MARCH 2023
In a world where 20% of security breaches happen as a result of weak or stolen credentials, identity and access management professionals aim to strengthen security and compliance without creating hurdles to business growth or user experience.1 The Microsoft Entra family of products helps organizations strengthen security posture while also eliminating complexity and extra costs by simplifying and modernizing the IAM technology stack, shortening product development timelines, and improving user productivity.
Microsoft Entra brings together identity and access solutions into a comprehensive product family for multicloud environments. Microsoft Entra helps organizations protect access to any app or resource for any user or workload, verify and secure every identity and every access request, discover permissions and govern access, and simplify user experience with intelligent real-time access controls all in one place. This study focuses on three products from the Microsoft Entra family: Azure Active Directory (Azure AD), Microsoft Entra Permissions Management, and Microsoft Entra Verified ID.
Microsoft commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying products within the Microsoft Entra portfolio.2 The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of Microsoft Entra on their organizations.
To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed 10 representatives of eight organizations with experience using Azure AD, Microsoft Entra Permissions Management, and Microsoft Entra Verified ID. For the purposes of this study, Forrester aggregated the interviewees’ experiences and combined the results into a single composite organization with 10,000 employees and 10 identity and access management (IAM) professionals.
These interviewees noted that prior to using Microsoft Entra, their organizations used on-premises Active Directory and various identity federation systems for legacy applications plus several different cloud-based identity solutions for software-as-a-service (SaaS) and line-of-business apps. In this complex environment, it was not easy for the organizations to provide the level of security and regulatory compliance they sought to achieve. It was also expensive to maintain and manage the disparate IAM tools, and end users craved more consistent and streamlined authentication experiences.
After the investment in Microsoft Entra, the interviewees’ organizations strengthened their security postures, reduced complexity and cost of IAM technologies and infrastructures, empowered developers to build new products faster, and improved end-user and partner experiences.
Consulting Team: Julia Fadzeyeva, Claudia Heaney
Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:
Moving from on-premises identity federation systems like Active Directory Federation Services (AD FS) and a combination of several IAM point-solutions to Microsoft Entra allows the composite organization to eliminate infrastructure and associated management effort, and it significantly lowers its software license costs.
The composite organization relies on several Microsoft Entra products to streamline onboarding, provisioning, and offboarding, to reduce manual effort required for compliance-related data collection and management, and to automate multicloud permissions management. This frees its dedicated IAM team to focus on more strategic business objectives.
By securing all applications and identities with Azure AD, the composite organization improves visibility, implements more granular risk-based policies, and ensures protection against phishing, credential stuffing, and other malicious techniques that exploit compromised user credentials. With Microsoft Entra Permissions Management, the organization also rightsizes unused and excessive permissions and automates on-demand, time-bound privilege escalations to further reduce security risks.
Previously, when the composite’s developers requested new permissions, their projects could be interrupted by an average of two days while they waited for access. With Microsoft Entra Permissions Management, they receive access within hours, which saves them time and helps keep development projects on schedule.
By enabling self-service password resets, the composite organization empowers users to reset their own passwords. This aligns the experience to user expectations and significantly reduces the number of password reset requests submitted to the help desk.
The composite considers more time available to get work done as a proxy for improved business outcomes because the value someone adds should be at least equal to what they are paid.
Unquantified benefits. Benefits that provide value for the composite organization but are not quantified in this study include:
All interviewees said that working with fewer vendors is easier and that Microsoft provides very good customer service and support.
Several interviewees’ organizations operate in highly regulated markets, and moving to the cloud with Microsoft Entra helped them adhere to their industries’ requirements.
Several of the interviewees’ organizations use Microsoft Entra to securely interact with partners, distributors, suppliers, or vendors without incurring the costs and security risks of managing those peripheral identities.
Costs. Three-year, risk-adjusted PV costs for the composite organization include:
The composite organization pays license costs based on the number of Azure AD users per month and the number of resources per cloud that use Permissions Management.
The internal efforts associated with the composite’s Microsoft Entra investment include a six-month initial rollout, app integration, training for the IAM team, and ongoing management of the Entra product family and relevant projects.
The representative interviews and financial analysis found that a composite organization experiences benefits of $12.14 million over three years versus costs of $3.57 million, adding up to a net present value (NPV) of $8.57 million and an ROI of 240%.
