Managing user accounts and company devices from the cloud and employee lifecycle

The Tokyo-based global software firm planned its structural changes with access to the global market. This also meant major changes in many areas of the company's management. One of these was controlling user access and gaining a simple overview of which employee had what permissions and which applications they could access.

Microsoft 365
Small and medium-sized companies

We were therefore approached to join an international team as one of 8 members and together we tackled the daunting task of unifying user identities, managing company devices and setting up Single Sign On (SSO) for as many applications as possible.

Challenges

  1. At the beginning, we had to audit all 8,000+ users, comparing each user's existing access rights as recorded in the cloud identity management provider JumpCloud.
  2. The company's technical management was considering changing the Identity Provider (IdP) to the better-known and more widely supported Microsoft Azure (Entra ID). We therefore analyzed which tools and applications support not only single sign-on (SSO) but also the user lifecycle through the System for Cross-domain Identity Management (SCIM) specification.
  3. Another challenge was to bring corporate devices and their management under one roof, so that Group Policy Object (GPO) policies could be applied directly from the cloud domain controller in Azure and the company would gain clearer control over the resources in use.
  4. The biggest challenge was communicating with the individual tool and application vendors, with whom we arranged the identity provider change so that there would be no downtime during working hours and user data would be preserved, meaning the average employee would notice no significant difference from the previous solution.

Objectives

  1. Transfer user identities from JumpCloud to Microsoft Azure (Entra ID) and, based on the detailed analysis, correct each user's access to individual applications and licenses.
  2. Set up Mobile Device Management (MDM, i.e. Microsoft Intune) for corporate devices so that the defined security policies can be applied easily from the cloud. Device management is then no longer tied to where the device currently is, which fits the Zero Trust security concept and makes sense given the company's global footprint.
  3. Set up single sign-on (SSO) for as many tools and applications as possible, so that every employee logs in to all of them with a single login, which also increases security.
  4. For as many applications as possible, set up identity provisioning between the vendor and the identity provider (SCIM), so that an account does not have to be created separately with each vendor; instead the vendor retrieves the account settings from the identity provider, including the case where the employee's account needs to be removed completely.
  5. Negotiate with software vendors to seamlessly move existing identities to the new identity provider in Microsoft Azure (Entra ID) while keeping all user data at the vendor.

Solution

Among the first steps was the analysis of all the tools we were assigned. We established whether the vendor supports linking to Entra ID and whether it supports SCIM. Here we also had to check whether the software vendor restricts the SSO and SCIM features by license tier: if the company was on a cheaper plan that did not include SSO and SCIM, we had to decide how to proceed. Next, we analysed which users accessed the selected tool and went through this list with the technical project management team to confirm it was correct. Where it was not, we further resolved whether the user no longer existed, whether the access should be removed, or whether any current employees were missing from the list and should have access.

After the detailed analysis of applications and accesses, and a discussion of how to handle this information, we proceeded to create user groups that define who is permitted to use each application, for example a group named SSO-Application into which we placed the accounts of the authorized users.

We used the prepared documents to set up each application under Enterprise Applications: we first created the application itself in the list, filled in the basic settings and then the SSO settings, which we had agreed with the vendor in advance so that the correct values went into the required fields and user identities were paired correctly with the vendor's side.

After verifying that user sign-in via SSO works, we proceeded to set up SCIM, which again required close communication with the vendor. After a successful test, in which a new user signs in to the application with their single account, is redirected to the correct company space and has an account created for them automatically, we simply fine-tuned the authorization levels applied through SCIM based on the attributes defined in conditional access.
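The per-application access review described above, as an added example that is not the project's own tooling: for each app it takes the access list exported from the old IdP, the HR roster of active employees and the list approved by technical management, sorts every account into the action it needs, and derives the membership of the app's SSO group. All data is constructed sample input; the app names and the plan/SCIM flags are assumptions for illustration.

```python
"""Access review run before moving each application to SSO (added example)."""

# Constructed sample data; in practice these come from the JumpCloud export and HR.
ROSTER = {"alice", "bob", "carol", "dave"}  # currently employed
APPS = {
    # app: (SSO available on the licensed plan, SCIM supported, old IdP access list)
    "Ticketing":  (True,  True,  {"alice", "bob", "erin"}),
    "Wiki":       (True,  False, {"bob", "carol", "frank"}),
    "Legacy-CRM": (False, False, {"dave"}),
}
APPROVED = {  # access confirmed by the technical project management team
    "Ticketing":  {"alice", "carol"},
    "Wiki":       {"bob", "carol"},
    "Legacy-CRM": {"dave"},
}


def review_app(old_access, approved, roster):
    """Classify every account on one application.

    departed: has access but is no longer employed -> remove (offboarding gap)
    revoke:   employed, has access, not approved    -> remove
    missing:  approved and employed, has no access  -> add to the SSO group
    group:    final membership of the SSO-<App> group
    """
    approved_active = approved & roster
    return {
        "departed": old_access - roster,
        "revoke": (old_access & roster) - approved_active,
        "missing": approved_active - old_access,
        "group": approved_active,
    }


def migration_plan(apps=APPS, approved=APPROVED, roster=ROSTER):
    """Review every app and flag those whose plan lacks SSO or SCIM."""
    plan = {}
    for app, (sso_ok, scim_ok, old_access) in apps.items():
        result = review_app(old_access, approved[app], roster)
        result["blocked_by_plan"] = not sso_ok   # cheaper plan: decide before migrating
        result["provisioning"] = "SCIM" if scim_ok else "manual"
        plan[app] = result
    return plan


if __name__ == "__main__":
    for app, result in migration_plan().items():
        print(app, result)
```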

Result

In the original plan, technical management gave us responsibility for migrating 24 applications. Thanks to our precise analysis, in which we made sure that each of the more than 8,000 users was correctly classified and had the expected permissions, management was so satisfied that they assigned us additional applications, bringing the total to about 46. These had originally been reserved for the company's internal team because they contained sensitive company data.

Given the large number of user identities, managed devices, and tools and applications, we did not in the end handle the Microsoft Intune MDM device management part ourselves; it was taken over by a dedicated team member.

The application migration we were tasked with was successful, and the required features, single sign-on (SSO) and account synchronization between the identity provider and the vendor (SCIM), were set up and successfully tested for every application that supports them.

Conclusion

With single sign-on (SSO) and identity provider-to-vendor synchronization (SCIM) in place, the internal IT team has full control over the user lifecycle for most tools and applications. When a new user identity is created, they simply select the groups the user should belong to, and the incoming employee automatically gains access to the tools and applications that belong to their job function. In addition, a single login serves them everywhere, with no more dozens of different logins and passwords for different applications. When the employee leaves, the internal IT team can just as easily remove these accesses and, most importantly, be sure that no key application is forgotten.

Are you also worried about the large number of different applications, logins for a large number of employees and want to have a simple overview of who has what permissions? Contact us and we will be happy to work with you to come up with a solution tailored to your needs.
