Archive

Archive for the ‘Voice of the Customer’ Category

MVP Health Care secures member portal access with Microsoft Azure Active Directory B2C

November 23rd, 2021 No comments

Hello! I’m Sue Bohn, Microsoft Vice President of Program Management for Identity and Network Access. In today’s Voice of the Customer blog post, Chief Technology Officer and Chief Information Security Officer David Swits of MVP Health Care shares how Microsoft Azure Active Directory B2C helped the organization modernize and simplify portal authentication.

MVP Health Care modernizes and simplifies the way members gain access to health plan information

As both Chief Technology Officer and the Chief Information Security Officer at MVP Health Care, I believe you must design your technology solutions with security as the foundation and then overlay the functionality. When building online portals to be accessible to four groups—individual members, employers, healthcare providers, and brokers—MVP Health Care prioritized security as much as ease of use and the user experience (UX). After all, stolen healthcare data is highly prized by cybercriminals, and we have a duty to protect members’ information.

MVP Health Care is a regional, not-for-profit health plan with 700,000 members and 1,700 employees in New York and Vermont. When I joined in 2018, the company was eight to nine years behind on technology. Our objective was to embark on digital transformation so the company could more easily and efficiently serve our constituents. As a Microsoft-first organization, that meant turning to Microsoft technology as we reinvented our infrastructure and replaced our traditional authentication methods with Azure Active Directory (Azure AD) External Identities for B2C user journeys.

The technology running previous portals was antiquated and cumbersome

Comparing healthcare plans can be confusing. We knew we had data that could make it easier. To do that, our portals needed to cut through complexity and deliver the right content for each constituent group.

The old portals—fueled by the IBM WebSphere Application Server—were cumbersome to use and support. MVP Health Care developers sometimes had to go through the back-end to fix an account. No back-end identity process existed to authenticate people who needed to access a portal, so anyone could create an identity for anyone.

Partner Edgile becomes an extension of MVP Health Care’s team

We considered augmenting what we already had with biometrics features, but those plugins didn’t mesh well with our infrastructure. In 2018, we brought on Edgile as a partner and shared our Zero Trust security approach—assuming breach and giving people the least privileged access possible. With extensive knowledge of Azure AD B2C, Edgile designed the identity infrastructure around the new portal and trained our team on best practices.

Edgile built B2C custom policies with user flows, such as seamless single sign-on and self-service password reset. Single sign-on lets people access all their apps after signing in once, while self-service password reset enables people to unlock or reset their passwords without the help desk. To preserve the user accounts from MVP’s previous identity provider, Edgile designed a migration path for users to move to Azure AD B2C the first time they signed in.

Microsoft provided feature previews to Edgile and worked with an MVP Health Care developer to port the UX designs into the HTML, JavaScript, and cascading style sheets (CSS) to refine the experience. A collection of Azure functions and a .NET Core RESTful web application from Edgile helped maintain data synchronization and the execution of complex operations.

“Edgile teamed up really well with MVP Health Care expertise in identity management including external identity management. We started first with a strategy that was followed by a successful quickstart/proof of concept that led to the broader implementation.”—Tarun Vazirani, Edgile Account Partner

Custom policies help create user journeys

MVP Health Care leveraged the custom policies, which are configuration files that define the behavior of MVP’s Azure AD B2C tenant user experience. While user flows are predefined in the Azure AD B2C portal for the most common identity tasks, a custom policy can be edited by an identity developer to be fully configurable and policy-driven. It orchestrates trust between entities in standard protocols, including OpenID Connect, OAuth, and SAML, and a few non-standard ones like REST API–based system-to-system claims exchanges. The framework creates user-friendly, white-labeled experiences to:

  • Federate with other identity providers.
  • Address first- and third-party multifactor authentication challenges.
  • Collect user input.
  • Integrate with external systems using REST API communication.

Each user journey is defined by a policy. One can build as many or as few policies as required for the best user experience.

