Jim, the ever-optimistic salesperson at Dunder Mifflin, starts his day by accessing various applications necessary for his work. In addition to the CRM, he relies on his email client and collaboration tools to connect with clients and colleagues, share updates on projects, and strategize for upcoming sales pitches and client meetings.
Previously, this process was cumbersome, with multiple passwords to remember and the occasional IT support call to reset his login credentials. However, thanks to the Dunder Mifflin IT team's implementation of Microsoft Entra ID as their Workforce Identity and Access Management (IAM) solution, Jim can now access all his applications seamlessly. By entering his Microsoft Entra ID credentials once in the morning, he gains quick and secure access to every tool he needs throughout the day. This streamlined experience not only saves Jim time but also reduces frustration, allowing him to focus on what he does best: selling paper.
While Workforce IAM solutions efficiently manage employee access, they do not address the complex access needs of customers. Dunder Mifflin's IAM system, powered by Microsoft Entra ID, allows employees to access various applications seamlessly through Single Sign-On (SSO) and Multi-Factor Authentication (MFA). However, the same IAM system may not fully support customer-facing features like sign-up, self-service account management, or personalized experiences. This is where Customer IAM comes into play.
Take, for example, the Sales CRM platform used by Dunder Mifflin. The Sales CRM product team needs to offer enhanced authentication and account creation experiences to meet the security requirements of organizations like Dunder Mifflin.
Workforce IAM and Customer IAM are both critical components of a comprehensive identity and access management strategy. Though they share core functionalities—such as authentication, authorization, and directory services—they serve distinct purposes for different user groups. In this article, we will delve deeper into Workforce and Customer IAM, exploring their unique features, benefits, and key differences.
Solving IT Challenges with Workforce IAM
Dunder Mifflin’s IT team is responsible for managing employee access to various applications, ensuring security across a diverse workforce that includes full-time employees, contractors, and temps. Let's explore how they can streamline this process with Workforce IAM solutions like Microsoft Entra ID.
Simplify Access with Centralized Single Sign-On (SSO)
At Dunder Mifflin, employees require access to different tools to perform their jobs effectively. However, managing separate logins for each application is a challenge, leading to security risks and password fatigue. Jim’s colleague, Dwight, has a habit of scribbling down passwords on paper, only to lose them. And Jim reuses the same password for all applications. Both habits are potential security vulnerabilities.
To tackle this, the IT team introduced Single Sign-On (SSO) using Microsoft Entra ID.
With SSO, employees only need to log in once to access all the necessary applications, making it easier for Jim to switch between the CRM, email, and other collaboration tools, all with a single click. The centralization of SSO not only enhances user convenience but also boosts security. The IT team at Dunder Mifflin spends less time resetting passwords or dealing with security incidents, so they can focus on more important tasks, like preventing database mishaps.
Enhancing usability with IdP-Initiated SSO
Dunder Mifflin took the employee experience up a notch by additionally implementing IdP-initiated SSO. This allows employees to log in through a centralized dashboard managed by Microsoft Entra ID. This dashboard provides a clean, user-friendly interface where employees see all their apps in one place, eliminating multiple logins.
For instance, when a new intern joins the sales team, IT can provision their access with just a few clicks through the admin dashboard. This efficient setup saves IT time and ensures new team members can quickly integrate into their roles.
Strengthening Security with Adaptive MFA
Dunder Mifflin didn't stop just at SSO—they added Adaptive Multi-Factor Authentication (MFA) to enhance security. MFA requires employees to verify their identity using multiple methods before gaining access to sensitive applications and data.
For example, when Jim’s colleagues, like Dwight or Pam, log into the company’s financial systems, they would be prompted to enter a code sent to their phone, adding an extra layer of protection.
Adaptive MFA adjusts security requirements based on the user’s behavior and context, such as their location or the device being used. Say Pam logs in from her office desktop: the system recognizes it as low-risk and grants access with just her password. However, if she tries logging in from an unfamiliar device, such as a coffee shop laptop, the system flags it as risky and prompts for an additional verification.
Automate Provisioning & Deprovisioning with User Management
Managing new hire onboarding and employee terminations (offboarding) can be time-consuming for IT and prone to human error. Workforce IAM solutions like Microsoft Entra ID streamline these processes through automated provisioning and deprovisioning, role assignments, and group membership updates. This automation ensures seamless transitions as employees join, move roles, or leave the organization.
For instance, when a new hire is added to the HR system (such as BambooHR or Workday), Workforce IAM automatically grants access to essential applications: an account in the Sales CRM is created, granting them permissions to CRM tools, sales pipelines, and customer databases, all without IT lifting a finger. This seamless onboarding allows new employees to hit the ground running from day one. Similarly, when Jim’s colleague, Ryan, rejoined Dunder Mifflin as a temp, Workforce IAM automatically provisioned his accounts and restored permissions instantly as if he never left.
Conversely, when a former manager, Michael Scott, left Dunder Mifflin for good, his access to all company applications was automatically revoked, ensuring that no ex-employees could retain access to sensitive company data. This automation reduces the workload on IT, allowing them to focus on strategic tasks, and minimizing the risks of manual errors during the account setup or removal. Additionally, Workforce IAM allows for the mapping of custom user attributes from the corporate directory, ensuring that employees have the appropriate access permissions aligned with their roles or departments.
With these capabilities, Workforce IAM solutions make managing access simpler, more secure, and much easier for IT teams. Now, let’s look at the other side of the coin. How does the Sales CRM application’s team leverage Customer IAM solutions to transform customer experiences for organizations like Dunder Mifflin?
Delivering Secure and Seamless Customer Experiences with Customer IAM
Let’s consider Sales CRM, the platform that businesses like Dunder Mifflin and Wonka Factory rely on to track leads, manage sales, and close deals. Beyond its core sales features, Sales CRM sets itself apart by leveraging Customer IAM to create a smooth authentication experience for businesses and bolster security. Let’s understand this better by diving into what Customer IAM does for businesses.
High Scalability
Customer IAM systems are built with a unique focus on scalability due to the nature of their user base, which includes potentially millions of external users, such as customers, partners, and end-users. Workforce IAM systems typically handle a relatively stable number of internal employees. But Customer IAM must support high volumes of traffic, variable usage patterns, and frequent spikes in user activity.
Secure Logins—Beyond Just Passwords
For enterprise businesses like Dunder Mifflin and Wonka Factory, accessing different applications securely is critical. However, password-based logins aren’t always sufficient. That’s where Customer IAM comes in—ensuring that users are verified while making it easy to access their accounts. Let’s explore some Customer IAM features that help Sales CRM maintain this balance between security and convenience.
Single Sign-On (SSO)
Sales CRM enhances the customer experience with SSO, enabling users to access multiple applications with a single set of credentials. With Customer IAM, Sales CRM supports a range of SSO capabilities to make authentication smooth and secure:
- Federated Identity allows users to log in with existing enterprise credentials from systems like Active Directory or LDAP. Once logged in, users can seamlessly access different applications without having to sign in again. For example, if you log into your Google account, you can access Google Drive, YouTube, and Gmail without signing in multiple times. This makes it easy for users to manage their accounts.
- Cross-Domain SSO keeps the experience seamless when an employee at Wonka Factory logs into Sales CRM from their desktop and later switches to the mobile app: they can move between devices without re-entering their credentials. This creates a consistent and smooth experience.
- Sales CRM uses industry-standard protocols like Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) to provide secure, scalable SSO across various platforms. This ensures interoperability and keeps user data safe, regardless of the access point.
Multi-Factor Authentication (MFA)
In today’s digital landscape, passwords alone can’t protect sensitive data. Multi-Factor Authentication (MFA) strengthens security by requiring multiple forms of verification:
- Something You Know: This could be a password or PIN.
- Something You Have: This could be a smartphone or security token that generates a one-time password (OTP).
- Something You Are: Biometric verification like fingerprints or facial recognition.
Imagine if Dwight, at Dunder Mifflin, accidentally shared his password in a phishing attack. Without MFA, an attacker could easily access the system. But with MFA, they’d still need a one-time code, keeping the data safe.
Even better? Sales CRM supports adaptive MFA, which adjusts security requirements dynamically based on behavior and context, providing a tailored security layer. For instance, if someone tries to log in from an unusual location, the system might require extra verification, making it harder for unauthorized access to happen.
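The adaptive MFA decision described here and in the earlier Pam example can be sketched as a small policy function. This is an added illustration, not code from Sales CRM, Microsoft Entra ID or Scalekit; the class names, reason strings and the "finance" app label are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Illustrative policy input (assumption): apps that always require a second factor.
SENSITIVE_APPS = {"finance"}

@dataclass
class Baseline:
    """What the system has previously seen for one user."""
    known_devices: set = field(default_factory=set)
    usual_locations: set = field(default_factory=set)

@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_id: str
    location: str
    app: str

def evaluate(baselines, attempt):
    """Return (decision, reasons) for a login whose password already verified."""
    reasons = []
    baseline = baselines.get(attempt.user)
    if baseline is None:
        # No history yet: fail toward more verification, not less.
        reasons.append("no_baseline")
    else:
        if attempt.device_id not in baseline.known_devices:
            reasons.append("unfamiliar_device")
        if attempt.location not in baseline.usual_locations:
            reasons.append("unusual_location")
    if attempt.app in SENSITIVE_APPS:
        reasons.append("sensitive_app")
    return ("step_up" if reasons else "password_only"), reasons

def record_verified_login(baselines, attempt):
    """Call only after the second factor succeeded, to build the baseline."""
    baseline = baselines.setdefault(attempt.user, Baseline())
    baseline.known_devices.add(attempt.device_id)
    baseline.usual_locations.add(attempt.location)

def sample_baselines():
    """Constructed sample data for the characters used in this article."""
    return {
        "pam": Baseline({"office-desktop"}, {"Scranton"}),
        "dwight": Baseline({"dwight-laptop"}, {"Scranton"}),
    }

if __name__ == "__main__":
    b = sample_baselines()
    print(evaluate(b, LoginAttempt("pam", "office-desktop", "Scranton", "crm")))
    print(evaluate(b, LoginAttempt("pam", "cafe-laptop", "Scranton", "crm")))
```

The reasons list is worth writing to the audit log alongside the decision, so that a later review can see why a step-up was or was not requested.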
Passwordless Authentication
Passwords can be a hassle to remember and manage, so passwordless authentication offers a user-friendly alternative. With this feature, users—such as employees at Dunder Mifflin’s client company—can log in using options like fingerprint scans or one-time codes, bypassing traditional passwords altogether. This not only improves security by eliminating weak or reused passwords but also enhances user experience by simplifying the login process.
Self-Service Account Management
Sales CRM takes customer convenience seriously, allowing its users to manage aspects of their accounts, including registration, password resets, and account recovery, without needing to contact support at the Sales CRM team.
For instance, if an Oompa Loompa at Wonka Factory forgets their password (probably too focused on chocolate-making), they can reset it independently using a secure link sent to their email. After resetting, they’re logged out from all devices, adding an extra layer of security by requiring reauthentication.
Similarly, when Pam at Dunder Mifflin updates her email, she can make the change directly through the self-service portal.
Streamlined Session Management
When a user, such as Jim from Dunder Mifflin, logs into the Sales CRM application, a session is created. Thanks to Customer IAM’s session management capabilities, Jim can switch between his laptop and mobile app without needing to log in again, maintaining a seamless experience. The “Keep me signed in” option allows users to stay logged in across sessions, while Customer IAM ensures session security by setting time limits on inactivity, or terminating a session that appears suspicious.
Admins can also benefit from session management as they can track user actions, such as logins and logouts, and respond proactively to unusual patterns, ensuring greater control over session security.
Scalable User Access Control
Customer IAM solutions streamline user access control by simplifying account creation and management. Here’s how Sales CRM leverages these features:
- Automated Provisioning: When a new employee joins Dunder Mifflin, their corporate directory (such as Microsoft Entra ID) automatically triggers a provisioning workflow. This creates an account in the Sales CRM and assigns the employee to relevant groups such as "Sales" or "Marketing", ensuring appropriate access based on their department and role.
- Automatic Deprovisioning: When an employee leaves, like when Michael Scott famously exited the company (hopefully without a "World’s Best Boss" mug in tow), Customer IAM automatically deprovisions their account, revoking all access to sensitive company data.
Fine-Grained Permission Settings
Authorization in Customer IAM ensures users have the appropriate access permissions to resources based on their roles and attributes. A common model is Role-Based Access Control (RBAC), where users get access to applications based on their roles. For instance, Jim might be able to access customer data in Sales CRM, but he may not have permission to delete it—that’s reserved for sales admins.
While RBAC is widely used, Customer IAM also supports other authorization models such as Attribute-Based Access Control (ABAC) and Relationship-Based Access Control (ReBAC). ABAC is an advanced authorization model that determines access rights based on various attributes, allowing for more granular access.
Additionally, admins can add new users, assign roles, adjust access permissions, or deactivate user accounts.
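The following added example (not code from Sales CRM or any IAM product) layers an ABAC check on top of the RBAC rule described above: the role decides which actions are possible, and attributes of the user and the record decide whether this particular request is allowed. The role names, permission strings, and the `org` and `legal_hold` attributes are assumptions made for the illustration.

```python
# Role -> permissions (RBAC). Anything not listed is denied by default.
ROLE_PERMISSIONS = {
    "sales_rep": {"customer:read"},
    "sales_admin": {"customer:read", "customer:delete"},
}

def rbac_allows(user, action):
    """True if any of the user's roles grants the action."""
    return any(action in ROLE_PERMISSIONS.get(role, set())
               for role in user.get("roles", []))

def abac_allows(user, action, resource):
    """Attribute checks that apply regardless of role."""
    org = user.get("org")
    # A missing org must never match a record that also lacks one.
    if not org or org != resource.get("org"):
        return False
    # Hypothetical resource attribute: held records cannot be deleted.
    if action == "customer:delete" and resource.get("legal_hold", False):
        return False
    return True

def is_allowed(user, action, resource):
    """Both layers must agree; either one can deny."""
    return rbac_allows(user, action) and abac_allows(user, action, resource)

# Constructed sample subjects and records.
JIM = {"name": "jim", "org": "dunder-mifflin", "roles": ["sales_rep"]}
DM_ADMIN = {"name": "dm-admin", "org": "dunder-mifflin", "roles": ["sales_admin"]}
WONKA_ADMIN = {"name": "wonka-admin", "org": "wonka-factory", "roles": ["sales_admin"]}
DM_RECORD = {"type": "customer", "org": "dunder-mifflin", "legal_hold": False}
HELD_RECORD = {"type": "customer", "org": "dunder-mifflin", "legal_hold": True}

if __name__ == "__main__":
    for who in (JIM, DM_ADMIN, WONKA_ADMIN):
        for action in ("customer:read", "customer:delete"):
            print(who["name"], action, is_allowed(who, action, DM_RECORD))
```

In a multi-tenant application such as the Sales CRM in this article, the organization match is the attribute check that keeps a Wonka Factory admin out of Dunder Mifflin's records even though the role itself permits deletion.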
Audit Logs
Audit logs are essential for tracking user activity within the system, such as user logins, create/edit/delete operations performed on data objects, access requests, and changes to user accounts. Audit logs help businesses detect suspicious activities and potential security breaches, and produce evidence during audits, demonstrating compliance with regulations such as GDPR or HIPAA. By analyzing these logs, organizations can detect unauthorized access attempts or unusual patterns of behavior, enabling them to respond proactively to threats.
For instance, if an account shows multiple failed login attempts from different locations, this activity could trigger an investigation into possible account compromise. Customer IAM’s comprehensive logging ensures that businesses have a clear record of all user activities, which can be essential for security audits and compliance documentation.
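As an added example (not part of the original article or any product's code), the check described above can be run over audit events as a sliding-window rule: flag an account when several failed logins arrive from more than one location within a short period. The JSON field names, the thresholds and the log lines are constructed for the illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (JSON lines). Field names are assumptions.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00+00:00", "user": "dwight", "event": "login_failed", "country": "US"}
{"ts": "2024-05-01T09:01:00+00:00", "user": "pam", "event": "login_failed", "country": "US"}
{"ts": "2024-05-01T09:02:00+00:00", "user": "dwight", "event": "login_failed", "country": "DE"}
{"ts": "2024-05-01T09:02:30+00:00", "user": "pam", "event": "login_failed", "country": "US"}
{"ts": "2024-05-01T09:03:00+00:00", "user": "pam", "event": "login_failed", "country": "US"}
{"ts": "2024-05-01T09:04:00+00:00", "user": "dwight", "event": "login_failed", "country": "BR"}
{"ts": "2024-05-01T09:05:00+00:00", "user": "pam", "event": "login_succeeded", "country": "US"}
{"ts": "2024-05-01T09:06:00+00:00", "user": "jim", "event": "login_failed", "country": "US"}
{"ts": "2024-05-01T09:40:00+00:00", "user": "jim", "event": "login_failed", "country": "FR"}
{"ts": "2024-05-01T09:41
"""

def parse_events(lines):
    """Yield (ts, user, event, country) tuples, skipping malformed lines."""
    for line in lines:
        try:
            rec = json.loads(line)
            yield (datetime.fromisoformat(rec["ts"]), rec["user"],
                   rec["event"], rec["country"])
        except (ValueError, KeyError, TypeError):
            continue  # truncated or non-conforming record

def detect(lines, min_failures=3, min_countries=2,
           window=timedelta(minutes=10)):
    """Flag users with many failed logins from several countries in a window."""
    recent = defaultdict(deque)   # user -> deque of (ts, country)
    alerts = {}
    for ts, user, event, country in sorted(parse_events(lines),
                                           key=lambda e: e[0]):
        if event != "login_failed":
            continue
        q = recent[user]
        q.append((ts, country))
        while ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        countries = sorted({c for _, c in q})
        if (user not in alerts and len(q) >= min_failures
                and len(countries) >= min_countries):
            alerts[user] = {"first_failure": q[0][0].isoformat(),
                            "failures": len(q), "countries": countries}
    return alerts

if __name__ == "__main__":
    for user, detail in detect(SAMPLE_LOG.splitlines()).items():
        print(user, detail)
```

On the sample data only `dwight` is flagged: `pam` fails three times from one country (a forgotten password), and `jim`'s two failures are too far apart to share a window.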
Admin Dashboard
The admin dashboard in a Customer IAM solution is a central hub for managing user access and enforcing security policies. Through this dashboard, admins can:
- easily add new users
- assign roles and permissions
- adjust and enforce security settings like MFA, password policies
- configure and enable SSO
The self-service portal empowers businesses like Dunder Mifflin to manage their users independently, reducing the dependencies on the support team at Sales CRM.
Developer-Friendly Tools
Customer IAM also comes with a suite of tools for developers, including SDKs, APIs, and pre-built widgets, allowing easy customization of their authentication and user management flows. Whether it’s adding a social login option for Wonka Factory or customizing SSO for Dunder Mifflin, developers have the flexibility to make Customer IAM work for their specific business needs.
Privacy Regulations
Customer IAM systems align closely with privacy regulations like GDPR, CCPA, and others. Further, they are built with data protection and user consent management in mind, helping companies meet regulatory standards.
For example, GDPR mandates that users have the right to access, modify, and delete their personal information. Customer IAM platforms provide self-service account management options that empower users to control their data, meeting these regulatory requirements seamlessly.
Key Differences Between Workforce IAM and Customer IAM
We’ve explored different use cases for both Workforce IAM and Customer IAM throughout this blog. Here’s a summary of the differences between the two:
Optimize Your IAM Strategy
Understanding the differences between Workforce IAM and Customer IAM is essential to optimizing your identity management strategy. Workforce IAM ensures that employees have the right access at the right time, boosting productivity and protecting sensitive internal data. In contrast, Customer IAM is critical for delivering smooth, secure customer experiences, safeguarding user information and supporting long-term growth by adapting to customers' needs.
In short, both Workforce IAM and Customer IAM play vital roles in building trust, enhancing security, and fostering stronger relationships—whether with employees or customers.
Ready to enhance your own identity management strategy?
Scalekit’s Customer IAM solution for B2B SaaS applications could be the perfect fit. Schedule a demo today and see how it can work for your business!