The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that Microsoft Entra can have on an organization.
Forrester Consulting conducted an online survey of 351 cybersecurity leaders at global enterprises in the US, the UK, Canada, Germany, and Australia. Survey participants included managers, directors, VPs, and C-level executives who are responsible for cybersecurity decision-making, operations, and reporting. Questions provided to the participants sought to evaluate leaders' cybersecurity strategies and any breaches that have occurred within their organizations. Respondents opted into the survey via a third-party research panel, which fielded the survey on behalf of Forrester in November 2020.
Interviewed Microsoft stakeholders and Forrester analysts to gather data relative to Microsoft Entra.
Interviewed 10 representatives at eight organizations using Microsoft Entra to obtain data with respect to costs, benefits, and risks.
Designed a composite organization based on characteristics of the interviewees’ organizations.
Constructed a financial model representative of the interviews using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees.
Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.
Readers should be aware of the following:
This study is commissioned by Microsoft and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.
Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in Microsoft Entra.
Microsoft reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.
Microsoft provided the customer names for the interviews but did not participate in the interviews.
Role | Industry | Region | Number of employees |
---|---|---|---|
Director of solutions architecture | Insurance | HQ: Europe; Operations: Global | 55,000 |
Identity and access team lead | Software | HQ: US; Operations: Global | 3,000 |
Principal IT engineer | Semiconductor | HQ: US; Operations: Global | 45,000 |
Senior security engineer | Software | HQ: US; Operations: Global | 25,000 |
Head of enterprise security architecture | Insurance | HQ: US; Operations: Global | 95,000 |
Senior IT system engineer | Manufacturing | HQ: Europe; Operations: Europe | 12,000 |
Co-founder and chief technology officer; Founder and chief executive officer | Security | HQ: Canada; Operations: Canada | <50 |
Senior manager for productivity services and networking automations; Senior solutions architect, identity and access management space | Software | HQ: US; Operations: Global | 13,000 |
Before adopting Microsoft Entra, interviewees’ organizations managed identity and access with multiple point solutions. The complexity of managing and integrating multiple tools resulted in inefficient use of both financial and labor resources.
The interviewees noted how their organizations struggled with common challenges, including:
Attacks targeting weak credentials for employees or partner third parties became more frequent and complex over time, and interviewees said that meeting these threats required modern tools that are well-integrated with each other. A director of solutions architecture at an insurance company said, “A lot of the businesses we are in are strictly regulated and we have to have these kinds of controls in place.”
The director of solutions architecture – whose insurance organization holds a Microsoft 365 E5 license – told Forrester: “In the past, a lot of folks have gone out and bought tools with comparable capabilities at the highest price point. We wanted to reevaluate and try to leverage more of the Microsoft tools to get a return on investment.” In addition to controlling license costs, interviewees indicated that setting and managing their organizations’ prior point solutions required significant effort.
Interviewees recognized the need for IT and IAM teams to enable business growth and contribute to employee productivity rather than create interruptions, delays, and frustration. Their organizations’ legacy on-premises identity and access management solutions made it too difficult for employees to maintain their working flows and stay productive.
The interviewees’ organizations searched for a solution that could:
Strengthen security through modern authentication capabilities that could offer strong protection against credential-related attacks.
Improve regulatory compliance.
Reduce costs through license rationalization.
Reduce the level of effort of managing IAM tools and infrastructure without significant additional training.
Based on the interviews, Forrester constructed a TEI framework, a composite company, and an ROI analysis that illustrates the areas financially affected. The composite organization is representative of the 10 interviewees, and it is used to present the aggregate financial analysis in the next section.
The composite organization is a global, business-to-business (B2B) organization with 10,000 full-time employees. It employs 10 IAM professionals who interact with Microsoft Entra solutions on a regular basis.
Before implementing Microsoft Entra, the composite organization had several IAM solutions in place that supported a core set of applications based on nonmodern authentication methods. Users needed to remember multiple credentials, IT had very little visibility into who accessed applications, and there were no self-service capabilities enabled for IAM issues. With multiple solutions not seamlessly integrated, the organization was concerned about security gaps and heightened risks.
The composite organization enables single sign-on (SSO), requires multifactor authentication (MFA) for all applications and all users, and allows employees to access applications through managed mobile devices, desktops, or laptops. The IT team integrates security logs with the enterprise security information and event management (SIEM) solution to improve visibility and the SecOps team’s ability to investigate and remediate incidents.
Ref. | Benefits | Year 1 | Year 2 | Year 3 | Total | Present Value |
---|---|---|---|---|---|---|
Atr | Vendor consolidation and identity modernization | $866,250 | $832,500 | $810,000 | $2,508,750 | $2,084,082 |
Btr | Identity team efficiency gains | $675,000 | $1,377,000 | $2,079,000 | $4,131,000 | $3,313,636 |
Ctr | Improved security posture | $505,130 | $673,506 | $673,506 | $1,852,142 | $1,521,840 |
Dtr | Improved development velocity | $0 | $584,640 | $584,640 | $1,169,280 | $922,422 |
Etr | Improved help desk efficiency from reduced password resets | $101,250 | $101,250 | $101,250 | $303,750 | $251,794 |
Ftr | End-user productivity improvement | $1,280,000 | $1,600,000 | $2,080,000 | $4,960,000 | $4,048,685 |
Total benefits (risk-adjusted) | | $3,427,630 | $5,168,896 | $6,328,396 | $14,924,922 | $12,142,459 |
Interviewees’ organizations looked to reduce the cost and complexity of their IAM infrastructures, which (in the prior states) typically included a legacy on-premises presence and SaaS-based point solutions. With Microsoft Entra, interviewees’ organizations could sunset their legacy IAM infrastructures including the physical and proxy servers as well as previous identity-as-a-service (IDaaS) solutions because Azure AD now manages and secures authentication for all applications including non-Microsoft apps. Moving from a point-solution-integration approach to Microsoft Entra lowered license costs for interviewees’ organizations. For those that already had Microsoft 365 E5 licenses, the savings were often significant if considered a sunk cost for the business case. Interviewees shared the following examples of how their organizations reduced license costs:
For the composite organization, Forrester assumes:
The following factors may affect the magnitude of this benefit and are reflected in the risk-adjustment percentage:
To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $2.1 million.
Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
---|---|---|---|---|---|
A1 | License fees for legacy IAM tools | Interviews | $750,000 | $750,000 | $750,000 |
A2 | Number of IAM machines sunset as a result of Azure AD investment | Interviews | 5 | 2 | 0 |
A3 | Cost per machine | Composite | $12,500 | $12,500 | $12,500 |
A4 | Number of FTEs who manage IAM-related infrastructure | Composite | 1 | 1 | 1 |
A5 | Fully burdened annual salary of an IAM FTE | Composite | $150,000 | $150,000 | $150,000 |
At | Vendor consolidation and identity modernization | A1+A2*A3+A4*A5 | $962,500 | $925,000 | $900,000 |
Risk adjustment | ↓10% | | | | |
Atr | Vendor consolidation and identity modernization (risk-adjusted) | | $866,250 | $832,500 | $810,000 |

Three-year total: $2,508,750. Three-year present value: $2,084,082.
Interviewees said their organizations spent a significant amount of resources on management and maintenance of their previous IAM solutions, and that this left little time for projects that could further strengthen security postures or improve user experiences. In addition to managing IAM solutions, the organizations also struggled to manage permissions for their multicloud environments. The head of enterprise security architecture at an insurance company said, “Previously it was a dump of who was using what permissions, and it was up to the manager to decide whether it was good or bad.”
By migrating to Azure AD, the organizations were able to leverage the benefits of a modern and comprehensive cloud solution, which freed time for their dedicated IAM teams to focus on adding value to the businesses, and even reallocating some workers to other teams that needed additional resources.
For the composite organization, Forrester assumes:
The following factors may affect the magnitude of this benefit and are reflected in the risk-adjustment percentage:
To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV of $3.3 million.
Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
---|---|---|---|---|---|
B1 | IAM team members with previous IAM solution | Composite | 10 | 10 | 10 |
B2 | Reduction in effort for onboarding/offboarding and provisioning (FTEs) | Interviews | 3 | 3 | 3 |
B3 | Reduction in effort for managing previous IAM solution (FTEs) | Interviews | 1 | 1 | 1 |
B4 | Reduction in compliance effort with previous IAM solution (FTEs) | Interviews | 1 | 1 | 1 |
B5 | Total reduction in effort for IAM team | (B2+B3+B4)/B1 | 50% | 50% | 50% |
B6 | Fully burdened annual salary of an IAM FTE | Composite | $150,000 | $150,000 | $150,000 |
B7 | Subtotal: Identity team efficiency gains | B1*B5*B6 | $750,000 | $750,000 | $750,000 |
B8 | External contractors required to run identity provisioning and permissions management | Composite | 5 | 5 | 5 |
B9 | Contractor hourly rate | TEI standard | $150 | $150 | $150 |
B10 | Contractor labor cost attributed to identity provisioning and permissions management | B8*B9*2,080 | $1,560,000 | $1,560,000 | $1,560,000 |
B11 | Reduction to contractor labor with Microsoft Permissions Management | Interviews | 0% | 50% | 100% |
B12 | Subtotal: Labor efficiency in identity provisioning and permissions management | B10*B11 | $0 | $780,000 | $1,560,000 |
Bt | Identity team efficiency gains | B7+B12 | $750,000 | $1,530,000 | $2,310,000 |
Risk adjustment | ↓10% | | | | |
Btr | Identity team efficiency gains (risk-adjusted) | | $675,000 | $1,377,000 | $2,079,000 |

Three-year total: $4,131,000. Three-year present value: $3,313,636.
Interviewees told Forrester that improving security posture was among the top drivers for their organizations’ investments in Microsoft Entra. According to Forrester research, 20% of external attacks are carried out with the use of weak or stolen credentials.3 Additionally, Microsoft research says it sees 1,287 password attacks every second (i.e., more than 111 million per day), and that in 2022, it saw 5.8 billion password breach replay attacks per month, 31 million phishing attacks per month, and 5 million password spray attacks per month.4
Interviewees said that by securing all applications with Azure AD, their organizations were able to improve visibility, implement granular risk-based policies to ensure that employees only had access to the applications that they need, and — through MFA — proactively protect against phishing, credential stuffing, and other techniques that exploit compromised user credentials.
Interviewees shared the following examples of how their organizations’ security postures improved:
For the composite organization, Forrester assumes:
The size of the benefit can vary based on:
To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV of $1.5 million.
Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
---|---|---|---|---|---|
C1 | Average annual number of material breaches before using Microsoft Entra | Forrester research | 3.1 | 3.1 | 3.1 |
C2 | Average cost of a breach | Interviews | $750,000 | $750,000 | $750,000 |
C3 | Reduced likelihood of a breach with Microsoft Entra | Interviews | 15% | 15% | 15% |
C4 | Subtotal: Reduced risk of a major security breach | C1*C2*C3 | $348,750 | $465,000 | $465,000 |
C5 | Total employees | Composite | 10,000 | 10,000 | 10,000 |
C6 | Average percent of employees impacted | Forrester research | 33% | 33% | 33% |
C7 | Average downtime per employee per breach (hours) | Forrester research | 4 | 4 | 4 |
C8 | Average fully burdened hourly rate of an employee | TEI standard | $40 | $40 | $40 |
C9 | Subtotal: Reduced employee downtime during a breach | C1*C3*C5*C6*C7*C8 | $245,520 | $327,360 | $327,360 |
Ct | Improved security posture | C4+C9 | $594,270 | $792,360 | $792,360 |
Risk adjustment | ↓15% | | | | |
Ctr | Improved security posture (risk-adjusted) | | $505,130 | $673,506 | $673,506 |

Three-year total: $1,852,142. Three-year present value: $1,521,840.
Developer experience as well as the balance between security and inefficiencies in the development process were top of mind for interviewees. They said that when their organizations tightened security components and obligated developers to request permissions every time they needed new access, this tended to have a negative impact on product-development speed. A developer’s work on a project could get interrupted by up to several days while the developer was waiting for access, and any project as a whole could get delayed by weeks or even months as those interruptions added up.
Security teams have a difficult task and are often viewed as a department that sets obstacles for the rest of the business, and changing this perception can be challenging. According to the interviewees, enabling Microsoft Entra Permissions Management was an “aha” moment because it produced a tangible improvement in security team members’ experiences as well.
