February 28, 2024

Idemitsu Kosan says goodbye to ADFS by switching its authentication infrastructure to Microsoft Entra ID in pursuit of diverse work styles

Idemitsu Kosan is known as a company that manufactures and sells fuel oil such as gasoline, kerosene, light oil, and heavy oil, but it is in fact engaged in a wide range of businesses, including the manufacture and sale of basic chemicals such as olefins (ethylene, propylene, and butadiene) and aromatic chemicals, as well as lubricating oil. In recent years, in order to achieve carbon neutrality, Idemitsu Kosan has been working on the production of synthetic fuels that are free of carbon dioxide emissions, the manufacture of sustainable aviation fuel (SAF), and the use of ammonia as a fuel.

Idemitsu Kosan Co Ltd

The company also aims to provide services that solve region-specific issues by applying digital technologies through its 6,300 service stations (gas stations) nationwide, and is advancing the “Smart Yorozuya (One-stop Shop)” concept to evolve them into smart one-stop shops for a new era. Idemitsu Kosan, which actively engages in digital transformation, switched its authentication infrastructure to Microsoft Entra ID (formerly Azure Active Directory) with the aim of achieving diverse work styles, and successfully migrated away from ADFS.

Working without a VPN became necessary as remote work increased

Idemitsu Kosan uses 18,000 PCs and 12,000 smartphones for work across the entire group. Their authentication infrastructure was based on on-premises AD (Active Directory), and sign-ins to Microsoft 365 and some SaaS applications were federated: Microsoft Entra ID handed authentication requests to on-premises AD through ADFS (Active Directory Federation Services). In order to unify its authentication infrastructure and solve various issues, the company launched the Microsoft Entra ID migration project in August 2021. The trigger was the increase in remote work during the COVID-19 pandemic.

“With the diversification of work styles, it became necessary to create an IT environment in which we can safely work from various locations. We previously had to connect to the internal network via VPN to use business applications from home. This method, however, causes wasted internal traffic because all the traffic goes through VPN. There had also been requests from business divisions that they wanted to collaborate with external users, but the issue was that it would require time and effort to lend devices and accounts, etc. for collaboration. In order to solve these issues, we decided to migrate to Microsoft Entra ID, which supports device-based authentication,” says Yasushi FUKUNAGA, Digital Platform Section, Digital & ICT Department, Idemitsu Kosan.

Migration work proceeded in three steps, with smartphone authentication also taken into account

Migration to Microsoft Entra ID proceeded in three steps. In step 1, a feature called password hash synchronization was enabled so that the passwords stored in on-premises AD could be used by Microsoft Entra ID. Password hash synchronization is an extension of the directory synchronization performed by Microsoft Entra Connect Sync; it synchronizes user password hashes from on-premises AD to Microsoft Entra ID.

“We previously used Microsoft Entra Connect Sync to synchronize users and groups between on-premise AD and Microsoft Entra ID. In order to be able to authenticate with Microsoft Entra ID only, without using ADFS, it was necessary to enable Microsoft Entra ID to authenticate using the same passwords as those in on-premise AD. To achieve this, we decided to enable the password hash synchronization feature which is security safe” (FUKUNAGA).

Also in step 1, Microsoft Entra Connect Sync was used to synchronize the device information registered in AD to Microsoft Entra ID so that the devices became Microsoft Entra hybrid joined. In addition, device-based authentication was added through conditional access in Microsoft Entra ID, on top of ID- and password-based authentication, to enhance security.

Microsoft Entra hybrid join is a mechanism that registers devices joined to on-premises AD in Microsoft Entra ID as well, making features such as single sign-on and device-based authentication available to applications that authenticate with Microsoft Entra ID.

In step 2, the third-party MDM (Mobile Device Management) solution was replaced with Microsoft Intune (hereinafter “Intune”). More specifically, device information was registered in Intune to enable smartphone authentication by Microsoft Entra ID.

“The purpose was to create an authentication infrastructure that allows applications to be accessed from smartphones, just like PCs. Since Intune and Microsoft Entra ID are closely integrated, we thought it would be easier to control by switching MDM to Intune,” explains Yohei TAKEZOE, Manager at Digital Platform Section, Digital & ICT Department, Idemitsu Kosan.

Migrating MDM to Intune eliminated the third-party MDM solution's license fees and reduced the company's costs by tens of millions of yen a year.

In this migration work, however, the most frequent inquiries from users were those related to MDM. The change of MDM altered which features and device layers could be controlled, and tightening security during the migration meant that some features that had previously been available became unusable.

“There were opinions such as ‘I found it difficult to use when I actually tried to operate.’ We deployed MDM to users after solving such issues, but we could not sufficiently explain the assumed specifications and ended up placing some burden on users” (TAKEZOE).

Step 3 switched the authentication endpoint for cloud services from ADFS to Microsoft Entra ID, which was implemented by changing the authentication method of the domain. In order to limit the impact of switching the authentication scheme on user sign-ins, this was carried out in three phases using a feature called phased rollout, which allowed a limited set of users to be switched in advance.
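The three steps above can be checked from the administrator's side before and after each cut-over. The following is an added example written for this article, not a script from Idemitsu Kosan or Microsoft. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in administrator holds the listed permission scopes; the pilot group name is a placeholder. It reports which verified domains still carry a federated authentication type (the state step 3 removes; Microsoft's documentation calls the per-user preview mechanism staged rollout), summarizes device join types so that Entra joined rather than hybrid joined PCs surface early (TrustType "ServerAd" is hybrid joined), and creates the step-1 device-based conditional access policy in report-only mode so that sign-in logs show who would have been blocked before anything is enforced. Enabling password hash synchronization itself is done in the Microsoft Entra Connect configuration wizard and is not scripted here.

```powershell
# Added example (not Idemitsu Kosan's or Microsoft's own script).
# Requires the Microsoft.Graph PowerShell SDK; scopes below are the minimum for each check.
Connect-MgGraph -Scopes 'Domain.Read.All', 'Device.Read.All', 'Group.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# 1. Domain authentication method. A domain that still reads "Federated" sends
#    sign-ins to the federation server (ADFS); after the step-3 cut-over every
#    verified domain should read "Managed".
Get-MgDomain |
    Where-Object IsVerified |
    Select-Object Id, AuthenticationType, IsDefault |
    Format-Table -AutoSize

# 2. Device join state. TrustType values: "ServerAd" = Microsoft Entra hybrid joined,
#    "AzureAd" = Microsoft Entra joined only, "Workplace" = Microsoft Entra registered.
#    Anything other than "ServerAd" will not satisfy a hybrid-join requirement.
Get-MgDevice -All -Property DisplayName, TrustType, OperatingSystem, IsCompliant |
    Group-Object TrustType |
    Select-Object Name, Count |
    Format-Table -AutoSize

# 3. Device-based conditional access for a pilot group, in report-only mode.
#    "enabledForReportingButNotEnforced" evaluates the policy and records the
#    outcome in sign-in logs without blocking anyone; switch to "enabled" once
#    the report shows no unexpected failures.
$pilotGroup = Get-MgGroup -Filter "displayName eq 'PLACEHOLDER-EntraID-Pilot'"   # placeholder group name

$policy = @{
    displayName = 'Require hybrid-joined or compliant device (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroup.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # Either control satisfies the policy: Intune-compliant (step 2) OR hybrid joined (step 1).
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Running checks 1 and 2 before each phase of the rollout gives the same information the project team describes needing: which domains are still federated and which PCs are not in the join state the policy expects.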

Microsoft helped relieve concerns arising from a lack of experience and fully supported the migration

The migration work, through to the decommissioning of the ADFS server, was completed in June 2022, 10 months after it started. The actual migration work was carried out by only two employees, including FUKUNAGA. They did not have sufficient knowledge of AD at the time, but nevertheless completed the migration successfully and without problems. TAKEZOE says that the two relatively inexperienced staff were put in charge of the project for the purpose of human resource development.

“I myself had little knowledge about Microsoft Entra ID, ADFS, and authentication when the project started, and for the work required for switching, we understood the flow by referring to the webinar provided by Microsoft. The actual implementation proceeded with FastTrack support,” recalls FUKUNAGA.

TAKEZOE says that Microsoft FastTrack was a major factor in enabling them to complete the migration without problems. FastTrack is a service through which customers subscribing to Microsoft 365, Azure, or Dynamics 365 can receive support from Microsoft engineers at no additional charge.

“In step 1, we were concerned about how to configure conditional access. We were able to configure it with support from Microsoft and also by having their engineers participate in reviews. We then gradually expanded the target and proceeded while checking for any unexpected behaviors. When we implemented phased rollout, devices were required to be Microsoft Entra Hybrid joined, but for some reason there were some PCs that were Microsoft Entra joined. While checking with Microsoft for the cause, we were also provided with support on how to tune Microsoft Entra Connect Sync” (TAKEZOE).

Aiming to enhance security and enable collaboration with external users by making further use of Microsoft Entra ID

Since the completion of this project, Idemitsu Kosan has been moving the authentication of its cloud applications onto Microsoft Entra ID, and it also plans to shift on-premises systems to Microsoft Entra ID where possible.

They also intend to use the conditional access gained by migrating to Microsoft Entra ID to enhance security. The company currently uses device authentication, but conditional access also makes possible more advanced risk-based authorization that draws on user behavior signals, authorization of external users, and adjustment of authentication strength.

“Since we can set more detailed conditions with device authentication, such as which security patches have been applied and antivirus software versions, we intend to work on further enhancing security. Being able to respond to more detailed application-specific requests, such as requiring two-factor authentication only for specific applications and allowing access after agreeing to the terms of service, we consider, is a benefit of migrating to Microsoft Entra ID,” states TAKEZOE about the effect of consolidating authentication on Microsoft Entra ID.

While many companies hesitate to migrate away from ADFS because of the complexity of the migration work and the impact it may have on users, Idemitsu Kosan decided to do so after understanding the advantages of migrating to Microsoft Entra ID, and succeeded. The keys to that success were a well-thought-out migration plan and extensive support from Microsoft. Idemitsu Kosan will strengthen its company-wide authentication conditions by expanding its use of Microsoft Entra ID from cloud services to on-premises systems, and continue to pursue diverse work styles.

[Security Forum 2023 Online]
Special Edition on Goodbye ADFS! Recommendation for Migration Away From ADFS as Learned From the Actual Case of Idemitsu Kosan
