August 23, 2024

Microsoft Security implements Microsoft Entra ID Governance and saves over $1.5 million per year

The Digital Security and Resilience team at Microsoft handles identities and access management for the majority of all Microsoft-owned tenants. Previously, the team managed identities and access with SailPoint IIQ, a legacy solution that was becoming difficult to maintain and expensive, costing over $1.5 million per year. The team switched to Microsoft Entra ID Governance, gaining a cloud-native approach and automated tooling, cutting costs, and scaling to over 200,000 entities in just six months.


Tens of thousands of entities to manage

Around the world, millions of customers rely on Microsoft to help secure their businesses. But internally, who does Microsoft count on? The Microsoft Security team. And within that team, the Digital Security and Resilience team handles identities and access management for the majority of all Microsoft-owned tenants.

By the numbers, the Digital Security and Resilience team manages a staggering number of entities. For starters, there are over 25,000 unique security groups, which assign access to resources in a network, and 10,000 entitlement objects, which are the resources and applications within a group that users need to access. Then, there are the approximately 350,000 human and non-human identities (with ‘non-human identities’ including things like service principals and machines that execute functions on behalf of users or groups).

Sunsetting SailPoint IIQ

For years, the Digital Security and Resilience team had been managing identities and access using a solution called SailPoint IIQ. The tool offered limited out-of-box features and needed significant upfront customizations to support a company the size of Microsoft. “If we wanted specific data dependency integrations or business logic or anything, really, it was up to us to integrate that into the tool,” says Adrian Gillem, Senior Engineering Program Manager at Microsoft. Over time, these customizations required an increasing number of developers to hardcode new features and became more expensive.

And it wasn’t just the building of new features that got expensive, but also the maintenance, as the team needed to maintain certain lifecycle thresholds for every identity and security group. Gillem explains, “Let’s say a particular security group has access to a critical production application for 365 days before it requires another validation. But, within that group, there’s an identity that has access for only 180 days. We’d need to manually build that logic into SailPoint IIQ.”

By the end of 2022, Microsoft was spending over $1.5 million per year to maintain SailPoint IIQ. To recoup these costs, the company decided to look inward for a solution. “We thought, ‘We’re a company of engineers and we have a litany of tools to meet our customers’ needs. Why can’t we use our own tools to meet our needs?’” says Gillem.

Governance from day one

In early 2023, Microsoft set out to transition away from SailPoint IIQ and began looking at internal tools and platforms as its replacement. Right away, Microsoft Entra ID Governance, an identity governance solution, emerged as an appealing option because of its built-in compliance, out-of-box APIs, and scale.

“Where SailPoint IIQ required us to build our own customizations, Entra ID Governance made those things available day one from the ground up,” notes Gillem. Unlike with SailPoint IIQ, Entra ID Governance offered the Digital Security and Resilience team the ability to automatically set its own security parameters and access policies as part of the identity onboarding process. Another selling point for Entra ID Governance was the out-of-box availability of Microsoft Graph APIs. Customers who had taken production dependencies on APIs the Digital Security and Resilience team had custom built for programmatic access to SailPoint IIQ-hosted entitlement objects could shift those dependencies to Microsoft tools immediately, without losing business continuity.

Phasing out SailPoint IIQ involved a multi-stage approach, beginning with the migration of essential entitlement objects and security groups, followed by the gradual onboarding of identities. After cleaning up outdated and unused resources and objects, it took about six months to deploy, as the Digital Security and Resilience team ensured a smooth lift-and-shift of all necessary components while maintaining business continuity throughout the process.

The Digital Security and Resilience team also worked closely with the Entra ID Governance team to ensure the product met every need. “We wanted to integrate some automated tooling features into the product and worked with the Entra ID Governance team to build them. Throughout the whole process, they were an amazing partner to us,” says Gillem. In fact, the automated tooling features have become so valuable internally, Gillem’s team is now advocating that external customers adopt them. Gillem elaborates, “Entra ID Governance has become our north star for cloud-native, cloud-based access management within Microsoft. We want to share that value with our own customers.”

Enterprise-scale security for any business

Now that Microsoft is no longer paying for SailPoint IIQ, it’s starting to recover some of those costs. But cost savings aren’t the only benefit of Entra ID Governance; the company is gaining scale and efficiencies as well. The Digital Security and Resilience team is now able to automatically review and determine the policies required of an identity or group. Since security and compliance policies (for example, least-privileged access) are natively built in, all the team must do is set the guidance and push it through. Developers on the team are now reporting 30% greater velocity, thanks to the elimination of the need for extensive customizations.

The team was able to scale Entra ID Governance up to over 250,000 users within just six months, but Gillem stresses that it’s valuable for businesses of all sizes. “This product isn’t just for companies like Microsoft. If you’re a mid-sized company that only has 100 users and you want to gate access to critical resources, or if you’re a company of 10,000, Entra ID Governance can scale to meet your needs,” he says.

