One of the core elements of a fully secured Microsoft 365 deployment is effective Office 365 identity and access management (IAM). Below, we’ll explore what identity management and access management are, how they are distinct from one another, and how identity management is handled in both cloud-only and hybrid deployments of an M365 tenant.
Identity management is the system by which individual users within a given software system are distinguished from one another and the system that confirms a user is who they say they are – i.e., authentication.
An essential element of maintaining system security is knowing exactly who has access to that system. This must be managed continuously, because new users are constantly being added and, likewise, former employees must be removed as they leave.
Failure to maintain accurate records of current users can result in all manner of security concerns, but they ultimately boil down to a user’s inability to access his or her workspace, or a user still having access to resources that he or she shouldn’t.
Access management differs from identity management, and by extension from authentication, in that it is a set of rules that determines the level of access a given, authenticated user ought to have.
That is, access management rules are not concerned with who a user is, but rather what a given, known user is to be allowed to do once they have gained access to the system.
That said, these two elements are generally described as being two parts of a whole, which is well illustrated by the industry-standard abbreviation IAM – identity and access management.
Microsoft holds itself responsible for maintaining certain elements of a secure deployment of M365.
Moreover, to this end it provides administrators with the tools required to implement the remaining requirements, those that fall outside Microsoft’s portion of the Microsoft 365 Shared Responsibility Security Model.
Specifically, Microsoft’s position is that although there are certain security elements Microsoft itself is responsible for, such as physically securing the servers and networks on which a given M365 deployment runs, “the customer continues to be accountable; they must ensure that data is classified correctly, and they share a responsibility to manage their users and end-point devices.”
This means it is the responsibility of IT staff to ensure that users are identified in the system correctly and that those same users are granted appropriate permission levels.
Office 365 identity management comes in two forms – cloud-only identities and hybrid identities. In both cases, M365 makes use of Azure Active Directory to maintain records of users and thus identify them within the larger system. However, they differ in terms of the services they can control access to, and in terms of who they are each best suited to.
Cloud-Only Identities
Cloud-only identities are stored in the Azure AD tenant associated with your M365 deployment. Users are authenticated for access to M365 with this account, and this approach is best suited to smaller organizations that do not maintain on-prem data centers that serve M365 resources.
The core value proposition of cloud-only identity management is that it is relatively simple to use and maintain with tools such as Microsoft 365 admin center and Windows PowerShell. Moreover, all authentication actions are carried out with credentials stored in the cloud.
Hybrid Identities
Conversely, the source of truth for hybrid identities is found in an on-premises Azure AD deployment, but a copy is kept in the M365 tenant for identity management as needed.
Azure AD Connect provides the mechanism for synchronizing the data stored in each of these locations. This is an ongoing effort, as most identity management tasks are carried out on-premises and are then synced with M365 cloud resources.
Authentication can be executed in two ways – managed authentication and federated authentication. When an organization opts for managed authentication, its user authentication is directed to the on-premises Azure AD server.
Federated authentication is best suited to larger organizations with more complex authentication requirements, as it involves redirecting a given authentication request to an external service selected by the organization.
The ultimate goal of effective IAM in M365 is that an organization’s employees should be able to perform the tasks their specific role within the organization calls for, but that they are not granted permissions beyond the scope of what is necessary for them to be effective in their respective roles.
To this end, Microsoft 365 is equipped with administrative tooling required to manage IAM, but it is the IT staff of the organizations that use M365 tenants that is responsible for ensuring that these tools are implemented effectively for their respective environments.
When user types are identified and differentiated precisely within M365, it becomes a much simpler task to grant them the specific permissions they need to do their work, because
M365 tools for managing user identification and assigning permissions according to user type are certainly available and are a good option for achieving the requisite degree of security in most cases.
However, M365 IAM configuration can also lack the degree of granularity required to achieve both of the aforementioned objectives surrounding effective IAM – i.e., providing user access that is both sufficient for sincere productivity within the organization and that is limited to only the permissions required for exactly that.
This often means that users have too few permissions to perform a given task, so a more senior IT member needs to complete the task.
Or they are granted full permissions within the system, which is the root of significant security concerns.
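One practical check that follows from the points above (accurate user records, cloud-only versus hybrid identities, and least privilege) is to periodically list who holds a privileged directory role. The script below is an added example, not code from the article, from CoreView or from Microsoft; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed and that the signed-in account is permitted to read directory roles and users. The function name Get-PrivilegedRoleReport is hypothetical.

```powershell
# Added example (not from the article). Reports the members of a privileged
# Azure AD role so that stale or over-privileged accounts can be spotted.
# Assumes the Microsoft.Graph module is installed and the caller has consented
# to the scopes below.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All" | Out-Null

function Get-PrivilegedRoleReport {
    param([string]$RoleName = "Global Administrator")

    # Get-MgDirectoryRole only returns roles that have been activated in the tenant.
    $role = Get-MgDirectoryRole -Filter "displayName eq '$RoleName'"
    if (-not $role) {
        Write-Warning "Role '$RoleName' is not activated in this tenant"
        return @()
    }

    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        $type = $_.AdditionalProperties['@odata.type']
        # Members may be users, groups or service principals; only users are expanded here.
        if ($type -ne '#microsoft.graph.user') {
            return [pscustomobject]@{
                Role = $RoleName; Member = $_.Id; Type = $type
                AccountEnabled = $null; HybridSynced = $null
                Note = 'non-user member, review separately'
            }
        }
        $u = Get-MgUser -UserId $_.Id `
            -Property Id, DisplayName, UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled
        # A disabled account that still holds the role is a stale-record finding (see above).
        $note = if (-not $u.AccountEnabled) { 'disabled account still holds role' } else { '' }
        [pscustomobject]@{
            Role           = $RoleName
            Member         = $u.UserPrincipalName
            Type           = 'user'
            AccountEnabled = $u.AccountEnabled
            # $true = hybrid identity synced by Azure AD Connect; $false = cloud-only identity.
            HybridSynced   = [bool]$u.OnPremisesSyncEnabled
            Note           = $note
        }
    }
}

# Usage: the row count itself is the least-privilege signal; a long list of
# Global Administrators means permissions were granted beyond what roles require.
Get-PrivilegedRoleReport | Format-Table -AutoSize
```

Run it for other built-in roles by passing -RoleName, and compare the output against the HR record of current staff to catch accounts that should have been removed.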
CoreView can help your team get identity and access management under control by providing a simple interface that multiplies the powers M365 ships with. CoreView helps teams address this issue from multiple angles to provide exceptional results.
From one end, CoreView empowers IT teams to establish and enforce security policies that result in true “Least Privilege Access” to keep your employees productive in their specific roles without granting full admin privileges willy-nilly. And from the other end, CoreView helps you ensure that those policies are working with deep forensics and security auditing capabilities, and detailed reporting to boot.