System Overview
Components
EasyLife 365 Identity consists of several components hosted on Azure.
App
The EasyLife 365 Identity App is a web application accessible through a web browser and directly within Teams. It authenticates through a dedicated Entra ID application on the Microsoft Identity Platform, so sign-in follows Microsoft's identity standards. The app provides an overview of the resources owned by a user, including the compliance requirements that apply to them. Users can also request new resources based on the templates defined by the administrators who configure EasyLife 365 Identity through the EasyLife 365 Admin Insiders.
Admin
The EasyLife 365 Admin Insiders is a web application hosting the configuration pages for EasyLife 365 Identity. It is accessible through a web browser and can be restricted to selected users within your organization. Typically, permissions for this app are assigned to a small subset of administrators via a security group. Authentication is managed by an Entra ID application on the Microsoft Identity Platform, allowing you to limit access and enforce additional authentication techniques using conditional access policies.
API
The EasyLife 365 API is accessed by the EasyLife 365 Identity App and the EasyLife 365 Admin Insiders to manage the necessary information stored in the back-end storage. This web app is secured through a dedicated Entra ID app using the Microsoft Identity Platform. The EasyLife 365 API uses Microsoft Graph to interact with the Microsoft 365 environment, with access to endpoints secured using custom security scopes associated with your EasyLife 365 Identity App and users.
Engine
The EasyLife 365 Identity Engine is an Azure Function responsible for provisioning new resources and performing regular compliance checks in your tenant. It also sends notifications to users and administrators via shared mailboxes and can send notifications through Teams or other applications using the Webhook feature.
Storage
The EasyLife 365 Identity configuration (e.g., templates, policies) is stored in Azure Table Storage. The storage account is accessible by the EasyLife 365 API and the EasyLife 365 Identity Engine.
Logging
Application Insights is used to log operations performed by EasyLife, maintaining 90 days of logs containing metadata of processed groups and emails of users receiving notifications.
Microsoft Graph
Microsoft Graph is used by EasyLife 365 components to interact with the Microsoft 365 tenant. It provides a unified programmability model to access data and intelligence in Microsoft 365, Windows 10, and Enterprise Mobility + Security.
Entra ID
The Microsoft Identity Platform is used in combination with Entra ID to secure access to all EasyLife 365 components. The EasyLife 365 Identity App, EasyLife 365 Admin Insiders, and EasyLife 365 API have dedicated Entra ID app registrations that can be secured using techniques such as Conditional Access.
Architecture and Data Flow
This section provides an overview of how EasyLife 365 components interact and how the environment is accessed.
All components are placed behind an Azure Virtual Network, and all external internet traffic to the EasyLife 365 Identity environment is routed through an Azure Front Door and Web Application Firewall for load balancing and security. Only a small set of principals can reach the environment directly: the EasyLife GitHub deployment pipeline and selected engineers connecting over a secured network for emergency purposes.
Incoming user traffic is routed through an Azure Front Door and Web Application Firewall, which protects the web applications and the environment against documented web vulnerabilities. All endpoints are secured using Entra ID applications with the Microsoft Identity Platform. Interactions between internal applications are secured with role-based access control and managed identities. Where managed identities cannot be used, security keys are stored in Azure Key Vaults that are accessible only to managed identities and selected security engineers at EasyLife.
The EasyLife 365 Identity App and EasyLife 365 Admin Insiders use Microsoft Graph with delegated identity permissions to perform activities on your Microsoft 365 tenant. This means users can only perform operations they are authorized to execute in your Microsoft 365 tenant.
Users can request new resources in the EasyLife 365 Identity App based on template configurations from the EasyLife 365 Admin Insiders. All CRUD operations on these configurations are processed through the EasyLife 365 API. The EasyLife 365 Identity App reads the configuration information, while the EasyLife 365 Admin Insiders allows you to create, update, and delete settings as needed.
The EasyLife 365 Identity Engine handles new resource requests from users, creating new resources with Microsoft Graph. All operations are executed in the context of the EasyLife 365 Identity App.
EasyLife 365 stores information in multiple storage locations and accounts to ensure resiliency and performance. Data partitioning is managed using the customer's TenantID, ensuring correct access to resources with security tokens from the Microsoft Identity Platform.
Endpoints
EasyLife 365 Identity Applications communicate with the following endpoints. Ensure your firewalls and content filters allow access to these URLs. EasyLife 365 communicates exclusively over https (TCP/443).
| Endpoint | Protocol | Comment |
|---|---|---|
| https://onboarding.insiders.easylife365.cloud | https | The EasyLife 365 Onboarding |
| https://app.insiders.easylife365.cloud | https | The EasyLife 365 Identity App |
| https://admin.insiders.easylife365.cloud/collab | https | The EasyLife Admin portal |
| https://api.insiders.easylife365.cloud | https | The EasyLife API |
| https://cdn.insiders.easylife365.cloud | https | Content delivery |
| login.microsoftonline.com | https | Entra ID Authentication |
| graph.microsoft.com | https | Microsoft Graph API |
| dc.services.visualstudio.com | https | Anonymous telemetry data |
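The following script is an added example, not part of the EasyLife 365 documentation or product. It takes the endpoint list from the table above, reduces each entry to the hostname a firewall rule matches on, and audits a constructed sample egress policy against it: hosts that no rule allows on TCP/443 are reported as missing, and rules that open other ports toward these hosts are flagged, since the product only ever uses https. The policy format (`host` pattern with a leading wildcard, `port`) is an assumption for the example; adapt it to whatever your firewall or proxy exports.

```python
"""Audit an egress allow-list against the endpoints EasyLife 365 Identity requires.

Added example; the endpoint list is copied from the documentation table, the
firewall policy below is a constructed sample, and the rule format is assumed.
"""
from fnmatch import fnmatch
from urllib.parse import urlparse

# Endpoint column of the table above (URLs and bare hostnames as printed).
REQUIRED_ENDPOINTS = [
    "https://onboarding.insiders.easylife365.cloud",
    "https://app.insiders.easylife365.cloud",
    "https://admin.insiders.easylife365.cloud/collab",
    "https://api.insiders.easylife365.cloud",
    "https://cdn.insiders.easylife365.cloud",
    "login.microsoftonline.com",
    "graph.microsoft.com",
    "dc.services.visualstudio.com",
]


def hostname_of(endpoint: str) -> str:
    """Reduce a URL or bare hostname to the lowercase host a firewall rule matches on."""
    if "://" not in endpoint:
        endpoint = "https://" + endpoint  # bare hostnames in the table are https too
    host = urlparse(endpoint).hostname
    if not host:
        raise ValueError(f"cannot extract a host from {endpoint!r}")
    return host.lower()


def required_hosts() -> list[str]:
    """Deduplicated hostnames, in table order."""
    hosts: list[str] = []
    for endpoint in REQUIRED_ENDPOINTS:
        host = hostname_of(endpoint)
        if host not in hosts:
            hosts.append(host)
    return hosts


def audit_policy(rules: list[dict]) -> dict:
    """Compare firewall allow rules against the required hosts.

    Each rule is {"host": pattern, "port": int}; the pattern may use a leading
    wildcard such as "*.insiders.easylife365.cloud" (fnmatch semantics).
    Returns the hosts no rule allows on TCP/443 and the rules that open other
    ports toward any required host (excess exposure; EasyLife 365 is https-only).
    """
    hosts = required_hosts()
    missing = [
        host for host in hosts
        if not any(rule["port"] == 443 and fnmatch(host, rule["host"].lower()) for rule in rules)
    ]
    excess_ports = [
        rule for rule in rules
        if rule["port"] != 443 and any(fnmatch(host, rule["host"].lower()) for host in hosts)
    ]
    return {"missing": missing, "excess_ports": excess_ports}


# Constructed sample policy: wildcard covers the EasyLife hosts, the Graph rule uses
# the wrong port (plain http), and the telemetry host is not allowed at all.
SAMPLE_POLICY = [
    {"host": "*.insiders.easylife365.cloud", "port": 443},
    {"host": "login.microsoftonline.com", "port": 443},
    {"host": "graph.microsoft.com", "port": 80},
]

if __name__ == "__main__":
    result = audit_policy(SAMPLE_POLICY)
    print("missing on TCP/443:", result["missing"])
    print("rules on non-https ports:", result["excess_ports"])
```

Running the block against the sample policy reports `graph.microsoft.com` and `dc.services.visualstudio.com` as missing and flags the port-80 Graph rule. Note that a wildcard such as `*.insiders.easylife365.cloud` also matches deeper subdomains, which is usually what you want for a CDN-fronted product but worth confirming against your own naming.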
Required Permissions
EasyLife 365 Identity uses the Microsoft Identity Platform to manage authentication and authorization against your Microsoft 365 tenant. It uses Microsoft Graph and the SharePoint REST API to access your resources. Operations are performed in the context of a user or administrator through the Entra ID applications registered for the EasyLife 365 Admin Insiders and the EasyLife 365 Identity App.
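The Architecture and Data Flow section states that the Identity App and Admin Insiders call Microsoft Graph with delegated permissions, so a user can only do what they are already authorized to do in the tenant. A quick way for a reviewer to confirm that an access token really reflects that model is to inspect its claims: delegated permissions appear in the space-separated `scp` claim together with a user identity (`upn`/`oid`), while app-only tokens carry a `roles` array and no user. The script below is an added example, not EasyLife 365 code; it decodes claims for inspection only and does not validate the signature, so it must never be used to make authorization decisions. The two sample tokens are constructed with a placeholder signature, and the permission names in them are illustrative.

```python
"""Inspect a Microsoft Identity Platform access token for its permission model.

Added example, not EasyLife 365 code. Decodes claims without verifying the
signature, so it is for review only. Sample tokens below are constructed.
"""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)  # restore the padding JWTs strip
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. No signature check is performed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def classify_permissions(token: str) -> dict:
    """Summarise whether the token carries delegated (scp) or application (roles) permissions."""
    claims = decode_claims(token)
    scopes = claims.get("scp", "").split()
    roles = list(claims.get("roles", []))
    if scopes and not roles:
        model = "delegated"
    elif roles and not scopes:
        model = "application"
    elif scopes and roles:
        model = "mixed"
    else:
        model = "none"
    return {
        "model": model,
        "scopes": scopes,
        "roles": roles,
        "audience": claims.get("aud"),
        # A delegated token identifies the signed-in user; an app-only token does not.
        "user": claims.get("upn") or claims.get("oid"),
    }


def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a placeholder signature (never valid)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed samples: a delegated token for a user, and an app-only token.
SAMPLE_DELEGATED = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "scp": "Group.ReadWrite.All User.Read",
    "upn": "alice@contoso.example",
    "oid": "00000000-0000-0000-0000-000000000001",
})
SAMPLE_APP_ONLY = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["Group.ReadWrite.All"],
    "idtyp": "app",
})

if __name__ == "__main__":
    for name, token in (("delegated", SAMPLE_DELEGATED), ("app-only", SAMPLE_APP_ONLY)):
        print(name, classify_permissions(token))
```

When reviewing a real token captured from your own tenant (for example from a browser session's network trace), the thing to check is that the token presented to Graph on behalf of a user carries `scp` and a user identity; if `roles` shows up instead, the call is running with application permissions that are not bounded by the user's own rights.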