Where Organizations go wrong with Azure Active Directory management
Working for AvePoint for two years running now, I’ve been given an amazing opportunity to work and connect with organizations across the enterprise spectrum. From what I’ve learned so far, there are more things that bind organizations together than differentiate them when it comes to effective SaaS management.
One theme I’ve noticed across them is a consistent gap regarding effective Identity Management.
Most of Microsoft’s identity management falls into solutions regarding Active Directory (AD). This post is the first in a series of blog articles relating to the best practices around Identity Management, mostly regarding Active Directory, its relationship with both on-premises and cloud-based Microsoft solutions, and how this affects effective SaaS from a technical, business process, and value priority perspective.
SharePoint, like many of the different solutions offered by Microsoft, is dependent on an array of software solutions to function properly.
Vast troves of books, articles, videos, and blog posts exist detailing expert discussion regarding best practices in managing SharePoint and SQL, IIS, Windows Server, .NET, PowerShell, Visual Studio, and many other solutions. Identity applications in the Microsoft realm can easily stand on their own alongside each of these solutions.
I want to focus on identity because of how imperative it is for organizations to get it right the first time, and to continually check, review, and modify their relationship with identity management. Identity, after all, is the foundational process that enables users to access their corporate resources, content, and sensitive business data.
Effective Identity Management matters because identity is essential to getting things right in any Microsoft solution offered to the business. From the get-go I see things often going wrong.
Azure Active Directory Identity Management Mistake #1
Azure Directory Test environments and production environments are different!
Test environments do not reflect, and often do not even sample, production-level permissions.
This leads to delays in deploying solutions for end users because of unanticipated complications between the practice and the reality of permissions and permissions management.
Azure Directory Management Mistake #2
Direct Control over Azure Directory permissions should be used with caution. (What is the right way?)
Admins often attempt to better control permissions via direct and centralized AD control. This is often a risky method for management and is a mistake for many reasons, no matter the size of the organization, because of the following:
Centralizing permissions management solely into AD and AD admins inevitably leads to process bottlenecks in changes to solutions offered.
Admins intend to spare busy workers pain, but instead risk numbing any pain of experience, which often leads to a solution falling into disuse because it is seen as impossible to make work for business needs.
Azure Directory Management Mistake #3
Admins fail to instill an understanding around Azure Identity Protection and Management
Admins and the business rarely talk about identity, despite its essential function in allowing access
Most people hired by a company are given a corporate identity, usually an email address. This email address is the gateway for many to access resources, communicate, and take action.
Most users, especially employee managers, are not made aware of the underpinning identity management rules in place in solutions such as Azure Active Directory. There is a reason for this: explaining these concepts can be difficult. This leads to a lack of knowledge around Identity Management and Azure Information Protection, and often exacerbates the issue.
Azure Active Directory Management Mistake #4
Failure to Fine Tune Employee Lifecycle Management
The business employee lifecycle and the identity lifecycle rarely match, leading to significant security gaps in access.
New hires, employees retiring, or terminations are a constant cycle at any organization of any size. Rarely have I seen an effective process in place between Human Resources/Recruiting, Admins, and Identity administrators regarding the beginning, middle, and end of an employee’s lifecycle in an organization’s identity management system. This is where automation and configuration management can help mitigate security lapses at organizations dealing with turnover.
Azure Active Directory Management Mistake #5
Failing to see the bigger picture
The silo effect between Exchange, AD Admins, DB Admins, and SharePoint on-prem often leads to disparities in effective administration because of how easy it is to dive deep in controlling elements of these solutions, without realizing the essential unifier for all services: Identity.
Azure Active Directory Management Mistake #6
Excess Devices Lead to Azure Identity Management Problems
With the proliferation of Bring Your Own Device (BYOD) in the workplace, identity access is now mixing between personal and professional areas of life. This has led to solutions regarding containerization of content on phones; however, it still hasn’t really solved the issue of identity, especially across different devices from Windows to Apple iOS to Android, and many more platforms.
Azure Active Directory Management Mistake #7
Not planning and controlling processes when in transition
We see plenty of organizations going all-in to the cloud. They may have transition periods where AD and content are hybrid. This can lead to a new opening for cloud services and management.
Azure Active Directory Management Mistake #8
Failing to Deactivate Users Before Licenses Renew
Cost-effective Identity Management is all about better cost management.
On-Prem CALs in Azure Directory are one of the essential ways Microsoft has priced solutions. Many an admin, myself included, has often not unlicensed an account fast enough when there is turnover.
In O365, the situation is just as complicated as it is on-prem, but with even larger potential ramifications. External license access, permissions management, content leaks, security gaps and unauthorized access to poorly permissioned content are some examples.
Cloud Solutions and SaaS solutions often rely on active users. This leads to very important cost management elements when deploying both Microsoft and Microsoft partner solutions.
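As an added example (not from the original post or from any AvePoint tooling), here is a minimal reconciliation between an HR roster and a directory export. It covers both the lifecycle gap in Mistake #4 and the unreclaimed licenses in Mistake #8. The field names, sample accounts, license label and dates are constructed assumptions, standing in for whatever your HR system and directory reports actually export.

```python
from datetime import date, timedelta

# Constructed sample data (assumed shapes, not real exports).
HR_RECORDS = [
    {"upn": "alice@example.com", "status": "active", "end_date": None},
    {"upn": "bob@example.com", "status": "terminated", "end_date": date(2024, 3, 1)},
    {"upn": "carol@example.com", "status": "terminated", "end_date": date(2024, 5, 20)},
]
DIRECTORY_ACCOUNTS = [
    {"upn": "alice@example.com", "enabled": True, "licenses": ["E3"]},
    {"upn": "bob@example.com", "enabled": True, "licenses": ["E3"]},
    {"upn": "carol@example.com", "enabled": False, "licenses": ["E3"]},
    {"upn": "svc-scan@example.com", "enabled": True, "licenses": []},
]

def reconcile(hr_records, accounts, today, renewal_date, warn_days=30):
    """Return (upn, finding, detail) where the identity lifecycle lags HR."""
    hr_by_upn = {r["upn"].lower(): r for r in hr_records}
    # True when the license renewal falls inside the warning window.
    renewal_soon = timedelta(0) <= renewal_date - today <= timedelta(days=warn_days)
    findings = []
    for acct in accounts:
        upn = acct["upn"].lower()
        hr = hr_by_upn.get(upn)
        if hr is None:
            # Enabled account nobody in HR owns: shared, service or orphaned.
            if acct["enabled"]:
                findings.append((upn, "no-hr-record", "enabled account has no HR owner"))
            continue
        departed = (hr["status"] == "terminated" and hr["end_date"] is not None
                    and hr["end_date"] <= today)
        if not departed:
            continue
        if acct["enabled"]:
            days = (today - hr["end_date"]).days
            findings.append((upn, "still-enabled",
                             f"sign-in enabled {days} days after departure"))
        if acct["licenses"]:
            # A disabled account can still hold a paid seat.
            urgency = "before renewal" if renewal_soon else "paid seat"
            findings.append((upn, "still-licensed",
                             f"{urgency}: {','.join(acct['licenses'])}"))
    return findings

if __name__ == "__main__":
    for finding in reconcile(HR_RECORDS, DIRECTORY_ACCOUNTS,
                             date(2024, 6, 1), date(2024, 6, 15)):
        print(*finding, sep="\t")
```

Note that a disabled account (carol in the sample) still shows up as licensed: disabling sign-in closes the access gap but does not by itself free the seat.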
Formerly a Solutions Engineer at AvePoint, Bryan worked with enterprises to implement effective business-focused governance, GDPR and regulatory compliance, proactive training and solution deployments for enterprises of all sizes, balancing customizations and available technology to meet business needs.