Implementing single sign-on for Microsoft Partners

Business Case Study

March 2016


Microsoft Azure Active Directory business-to-business (B2B) collaboration brings a new set of capabilities to Azure Active Directory (AD) that enable secure collaboration between B2B partners. These new capabilities make it easy for the Microsoft Operations team to enable single sign-on access by Microsoft Partners to Microsoft extranet applications.

The challenging number of partner tools

Microsoft relies on a vibrant partner community to serve its customers. Microsoft has extensive supply chains and partner networks made up of roughly 310,000 large and small companies that are essential to delivering customer value. As Microsoft has evolved through the years, the business-to-business systems for Microsoft Partners have also grown in number and in complexity.

Some partners report using as many as 65 different tools, sites, and applications to work with Microsoft across different lines of business, including OEM, Azure, and Volume Licensing. Adding to this complexity is a lack of centralized access to the tools and systems, which use different authentication protocols for signing in. Users have to bookmark links to the tools they use, or save them to their browser favorites. Partners have to manage a separate user identity and password for each system. The mix of identities for a single user can include Microsoft accounts (aka Windows Live accounts), corporate IDs, and Azure AD IDs, which is a lot for a partner to keep track of.

Identity and access management

Identity and access management is at the core of partner collaboration. Microsoft needs to grant partners access to key applications and data, but also needs to ensure that those assets don't end up in the hands of the wrong people. Setting up inter-company federation relationships has been the classic approach, but it has its challenges:

  • Not all partner companies have the expertise, or the budget, for the server infrastructure needed to set up and manage federation.

  • Complexity grows linearly when you have to manage a federation relationship with each partner.

  • With federation, there is limited user-level visibility, making compliance and audits challenging.

These difficulties lead many companies to create directories of internally managed partner identities, a practice with its own security and management concerns:

  • Accounts in internally managed directories can provide too much access, putting the whole organization at risk.

  • The accounts are not connected to the partner's identity system, so they aren't disabled when partner employees change jobs or are terminated.

  • There is another set of usernames and passwords for partners to remember and yet another set of identities for Microsoft to manage (provision, de-provision, reset passwords, etc.).

The role of Microsoft Operations

The role of Microsoft Operations is to make it easy for partners to do business with Microsoft. Microsoft Operations is accountable for the partner experience. After receiving feedback from partners about how complex it was to use bookmarked partner tools and manage all of the required sign-in information, the operations team began to look at third-party technology and what was available at Microsoft to create a unified identity solution that could streamline partner access by providing:

  • Easier sign-in

  • Password management

  • Consolidated access to Microsoft Partner tools

A fully integrated tool seemed like it might be years out until the operations team discovered B2B collaboration, a module available for Azure AD.

Introducing Azure AD B2B collaboration

Azure AD is an enterprise-grade, cloud Identity as a Service (IDaaS) solution that provides single sign-on to thousands of cloud (SaaS) apps and access to web apps that you run on-premises. Azure Active Directory B2B collaboration is the foundation for cross-company collaboration at Microsoft and provides a cross-company identity model where each partner manages its own employee identities.

Azure AD B2B collaboration is integrated into the partner's existing IT systems, according to their own corporate policy, in a way that works for their business while providing rich cross-company visibility, compliance, and control. Azure AD B2B collaboration supports cross-company relationships by enabling partners to selectively access corporate applications and data using self-managed identities.

Azure AD B2B collaboration is:

  • Simple. Each partner user has an existing Azure AD account or one that is easily created. This account can be provided to the user with direct access to a single corporate app or a set of applications through the Azure AD access panel.

  • Secure. Admins control all access to corporate apps through the Azure AD directory. When collaboration ends, partner users can be removed from Azure AD and their access to your apps is immediately revoked. And when the partner user leaves the partner organization, access is automatically lost.

  • Free. B2B collaboration is a free feature that comes with Azure AD. The partner companies who need access to corporate apps do not need to have Azure AD. Azure AD B2B collaboration provides a simple sign-in experience to give these partners immediate access to apps.

Creating a single sign-on access panel

Over the last few years, the operations team gathered anecdotal evidence from interviews with partners about the complexity of working with Microsoft. To address their pain points about the increased number of portals and tools and the need to sign in to each app separately, the operations team wanted to create a single sign-on access panel (SOAP) that centralizes their tools behind one sign-in.

Developing a proof of concept

When developing a proof of concept for using Azure AD B2B collaboration to create the SOAP, the operations team first had to decide which applications to include and what kind of identity to use. The goal was to ensure that partners could access the commonly used tools and sites using the new SOAP portal.

All of the sites are built for partners to access externally, and highly sensitive data sits behind them, including partner transaction data, customer information, and financial data. The first partners were vital in testing and validating the simplified experience, as they already had accounts set up to use the partner applications.

The operations team chose a partner company to be the first users of the SOAP portal. That partner agreed to work closely with the operations teams to test the single sign-on solution and to help them identify any issues before onboarding the remaining partners. The operations team spent about 10 hours of testing with the first partner before expanding testing to a group of 10 partners.

The operations team decided that it would be to their benefit to start small because they were learning every step of the way with every user, and because the solution was a configuration and not a net new development. The Azure AD B2B collaboration team provided the tool, and the operations team configured it and started deploying it to partners.

The operations team wanted to use an existing identity that was compatible with the Azure service without creating yet another identity for the user. They developed a detailed questionnaire to help prioritize identities and narrow the focus on which identity to use. The first preference for identity was an Azure AD account.

Moving from a pilot to a service

The operations team was able to ramp up the remaining 85 partners in the early adoption community fairly quickly and stabilize their onboarding processes through careful monitoring of partner experience metrics. As SOAP usage ramped up, the operations team provided valuable feedback to the Azure team that helped improve the B2B Collaboration product including:

  • Refining the process for users to self-select their own apps

  • Improving analytics on usage

  • Identifying improvements and customizations for the automated invitation process

  • Improving the user experience for first time users

  • Providing longer session times

  • Improving overall site performance

After onboarding over 100 partners, SOAP has moved from a pilot to a service. Rather than seeking out partners to participate, the operations team is now measuring adoption rates within the partner community. Microsoft has notified partners that the service is available, and they are invited to sign up.

Onboarding process

The onboarding process starts when an invited partner visits the site link provided by the operations team. From the site, the partner launches an email template questionnaire that helps identify who they are and which applications they need access to. The operations team administrator creates a comma-separated values (CSV) file specifying groups and applications for each partner user and uploads it to the Azure management portal.

The portal sends email invitations to the user, letting them know that their applications are now accessible through the SOAP portal and that they simply need to sign in to them. For applications that are not federated, when the user first clicks on the tile to sign in using password-based SSO, an access panel extension is downloaded automatically in the browser. The required access panel extension is available for Internet Explorer, Chrome, and Firefox browsers.

Once the access panel extension is installed, a user needs to sign in to each of their applications once; their sign-in information is captured and saved so they won't need to enter it again when they access the application through the portal.
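The onboarding steps above hinge on the CSV the administrator builds from the questionnaire: every row in it becomes an invitation that grants a partner user access to specific applications and groups. The following is an added example, not the operations team's tooling, of a small pre-upload check that turns constructed questionnaire responses into that CSV while enforcing the controls a reviewer would want before anything reaches the portal: the invited address must be syntactically valid and belong to the partner's own domain (so an invitation cannot be steered to an unrelated mailbox), only catalogued applications and groups may be requested (least privilege), and duplicate addresses are dropped. The column names (Email, DisplayName, InvitedToApplications, InvitedToGroups), the semicolon list separator, and the application and group catalog are assumptions made for this example; confirm the layout against the current Azure AD B2B documentation before using it.

```python
"""Build and sanity-check an Azure AD B2B invitation CSV from questionnaire answers.

Added example, not the operations team's code. The column names and the
semicolon separator for multi-valued cells are assumptions about the CSV
layout; the catalog, partner domain and responses below are constructed.
"""
import csv
import io
import re

# Constructed catalog: the only extranet apps and groups a partner may request.
APP_CATALOG = {"Partner Center", "Volume Licensing Portal", "OEM Portal"}
GROUP_CATALOG = {"Partner-Users", "Partner-Finance"}

# Deliberately strict: one local part, one domain, no display-name syntax.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def validate_request(entry, partner_domain):
    """Return (ok, reason) for one questionnaire entry.

    Rejects malformed addresses, addresses outside the partner's declared
    domain, empty application lists, and anything not in the catalogs.
    """
    match = EMAIL_RE.match(entry.get("email", "").strip())
    if not match:
        return False, "malformed email"
    if match.group(1).lower() != partner_domain.lower():
        return False, "email not in partner domain"
    apps = entry.get("apps", [])
    if not apps:
        return False, "no applications requested"
    unknown_apps = [a for a in apps if a not in APP_CATALOG]
    if unknown_apps:
        return False, "unknown application(s): " + ", ".join(unknown_apps)
    unknown_groups = [g for g in entry.get("groups", []) if g not in GROUP_CATALOG]
    if unknown_groups:
        return False, "unknown group(s): " + ", ".join(unknown_groups)
    return True, ""


def build_invitation_csv(responses, partner_domain):
    """Return (csv_text, rejected).

    csv_text holds one header row plus one row per accepted user; rejected is
    a list of (email, reason) pairs for the administrator to follow up on.
    Addresses are normalised to lower case so 'Ana@' and 'ana@' count once.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Email", "DisplayName", "InvitedToApplications", "InvitedToGroups"])
    seen = set()
    rejected = []
    for entry in responses:
        email = entry.get("email", "").strip().lower()
        ok, reason = validate_request(entry, partner_domain)
        if not ok:
            rejected.append((email, reason))
            continue
        if email in seen:
            rejected.append((email, "duplicate"))
            continue
        seen.add(email)
        writer.writerow([
            email,
            entry.get("name", ""),
            ";".join(sorted(entry["apps"])),            # assumed separator
            ";".join(sorted(entry.get("groups", []))),
        ])
    return buf.getvalue(), rejected


# Constructed questionnaire responses for one partner, including the cases
# the checks are meant to catch.
PARTNER_DOMAIN = "contoso-partner.example"
QUESTIONNAIRE = [
    {"email": "ana@contoso-partner.example", "name": "Ana",
     "apps": ["Partner Center"], "groups": ["Partner-Users"]},
    {"email": "bo@contoso-partner.example", "name": "Bo",
     "apps": ["OEM Portal", "Partner Center"]},
    {"email": "mallory@other.example", "name": "Mallory",
     "apps": ["Partner Center"]},                       # outside the partner's domain
    {"email": "Ana@Contoso-Partner.example", "name": "Ana again",
     "apps": ["Partner Center"]},                       # duplicate, differs only by case
    {"email": "cy@contoso-partner.example", "name": "Cy",
     "apps": ["Finance Ledger"]},                       # not a catalogued application
]


if __name__ == "__main__":
    text, rejected = build_invitation_csv(QUESTIONNAIRE, PARTNER_DOMAIN)
    print(text)
    for email, reason in rejected:
        print("rejected:", email, "-", reason)
```

Running the block prints a three-line CSV (header, ana, bo) and three rejections; the rejections list, not the CSV, is what the administrator reviews before upload, which keeps the decision about a suspicious address with a person rather than letting it default to an invitation.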

NOTE: My Apps—the Azure Active Directory mobile app for Android and iOS mobile devices—provides the same experience without the need to install the access panel extension.

Figure 1. SOAP portal (screenshot of the portal's application tiles)

Implementing single sign-on best practices

  • The lack of an identity service can lead to bad security habits. The most secure passwords are complex and unintuitive, which makes them harder for an unauthorized user to guess. Using Azure AD B2B collaboration helps drive more secure behavior.

  • Simplify onboarding for partners by automating processes. The operations team used a questionnaire that helped partners select the right identity, email address, and account. By providing criteria that helped narrow down their choices, onboarding has become a more streamlined process and has helped guide more partners into using the types of identities that the operations team prefers.

  • For business partners that don't already have Azure AD, B2B collaboration has a streamlined sign-up experience that can provide free Azure AD accounts to Microsoft business partners.

Benefits of SOAP

  • Providing a portal experience with a dashboard of partner tools was a significant improvement for users. They no longer need to keep separate links organized in browser favorites, nor do they have to maintain separate sign-in information for each individual system they need to access.

  • After vetting and testing, setting the SOAP portal up as a service was completed within a matter of weeks with very little Microsoft IT involvement.

  • Secure access to extranet apps remains a top priority with the security of the Azure platform protecting partner identities and information.

Conclusion

By partnering with the Azure AD team, the operations team was able to create the SOAP solution within a matter of months, and over half of the 300 highest-transacting partners have been onboarded. The operations team is on track to meet their adoption goal by the end of this fiscal year. With plans to expand that number to include more partners, more partner types, and other lines of business in the future, SOAP has provided tangible improvements to a long-standing business problem.

The operations team was also able to provide important feedback to the Azure AD team and has been uncovering complex user scenarios around identity and security. Those lessons learned are being shared to help other Microsoft teams build the portals of the future.

Feedback from the Microsoft Partners that are using SOAP has been very positive. They were excited to see the solution rolled out so quickly and have communicated that the single sign-on experience truly does make it easier to do business with Microsoft.

For more information

Microsoft IT

microsoft.com/ITShowcase

© 2016 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.