Microsoft IT Reduces Identity Management Costs
Business Case Study
Published: June 2010
Microsoft Information Technology (Microsoft IT) faces a unique set of identity management challenges because of the large number of user accounts, distribution and security groups, and corporate applications at Microsoft. By migrating more than 50,000 users to Microsoft Forefront Identity Manager 2010, Microsoft IT saved U.S.$150,000 in the first 10 weeks and reduced the time required to fulfill password-reset requests by 92 percent.
Microsoft IT provides strategic guidance and hands-on IT support services to the Microsoft global workforce of more than 90,000 employees.
With increasing demands on its identity management infrastructure, Microsoft IT sought to expand group management capabilities and to increase the efficiency of its approach to credential management.
Microsoft IT initiated a phased deployment of Microsoft Forefront Identity Manager 2010 to take advantage of enhanced IT management capabilities and new self-service tools.
Microsoft IT provides application development resources and technical support to the Microsoft global workforce of more than 90,000 employees. As a core part of its mission, Microsoft IT delivers and maintains key infrastructure and line-of-business applications to individual employees and business groups within Microsoft.
As the organization responsible for managing the companywide deployment and use of technology resources, Microsoft IT promotes employee productivity and collaboration while maintaining the highest level of enterprise data security. Historically, the organization has successfully balanced these two priorities by emphasizing and driving continuous innovation in the area of identity management.
This case study describes Microsoft IT's deployment of Microsoft Forefront Identity Manager 2010 to streamline identity management, save costs, and improve user productivity. It is intended for business decision makers who are considering a similar solution.
Like other enterprise IT organizations, Microsoft IT faces the challenge of developing an identity management solution that integrates diverse systems, applications, and data sources to provide comprehensive access control for the scope of its operations. This scope encompasses 208,000 user accounts, 472,000 security and distribution groups, and 2,300 distinct corporate applications. Moreover, Microsoft IT has experienced increasing demand on its identity management infrastructure, as system interoperability and compliance concerns become more complex and cost considerations drive the need for greater efficiency.
Over the past decade, Microsoft IT has played a critical role in promoting the evolution of an increasingly sophisticated and powerful identity management solution. In 2007, Microsoft released Microsoft Identity Lifecycle Manager 2007, which combined identity synchronization, automated user provisioning, and certificate and smart-card management in a single packaged application.
Alongside the rollout of Identity Lifecycle Manager 2007 within the Microsoft ecosystem, Microsoft IT deployed a custom-built group management application called AutoGroup. This application featured a Web interface where employees could submit requests to join distribution and security groups, though approvals were handled outside the system. Microsoft IT had a three-person team dedicated to processing requests and troubleshooting issues with the tool. The application also offered application programming interfaces (APIs) to enable administrators to author policies for managing and updating groups based on changing business needs.
Although AutoGroup extended functionality in Identity Lifecycle Manager in several important ways, including providing limited self-service for group management and support for centralized Group Policy authoring, its heavily customized code base was costly to maintain. Moreover, it was not designed to enable automatic approval of group membership requests, which resulted in lost productivity due to notification delays. Microsoft IT had already documented that it took more than 24 hours to batch process requests made through the Web interface during the previous business day. And, as more employees interacted with AutoGroup, leaders at Microsoft IT were concerned about the long-term scalability of the application.
In addition to addressing the service capacity limitations of its custom group management solution, Microsoft IT sought to increase the efficiency of its approach to credential management. Specifically, the organization targeted the manual process of resetting passwords as an area where it could achieve significant time and cost savings without compromising security. Microsoft IT calculated the cost for each Helpdesk call at U.S.$17.50, which quickly aggregated to tens of thousands of dollars in any month, based on the number of requests handled.
The critical need for a more scalable group management application and the potential to achieve measurable cost savings through a self-service model for resetting passwords prompted Microsoft IT to look for a new identity management solution. Leaders at Microsoft IT recognized the strategic importance of implementing a comprehensive solution that would extend the system integration capabilities of Identity Lifecycle Manager 2007. To further reduce the costs and risks associated with identity management, they were eager to find a solution that combined centralized policy authoring and enforcement capabilities with self-help tools for group management and credential management.
To address the scalability limitations of AutoGroup and provide employees with tools to simplify tasks related to credential and group management, Microsoft IT led a pilot deployment of Forefront Identity Manager 2010. Building on the certificate management, user account provisioning, and identity synchronization capabilities of Identity Lifecycle Manager 2007, Forefront Identity Manager 2010 offers enhanced IT management through a centralized administrative console and new self-service tools to reduce dependency on the Helpdesk.
Deployment Planning Process
In accordance with the company's long-established methodology for software development, Microsoft IT deployed a prerelease version of Forefront Identity Manager 2010. In early 2009, Microsoft IT began working closely with the product team for Forefront Identity Manager 2010 to develop its deployment project plan. As a first step in defining goals for collaboration, Microsoft IT generated a list of shared priorities. These business imperatives included migrating a minimum of 50,000 users and 75,000 groups to Forefront Identity Manager 2010 by January 2010 and achieving full-feature parity with the company's former group management solution by April 2011.
This phased approach enabled rigorous field testing of the solution in a production environment, which eased the transition from the heavily customized AutoGroup application. Moreover, it helped Microsoft IT gradually define the configuration of the solution while giving support staff hands-on experience with the technology before its broader release.
Microsoft IT implemented self-service tools in Forefront Identity Manager 2010 for managing distribution groups and security groups. By using these tools, employees can now create and manage groups from the built-in portal, which is based on Windows SharePoint Services. To manage groups from the Microsoft Outlook messaging and collaboration client, employees can use the Forefront Identity Manager Add-in for Microsoft Office Outlook. Some of the group management capabilities from the Outlook user interface include the ability for group owners to approve or deny membership requests for groups that they own and the ability to join or leave groups. In a single month after the initiation of the deployment process, Microsoft IT recorded that 43,765 group modifications had occurred and that group owners had used the new workflow tools in the solution to approve 46,256 membership requests.
Forefront Identity Manager 2010 provides intuitive tools that employees can use to reset their own passwords and provision their own smart cards. Although Microsoft IT acknowledges that it will not be able to completely eliminate the use of the Helpdesk for some requests to reset passwords, it anticipates widespread adoption of these self-help tools. In fact, since deployment of Forefront Identity Manager 2010 began, more than 20,000 Microsoft employees have registered to use the self-service tool for resetting passwords. And, since the market release of the technology, more than 1,300 employees have used the tool to reset their own passwords.
Microsoft IT is taking advantage of the extensibility of Forefront Identity Manager 2010 to customize the solution to the company's unique business rules. For example, the organization is developing specialized functionality to automate the process of updating group memberships. When employees create an e-mail distribution group, that profile will automatically be set to expire in adherence with corporate protocols for group life-cycle management. The group's administrator will receive automated notifications at fixed intervals to verify membership information and to update the group's status before it is automatically terminated.
In addition, to align the password reset component of the solution with the company's rigorous access control policies, Microsoft IT configured 21 challenge questions based on extensive research of industry best practices. When Microsoft employees register to reset their passwords, they must answer at least seven of the 21 questions. When employees initiate a request to reset their passwords through the self-service tool, they receive five of the challenges from the group that they previously answered, which are selected at random. Employees must correctly answer at least three of the challenge questions to proceed with resetting their passwords.
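The registration and reset gate described above, written out as an added example (not code from the case study or from Forefront Identity Manager): a pool of 21 configured questions, enrollment with at least 7 answers, 5 enrolled questions drawn at random per reset, and a pass threshold of 3. The question texts, the answer normalization and the salted PBKDF2 storage are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Policy values as described in the case study (21 / 7 / 5 / 3).
QUESTION_POOL = [f"Constructed question {i}" for i in range(1, 22)]  # 21 configured questions
MIN_ENROLLED = 7            # user must answer at least 7 at registration
CHALLENGES_PER_RESET = 5    # 5 enrolled questions, chosen at random, per reset attempt
MIN_CORRECT = 3             # at least 3 correct answers to proceed


def _normalize(answer: str) -> str:
    # Case- and whitespace-insensitive comparison (an assumption of this example).
    return " ".join(answer.lower().split())


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Answers are stored only as salted PBKDF2 hashes, never in clear text.
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 50_000)


def enroll(answers: dict) -> dict:
    """Store a per-question salt and hash for each question the user answered."""
    if len(answers) < MIN_ENROLLED:
        raise ValueError(f"at least {MIN_ENROLLED} answers required")
    unknown = set(answers) - set(QUESTION_POOL)
    if unknown:
        raise ValueError(f"not in configured pool: {unknown}")
    profile = {}
    for question, answer in answers.items():
        salt = secrets.token_bytes(16)
        profile[question] = (salt, _hash_answer(answer, salt))
    return profile


def select_challenges(profile: dict) -> list:
    """Pick 5 distinct questions, at random, from those the user enrolled."""
    return secrets.SystemRandom().sample(list(profile), CHALLENGES_PER_RESET)


def verify_reset(profile: dict, challenges: list, responses: dict) -> bool:
    """Return True when at least 3 of the 5 presented challenges are answered correctly."""
    correct = 0
    for question in challenges:
        salt, expected = profile[question]
        given = responses.get(question, "")
        # Constant-time comparison so timing does not reveal which answers matched.
        if hmac.compare_digest(_hash_answer(given, salt), expected):
            correct += 1
    return correct >= MIN_CORRECT
```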
To maximize business continuity throughout the project, Microsoft IT opted to pursue a phased migration approach. This approach involved running AutoGroup and Forefront Identity Manager 2010 in parallel. Although Microsoft IT knew that this decision would result in a longer deployment cycle, the organization wanted to be able to roll back to the existing group management application if needed.
To preserve data integrity throughout the Microsoft internal migration process while simultaneously running both applications, Microsoft IT used Active Directory Domain Services to create separate organizational units for the two applications and to define a discrete set of permissions for each. With this approach, employees could view groups in both applications, while applying changes to only one location.
Based on its experience successfully migrating more than 50,000 users and 75,000 groups to Forefront Identity Manager 2010, Microsoft IT has compiled a list of recommendations for enterprise deployments of the software:
Define business rules and requirements before beginning the upgrade. Using this approach provides the opportunity to design, develop, and implement configuration and customization efforts to meet specific business needs.
Determine the best approach to migrating groups. Before migrating existing group data, an organization should determine whether an incremental approach or a one-time switch to Forefront Identity Manager 2010 best aligns with organizational goals. When opting to pursue a phased migration, an organization should create a plan for handling the coexistence of group data in multiple applications.
Start with a pilot deployment. An organization should consider piloting the group migration effort, even if it is using a one-time switch to Forefront Identity Manager 2010. A pilot is an excellent means for working out bugs and involving users early in the deployment. User feedback gathered during the initial phase of a deployment can help to ensure user satisfaction with both the deployment experience and the technology.
Minimize re-synchronization. When an organization is implementing declarative provisioning, it should plan to configure rule changes ahead of time to minimize the number of times that re-synchronization is required.
By upgrading to Forefront Identity Manager 2010, Microsoft IT has saved costs, increased user productivity, and improved its ability to efficiently manage changing security and compliance requirements.
Savings of $150,000 in 10 Weeks
The self-service functionality dramatically reduces the need for Helpdesk support to fulfill requests for resetting passwords. In fact, Microsoft IT has calculated that the rollout of Forefront Identity Manager 2010 decreased Helpdesk calls for resetting passwords by 10 percent a month. From March 22 through April 21, 2010, the organization recorded just 119 total Helpdesk calls; 64 of these calls were classified as requests for identity services.
Microsoft IT has calculated that this reduction in requests for resetting passwords through the Helpdesk has saved more than $150,000 in the first 10 weeks after the product's release to market. This figure is based on monthly savings of $61,250, achieved through the elimination of 3,500 Helpdesk calls at a cost of $17.50 for each support response. Microsoft IT anticipates annual savings of approximately $730,000 from these improvements. Forefront Identity Manager 2010 has helped Microsoft IT meet two of its core objectives: to help employees be more productive and to reduce the cost of identity management.
Reduction of Password Reset Time by 92 Percent
Microsoft IT estimates that it previously took an average of 60 minutes to resolve password-reset requests processed through its Helpdesk. Now, by using the self-service functionality in Forefront Identity Manager 2010, employees can complete this task independently in an average of five minutes, a 92 percent reduction in the time required.
Simplification of Security and Compliance Management
Through centralized policy-based management and auditing across identities, credentials, and resources in Forefront Identity Manager 2010, Microsoft IT can audit business rules and events from a centralized repository. This ability makes it easier to effectively identify and close security gaps and to help ensure compliance. Through the improved administrative tools, Forefront Identity Manager 2010 gives Microsoft IT the fundamental security capabilities to address current needs. And, the extensibility of the solution provides the flexibility that Microsoft IT needs to meet changing security requirements.
By deploying Forefront Identity Manager 2010, Microsoft IT has helped employees across the organization to more easily accomplish such tasks as managing distribution groups and resetting their own passwords. By taking advantage of self-service tools in the technology, Microsoft IT has empowered employees to be more productive while enabling its own staff resources to focus more time on longer-range strategic initiatives.
For More Information
For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Order Centre at (800) 933-4750. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information via the World Wide Web, go to:
© 2010 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Forefront, Outlook, SharePoint, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.