Microsoft’s identity experience framework

Figure 1: Microsoft’s identity experience framework.

A more unified and streamlined customer experience

Three portals have launched—with the provider portal expected to go live soon. Members appreciate the simpler, modern way they access their portal.

We now have modern authentication that integrates with modern technology. We can easily connect to Google, Facebook, and other verification methods. The experience is familiar for MVP Health Care’s constituents because it’s the same as the graphical interface they see elsewhere.

Together, all the features of Azure AD add huge value. Azure AD multifactor authentication and Conditional Access support Zero Trust’s baseline security. We’re audited on how well we protect confidential information. Multifactor authentication requires identity verification, such as entering a code sent to a phone. Conditional Access policies are if-then statements for how someone gains access.

On launch day, I tested the capabilities of Azure AD B2C and the new portals. I’ll never forget that feeling of knowing we’d chosen our technology wisely. It was slick. It was effective. It was fast. And it’s been an incredible asset for our organization ever since.

Voice of the Customer: Looking ahead

Many thanks to David for sharing MVP Health Care’s story. Our customers have told us how valuable it is to learn from their peers. The Voice of the Customer blog series is designed to share our customers’ security and implementation insights more broadly. Bookmark the Microsoft Security blog so you don’t miss the next in this series!

To learn more about Microsoft Security solutions visit our website. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post MVP Health Care secures member portal access with Microsoft Azure Active Directory B2C appeared first on Microsoft Security Blog.

Medius’ small IT team supports distributed workforce with Azure Active Directory

March 22nd, 2021 No comments

In today’s Voice of the Customer blog post, IT Manager Jacob Andersson and IT Systems Architect Fredrik Frööjd of Medius share how Azure Active Directory (Azure AD) has inspired employees to live by the cloud commitment the company encourages from customers and helped their small team support a remote workforce with fewer resources. Atea, one of our Azure AD system integration partners, played a key role in this effort.

Medius logo

Securing a remote workforce with fewer resources with Azure Active Directory

At Medius, we develop cloud-based spend management solutions, including the accounts payable workflow solution MediusFlow (Microsoft offers an online tutorial on configuring MediusFlow for automatic user provisioning). We’re one of the largest Microsoft partners in the Nordics to build and offer an entire solution in Azure. Because we advocate the value of cloud for customers, we decided it was fitting to turn to the cloud solution offered by Azure AD to meet our identity requirements.

Providing a fully remote work environment

Our 3,500 customers typically want to restrict access to their financial documents by title or division. Since most have more than 200 employees, it would be cumbersome to manually set access for each employee. Being able to assign users through Azure AD using known Microsoft protocols is a big selling point of our spend management solution.

We can relate to our customers’ need for secure authentication in systems and applications; it’s important to us too. While headquartered in Sweden, Medius has offices in eight other countries and our employees work from across the globe. Teams are both distributed and virtual. It’s not unusual for project meetings with customers to include Medius employees from three countries. We’ve prioritized providing a fully remote environment, in part because the consulting nature of our business requires that some employees travel to customer sites.

That fully remote experience extends to offboarding. When employees leave Medius, Azure AD identity and access management makes it easier to abide by our HR processes, which are reviewed by external auditors. Each employee is associated with an active ID. When an employee is offboarded, we can disable accounts and block user access to everything at once from Azure AD.

Freeing up IT time with features and user self-service

As a small IT team, we couldn’t support Medius’ 400 employees without the increased security and high reliability offered by Azure AD. Time savings is among the biggest benefits of using Azure AD for secure management of users and identities. If a partner requires access, Medius can add them as a guest in Azure AD so the external identity is trusted in required Medius’ internal systems.

Azure AD serves as a trusted source of information that we can depend on in every situation. Rather than navigating islands of systems with unique identities, Azure AD is our single place for everything related to identity management. Because of that, we can help users in any time zone from wherever we’re working. However, users appreciate that the solution is user-friendly, and they can handle some identity tasks themselves. This frees up the IT service desk to focus on other work, and in a growing company, there’s plenty to do.

