Struggling to deliver multifactor authentication
SaaS deployments come with risk, and CONA wanted to make sure that every user who accesses an SaaS application is protected with multifactor authentication. In early 2020, CONA gave bottlers the news that it would require Azure AD multifactor authentication registration for all users in April 2020. “Our business applications were largely on-premises until 2019, and we didn’t have a large SaaS footprint then,” explains Campbell. Bottling company employees previously accessed on-premises apps with local credentials or Active Directory Federation Services, which simplified management across multiple bottling companies. But CONA Services found that the setup couldn’t enable multifactor authentication.
The company decided to use Azure AD for its upcoming deployment of major SaaS applications. “This gave us a pathway to multifactor authentication and the ability to use B2B guest features,” says Campbell. “However, it created a need for multiple multifactor authentication registrations.” If bottlers also enabled multifactor authentication for their environments, new employees had to register for it both with their company tenant and with the CONA tenant, creating frustration for users and a complicated support scenario for IT. That frustration worried CONA. Additionally, it wanted to direct IT time toward more value-added work, but the hundreds of access-related help desk tickets it received every month confined its skilled workers to repetitive, time-consuming tasks.
Karthik Cherukuru, Identity and Access Developer and Analyst at CONA Services, is part of the team that provides access for bottler users like the sales associates and delivery drivers who distribute Coca-Cola products all over North America. Those users can’t function without systems access to perform operations like entering orders or completing deliveries. Cherukuru experienced their exasperation firsthand whenever he helped users who upgraded their mobile devices. “In some cases, resetting multifactor authentication for a new device would take about four days,” he says. “That was partly because the support ticket took two days to get to us from the guest user’s tenant. It was very painful for everyone.”
That pain had far-reaching impact. “Our bottlers’ products can’t be sold and delivered if users can’t access the system,” explains Andreea Ursu, Director of Identity and Access Management at CONA Services. “Our team could work with them to ensure access, but when bottlers encounter that kind of difficulty, it damages their confidence in us and can undermine our efforts to deliver highly secure solutions.” That loss in confidence threatens the goodwill on which CONA Services had been built and creates the risk of bottlers losing business.
With security as the cornerstone of everything it does, CONA made it a top priority to better manage user identities for both the bottlers’ employee and guest accounts. But the company lacked a good way to verify that reset requests came from their bottlers’ users, which introduced another risk. And with its large customer base’s need for always-on performance, the company also wanted to create a seamless user experience.
Support for multifactor authentication resets became a demanding job for Ursu’s team throughout major deployments and into the first days of 2022, with up to 1,500 support tickets per month. Assessing the features in Azure AD, the CONA Services IT team found strong incentive to hasten adoption.
The CONA Identity and Access Management team first set up administrative units—a mechanism that lets admins at the bottlers quickly handle their own multifactor authentication requests without going through CONA. This worked well: these admins could determine in which tenant the issue existed and take action with the user without opening a secondary CONA ticket. The team then set up cross-tenant access policies, a long-awaited feature, easing the transition for users through multifactor authentication rules that didn’t force them to register for multifactor authentication in the resource tenant. This enabled bottler users to have one multifactor authentication registration for their local and CONA applications. Now, B2B guest users seamlessly access applications across both tenants, significantly reducing user confusion and the need for admin intervention.
Help desk tickets decreased dramatically following the adoption. When cross-tenant access policies were fully deployed to all bottlers in July, multifactor authentication–related tickets dropped to 36, and monthly help requests are now in the single digits. The reason for that dramatic improvement is no mystery—users who need to reset their multifactor authentication registrations now have more options to self-recover, and if they’re still stuck, they only have to open a single ticket on their home tenant.
That simplicity has created change throughout the entire CONA network and the companies it supports. “We’ve saved hundreds of hours in lost work time since rolling out cross-tenant access policies in Azure AD,” says Campbell. Adds Cherukuru, “The reduction of support tickets every month from hundreds to single digits is a great win for our team. Now, we can focus on other security initiatives and help with new systems that can further the business.” All 85,000 CONA users are now required to use multifactor authentication with Azure AD, accessing 158 enterprise applications with a frequency of about 2 million monthly sign-ins.
Campbell appreciates the efficiency of a connected set of Microsoft solutions. “We enjoy all the benefits of our relationship with Microsoft and use its solutions to cover many of our business, productivity, and security needs,” he says. “Our bottlers use Microsoft 365 and other Microsoft solutions, so adopting Azure AD as our primary cloud directory was our avenue to bring guest users into a common resource tenant. That enhances our ability to use single-tenant applications across multiple legal entities.”
The new identity policies are sparking vigor in the CONA Services IT department. “Our team is learning so many new things because we have the time to attend Microsoft learning sessions,” says Cherukuru. “By using cross-tenant access policies, we’ve made it possible to repurpose our support team to bring new value to our customers.” Campbell reflects on the changes that have rippled through CONA and all the companies it supports. “Everyone is starting to see overall benefits,” he says. “From a user experience perspective, there are even more advantages.” With less time spent on mundane tasks like responding to help desk tickets, the team can devote more time to meaningful research on new innovations. Campbell hopes to bring passwordless ease to bottlers and B2B guest users for even greater convenience. But security-focused CONA prizes the safety gains most. “We’ve freed so many hours through our Azure Active Directory adoption,” concludes Campbell. “Most of all, we’ve enhanced security by reducing complexity, and we’ve set the stage for our next steps in user experience improvements.”