11 Steps to Ensuring Your Active Directory Identity Management Works Securely

Post Date: 04/23/2018
feature image

Editor’s note: This is the second post in a series around identity management in Azure Active Directory. Check out the first post here  and the others below!


Secure identity management on-prem or in the cloud

Most of us only worry about our ID when we need to prove to others who we are. In the online world, we actually do this on a regular basis. This process affects you more directly than you might think. Whether you login to Facebook, Gmail, or Microsoft Office, you’re proving your identity to a system and that you are who you say you are.

Most systems rely simply on an active username and valid password. Many more are now requiring Two-Factor Authentication (2FA) as a form of access to a system. Many more secure systems include multi-factor elements, such as identity, PIN, activity session timeout, and access-only from certified devices.

Each one of these processes builds walls and restricted paths around accessing a system. From my experience, there’s a balance to be had here between secure access and level of effort to log into systems. Most businesses seem to be on the reactive side of secure identity management in this regard, and we need to look further into how different teams play into this system.

Processes to ensure secure Active Directory identity management

1) When you are employed by a company, your identity as an employee and an agent of a company carries specific rules and requirements for both you and that organization. Companies compensate you with money for your time and efforts to create value, and as such, they often provide IT services, such as laptop, email, and mobile devices to get you productive from the get-go.

Identity management Office 365 Azure Active Directory

2) In order to provide licensed products for you to work, IT services needs to create and originate an identity for you. This can come from HR, such as an email, employee ID, or a request to create a new account.

3) Depending on what your position is inside the organization, your role will vary. Most Identity manager systems allow the creation of buckets to put users in. Administrative staff versus sales employees, or management, are all different buckets with specific roles and privileges.

4) Where things often break down: Communication between teams is often just not there until after the fact. Users come and go from companies all the time. Increasingly, the gig economy is becoming a part of the regular workforce, so the question is whether or not companies will simply allow access to your identity and when jobs are complete you get locked out. This has many ramifications for how business work and share content.

Some best practices to ensure secure Active Directory identity management

5) Check between HR and IT Admin services on a regular interval for the active and inactive users in the system. Simple secure lists can help enable this.

6) Task it out to complete it.

7) If more immediate needs exist, have an email system in place, workflow, forms, etc.

8) Establish SLAs between different units in the organization.

9) Check, prove, review.

10) How this changes in cloud services and SaaS- when users come and go from a multi-tenant system, part of the user agreement mostly surrounds active users. If a user leaves, content may be slated for deletion after a period of time.

This affects access to content that used to go stale on-prem. This should be a concern if content a user worked on is subject to regulatory or legal procedures. Something you should be aware of in systems such as Office 365 or Gmail.

11) Process to archive, backup, and ultimately delete content from inactive users

a. We do not live in a file share- nor should anyone anymore!

b. Help to mitigate potential legal costs from eDiscovery by deleting ROT data or data that has reached its expiration date.


Like what you read? Be sure to subscribe to our blog to stay in the fold for all things Office 365, SharePoint and more! 

Formerly a Solutions Engineer at AvePoint, Bryan worked with enterprises to implement effective business-focused governance, GDPR and regulatory compliance, proactive training and solution deployments for enterprises of all sizes, balancing customizations and available technology to meet business needs.

View all posts by Bryan Vanetten
Share this blog

Subscribe to our blog