Users tell us they appreciate the simplicity of single sign-on, which allows them to log in with a single ID and password to SaaS apps like Salesforce, Zuora, Jira, Confluence, DocuSign, and Freshdesk. They also like the flexible integration, ease of use for frictionless workflow, and convenience of Azure AD multifactor authentication, which lets them verify their identity via multiple credentials.

Self-service password reset is another popular feature. We operate in just about every time zone, but our IT team is located in European time zones. Before self-service password reset, it could take as long as two days for an employee to have a password reset by the IT team. Now, employees can reset a forgotten or locked password themselves 24/7 and stay productive.

Connecting during the health crisis

Before the recent healthcare crisis sent employees home, Medius switched from Skype to Microsoft Teams, making it easier for everyone to remotely collaborate and share files. That’s been even more valuable now that in-person meetings are not possible.

Medius is a growing company that has been hiring throughout the crisis. With Azure AD, we can ship laptops directly to the homes of new employees and have them login remotely using Windows Autopilot, which is a collection of technologies to set up and pre-configure new devices.

Improving processes with support from Atea

Our partner Atea, one of the leading providers of IT infrastructure in the Nordic and Baltic regions, offers a full range of hardware and software from the world’s leading technology companies and a team of consultants. The company played a key role in our effort to migrate apps to Azure AD and ramp up new employees.

Atea has told us that they do a lot of work for their customers when it comes to migrating apps to the cloud, helping them to benefit from the security and time-saving benefits of Azure AD. For instance, the pre-defined instructions on configuring applications in the app gallery facilitate the process of setting up a new integration.

Atea calls the partnership with Microsoft “extremely important” and has appreciated seeing product roadmaps and gaining access to private previews, which help it shape future offerings.

We look forward to sharing our next big successes: the introduction of the Conditional Access feature and a broader rollout of passwordless identity authentication.

Voice of the Customer: Looking ahead

Many thanks to Jacob and Fredrik for sharing the benefits they’ve realized with Azure AD. Our customers have told us how valuable it is to learn from their peers. The Voice of the Customer blog series is designed to share our customers’ security and implementation insights more broadly. Bookmark the Microsoft Security blog Voice of the Customer so you don’t miss the next blog in this series!

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Medius’ small IT team supports distributed workforce with Azure Active Directory appeared first on Microsoft Security.

Mattress Firm deployed Azure Active Directory to securely connect Firstline Workers to their SaaS apps and to each other

February 13th, 2020 No comments

Today, we have another interesting story for the Voice of the Customer blog series. Tony Miller and Jon Sider of Mattress Firm deployed Azure Active Directory (Azure AD) to create a secure authentication experience for employees, including their Firstline Workforce. Much like sleep and a good mattress provide the foundation for a productive and enjoyable life, Tony and Jon show how Azure AD provides the secure foundation for a connected omnichannel experience. They were able to cut internal costs, quickly onboard their Firstline Workers, connect their employees to each other, and deliver a better authentication experience.

Read more from Tony and Jon to learn how you can use Azure AD to improve your customer experience.

Azure AD simplifies user provisioning and protects Firstline Workers’ identities

As America’s largest specialty mattress retailer, Mattress Firm aims to deliver a personalized experience to all our customers no matter how they interact with us. An exceptional customer experience requires a connected workplace. When a customer makes a purchase online and then visits a store for a second purchase, our sales associates, or “Firstline Workers,” should understand their full story and total lifetime value. If a customer needs to change the delivery time of a mattress, it should be easy for a customer services rep to contact the driver and reschedule the delivery. These connection points are invisible to the customer but can turn an ordinary interaction into a great one. To help us realize this aspiration, we deployed several Microsoft 365 products—one of which was Azure AD—to securely and simply unite communication across corporate and all the stores.

