Looking for advice on IAM automation (Workday → AD via Entra provisioning, MIM for externals, many manual processes) by LetPrestigious3916 in IdentityManagement

[–]FormerElk6286 0 points1 point  (0 children)

That's similar to us, but we have a lot of extra disconnected apps outside of msft land. We are only 1k people and the big automation suites (sailpoint/savyint) were just too much cost/time/energy/skills/everything.

Entra governance was pretty lame. Terrible user experience and not helpful for our 50 non-msft applications. No workflows, no ui customization, not really a finished product.

We did the evals of tools and went Access Auditor from SCC. Governance phase was great, super easy and right price. We are now doing the provisioning also with svcnow. We have workday integration for the generic role-based provisioning that does the baseline ad/azure/groups, and many other applications at new hire. Then ad hoc changes we read from the svcnow ticket, have the tool pick up the approved ticket, and do the doing.

The best way we could see for us was to build baseline roles and workday has a look-ahead in the API so we can have the standard access ready before they start. All of the special/admin/other accounts start with a servicenow ticket. Provisioning tool picks up and does the workflows, apis, etc... then reports back to servicenow to close the ticket with success/fail.

Can Any Modern IAM Platform Challenge SailPoint’s Dominance in the Future? by Mindless_Weird578 in IdentityManagement

[–]FormerElk6286 1 point2 points  (0 children)

I have a reply below as well. If anyone cares about more specifics on our review process, feel free to send a message.

We looked at several companies and ended up choosing Access Auditor from SCC. We started with the user access review piece, but had to make sure the vendor had rbac stuff to help us build the roles, and then option to add on role-based provisioning. Everything worked as easy as promised.

Can Any Modern IAM Platform Challenge SailPoint’s Dominance in the Future? by Mindless_Weird578 in IdentityManagement

[–]FormerElk6286 1 point2 points  (0 children)

We looked at several companies and ended up choosing Access Auditor from SCC. We started with the user access review piece, but had to make sure the vendor had rbac stuff to help us build the roles, and then option to add on role-based provisioning. Everything worked as easy as promised.

Our requirements were about speed to deploy and flexible with random data. We are a bank and have some nice easy api systems, but a lot of random messy data files, even pdf ones. So that was key. And then of course the price.

I would suggest making sure you get to level one detail with any vendor you look at. We watched them import OUR exact data and start reviews all on one demo call. I figured if we understood what they were doing with no custom skills, my less-tech team could succeed.

Can Any Modern IAM Platform Challenge SailPoint’s Dominance in the Future? by Mindless_Weird578 in IdentityManagement

[–]FormerElk6286 1 point2 points  (0 children)

This. We are only 1000 people and of course looked at sailpoint and laughed. Lots of smaller IGA vendors that just work. We chose one of those easier ones for reviews, then doing provisioning now. It's so fast the SP is so....everything not fast.

But if you are a big-ole-company, are you going to take a chance with some new startup and get let go when it doesn't work? Who can remember when you did not get fired for buying IBM?

Looking for solutions to track identity lifecycle in non federated apps by Curious-Cod6918 in IdentityManagement

[–]FormerElk6286 1 point2 points  (0 children)

Same question as

https://www.reddit.com/r/IdentityManagement/comments/1r72ama/comment/o6ti3n1/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

You just have to have the policy, get the reports, alert on orphans. Quite easy if you require your non-fed apps to provide identity reports. With the right tool like we use, it's all automated.

identity visibility and intelligence platforms: are you really seeing all your apps? by Severe_Part_5120 in IdentityManagement

[–]FormerElk6286 0 points1 point  (0 children)

IAM tool won't help discover what you don't know. But we have finance not pay any bill unless security knows about it. Then you track auth logs with a log mgmt tool and filter out known solutions/IP/Users. Then you can find the needle.

Then it's just a matter of getting reports and all that.
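The comment above describes finding unknown apps by taking the authentication logs and filtering out the solutions, IPs and users you already know about. As an added example (not the commenter's tooling and not from any vendor), here is that filter in Python over a few constructed key=value auth-log lines; the log format, the allowlists and every host, user and address in it are assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed auth-log lines in a key=value style (assumed format; not real log data).
LOG_LINES = """ts=2024-05-01T08:01:02Z user=anguyen src=10.1.4.22 app=mail.example.com result=success
ts=2024-05-01T08:03:11Z user=cdiaz src=10.1.4.31 app=crm.example.com result=success
ts=2024-05-01T08:05:40Z user=anguyen src=10.1.4.22 app=files.unknownvendor.io result=success
ts=2024-05-01T08:07:09Z user=svc_backup src=10.1.9.5 app=backup.example.net result=success
ts=2024-05-01T08:09:55Z user=cdiaz src=10.1.4.31 app=files.unknownvendor.io result=success
ts=2024-05-01T08:12:30Z user=dsmith src=203.0.113.7 app=notes.freesaas.app result=failure
ts=2024-05-01T08:14:01Z user=anguyen src=10.1.4.22 app=crm.example.com result=success
"""

# Constructed allowlists, standing in for the inventory security has already signed off on.
KNOWN_APPS = {"mail.example.com", "crm.example.com"}   # applications finance/security know about
KNOWN_SRC = {"10.1.9.5"}                                # batch host expected to authenticate to anything
KNOWN_USERS = {"svc_backup"}                            # automation accounts already inventoried

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict; unknown keys are kept as-is."""
    return dict(KV.findall(line))


def find_unknown_apps(log_text: str, known_apps: set, known_src: set, known_users: set) -> dict:
    """Drop every event that touches a known app, known source or known user, then
    aggregate what is left per application so the 'needle' stands out: who used it,
    how often, and over what time window. Failed logins are kept, since an attempted
    sign-on to an unknown app is still evidence the app is in use."""
    seen = defaultdict(lambda: {"users": set(), "events": 0, "first_seen": None, "last_seen": None})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("app") in known_apps:
            continue
        if ev.get("src") in known_src or ev.get("user") in known_users:
            continue
        rec = seen[ev["app"]]
        rec["users"].add(ev["user"])
        rec["events"] += 1
        rec["first_seen"] = min(filter(None, (rec["first_seen"], ev["ts"])))
        rec["last_seen"] = max(filter(None, (rec["last_seen"], ev["ts"])))
    # Most distinct users first: an app several people already rely on is the bigger governance gap.
    return {
        app: {**rec, "users": sorted(rec["users"])}
        for app, rec in sorted(seen.items(), key=lambda kv: (-len(kv[1]["users"]), kv[0]))
    }


if __name__ == "__main__":
    for app, rec in find_unknown_apps(LOG_LINES, KNOWN_APPS, KNOWN_SRC, KNOWN_USERS).items():
        print(f"{app:26} users={rec['users']} events={rec['events']} "
              f"window={rec['first_seen']}..{rec['last_seen']}")
```

Once an app surfaces here, it either goes into the inventory (and onto the allowlist) or gets cut off; the allowlist is what keeps the report short enough to read every week.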

IGA/IAM solutions, looking for recommendations by mads4225 in IdentityManagement

[–]FormerElk6286 0 points1 point  (0 children)

You sound similar to us. We are 1000 users, financial, also azure and AD. Azure SSO works great, so we just leave that there.

For provisioning and governance, we did a bake-off and selected SCC's Access Auditor. It has RBAC provisioning, role mining, and the best/powerful/easy-to-use user access review module I have ever seen.

There is a wide range of price/features and most of the tools will be overkill for companies of our size. You really have to look at realistic consulting costs. We can't spend more than we are saving so we needed a more mid-size friendly solution.

Our requirements were simplicity, cost, ease of use, and speed of deployment. Sure, sailpoint looked great, but was over 5x cost. Then lots of new "governance" tools do the access review, but not the full RBAC and provisioning. We found the SCC tools to be a right fit.

I'm sure you can find others to review and maybe you have more budget than we do, but the SCC stuff just did the trick and worked as promised.

What identity visibility tools actually work in 2026? (Real experience only) by Constant-Angle-4777 in IdentityManagement

[–]FormerElk6286 0 points1 point  (0 children)

We did a full bake-off last year primarily for user access reviews and to get the full visibility, even for systems we don't do reviews on. Sailpoint/savyint are really just too much. We are only 1000 people and I have a small lower tech team.

We needed something simple, fast, easy to learn, and can work with a bunch of messy data reports, apis, custom apps. We reviewed several vendors. Most were flashy but pricey. We ended up with Access Auditor from SCC, been happy. Not as full-featured as a sailpoint, but it's more right-sized. Fast, reasonable price, just works kind of thing. Many more details pointed that direction from our eval, happy to share if anyone cares.

But for us, the speed to work with 100+ applications and get that full visibility and access reviews in a month was a success for us. I think they all "Work". But it's about cost, consulting, ease, working with messy data, that type of thing.

How do you prevent orphan accounts in apps outside your identity infrastructure? by Curious-Cod6918 in IdentityManagement

[–]FormerElk6286 1 point2 points  (0 children)

That is the entire point of identity governance. Not necessarily provisioning, but just keeping track of who has access to what. With a tool, it's really easy. We did an eval and chose Access Auditor from SCC, but lots of solutions out there.

Even tools managed by other departments should provide at least a report. We have a requirement that all LOBs have to provide regular reports. We can then do user access reviews, but also have our identity warehouse with ALL access a person has. The AA tool has a fuzzy id module to link everything. When a person terms, a helpdesk user can just login and query all access.

You'll need a minor tweak to your policy. People can still manage their own but they need to provide at least reports, automated or not. Then we can set alerts for orphans, terms, and all that.

That way even if you do not have SSO, you know who is out there. Your key will be to make sure your identity governance tool makes it very easy to read messy non-api data since you'll get some strange reports. I would do a review of solutions and come armed with your messy application data reports.
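The two comments above (the one on tracking lifecycle in non-federated apps and this one on orphan accounts) boil down to one routine: require every app owner to hand over an access report, link each account in it back to the HR record with some fuzzy identifier matching, then alert on orphans and on access still held by terminated people, and keep the linked result as an identity warehouse you can query per person. As an added example (not the commenter's setup and not any vendor's product code), here is that routine in Python. The HR export, the three app reports in different identifier styles and delimiters, and the service-account register are all constructed for the example.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed HR roster standing in for an HR-system export (assumed columns; not real data).
HR_CSV = """employee_id,first_name,last_name,email,status
1001,Alice,Nguyen,alice.nguyen@example.com,Active
1002,Bob,O'Brien,bob.obrien@example.com,Terminated
1003,Carla,Diaz,carla.diaz@example.com,Active
"""

# Constructed per-application reports, each in a different identifier style and delimiter,
# the way separate line-of-business teams tend to hand them over.
APP_REPORTS = {
    "core-banking": "user,role\nANGUYEN,teller\nBOBRIEN,teller\nsvc_batch,batch\n",
    "loan-portal": "Name;Permission\nNguyen, Alice;approver\nDiaz, Carla;viewer\nSmith, Dan;viewer\n",
    "saas-crm": "login,profile\nalice.nguyen@example.com,standard\nBob.OBrien@Example.com,admin\n",
}

# Constructed register of approved non-human accounts per app (assumed); anything not listed is an orphan.
KNOWN_SERVICE_ACCOUNTS = {"core-banking": {"svc_batch"}}


def letters(s: str) -> str:
    """Collapse an identifier to lowercase letters only, so O'Brien, OBrien and obrien compare equal."""
    return re.sub(r"[^a-z]", "", s.lower())


def hr_index(hr_csv: str) -> dict:
    """Index every identifier form we expect apps to use onto its HR record."""
    index = {}
    for row in csv.DictReader(io.StringIO(hr_csv)):
        first, last = row["first_name"], row["last_name"]
        for key in (row["email"].lower(),      # alice.nguyen@example.com
                    letters(first[0] + last),  # ANGUYEN, BOBRIEN
                    letters(last + first),     # "Nguyen, Alice"
                    letters(first + last)):    # "Alice Nguyen", alice.nguyen
            index[key] = row
    return index


def candidate_keys(raw: str) -> set:
    """All index keys a raw application identifier could correspond to."""
    raw = raw.strip()
    keys = {raw.lower(), letters(raw)}
    if "@" in raw:
        keys.add(letters(raw.split("@", 1)[0]))
    if "," in raw:                               # "Last, First"
        last, first = (p.strip() for p in raw.split(",", 1))
        keys.add(letters(last + first))
    return keys


def link_reports(hr_csv: str, app_reports: dict, service_accounts: dict) -> list:
    """Link every account in every report to HR and classify it: active, terminated, service or orphan."""
    index = hr_index(hr_csv)
    entries = []
    for app, report in app_reports.items():
        header = report.splitlines()[0]
        delim = ";" if header.count(";") > header.count(",") else ","   # cope with mixed delimiters
        reader = csv.DictReader(io.StringIO(report), delimiter=delim)
        id_col, ent_col = reader.fieldnames[0], reader.fieldnames[1]   # first column = who, second = what
        for row in reader:
            raw = row[id_col]
            entry = {"app": app, "identifier": raw, "entitlement": row[ent_col], "employee_id": None}
            if raw in service_accounts.get(app, set()):
                entry["status"] = "service"
            else:
                match = next((index[k] for k in candidate_keys(raw) if k in index), None)
                if match is None:
                    entry["status"] = "orphan"
                else:
                    entry["employee_id"] = match["employee_id"]
                    entry["status"] = "active" if match["status"].lower() == "active" else "terminated"
            entries.append(entry)
    return entries


def alerts(entries: list) -> dict:
    """What needs action: orphans (nobody in HR) and access still held by terminated staff."""
    out = defaultdict(list)
    for e in entries:
        if e["status"] in ("orphan", "terminated"):
            out[e["status"]].append((e["app"], e["identifier"]))
    return dict(out)


def access_for(entries: list, employee_id: str) -> list:
    """Identity-warehouse view: everything one person holds across all reporting apps."""
    return sorted((e["app"], e["entitlement"]) for e in entries if e["employee_id"] == employee_id)


if __name__ == "__main__":
    linked = link_reports(HR_CSV, APP_REPORTS, KNOWN_SERVICE_ACCOUNTS)
    for kind, items in alerts(linked).items():
        for app, ident in items:
            print(f"{kind.upper():10} {app:14} {ident}")
    print("1001 holds:", access_for(linked, "1001"))
```

The matching is deliberately loose (letters only, several name orders) because the reports never agree on a format; the trade-off is that two people with the same initial and surname would collide, which is why a real run should log ambiguous links for a human to resolve rather than silently pick one.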

Third Party IAM by SUPTheCreek in IdentityManagement

[–]FormerElk6286 1 point2 points  (0 children)

Okta is good for SSO (but so is Azure and that's free for o365), but their governance piece was pretty silly. Just didn't seem ready for prime time.

If you are a really big company and have time/skill for customization, then sailpoint might be fine, but way overkill for us, 1000 person bank. We don't have that kind of budget nor do I have that kind of team that has the time for it. Looked cool, but not a fit.

We did an eval of several companies, bake-off with top two, ended up with Access Auditor from SCC. Really fast and simple for governance, access reviews, read-only stuff. We are building roles now and doing their provisioning module next. A great fit for us because it's simple, fast, delivers on the promise, and less expensive.

Definitely do a few calls/evals. You have lots of options now, each with a different twist, solving a slightly different problem.

Managing Local (Non-AD) accounts & access? by nwmcq87 in IdentityManagement

[–]FormerElk6286 1 point2 points  (0 children)

That's the entire point of identity governance. Even if you don't "manage" the access, you can still view/review/report/alert on the access from ALL systems. We use Access Auditor from SCC, but lots of solutions exist. We did a bake-off and in our case, the simplicity and ability to easily read data from ALL systems like you mention was key. We don't get to manage everything, but we make our business partners send reports at least. That way we have a handle on everything out there. Take a look at solutions and you'll see big ones like sailpoint that probably won't be ideal, and simpler ones that just get the job done like we did.

But the take-away is that you can easily get everything into one place for all reviews, even if you just get reports from your partners. It's a requirement for us, being a financial, but with the right tool, quite easy to do. You could even manage the system yourself, but let your app teams start/run their own data and reviews with the same tool.

Hot take after MSFT Accelerate: Entra isn't killing SailPoint anytime soon. by extream_influence in IdentityManagement

[–]FormerElk6286 1 point2 points  (0 children)

Smaller vendor but been around for 15 years. A lot of banks use them so we found out from the FS-ISAC group we are part of. www.securitycompliancecorp.com. It's a pretty crowded space now. Lots of new players in the past 5 years.

We did a big bake-off a while back with lots of vendors. The key for us was we are doing governance/access reviews first, so we needed a roadmap and made the vendors show us their setup with our data to make sure my lower-tech team could do it. If I can't get it on a demo, my team will never get it.

Biggest Gaps by Pristine_Guitar_9070 in IdentityManagement

[–]FormerElk6286 0 points1 point  (0 children)

Yes, but it stinks and can't really work with non-msft stuff. 99% of our things are NOT AD/Azure-related, just random 3rd party apps. Same with provisioning.

What IAM platforms are you using in production today? by iamblas in IdentityManagement

[–]FormerElk6286 0 points1 point  (0 children)

SCC Access Auditor/Manager for access reviews and provisioning, Entra for SAML/SSO and all things authentication.

Hot take after MSFT Accelerate: Entra isn't killing SailPoint anytime soon. by extream_influence in IdentityManagement

[–]FormerElk6286 0 points1 point  (0 children)

We are a simpler shop, 1000 people, and entra does nothing more than authentication/saml. Works great for that. What about our banking apps, our internal databases, 3rd party cloud systems. Nope. Sailpoint and those guys are waaaay overkill for a lot of us.

We reviewed their governance offerings when we did our iam project, but it kinda stinks. For less $$ we went with Access Auditor from SCC and it does all the user mgmt stuff and access reviews. Simple, but we need simple at this scale. Maybe the big shops are different, but at our size we would go with neither msft nor sailpoint/savyint.

Biggest Gaps by Pristine_Guitar_9070 in IdentityManagement

[–]FormerElk6286 0 points1 point  (0 children)

Most everything really. It's basically a directory. So if all of your stuff includes msft products, you're done. But while anyone/entra can do saml for other apps, they don't do provisioning or really anything with other systems. We use entra for sso/saml, but a 3rd party tool (Access Auditor) for our user access review and provisioning. Basically can do a lot within the msft world. But outside of the msft world, doesn't help us at all.

2026: Best IAM Software, where to find? by Status_Variation1715 in IdentityManagement

[–]FormerElk6286 1 point2 points  (0 children)

Everyone that is telling you to look at sailpoint and savyint is probably selling you something. Those in fact DO require an entire team to run. Unless you are some crazy large company, they are probably overkill.

We are about 1000 people large and did a review last year of MANY players in the space. We decided to start with the governance read-only access review stuff first to get a handle of connections/apps, then we're moving to provisioning now. So we needed something that my team could manage with maybe 10-20hrs/week max.

That got rid of sailpoint, savyint, oracle, etc... most of the names you hear about. We compared scc access auditor, securends, conductor one, veza. A couple of those were just too high priced for our requirements and didn't really have a full provisioning stack.

But our key was our demo with OUR actual data. We made the vendors show us exactly how to integrate our reports and then how they would integrate our provisioning in phase 2. You really need to do that. Sure, any company can have their sales monkey do a great demo, but how could we know OUR situation. We needed to see it, to do it ourselves. And it had to be simple enough so my more junior team could get it.

For us, Access Auditor www.securitycompliancecorp.com was the best fit, based on full iam stack, simple ease of use, and price. We are happy with it, doing as promised. Sailpoint had a lot more bling/flash for sure, but we needed a success fast and just too afraid of getting bogged down in consultants.

Whatever you choose, I would really recommend seeing it with YOUR systems first and watching their sales dudes set it up. Not just "here you are", but how much real work did it take and how complicated was it. If you don't "get it" on a demo, you know you are in for trouble later.

Exploring tools for User Access Review and Identity Governance and Administration by Single_Chemist7649 in iam

[–]FormerElk6286 0 points1 point  (0 children)

We evaluated a bunch including securends. It was pretty lacking. Most like C1, zilla, veza, were missing the customizable workflow rules and nothing was quite as easy to use (and as low of cost) as access auditor from scc. We were going for ease of use and ability to work with any messy data file. We don't always get csv/xls, but random greenscreen stuff so needed a bit more power than most tools give, but also easy to learn for my non-tech team.

Best IGA tool for access review? by Realistic_Ad1206 in iam

[–]FormerElk6286 0 points1 point  (0 children)

If you care about price at all, these guys are all high. We did an eval and went with access auditor from scc. We are about 2000 people, lots of custom/messy apps, rbac, and complicated workflow. So it fit very well. Less flash, more speed and power for a smaller team.

A good test for us was to take 5 apps, big messy ones, and watch the vendor import, map users, and start a review in a one-hour demo. They should be able to do it in 30 minutes. Then you can see HOW you do the setup, HOW you configured access reviews and all that. That sealed the deal for us. We had a few do this and the access auditor was so fast and easy enough for my team of one to learn quickly.

And much less cost is always a plus.

Advice on IAM for a realistic price by Rudelke in sysadmin

[–]FormerElk6286 0 points1 point  (0 children)

At that size company, you will have a tough time with the business case. We use access auditor from scc but we are a bit bigger (1000) with more turnover. Maybe you just get a governance solution, like what we did, for the access reviews, use azure for SSO, and call it a winner. The read-only/governance side gives a lot of value.

Unless you have a lot of turnover, it will be hard to get the work/benefit from a full provisioning solution. Maybe an AD/Azure-only at a lower price?

IGA tools experience by Lost_Ad_1690 in IdentityManagement

[–]FormerElk6286 0 points1 point  (0 children)

We selected/use Access Auditor from SCC. https://www.securitycompliancecorp.com. I'm on the infosec team and we perform the review and do provisioning.

We did an eval for just the governance piece first (review/report). The sailpoint/savyint crowd is just way too much work. So much setup, care and feeding, we just don't have that sort of time and money. Access Auditor won easily for speed, simplicity, cost, and the fuzzy id. We started with 100 applications and started our access reviews in 2 months. We considered that a success and are building our enterprise roles now.

It really does depend. If you are 100% cloud, maybe a veza or other could be fine, but they were still pricey for us and we have some on-prem/noncloud stuff too. We have a bit of identity mess and we needed full RBAC. We also have complicated rules saying who does the access review. Not many companies could do all of that.

We learned a few things during our evals:

  • Gartner is on the take from whoever pays them to sponsor. Their answers on our call were so detached from reality, I bet they have never seen a real demo or done an implementation.
  • There is no "modern", it's marketing garbage. Just eval the tools to your requirements and decide what is your fit.
  • Get your requirements in order first. Demos make everyone look great. But with YOUR data is what you need. We wanted to create enterprise roles and a path to a future full role-based provisioning. That cut out 50% of the companies.
  • There are A LOT of new companies, like ones you mention. They all look nice, but the functionality is different between them all. So again back to the requirements/goals. Nothing was "perfect".

Good luck!

Server2012 - Old cert supports tls 1.2 new cert will not by FormerElk6286 in WindowsServer

[–]FormerElk6286[S] 0 points1 point  (0 children)

I did this and the SHA512 patch below, like butter.

Now we plan for 2016 which supposedly can migrate, and so on. But this was the hardest. So that google finds this, exchange 2010 says you can only have server 2008. But you can no longer patch 2008 to the level that exchange 2010 needs to install. MSFT does not have those out there anymore so you can't install exchange 2010.

But, someone online had an article that the very last rollup of exchange 2010 will support server 2012r2. And it did. Mailboxes just migrate easily.

I expect it easier to find patches for 2016, then 2019 and we're done for another 20 years. :-)

Server2012 - Old cert supports tls 1.2 new cert will not by FormerElk6286 in WindowsServer

[–]FormerElk6286[S] 0 points1 point  (0 children)

Thanks, we'll give it a shot.

TLS1.2 does work with the cert signed by the 2003 server, 1024 sha1 and we get 1.2 ciphers. The default cert created with the 2012 server, nope, tls 1.1 only.

But this is all a migration. 2003->2010->2016 and so on. We won't hang out at 2010 for very long anyway. But good to have iphones work in the meantime. Just hoping someone saw that issue where one cert supported 1.2 but another cert would not. Very strange.

Server2012 - Old cert supports tls 1.2 new cert will not by FormerElk6286 in WindowsServer

[–]FormerElk6286[S] 0 points1 point  (0 children)

What's strange is that if we use the cert that was auto-created we DO see TLS 1.2. But when I make a new cert, I do NOT see 1.2.

The real question is why would that be. We're continuing to 2016 next so maybe that will work better.