Memo 22-09 enterprise-wide identity management system
Article
Memorandum M-22-09, Memorandum for Heads of Executive Departments and Agencies, requires agencies to develop a consolidation plan for their identity platforms. The goal is to have as few agency-managed identity systems as possible within 60 days of the publication date (March 28, 2022). There are several advantages to consolidating identity platforms:
Centralize management of identity lifecycle, policy enforcement, and auditable controls
Uniform capability and parity of enforcement
Reduce the need to train resources across multiple systems
Enable users to sign in once and then access applications and services in the IT environment
Integrate with as many agency applications as possible
Use shared authentication services and trust relationships to facilitate integration across agencies
Why Microsoft Entra ID?
Use Microsoft Entra ID to implement recommendations from memorandum 22-09. Microsoft Entra ID has identity controls that support Zero Trust initiatives. With Microsoft Office 365 or Azure, Microsoft Entra ID is an identity provider (IdP). Connect your applications and resources to Microsoft Entra ID as your enterprise-wide identity system.
Single sign-on requirements
The memo requires that users sign in once and then access applications. With Microsoft single sign-on (SSO), users sign in once and then access cloud services and applications. See Microsoft Entra seamless single sign-on.
Integration across agencies
Use Microsoft Entra B2B collaboration to meet the requirement of facilitating integration and collaboration across agencies. Users can reside in a Microsoft Entra tenant in the same cloud, in a tenant on another Microsoft cloud, or in a non-Microsoft Entra tenant (SAML/WS-Fed identity provider).
With Microsoft Entra cross-tenant access settings, agencies manage how they collaborate with other Microsoft Entra organizations and other Microsoft Azure clouds:
Limit which Microsoft tenants your users can access
Settings for external user access, including multifactor authentication enforcement and device signal
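The two settings above combine per partner tenant: the default policy applies to every external tenant, a partner entry overrides only the sections it defines, and the inbound trust settings decide whether MFA and device claims issued by the partner's home tenant satisfy your own Conditional Access policy. The following Python is an added illustration of that evaluation, not Microsoft code; the policy dictionaries are constructed (their shape is modelled on the Graph crossTenantAccessPolicy default and partner objects, but the tenant id, application id and deny-by-default posture are hypothetical).

```python
"""Decide how an inbound B2B sign-in is handled under cross-tenant access settings.

Added illustration, not Microsoft code. The policy dictionaries are constructed;
their shape follows the Graph crossTenantAccessPolicy default/partner objects
(b2bCollaborationInbound, inboundTrust), but the tenant id, app id and the
deny-by-default posture are hypothetical choices for this example.
"""

PARTNER_AGENCY = "11111111-1111-1111-1111-111111111111"  # constructed partner tenant id

# Constructed default: block inbound B2B collaboration unless a partner entry allows it.
DEFAULT_POLICY = {
    "b2bCollaborationInbound": {
        "usersAndGroups": {"accessType": "blocked",
                           "targets": [{"target": "AllUsers", "targetType": "user"}]},
        "applications": {"accessType": "blocked",
                         "targets": [{"target": "AllApplications", "targetType": "application"}]},
    },
    "inboundTrust": {"isMfaAccepted": False, "isCompliantDeviceAccepted": False,
                     "isHybridAzureADJoinedDeviceAccepted": False},
}

# Constructed partner entry: all of the partner agency's users may reach one application,
# and the MFA and device-compliance claims issued by that tenant are trusted.
PARTNERS = {
    PARTNER_AGENCY: {
        "b2bCollaborationInbound": {
            "usersAndGroups": {"accessType": "allowed",
                               "targets": [{"target": "AllUsers", "targetType": "user"}]},
            "applications": {"accessType": "allowed",
                             "targets": [{"target": "app-grants-portal", "targetType": "application"}]},
        },
        "inboundTrust": {"isMfaAccepted": True, "isCompliantDeviceAccepted": True,
                         "isHybridAzureADJoinedDeviceAccepted": False},
    }
}


def _target_permits(setting, value, wildcard):
    """An 'allowed' list permits only the listed targets; a 'blocked' list permits everything else."""
    listed = any(t["target"] in (value, wildcard) for t in setting["targets"])
    return listed if setting["accessType"] == "allowed" else not listed


def evaluate_inbound(home_tenant, user_id, app_id, *, mfa_at_home=False,
                     compliant_at_home=False, default=DEFAULT_POLICY, partners=PARTNERS):
    """Return the access decision and which controls the local tenant still has to enforce."""
    partner = partners.get(home_tenant, {})
    # A partner entry overrides the default only for the sections it defines.
    collab = partner.get("b2bCollaborationInbound") or default["b2bCollaborationInbound"]
    trust = partner.get("inboundTrust") or default["inboundTrust"]

    user_ok = _target_permits(collab["usersAndGroups"], user_id, "AllUsers")
    app_ok = _target_permits(collab["applications"], app_id, "AllApplications")
    if not (user_ok and app_ok):
        return {"allowed": False,
                "reason": "user blocked" if not user_ok else "application blocked"}

    # The local Conditional Access policy requires MFA and a compliant device.
    # A claim from the home tenant satisfies it only when the partner entry trusts that claim type;
    # otherwise the guest must complete the control again in the resource tenant.
    return {
        "allowed": True,
        "reason": "partner policy" if partner else "default policy",
        "needs_local_mfa": not (trust["isMfaAccepted"] and mfa_at_home),
        "needs_local_device_check": not (trust["isCompliantDeviceAccepted"] and compliant_at_home),
    }


if __name__ == "__main__":
    print(evaluate_inbound(PARTNER_AGENCY, "user-a", "app-grants-portal", mfa_at_home=True))
    print(evaluate_inbound("22222222-2222-2222-2222-222222222222", "user-b", "app-grants-portal"))
```

The deny-by-default posture is this example's choice; set the default section to match the agency's own cross-tenant access policy. The useful property to notice is that trusting a partner's MFA claim does not weaken enforcement: the control is still required, it is simply satisfied by the home tenant's claim instead of being repeated.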
Microsoft Defender for Cloud Apps scans firewall logs to detect cloud apps, infrastructure as a service (IaaS) services, and platform as a service (PaaS) services. Integrate Defender for Cloud Apps with Defender for Endpoint to include discovery data analyzed from Windows client devices. See Microsoft Defender for Cloud Apps overview.
Your apps might be in systems other than Microsoft, and Microsoft tools might not discover those apps. Ensure a complete inventory. Providers need mechanisms to discover applications that use their services.
Prioritize applications for connection
After you discover the applications in your environment, prioritize them for migration. Consider:
Part of centralizing an identity management system is enabling users to sign in to physical and virtual devices. You can connect Windows and Linux devices in your centralized Microsoft Entra system, which eliminates multiple, separate identity systems.
During your inventory and scoping, identify the devices and infrastructure to be integrated with Microsoft Entra ID. Integration centralizes your authentication and management by using Conditional Access policies with multifactor authentication enforced through Microsoft Entra ID.
Tools to discover devices
You can use Azure Automation accounts to identify devices through inventory collection connected to Azure Monitor. Microsoft Defender for Endpoint has device inventory features. Discover the devices that have Defender for Endpoint configured and those that don't. Device inventory can also come from on-premises systems such as System Center Configuration Manager or other systems that manage devices and clients.
Devices integrated with Microsoft Entra ID are hybrid-joined devices or Microsoft Entra joined devices. Separate device onboarding by client and user devices, and by physical and virtual machines that operate as infrastructure. For more information about deployment strategy for user devices, see the following guidance.
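The discovery sources above rarely agree with each other, so the practical step is to reconcile them: merge the Microsoft Entra device list, the Defender for Endpoint inventory and the on-premises management export on host name, then separate the devices still to be onboarded by client versus infrastructure, as the two paragraphs above describe. The following Python is an added example, not Microsoft code. All three inventories are constructed; the Entra records use the Graph device trustType values (AzureAd for Microsoft Entra joined, ServerAd for hybrid joined, Workplace for registered), while the Defender for Endpoint and Configuration Manager records use hypothetical field names. Treating server and Linux operating systems as infrastructure is an assumption for the example.

```python
"""Reconcile device inventories to find devices not yet integrated with Microsoft Entra ID.

Added example, not Microsoft code. All inventories below are constructed. The Entra
records use the Graph device trustType values (AzureAd, ServerAd, Workplace); the
Defender for Endpoint and Configuration Manager records use hypothetical field names.
"""
from collections import defaultdict

ENTRA_DEVICES = [  # constructed, modelled on Graph /devices records
    {"displayName": "LT-ALICE", "trustType": "AzureAd", "operatingSystem": "Windows"},
    {"displayName": "DT-BOB", "trustType": "ServerAd", "operatingSystem": "Windows"},
    {"displayName": "LT-CAROL", "trustType": "Workplace", "operatingSystem": "Windows"},
    {"displayName": "SRV-FILE01", "trustType": "ServerAd", "operatingSystem": "Windows Server"},
]
MDE_DEVICES = [  # constructed, hypothetical Defender for Endpoint inventory fields
    {"computerDnsName": "lt-alice.agency.example", "osPlatform": "Windows11"},
    {"computerDnsName": "srv-file01.agency.example", "osPlatform": "WindowsServer2019"},
    {"computerDnsName": "srv-web01.agency.example", "osPlatform": "Linux"},
]
CONFIGMGR_DEVICES = [  # constructed, hypothetical Configuration Manager export columns
    {"Name": "DT-BOB", "OperatingSystem": "Windows 10"},
    {"Name": "DT-DAVE", "OperatingSystem": "Windows 10"},
    {"Name": "SRV-WEB01", "OperatingSystem": "Ubuntu 22.04"},
    {"Name": "SRV-DB01", "OperatingSystem": "Windows Server 2022"},
]

# Only Entra joined and hybrid joined devices count as integrated; registered devices do not.
JOIN_STATE = {"AzureAd": "entra_joined", "ServerAd": "hybrid_joined", "Workplace": "registered_only"}


def host_key(name):
    """Normalise a host name or FQDN to an upper-case short name for matching across sources."""
    return name.split(".")[0].upper()


def is_infrastructure(os_name):
    """Assumption for the example: server and Linux operating systems are infrastructure."""
    os_lower = os_name.lower()
    return any(marker in os_lower for marker in ("server", "linux", "ubuntu"))


def reconcile(entra=ENTRA_DEVICES, mde=MDE_DEVICES, configmgr=CONFIGMGR_DEVICES):
    """Merge the three inventories on host name and record join state, MDE coverage and bucket."""
    devices = defaultdict(lambda: {"join_state": "not_integrated", "mde_onboarded": False,
                                   "os": "unknown", "sources": set()})
    for d in entra:
        rec = devices[host_key(d["displayName"])]
        rec["join_state"] = JOIN_STATE.get(d["trustType"], "not_integrated")
        rec["os"] = d["operatingSystem"]
        rec["sources"].add("entra")
    for d in mde:
        rec = devices[host_key(d["computerDnsName"])]
        rec["mde_onboarded"] = True
        if rec["os"] == "unknown":
            rec["os"] = d["osPlatform"]
        rec["sources"].add("mde")
    for d in configmgr:
        rec = devices[host_key(d["Name"])]
        if rec["os"] == "unknown":
            rec["os"] = d["OperatingSystem"]
        rec["sources"].add("configmgr")
    for rec in devices.values():
        rec["bucket"] = "infrastructure" if is_infrastructure(rec["os"]) else "client"
    return dict(devices)


def onboarding_backlog(report):
    """Devices still to be joined to Entra, split into the client and infrastructure waves."""
    backlog = {"client": [], "infrastructure": []}
    for name, rec in sorted(report.items()):
        if rec["join_state"] in ("not_integrated", "registered_only"):
            backlog[rec["bucket"]].append(name)
    return backlog


def mde_gaps(report):
    """Devices known to some inventory but not onboarded to Defender for Endpoint."""
    return sorted(name for name, rec in report.items() if not rec["mde_onboarded"])


if __name__ == "__main__":
    report = reconcile()
    print(onboarding_backlog(report))
    print(mde_gaps(report))
```

Matching on short host name is deliberately simple; in a real inventory, use a stable identifier (for example the device id recorded by both Entra and Defender for Endpoint) where one exists, and review the "registered_only" devices separately, since a registered device already has an Entra identity but is not yet managed by it.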