Digital Identity is Broken: How Entra External ID Fixes the Trust Gap


Identity used to revolve around corporate networks, managed devices, and centralized directories. But that model no longer works in a world where customers, partners, contractors, AI agents, and automated workflows constantly move across systems and organizations. In this episode, Mirko Peters explains why modern identity is no longer just a security problem — it has become a business growth, governance, and digital trust challenge.
The conversation explores the “death of the perimeter” and how traditional identity systems create friction through duplicate accounts, passwords, onboarding delays, and isolated identity silos. That friction impacts customer conversion, support costs, partner onboarding speed, and overall business agility.
Mirko breaks down the shift from account-centric identity to claim-centric identity, where organizations focus less on storing accounts and more on verifying trusted claims when needed. The episode explains how passkeys, verifiable credentials, and decentralized identity models are changing the future of authentication by making trust portable, secure, and policy-driven.
A major focus is Microsoft Entra External ID and Verified ID. Mirko explains how Entra External ID acts as the orchestration and governance layer for external identities, while Verified ID enables portable trust through verifiable credentials. Together, they help organizations modernize customer and partner identity without abandoning existing CIAM investments.
The episode also covers Azure AD B2C migration realities, governance challenges, digital sovereignty, lifecycle management, and the importance of balancing user control with enterprise policy enforcement.
If you work with Microsoft 365, Entra, Zero Trust, CIAM, or identity modernization, this episode provides a practical framework for understanding where digital identity is heading next and how organizations can reduce friction while improving trust and security.
You face new security challenges every day. The identity perimeter cannot keep pace with rapid cloud adoption, remote work, and sophisticated cyber threats. See the numbers:
- Over 200 zettabytes of data will be stored in the cloud by 2026.
- Remote workers average 5.8 remote days per month.
- 80% of organizations experienced a cloud security breach last year.
High-profile breaches show attackers exploit trust and excessive privileges:
- Credential compromise dominates, as seen in the Okta breach.
- Third-party risks escalate, highlighted by MOVEit Transfer vulnerabilities.
You need a flexible, claim-centric approach to protect your organization.
Key Takeaways
- The identity perimeter is outdated. Modern threats require a more dynamic security approach.
- Zero trust security means verifying every user and device. Trust must be earned continuously.
- Implement multi-factor authentication (MFA) to strengthen access controls and reduce risks.
- Adopt least privilege access to limit user permissions and minimize potential damage from breaches.
- Continuous monitoring is essential. It helps detect threats in real-time and improves response times.
- Regularly assess your security posture. Identify gaps and implement quick wins to enhance defenses.
- Use automated tools for identity and access management. They streamline processes and reduce human error.
- Involve all teams in security planning. Collaboration ensures comprehensive coverage of risks.
The Fall of the Identity Perimeter

Legacy Perimeter Security
You once relied on a security model that trusted everything inside your network. This approach assumed that users, devices, and applications within the perimeter were safe. The network edge acted as a barrier, separating trusted internal resources from untrusted external threats. You concentrated security at the boundaries, believing that a strong firewall and single authentication could protect your data.
| Legacy Assumptions | Modern Invalidations |
|---|---|
| Clear distinction between trusted and untrusted networks | The rise of cloud services and remote work has blurred these lines, making the distinction irrelevant. |
| Implicit trust for internal users | Attackers exploit internal trust, making it a liability rather than a security feature. |
| Security concentrated at network edges | Modern environments require security to be distributed across various platforms and devices. |
| Fixed office and owned servers | Business operations now depend on SaaS and public cloud, requiring a more dynamic security approach. |
| Single authentication for broad access | Zero Trust principles advocate for continuous verification and least-privilege access. |
You see that these assumptions no longer hold true. Remote work, cloud adoption, and mobile devices have erased the clear boundaries. Attackers target internal users and exploit implicit trust, making your old perimeter defenses ineffective.
Note: You must rethink trust. The perimeter is not a wall anymore. Trust must be earned and verified at every step.
Modern Threats and Attack Vectors
Attackers use new tactics to bypass your defenses. Phishing, ransomware, and supply chain attacks target your users and their credentials. You face threats that exploit human risk and external vulnerabilities. Business email compromise and ransomware dominate the headlines. In the table below, each figure is the share of cases of that incident type attributed to the named root cause, so the rows do not sum to 100%.
| Incident Type (Root Cause) | Share of Cases of That Type |
|---|---|
| Ransomware (External Exploit) | 33.2% |
| Intrusions (External Exploit) | 26.5% |
| Business Email Compromise (Human Risk) | 99.2% |
| Intrusions (Human Risk) | 23.9% |
| Ransomware (Human Risk) | 6.6% |
| BEC Cases with Phishing | 73.5% |

- 52% of organizations reported one or more breaches in 2024, an increase from 48% the previous year.
- 70% of organizations experienced at least one significant cyber attack in 2024, including ransomware and business email compromise.
- Ransomware was involved in 44% of breaches according to Verizon.
You see that attackers do not care about your network boundaries. They target your identity perimeter, using stolen credentials and social engineering to gain access. You must protect your users and their identities, not just your network.
Why Identity Became the New Perimeter
You shifted your focus to identity because attackers exploit credentials and trust relationships. Users often reuse passwords across platforms, making it easy for attackers to compromise multiple accounts. Large collections of leaked credentials are available online, enabling automated attacks. Weak authentication practices allow attackers to use valid credentials without detection.
| Evidence Type | Description |
|---|---|
| Widespread Credential Reuse | Users often reuse passwords across platforms, leading to increased risk when one service is compromised. |
| Availability of Credential Datasets | Large collections of leaked credentials are accessible, enabling automated account compromises. |
| Weak Authentication Practices | Environments relying solely on passwords are vulnerable, allowing attackers to use valid credentials without detection. |
You must verify every access request, regardless of where it comes from. Continuous verification and least privilege access are essential. You need dynamic policy enforcement that adapts to changing conditions. You cannot rely on static boundaries or implicit trust.
- Continuous verification ensures that every access request is authenticated and authorized.
- Least privilege limits permissions to reduce risks associated with overprivileged accounts.
- Dynamic policy enforcement adapts access decisions based on various contextual factors.
Regulations and industry standards push you to adopt stronger identity and data protection measures. The CFPB Rule 1033 mandates robust identity verification and data protection. Zero trust architecture and federal strategies require continuous verification and strict access controls.
| Regulation/Standard | Description | Impact on Security |
|---|---|---|
| CFPB Rule 1033 | Mandates consumer access to financial data, requiring robust identity verification and data protection. | Expands attack surfaces and necessitates sophisticated security measures. |
| Zero Trust Architecture | Emphasizes continuous verification and access controls. | Shifts focus from perimeter security to identity as the new perimeter. |
| Federal Zero Trust Strategy | Mandates U.S. federal agencies to implement Zero Trust principles. | Enforces stricter security goals like MFA and encryption. |
You must build trust through continuous verification and strong identity controls. The identity perimeter is not enough. You need a security model that adapts to modern threats and protects your data at every step.
Limitations of Identity-First Security
Credential Theft Risks
You may believe that strong authentication protects your organization, but attackers continue to find ways around these defenses. Credential theft remains a leading cause of security incidents. Attackers use phishing, malware, and social engineering to steal usernames and passwords. They often target privileged users who have access to sensitive data. Nearly 40% of breaches involve suspicious logins where attackers bypass multi-factor authentication. Stolen or compromised credentials account for 10% of all incidents. If you rely only on identity controls, you may miss these threats.
| Limitation | Description |
|---|---|
| MFA Bypass | Nearly 40% of breaches involved suspicious logins with MFA bypasses, highlighting vulnerabilities. |
| Token/Session Theft | Long-lived tokens can be hijacked, allowing unauthorized access that may bypass MFA entirely. |
| Gaps in Visibility | Incomplete log management delays detection of identity attacks, making response difficult. |
| Credential Theft | Lack of MFA for privileged users was the root cause of 13% of reported data breaches. |
| OAuth Abuse | Consent-phished or over-scoped OAuth applications hold API tokens that never pass through interactive login or MFA, so unreviewed app grants and unchecked API requests become a durable attack surface. |
You must recognize that attackers do not always need to break in. They often log in using valid credentials. Without continuous verification, you cannot guarantee that every access request comes from a trusted user.
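The token and session theft row above is where most "identity-first" deployments are weakest: a long-lived bearer token is a password that never rotates. The following added example (written for this page, not code from Microsoft or from the episode) shows a session store that re-evaluates every request rather than only the initial login: it binds the session to the client context it was issued to, rotates the bearer token on a short interval, enforces idle and absolute lifetimes, and demands a fresh MFA proof for sensitive actions. The lifetimes, the three-part client context and the fingerprinting scheme are assumptions chosen for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed policy values for this example; tune them to your own risk appetite.
ACCESS_TOKEN_TTL = 15 * 60      # rotate the bearer token every 15 minutes
IDLE_TIMEOUT = 30 * 60          # 30 minutes without activity: sign in again
ABSOLUTE_LIFETIME = 8 * 3600    # 8 hours maximum, however active the session is
STEP_UP_MAX_AGE = 5 * 60        # sensitive actions need an MFA proof < 5 min old

Context = Tuple[str, str, str]  # (client_ip, user_agent, tls_client_hash) - assumed inputs


def fingerprint(ctx: Context) -> str:
    """Bind a session to the client context it was issued to. A token copied out
    of the victim's browser and replayed from elsewhere will not match."""
    return hashlib.sha256("|".join(ctx).encode()).hexdigest()


@dataclass
class Session:
    user: str
    fp: str
    created: float
    last_seen: float
    token_issued: float
    mfa_at: float


@dataclass
class Decision:
    action: str                   # "allow", "step_up", "reauth" or "deny"
    reason: str
    token: Optional[str] = None   # rotated token the client must use from now on


class SessionStore:
    def __init__(self) -> None:
        self._by_token: Dict[str, Session] = {}

    def issue(self, user: str, ctx: Context, now: float) -> str:
        """Called after a successful MFA login; returns an opaque bearer token."""
        token = secrets.token_urlsafe(32)
        self._by_token[token] = Session(user, fingerprint(ctx), now, now, now, now)
        return token

    def revoke(self, token: str) -> None:
        self._by_token.pop(token, None)

    def record_mfa(self, token: str, now: float) -> None:
        """Call after the user passes a step-up challenge."""
        self._by_token[token].mfa_at = now

    def check(self, token: str, ctx: Context, now: float,
              sensitive: bool = False) -> Decision:
        """Re-evaluate the session on every request, not only at login."""
        s = self._by_token.get(token)
        if s is None:
            return Decision("deny", "unknown_or_revoked_token")
        # Assume breach: a context mismatch means the token was probably stolen,
        # so revoke the whole session instead of only refusing this request.
        if s.fp != fingerprint(ctx):
            self.revoke(token)
            return Decision("deny", "client_context_mismatch")
        if now - s.created > ABSOLUTE_LIFETIME:
            self.revoke(token)
            return Decision("reauth", "absolute_lifetime_exceeded")
        if now - s.last_seen > IDLE_TIMEOUT:
            self.revoke(token)
            return Decision("reauth", "idle_timeout")
        if sensitive and now - s.mfa_at > STEP_UP_MAX_AGE:
            return Decision("step_up", "mfa_proof_too_old_for_sensitive_action")
        s.last_seen = now
        new_token = None
        if now - s.token_issued > ACCESS_TOKEN_TTL:
            # Rotate: the old value stops working, so a copied token is only
            # useful to an attacker until the next rotation.
            self.revoke(token)
            new_token = secrets.token_urlsafe(32)
            s.token_issued = now
            self._by_token[new_token] = s
        return Decision("allow", "ok", new_token)
```

The context mismatch branch revokes the session rather than just denying the call: once you suspect a copied token, the legitimate user re-authenticating is far cheaper than an attacker retrying until a fingerprint collides.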
Lateral Movement and Implicit Trust
Once attackers gain access to one account, they often move laterally within your environment. Implicit trust in identity-first models allows authenticated users to access multiple resources without ongoing checks. Attackers exploit this trust to reach sensitive systems and data. If you do not verify each action, you give attackers a free pass to move deeper into your network. The traditional VPN model also creates risks. Users who connect through VPN often gain broad network access, which attackers can use to navigate freely after compromising an account.
You need to challenge the idea that authentication at the start of a session is enough. Zero trust models require you to verify every request, not just the initial login. This approach limits the damage attackers can do if they compromise one identity.
Gaps in Access Governance
You face more risks when you do not manage access properly. Weak, stolen, or reused credentials give attackers easy entry. Excessive or unmonitored entitlements allow privilege escalation. Policy misconfigurations and shadow IT create hidden gaps. Orphaned accounts and unmanaged entitlements remain open doors for attackers. Third-party vendors and contractors often connect with elevated privileges, increasing your exposure.
- Credential abuse: Attackers exploit weak or reused credentials.
- Privilege escalation: Unchecked entitlements let attackers gain more access.
- Policy misconfigurations: Overly permissive policies create vulnerabilities.
- Shadow IT: Unapproved apps and hidden accounts bypass governance.
- Orphaned accounts: Inactive accounts stay open and unmonitored.
- Identity sprawl: Too many accounts lead to confusion and risk.
- Limited visibility: You may not see high-risk accounts or activities.
You must close these gaps to build real trust in your environment. Strong access governance, continuous monitoring, and dynamic controls are essential. Identity alone cannot protect you from modern threats. You need a layered approach that includes zero trust principles to secure your organization.
Zero Trust: A New Security Paradigm

You need a security model that adapts to a cloud-first world. Zero trust gives you a way to protect your organization when traditional boundaries no longer exist. This approach does not rely on implicit trust. Instead, you must verify every user, device, and action. Zero trust helps you reduce risk and improve data protection by focusing on identity, access, and continuous monitoring.
Zero Trust Core Principles
Zero trust stands on three main pillars. You can use these principles to strengthen your defenses and close the gaps left by older models.
Never Trust, Always Verify
You cannot assume that any user or device is safe. Zero trust requires you to verify every access request, no matter where it comes from. You must check identity, device health, location, and risk signals before granting access. This principle helps you stop attackers who use stolen credentials or compromised devices.
Least Privilege Access
You should give users and systems only the access they need to do their jobs. Least privilege access limits the damage if an account gets compromised. You can use conditional access policies to enforce this rule. This approach supports data protection and reduces the risk of privilege escalation.
Continuous Verification
You must monitor activity all the time. Zero trust means you do not stop checking after the first login. You watch for unusual behavior, device changes, and risky actions. Continuous verification lets you detect threats early and respond quickly. This principle keeps your identity security strong and supports compliance with cybersecurity standards.
Tip: Use multi-factor authentication to add another layer of protection. This step makes it harder for attackers to use stolen credentials.
You can see how these principles align with leading cybersecurity frameworks:
- Identity management as a primary control point.
- Access control based on real-time risk and device compliance.
- Continuous monitoring to detect anomalies and ensure compliance.
Zero Trust Architecture in Practice
Zero trust architecture addresses the failures of both perimeter-based and identity-first security models. You do not rely on a single wall or just identity controls. Instead, you build layers of defense that adapt to modern threats.
| Principle | Description |
|---|---|
| Verify explicitly | Always authenticate and authorize based on all available data points (identity, device health, location, etc.). |
| Use least privilege access | Limit user and system access to the bare minimum required to perform a task. |
| Assume breach | Design your architecture with the expectation that a compromise will occur. |
You verify explicitly by checking every access request. You use least-privilege access to reduce risk. You assume breach, which means you plan for attackers to get in and limit what they can do. This approach works well in cloud-native architectures, where users and devices connect from anywhere.
Zero trust helps you protect data at every step. You do not trust anyone by default. You use identity as the foundation for access decisions. You monitor activity and respond to threats in real time. This model gives you better data protection and supports your move to the cloud.
You can build a stronger security posture by adopting zero trust. You reduce your attack surface and improve compliance. You gain visibility into who accesses your resources and why. Zero trust architecture prepares you for the challenges of a cloud-first world.
Transitioning Beyond the Identity Perimeter
Assessing Current Security Posture
You need to understand your current security strengths and weaknesses before you move forward. Start with a clear assessment. This process helps you see where attackers might find gaps and where you can build more trust in your defenses.
- Audit your cloud platforms for multi-factor authentication (MFA) adoption.
- Identify accounts with administrative privileges.
- Map out where your sensitive data lives.
- Document your current authentication methods.
After your assessment, look for quick wins. Enforce MFA on all admin accounts. Remove access for inactive users. Set up basic conditional access policies. Enable logging for authentication events to track suspicious activity.
For deeper protection, deploy MFA to all remaining accounts. Configure advanced conditional access rules. Use automated tools to monitor credentials. Schedule regular access reviews.
Keep your security posture strong with ongoing monitoring. Perform weekly checks for credential exposure. Review access monthly. Assess your security posture every quarter. Analyze authentication logs continuously.
Tip: Regular reviews help you spot risks early and build lasting trust in your environment.
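The assessment and quick-win steps above (MFA audit, privileged accounts, inactive users, access reviews) are easy to describe and easy to do badly by hand. The following added example, not code from the page or from Microsoft, runs that audit over a constructed directory export and produces the finding lists a first review would need, ordered by the quick wins the text recommends. The user records, field names, role names and the 90-day inactivity threshold are assumptions; a real run would feed it the users, role assignments and sign-in activity exported from your tenant.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed clock so the example is reproducible
INACTIVE_AFTER = timedelta(days=90)               # assumed inactivity threshold
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Security Administrator", "Exchange Administrator"}

# Constructed directory export (not from a real tenant). Field names mimic what an
# export of users, role assignments and last sign-in activity would contain.
USERS: List[dict] = [
    {"upn": "alice@contoso.example", "user_type": "Member", "enabled": True,
     "roles": ["Global Administrator"], "mfa_registered": True, "last_sign_in": "2025-05-30"},
    {"upn": "bob@contoso.example", "user_type": "Member", "enabled": True,
     "roles": ["Security Administrator"], "mfa_registered": False, "last_sign_in": "2025-05-28"},
    {"upn": "svc-legacy@contoso.example", "user_type": "Member", "enabled": True,
     "roles": ["Global Administrator"], "mfa_registered": False, "last_sign_in": "2024-11-02"},
    {"upn": "carol_vendor.example#EXT#@contoso.example", "user_type": "Guest", "enabled": True,
     "roles": [], "mfa_registered": True, "last_sign_in": "2025-01-10"},
    {"upn": "dave@contoso.example", "user_type": "Member", "enabled": True,
     "roles": [], "mfa_registered": True, "last_sign_in": "2025-05-31"},
    {"upn": "erin@contoso.example", "user_type": "Member", "enabled": True,
     "roles": [], "mfa_registered": False, "last_sign_in": None},
    {"upn": "frank@contoso.example", "user_type": "Member", "enabled": False,
     "roles": ["Global Administrator"], "mfa_registered": False, "last_sign_in": "2023-01-01"},
]


def _last_sign_in(user: dict) -> Optional[datetime]:
    raw = user["last_sign_in"]
    return datetime.fromisoformat(raw).replace(tzinfo=timezone.utc) if raw else None


def audit(users: List[dict], now: datetime = NOW) -> Dict[str, List[str]]:
    """Return finding lists in the order you would act on them: privileged
    accounts first, then inactive accounts, then the rest of the MFA rollout."""
    findings: Dict[str, List[str]] = {
        "admins_without_mfa": [],    # quick win 1: enforce MFA here today
        "inactive_privileged": [],   # a dormant admin is an attacker's favourite account
        "inactive_accounts": [],     # quick win 2: remove access for inactive users
        "stale_guests": [],          # external identities nobody reviewed
        "members_without_mfa": [],   # the remaining MFA rollout
    }
    for u in users:
        if not u["enabled"]:
            continue   # disabled accounts are out of scope for the access audit
        privileged = bool(PRIVILEGED_ROLES & set(u["roles"]))
        last = _last_sign_in(u)
        inactive = last is None or now - last > INACTIVE_AFTER   # never signed in counts as inactive
        if privileged and not u["mfa_registered"]:
            findings["admins_without_mfa"].append(u["upn"])
        if privileged and inactive:
            findings["inactive_privileged"].append(u["upn"])
        if inactive:
            findings["inactive_accounts"].append(u["upn"])
        if inactive and u["user_type"] == "Guest":
            findings["stale_guests"].append(u["upn"])
        if not privileged and not u["mfa_registered"] and u["user_type"] == "Member":
            findings["members_without_mfa"].append(u["upn"])
    return findings


def mfa_coverage(users: List[dict]) -> float:
    """Share of enabled accounts with MFA registered; one of the metrics to track over time."""
    enabled = [u for u in users if u["enabled"]]
    return sum(1 for u in enabled if u["mfa_registered"]) / len(enabled)
```

Run this weekly and diff the output: a privileged account that newly appears in `inactive_privileged` is a better alert than most dashboards produce.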
Strengthening Identity and Access Management
You can reduce risk by making your identity and access management (IAM) stronger. Use best practices to control who gets access and how long they keep it.
- Implement Just-In-Time (JIT) access to give users temporary permissions only when needed.
- Use passwordless authentication, such as biometrics or security tokens, to improve both security and user experience.
- Automate IAM workflows to cut down on mistakes and speed up user management.
- Adopt Federated Identity Management (FIM) so users can access multiple apps with one set of credentials.
- Make sure your IAM policies meet standards like SOC 2, ISO 27001, and PCI-DSS.
These steps help you limit unnecessary access and build more trust in your systems. You also make it easier for users to work securely.
Device Trust and Health Checks
You must ensure that only trusted devices connect to your resources. Device trust starts with identifying if a device is enrolled in your security infrastructure and has the right settings. Confirm the device’s authenticity using digital certificates or unique identifiers.
Check that each device meets your security standards. Look for up-to-date antivirus software and patched operating systems. Assess the risk level based on the device’s operating system and network connection.
Keep monitoring devices for vulnerabilities. Use continuous compliance checks to make sure devices follow your security policies. Set up conditional access controls that respond to real-time assessments of device security and user behavior.
- Continuously validate device security with regular assessments.
- Apply granular access policies based on user roles and device posture.
- Use Single Sign-On (SSO) and MFA for extra protection.
- Leverage context-aware signals for adaptive security decisions.
- Adopt zero trust security to verify every access request, ensuring no device or user is trusted by default.
By focusing on device trust and health, you close more gaps and make it harder for attackers to move through your environment.
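The three Zero Trust principles (verify explicitly, least privilege, assume breach) and the device posture checks described in this section come together in a policy decision point. The following added example, written for this page rather than taken from Entra or from the episode, models a small conditional-access style evaluator: each policy has conditions (group, app, sign-in risk, location) and grant controls (block, MFA, compliant device) plus a session control (sign-in frequency); all matching policies are combined with the strongest control winning, and only then is the app-level role check applied, because an authenticated user is not yet an authorized one. The policies, group names, apps, countries and permission map are constructed for illustration and are not a real tenant's configuration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    app: str
    action: str             # what the user wants to do in the app
    country: str
    device_managed: bool
    device_compliant: bool  # patched, encrypted, AV healthy, as reported by your MDM
    sign_in_risk: str       # "none", "low", "medium" or "high"
    mfa_satisfied: bool


@dataclass(frozen=True)
class Policy:
    """A conditional-access style rule: if the conditions match, every listed
    control must be satisfied before the sign-in is allowed."""
    name: str
    include_groups: FrozenSet[str] = frozenset()     # empty = all users
    include_apps: FrozenSet[str] = frozenset()       # empty = all apps
    risk_levels: FrozenSet[str] = frozenset()        # empty = any risk level
    trusted_countries: FrozenSet[str] = frozenset()  # if set, applies only OUTSIDE them
    require: FrozenSet[str] = frozenset()            # "block", "mfa", "compliant_device"
    sign_in_frequency_min: Optional[int] = None      # session control, in minutes

    def matches(self, r: Request) -> bool:
        if self.include_groups and not (self.include_groups & r.groups):
            return False
        if self.include_apps and r.app not in self.include_apps:
            return False
        if self.risk_levels and r.sign_in_risk not in self.risk_levels:
            return False
        if self.trusted_countries and r.country in self.trusted_countries:
            return False
        return True


@dataclass
class Decision:
    action: str          # "allow", "block", "require_compliant_device", "require_mfa", "forbidden"
    reasons: List[str]
    sign_in_frequency_min: Optional[int] = None


# Constructed policies and role grants for a fictional tenant.
POLICIES: List[Policy] = [
    Policy("Block high-risk sign-ins", risk_levels=frozenset({"high"}),
           require=frozenset({"block"})),
    Policy("Require MFA for all users", require=frozenset({"mfa"})),
    Policy("Design files only from compliant devices",
           include_apps=frozenset({"design-files"}),
           require=frozenset({"compliant_device"}), sign_in_frequency_min=60),
    Policy("Re-prove identity from untrusted countries",
           trusted_countries=frozenset({"DE", "US"}),
           require=frozenset({"mfa"}), sign_in_frequency_min=15),
    Policy("Contractors always need a compliant device",
           include_groups=frozenset({"contractors"}),
           require=frozenset({"compliant_device"})),
]

# Least privilege: (app, group) -> permitted actions. Authenticated is not authorized.
ROLE_PERMISSIONS: Dict[Tuple[str, str], Set[str]] = {
    ("design-files", "engineers"):   {"read", "write"},
    ("design-files", "contractors"): {"read"},
    ("hr-records", "hr"):            {"read", "write", "export"},
}


def evaluate(policies: List[Policy], r: Request) -> Decision:
    matched = [p for p in policies if p.matches(r)]
    reasons = [p.name for p in matched]
    required: Set[str] = set()
    for p in matched:
        required |= p.require
    # Verify explicitly: the strongest control across all matching policies wins.
    if "block" in required:
        return Decision("block", reasons)
    if "compliant_device" in required and not (r.device_managed and r.device_compliant):
        return Decision("require_compliant_device", reasons)
    if "mfa" in required and not r.mfa_satisfied:
        return Decision("require_mfa", reasons)
    allowed: Set[str] = set()
    for g in r.groups:
        allowed |= ROLE_PERMISSIONS.get((r.app, g), set())
    if r.action not in allowed:
        return Decision("forbidden", reasons + [f"no role grants '{r.action}' on {r.app}"])
    # Assume breach: the shortest sign-in frequency of any matching policy applies,
    # so a stolen session from a risky context expires soonest.
    freq = min((p.sign_in_frequency_min for p in matched
                if p.sign_in_frequency_min is not None), default=None)
    return Decision("allow", reasons, freq)
```

Note that the baseline "Require MFA for all users" policy has no conditions at all: with no matching policy the evaluator would fall straight through to the role check, so an unconditional baseline is what keeps the default from being "trust".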
Continuous Monitoring and Response
You cannot protect what you cannot see. Continuous monitoring gives you the visibility you need to spot threats as they happen. This approach means you watch your environment all the time, not just during scheduled audits or after an incident. You use automated tools to track user activity, device health, and access patterns. These tools alert you when something unusual occurs, such as a login from a new location or a sudden spike in data downloads.
With continuous monitoring, you identify risks as soon as they appear. You do not wait for attackers to finish their work. Instead, you catch anomalies and unauthorized access attempts before they escalate. This quick detection helps you respond faster and limit the damage. Automated response systems can block suspicious activity, isolate affected devices, or require users to re-authenticate. These actions reduce the time attackers spend in your environment, known as dwell time.
Tip: Shorter dwell time means less opportunity for attackers to steal data or move laterally within your network.
You also improve compliance by using continuous monitoring. Regulations and industry standards require you to track security controls and processes. Automated monitoring helps you stay aligned with these rules. You can quickly spot compliance gaps and fix them before they lead to penalties. Consistent tracking also makes audits easier and less stressful.
Here are some key benefits you gain from continuous monitoring and automated response:
- Real-time threat detection allows you to act immediately on vulnerabilities.
- Quick responses to risks minimize potential damage.
- Anomaly detection helps you catch unauthorized access before it becomes a bigger problem.
- Streamlined processes improve operational efficiency and reduce redundancies.
- Ongoing tracking ensures you meet industry regulations and standards.
- Faster identification of compliance gaps prevents costly penalties.
You should set up alerts for critical events, such as failed login attempts or changes to sensitive files. Use dashboards to visualize trends and spot patterns over time. Regularly review logs and reports to understand what normal activity looks like in your environment. This knowledge helps you recognize when something is wrong.
Automated response does not replace human judgment. You still need security teams to investigate alerts and make decisions. However, automation handles routine tasks and speeds up your reaction to threats. This combination of technology and human expertise gives you the best chance to protect your organization.
By adopting continuous monitoring and automated response, you build a proactive security posture. You do not just react to incidents—you prevent them from causing serious harm. This approach keeps your data safe, supports compliance, and strengthens trust in your systems.
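The alerts this section describes (a login from a new location, a burst of failed logins, automated re-authentication or blocking) are straightforward to express as detection logic over sign-in events. The following added example, not code from the page or from any product, runs four detections over a constructed batch of sign-in records: a failed-login burst, a success immediately after such a burst, a sign-in from a country never seen for that user, and two successes from different countries inside an hour (impossible travel). It then maps each alert to the automated response the text mentions. The event records, thresholds, baseline countries and response mapping are all assumptions for illustration.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sign-in events (not real logs); ts is seconds since an arbitrary start.
EVENTS: List[dict] = [
    {"ts": 0,    "user": "alice", "result": "success", "ip": "203.0.113.5",  "country": "DE"},
    {"ts": 100,  "user": "bob",   "result": "failure", "ip": "198.51.100.9", "country": "US"},
    {"ts": 110,  "user": "bob",   "result": "failure", "ip": "198.51.100.9", "country": "US"},
    {"ts": 120,  "user": "bob",   "result": "failure", "ip": "198.51.100.9", "country": "US"},
    {"ts": 130,  "user": "bob",   "result": "failure", "ip": "198.51.100.9", "country": "US"},
    {"ts": 140,  "user": "bob",   "result": "failure", "ip": "198.51.100.9", "country": "US"},
    {"ts": 150,  "user": "bob",   "result": "failure", "ip": "198.51.100.9", "country": "US"},
    {"ts": 160,  "user": "bob",   "result": "success", "ip": "198.51.100.9", "country": "US"},
    {"ts": 900,  "user": "alice", "result": "success", "ip": "192.0.2.77",   "country": "BR"},
    {"ts": 1000, "user": "carol", "result": "success", "ip": "203.0.113.8",  "country": "DE"},
]

# Baseline of countries each user has signed in from before (built from history in practice).
KNOWN_COUNTRIES: Dict[str, Set[str]] = {"alice": {"DE"}, "bob": {"US"}, "carol": {"DE"}}

FAIL_THRESHOLD = 5     # this many failures ...
FAIL_WINDOW = 300      # ... within 5 minutes is a burst
TRAVEL_WINDOW = 3600   # successes from two countries within an hour is impossible travel


def detect(events: List[dict], known: Dict[str, Set[str]]) -> List[dict]:
    """Single pass over time-ordered events, keeping per-user state only."""
    alerts: List[dict] = []
    failures: Dict[str, List[int]] = defaultdict(list)
    burst_alerted: Set[str] = set()                 # fire the burst alert once per burst
    last_success: Dict[str, Tuple[int, str]] = {}   # user -> (ts, country)
    for e in sorted(events, key=lambda x: x["ts"]):
        u, ts = e["user"], e["ts"]
        recent = [t for t in failures[u] if ts - t <= FAIL_WINDOW]
        if e["result"] == "failure":
            recent.append(ts)
            failures[u] = recent
            if len(recent) >= FAIL_THRESHOLD and u not in burst_alerted:
                burst_alerted.add(u)
                alerts.append({"type": "failed_login_burst", "user": u, "ts": ts,
                               "ip": e["ip"], "count": len(recent)})
            continue
        # A success right after a burst is the interesting event: the guessing worked.
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append({"type": "success_after_burst", "user": u, "ts": ts, "ip": e["ip"]})
        if e["country"] not in known.get(u, set()):
            alerts.append({"type": "new_country", "user": u, "ts": ts, "country": e["country"]})
        prev = last_success.get(u)
        if prev and prev[1] != e["country"] and ts - prev[0] <= TRAVEL_WINDOW:
            alerts.append({"type": "impossible_travel", "user": u, "ts": ts,
                           "from": prev[1], "to": e["country"], "minutes": (ts - prev[0]) // 60})
        last_success[u] = (ts, e["country"])
        failures[u] = []
        burst_alerted.discard(u)
    return alerts


def planned_response(alert: dict) -> str:
    """Automated first response per alert type; a human still reviews the case."""
    return {
        "failed_login_burst": f"rate-limit source {alert.get('ip')} and flag {alert['user']}",
        "success_after_burst": f"revoke all sessions for {alert['user']} and require re-authentication",
        "impossible_travel": f"revoke all sessions for {alert['user']} and require re-authentication",
        "new_country": f"require step-up MFA for {alert['user']} on next request",
    }[alert["type"]]
```

The state kept per user is tiny (recent failure timestamps and the last successful sign-in), which is what lets the same logic run continuously over a stream rather than only in a scheduled batch.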
Real-World Solutions and Case Studies
Microsoft Entra External ID Overview
You need a modern identity solution that adapts to your changing business needs. Microsoft Entra External ID gives you a claim-centric approach that goes beyond traditional identity management. You can connect multiple customer tenants to a single workforce Entra ID tenant. This flexibility lets you separate customer streams and manage identities with ease.
Entra External ID uses industry-standard protocols like OAuth 2.0, OpenID Connect, and SAML 2.0. These protocols keep your communication secure and reliable. You can manage external identities from different providers and customize user experiences to fit your brand. Entra External ID offers a predictable pricing model. You get the first 50,000 monthly active users free, which helps you control costs as you grow.
You can use native authentication libraries and Microsoft Graph API integration. These features make development easier and faster. You can create branded sign-up experiences and flexible authentication flows. Entra External ID gives you the tools to build a secure and user-friendly identity system.
- Flexibility to connect multiple customer tenants
- Secure infrastructure with industry-standard protocols
- Enhanced management of external identities
- Cost-effective pricing for large user bases
- Developer-friendly tools and APIs
- Customizable sign-up and authentication flows
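Entra External ID speaks OAuth 2.0 and OpenID Connect, and the security of a claim-centric integration rests on how the relying party handles that exchange: sending a PKCE-protected authorization request with state and nonce, and then refusing any ID token that is not for this client, from this issuer, for this login. The following added example, written for this page and not code from Microsoft, MSAL or the episode, shows both halves. The endpoint, issuer and client identifier are placeholder assumptions; in a real deployment you take them from the tenant's OpenID configuration document. Real Entra tokens are RS256-signed and must be verified against the tenant's published signing keys; this example signs with HS256 and a local key purely so that the verification path runs offline.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional
from urllib.parse import urlencode

# Assumed placeholder values for this example. Take the real endpoint and issuer
# from your tenant's OpenID configuration document, never from a guess.
AUTHORIZE_ENDPOINT = "https://contoso.ciamlogin.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize"
EXPECTED_ISSUER = "https://contoso.ciamlogin.com/00000000-0000-0000-0000-000000000001/v2.0"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REDIRECT_URI = "https://app.example/auth/callback"
CLOCK_SKEW = 60   # seconds of tolerance on exp / iat


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def start_login() -> Dict[str, str]:
    """Build the authorization request (OIDC code flow with PKCE). Keep the
    verifier, state and nonce server-side, bound to this browser session."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    state = b64url(secrets.token_bytes(16))   # CSRF protection for the callback
    nonce = b64url(secrets.token_bytes(16))   # ties the ID token to this login attempt
    params = {
        "client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email", "state": state, "nonce": nonce,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return {"url": f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}",
            "verifier": verifier, "state": state, "nonce": nonce}


def pkce_matches(verifier: str, challenge: str) -> bool:
    """The check the token endpoint performs when the code is redeemed: a stolen
    authorization code is useless without the verifier that never left the client."""
    return hmac.compare_digest(b64url(hashlib.sha256(verifier.encode()).digest()), challenge)


def mint_id_token(claims: Dict, key: bytes) -> str:
    """Stand-in for the identity provider so the example runs offline (HS256 here;
    a real tenant signs with RS256 and publishes its keys via JWKS)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_id_token(token: str, key: bytes, expected_nonce: str,
                      now: Optional[float] = None) -> Dict:
    """Reject anything that is not a token for this client, from this issuer,
    for this login, signed with the one algorithm we expect."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":        # never accept "none" or a surprise algorithm
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) < now - CLOCK_SKEW:
        raise ValueError("token expired")
    if claims.get("iat", float("inf")) > now + CLOCK_SKEW:
        raise ValueError("token issued in the future")
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch (replayed or cross-session token)")
    return claims
```

The audience and nonce checks are the ones most often skipped: without them a valid token issued to a different application in the same tenant, or one captured from another user's login, is accepted as proof of identity.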
Entra External ID in Action
You see real results when you use Entra External ID in your organization. Different industries have adopted this solution to support zero trust and improve user experience. Here are some examples:
| Industry | Implementation Details |
|---|---|
| Financial | Enforced role-based access with location filters to comply with regulatory frameworks. |
| Healthcare | Required MFA and conditional device checks to protect sensitive patient data under HIPAA. |
| Education | Applied policies to distinguish between student and faculty access needs, ensuring only approved devices can access administrative resources. |
| Manufacturing | Restricted third-party access to intellectual property, allowing only compliant devices to access design files. |
| Global Enterprises | Required corporate-managed devices with encrypted storage and active threat protection for banking system access. |
You can see how Entra External ID adapts to different requirements. You enforce role-based access, require multi-factor authentication, and restrict device access. These actions help you protect sensitive data and meet compliance standards.
Lessons from Zero Trust Adoption
You learn important lessons when you move to a zero trust model. Organizations report measurable outcomes after adopting these principles. You can enhance your security and governance while keeping your business running smoothly.
| Objective | Outcome |
|---|---|
| Security outcomes | You deter attackers and maintain business functionality. |
| Governance | You protect assets, data, and applications while following architecture patterns. |
| Prevention | You align access control and asset protection within a unified security toolchain. |
| Visibility | You make risk and security status measurable and visible to stakeholders. |
| Response | You define SecOps roles and improve incident detection and response with automation. |
You gain better visibility into your security posture. You respond faster to incidents and prevent unauthorized access. You build trust with your users and stakeholders. Entra External ID helps you achieve these goals by supporting zero trust and providing a flexible, secure identity platform.
Tip: You can use Entra External ID to modernize your identity management and drive business growth while keeping your data safe.
Overcoming Adoption Challenges
Common Obstacles
You may face several hurdles when you move beyond the identity perimeter. Many organizations struggle with complex policies. You need to rethink how you map application permissions, which can make your security approach more complicated. Weak identity management can also slow your progress. If you rely on a single source for identity verification, you may find it hard to implement zero trust, especially when you work with older systems.
You cannot solve these problems alone. Effective identity security requires teamwork across your company. You need input from IT, security, compliance, and business units. When everyone works together, you can spot gaps and build stronger defenses.
Note: If you do not address these obstacles, you risk higher costs. A single security breach can cost you an average of $4.45 million. Failing to meet compliance rules can lead to fines of up to 4% of your global annual revenue. Manual identity processes also waste time and money, costing large organizations over $1.5 million each year.
Change Management
You need a clear plan to help your team adjust to new security models. Change management starts with designing policies that keep user experience in mind. If your policies frustrate users, they may look for ways around them. Use adaptive authentication to make access easier when risk is low and stronger when risk is high.
Treat policy management as an ongoing job. Use automation to update your policies in real time and test them often. This helps you stay ahead of new threats. Make sure your security controls match your compliance needs. When you align your controls with regulations, you make audits easier and show that you take security seriously.
You can also look for support programs. Some governments offer tax deductions or grants to help small and medium businesses invest in cybersecurity. National education programs can teach you about free tools and resources. Working with federal agencies can boost your cybersecurity skills and help you adopt zero trust faster.
Integrating with Legacy Systems
Legacy systems can make zero trust adoption more difficult. You may find that older systems do not support modern identity solutions or lack the right APIs. Flat network designs can make it hard to segment your environment, and changes may risk outages. Some legacy devices cannot handle new security tools because of limited resources. Vendor lock-in can also prevent you from updating security features.
| Challenge | Description | Solution |
|---|---|---|
| Integration Difficulties | Older systems may not work with modern identity tools. | Assess and plan integration points carefully. |
| Network Architecture Challenges | Flat networks make segmentation hard and risky. | Upgrade networks in steps to support micro-segmentation. |
| Performance and Resource Constraints | Legacy devices may slow down with new security tools. | Use controls that fit system limits. |
| Vendor Lock-In | Some vendors do not support needed security updates. | Apply workarounds and extra controls where possible. |
| Organizational and Cultural Barriers | Staff may resist changes or work in silos. | Train teams and encourage cooperation. |
| Expertise Gaps | You may lack staff who know both old and new systems. | Invest in training and hire skilled workers. |
| Risk of Disruption | New controls can cause outages in old environments. | Roll out changes in phases to reduce disruption. |
You can overcome these challenges by planning carefully and upgrading systems step by step. Train your staff and encourage teamwork. When you address both technical and cultural barriers, you make your transition to zero trust smoother and more effective.
Next Steps for Modern Security
Building a Zero Trust Roadmap
You need a clear plan to move your organization beyond the identity perimeter. Building a zero trust roadmap helps you protect your assets and adapt to new threats. Start by identifying what matters most. Define your protect surface. List your critical assets, sensitive data, and key applications. Understand how information flows across your environment. Map the transaction flows so you know where risks may appear.
Design your zero trust architecture using trusted models like NIST ZTA. Include core components such as identity and access management and device trust. Enforce strong identity controls. Require multi-factor authentication and consider passwordless options. Apply least-privilege access and micro-segmentation. Restrict permissions and segment workloads to minimize risk.
Enable continuous verification and threat detection. Evaluate risk and context in real time. Test your controls often. Evolve your strategies through regular incident response exercises. These steps help you build a security foundation that adapts to change.
Zero Trust Roadmap Steps:
- Define your protect surface.
- Map the transaction flows.
- Build your zero trust architecture.
- Implement strong identity controls.
- Apply least-privilege and micro-segmentation.
- Enable continuous verification and threat detection.
- Test and evolve through incident response.
Tip: Involve your IT and security teams in every step. Collaboration ensures you cover all risks and build a stronger defense.
Measuring Success
You must track your progress to see if your zero trust strategy works. Use clear metrics and benchmarks to measure improvements. Monitor authentication and authorization rates. Check how many users use multi-factor authentication. Track authentication failures and average authentication times.
Review privileged access management. Document all privileged accounts. Measure the percentage of just-in-time access and monitor privileged sessions. Assess security risk reduction. Look for exposed credentials and track risk score improvements. Count identity-based security incidents.
Check compliance and audit performance. Track access review completion rates and compliance violation resolution times. Measure audit findings reduction. Evaluate user experience metrics. Monitor self-service adoption rates and password reset automation. Collect user satisfaction scores.
Operational efficiency matters. Compare automated and manual identity processes. Measure task completion times and costs per transaction. Track help desk tickets related to identity issues. Assess skill development rates for IT staff trained on zero trust principles.
| Category | Metric Description | Example Impact |
|---|---|---|
| Authentication and Authorization | MFA adoption rate: Percentage of users utilizing multi-factor authentication. | Organizations experience 99.9% reduction in account compromise risks. |
| Privileged Access Management | Privileged account inventory accuracy: Percentage of privileged accounts documented. | |
| Security Risk Reduction | Exposed credentials rate: Percentage of credentials found in breaches. | |
| Compliance and Audit Performance | Certification campaign completion rate: Percentage of access reviews completed. | Organizations report 62% faster completion of access certification campaigns. |
| User Experience Metrics | Self-service adoption rate: Percentage of users utilizing self-service functions. | Companies report help desk call reduction of up to 40%. |
| Operational Efficiency KPIs | Automated vs. manual identity processes: Ratio of automated to manual processes. | |
Note: Regularly review these metrics. Adjust your roadmap as needed to improve security and user experience.
You build a safer environment when you follow your zero trust roadmap and measure your progress. You protect your data, reduce risks, and support business growth.
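To make the metrics above concrete, here is an added example (not from the page) that computes the table's KPIs from constructed sign-in, privileged account, access review and process records, then flags the metrics that miss a target; every record, account name and target value is hypothetical.

```python
"""Zero trust KPI calculation for the metrics table above.

Added example, not from the page: every record and target below is
constructed, hypothetical data rather than real tenant telemetry.
"""
from statistics import mean

# Constructed sign-in records: (user, mfa_used, success, duration_seconds)
SIGN_INS = [
    ("alice", True, True, 1.2), ("alice", True, True, 1.4),
    ("bob", False, True, 7.0), ("bob", False, False, 9.5),
    ("carol", True, True, 1.6), ("dave", False, True, 6.0),
    ("dave", False, False, 8.5), ("erin", True, False, 2.0),
    ("erin", True, True, 1.8), ("carol", True, True, 2.0),
]
# Constructed privileged accounts: (name, documented_in_inventory, jit_eligible)
PRIVILEGED = [
    ("svc-backup", True, True), ("global-admin-1", True, True),
    ("legacy-admin", False, False), ("db-owner", True, False),
]
# Constructed access review campaigns: name -> completed
ACCESS_REVIEWS = {"partners-q1": True, "contractors-q1": True,
                  "admins-q1": False, "vendors-q1": True, "guests-q1": True}
# Constructed identity processes: name -> "automated" | "manual"
PROCESSES = {"guest onboarding": "automated", "offboarding": "automated",
             "access request": "automated", "password reset": "manual",
             "partner re-certification": "manual"}
# Constructed targets: metric -> (threshold, higher_is_better)
TARGETS = {
    "mfa_adoption_pct": (95.0, True),
    "auth_failure_pct": (10.0, False),
    "avg_auth_time_s": (2.0, False),
    "privileged_inventory_pct": (100.0, True),
    "jit_access_pct": (50.0, True),
    "access_review_completion_pct": (80.0, True),
    "automated_to_manual_ratio": (3.0, True),
}


def pct(part, whole):
    """Percentage rounded to two decimals; 0.0 when there is nothing to count."""
    return round(100.0 * part / whole, 2) if whole else 0.0


def mfa_adoption_rate(sign_ins):
    """Share of distinct users who used MFA on at least one sign-in."""
    users = {u for u, *_ in sign_ins}
    mfa_users = {u for u, mfa, *_ in sign_ins if mfa}
    return pct(len(mfa_users), len(users))


def auth_failure_rate(sign_ins):
    """Share of sign-in attempts that failed."""
    return pct(sum(not ok for _, _, ok, _ in sign_ins), len(sign_ins))


def avg_auth_time(sign_ins):
    """Mean duration of successful sign-ins in seconds (failed ones excluded)."""
    durations = [d for _, _, ok, d in sign_ins if ok]
    return round(mean(durations), 2) if durations else 0.0


def automation_ratio(processes):
    """Automated-to-manual ratio; inf once nothing is manual any more."""
    automated = sum(v == "automated" for v in processes.values())
    manual = sum(v == "manual" for v in processes.values())
    return round(automated / manual, 2) if manual else float("inf")


def kpi_report(sign_ins=SIGN_INS, accounts=PRIVILEGED,
               reviews=ACCESS_REVIEWS, processes=PROCESSES):
    """One entry per metric of the table, computed from the raw records."""
    return {
        "mfa_adoption_pct": mfa_adoption_rate(sign_ins),
        "auth_failure_pct": auth_failure_rate(sign_ins),
        "avg_auth_time_s": avg_auth_time(sign_ins),
        # privileged account inventory accuracy: documented / all privileged
        "privileged_inventory_pct": pct(sum(d for _, d, _ in accounts), len(accounts)),
        # just-in-time share: JIT-eligible / all privileged
        "jit_access_pct": pct(sum(j for _, _, j in accounts), len(accounts)),
        "access_review_completion_pct": pct(sum(reviews.values()), len(reviews)),
        "automated_to_manual_ratio": automation_ratio(processes),
    }


def metrics_missing_target(report, targets=TARGETS):
    """Metrics that miss their target, i.e. the items for the next roadmap review."""
    missed = []
    for name, (threshold, higher_is_better) in targets.items():
        value = report[name]
        if not (value >= threshold if higher_is_better else value <= threshold):
            missed.append(name)
    return missed


if __name__ == "__main__":
    report = kpi_report()
    for name, value in report.items():
        print(f"{name:30} {value}")
    print("below target:", metrics_missing_target(report))
```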
You see that the identity perimeter cannot protect your organization from modern threats. Attackers bypass static defenses and exploit blurred network boundaries. Zero trust principles require you to verify every asset and user. Microsoft Entra External ID helps you secure identities across AI and SaaS apps. You benefit from continuous monitoring and integrated network filtering.
| Statistic | Value |
|---|---|
| Password attacks per second | 7,000 |
| Identity-based cyberattacks as a percentage of breaches | 80% |
You should follow the roadmap and adopt advanced identity solutions. The future of security depends on your ability to adapt and build trust at every step.
FAQ
What is the identity perimeter?
You use the identity perimeter to protect your organization by controlling who can access your systems. This approach relies on verifying user credentials before granting access.
Why is the identity perimeter no longer enough?
Attackers bypass traditional defenses by stealing credentials. You face risks from cloud apps, remote work, and third-party connections. You need stronger, layered security.
What is zero trust security?
Zero trust means you never trust anyone by default. You verify every user, device, and action. You limit access and monitor activity continuously.
How does Microsoft Entra External ID help?
You use Entra External ID to manage external identities securely. The platform verifies credentials in real time and supports flexible access policies.
Can I integrate zero trust with legacy systems?
You can integrate zero trust with older systems. Start with careful planning. Upgrade in phases. Train your staff and use compatible tools.
What are the benefits of continuous monitoring?
Continuous monitoring helps you spot threats quickly. You respond faster to suspicious activity. You improve compliance and reduce risk.
How do I measure zero trust success?
You track metrics like MFA adoption, privileged access reviews, and incident response times. You check user satisfaction and operational efficiency.
Is zero trust difficult to implement?
You may face challenges, but you can overcome them with teamwork, training, and step-by-step upgrades. Start small and build your security foundation.
🚀 Want to be part of m365.fm?
Then stop just listening… and start showing up.
👉 Connect with me on LinkedIn and let’s make something happen:
- 🎙️ Be a podcast guest and share your story
- 🎧 Host your own episode (yes, seriously)
- 💡 Pitch topics the community actually wants to hear
- 🌍 Build your personal brand in the Microsoft 365 space
This isn’t just a podcast — it’s a platform for people who take action.
🔥 Most people wait. The best ones don’t.
👉 Connect with me on LinkedIn and send me a message:
"I want in"
Let’s build something awesome 👊
1
00:00:00,000 --> 00:00:05,360
Identity still gets treated like a gate, a login page, a directory, a border around an app.
2
00:00:05,360 --> 00:00:09,040
But work doesn't happen at your border anymore, and that's where the old model starts failing.
3
00:00:09,040 --> 00:00:12,960
Your customers move across channels, your partners move across tenants, and your contractors
4
00:00:12,960 --> 00:00:15,200
move in and out of projects every single day.
5
00:00:15,200 --> 00:00:19,160
Now we have AI agents and automated workflows that need access too, and they often do it
6
00:00:19,160 --> 00:00:22,720
without ever touching the need path your old identity stack expected.
7
00:00:22,720 --> 00:00:27,280
The business asks for speed and reach, but the identity layer answers with forms, passwords,
8
00:00:27,280 --> 00:00:29,280
duplicate accounts, and manual proof.
9
00:00:29,280 --> 00:00:31,040
It creates two failures at once.
10
00:00:31,040 --> 00:00:35,000
Users drop off because the friction is too high, and attackers get bigger targets because
11
00:00:35,000 --> 00:00:36,760
the data is scattered.
12
00:00:36,760 --> 00:00:40,360
Research on modern CIAM keeps showing the same pattern over and over.
13
00:00:40,360 --> 00:00:44,720
Hard registration loses users, password problems flood your support desk, and better sign-in
14
00:00:44,720 --> 00:00:47,880
flows improve first-time success almost immediately.
15
00:00:47,880 --> 00:00:52,440
So before we talk about Entra External ID, portable trust, or verifiable credentials, we need
16
00:00:52,440 --> 00:00:55,280
to define the real break in the model.
17
00:00:55,280 --> 00:00:56,920
The death of the perimeter.
18
00:00:56,920 --> 00:01:01,760
The old identity model came from a simple assumption, people came to your system, on your network,
19
00:01:01,760 --> 00:01:03,800
through your app, and on your terms.
20
00:01:03,800 --> 00:01:07,320
The logic was that if you control that boundary well enough, you control trust.
21
00:01:07,320 --> 00:01:11,280
That model fit a world of employees and corporate devices where everything stayed inside one
22
00:01:11,280 --> 00:01:12,280
organization.
23
00:01:12,280 --> 00:01:14,160
That world is gone, but the model stayed.
24
00:01:14,160 --> 00:01:18,600
In most organizations, identity architecture still thinks like an internal control system,
25
00:01:18,600 --> 00:01:21,080
while the business now runs like an ecosystem.
26
00:01:21,080 --> 00:01:24,960
Users move between suppliers, resellers, customer portals, and shared workspaces without
27
00:01:24,960 --> 00:01:27,360
stopping to think about which directory owns them.
28
00:01:27,360 --> 00:01:31,200
They just need to get work done, buy a product, or approve a contract. That mismatch creates
29
00:01:31,200 --> 00:01:32,200
the trust gap.
30
00:01:32,200 --> 00:01:36,040
The business wants more partner growth and faster onboarding, but the identity stack responds
31
00:01:36,040 --> 00:01:38,880
with another sign up form and another isolated user store.
32
00:01:38,880 --> 00:01:40,800
You can see the structural problem here.
33
00:01:40,800 --> 00:01:44,960
Reach expands outward, but trust still gets rebuilt from scratch inside every single
34
00:01:44,960 --> 00:01:46,040
application boundary.
35
00:01:46,040 --> 00:01:47,880
And every time that happens, you pay twice.
36
00:01:47,880 --> 00:01:49,240
First, the user pays.
37
00:01:49,240 --> 00:01:53,080
Research shows that 73% of consumers abandoned purchases because registration is too
38
00:01:53,080 --> 00:01:55,960
cumbersome, which means this isn't just a design detail.
39
00:01:55,960 --> 00:01:58,200
It's a revenue leak caused by identity friction.
40
00:01:58,200 --> 00:02:02,440
The person was ready to move, but your proof model asked them to stop, type, wait, and eventually
41
00:02:02,440 --> 00:02:03,440
give up.
42
00:02:03,440 --> 00:02:04,840
Then the organization pays.
43
00:02:04,840 --> 00:02:08,720
Password issues still drive 40% to 60% of authentication support requests.
44
00:02:08,720 --> 00:02:13,000
The same architecture that hurts your conversion rate also creates massive service desk load
45
00:02:13,000 --> 00:02:15,880
and cleanup work for teams that should be doing better things.
46
00:02:15,880 --> 00:02:17,760
Now look at the security side.
47
00:02:17,760 --> 00:02:21,760
Centralized identity silos don't just slow people down, they also concentrate your risk.
48
00:02:21,760 --> 00:02:25,360
If every external journey depends on your central store holding more data and more duplicated
49
00:02:25,360 --> 00:02:28,680
records, you've created a better breach target while calling it control.
50
00:02:28,680 --> 00:02:32,400
The attacker only needs to find one weak pass, while your users have to survive every single
51
00:02:32,400 --> 00:02:33,400
one.
52
00:02:33,400 --> 00:02:37,600
This is where internal IAM logic and external identity reality finally split apart.
53
00:02:37,600 --> 00:02:41,800
Internal IAM is built around workforce control for known employees on known devices.
54
00:02:41,800 --> 00:02:43,280
External identity isn't like that.
55
00:02:43,280 --> 00:02:47,400
Customer identity, partner identity, and machine identity all work in a much more fluid
56
00:02:47,400 --> 00:02:48,400
system.
57
00:02:48,400 --> 00:02:52,040
The next has to cross company lines and legal boundaries without turning every interaction
58
00:02:52,040 --> 00:02:53,560
into a help desk event.
59
00:02:53,560 --> 00:02:56,600
And one level deeper, even the language gets people stuck.
60
00:02:56,600 --> 00:03:00,480
Leaders still talk about user management as if the job is just storing records and granting
61
00:03:00,480 --> 00:03:01,480
access.
62
00:03:01,480 --> 00:03:04,280
But for external identity, the job is much bigger.
63
00:03:04,280 --> 00:03:07,840
You need to verify the right thing at the right moment with the least amount of friction
64
00:03:07,840 --> 00:03:08,840
possible.
65
00:03:08,840 --> 00:03:12,920
Sometimes that's a passkey and sometimes it's a claim about a certification, a role,
66
00:03:12,920 --> 00:03:13,920
or a contract.
67
00:03:13,920 --> 00:03:16,560
That's why identity now hits more than just security outcomes.
68
00:03:16,560 --> 00:03:20,560
It hits conversion, it hits onboarding speed, and it hits how fast a new product can launch
69
00:03:20,560 --> 00:03:22,200
without creating another silo.
70
00:03:22,200 --> 00:03:26,000
Once you see identity as part of your growth infrastructure, the perimeter model stops looking
71
00:03:26,000 --> 00:03:27,000
old.
72
00:03:27,000 --> 00:03:28,000
It starts looking expensive.
73
00:03:28,000 --> 00:03:29,000
So the question changes.
74
00:03:29,000 --> 00:03:31,840
It's not, how do we protect the border better?
75
00:03:31,840 --> 00:03:36,080
The better question is, what replaces a border model when trust has to travel?
76
00:03:36,080 --> 00:03:38,680
Why portable identity changes the model.
77
00:03:38,680 --> 00:03:40,840
Portable identity changes the starting point.
78
00:03:40,840 --> 00:03:44,480
Instead of rebuilding trust inside every app, every portal, and every partner flow, you
79
00:03:44,480 --> 00:03:47,880
let trusted proof travel with the person or system that needs to act.
80
00:03:47,880 --> 00:03:50,600
That sounds simple, but it changes the whole structure.
81
00:03:50,600 --> 00:03:55,040
You are no longer asking if you have an account for a specific user sitting in a database.
82
00:03:55,040 --> 00:03:58,840
Instead, you are asking what you need this party to prove right now and whether you can
83
00:03:58,840 --> 00:04:01,320
verify that proof under your current policy.
84
00:04:01,320 --> 00:04:05,080
That is the move from account-centric identity to claim-centric identity.
85
00:04:05,080 --> 00:04:07,080
In the old approach, the account is the asset.
86
00:04:07,080 --> 00:04:10,600
You create it, store it, enrich it and protect it, but then you end up copying it into more
87
00:04:10,600 --> 00:04:12,200
places than you ever wanted.
88
00:04:12,200 --> 00:04:14,320
In the new approach, the claim is the asset.
89
00:04:14,320 --> 00:04:15,320
Are you a certified partner?
90
00:04:15,320 --> 00:04:16,680
Are you over a certain age?
91
00:04:16,680 --> 00:04:18,640
Are you approved for this transaction?
92
00:04:18,640 --> 00:04:21,280
Are you still employed by the supplier you represent?
93
00:04:21,280 --> 00:04:24,200
Those are different questions, and they do not only the same answer format.
94
00:04:24,200 --> 00:04:27,960
This clicked for a lot of teams once passkeys started getting real traction.
95
00:04:27,960 --> 00:04:30,080
The goal was not just to remove passwords.
96
00:04:30,080 --> 00:04:33,880
The deeper shift was that sign-in started relying less on shared secrets and more on stronger
97
00:04:33,880 --> 00:04:36,160
proof tied to the user and the device.
98
00:04:36,160 --> 00:04:39,440
Microsoft reported that passkey logins are three times faster than passwords and eight
99
00:04:39,440 --> 00:04:41,880
times faster than a password plus MFA.
100
00:04:41,880 --> 00:04:43,800
But the lesson here is not only about speed.
101
00:04:43,800 --> 00:04:48,200
It is the fact that better proof can lower friction and increase security at the same time.
102
00:04:48,200 --> 00:04:52,520
Now when people hear decentralized identity, they often jump to the wrong conclusion.
103
00:04:52,520 --> 00:04:56,560
They think it means no central control, no policy, or maybe even no enterprise role,
104
00:04:56,560 --> 00:04:57,680
but that is not the model.
105
00:04:57,680 --> 00:05:01,640
Decentralized identity in practical enterprise terms means trust does not depend on one
106
00:05:01,640 --> 00:05:04,240
giant record store being the only source of truth.
107
00:05:04,240 --> 00:05:09,160
Instead, issuers provide verifiable proofs, holders present only what is needed, and verifiers
108
00:05:09,160 --> 00:05:11,440
check that proof against policy.
109
00:05:11,440 --> 00:05:13,120
Selective disclosure matters here.
110
00:05:13,120 --> 00:05:16,760
If a partner needs to prove their certification status, they should not need to hand over
111
00:05:16,760 --> 00:05:19,920
every profile detail sitting in some old onboarding form.
112
00:05:19,920 --> 00:05:23,760
If a customer needs to prove eligibility, they should not have to recreate the same identity
113
00:05:23,760 --> 00:05:25,720
story in every channel.
114
00:05:25,720 --> 00:05:28,080
Portable identity narrows the exchange.
115
00:05:28,080 --> 00:05:31,160
You prove what is needed, you verify it, and you move on.
116
00:05:31,160 --> 00:05:34,400
That also explains why executives get stuck on the word decentralization.
117
00:05:34,400 --> 00:05:37,840
They hear less central storage and assume there is less governance, but the opposite
118
00:05:37,840 --> 00:05:40,520
can be true if the model is designed well.
119
00:05:40,520 --> 00:05:41,840
Governance does not disappear.
120
00:05:41,840 --> 00:05:43,600
It moves.
121
00:05:43,600 --> 00:05:47,680
The organization still defines issuance rules, trust rules, and acceptance rules.
122
00:05:47,680 --> 00:05:51,600
The difference is that governance starts controlling verification and policy instead of
123
00:05:51,600 --> 00:05:54,800
forcing every journey to depend on account duplication.
124
00:05:54,800 --> 00:05:57,800
So digital sovereignty is not some abstract ideal here.
125
00:05:57,800 --> 00:06:02,040
In practical terms, the user controls the proof they present, while the organization controls
126
00:06:02,040 --> 00:06:04,520
the conditions under which that proof is accepted.
127
00:06:04,520 --> 00:06:08,120
The verifier checks validity, issuer trust, and policy fit.
128
00:06:08,120 --> 00:06:10,560
That is a cleaner split of roles than the old model.
129
00:06:10,560 --> 00:06:14,720
There, one platform often tries to store everything, decide everything, and expose everything
130
00:06:14,720 --> 00:06:15,720
at once.
131
00:06:15,720 --> 00:06:18,000
The timing matters too because the outside world is moving.
132
00:06:18,000 --> 00:06:23,840
The W3C DID version 1.1 reached candidate recommendation status in March of 2026, which
133
00:06:23,840 --> 00:06:27,000
tells you the standard side is still maturing but moving forward.
134
00:06:27,000 --> 00:06:31,760
At the same time, Europe is pushing harder through eIDAS 2, and the broader, verifiable
135
00:06:31,760 --> 00:06:35,840
credentials market is projected to grow fast through the next several years.
136
00:06:35,840 --> 00:06:40,160
Adoption is early, yes, it is definitely uneven, but it is not theoretical anymore.
137
00:06:40,160 --> 00:06:43,240
And there is another pressure coming from user expectations.
138
00:06:43,240 --> 00:06:47,400
Passkeys are spreading, and phishing resistant methods are becoming the baseline people expect
139
00:06:47,400 --> 00:06:49,640
from serious digital services.
140
00:06:49,640 --> 00:06:53,980
Cross-border access keeps growing, and AI agents need trust models that are not built around
141
00:06:53,980 --> 00:06:56,240
typing credentials into forms.
142
00:06:56,240 --> 00:06:59,280
What used to look advanced now starts to look overdue.
143
00:06:59,280 --> 00:07:03,840
Theory is useful up to a point, but after that, leaders need to know where Microsoft actually
144
00:07:03,840 --> 00:07:04,840
fits in this shift.
145
00:07:04,840 --> 00:07:08,400
They need to know where Entra External ID helps, where it does not, and how Verified
146
00:07:08,400 --> 00:07:09,920
ID enters the picture.
147
00:07:09,920 --> 00:07:12,560
Where Entra External ID fits, and where it doesn't.
148
00:07:12,560 --> 00:07:14,880
So where does Entra External ID sit in all of this?
149
00:07:14,880 --> 00:07:19,440
It is not a magic decentralized identity platform, and it is not a total replacement for every
150
00:07:19,440 --> 00:07:21,600
external identity pattern overnight.
151
00:07:21,600 --> 00:07:23,520
It is also not just a nicer sign-in page.
152
00:07:23,520 --> 00:07:25,480
Its real role is more structural.
153
00:07:25,480 --> 00:07:28,840
Entra External ID works as the control plane for external trust.
154
00:07:28,840 --> 00:07:32,760
It handles customer and partner identities, application access, and branded journeys
155
00:07:32,760 --> 00:07:34,880
in a way that fits the broader Entra model.
156
00:07:34,880 --> 00:07:39,000
That matters because most organizations do not need another isolated identity product.
157
00:07:39,000 --> 00:07:42,840
They need a way to coordinate proof in policy across external users without building another
158
00:07:42,840 --> 00:07:44,200
governance mess.
159
00:07:44,200 --> 00:07:47,080
This is also where the shift from Azure AD B2C matters.
160
00:07:47,080 --> 00:07:50,240
B2C came from a different era of the Microsoft Identity stack.
161
00:07:50,240 --> 00:07:55,240
It gave teams a lot of flexibility, but it often did so through XML heavy custom policies
162
00:07:55,240 --> 00:07:57,960
and a separate way of thinking about external users.
163
00:07:57,960 --> 00:08:00,840
Entra External ID moves onto the newer Entra foundation.
164
00:08:00,840 --> 00:08:05,200
It uses a more graph centered model and aligns much closer to current security controls.
165
00:08:05,200 --> 00:08:08,980
For leadership, that means less architectural drift, and for engineering, it usually means
166
00:08:08,980 --> 00:08:13,400
less policy work trapped in custom structures that only a few people understand.
167
00:08:13,400 --> 00:08:17,860
That does not mean every old B2C scenario drops neatly into External ID today.
168
00:08:17,860 --> 00:08:21,380
The migration path is real, and Microsoft has invested in it, including just-in-time
169
00:08:21,380 --> 00:08:25,700
password migration, so users do not all hit a forced reset wave at once.
170
00:08:25,700 --> 00:08:28,860
But there are still feature gaps and maturity differences, especially for organizations
171
00:08:28,860 --> 00:08:32,180
that build deep custom behavior on B2C over many years.
172
00:08:32,180 --> 00:08:35,980
So the honest message is not that External ID does everything better right now.
173
00:08:35,980 --> 00:08:39,660
The honest message is that it gives you a more modern platform direction, with clearer
174
00:08:39,660 --> 00:08:42,100
alignment to where Microsoft is investing.
175
00:08:42,100 --> 00:08:43,740
Now what does it actually do well?
176
00:08:43,740 --> 00:08:47,100
It handles external identities as a managed operating layer.
177
00:08:47,100 --> 00:08:52,100
This includes customer sign-up, partner access, and federation with external identity providers.
178
00:08:52,100 --> 00:08:56,500
In some partner scenarios that can extend into approvals, access reviews, and automated
179
00:08:56,500 --> 00:08:59,620
off-boarding when you pair it with Entra governance capabilities.
180
00:08:59,620 --> 00:09:01,860
That is a lot bigger than authentication alone.
181
00:09:01,860 --> 00:09:06,140
It is identity orchestration for people who are not employees, but still affect your business
182
00:09:06,140 --> 00:09:07,140
directly.
183
00:09:07,140 --> 00:09:10,540
Then there is Verified ID, and this is where a lot of executives blur two different things
184
00:09:10,540 --> 00:09:11,540
together.
185
00:09:11,540 --> 00:09:14,860
Entra External ID and Entra Verified ID are related, but they are not the same product doing
186
00:09:14,860 --> 00:09:15,860
the same job.
187
00:09:15,860 --> 00:09:19,900
External ID is the orchestration and policy layer for external access journeys.
188
00:09:19,900 --> 00:09:24,540
Verified ID is the portable proof layer for issuing and checking verifiable credentials.
189
00:09:24,540 --> 00:09:28,980
One manages how external users get in and stay governed, while the other helps define
190
00:09:28,980 --> 00:09:32,700
what they can prove without relying on the old pattern of collecting and storing everything
191
00:09:32,700 --> 00:09:33,860
centrally.
192
00:09:33,860 --> 00:09:39,220
That distinction matters because verifiable credentials do not replace all CIAM needs today.
193
00:09:39,220 --> 00:09:43,700
They do not remove the need for customer identity flows, federation, or session controls.
194
00:09:43,700 --> 00:09:47,660
What they do is improve specific proof moments inside that broader system.
195
00:09:47,660 --> 00:09:50,940
A partner can prove certification or a vendor can prove their status.
196
00:09:50,940 --> 00:09:54,980
A regulated onboarding flow can verify a trusted attribute with less data sharing.
197
00:09:54,980 --> 00:09:57,340
That is strong, but it is not the whole stack.
198
00:09:57,340 --> 00:09:59,900
Most organizations will land in a hybrid model for a while.
199
00:09:59,900 --> 00:10:03,100
They will use passkeys in some journeys and federation in others.
200
00:10:03,100 --> 00:10:07,460
They will keep traditional account-based CIAM where they still need it and use verifiable
201
00:10:07,460 --> 00:10:11,180
credentials where portable proof clearly reduces cost or friction.
202
00:10:11,180 --> 00:10:14,100
Entra External ID is useful here because it can act as the bridge.
203
00:10:14,100 --> 00:10:18,220
It stops you from having to make a false choice between legacy login and full portable identity
204
00:10:18,220 --> 00:10:19,220
on day one.
205
00:10:19,220 --> 00:10:20,220
There are limits.
206
00:10:20,220 --> 00:10:21,220
And they matter.
207
00:10:21,220 --> 00:10:25,820
Public case studies around decentralized identity in partner scenarios are still thin.
208
00:10:25,820 --> 00:10:30,060
Some capabilities are newer or uneven across customer and partner use cases.
209
00:10:30,060 --> 00:10:34,340
In broader non-Microsoft environments, governance depth may still need extra tooling.
210
00:10:34,340 --> 00:10:38,180
If an organization expects a pure decentralized future to arrive fully packaged inside
211
00:10:38,180 --> 00:10:41,740
one Microsoft service, that expectation will break fast.
212
00:10:41,740 --> 00:10:43,860
But the affirmative model is still strong.
213
00:10:43,860 --> 00:10:48,700
Use Entra External ID as the orchestration layer between identity proof, policy enforcement,
214
00:10:48,700 --> 00:10:49,900
and life cycle control.
215
00:10:49,900 --> 00:10:54,060
Add Verified ID where portable trust adds clear value and keep central governance where
216
00:10:54,060 --> 00:10:56,060
policy and accountability need it.
217
00:10:56,060 --> 00:10:57,380
That is a practical architecture.
218
00:10:57,380 --> 00:11:00,860
It is not an ideology and it is not a rip and replace fantasy.
219
00:11:00,860 --> 00:11:05,740
And once that role becomes clear, the business case gets a lot easier to see.
220
00:11:05,740 --> 00:11:09,220
The business case, friction, trust, and measurable return.
221
00:11:09,220 --> 00:11:13,060
Once leaders start viewing External ID as an orchestration layer, the conversation turns
222
00:11:13,060 --> 00:11:14,060
practical.
223
00:11:14,060 --> 00:11:17,220
They want to know if this actually pays back or if it is just a cleaner way to tell an
224
00:11:17,220 --> 00:11:18,220
architecture story.
225
00:11:18,220 --> 00:11:22,300
The reality is that it pays back because identity friction hides in places most executives
226
00:11:22,300 --> 00:11:23,300
are already tracking.
227
00:11:23,300 --> 00:11:25,220
They just use different labels for it.
228
00:11:25,220 --> 00:11:30,220
You see it in lost registrations, lower activation rates, and abandoned onboarding flows.
229
00:11:30,220 --> 00:11:34,260
It shows up as more support tickets and more fraud controls layered on top of weak user
230
00:11:34,260 --> 00:11:35,260
journeys.
231
00:11:35,260 --> 00:11:38,820
Engineering teams end up spending months stitching systems together that should have never been
232
00:11:38,820 --> 00:11:40,380
separate in the first place.
233
00:11:40,380 --> 00:11:43,460
This is why identity ROI is rarely found in just one budget.
234
00:11:43,460 --> 00:11:47,020
The growth team feels it in conversion rates while service desks feel it in the sheer
235
00:11:47,020 --> 00:11:49,140
volume of incoming tickets.
236
00:11:49,140 --> 00:11:53,300
It sees it in account takeover risks and compliance teams feel it when they have to collect evidence
237
00:11:53,300 --> 00:11:54,780
for access reviews.
238
00:11:54,780 --> 00:11:58,620
Product teams feel the pain through release delays because every new external flow turns into
239
00:11:58,620 --> 00:12:01,100
yet another exception path that needs custom coding.
240
00:12:01,100 --> 00:12:05,340
The thing most people miss is that a smoother sign-in experience is not just about making things
241
00:12:05,340 --> 00:12:06,340
convenient.
242
00:12:06,340 --> 00:12:10,440
It fundamentally changes whether a person completes the journey at all and it dictates
243
00:12:10,440 --> 00:12:14,500
how much internal labor you need to keep that journey alive once it goes live.
244
00:12:14,500 --> 00:12:18,700
Recent research from 2026 on CIAM is pretty blunt about these outcomes.
245
00:12:18,700 --> 00:12:23,820
Passwordless authentication cut the average sign-in time from 8.7 seconds down to 1.2 seconds
246
00:12:23,820 --> 00:12:28,860
and first time success rates jumped from about 76% to nearly 99%.
247
00:12:28,860 --> 00:12:32,460
Registration completion moved from 64% to almost 88%.
248
00:12:32,460 --> 00:12:36,060
Those numbers matter because they sit right at the point where identity either clears the
249
00:12:36,060 --> 00:12:38,820
path or becomes the reason your customers stall.
250
00:12:38,820 --> 00:12:41,100
The business effect is visible immediately.
251
00:12:41,100 --> 00:12:45,620
Faster proof means less drop-off and higher first-time success means fewer retries and fewer
252
00:12:45,620 --> 00:12:47,620
abandoned sessions for your users.
253
00:12:47,620 --> 00:12:51,460
Faster completion rates mean your marketing spend stops leaking out through a broken identity
254
00:12:51,460 --> 00:12:52,460
layer.
255
00:12:52,460 --> 00:12:55,420
This is exactly why product and security teams need to look at the same dashboard because
256
00:12:55,420 --> 00:12:58,300
both groups are acting on the same high stakes moment.
257
00:12:58,300 --> 00:13:01,700
Support economics tell the same story from a different perspective.
258
00:13:01,700 --> 00:13:05,260
Authentication improvements, including just-in-time migration and the move to passwordless,
259
00:13:05,260 --> 00:13:09,180
have been linked to an 81% decrease in identity-related support tickets.
260
00:13:09,180 --> 00:13:14,300
CVS Health reported a 77% reduction in help desk calls after adopting passwordless methods,
261
00:13:14,300 --> 00:13:17,740
along with a 98% reduction in account takeovers.
262
00:13:17,740 --> 00:13:22,340
When executives ask if identity work is a cost center or a growth driver, the honest answer
263
00:13:22,340 --> 00:13:23,740
is that it is both.
264
00:13:23,740 --> 00:13:27,020
It cuts costs and protects your revenue at the same time.
265
00:13:27,020 --> 00:13:30,740
Migration is where this reality often becomes most visible to the organization.
266
00:13:30,740 --> 00:13:34,220
Old-school identity migrations usually create what I call reset shock.
267
00:13:34,220 --> 00:13:38,980
Users hit a new login page, their old password fails to work, the reset email goes missing
268
00:13:38,980 --> 00:13:43,100
in a spam folder, and the brand takes the blame when support calls spike.
269
00:13:43,100 --> 00:13:47,220
Entra External ID uses just-in-time password migration to change that pattern by validating
270
00:13:47,220 --> 00:13:51,340
legacy credentials at the first sign-in and moving the user forward without a forced
271
00:13:51,340 --> 00:13:52,900
mass reset.
272
00:13:52,900 --> 00:13:56,460
This matters less as a technical feature and more as a way to control churn.
273
00:13:56,460 --> 00:14:00,140
It eliminates that ugly moment where a platform upgrade accidentally teaches your customers
274
00:14:00,140 --> 00:14:01,140
how to leave.
275
00:14:01,140 --> 00:14:03,940
Cost conversations also need a bit more honesty than they usually get.
276
00:14:03,940 --> 00:14:07,740
If a leader only compares monthly active user pricing between two platforms, they might
277
00:14:07,740 --> 00:14:10,060
miss the much larger bill entirely.
278
00:14:10,060 --> 00:14:14,340
Credit identity means you are paying for duplicate directories, custom maintenance and inconsistent
279
00:14:14,340 --> 00:14:16,180
policies that lead to slower launches.
280
00:14:16,180 --> 00:14:19,900
A cheaper line item on a contract can still produce a much more expensive operating model
281
00:14:19,900 --> 00:14:20,900
for the business.
282
00:14:20,900 --> 00:14:25,220
The question is not just what the platform costs, but what your current fragmentation is
283
00:14:25,220 --> 00:14:28,300
costing the company every single month you keep it.
284
00:14:28,300 --> 00:14:30,860
Trust is what finally compounds the return on this investment.
285
00:14:30,860 --> 00:14:34,940
When users move through proofing and sign-in without any confusion, they see that as a sign
286
00:14:34,940 --> 00:14:36,620
of competence from your brand.
287
00:14:36,620 --> 00:14:40,700
When partners get access to the tools they need faster, they start engaging with your business
288
00:14:40,700 --> 00:14:41,700
sooner.
289
00:14:41,700 --> 00:14:45,500
When a regulated onboarding process asks only for the proof required, people see discipline
290
00:14:45,500 --> 00:14:46,980
instead of overreach.
291
00:14:46,980 --> 00:14:49,460
Trust is not a soft outcome in this environment.
292
00:14:49,460 --> 00:14:53,900
It directly affects retention, adoption and whether those external users ever come back
293
00:14:53,900 --> 00:14:55,580
for a second interaction.
294
00:14:55,580 --> 00:14:57,540
That is the ultimate executive takeaway.
295
00:14:57,540 --> 00:15:01,620
Identity choices now shape your conversion rates, your margins, your support load and your
296
00:15:01,620 --> 00:15:03,700
ability to scale an ecosystem.
297
00:15:03,700 --> 00:15:07,420
The numbers can make that case on paper, but rolling it out without creating new chaos is
298
00:15:07,420 --> 00:15:10,220
where most programs actually slow down.
299
00:15:10,220 --> 00:15:12,620
Governance, risk and the sovereignty tension.
300
00:15:12,620 --> 00:15:16,020
This is where the conversation gets difficult because the hard part isn't actually issuing
301
00:15:16,020 --> 00:15:18,700
a credential or adding a new sign-in method.
302
00:15:18,700 --> 00:15:22,740
The real challenge is deciding who gets to trust what, which rules apply and what happens
303
00:15:22,740 --> 00:15:25,700
when that trust needs to be revoked or repaired after something goes wrong.
304
00:15:25,700 --> 00:15:30,060
A lot of the hype around decentralized identity tends to skip that part.
305
00:15:30,060 --> 00:15:34,060
You can talk about user control and portability as if they are magic, but if your governance
306
00:15:34,060 --> 00:15:38,500
stays weak, you don't actually get sovereignty, you get confusion or worse, you get a cleaner
307
00:15:38,500 --> 00:15:43,380
looking version of the same old control model just pushed into a new set of tools.
308
00:15:43,380 --> 00:15:47,260
Research on portable identity governance warns us that without due process and transparent
309
00:15:47,260 --> 00:15:51,780
rules, digital identity can still exclude people and centralize power in ways that are harder
310
00:15:51,780 --> 00:15:53,260
to see.
311
00:15:53,260 --> 00:15:56,340
Executives have to hold two competing ideas in their heads at the same time.
312
00:15:56,340 --> 00:15:59,420
First, portable identity can definitely reduce your central exposure.
313
00:15:59,420 --> 00:16:04,020
You no longer need one massive system, storing every single attribute and proof exchange forever,
314
00:16:04,020 --> 00:16:07,380
which improves privacy and limits your concentration risk.
315
00:16:07,380 --> 00:16:11,820
Second, none of those technical shifts remove your fundamental duty to govern that trust.
316
00:16:11,820 --> 00:16:16,300
Someone still has to define the issuance rules and someone has to set the trust registries.
317
00:16:16,300 --> 00:16:20,420
Someone still owns the consent handling, the retention rules and the cross-border data decisions.
318
00:16:20,420 --> 00:16:22,900
The technology changes, but the accountability does not.
319
00:16:22,900 --> 00:16:25,500
This is the tension that actually matters for the business.
320
00:16:25,500 --> 00:16:27,140
User control matters.
321
00:16:27,140 --> 00:16:28,620
Enterprise assurance matters.
322
00:16:28,620 --> 00:16:30,620
Local accountability matters.
323
00:16:30,620 --> 00:16:32,620
Operational recovery matters.
324
00:16:32,620 --> 00:16:36,580
If any one of those priorities wins completely, the whole model breaks down.
325
00:16:36,580 --> 00:16:40,900
If a user cannot recover their access, the system ends up excluding them entirely.
326
00:16:40,900 --> 00:16:45,860
If the enterprise cannot verify enough information, the system becomes unsafe for everyone.
327
00:16:45,860 --> 00:16:49,660
If legal accountability is vague, regulators will not care how elegant your architecture
328
00:16:49,660 --> 00:16:50,900
looked on paper.
329
00:16:50,900 --> 00:16:54,700
If recovery paths are missing, your support teams will just rebuild manual workarounds
330
00:16:54,700 --> 00:16:56,460
that bypass your entire design.
331
00:16:56,460 --> 00:17:00,660
That is why governance has to be more specific than just saying we trust verified credentials.
332
00:17:00,660 --> 00:17:04,740
You need a clear policy around who can issue a credential and what standards that issuer
333
00:17:04,740 --> 00:17:07,460
must meet before you accept their data.
334
00:17:07,460 --> 00:17:11,140
You have to define how trust gets established and how often that proof must be renewed or
335
00:17:11,140 --> 00:17:12,420
checked in real time.
336
00:17:12,420 --> 00:17:16,580
You also need to decide what happens when a credential is technically valid, but no longer
337
00:17:16,580 --> 00:17:18,860
appropriate for the specific context.
338
00:17:18,860 --> 00:17:22,780
A person might hold a legitimate credential, but the transaction might still need step-up
339
00:17:22,780 --> 00:17:26,020
verification because of their location or the sensitivity of the data.
340
00:17:26,020 --> 00:17:29,460
This is where Microsoft provides help in a very grounded, practical way.
341
00:17:29,460 --> 00:17:33,460
The strength of Entra is not that it magically removes the hard work of governance.
342
00:17:33,460 --> 00:17:37,380
Its real value is that it gives you the places to enforce your policy once you actually
343
00:17:37,380 --> 00:17:39,540
know what that policy should be.
344
00:17:39,540 --> 00:17:43,180
Conditional access can apply context at the exact moment of access and entitlement management
345
00:17:43,180 --> 00:17:46,300
can package or expire that access in a controlled way.
346
00:17:46,300 --> 00:17:50,500
Access reviews allow you to challenge stale permissions, while external MFA gives organizations
347
00:17:50,500 --> 00:17:53,940
room to use their preferred providers while keeping Entra in the policy loop.
348
00:17:53,940 --> 00:17:58,260
That matters because sovereignty without life cycle control eventually turns into a mess.
349
00:17:58,260 --> 00:18:02,540
A clean issuance moment will not save your organization if access stays active after a contract
350
00:18:02,540 --> 00:18:06,540
ends or if trust relationships linger after a partner loses their status.
351
00:18:06,540 --> 00:18:09,540
The new model is not about storing nothing and hoping for the best.
352
00:18:09,540 --> 00:18:13,700
It is about verifying only what is needed at the exact time it is needed under a strict
353
00:18:13,700 --> 00:18:16,740
policy with a clear ability to review and revoke.
354
00:18:16,740 --> 00:18:22,780
Research on digital identity governance also raises a point that makes many leaders uncomfortable.
355
00:18:22,780 --> 00:18:26,900
Quality design systems can actually deepen exclusion, especially when digital access becomes
356
00:18:26,900 --> 00:18:30,580
mandatory but the paths to appeal a decision stay weak.
357
00:18:30,580 --> 00:18:35,060
If you are an executive, governance is not just a security issue; it is an operating model
358
00:18:35,060 --> 00:18:36,060
issue.
359
00:18:36,060 --> 00:18:39,540
You have to know who gets included, who gets blocked and who is responsible for auditing
360
00:18:39,540 --> 00:18:40,540
the issuer.
361
00:18:40,540 --> 00:18:44,420
If those answers stay fuzzy, your architecture will eventually drift back towards central
362
00:18:44,420 --> 00:18:45,420
control.
363
00:18:45,420 --> 00:18:49,700
Operations teams will always choose the model they can actually defend when a crisis hits.
364
00:18:49,700 --> 00:18:53,780
This leads us directly to the rollout phase because governance only works when the operating
365
00:18:53,780 --> 00:18:56,300
model changes along with it.
366
00:18:56,300 --> 00:18:58,300
The operating blueprint for a phase move.
367
00:18:58,300 --> 00:19:01,780
Don't start with ideologies; start with one journey where identity friction or trust
368
00:19:01,780 --> 00:19:05,020
failure is already costing you money, time or control.
369
00:19:05,020 --> 00:19:08,740
Partner onboarding is a great candidate but customer registration drop off or the contractor
370
00:19:08,740 --> 00:19:10,420
lifecycle work just as well.
371
00:19:10,420 --> 00:19:14,220
You need to pick one path where the current model produces visible drag because that gives
372
00:19:14,220 --> 00:19:17,420
your program a business anchor instead of just a technology slogan.
373
00:19:17,420 --> 00:19:19,660
From there the first phase is consolidation.
374
00:19:19,660 --> 00:19:24,460
You need to bring external identity orchestration into one managed layer which means reducing
375
00:19:24,460 --> 00:19:29,180
duplicate directories and standardizing your federation patterns and policy evaluations.
376
00:19:29,180 --> 00:19:33,940
The goal is to create one single place where external access decisions can be seen, governed
377
00:19:33,940 --> 00:19:35,180
and improved.
378
00:19:35,180 --> 00:19:39,420
This phase isn't flashy but it matters because portable trust cannot sit on top of total
379
00:19:39,420 --> 00:19:40,860
directory chaos.
380
00:19:40,860 --> 00:19:44,620
After that focus on reducing friction in the journeys that matter most.
381
00:19:44,620 --> 00:19:49,140
This phase adds passkeys and stronger passwordless options where they fit and uses just-in-time migration
382
00:19:49,140 --> 00:19:53,220
for legacy credentials when you need to avoid a hard reset event.
383
00:19:53,220 --> 00:19:57,220
You want to clean up the first run experience and tighten success paths by removing steps
384
00:19:57,220 --> 00:20:00,540
that only exist because your old systems couldn't trust each other.
385
00:20:00,540 --> 00:20:03,140
This phase proves something to the business very quickly.
386
00:20:03,140 --> 00:20:05,340
Identity can get simpler without getting weaker.
387
00:20:05,340 --> 00:20:07,900
Then add portable proof where the value is obvious.
388
00:20:07,900 --> 00:20:12,100
Don't try to decentralize every interaction right away but instead start where a reusable
389
00:20:12,100 --> 00:20:14,060
proof removes repeat work.
390
00:20:14,060 --> 00:20:18,780
Your certification is a strong case as is vendor access in regulated environments or onboarding
391
00:20:18,780 --> 00:20:21,140
flows that require repeated document checks.
392
00:20:21,140 --> 00:20:25,180
In these specific cases, verifiable credentials stop being a strategy slide and start becoming
393
00:20:25,180 --> 00:20:26,940
a practical operating tool.
394
00:20:26,940 --> 00:20:30,540
The user carries the proof, the verifier checks it and the organization no longer needs
395
00:20:30,540 --> 00:20:33,500
to rebuild the same verification every single time.
396
00:20:33,500 --> 00:20:36,140
Once that works you can widen the governance model.
397
00:20:36,140 --> 00:20:40,540
Expand your access reviews, add expiration rules and define how you handle revocations.
398
00:20:40,540 --> 00:20:45,180
Hold your trust policies by scenario rather than just by user type and carefully review what
399
00:20:45,180 --> 00:20:49,020
proof must travel with the user versus what policy must remain central.
400
00:20:49,020 --> 00:20:50,420
Those are not the same thing.
401
00:20:50,420 --> 00:20:54,420
Proof can move but accountability usually shouldn't and that is the design split leaders
402
00:20:54,420 --> 00:20:55,700
need to protect.
403
00:20:55,700 --> 00:20:59,860
Keep one decision lens through the whole rollout: what proof needs to travel, what policy needs
404
00:20:59,860 --> 00:21:05,060
to stay central, what risk event should trigger a step up, what can be automated safely and
405
00:21:05,060 --> 00:21:07,180
what still needs a human decision.
406
00:21:07,180 --> 00:21:10,940
If your teams can't answer those questions they are not ready to scale the model yet.
407
00:21:10,940 --> 00:21:15,780
The practical move is simple: pick one external journey and map every identity step, count
408
00:21:15,780 --> 00:21:20,220
every duplicate proof request, every manual approval and every place trust gets rebuilt
409
00:21:20,220 --> 00:21:21,220
from zero.
410
00:21:21,220 --> 00:21:23,180
That is where the redesign starts.
411
00:21:23,180 --> 00:21:25,300
Identity doesn't begin where your app begins anymore.
412
00:21:25,300 --> 00:21:29,580
It begins where trust can be verified, carried forward and enforced under policy without
413
00:21:29,580 --> 00:21:31,700
rebuilding the whole journey each time.
414
00:21:31,700 --> 00:21:34,900
So pick one external flow this week, not ten, just one.
415
00:21:34,900 --> 00:21:38,620
Map every handoff, count every duplicate proof request and look at every manual approval
416
00:21:38,620 --> 00:21:42,580
where a user is asked to prove the same thing twice because your systems can't carry trust
417
00:21:42,580 --> 00:21:43,660
forward.
418
00:21:43,660 --> 00:21:45,420
That is the true cost of the old model.
419
00:21:45,420 --> 00:21:50,140
If this changed how you think about identity, subscribe to the M365FM podcast, connect
420
00:21:50,140 --> 00:21:54,620
with me, Mirko Peters, on LinkedIn and leave a review; it helps more leaders find this before
421
00:21:54,620 --> 00:21:55,860
they build another silo.

Founder of m365.fm, m365.show and m365con.net
Mirko Peters is a Microsoft 365 expert, content creator, and founder of m365.fm, a platform dedicated to sharing practical insights on modern workplace technologies. His work focuses on Microsoft 365 governance, security, collaboration, and real-world implementation strategies.
Through his podcast and written content, Mirko provides hands-on guidance for IT professionals, architects, and business leaders navigating the complexities of Microsoft 365. He is known for translating complex topics into clear, actionable advice, often highlighting common mistakes and overlooked risks in real-world environments.
With a strong emphasis on community contribution and knowledge sharing, Mirko is actively building a platform that connects experts, shares experiences, and helps organizations get the most out of their Microsoft 365 investments.