Credit to Author: Todd VanderArk| Date: Thu, 13 Feb 2020 17:00:02 +0000
Today, we have another interesting story for the Voice of the Customer blog series. Tony Miller and Jon Sider of Mattress Firm deployed Azure Active Directory (Azure AD) to create a secure authentication experience for employees, including their Firstline Workforce. Much like sleep and a good mattress provide the foundation for a productive and enjoyable life, Tony and Jon show how Azure AD provides the secure foundation for a connected omnichannel experience. They were able to cut internal costs, quickly onboard their Firstline Workers, connect their employees to each other, and deliver a better authentication experience.
Read more from Tony and Jon to learn how you can use Azure AD to improve your customer experience.
Azure AD simplifies user provisioning and protects Firstline Workers’ identities
As America’s largest specialty mattress retailer, Mattress Firm aims to deliver a personalized experience to all our customers no matter how they interact with us. An exceptional customer experience requires a connected workplace. When a customer makes a purchase online and then visits a store for a second purchase, our sales associates, or “Firstline Workers,” should understand their full story and total lifetime value. If a customer needs to change the delivery time of a mattress, it should be easy for a customer services rep to contact the driver and reschedule the delivery. These connection points are invisible to the customer but can turn an ordinary interaction into a great one. To help us realize this aspiration, we deployed several Microsoft 365 products—one of which was Azure AD—to securely and simply unite communication across corporate and all the stores.
The foundation of strong cross-company collaboration is secure and simple user authentication. Our sales associates access several different software-as-a-service (SaaS) and on-premises apps to communicate and complete tasks. Many of these apps require a separate account, which meant users signed into multiple accounts throughout the day. We were concerned that some were reusing passwords, opening us up to risk. Our identity team was also overburdened. They were responsible for setting up accounts for each user, updating permissions as needed, and revoking accounts when users left the company. To resolve these challenges, we deployed Azure AD, which allowed us to decrease the size of the identity team, deliver a simpler user access experience to our employees, and gain more visibility into security threats.
Migrated identity and access management from Okta to Azure AD
Before we selected Azure AD, we investigated various identity and access management (IAM) options. We had previously deployed Okta, which fulfilled many of our requirements. However, we were simultaneously increasing our investment in Microsoft 365. We reviewed both Okta and Azure AD and discovered that Azure AD delivers better controls and security for Office 365 and its data than Okta at a much lower cost in addition to single sign-on (SSO) to other applications. At that point it was an easy sell, and we migrated all our users to Azure AD.
Decreased the size of the identity team
We are a large company with over 8,500 employees, stores in 49 states across the country, and 73 distribution centers across the biggest markets. Our physical footprint allows us to deliver a mattress within an hour to 89 percent of the population. Like many retailers we have a lot of employment churn. Each day, we process between 10-100 user identity status changes. Before Azure AD, a team of 12 people were responsible for provisioning the right accounts and access to each user. Twelve people is a large team, but it was required because for each change—whether that was a new hire, a promotion, or someone leaving the company—an identity team member needed to manually grant access or change privileges to them one at a time. This took a lot of time, and it was error prone.
Once we deployed Azure AD and set up automated provisioning, the onboarding process sped up significantly. Today, someone in human resources sets up a new employee in our HR system and within four hours the employee is onboarded to all their accounts. Our Identity Manager was able to redeploy most of the people on the provisioning team to higher priority work. Now there are just two people who manage the environment. We’ve realized a huge costs savings from this transition—about $500,000 per year in hard dollars, but tons of soft costs saved!
Azure AD automated provisioning simplifies the process of provisioning the right access and applications to each user.
Delivered a simpler and more secure user access experience
Our users have also benefited from the rollout of Azure AD and automated provisioning. We enabled SSO so users can sign in once and access all the apps they need for work. We integrated Azure AD with about 40 apps, including Workday, Back Office, Salesforce, our VOIP administrator, Citrix, Tools video, Microsoft Dynamics 365, Concur, Tableau, WebEx, our benefits portal, our 401K provider, and all the Office 365 apps. Our employees love the new process. It is now rare that they must use another account to access work apps.
With Azure AD SSO, users sign in once and have access to all their apps.
Azure AD has also given us peace of mind. Our customers provide a full set of information when they purchase a mattress from us. They trust us to protect their first-party data. Azure AD offers tools to better safeguard our identities. We control access to the first-party data based on employment status. We also enabled Multi-Factor Authentication (MFA) to Workday and off-premises sign-ins. That means whenever a user attempts to sign in to Workday or if they attempt to access any other system from off-site, we force a second form of authentication. Users get a secure code from the Microsoft Authenticator app, which validates their identity with Azure AD. This significantly reduces our security risk, and employees find it easy to use—a win for everybody.
We also enabled conditional access policies to reduce or block access when sign-in circumstances are risky. For example, Azure AD can evaluate the riskiness of a client app or the location of a user trying to gain access. If the risk is high enough, we can block access or force a password reset to confirm identity. Another good example of our conditional access approach is the leave of absence policy. While users are on a leave, we limit the apps they can access to the ones they really need: Workday and our benefits portal. These flexible, customizable policy strike the right balance between enabling productivity while minimizing our exposure.
Azure AD can evaluate user and location, application, device, and real-time risk before allowing access.
Improved threat visibility
Security doesn’t end with our access policies. Azure AD also provides tools that Security Operations (SecOps) use to better understand security incidents. The Azure AD authentication logs and the Office 365 application access information provides useful insights. We now better understand when users try to access applications with VPNs or from unauthorized networks. This intelligence informs our security strategy and policies.
Azure AD has provided the foundation for a secure and connected employee experience. As we operationalize communication tools like Microsoft Teams, we are confident that the information that employees share is less likely to get compromised. Employees are empowered to work together to meet and exceed customer expectations. We rest easy because our customer data is more secure.
Azure Active Directory
Protect your business with a universal identity platform.
I hope you’re able to apply Mattress Firm’s learnings to your own organization. For more tips from our customers, take a look at the other stories in the Voice of the Customer blog series. Also, check out the Mattress Firm case study to see how other Microsoft 365 solutions have helped them improve the customer experience.
Here are several additional resources: