What is our primary use case?
BDO is a network of firms and a firm is what we call a country. So, we are present in about 160 countries. I am involved in BDO Global, which is not really a firm in the sense that we don't deal directly with clients, but BDO Global hosts IT services for all those 160 countries. A couple of those solutions are a worldwide audit solution that our firms use for financial audits for customers. We have a globally running portal solution, which firms are using to collaborate with our customers directly. All these services are basically based on Azure AD for authentication and authorization. This has been a lifesaver for us, because BDO firms are legally independent, so, we don't have a single identity store worldwide, like other big companies potentially do. We created an IAM solution based on Azure AD that ties all 160 dispersed identity stores back into one. We use that to give access to our services that we run globally.
Azure AD doesn't really give you a version. You just need to take the version as-is because it is a service that Microsoft delivers as a SaaS service. So, we don't have a lot of influence over the version that we use.
How has it helped my organization?
Besides tying together all authentications for our 160 countries, it has also been instrumental in getting the collaboration going between our firm countries since normally they are quite isolated. Also, their IT firms are quite isolated. So, Azure AD has made sure that we can collaborate with each other in multiple different systems: the global portal, the Audit application, and Office 365. This allows us to collaborate closer together, even though we are still separated as different countries.
Because it is an identity store, it handles all our authentication. We also use it with a combination of conditional access, which is a way to limit people's authentication or authorization based on where they are, the compliance of their device, and on a whole bunch of other variables that we can set. So, it definitely has been influential as well on the security side. Because it is a SaaS, you have central management over that. You can see all the logins and get reports on who signs in from where.
There is a lot of artificial intelligence in Azure AD that can monitor behavior of users. If users behave in a strange way, then the authentication can be blocked. For example, if you have a user logging in from China, but it looks like the same user is logging in from America just a few seconds apart. That is a seemingly risky behavior that Azure AD flags for you, then you can block that behavior or have the user provide you with a second factor of authentication. So, there are a lot of security features that come with Azure AD too.
What is most valuable?
In our scenario, we use a lot of the business-to-business (B2B) features in Azure AD, which allows us to tie multiple Azure AD instances together. That is what we heavily use because every firm or country has their own Azure AD instance. We tie those together by using the B2B functionality in Azure AD. So, that is the most valuable part for us right now.
It has been very instrumental towards a lot of services we run, especially on the single sign-on side. For example, we have 160 countries that all run their own IT but we still are able to provide users with a single sign-on experience towards global applications. So, they have a certain set of accounts that they get from their local IT department, then they use exactly the same account and credentials to sign into global services. For the user, it has been quite instrumental in that space. It is about efficiency, but also about users not having to remember multiple accounts and passwords since it is all single sign-on. Therefore, the single sign-on experience for us has been the most instrumental for the end user experience.
We are using a whole bunch of features:
- We are using privileged identity management, which is also an Azure AD feature. This allows us to give just-in-time, just enough access to privileged accounts. For example, normally you have a named account and you get a few roles based on that named account. If that is a very privileged role, that role always sits on your account all the time. When your account is compromised and the role is on the account, the people that compromise your account have that role. With privileged identity management, I can assign a role to a certain account for a specific amount of time and also for a specific amount of privileges, e.g., I can give somebody global administrator access, then revoke that after an hour automatically. So, when his/her account gets compromised, that role is not present anymore.
- We use conditional access.
- We use access reviews, which is basically a mechanism to access reviews on Azure AD groups automatically. So, the group owner gets a notification that they need to review their group member access, and they use that to do reviews. That is all audited and locked. For our ISO process, this is a very convenient mechanism to audit your group access.
What needs improvement?
We have a custom solution now running to tie all those Azure ADs together. We use the B2B functionality for that. Improvements are already on the roadmap for Azure AD in that area. I think they will make it easier to work together between two different tenants in Azure AD, because normally one tenant is a security boundary. For example, company one has a tenant and company two has a tenant, and then you can do B2B collaboration between those, but it is still quite limited. For our use case, it is enough currently. However, if we want to extend the collaboration even further, then we need an easier way to collaborate between two tenants, but I think that is already on the roadmap of Azure AD anyway.