For the composite organization, Forrester assumes:
The size of the benefit can vary based on:
To account for these risks and because developer productivity may be viewed as a softer benefit, Forrester adjusted this benefit downward by 20%, yielding a three-year, risk-adjusted total PV of $922,400.
Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
---|---|---|---|---|---|
D1 | Number of developers | Composite | 1,000 | 1,000 | 1,000 |
D2 | Percent of developers building for the cloud | Composite | 70% | 70% | 70% |
D3 | Number of times a developer makes a permission request | Composite | 25 | 25 | 25 |
D4 | Time needed to receive a permission with former permissions processes (hours) | Interviews | 16 | 16 | 16 |
D5 | Wait time eliminated with Microsoft Entra | Interviews | 0% | 90% | 90% |
D6 | Percent of developers’ productivity wasted by waiting for permission | Assumption | 10% | 10% | 10% |
D7 | Productivity recapture with Microsoft Entra | TEI standard | 50% | 50% | 50% |
D8 | Average fully burdened hourly rate of a developer | TEI standard | $58 | $58 | $58 |
Dt | Improved development velocity | D1*D2*D3*D4*D5*D6*D7*D8 | $0 | $730,800 | $730,800 |
Risk adjustment | ↓20% | | | | |
Dtr | Improved development velocity (risk-adjusted) | | $0 | $584,640 | $584,640 |

Three-year total: $1,169,280. Three-year present value: $922,422.
Interviewees said their organizations’ previous IAM solutions were not set up to support self-service password resets. Because of this, the organizations received thousands of requests per month to assist with password resets, and each of them was routed through the help desk. Each ticket represented a set amount of time for the help desk worker to resolve the issue, but it also meant that an end user was locked out of certain applications while the ticket was being resolved.
After deploying Azure AD, interviewees’ organizations could take advantage of the self-service capabilities for password resets and significantly reduced the number of password reset requests that made it to the help desk. This self-service capability also aligned better with end users’ expectations because self-service password resets are so prevalent in consumer-facing websites and applications.
For the composite organization, Forrester assumes:
The size of the benefit can vary based on:
To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV of $251,800.
Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
---|---|---|---|---|---|
E1 | Average number of password reset requests per month with previous IAM solution | Composite | 500 | 500 | 500 |
E2 | Reduction in password reset requests with Azure AD | Interviews | 75% | 75% | 75% |
E3 | Cost per request | Composite | $25 | $25 | $25 |
Et | Improved help desk efficiency from reduced password resets | E1*E2*E3*12 months | $112,500 | $112,500 | $112,500 |
Risk adjustment | ↓10% | | | | |
Etr | Improved help desk efficiency from reduced password resets (risk-adjusted) | | $101,250 | $101,250 | $101,250 |

Three-year total: $303,750. Three-year present value: $251,794.
In addition to enhancing security, all of the interviewees’ organizations were looking to improve their employee experiences. According to Forrester research from 2022, 60% of business and technology professionals indicated that improving the experience of employees was a key IT objective during the next 12 months.8 Relatedly, interviewees said that a primary goal for their organizations was to improve user experience (UX) by enabling SSO for all applications and from any device or location. Interviewees recognized that users who did not have to enter their credentials at every step were more productive and that a poor sign-on experience is not only frustrating for end users but also negatively impacts how the organizations perceive their IT and identity teams.
For the composite organization, Forrester assumes:
The size of the benefit can vary based on:
To account for these risks, Forrester adjusted this benefit downward by 20%, yielding a three-year, risk-adjusted total PV of $4.0 million.
Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
---|---|---|---|---|---|
F1 | Total employees | Composite | 10,000 | 10,000 | 10,000 |
F2 | Time saved per week using Azure AD (minutes) | Interviews | 10 | 12 | 15 |
F3 | Hours saved per user per year (rounded) | F2*50 weeks/60 minutes | 8 | 10 | 13 |
F4 | Average hourly salary for a user (rounded) | TEI standard | $40 | $40 | $40 |
F5 | Productivity capture | TEI standard | 50% | 50% | 50% |
Ft | End-user productivity improvement | F1*F3*F4*F5 | $1,600,000 | $2,000,000 | $2,600,000 |
Risk adjustment | ↓20% | | | | |
Ftr | End-user productivity improvement (risk-adjusted) | | $1,280,000 | $1,600,000 | $2,080,000 |

Three-year total: $4,960,000. Three-year present value: $4,048,685.
