Pharmaceutical Research and Manufacturers of America
The Pharmaceutical Research and Manufacturers of America (PhRMA) represents leading innovative biopharmaceutical researchers and biotechnology companies in the United States, which are devoted to discovering and developing medicines that enable patients to live longer, healthier, and more productive lives. PhRMA is committed to advancing public policies in the United States and around the world that support innovative medical research, provide access to medicines and programs, and support intellectual property and drug safety. Over 33 member organizations are currently part of PhRMA.
PhRMA hosts an external member website that allows members to log in and consume resources that are relevant to them. The original member site was built on SharePoint 2010, with users connecting to it by a forms-based authentication model through SQL database records. A CRM platform housing member information drives groups and roles which feed into SharePoint and provide the permissions for user access.
When PhRMA first contacted Extranet User Manager, they were in the process of migrating to Office 365 and SharePoint Online with plans to decommission their onsite servers. Connecting SharePoint Online sites with permissions driven by their CRM brought with it several challenges. PhRMA wanted to continue using their CRM as the ‘Website of Record’ for the various membership accounts. This SaaS hosted CRM solution maintains rich user profile information on the members and users that have access into the SharePoint extranet environment.
With potentially up to 30,000 external users, extending link sharing through Office 365 was not viable. Provisioning all of these users with SharePoint Online licenses would make for a very costly implementation.
The EUM Solution
The decision was made to facilitate Office 365 external sharing using Azure Active Directory B2B collaboration. For each paid Azure AD license that PhRMA assigns, up to 5 guest users can be invited under the external user allowance, which provides a significant cost saving. In addition, PhRMA extends the out-of-the-box (OOTB) login by leveraging Azure Premium P1 and P2 licensing for both their internal and external users. PhRMA has configured access policies at the role level for both internal and external users, which means some may need to go through Multi-Factor Authentication and/or have a Conditional Access policy applied to them. With SharePoint Online being the only collaboration space with these members, conditional access triggers Azure Multi-Factor Authentication for the users to progress through to the site.
PhRMA was looking for a solution that would make it easy for non-IT users to manage membership provisioning. They wanted to maintain all user updates in CRM without duplicating efforts to manage users in Azure and SharePoint Online. They also wanted to ensure that existing members would continue to benefit from a seamless single sign-on experience with little to no apparent change from what they were accustomed to when logging in. With over 30,000 registered users, the platform needed to be scalable enough to handle such a potentially high volume of use.
Extranet User Manager developed a custom API solution specifically for the PhRMA scenario. When users are added to CRM, the Administrator simply associates them with an EUM named field, which kicks off a workflow. The user is then automatically added to the appropriate EUM group and a welcome email is sent out to the user providing them with instructions to log in to the SharePoint member site. If their email address is recognized as internal to PhRMA, they are routed through an additional multi-factor authentication step. If the user’s email address is external, they are redirected to an Azure Multi-Factor Authentication process. If their organization email is already associated with a Microsoft account, then this is linked to their account. If not, then a new Azure account is automatically created for them. The sign-up process includes a second level of security by prompting users to provide a mobile number. A call or text is then sent to the user providing a verification code that must be entered before they can be authenticated to the site.
Once new users have signed up, their future logins are seamless. Entering the member site, EUM has already assigned them to their appropriate groups so users have access to all the resources that they are entitled to without waiting for an administrator to provision them.
For the initial rollout of the hosted solution, PhRMA took advantage of the EUM bulk upload feature. Using a CSV file, hundreds of users were quickly added to EUM and sent welcome onboarding emails, which were easily configured by administrators. A few simple instructions for end users have ensured a seamless sign-up process, and to date over 700 users have successfully logged in to the member site.
Next steps will include rolling the platform out to additional PhRMA offices and incorporating the self-registration feature for new end users. With the rapid development happening in Office 365, EUM will continue to be pivotal in helping PhRMA leverage functionality such as Office 365 Groups and collaboration tools like Teams for external users.