approvals for those with JIT elevation.
>> Yeah. I mean, you’ve probably seen some of the previews, I don’t imagine for the enterprise scenarios, but we also now have this not just for the Office 365 roles but also now in a private preview for Azure. Again, this works for employees as well as for contractors and guests, and some other scenarios for device management as well. I can pick, for example, a role within an Azure subscription; let’s go down here to, let’s say, a Contributor role. Now, something you can already do in Azure: I can go and add a user to a Contributor role, that’s fine, and they’re permanently in that role forever. But I could also do something now that’s a little bit more fine-grained. I could pick a particular user, let’s just try it myself, here I am, and then we can set some more constraints on that. Rather than just saying, well, Mark’s now permanently always a Contributor, he can take down the website whenever he wants, I can say it’s just-in-time. So if he wants to be working in this site, he has to activate. This is a big thing for a lot of organizations, where, as you probably see, people who are doing development sometimes inadvertently publish to the production site rather than to their test or staging site, and interesting things happen. You can also, to come back to the point before, say, well, I don’t want this person in the role forever; this person’s the contractor, they’re going to end, let’s say, December 1. And so, I don’t want to have to remember to come in on December 2 and take their information out and go make sure all this happens. Let’s just make sure that that is going to end automatically. Now, that user is limited: they are only in this role when they explicitly ask to be in this role; we can say they have to give a justification; we’ll be adding approvals for this as well, so that you can’t just start messing around with Azure things without any adult supervision. And you can also then limit how long that lasts. Furthermore, we also are lining up some more audit capabilities, because one of the things that people always want to know is, what did they do in this role? You can see, for example, a user, and when they’re activating into that role, we can see the details about that. And we can also see what they’re doing at the time that they were in that role. Last week, I was going through and having this user go in and try activating/deactivating the role, and then I could see what they did. They went in here to this Azure resource, IgnightMoon, and they started a virtual machine. Someone is asking, why does this user have Azure rights? What are they doing with that? Do they still need access? We have this audit trail available for that, so that then you can surface this up and show this to an auditor, or, in the future, we are showing this as part of the access review experience when you’re reviewing on a subscription. Do these people still need some critical access? Well, look, they’re starting and stopping VMs fairly regularly; that indicates they probably have a strong need to keep using it. Yes?
>> Is there a session recording?
>> This is not session recording in the traditional sense of recording every click that they do or whatever, how they move their mouse around But it gives you an audit trail of the specific actions that it took against the resources in Azure >> [inaudible] >> Great, yes >> Yes, that’s fine >> All right, and so that’s one area that we think for guests that are going into companies helping them build infrastructure, et cetera There’s another layer that we are providing around governance around them and their lifecycle where you can time limit them like matched If their contract ends at a particular day, you set them and automatically the system takes care of it It all goes into the audit logs so you can see, oh, this user got added for this duration and when that duration hit, they got removed from it Access reviews could’ve been doing the ongoing review and authentication process also on them That’s another new capability that we’ve provided in private preview >> Is that usage [inaudible] , can you get to that program?

>> Yes, it will all be in the audit log, so you’ll be able to get out there, and all the Azure AD audit logs are exportable. >> [inaudible] >> Yes, yes, exactly, right. Okay, so that’s one thing. And so over time, we are going to build more capabilities on that. We talked earlier about the on-premises applications; we don’t have that right now, but we keep hearing requests about it. Then how do you provision that guest access to on-premises systems? I know Sharad’s team is writing some guidance around how guest access is provisioned to on-premises systems, and then we’ll look at how we bring that governance to those on-premises applications also; we don’t have that yet. Then we’ll look at... yes, sir? >> [inaudible] >> So we are feeding these events into the common Azure audit logging story. So that thing you write up from here can be published out as well, but we are all going to go beyond that. That audit log is more for SIEM-style integration. There are more things we want to do, and we are looking at how we leverage what we already have in Azure to drive a lot of these recurring processes, and we also kick out ongoing notifications. So there will be some more Azure integrations beyond that. >> Are there even Gritz? Basically, we just went on for like a month or so ago, so we have to think of what’s the right way to expose the capabilities, or is it OMS, rather, that we provide a way to look into OMS or not? We don’t have an answer yet. That’s something we have to look at. So what I showed you right now, we are in private preview. Within the next few weeks, we hope to announce public preview of them. It will be a bit in the two SKUs; the tens of few stuff would be, because of the conditionalities of being the premium capability, the access reviews stuff will be in the P2 SKU. Those are there. Okay.
