
What is a good order for an IAM implementation?

30 October 2023

A modern IAM solution is connected to a multitude of systems, plays a role in numerous processes, and therefore cannot be implemented in a single big bang. Organizations usually start implementation by migrating existing IAM processes and then plan the rollout of new capabilities step by step. What should you consider in that process? Every organization has different starting points, requirements, and objectives.

In the blog below we explain this in more detail. We use our HelloID cloud-based IAM platform as the example, which is built from three modules: Access Management, Provisioning, and Service Automation. With these three modules, HelloID is effectively prepared for the most common growth path: we start with basic authentication and authorization functions; next we automate the associated user onboarding, role changes, and offboarding processes; then we use Service Automation to streamline the exceptions and the remaining account management processes. Each module offers various capabilities that do not all need to be implemented, or implemented right away. Below we outline an example growth path, explain the dependencies between the different capabilities, and show how you can add more functions over time.

We also outline how each step can contribute to organizational goals. IAM functionality can support several objectives, including improving access and information security, compliance with privacy and security guidelines, the cost efficiency of account management, and usability for end users.

Step 1: Access Management implementation

The Access Management module provides the core access capabilities for which IAM systems were originally developed. It handles user authentication, often with a username and password, and then grants users access to applications and data (authorization). In many organizations this authentication and authorization function is already covered by their Microsoft environment, Active Directory or Entra ID, or Google Workspace. These serve as the primary identity provider to give users access to IT services.

Application dashboard, single sign-on and multi-factor authentication

This does not mean that IAM Access Management is now redundant. For some IT environments the Microsoft or Google identity provider is sufficient, but there are many exceptions and special requirements that are not easy to meet with standard functionality. A more flexible Access Management environment can also be necessary during mergers and migration projects. Finally, a solution that uses Access Management can simply be much more cost-effective than the standard identity providers. For all these cases an Access Management solution offers multiple features and user scenarios that can be activated as needed:

Additional or overarching identity provider(s)

Expansion to diverse user groups

As explained above, in a standard IT environment that only needs to be accessible to internal employees, the common identity providers Active Directory, Entra ID (formerly Azure AD), or Google Workspace are usually sufficient. Increasingly, organizations want to grant access to other user groups as well. Companies want to make CRM data available to customers, healthcare organizations want to give clients access to their personal information, and educational institutions want students to log in directly to their digital learning environment. Organizations also want to provide contingent workers with access to IT applications, and during mergers you want staff from different organizations to use each other's systems easily.

Challenges with multiple identity providers

Many of these new user groups are not registered in that primary identity provider. For customers the CRM system often serves as the identity provider, and student account information is recorded in the student information system. As a result we increasingly face multiple identity providers, while target applications often support only one. Such an application cannot be used simultaneously by internal employees and clients, contingent workers, and students. Issuing Entra ID accounts to everyone is often undesirable and expensive.

Integration of multiple identity providers through Access Management

An Access Management solution such as HelloID can serve as an adapter between multiple identity providers and the target applications. Each user group uses its own identity provider to access the access management system, which then ensures that everyone gains access to the required IT resources. Implementing Access Management allows you to handle multiple user types in your IT landscape with flexibility.

Single Sign-On

When a user signs in to the network, they usually gain default access to basic office applications such as email and Office. It is inconvenient if users also need to use other applications and must sign in repeatedly. Single Sign-On solves this. One login at the start of the day is sufficient, after which the user has direct access to all applications and data without repeated logins. An incremental growth path is also possible here; HelloID supports all major SSO standards, which allows you to start with the primary standard and expand from there.

Multi-Factor Authentication (MFA)

Passwords remain a risk factor in access security. Adding an extra security check significantly strengthens access protection. With MFA we perform an additional verification based on something the user has, for example a smartphone. After the regular login with a username and password, the user must enter a code that was sent to their smartphone. A growth path applies here as well. You can start with one specific authenticator app for smartphones and gradually add other options, such as security tokens.

Conditional access

With the flexible Access Management module you can also make access to applications and data dependent on the user context. From where is access requested? In the office, over the internet, or from abroad? With which device and at what time is the user signing in? Depending on these factors, you can block certain functions or data or make them available only after an extra MFA verification. Thanks to conditional access, an access management solution helps organizations maintain more control over who gets access, when, and where.
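The conditional access logic described above, as an added example that is not HelloID code: a first-match policy over the sign-in context (location, device, time) that yields block, step-up MFA, or allow, plus a check that no step-up rule is ordered ahead of a block rule. The field names, rules and sign-in contexts are constructed for this example.

```python
from dataclasses import dataclass

# Constructed sign-in context: the factors the text lists (where from,
# which device, what time). Field names are this example's own.
@dataclass(frozen=True)
class AccessContext:
    user: str
    app: str
    location: str          # "office", "internet" or "abroad"
    managed_device: bool   # enrolled, compliant device?
    hour: int              # local hour of the sign-in, 0-23

BLOCK, REQUIRE_MFA, ALLOW = "block", "require_mfa", "allow"

# Hypothetical policy: (reason, predicate, decision). First match wins, so
# blocking rules are listed before rules that only step up to MFA.
POLICY = [
    ("client records never from abroad",
     lambda c: c.app == "client_records" and c.location == "abroad", BLOCK),
    ("client records only from managed devices",
     lambda c: c.app == "client_records" and not c.managed_device, BLOCK),
    ("outside the office", lambda c: c.location != "office", REQUIRE_MFA),
    ("unmanaged device", lambda c: not c.managed_device, REQUIRE_MFA),
    ("outside business hours", lambda c: not 6 <= c.hour <= 20, REQUIRE_MFA),
]

def decide(ctx: AccessContext, policy=POLICY) -> tuple:
    """Return (decision, reason); the reason is what goes into the audit log."""
    for reason, predicate, decision in policy:
        if predicate(ctx):
            return decision, reason
    return ALLOW, "office, managed device, business hours"

def policy_is_well_ordered(policy=POLICY) -> bool:
    """First-match evaluation must not let a step-up rule shadow a block rule:
    every BLOCK entry has to precede every REQUIRE_MFA entry."""
    rank = {BLOCK: 0, REQUIRE_MFA: 1}
    ranks = [rank[decision] for _, _, decision in policy]
    return ranks == sorted(ranks)

if __name__ == "__main__":
    assert policy_is_well_ordered()
    for ctx in (AccessContext("u1", "mail", "office", True, 10),
                AccessContext("u1", "mail", "internet", True, 10),
                AccessContext("u1", "client_records", "abroad", True, 10)):
        print(ctx.app, ctx.location, "->", decide(ctx))
```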

Access portal

If the organization does not already have a launch menu from which various applications and data shares can be accessed with one click, Tools4ever can implement a HelloID Access Management portal for you. If desired, this can be integrated as a widget into an existing intranet or SharePoint Online environment.

Step 2: Orchestrate and automate provisioning

By implementing the Access Management capabilities described above, we provide basic user authentication and authorization. A user's digital identity is verified and, based on that, the user receives access to the IT environment.

Automate the management of identities and authorizations

Access Management alone does not prepare us for the increasingly complex management of all access rules for hundreds or thousands of users. Organizations often work with dozens of applications and data sources where least privilege access is a key requirement; everyone may only receive access to the applications and data needed to perform their job. Only then can you remain compliant with current information security and privacy guidelines. A user's access rights depend on their role, department, or work location, and when those change, the corresponding access rights must be adjusted automatically.

Automate identity and authorization management

Access Management alone is not sufficient for this. A management system is required that ensures a user is automatically provided with the correct entitlements throughout the entire employment cycle. This applies not only to permanent staff but also to contingent workers, clients, and students. It starts at onboarding, continues during role changes, and extends through offboarding when someone leaves the organization. The HelloID Provisioning module automates this workflow and forms the core of a modern IAM solution. It manages user accounts and entitlements based on a clear set of user roles and corresponding access rights defined in business rules. To accomplish this you will connect the Provisioning module to the systems below and gradually implement additional capabilities:

Integration with HR and other source systems

Traditionally the IT support department creates and manages user accounts and access rights. A manager or the HR department submits a request for a new account, often as a form. The IT staff member then prepares account data, access rights, and other facilities in time and activates them in the various systems.

It is much more logical and efficient to use the source data directly. HR records all employment agreements and information about each user's specific role. By integrating the HR system with HelloID Provisioning you can drive the creation of new accounts, as well as changes in rights when someone moves to a different role, from the HR system. HelloID manages the identity lifecycle of user accounts and access rights, processes updates automatically, and translates them into the correct settings in the downstream IT systems. The connection between the HR system and HelloID Provisioning is therefore typically implemented immediately. A student information system can be connected in a similar way. In all cases responsibility for user data rests with the relevant business owner.

Further develop business rules

Using business rules is the most effective way to realize Role-Based Access Control, a concept in which a user's role automatically determines which access rights they receive. It is the way to implement least privilege access in a manageable manner. The important point is that you can define a growth path here. Initially you can start with basic business rules and further develop and refine them over time. You can fully define more operational roles, for example clinical staff in healthcare organizations, into so-called key roles where all required rights and facilities are issued directly based on the user's role. For more generic roles such as a project manager a basic account is created automatically, after which specific rights must be requested separately.

Connections to target systems

We usually automate the provisioning of account data for basic office applications from the start, with integrations between the HR system, HelloID, and for example Active Directory. The connection between HelloID and an IT Service Management (ITSM) solution such as TOPdesk often has priority as well. This helps simplify existing service desk processes, including issuing physical assets such as laptops, smartphones, security tokens, or access badges.

For more specific applications, such as a client record, organizations may initially choose to send automatic notifications only, after which the relevant application owners process the changes in the target systems. HelloID Provisioning then already orchestrates the issuance of accounts and rights but does not fully automate it yet. A fully automated connector is the logical next step.

In this way the IT organization can implement more and more provisioning connections to target systems over time and further automate account processes. Each organization can follow its own plan here. Tools4ever provides an increasing number of standard connectors that only need to be configured and deployed.
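The HR-driven lifecycle, the business rules, and the orchestrated-versus-automated target systems described in this step, as one added example that is not HelloID's Provisioning engine: business rules map a role to birthright entitlements per target system, and a reconciliation pass turns HR records into grant and revoke actions for joiners, movers, leavers and orphaned accounts. The roles, systems, entitlements and HR records are constructed for this example.

```python
from dataclasses import dataclass

# Constructed HR record, shaped like what a source-system connector delivers.
@dataclass(frozen=True)
class HrRecord:
    person_id: str
    role: str
    active: bool    # False once the employment has ended (offboarding)

# Hypothetical business rules: role -> birthright entitlements, each tagged
# with the target system that owns it. "*" is the basic account every active
# user gets; a generic role such as project_manager gets only that, and any
# further rights are requested separately (step 3).
BUSINESS_RULES = {
    "*": {("ad", "account"), ("ad", "group:all-staff"), ("m365", "mailbox")},
    "nurse": {("ad", "group:clinical"), ("ehr", "role:nurse")},
    "project_manager": set(),
}

# Target systems with a full connector; changes elsewhere are only notified
# to the application owner (orchestrated, not yet automated).
AUTOMATED = {"ad", "m365"}

def mode(system: str) -> str:
    return "apply" if system in AUTOMATED else "notify"

def desired_entitlements(rec: HrRecord) -> set:
    """Apply the business rules to one HR record; inactive staff get nothing."""
    if not rec.active:
        return set()
    return BUSINESS_RULES["*"] | BUSINESS_RULES.get(rec.role, set())

def reconcile(hr_records, current) -> list:
    """Compare the HR-derived target state with what the targets currently hold.

    current: {person_id: set of (system, entitlement)} read back from targets.
    Returns sorted (person_id, verb, system, entitlement, mode) tuples.
    """
    actions, seen = [], set()
    for rec in hr_records:
        seen.add(rec.person_id)
        have = current.get(rec.person_id, set())
        want = desired_entitlements(rec)
        for system, ent in want - have:       # joiner or mover: add rights
            actions.append((rec.person_id, "grant", system, ent, mode(system)))
        for system, ent in have - want:       # mover or leaver: least privilege
            actions.append((rec.person_id, "revoke", system, ent, mode(system)))
    for pid in current.keys() - seen:         # no HR record at all: orphan account
        for system, ent in current[pid]:
            actions.append((pid, "revoke", system, ent, mode(system)))
    return sorted(actions)
```

Running `reconcile` on every HR delivery, rather than only on change events, is what catches accounts that were created or modified outside the process.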

Step 3: Automate service processes

With step 2 we manage accounts and access rights based on established user roles. This is the policy framework in which you operate and with which we can cover about 80 percent of all access rights. For the key roles mentioned earlier we can even fully automate rights management.

However, the remaining 20 percent of all access rights must typically be granted and managed on an individual basis. We can never fully define every role. For a project lead the Provisioning module can handle the so-called birthright entitlements, but if someone temporarily needs Visio for a project, this must be requested individually. These processes are naturally manual, but with Service Automation you can increasingly streamline these remaining 20 percent exceptions and specials.

This is not only about additional access rights; we can also use Service Automation for other processes, ranging from password resets or name changes to creating and extending guest accounts. A process for accepting user terms before someone may use an account can also be handled with Service Automation.

Automating service processes

There is no need to start with self-service immediately. HelloID makes it possible to optimize helpdesk processes first and then apply a shift-left migration per process: first we allow managers and functional administrators to make changes, and eventually we offer self-service to end users:

Delegated forms for the support team

A first step is to optimize and better secure helpdesk tasks. To perform these tasks, helpdesk staff traditionally have high admin rights in complex applications such as Active Directory Users & Computers (ADUC). This requires relatively deep expertise from staff, and that direct access is costly (user licenses) and risky.

HelloID Helpdesk Delegation makes it possible to provide delegated forms to non-skilled or semi-skilled helpdesk staff. Through these forms they can perform IT administrative tasks, such as creating accounts and changing rights, without needing admin rights in underlying systems. HelloID processes the forms and automatically applies the required changes in the downstream systems. This makes the work simpler, safer, and more cost effective, while ensuring that processes are executed uniformly and are auditable.

Delegation to managers and/or 'resource owners'

A possible next step is to move some administrative tasks to managers, functional administrators, or license managers. They can best evaluate requests for their team or specific applications and can process them directly using such delegated forms. From a technical perspective this is a simple step because you can build on the forms and actions already developed for the service desk.

The organizational impact is greater. After implementing this layer, managers in particular gain much more insight into which licenses and access rights their staff use. This increases managers' awareness of their department's IT footprint and helps reduce unnecessary costs. For the IT department this eliminates the need for a cumbersome process with service tickets and service personnel.

Self-service: delegation to users

The ultimate step is delegating to the end user: self-service. Through an online catalog employees can independently request, for example, rights for applications, folders, or mailboxes. Through one or more online approval steps by the manager or product owner involved, Service Automation can ensure that changes are processed automatically in the relevant back-end systems.

In addition to handling access requests for systems, applications, and folders, the platform also supports controlled customization to automate complex, organization-specific issuance and management processes. Every type of request and service ticket can be scheduled as a standalone project at the desired moment. There is no big bang here either.
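The three delegation layers of this step (helpdesk forms, manager forms, and self-service with an approval step) as one added example that is not HelloID's Service Automation: a form catalogue states who may open each form and who must approve it, and the checks enforce that a requester can only act within that scope. The people, forms and application names are constructed for this example.

```python
from dataclasses import dataclass

# Constructed organisation data (all names made up): reporting lines,
# helpdesk membership, and the owner of each requestable application.
MANAGER_OF = {"alice": "bob", "carol": "bob", "dave": "erin"}
HELPDESK = {"heidi"}
RESOURCE_OWNER = {"visio": "frank"}

# Hypothetical form catalogue: who may open each delegated form, and who has
# to approve before the change is applied (None = applied immediately).
FORMS = {
    "reset_password": {"initiator": "helpdesk", "approval": None},
    "extend_guest":   {"initiator": "manager",  "approval": None},
    "grant_app":      {"initiator": "self",     "approval": "resource_owner"},
}

@dataclass
class Request:
    requester: str
    subject: str           # the user the change is for
    action: str            # key into FORMS
    detail: str = ""       # e.g. the application name for grant_app
    status: str = "new"

def may_initiate(req: Request) -> bool:
    who = FORMS[req.action]["initiator"]
    if who == "helpdesk":
        return req.requester in HELPDESK
    if who == "manager":
        return MANAGER_OF.get(req.subject) == req.requester
    return req.requester == req.subject           # self-service

def required_approver(req: Request):
    kind = FORMS[req.action]["approval"]
    if kind == "manager":
        return MANAGER_OF.get(req.subject)
    if kind == "resource_owner":
        return RESOURCE_OWNER.get(req.detail)
    return None

def submit(req: Request) -> str:
    """Validate the delegated form and return the new status."""
    if not may_initiate(req):
        req.status = "rejected"
    elif required_approver(req) is None:
        req.status = "applied"           # helpdesk/manager forms run straight away
    else:
        req.status = "pending"
    return req.status

def approve(req: Request, approver: str) -> str:
    """Only the designated approver can move a pending request to applied."""
    if req.status == "pending" and approver == required_approver(req):
        req.status = "applied"
    return req.status
```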

Step 4: Monitoring, audits, and compliance

An important role for modern IAM environments is watertight recording of issued rights and logging of all user actions. This makes it possible to demonstrate compliance with your information security plans, the underlying security standards, and privacy legislation. HelloID records all activities in audit logs. Based on these, HelloID provides standard reports to HelloID administrators, managers, and product owners. Urgent information is communicated as incidents. HelloID also offers a growth path for this information delivery:

Standard logs and reports

HelloID provides standard logs and reports depending on the HelloID modules in use. Access Management reports contain information on current access attempts, while Provisioning reports focus on the creation of and changes to accounts, business rules, and rights. The Service Automation module provides log data on specialized processes.

Monitoring, audits and compliance

Customer-specific reports, analysis, and monitoring

The number of available standard logs and reports increases as you roll out more HelloID functionality. You can also create customer-specific reports as needed, for example with Elastic Kibana's dashboard and reporting features. HelloID also provides various APIs to Power BI and other business applications and security systems to retain data longer, combine and correlate it with other data, and analyze it further. This also supports integrations with a customer's SIEM environment.

IAM implementation steps

The HelloID roadmap

With HelloID you can roll out more IAM functionality over time, at the pace that fits your organization and aligns with your needs. We also continue to evolve the HelloID platform. Because the IDaaS solution HelloID has a new release every month, new features are added periodically. See our public roadmap.