For how long have I used the solution?
I have been using it for about six years.
What do I think about the stability of the solution?
The stability has been very good because it is an underpinning service for many things that Microsoft does:
- The underpinning identity store for Office 365.
- The underpinning identities over Azure services.
So, the stability has been very good. We haven't had major issues with Azure AD so far.
On the global side, we have around two to three FTEs aligned to this. On the firm side, in the countries, FTE's are aligned to managing identity as well. These FTE numbers differ per firm. In our case, there are about two to three FTEs who are aligned to this. That is normally probably not what you would need, but since we run some custom code around this to be able to do the B2B process, we need about two to three FTEs.
What do I think about the scalability of the solution?
Scalability is not a problem. We don't have to control that because Microsoft does it as a SaaS. However, we have never seen any real performance issues on the authentication stuff. I think they handle that under the hood. Since it is such an important service for them, they keep the scalability quite well. We don't have any scaling concerns. We also can control the scale. It is basically taken care of because it is a SaaS.
It is fully deployed to about 80,000 people worldwide.
How are customer service and technical support?
We have Microsoft Premier Support, which has been quite good. It is quick. We are mostly into the engineering group quite quickly, and that has been good. I think they also have non-paid support, which has somewhat lower response time SLAs, but we have Premier Support.
Which solution did I use previously and why did I switch?
Before, we only used local Active Directories because we were not in the cloud. Currently, in BDO Global, we are 100 percent cloud. So, we use Azure AD only.
We haven't run any other solutions than Azure AD.
How was the initial setup?
The initial setup is a relatively straightforward process because Microsoft gives you a lot of guidance on how to do it. They also have a tie-in with local Active Directory. So, if you are running a local Active Directory, you can easily integrate it with Azure AD. It is also one of the more powerful features of the solution because it is a SaaS solution, but you can still tie it in with your local identity store. That makes it quite powerful because many companies, before they go to the cloud, have a local identity store, e.g., Active Directory. Microsoft has a very easy process and some tooling to make it integrate with Azure AD, so your local identities, you can still be leading, but you can sync all those identities up to Azure AD quite easily and keep the identity storage up to date.
We are exclusively using Azure AD in BDO Global. In other BDO countries, most countries use local Active Directory in combination with Azure AD.
If you look at it from a BDO country perspective, you have everything up and running in about a week, if not quicker. In our global setup, that took a little bit longer, because we had to create a solution to synchronize multiple Azure ADs towards the global one. We did that via B2B, so our setup took a little bit longer as it also involved some custom development. If you only deploy Azure AD from a single company perspective, then it should be a relatively quick process.
Deployment is not that hard because it is a SaaS solution, so you don't have to deploy any infrastructure. All that is taken care of by the solution itself. It is a matter of configuring first-time use, then setting up a sync between your own identity store and Azure AD, which is quite an easy process. If you read through the documentation, then you can have that sync running in about a day.
What about the implementation team?
We mostly did the implementation and the custom coding ourselves in combination with people from Microsoft.
What was our ROI?
The ROI has been quite good because we looked at competitors as well, Ping and Okta, but their license fees were quite high. Also, Azure AD can meet all our use cases. In the beginning, we only used the free version, so that was quite cheap to run. We had some custom code that we needed to develop, but that was due to our specific use case. Overall, the return on investment has been very positive. The solution is not very expensive to run. It is quite stable. For us, it brings a whole lot of capabilities to provide people with a single sign-on experience across the world.
Compared to other big vendors over the past six years, I think we are close to saving $5 million on FTEs and licensing, which is substantial.
What's my experience with pricing, setup cost, and licensing?
