Top 8 Identity & Access Management Challenges with Your SaaS Applications

The Importance of Identity for SaaS Applications

The enterprise cloud revolution is here. IT organisations everywhere, from small and mid-sized businesses to Fortune 500 companies, are transitioning from on-premises software to on-demand, cloud-based services. As enterprise IT transitions to a new hybrid on-demand/on-premises configuration, controlling who is granted access to which applications becomes increasingly important. This presents CIOs and their teams with a whole new set of identity management challenges. In addition, users must keep track of multiple URLs, usernames, and passwords to access their applications. IT’s role is also fundamentally changing. As the steward of these new services, IT must provide insight and advice on Software-as-a-Service (SaaS) products to ensure the company maximises the business value of its investments.

Adopting and deploying cloud and SaaS applications raises eight primary Identity & Access Management (IAM) challenges. Each is described below, along with best practices for addressing it.

User Password Fatigue

Although the SaaS model initially makes it easier for users to access their applications, complexity increases rapidly with the number of applications. Each application has different password requirements and expiration cycles. The variety of requirements, multiplied by the variety of expiration cycles, results in diminished user productivity and increased user frustration as users spend time trying to reset, remember, and manage these constantly changing passwords across all their applications.

Perhaps of even greater concern are the security risks caused by the same users who react to this “password fatigue” by using obvious or reused passwords written down on Post-it notes or saved in Excel files on laptops. 

Cloud-based IAM services can alleviate these concerns by providing single sign-on (SSO) across all these applications, giving users a central point of access to all their applications with a single username and password. Better yet, a cloud-based identity management system can also enable various departments to manage identities for both on-demand and on-premises applications. 

The majority of enterprises use Microsoft Active Directory (AD) as the authoritative user directory, governing access to basic IT services such as email and file sharing. AD is often also used to control access to a broader set of business applications and IT systems. The right on-demand IAM solution should leverage Active Directory, allowing users to continue using their AD credentials to access SaaS applications. This increases the likelihood that users will discover the newest and best SaaS applications that their company provides.

Failure-Prone Manual Provisioning & De-provisioning Process

When a new employee starts at a company, IT often provides the employee with access to the corporate network, file servers, email accounts, and printers. Since many SaaS applications are managed at the department level (e.g., Sales Operations manages Salesforce.com, accounting manages QuickBooks, and marketing manages Marketo), access to these applications is often granted separately by the specific application’s administrator, rather than by a single person in IT.

Given their on-demand architecture, SaaS apps should be easy to centrally provision. A true cloud identity and access management service should be able to automate the provisioning of new SaaS applications as a natural extension of the existing onboarding process. When a user is added to the core directory service (such as Active Directory), their membership in specific security groups should ensure that they are automatically provisioned with the appropriate applications and granted the necessary access permissions.

Employee termination is almost certainly a bigger concern. IT can centrally revoke access to email and corporate networks, but it has to rely on external application administrators to revoke the terminated employee’s access to each SaaS application. This leaves the company vulnerable: critical business applications and data remain in the hands of potentially disgruntled former employees, and auditors will be looking for exactly these gaps in your de-provisioning solution.

A cloud-based IAM service should not only enable IT to add new applications automatically, but it should also provide: 

  • Automated user de-provisioning across all on-premises and all cloud-based applications
  • Deep integration with Active Directory
  • Clear audit trails

The IAM service should provide organisations with the peace of mind that, once an employee has left the company, the company’s data will not follow them.

Compliance Visibility: Who Has Access to What?

It’s essential to understand who has access to applications and data, where they are accessing it, and what they are doing with it. This is particularly true when it comes to cloud services. However, only the most advanced offerings, such as Salesforce.com, offer any compliance-like reporting, and even then, it’s siloed for just one application. 

To answer auditors who ask you which employees have access to your applications and data, you need central visibility and control across all your systems. Your IAM service should enable you to set access rights across services and provide centralised compliance reports on access rights, provisioning, de-provisioning, and user and administrator activity.
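An added example (not from the original article or any vendor's product) of the reconciliation that the de-provisioning and compliance sections above call for: it derives expected access from directory group membership and compares it with each application's own account list. The directory export, the group-to-application mapping and the account lists are constructed sample data, and all names are hypothetical.

```python
import csv
import io

# Constructed sample: export of the authoritative directory (bob has been disabled).
DIRECTORY_CSV = """user,enabled,groups
alice@example.com,true,Sales;AllStaff
bob@example.com,false,Sales;AllStaff
carol@example.com,true,Accounting;AllStaff
"""

# Hypothetical mapping from security group to the applications it grants.
GROUP_APPS = {"Sales": {"crm"}, "Accounting": {"ledger"}, "AllStaff": {"chat"}}

# Constructed sample: account lists as exported by each application's administrator.
APP_ACCOUNTS = {
    "crm": {"alice@example.com", "bob@example.com"},
    "ledger": {"carol@example.com", "dave@example.com"},
    "chat": {"alice@example.com", "bob@example.com"},
}

def load_directory(text):
    """Return {user: set(groups)} for enabled directory users only."""
    entitled = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["enabled"].strip().lower() == "true":
            groups = {g.strip() for g in row["groups"].split(";") if g.strip()}
            entitled[row["user"].strip().lower()] = groups
    return entitled

def expected_access(directory, group_apps):
    """Derive {app: set(users)} from each enabled user's group membership."""
    expected = {}
    for user, groups in directory.items():
        for group in groups:
            for app in group_apps.get(group, ()):
                expected.setdefault(app, set()).add(user)
    return expected

def reconcile(directory, group_apps, app_accounts):
    """Per app: accounts with no entitlement (revoke) and entitled users without one (provision)."""
    expected = expected_access(directory, group_apps)
    report = {}
    for app in sorted(set(expected) | set(app_accounts)):
        actual = {u.lower() for u in app_accounts.get(app, ())}
        want = expected.get(app, set())
        report[app] = {"revoke": sorted(actual - want), "provision": sorted(want - actual)}
    return report

if __name__ == "__main__":
    for app, result in reconcile(load_directory(DIRECTORY_CSV), GROUP_APPS, APP_ACCOUNTS).items():
        print(app, result)
```

The "revoke" lists surface both the disabled user who still holds application accounts and an account that never existed in the directory, which are the two cases a manual, per-application de-provisioning process tends to miss.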

Siloed User Directories For Each Application

Most enterprises have made a significant investment in a corporate directory, such as Microsoft Active Directory, to manage access to on-premises network resources. As organisations adopt cloud-based services, they need to leverage that investment and extend it to the cloud, rather than creating a parallel directory and access management infrastructure solely for those new SaaS applications.

A best-of-breed cloud-based IAM solution should provide centralised, out-of-the-box integration into your central Active Directory or LDAP directory, allowing you to seamlessly leverage and extend that investment to these new applications without requiring on-premises appliances or firewall modifications. As you add or remove users from that directory, access to cloud-based applications should be modified automatically, via industry standards such as SSL, without requiring any network or security configuration changes. Just set and forget.

Managing Access Across an Explosion of Browsers and Devices

One of the significant benefits of cloud applications is that access is available from any device connected to the Internet. However, the increase in apps means an increase in URLs and passwords, and the rise of mobile devices introduces yet another access point to manage and support.

IT departments must facilitate access across multiple devices and platforms without compromising security—a challenging feat with existing Identity and Access Management (IAM) systems. 

A cloud-based IAM solution should enable both users and administrators to address the challenge of accessing resources from anywhere, at any time and from any device. It should not only provide browser-based SSO to all user applications, but it should also enable access to those same services from the user’s mobile device of choice.

Keeping Application Integrations Up To Date

Truly centralising single sign-on and user management requires building integrations with numerous applications and keeping track of the maintenance requirements for new versions of each application. For the vast majority of organisations, having their IT department maintain its own collection of “connectors” across that constantly changing landscape is unrealistic and inefficient.

Today’s enterprise cloud applications are built with cutting-edge, Internet-optimised architectures. The modern web technologies underlying these applications provide excellent choices for vendors to develop their service and its associated interfaces. Unfortunately for IT professionals, this also means that every new vendor may require a new approach to integration, particularly in terms of user authentication and management.

In addition, like on-premises applications, SaaS apps change over time. A good cloud-based IAM solution should keep pace with these changes and ensure that application integration, and thus your access, remains up-to-date and functional. Your IAM service should mediate all the different integration technologies and approaches, making these challenges transparent for IT. As the various services and APIs change and multiply, the cloud IAM provider should manage these programmatic interfaces, offloading the technological heavy lifting from your IT department, which then no longer has to track dependencies between connectors and application versions.

This should also make adding a new application to your network as easy as adding a new app to your iPhone. With only minimal, company-specific configuration, you should be able to integrate new SaaS applications with SSO and user management capabilities within minutes.

Different Administration Models for Different Applications

As cloud applications become easier and less expensive to get up and running, companies are adopting more point SaaS solutions every day. These solutions are often managed by the corresponding functional area in a company, such as the Sales Operations group in the case of Salesforce.com. This can benefit IT, as it allows application administration to be handled by others, freeing up time. Still, it can also create a new problem because there is no central place to manage users and applications, or provide reports and analytics.

A cloud Identity and Access Management (IAM) service should provide IT with central administration, reporting, and user and access management across cloud applications. Additionally, the service should include a built-in security model to provide the appropriate level of access to application administrators, allowing them to manage their specific users and applications within the same Identity and Access Management (IAM) system.

Sub-Optimal Utilisation & Lack of Insight Into Best Practices

One reason for the rise of cloud applications is that monthly subscription models have replaced the upfront lump sum required for purchasing old, on-premises software licenses. CFOs prefer to pay for the services that employees use as they go. With no centralised insight into usage, however, IT and financial managers cannot effectively manage these subscription purchases and have little idea whether they are paying for more than they use.

A cloud-based IAM service should provide accurate visibility into seat utilisation and help IT optimise SaaS subscription spend. Managers should have real-time access to service utilisation reports. In addition, by superimposing access trends to various applications across top employee performers, corporate executives should be able to utilise a centralised user management service to record and promote employee best practices. 

Addressing These Challenges With Microsoft Entra ID

Microsoft Entra ID (formerly Azure Active Directory) is an enterprise-grade identity and access management (IAM) service, purpose-built for the cloud with deep integration across Microsoft environments. It delivers comprehensive directory services, single sign-on, strong authentication, user provisioning, governance automation, and built-in reporting — all with a focus on security, productivity, and compliance.

Organisations worldwide rely on Microsoft Entra ID to manage access across applications, users, and devices, helping them strengthen their security posture, enhance workforce productivity, and meet complex regulatory requirements.

Microsoft Entra ID can be used to manage access across all applications and services. If you’re just beginning your Entra journey for SaaS or cloud services, it offers:

Users: Seamless Access Across All Applications

Adding new users to Microsoft Entra ID is as intuitive as managing users in any modern platform. Once provisioned, users gain a personalised portal that offers single sign-on (SSO) across all connected applications. This unified access can be leveraged across browsers and devices, with the option to embed specific applications into custom portals that match your business branding.

Self-service capabilities empower users to manage their credentials and request access to applications, thereby reducing IT support overhead and enhancing the user experience.

Administrators: Unified Management Across People, Apps and Devices

For IT administrators, Entra ID provides a unified control plane for managing users, applications, devices, and access policies across cloud, hybrid, and on-premises environments. A centralised directory offers full visibility into identities and their associated access rights across the digital estate.

Onboarding new applications is streamlined through an extensive gallery of pre-integrated SaaS applications. Entra’s identity governance tools enable policy enforcement, automate joiner-mover-leaver (JML) processes, and facilitate risk-based conditional access enforcement.

Executives: Visibility to Maximise ROI and Minimise Risk

Microsoft Entra ID provides a centralised audit log and monitoring platform, capturing a rich set of identity events across the organisation. Out-of-the-box reporting and security insights, integrated with tools like Microsoft Sentinel, help leadership teams monitor user activity, compliance status, and application usage.

These insights not only simplify regulatory audits and reporting but also highlight the value delivered by modern identity-driven security strategies, aligning cyber security directly with business outcomes.