The foundation of strong cross-company collaboration is secure and simple user authentication. Our sales associates access several different software-as-a-service (SaaS) and on-premises apps to communicate and complete tasks. Many of these apps require a separate account, which meant users signed into multiple accounts throughout the day. We were concerned that some were reusing passwords, opening us up to risk. Our identity team was also overburdened. They were responsible for setting up accounts for each user, updating permissions as needed, and revoking accounts when users left the company. To resolve these challenges, we deployed Azure AD, which allowed us to decrease the size of the identity team, deliver a simpler user access experience to our employees, and gain more visibility into security threats.

Migrated identity and access management from Okta to Azure AD

Before we selected Azure AD, we investigated various identity and access management (IAM) options. We had previously deployed Okta, which fulfilled many of our requirements. However, we were simultaneously increasing our investment in Microsoft 365. We reviewed both Okta and Azure AD and discovered that Azure AD delivers better controls and security for Office 365 and its data than Okta at a much lower cost in addition to single sign-on (SSO) to other applications. At that point it was an easy sell, and we migrated all our users to Azure AD.

Decreased the size of the identity team

We are a large company with over 8,500 employees, stores in 49 states across the country, and 73 distribution centers across the biggest markets. Our physical footprint allows us to deliver a mattress within an hour to 89 percent of the population. Like many retailers we have a lot of employment churn. Each day, we process between 10-100 user identity status changes. Before Azure AD, a team of 12 people were responsible for provisioning the right accounts and access to each user. Twelve people is a large team, but it was required because for each change—whether that was a new hire, a promotion, or someone leaving the company—an identity team member needed to manually grant access or change privileges to them one at a time. This took a lot of time, and it was error prone.

Once we deployed Azure AD and set up automated provisioning, the onboarding process sped up significantly. Today, someone in human resources sets up a new employee in our HR system and within four hours the employee is onboarded to all their accounts. Our Identity Manager was able to redeploy most of the people on the provisioning team to higher priority work. Now there are just two people who manage the environment. We’ve realized a huge costs savings from this transition—about $500,000 per year in hard dollars, but tons of soft costs saved!

Infographic explaining Azure AD automated provisioning, with Azure AD in the middle; Active Directory, Cloud HR, and SCIM surrounding it.

Azure AD automated provisioning simplifies the process of provisioning the right access and applications to each user.

Delivered a simpler and more secure user access experience

Our users have also benefited from the rollout of Azure AD and automated provisioning. We enabled SSO so users can sign in once and access all the apps they need for work. We integrated Azure AD with about 40 apps, including Workday, Back Office, Salesforce, our VOIP administrator, Citrix, Tools video, Microsoft Dynamics 365, Concur, Tableau, WebEx, our benefits portal, our 401K provider, and all the Office 365 apps. Our employees love the new process. It is now rare that they must use another account to access work apps.

Infographic showing apps connected to Azure Active Directory.

With Azure AD SSO, users sign in once and have access to all their apps.

Azure AD has also given us peace of mind. Our customers provide a full set of information when they purchase a mattress from us. They trust us to protect their first-party data. Azure AD offers tools to better safeguard our identities. We control access to the first-party data based on employment status. We also enabled Multi-Factor Authentication (MFA) to Workday and off-premises sign-ins. That means whenever a user attempts to sign in to Workday or if they attempt to access any other system from off-site, we force a second form of authentication. Users get a secure code from the Microsoft Authenticator app, which validates their identity with Azure AD. This significantly reduces our security risk, and employees find it easy to use—a win for everybody.

We also enabled conditional access policies to reduce or block access when sign-in circumstances are risky. For example, Azure AD can evaluate the riskiness of a client app or the location of a user trying to gain access. If the risk is high enough, we can block access or force a password reset to confirm identity. Another good example of our conditional access approach is the leave of absence policy. While users are on a leave, we limit the apps they can access to the ones they really need: Workday and our benefits portal. These flexible, customizable policy strike the right balance between enabling productivity while minimizing our exposure.

Infographic showing signals (user, location, device, app, real-time risk) being verified (allowed, requiring MFA, or blocked).

