The 84th Edition of the Identity Jedi Newsletter

Special Edition: Microsoft Deep Dive

In partnership with

The Daily Newsletter for Intellectually Curious Readers

  • We scour 100+ sources daily

  • Read by CEOs, scientists, business owners and more

  • 3.5 million subscribers

Hey Jedi welcome to the 84th edition of the Identity Jedi Newsletter! SPECIAL EDITION: The Microsoft Deep Dive! This is going to be fun….. But first, here is a quick shout-out to our sponsors over at 1440 Media. I love straight-to-the-point, information-based material. It’s one of the reasons I got into newsletters like Morning Brew, which inspired me to write this newsletter. Life is full of circles…but I digress. I love 1440’s daily briefing. They are quick reads and straight facts. Check em out, click the link above to show them some love!

Ok, before we get started: for those that are new around here, these editions are a little different. The focus is on one specific topic, in this case Microsoft IAM, and I provide links to articles and resources for further reading and investigation.

Ok, heads up: this is one of the bigger newsletters I’ve written. You can also listen to this online (podcast style). It’s not my voice, unfortunately; if you view this online, there is a generated audio version that you can listen to. JUST FYI.

Now LET’S GET TO THE GOOD STUFF!!!

This week's edition

Ok, let’s get into this. ( Grabs a bottle of Bourbon)

I feel like we can’t start this deep dive without going into a little bit of the history of Microsoft and its relationship with IAM. It all starts with Active Directory. A long time ago (the year 2000, to be exact), in a galaxy far, far away, humans piled into large buildings and sat in what we called cubicle farms. Each cubicle had its own computer that you could log into and access applications on the network or, most importantly, connect to a printer and print out the daily TPS report. It was a different time… (sips bourbon… shudders, and then pours some more)

One of the driving forces behind this marvel of technology was a service known as Active Directory, which allowed administrators to create digital identities for people, computers, and, yes, even printers. It also enabled users to authenticate to different applications using just their Active Directory account. Thus began the fallacy that Active Directory was an organization's authoritative source of identity information. But that’s a different story for a different day. The important part to know here is that Active Directory became a staple for managing access within most organizations.

Fast-forward about a decade (2010), and this little niche of an industry called Identity and Access Management was starting to form. It consisted of managing all things digital identity, from Access Management to Identity Governance (a hot new term at the time) to Privileged Access Management. Organizations needed to understand and control everything about the digital identity lifecycle. So naturally, you would look to Active Directory to do this, right?

Right?

Well, it turns out that Active Directory (AD) wasn’t the only place where information about identities was kept. (GASP!!) So you needed to be able to sync information across various applications, create workflows for requesting access to applications, and allow business users to review and update both identity information and the access that users had. Well, AD wasn’t built for that; it was a sysadmin tool, and sysadmins had become very protective of their precious AD system…


So something else was needed. Enter Microsoft Identity Manager to save the day. (Drinks a bigger gulp of bourbon.) Ok, so there are a couple of iterations that happened before we get to MIM that I didn’t want to rabbit-hole too far down. Suffice it to say that Microsoft was trying to address this problem. They just failed at it multiple times. Acquisitions, mergers, and bad releases eventually arrived at Forefront Identity Manager, which they later renamed Microsoft Identity Manager (MIM), because renaming changes everything in the Microsoft world. (Some history in the Research Table for you.)

Anyways,

The result was a powerful yet very clunky product that did a decent job of connecting systems in your environment IF you were a Microsoft-heavy shop. So, if it played nice with AD, you were most likely good to go. However, AD wasn’t the end-all-be-all that MS thought it was, so many MIM installations sat unused or barely used, and organizations spent millions building around them or replacing them. And MS in the identity world was never seen again……

Not really. But for the most part, they disappeared, and as the decade turned once again, we moved into the “modern era” of identity systems, and MS was mostly just Active Directory. However, as MS transitioned to the cloud like the rest of us, Azure and Azure AD led to the resurgence of MS in the IAM world. (Again, it’s more nuanced than this; see the Research Table for links to more of the history.)

Of course, nothing is complete without a name change, so Azure AD became Entra, which brings us to today.

So let’s break this down by component.