Interviewees mentioned but were not able to quantify the following additional benefits that their organizations experienced:
All interviewees said that working with fewer vendors was easier and that Microsoft provided very good customer service and support. This included co-engineering and support on new security-related initiatives.
Several interviewees’ organizations operate in highly regulated markets, and moving to the cloud with Microsoft Entra helped them adhere to their industries’ requirements. The director of solutions architecture at an insurance company said: “First, being compliant protects us from incurring penalties. Second, with Microsoft Entra, we no longer have to do it the old-school way of using other point solutions.”
Several of the interviewees’ organizations started using the External Identities capabilities in combination with other Microsoft Entra products such as Azure AD to help secure and manage customers and partners.
The identity and access team lead at a software company said that during the pandemic, their organization was able to quickly and securely onboard various partners. They said: “[Without Microsoft Entra,] we would have had to create nearly 2,000 identities and then figure out a way of relaying the credentials to them. But we did not have to do that because we could simply take their existing work [identities] powered by Azure AD and give them access to stuff that they needed access to.”
The principal IT engineer at a semiconductor company said that beyond the cost of resources and the ease of integrating third-party resources, using External Identities contributed to improved security. They said: “The nice thing about guest access or external identity management is that when the account gets terminated on their side, it just stops working on our side. Putting on my security hat for a minute, this represents a way to close a security gap. That’s a huge advantage from a security perspective.”
Forrester research says the use of verified digital identity is one of the top trends shaping identity and access management in 2022.9 Interviewees said their organizations have started to see the potential in relying on trusted digital identity for onboarding new employees, managing certifications, licenses, and password replacement or recovery for existing personnel, and even for managing software licenses for customers.
A co-founder and chief technology officer at a security organization told Forrester that recruiters carry a lot of liability. First, during hiring processes, employers incur the risk of trusting that new hires are indeed who they say they are. Then, there is a risk of storing their data in a way that is or is not compliant. And, finally, employers must ensure that an employee’s personal data is no longer stored at the end of their employment.
Microsoft Entra Verified ID partners with background check providers to verify a user’s identity once so they can use it anywhere. This reduces the need for employers to store user data. The co-founder and chief technology officer at the security organization elaborated on this benefit: “If you leave my organization, you get to keep your wallet, and the employer or the recruiter does not have to worry about any of the liability.”
A senior solutions architect in the identity and access management space at a software organization said their company tested Microsoft Entra Verified ID for onboarding new hires. They said: “We spend a lot of time and money working with different third parties for background checks. Once that process is done, we manually onboard new hires. The way [new hires] are providing their passports, their visas, and their work authorizations happens outside of Azure AD because [they’re] not onboarded yet, and that is not as robust and secure as [we] would want it to be.”
The same interviewee elaborated that relying on Microsoft Entra Verified ID in the future would allow their organization to significantly reduce the costs of working with third parties for background checks, and also reassign several FTEs dedicated to managing background checks and vendors.
Moreover, their organization projected shortening the hiring and onboarding processes and making employees available and ready for work sooner and at scale, if needed. The senior manager for productivity services and networking automations at the company said: “Adding more people manually is inefficient, may leave room for errors, and [may] cause some unwanted security incidents. Verified ID is helping us do this right and at scale.”
For the composite organization, Forrester assumes:
This yields a three-year projected PV ranging from $321,500 (low) to $369,300 (high).
Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
---|---|---|---|---|---|
P1 | Number of FTEs managing background checks | Composite | 2 | 2 | 2 |
P2 | Reduction in effort managing background checks with Microsoft Entra Verified ID | Composite | 15% | 60% | 90% |
P3 | HR FTE fully burdened annual salary | Composite | $78,000 | $78,000 | $78,000 |
P4 | Productivity recapture | TEI standard | 50% | 50% | 50% |
P5 | Subtotal: Reduction in background check management | P1*P2*P3*P4 | $11,700 | $46,800 | $70,200 |
P6 | Total employees | Composite | 10,000 | 10,000 | 10,000 |
P7 | Average turnover rate | Composite | 30% | 30% | 30% |
P8 | Number of employees hired to compensate for turnover | P6*P7 | 3,000 | 3,000 | 3,000 |
P9 | Average background check cost (fee paid to an external vendor) | Composite | $50 | $50 | $50 |
P10LOW | Percent of background checks eliminated with Microsoft Entra Verified ID | Interviews | 10% | 50% | 90% |
P10MID | Percent of background checks eliminated with Microsoft Entra Verified ID | Interviews | 15% | 60% | 92% |
P10HIGH | Percent of background checks eliminated with Microsoft Entra Verified ID | Interviews | 20% | 70% | 95% |
P11LOW | Subtotal: Vendor cost savings from reduction in background checks with Microsoft Entra Verified ID | P8*P9*P10 | $15,000 | $75,000 | $135,000 |
P11MID | Subtotal: Vendor cost savings from reduction in background checks with Microsoft Entra Verified ID | P8*P9*P10 | $22,500 | $90,000 | $138,000 |
P11HIGH | Subtotal: Vendor cost savings from reduction in background checks with Microsoft Entra Verified ID | P8*P9*P10 | $30,000 | $105,000 | $142,500 |
PtLOW | Savings from reduction in background checks | P5+P11 | $26,700 | $121,800 | $205,200 |
PtMID | Savings from reduction in background checks | P5+P11 | $34,200 | $136,800 | $208,200 |
PtHIGH | Savings from reduction in background checks | P5+P11 | $41,700 | $151,800 | $212,700 |
Three-year total: $353,700 to $406,200 | Three-year present value: $321,545 to $369,273 |
Ref. | Costs | Initial | Year 1 | Year 2 | Year 3 | Total | Present Value |
---|---|---|---|---|---|---|---|
Gtr | Microsoft Entra license fees | $0 | $772,275 | $811,650 | $890,400 | $2,474,325 | $2,041,824 |
Htr | Internal effort | $428,340 | $496,584 | $414,084 | $414,084 | $1,753,092 | $1,533,106 |
 | Total costs (risk-adjusted) | $428,340 | $1,268,859 | $1,225,734 | $1,304,484 | $4,227,417 | $3,574,930 |
Most interviewees’ organizations already held an enterprise license for Microsoft M365 E5 that included access to Azure AD Premium P2, and Microsoft Entra Verified ID is currently available for free. Additional charges apply for Microsoft Entra Permissions Management and are defined by the number of connected cloud resources. Even though interviewees said that Azure AD came at no extra cost to their organizations, Forrester assigned a per-year licensing for the purposes of cost and benefit analysis.
For the composite organization, Forrester assumes:
The size of this cost could vary based on:
To account for these risks, Forrester adjusted this cost upward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $2.0 million.
Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 |
---|---|---|---|---|---|---|
G1 | Subtotal: Azure AD P2 cost with M365 E5 license | Microsoft | $0 | $648,000 | $648,000 | $648,000 |
G2 | Number of resources for Microsoft Entra Permissions Management | Composite | 0 | 700 | 1,000 | 1,600 |
G3 | Microsoft Entra Permissions Management cost per resource per year | Microsoft | $0 | $125 | $125 | $125 |
G4 | Subtotal: Microsoft Entra Permissions Management subscription (per resource) | G2*G3 | $0 | $87,500 | $125,000 | $200,000 |
Gt | Microsoft Entra license fees | G1+G4 | $0 | $735,500 | $773,000 | $848,000 |
 | Risk adjustment | ↑5% | | | | |
Gtr | Microsoft Entra license fees (risk-adjusted) | | $0 | $772,275 | $811,650 | $890,400 |
Three-year total: $2,474,325 | Three-year present value: $2,041,824 |
Interviewees’ organizations took a staggered approach to the rollout of Azure AD by incrementally onboarding more applications and users. Following the initial implementations, the organizations focused on building automations and defining new workflows. When Microsoft Entra Permissions Management became available, several of the organizations dedicated additional resources to testing and implementing the new product.
Interviewees said the transition to Microsoft Entra was smooth for end users and that their organizations did not need to provide significant training or change management to ensure adoption. The director of solutions architecture for an insurance company said, “For end users, we just sent an email and some how-to [guidance that explained] what was coming.”