Azure AD can evaluate user and location, application, device, and real-time risk before allowing access.

Improved threat visibility

Security doesn’t end with our access policies. Azure AD also provides tools that Security Operations (SecOps) use to better understand security incidents. The Azure AD authentication logs and the Office 365 application access information provides useful insights. We now better understand when users try to access applications with VPNs or from unauthorized networks. This intelligence informs our security strategy and policies.

Azure AD has provided the foundation for a secure and connected employee experience. As we operationalize communication tools like Microsoft Teams, we are confident that the information that employees share is less likely to get compromised. Employees are empowered to work together to meet and exceed customer expectations. We rest easy because our customer data is more secure.

Azure Active Directory

Protect your business with a universal identity platform.

Get started

Learn more

I hope you’re able to apply Mattress Firm’s learnings to your own organization. For more tips from our customers, take a look at the other stories in the Voice of the Customer blog series. Also, check out the Mattress Firm case study to see how other Microsoft 365 solutions have helped them improve the customer experience.

Here are several additional resources:

Finally, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Mattress Firm deployed Azure Active Directory to securely connect Firstline Workers to their SaaS apps and to each other appeared first on Microsoft Security.

Mattress Firm deployed Azure Active Directory to securely connect Firstline Workers to their SaaS apps and to each other

February 13th, 2020 No comments

Today, we have another interesting story for the Voice of the Customer blog series. Tony Miller and Jon Sider of Mattress Firm deployed Azure Active Directory (Azure AD) to create a secure authentication experience for employees, including their Firstline Workforce. Much like sleep and a good mattress provide the foundation for a productive and enjoyable life, Tony and Jon show how Azure AD provides the secure foundation for a connected omnichannel experience. They were able to cut internal costs, quickly onboard their Firstline Workers, connect their employees to each other, and deliver a better authentication experience.

Read more from Tony and Jon to learn how you can use Azure AD to improve your customer experience.

Azure AD simplifies user provisioning and protects Firstline Workers’ identities

As America’s largest specialty mattress retailer, Mattress Firm aims to deliver a personalized experience to all our customers no matter how they interact with us. An exceptional customer experience requires a connected workplace. When a customer makes a purchase online and then visits a store for a second purchase, our sales associates, or “Firstline Workers,” should understand their full story and total lifetime value. If a customer needs to change the delivery time of a mattress, it should be easy for a customer services rep to contact the driver and reschedule the delivery. These connection points are invisible to the customer but can turn an ordinary interaction into a great one. To help us realize this aspiration, we deployed several Microsoft 365 products—one of which was Azure AD—to securely and simply unite communication across corporate and all the stores.

The foundation of strong cross-company collaboration is secure and simple user authentication. Our sales associates access several different software-as-a-service (SaaS) and on-premises apps to communicate and complete tasks. Many of these apps require a separate account, which meant users signed into multiple accounts throughout the day. We were concerned that some were reusing passwords, opening us up to risk. Our identity team was also overburdened. They were responsible for setting up accounts for each user, updating permissions as needed, and revoking accounts when users left the company. To resolve these challenges, we deployed Azure AD, which allowed us to decrease the size of the identity team, deliver a simpler user access experience to our employees, and gain more visibility into security threats.

Migrated identity and access management from Okta to Azure AD

Before we selected Azure AD, we investigated various identity and access management (IAM) options. We had previously deployed Okta, which fulfilled many of our requirements. However, we were simultaneously increasing our investment in Microsoft 365. We reviewed both Okta and Azure AD and discovered that Azure AD delivers better controls and security for Office 365 and its data than Okta at a much lower cost in addition to single sign-on (SSO) to other applications. At that point it was an easy sell, and we migrated all our users to Azure AD.