So, that’s the first set on premises up; we talked about the group owners. Leaver scenarios is one thing that we are also looking at. So right now, we talked about how we do this: they get into a disabled state and then we have a policy, you go delete them. But increasingly here we have some different requirements for additional policies around what to do when they’re in the disabled state. Do you start sending them a bunch of reminders, and if there are no responses to the reminders, do you delete them or not? So these are additional things that we are looking at adding there; you can use APIs to get some of this data and actually provide some more value for our customers. The last piece is sponsors, tracking sponsors in our own organization. We don’t have a good way today to associate who is the sponsor for a company. Let’s say Microsoft is working with Intel on something. Intel will be working with different parts of the organization of Microsoft. Right. So who is the sponsor? Is it one sponsor, I guess, or multiple potential sponsors, and then how do you review and figure out when their users access and within a particular time? These are some things that we don’t have good solutions for; we’re looking at how we go enable that. So, those are the specific guest scenarios. Basically over time, what we want to do as part of this whole governance thing is consistent joiner/mover/leaver scenarios: how do the guests join and how do they use their B2B experience? We have the self-service one out there on GitHub; how do we bring that into the product itself, so you have a consistent way?
Whether you bring people on a one-on-one basis or when you do tenant friendly, how do you help people within that tenant then actually come in and self-provision themselves, or does it go to a manager sponsor that invites people, where there’s no IT involved? So a lot of scenarios that we’re going to add to make that process of managing guests and driving the accountability down in the organization to business users; this has all been IT without proper controls on it or something. Absolutely. So one of the key principles that we have is all the capabilities that we do, the UI, you’ll be able to do it through Graph APIs. You’ll have Graph APIs for you to be able to do that kind of process. And the joiner/mover/leaver, one thing we didn’t talk about is more moving. Let’s say there’s a guest in your organization, and they were working with a particular division. Now their contract ended, but then there’s a good idea that they go hide in another division. How do you manage their permissions and their rights in a different organization within that same company? So we’re going to look at the mover capabilities, and what entitlements people should have in there. So that’s something that we are also working on. And as we do that consistently, we know there’s going to be lots of users and lots of data, so we are going to have to probably invest in machine learning to do more predictive assignment of entitlements or recommendations. For example, if a guest is part of an organization tenant branding, or tied to the same sponsor, ideally we should be able to provide their entitlements automatically without having to have somebody approve them. Or if one particular guest in the organization is acting very differently, or accessing things differently than other people, we should generate appropriate alerts so that somebody can go take a look: why is this particular guest actually accessing these resources, or logging into this and that? No other guest in that group has; is that appropriate or not? We were talking to a customer last week where we saw that the alerts that we are generating in Privileged Identity Management actually helped them detect a compromise. One of their vendors actually had been compromised and was creating global admins in their tenant. And so that led to an alert to say, “Hey, people are being added to global admin even outside of PIM,” go and delete it, and guess what?
No, after an hour somebody goes and creates it again. So they detected that piece, and then they will start recreating. So we’re going to look at more ways to sort of add those lifecycle things and how people actually keep and manage that anomalous behavior to reduce risk in their environment. Because ultimately I think what it comes down to is, who has access to what, right? So, knowing who the people are, but then the UI or APIs will provide that out. What are they doing? We do it mostly through the audit capabilities and the access highlights and insights that we use to drive things like access reviews, et cetera. The effective controls: we’re going to provide more policies and features like these in the system, and then you’ll be able to show in your reports or other information for the auditors to prove that, yes, you have the right controls on your guest users and their lifecycle within the organization. So that’s where we are headed towards, and if you’re interested, you can contact us; you can get a private preview, and in a couple of weeks that’s public preview, so yourself and your customers can play with it. Additional questions, etc.? We’re kind of running out of time, but if that’s the case, we’ll study this. Additional questions, comments, thoughts? Are we doing the things that your customers care about or not?
Let’s start here. On the first case, the point I made was that we don’t have a great UI-based experience for all those other applications. However, we will provide APIs for you to be able to bring those into the management, so that’s one. In the second case, in terms of more fine-grained permissions and stuff, that’s something on our roadmap that within the next year or so we will be able to show you some of those capabilities; they will be there in the next two weeks or so. Okay, thanks for your time. I think, evaluate this, go do the evaluation and send feedback. And if you have questions, feel free to reach me or Mark; we’ll be at Ignite also, so if you’ll be there, we can chat more about specific scenarios that you may need to help your customers out, that we may not have thought about, or all things that you think we should do to help you. Feel free to let us know, and we’ll be around for a while today. Thanks for coming.