Governance

The Entra Suite, at first glance, offers a full complement of IAM services, all in one platform and all integrated with each other to a certain extent. The governance capabilities aren’t ones that would compete with SailPoint, Saviynt, ConductorOne, or insert-your-IGA-platform-here. Instead, Entra’s governance product is built to give users a “just good enough” governance tool for managing all access integrated with Entra ID. If you can connect it via SSO, then you can govern it via Entra Governance. However, it’s an Entra group-based type of governance. Basically, it seems to want you to consolidate the entitlement and permission model of outside applications into the entitlement and permission model of Entra ID. (Disclaimer: this could be inaccurate, as I don’t have access to build a full environment with Entra.)

Access Management

Entra ID as an Access Management tool is solid. The combination of conditional access policies and the overall commoditization of Single Sign-On makes this a strong offering for MS. It’s this offering that gives MS the wedge in most organizations for a complete migration over to MS for all IAM needs. Part of what led me down this area of research is the conversations I’ve had with organizations about the financial cost savings of consolidating onto MS. The “it’s all in there” approach gives customers so much on the business operations side, and does just enough on the identity side, that it’s a really hard argument to make for an additional spend on an outside product that does one thing better. Said differently, customers are starting to buy into MS not because it’s the best IAM tool, but because it’s the best business tool that does identity stuff decently FOR all things MS.

Privileged Management

This isn’t the PAM that most of us think of. It’s more of the “PAM is IGA done right” type of PAM. The Entra platform allows you to govern privileged access much like you would any other access. It gives users options to do just-in-time access and to set time boundaries on when certain access can be used, or even requested. It allows you to create solid boundaries around the most critical access in your environment. That part I actually like. However, again, it’s very “Microsoft is the center of the world” specific. There’s not much about how it helps you manage privileged access that lives outside of MS. (Again, disclaimer: I don’t have access to a full working environment, so I could be wrong here.)

Final thoughts

There’s a lot more digging that I can do around this, but from what I was able to put together, the Entra ID suite of IAM tools is a very compelling offer for customers that fit specific criteria:

  • MS-based shop - meaning everything you have integrates with and flows through Microsoft

  • Cloud first/cloud only - ideally, no on-premises solutions

  • Mid-market and under - 10,000 users or fewer; at that size, this gives you everything you need to manage your IAM program sufficiently, plus all the cool things on the business side.

If you don’t fit those criteria, this thing starts to fall apart on you very quickly. I’m also interested to see how MS starts to work Copilot into their IAM platform. Combined with the work they are doing on the security side, I have to admit that it’s a real solid offering for a company that fits the specifications mentioned above.

As always, I’m up for discussion around this and would love to hear your thoughts around MS. Comment, reply, DM, send a raven, all is welcome.

Research Table

Hit this section to go down even further rabbit holes around Microsoft.

Identity Jedi Show Podcast

Had such a great with Sarah. She’s one of my favorite people!

The Last Word

Is the cost of IAM too high?

Close your eyes, vendors, or you might want to stop reading at the end of this sentence.

As we embark further into this platformization of IAM, do we need to reset the cost of these tools? Historically, technology should get cheaper the better we get at it, and yet we continue to charge a premium for doing something that we say is CRITICAL to the lifeblood of every business. Yet we still suck at showing its real value, and we still struggle to get really good implementations of it. So, as we look at this brave new world where customers expect to have one suite of tools that helps them manage this to reduce costs, what exactly should that cost be? Before this, SSO was $5, PAM was $8, and IGA was $100; NHI wasn’t heard of, and neither was ITDR, CIEM, or any other alphabet soup we want to throw in there. So when we combine all of these into one, what should the cost be? I mean, it should be the Costco model, right? I’m buying in bulk, so I should be getting some kind of discount per piece… right?

The REAL cost in most of this is not the implementation of the products. It’s in the change to the business that doing this right costs an organization, both in man-hours and consulting hours. So if we truly separate those two and make better products with better technology, the cost of that tech should be lower. We can also bring down consulting costs by doing the hard stuff with the products instead of just doing the low-hanging fruit. Specifically: build a product that analyzes data, generates role recommendations based on usage, and maintains those roles based on continued usage. Automatically onboard applications based on published standards and API connectivity. Those are just a couple of examples; I’m sure there are hundreds more. We can’t really expect customers to keep paying hundreds of thousands of dollars for software and then millions of dollars for implementations…. can we?

Food for thought.

Quick Announcements: Identity Jedi University is coming! Planning a rollout event soon for everyone here, and then a more public one as well. So be on the lookout for that.

Premium Members will have discounted access to IDJU once it launches.

Early bird members will also receive some discounts. It's not too late to get in on that. You can sign up for the waitlist here. Registration closes August 20th.

Till next time

Be Good to each other, Be Kind to each other, Love each other

-Identity Jedi
