Self-Service Identity and Access Management
Microsoft IT Showcase and Lana Chin
Microsoft IT recently released the Easy ID service. This is a fully automated, self-service identity and access management solution that gives each employee the ability to create and use a personalized, easy-to-remember e-mail address that is based on employee name information in the human resources system. Although Easy ID is an internal service that was developed for Microsoft employees, it is a compelling example of a self-service solution that can be implemented in different environments to simplify identity and access management. The project had to meet the following requirements:
- The solution had to be a fully automated and easy to use solution that would give each employee—that's more than 60,000 users—the ability to create a personalized e-mail address.
- The new e-mail address would have to work in addition to the employee's original alias-based e-mail address, without modifying its functionality.
- Some level of control had to be maintained over certain criteria in order to ensure integrity and consistency of identity information. This meant we had to integrate the solution with the authoritative source for employee identity information: the SAP HR module.
- The solution had to offer a flexible address schema so users could create addresses that adhered to the naming preferences in different regions and groups across the enterprise. But, at the same time, the solution had to enforce compliance with account naming standards.
The solution was built on Microsoft® Identity Integration Server (MIIS) 2003 Service Pack 1 (SP1). It uses the MIIS enterprise resource planning (ERP) management agent to integrate HR information from the SAP HR module. The MIIS ERP management agent provides a continuous link between HR systems (such as the SAP HR module) and IT systems (such as Active Directory®). This allows identity information to flow directly between systems.
Early on in the project, a pilot program was carried out with a small group of users. After development and testing was completed, Easy ID was deployed to executives. This was followed by a global deployment to all employees in the six Active Directory forests that Microsoft IT manages.
The Identity Management (IdM) team within Microsoft IT collaborated with the cross-IT (XIT) team and other internal teams to deliver Easy ID. The IdM team, as business owner, compiled the business requirements. They identified the name-related attributes that need to be imported from SAP, established the business rules that govern how Easy ID integrates identity information from multiple identity stores, and established how Easy ID manages e-mail addresses. The XIT team took care of design, development, testing, and deployment of all Easy ID components except the MIIS ERP management agent. The XIT team also worked with the Messaging team to substantiate messaging-related aspects of Easy ID.
The MIIS product group partnered with an independent software vendor to drive development of the MIIS ERP management agent, in collaboration with the IdM, XIT, and Enterprise Application (EAS) teams. (The MIIS ERP management agent is currently in prerelease and will be available as an MIIS 2003 product offering.)
Microsoft e-mail addresses are formatted as firstname.lastname@example.org. The alias matches the user logon name that was configured in Active Directory when the account was first created in the account provisioning system. The user logon name, which has to be unique across all Active Directory and Microsoft Exchange Server accounts, is limited to eight characters to maintain compatibility with certain internal business systems.
Due to these constraints, the way a logon name and e-mail alias is determined does not follow a standard format. The e-mail alias is based on substrings of a user's first and last name, but the substrings are not based on any consistent pattern. For example, the e-mail alias can be made up of the first letter of the first name and a substring of the last name, a substring of the first name and the first letter of the last name, or substrings of both the first and last names.
As a result, Microsoft e-mail addresses are sometimes unintuitive and hard to remember. This lack of consistency creates a business problem that is most evident when it comes to communicating with external customers and partners. Before rolling out Easy ID, external people who wanted to send a message to a Microsoft employee had to have explicit knowledge of that employee's alias. And even when an employee did give her e-mail address to an external contact, it was easily forgotten. Thus, a common request from employees has been for more intuitive e-mail addresses. Easy ID now allows each user to create a more predictable and more memorable e-mail address.
(In addition, a system built on alias-based e-mail addresses creates a potential security risk when each user's logon name—one half of the user's network credentials—is exposed to non-employees.)
Using Easy ID
Easy ID presents employees with an internal, self-service Web site that allows them to quickly and easily create a new, more intuitive e-mail address. Easy ID e-mail addresses are formatted as EasyIDAlias@microsoft.com, where EasyIDAlias can be a maximum of 26 characters based on a combination of the following name attributes: first name, last name, preferred first name, and middle initial.
The address may also include a differentiator. This is text that appears in parenthesis at the end of certain user names in the Global Address List (GAL). It is used to tell the difference between two or more employees who have the same name. A common differentiator is the business unit or group that a user belongs to. For example, a member of the XIT team might use (XIT) as a differentiator in his Easy ID address.
Format, consistency, uniqueness, and accuracy are enforced by a set of business rules that reflect account naming standards and business requirements. To accommodate differences in regional naming preferences and to provide alternative e-mail address options to employees who have the same or similar names, 120 different attribute combinations are available. The address must contain at least two of the attributes, not including the differentiator. Some examples include FirstName.LastName, LastName.FirstName, PreferredFirstName.MiddleInitial.LastName, and LastName.PreferredFirstName.Differentiator.
Easy ID e-mail addresses are available on a first-come, first-served basis. To create an Easy ID e-mail address, an employee can either pick one from a list of recommended e-mail addresses that are automatically generated by Easy ID, or he can build his own based on the list of available attributes (see Figure 1). Addresses that are already taken (by another employee with a similar name) or reserved for administrative purposes are simply not available.
Figure 1 Easy ID User Interface
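The naming rules described above (four name attributes, an optional differentiator, at least two attributes per address, a 26-character alias limit, and first-come, first-served uniqueness against taken and reserved names) can be modelled as a small rules engine. The following Python is an added example written for this article, not the Easy ID code or the XIT team's rules extensions; the sample employee, the character-normalization rule, and the function names are assumptions. Enumerating every ordering of two or more attributes, each with and without the differentiator, yields exactly the 120 combinations the text mentions.

```python
import re
from itertools import permutations

# Constants taken from the article: 26-character alias limit, four name attributes.
MAX_ALIAS_LEN = 26
DOMAIN = "microsoft.com"
ATTRIBUTES = ("FirstName", "LastName", "PreferredFirstName", "MiddleInitial")
DIFFERENTIATOR = "Differentiator"

# Constructed character rule: lowercase letters, digits and hyphens inside
# dot-separated components, and at least two components.
_ALIAS_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def attribute_combinations():
    """Every ordered selection of at least two name attributes, each offered
    with and without the differentiator (60 orderings x 2 = 120)."""
    combos = []
    for size in range(2, len(ATTRIBUTES) + 1):
        for ordering in permutations(ATTRIBUTES, size):
            combos.append(ordering)
            combos.append(ordering + (DIFFERENTIATOR,))
    return combos


def _clean(value):
    """Normalise one attribute value for use in an address (constructed rule)."""
    return re.sub(r"[^a-z0-9-]", "", value.lower())


def build_alias(user, combo):
    """Join the chosen attributes with dots; None if the user lacks one of them."""
    parts = []
    for attr in combo:
        part = _clean(user.get(attr, ""))
        if not part:
            return None
        parts.append(part)
    return ".".join(parts)


def check_alias(alias, taken, reserved):
    """Return None if the alias may be assigned, else the reason it is rejected."""
    if alias is None:
        return "missing attribute"
    if len(alias) > MAX_ALIAS_LEN:
        return "too long"
    if not _ALIAS_RE.match(alias):
        return "invalid characters"
    if alias in reserved:
        return "reserved"
    if alias in taken:
        return "taken"
    return None


def candidate_addresses(user, taken=frozenset(), reserved=frozenset()):
    """The recommended list: every combination that is valid and still available."""
    seen, out = set(), []
    for combo in attribute_combinations():
        alias = build_alias(user, combo)
        if alias in seen or check_alias(alias, taken, reserved) is not None:
            continue
        seen.add(alias)
        out.append(f"{alias}@{DOMAIN}")
    return out


def claim_alias(alias, taken, reserved=frozenset()):
    """First-come, first-served assignment: record the alias in the taken set."""
    reason = check_alias(alias, taken, reserved)
    if reason is None:
        taken.add(alias)
    return reason


# Constructed sample employee; the "(XIT)" differentiator follows the article's example.
SAMPLE_USER = {"FirstName": "Maria", "LastName": "Lopez", "PreferredFirstName": "Mia",
               "MiddleInitial": "J", DIFFERENTIATOR: "(XIT)"}

if __name__ == "__main__":
    taken = {"maria.lopez"}  # constructed: already claimed by a namesake
    for address in candidate_addresses(SAMPLE_USER, taken)[:5]:
        print(address)
```

Keeping the reserved list separate from the taken set lets administrative names (postmaster-style addresses, for example) be blocked without ever appearing as "claimed" by a person, and `check_alias` reports a single reason so the front end can explain to the user why a choice is unavailable.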
It takes only about five minutes to configure an Easy ID e-mail address. After that, the address is ready to use within six hours and visible in the GAL within 24 hours. And if necessary, an employee can return to the site to update or remove his existing Easy ID e-mail address.
The two e-mail addresses—the original alias-based address and the new Easy ID address—work together to send and receive e-mail messages. Messages that are sent to either of these e-mail addresses are delivered to the same mailbox the user has always used. When an employee sends an e-mail message—either to an external or internal recipient—that message is sent from the employee's Easy ID e-mail address. Note that when the recipient is internal, Microsoft Outlook® shows the display name of the employee (not the Easy ID e-mail address) as the sender.
Core components of Easy ID include the self-service Web site, the Easy ID application database, management agents, and custom business logic. The self-service Web site sits on top of the Easy ID application database and acts as the front-end user interface. The application connects to SAP through the MIIS ERP management agent and imports the name-related attributes directly from SAP into the metaverse (the MIIS 2003 database). Identity information that's been aggregated from all connected data sources is stored in a Microsoft SQL Server™ database, providing a single, global, integrated view of all objects. From the metaverse, the name-related attributes are pushed to the Easy ID application database (also a SQL Server database). This database, which acts as the back end for the self-service Web site, stores attributes and Easy ID e-mail addresses and also contains a subset of information from the metaverse. SAP, the Easy ID application database, and Active Directory are all connected data sources with identity information that is integrated with MIIS 2003.
When an employee visits the self-service Web site and creates an Easy ID e-mail address, the following events take place:
- The Easy ID application database updates the employee's user record to include the Easy ID e-mail address.
- MIIS 2003 detects this change and updates the corresponding user record in the metaverse.
- MIIS 2003 then modifies the user account attributes of the employee in Active Directory. In the proxyAddresses attribute, the Easy ID e-mail address becomes the primary SMTP address and the alias-based e-mail address becomes the secondary SMTP proxy address. The "Automatically update e-mail address based on recipient policy" option is turned off to ensure the primary SMTP proxy address is not overridden.
- From Active Directory, the user account attributes are replicated to Exchange Server.
That's about all there is to the process. The employee can send and receive e-mail messages using the new e-mail address, as well as continue to receive messages sent to the alias-based address. Figure 2 gives an overview of the data flow.
Figure 2 Flow of Data in the Easy ID Solution
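The proxyAddresses change in step 3 above follows the Exchange convention that an uppercase "SMTP:" prefix marks the primary address and lowercase "smtp:" marks a secondary proxy. The Python below is an added example, not code from Easy ID or MIIS, that models that update and its reversal on an in-memory account record; the account dictionary, the `autoUpdateFromRecipientPolicy` flag (a stand-in for the recipient-policy option named in the text), and the sample addresses are constructed. The invariant check is the kind of test a defender would run over exported accounts to catch records with zero or two primary addresses, which is where misdelivery and spoofable identity confusion start.

```python
from copy import deepcopy

DOMAIN = "microsoft.com"


def _is_smtp(entry):
    """True for both primary ('SMTP:') and secondary ('smtp:') proxy entries."""
    return entry[:5].lower() == "smtp:"


def primary_smtp(account):
    """Return the address of the single 'SMTP:' (primary) entry, or None if not exactly one."""
    primaries = [e[5:] for e in account["proxyAddresses"] if e.startswith("SMTP:")]
    return primaries[0] if len(primaries) == 1 else None


def check_invariants(account):
    """List the problems that would make the record ambiguous for Exchange."""
    problems = []
    entries = account["proxyAddresses"]
    if sum(e.startswith("SMTP:") for e in entries) != 1:
        problems.append("exactly one primary SMTP address expected")
    lowered = [e.lower() for e in entries]
    if len(lowered) != len(set(lowered)):
        problems.append("duplicate proxy address")
    return problems


def apply_easy_id(account, easy_id_alias, domain=DOMAIN):
    """Make the Easy ID address primary, demote the old primary to a secondary
    proxy, and switch off automatic updates from the recipient policy."""
    new_primary = f"SMTP:{easy_id_alias}@{domain}"
    updated = deepcopy(account)          # never mutate the caller's record
    entries = []
    for entry in updated["proxyAddresses"]:
        if entry.lower() == new_primary.lower():
            continue                     # re-added below, as the primary
        if entry.startswith("SMTP:"):
            entry = "smtp:" + entry[5:]  # old primary becomes a secondary proxy
        entries.append(entry)
    updated["proxyAddresses"] = [new_primary] + entries
    updated["autoUpdateFromRecipientPolicy"] = False
    return updated


def remove_easy_id(account, easy_id_address, alias_address):
    """Drop the Easy ID address and promote the alias-based address back to primary.
    The article does not say whether the recipient-policy option is restored, so
    that flag is left unchanged here."""
    updated = deepcopy(account)
    entries = []
    for entry in updated["proxyAddresses"]:
        if _is_smtp(entry) and entry[5:].lower() == easy_id_address.lower():
            continue
        if _is_smtp(entry) and entry[5:].lower() == alias_address.lower():
            entry = "SMTP:" + entry[5:]
        entries.append(entry)
    updated["proxyAddresses"] = entries
    return updated


# Constructed sample account: an eight-character logon alias plus an X.400 entry.
SAMPLE_ACCOUNT = {
    "proxyAddresses": [
        "SMTP:mlopez@microsoft.com",
        "X400:c=US;a= ;p=Microsoft;o=Exchange;s=Lopez;g=Maria;",
    ],
    "autoUpdateFromRecipientPolicy": True,
}

if __name__ == "__main__":
    after = apply_easy_id(SAMPLE_ACCOUNT, "maria.lopez")
    print(after["proxyAddresses"], check_invariants(after))
```

Because `apply_easy_id` skips an existing entry that already equals the new primary, re-running it for the same alias is idempotent, which matters when a synchronization run is retried after a partial failure.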
MIIS 2003 uses management agents and synchronization rules to control attribute flow between the connected data sources and the metaverse. To implement the business rules that direct attribute flow, the XIT team extended the management agents using rules extensions that store custom business logic. The rules extensions are implemented within a Microsoft .NET Framework assembly that is saved as a DLL file. The XIT team used Microsoft Visual C#® .NET 2003 and the Microsoft Visual Studio® .NET 2003 development system to build these rules extensions. Figure 3 shows the basic architecture of Easy ID.
Figure 3 Easy ID Architecture
The XIT team deployed the MIIS component of Easy ID on a server running MIIS 2003 Enterprise Edition SP1, SQL Server 2000, and Windows Server® 2003 Enterprise Edition. The team developed the self-service Web site, which hosts the business rules that enforce how Easy ID manages e-mail addresses, as an ASP.NET Web application. This app was deployed on a separate server running IIS version 6.0 and Windows Server 2003 Enterprise Edition.
Easy ID was built on top of an earlier deployment of another MIIS 2003–based identity and access management solution, AutoConsistency Manager. Using MIIS 2003 as a platform for developing custom functionality, the XIT team extended AutoConsistency Manager to accommodate Easy ID components on the same instance of MIIS 2003 on which AutoConsistency Manager was deployed. For more information about AutoConsistency Manager, see the IT Showcase technical case study, "Ensuring Identity Consistency at Microsoft
Observations and Best Practices
The IdM and XIT teams embraced certain best practices and made some important observations during the course of this project. These points may be useful to others implementing a similar self-service identity and access management solution.
The phase of the project that took the most time was establishing the set of business rules to determine how Easy ID would manage e-mail addresses. This task involved identifying the attributes that would be used in the new addresses, developing naming standards, determining appropriate attribute combinations, recognizing regional naming preferences, and deciding on access-related characteristics. The IdM team was careful not to rush through this phase. They made it a priority to thoroughly understand and validate each business requirement and rule.
Best Practice: Making sure that business rules are solid and well defined is imperative from a technology and usability perspective, as well as for the purposes of user education.
The XIT team implemented a pilot program that ran in parallel to the design phase. They rounded up a group of employees (based on name, business group, and geographic location) who volunteered to participate. To mimic Easy ID e-mail addresses, the XIT team manually changed the user account attributes of the employees in Active Directory. This pilot program was critical to the success of the project because it enabled the XIT team to identify, investigate, and better understand the impact to downstream line-of-business (LOB) applications. As it turned out, some interoperability issues were uncovered and several LOB applications had to be recoded or reconfigured. Additionally, based on information discovered during the pilot program, the XIT team was able to fine-tune the design of Easy ID before starting development.
Best Practice: By implementing a pilot program early in a project, you can help make sure that changes are incorporated in a timely manner and also help reduce development costs by discovering issues and addressing them early on, rather than discovering them later in the project and having to redo work.
The IdM team discovered that it is important to set expectations and make sure that instructions to users are clear and concise. They noticed that many users assumed that the alias in an e-mail address would always match the user logon name. To drive a cultural shift, the team found it necessary to promote user education and build awareness. This helped employees understand what an Easy ID e-mail address is, what it's for, how it works, and how it affects the way they communicate.
Best Practice: A self-service solution such as Easy ID enables employees to manage their own information. However, employees must be informed and ready to take on such a responsibility.
Easy ID is an opt-in or opt-out service. Employees decide for themselves whether they want to sign up for an Easy ID e-mail address. Each employee who opts in can customize her own e-mail identity by choosing the combination of attributes that works best for her.
Since its release in September 2005, Easy ID has been very popular. More than 6,500 employees signed up for an Easy ID e-mail address during the first 24 hours of its availability. Currently, more than 20,000 employees at Microsoft use an Easy ID e-mail address for external mail.
Microsoft IT has seen multiple benefits resulting from the Easy ID service. The most significant benefits include easier communication with external customers and partners, increased security, and a reusable platform that can be used for future development of service automation and self-service functionality. In fact, Microsoft IT already has plans for a future project that will make use of this reusable platform. Microsoft IT is working on an approach to use the platform in conjunction with the MIIS ERP management agent (which provides the ability to automate access to HR information) to further streamline identity and access management for the company. The goal is to replace the current account provisioning system (which relies on manual processes) with a fully automated, end-to-end account provisioning system that has self-service management features.
Microsoft IT Showcase presents an inside view of the Microsoft IT process for developing, deploying, and managing Microsoft solutions—from Microsoft IT professionals to IT professionals—peer to peer. The resources they provide reveal how Microsoft uses technology to solve specific business problems. Find out more at Microsoft IT: Showcase.
Lana Chin is a technical writer and instructional designer who is based in British Columbia, Canada. She holds an MCSE certification and a Bachelor of Science degree.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited