Azure AD and SailPoint: Advanced identity governance across your on-premises and cloud resources

First published on CloudBlogs on Feb, 10 2017
Howdy folks, Over the past year, we've had the privilege to work closely with our largest customers in highly regulated industries like healthcare, financial services and pharma, helping them to successfully deploy and use Azure AD Premium. Through this close partnering, we've learned that to meet their unique security and compliance requirements, they need some pretty advanced access governance controls across their on-premises and cloud resources, in addition to the industry leading identity management and security they get with Azure AD Premium. Today, we've got good news for these customers. I am thrilled to announce our technical collaboration with SailPoint, a proven leader in identity governance. SailPoint' s identity governance capabilities, combined with Azure AD's secure access and risk-based identity protection, will help cover the most demanding security and compliance needs of our joint customers. The SailPoint integration extends Azure Active Directory Premium to provide full, fine-grained provisioning and lifecycle governance across enterprise systems on-premises and in the cloud. Let's take a look at how the integration works through the lens of a few specific scenarios.

Identity and context synchronization The first step in enabling advanced access governance is to synchronize the Azure AD view of users and their access to applications with SailPoint. This is performed using a direct connector that automatically aggregates user accounts, group permissions, and Microsoft Access Panel tiles and maps each of these to the SailPoint Identity Cube. It also provides the basis for SailPoint to send change events back to Azure AD when access is modified during a governance mitigation process. In addition to this, SailPoint will connect to applications managed outside of Azure AD, including on-premises applications like EPIC, which is widely used in healthcare. This creates a 360-degree view of all access in the organization and creates a strong foundation for comprehensive control. Access request and lifecycle events User access request and approval is at the core of any identity management and governance solution. The integration of SailPoint with Azure AD adds support for self service access requests and approvals. Additionally the integration propogates access changes based on employee lifecycle events like join, move, or leave across all applications (cloud or on-premises) to ensure that access is granted according to business policy. In both cases, the SailPoint-Microsoft combination enables end-to-end coverage of all provisioning events with full synchronization of access changes to the Microsoft Access Panel. Identity governance – certification, segregation of duty policies, and more A key component of strong identity governance is the ability to review access on a regular basis. The integration provides a simple and effective way to automate the entire access certification process. SailPoint's access certifications combine data collected from the identity and context synchronization process described above with account and entitlement data from all application sources to create a single view of all access. After that, a fully automated access review process can be initiated to business and IT owners. Changes to access that resulted from the access review process are automatically propagated to the Azure AD Access Panel. Another important governance control is the ability to enforce SOD policies throughout a user's lifecycle with an organization. SOD policies can be defined and enforced by SailPoint during access reviews or access request processes to provide an additional level of policy control. SailPoint also delivers audit and compliance reporting that demonstrates the effectiveness of the identity controls operating across the organization. This significantly reduces the burden on IT operations teams and improves visibility for the business. Self-service password reset extension In addition to the governance capabilities described above, the integration with SailPoint enables an important password management use case – the combined solution can automatically propagate an Azure AD password change to all connected systems in SailPoint that share a common password policy. This allows a user to change their password once in Azure AD and have it synchronized across a wide variety of on-premises and cloud-based systems. We're excited to bring this partnership to you and want to hear your feedback. Leave your comments below and reach out to us via Twitter! As always, we're listening. Best regards, Alex Simons (Twitter: @Alex_A_Simons ) Director of Program Management Microsoft Identity Division