Decreased the size of the identity team

We are a large company with over 8,500 employees, stores in 49 states across the country, and 73 distribution centers across the biggest markets. Our physical footprint allows us to deliver a mattress within an hour to 89 percent of the population. Like many retailers we have a lot of employment churn. Each day, we process between 10-100 user identity status changes. Before Azure AD, a team of 12 people were responsible for provisioning the right accounts and access to each user. Twelve people is a large team, but it was required because for each change—whether that was a new hire, a promotion, or someone leaving the company—an identity team member needed to manually grant access or change privileges to them one at a time. This took a lot of time, and it was error prone.

Once we deployed Azure AD and set up automated provisioning, the onboarding process sped up significantly. Today, someone in human resources sets up a new employee in our HR system and within four hours the employee is onboarded to all their accounts. Our Identity Manager was able to redeploy most of the people on the provisioning team to higher priority work. Now there are just two people who manage the environment. We’ve realized a huge costs savings from this transition—about $500,000 per year in hard dollars, but tons of soft costs saved!

Infographic explaining Azure AD automated provisioning, with Azure AD in the middle; Active Directory, Cloud HR, and SCIM surrounding it.

Azure AD automated provisioning simplifies the process of provisioning the right access and applications to each user.

Delivered a simpler and more secure user access experience

Our users have also benefited from the rollout of Azure AD and automated provisioning. We enabled SSO so users can sign in once and access all the apps they need for work. We integrated Azure AD with about 40 apps, including Workday, Back Office, Salesforce, our VOIP administrator, Citrix, Tools video, Microsoft Dynamics 365, Concur, Tableau, WebEx, our benefits portal, our 401K provider, and all the Office 365 apps. Our employees love the new process. It is now rare that they must use another account to access work apps.

Infographic showing apps connected to Azure Active Directory.

With Azure AD SSO, users sign in once and have access to all their apps.

Azure AD has also given us peace of mind. Our customers provide a full set of information when they purchase a mattress from us. They trust us to protect their first-party data. Azure AD offers tools to better safeguard our identities. We control access to the first-party data based on employment status. We also enabled Multi-Factor Authentication (MFA) to Workday and off-premises sign-ins. That means whenever a user attempts to sign in to Workday or if they attempt to access any other system from off-site, we force a second form of authentication. Users get a secure code from the Microsoft Authenticator app, which validates their identity with Azure AD. This significantly reduces our security risk, and employees find it easy to use—a win for everybody.

We also enabled conditional access policies to reduce or block access when sign-in circumstances are risky. For example, Azure AD can evaluate the riskiness of a client app or the location of a user trying to gain access. If the risk is high enough, we can block access or force a password reset to confirm identity. Another good example of our conditional access approach is the leave of absence policy. While users are on a leave, we limit the apps they can access to the ones they really need: Workday and our benefits portal. These flexible, customizable policy strike the right balance between enabling productivity while minimizing our exposure.

Infographic showing signals (user, location, device, app, real-time risk) being verified (allowed, requiring MFA, or blocked).

Azure AD can evaluate user and location, application, device, and real-time risk before allowing access.

Improved threat visibility

Security doesn’t end with our access policies. Azure AD also provides tools that Security Operations (SecOps) use to better understand security incidents. The Azure AD authentication logs and the Office 365 application access information provides useful insights. We now better understand when users try to access applications with VPNs or from unauthorized networks. This intelligence informs our security strategy and policies.

Azure AD has provided the foundation for a secure and connected employee experience. As we operationalize communication tools like Microsoft Teams, we are confident that the information that employees share is less likely to get compromised. Employees are empowered to work together to meet and exceed customer expectations. We rest easy because our customer data is more secure.

Azure Active Directory

Protect your business with a universal identity platform.

Get started

Learn more

I hope you’re able to apply Mattress Firm’s learnings to your own organization. For more tips from our customers, take a look at the other stories in the Voice of the Customer blog series. Also, check out the Mattress Firm case study to see how other Microsoft 365 solutions have helped them improve the customer experience.

Here are several additional resources:

Finally, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Mattress Firm deployed Azure Active Directory to securely connect Firstline Workers to their SaaS apps and to each other appeared first on Microsoft Security.