MS has a free version of Azure AD as well. So, if you don't do a lot of advanced stuff, then you can use the free version, which is no cost at all because it is underpinning Office 365.
Some of the services that I mentioned, like conditional access, privileged identity management, and access reviews, come with a certain premium license per user. We negotiated those license fees in what we call a GEA. This is a global Microsoft contract that we have. So, the pricing seems to be quite fair. If I compare it to its competitors, Azure AD is a lot cheaper.
Because Microsoft gives it to you as a SaaS, so there are no infrastructure costs whatsoever that you need to incur. If you use the free version, then it is free. If you use the advanced features (that we use), it is a license fee per user.
Premier Support is an added cost, but they do it based on the amount of services that you consume. We don't have it specifically for Azure AD because we run a lot of Microsoft technologies. We have an overall Premier Support contract, which is an additional cost.
Which other solutions did I evaluate?
We looked at many different vendors for identity because our identity store is quite complicated within BDO, because you don't have that single identity store across all the countries like you see in many other global companies. So, we had a strategy. We looked at other products that could potentially do the same. However, the features that Azure AD gave us the option to do this as we wanted to do it. The other tools that we looked at, Okta and PingFederate, were not able to do the same thing for us back in the day. This is especially because we have many different identity stores within the BDO countries that have to be under the control of those countries. BDO Global cannot and is not allowed to control those identities. We need to allow the countries to control those identities themselves, but we still need a way to tie those altogether on the global side. Azure AD was the only solution that could do that for us.
From a BDO Global perspective, we don't. The firms and countries own their identities and the management around them, and they also need full control on those identities. We as BDO Global are not even allowed to control those, but we do need to provide them with single sign-on experiences. So, Azure AD is the service that allow us to do that.
Our primary use case was about that control, which is a very specific use case because countries need to control their own identity stores and we are not allowed to control that from a global perspective. Specifically, the control requirement and still being able to have that single sign-on experience led us to Azure AD. The other big vendors that we looked at couldn't do that.
What other advice do I have?
This solution is a prerequisite with some of the bigger Microsoft services, so if you want to use Office 365, Dynamics, etc., then you need Azure AD. However, it is also quite good to use for other services as well because they are currently supporting tens of thousands of other applications that you can sign into with an Azure account. So, it is not only for Microsoft Office, and I think that is probably a misconception in many people's heads. You can use it for many other cloud services as well as a single sign-on solution. My biggest point would be that it can be used for Microsoft services, but people tend to forget that you can also use it for many other services. In that sense, it is just an identity store that you can use across many services, not only Microsoft.
It continues to be one of our primary fundamental services around authentication, so we will keep using it in the future. We are planning to reduce the amount of custom code that we need to tie all these things together. Microsoft has a few things on the roadmap coming up there. We hope that we can decrease the amount of custom code that we need to run around this. The custom code is mostly about synchronizing identities from 160 countries to us. Microsoft will bring some stuff out-of-the-box there so we can hopefully decrease the custom code. It is a fundamental solution for us for identity and single sign-on, so we definitely plan to keep using it.
The biggest thing we learned is that the security boundaries are shifting from what used to be networks, firewalls, and data centers that you owned yourself. The security boundary is more shifting to identity in these cases because people are using cloud services. They use a single identity, and in this case, Azure identity to sign into those cloud services. You are not always controlling where people are signing in from anymore because those services live in the cloud. Where you used to have servers running in your data center, you had far more control on the network, firewalls, and all that stuff to keep those services secure. You now have to rely much more on the identity because the services are running in the cloud. You don't always have control over the network, so people can sign in from every device.
The security boundary is really shifting towards identity. Azure AD gives you a lot of options to secure your identity in a proper way. We use multifactor authentication, the conditional access piece, and privileged identity management, which are all services that Azure AD provides and quite hard to implement on a traditional Active Directory.
I would rate this solution as 10 out of 10. It is instrumental to everything that we do.
Which deployment model are you using for this solution?
Which version of this solution are you currently using?