For the composite organization, Forrester assumes:
The size of this cost could vary based on:
To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV of $1.5 million.
Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 |
---|---|---|---|---|---|---|
H1 | Number of FTEs involved in testing and deployment of Microsoft Entra | Composite | 3 | 2 | 0 | 0 |
H2 | Implementation time (months) | Composite | 6 | 3 | 0 | 0 |
H3 | Number of FTEs involved in app integration during implementation | Composite | 2 | 0 | 0 | 0 |
H4 | Number of FTEs involved in app integration | Composite | 0 | 1 | 1 | 1 |
H5 | Percent of time dedicated to app integrations | Composite | 0% | 50% | 50% | 50% |
H6 | Fully burdened IAM team salary | TEI standard | $150,000 | $150,000 | $150,000 | $150,000 |
H7 | Subtotal: Implementation and app integration cost | H1*H2*(H6/12)+H3*H2*(H6/12)+H4*H5*H6 | $375,000 | $150,000 | $75,000 | $75,000 |
H8 | Ongoing solution management | 2 FTEs*H6 | $0 | $300,000 | $300,000 | $300,000 |
H9 | Training | Initial: 10 FTEs*20 hours*$72; Years 1 to 3: 10 FTEs*2 hours*$72 | $14,400 | $1,440 | $1,440 | $1,440 |
Ht | Internal effort | H7+H8+H9 | $389,400 | $451,440 | $376,440 | $376,440 |
 | Risk adjustment | ↑10% | | | | |
Htr | Internal effort (risk-adjusted) | | $428,340 | $496,584 | $414,084 | $414,084 |
Three-year total: $1,753,092 | Three-year present value: $1,533,106 |
These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.
 | Initial | Year 1 | Year 2 | Year 3 | Total | Present Value |
---|---|---|---|---|---|---|
Total costs | ($428,340) | ($1,268,859) | ($1,225,734) | ($1,304,484) | ($4,227,417) | ($3,574,930) |
Total benefits | $0 | $3,427,630 | $5,168,896 | $6,328,396 | $14,924,922 | $12,142,459 |
Net benefits | ($428,340) | $2,158,771 | $3,943,162 | $5,023,912 | $10,697,505 | $8,567,529 |
ROI | 240% |
Payback | <6 months |
The financial results calculated in the Benefits and Costs sections can be used to determine the ROI, NPV, and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.
Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists vendors in communicating the value proposition of their products and services to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of IT initiatives to both senior management and other key business stakeholders.
Benefits represent the value delivered to the business by the product. The TEI methodology places equal weight on the measure of benefits and the measure of costs, allowing for a full examination of the effect of the technology on the entire organization.
Costs consider all expenses necessary to deliver the proposed value, or benefits, of the product. The cost category within TEI captures incremental costs over the existing environment for ongoing costs associated with the solution.
Flexibility represents the strategic value that can be obtained for some future additional investment building on top of the initial investment already made. Having the ability to capture that benefit has a PV that can be estimated.
Risks measure the uncertainty of benefit and cost estimates given: 1) the likelihood that estimates will meet original projections and 2) the likelihood that estimates will be tracked over time. TEI risk factors are based on “triangular distribution.”
The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. PV calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.
1 Source: Forrester Consulting Cost Of A Cybersecurity Breach Survey, Q1 2021.
2 Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists vendors in communicating the value proposition of their products and services to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of IT initiatives to both senior management and other key business stakeholders.
3 Source: Forrester Consulting Cost Of A Cybersecurity Breach Survey, Q1 2021.
4 Source: Joy Chik, “Microsoft Entra: 5 identity priorities for 2023,” Microsoft, January 9, 2023.
5 Source: “The Current State Of Enterprise Passwordless Adoption,” Forrester Research, Inc., January 19, 2022.
6 Source: “2022 Data Breach Investigations Report,” Verizon, 2022.
7 Source: Forrester Consulting Cost Of A Cybersecurity Breach Survey, Q1 2021.
8 Source: Forrester’s Priorities Survey, 2022.
9 Source: “The Top Trends Shaping Identity And Access Management In 2022,” Forrester Research, Inc., October 17, 2022.