Be your authenticated self
Let Azure Active Directory (AAD) be your guide to secure, reliable access to your apps and services
Hi Peer,
Can you see the forest for the trees? What if it’s an Active Directory (AD) forest? The trees, before the forest, are important. The bigger picture IS the outcome. The smallest details and best practices help lock in security WITH positive employee experiences.
In the realm of IT, a happy AD forest leads to happy users. Logging into apps and services needs to not only work but be validated at every entry point without being a burden. These days, hybrid work presents a mixture of on-premises and cloud applications, on and off the corporate network. This often leads to an instance of AD in the cloud: Azure Active Directory (AAD) - Microsoft’s universal identity platform. Managing users across all of these environments poses challenging IT scenarios and calls for employee awareness.
The final-mile value, once you are validated as being who you say you are, is unique, secure access to important people and content. With AAD in place and Microsoft Graph, the environments you log into present personalized experiences based on who you work with, what they work on, and who has access to what.
Full transparency, I’m not an auth expert. I’ve recently scaled up my understanding for several recent customer briefings. This article highlights this new insight, the knowledge of others, and my own employee sign-in experience. My hope is to shed light on a pathway to a good, known auth state, one with improved security, reporting, and productivity gains.
Establish a healthy authentication connection
Azure AD’s primary role is to help manage and secure identities for employees, partners, and customers - anyone you OK to access apps and services, which lead to your content and information. By default, this applies to Microsoft 365 apps and services, and can be extended to connect to additional systems and content sources. I’ve overheard this statement over the years from numerous IT Pros: “Do not connect to any service until your AD is in good health” - usually followed by a war story or two of connectivity failure, sporadic auth experiences, and multiple sign-in credentials per user. War stories are great to hear, awful to repeat.
If your AD is in decent shape before you connect and share anything, great. Done. Skip to part 2. If not, it’s good to understand the benefits of a single tool that provides an easy deployment experience for synchronization and sign-in. Directory health leads to reliable password synchronization, up-to-date certificate renewal, and continuous monitoring so you can view and act on sign-in and directory activity.
The last mile, and most of what you manage going forward, is the influx of new employees, people exiting the company, and vendors you need to enable and provide access to. Once they are in the system, you can assign desired licenses, manage their device access, and more.
Learn more about secure access for a connected world (Azure AD).
Layer in an extra layer, multi-factor authentication (MFA)
Now let’s talk about the application and breadth of this technology to improve productivity. Why not do this with single sign-on from anywhere, on any device? Use multi-factor authentication (MFA) to help ensure only verified users and trustworthy devices can access your resources. It’s an extra step. It’s worth it. And it doesn’t impede productivity when implemented properly.
As a Microsoft employee, I use the Microsoft Authenticator app adding a layer of protection knowing passwords can be forgotten, stolen, or compromised. Thus, my Google Pixel 3 XL becomes that extra layer prompting me for a PIN or fingerprint before I’m granted access to Web, mobile, or desktop apps. It’s an additional factor that's not easy for someone to obtain or duplicate.
Authenticator makes it easy for secure sign-ins, even across numerous online accounts - personal, work or school.
A few last specific tech call-outs that pair well with improved secure sign-in. First, Windows Hello - a secure way to access your Windows devices using a PIN, facial recognition, or fingerprint. Second, specific to Android device access, Microsoft IT requires me to use the Android work profile to separate work apps and data from personal apps and data. The work profile lives on a separate part of the device so that your personal things stay private and unaffected by work. And third, I’m provided self-service tools to manage contact info, reset passwords, or monitor sign-in activity - ultimately to reduce helpdesk calls. I just like that I can do it without wasting time.
Learn more about multifactor authentication.
Once in, you are you and personalized experiences await
Everything up to this point is based on good decisions and smart implementation. Now it’s time to see the trees for the forest. A modern workplace awaits. The intranet, as one example location, can be dynamic and personalized - once you’re in.
It all depends on the system knowing who you are (this is the role AAD plays) and who you work with and what you work on (this is the role of Microsoft Graph). When combined, an intelligent intranet is born, one that delivers experiences that provide shared content and solutions for collaboration, drives employee engagement and communications, and harnesses collective knowledge by connecting people and content.
Learn how Microsoft Graph powers intelligent, personal experiences across Microsoft 365 and beyond.
Final thoughts
Engaging experiences keep you connected to vital information and activities that matter to you, across all your devices. When you sign into it, you are you and you get what you care about, what you need, and it’s all based on who you are - your best authenticated self.
BONUS | Go further in this related Microsoft Mechanics show with Joy Chik, Microsoft CVP from the identity engineering team, focused on the latest innovations and a hands-on tour of Azure AD:
To keep up to speed with all things AAD, follow them on Twitter - @AzureAD and dig into the Microsoft ‘identity and access’ blog series.
I am who our instance of AAD says I am. Are you?
Cheerios, Mark “a well auth’ed tree” Kashman
P.S. (Pun Sharing)
Get your eye rolls ready to bake… one pun from me, @mkashman 🙄, and one from the world: