Identity & Access Management

Summary. Reduce account takeovers and keep access sane. We manage MFA and Conditional Access hygiene, privileged access, and break‑glass validation.

Who it's for. SMEs on Microsoft Entra ID/Azure AD that want MFA and Conditional Access consistently applied, with privileged access governed and emergency access tested.

Business Outcomes

Consistent MFA and CA coverage; fewer risky sign-ins
Privileged access under control, emergency access validated
Clear access exceptions process with monthly review

What’s Included

Scope	Description
Core Inclusions	MFA/CA policy management and variance monitoring Privileged access & break-glass account review Risky sign-in trend monitoring and reporting
Optional Add‑Ons	Just-In-Time admin (PIM) configuration and governance SSO app onboarding best practices Advanced risk detections (licensing add-ons, pass-through)

Onboarding & Steady‑State

Note: timelines depend on size and current tooling.

Phase	Activities	Deliverables	Indicative Duration
01 — Baseline	Assessment & policy inventory Gap analysis & plan	Baseline CA set + break-glass validation Privileged role inventory Variance report	0.5–1 week
02 — Stabilise	Variance reduction, exclusions review Privileged review	Steady MFA/CA coverage with reduced variance Exception register (owner + expiry)	1–2 weeks
03 — Operate	Monthly reporting App onboarding guidance	Monthly IAM KPIs (variance, risky sign-ins, exceptions) with decisions & next actions	Ongoing

Service Levels (Summary)

Plan	Coverage	Response / Restore	Governance
Bronze	Business hours (Mon–Fri 08:00–17:00 NZT, except Public Holidays)	P1: 2h / NBD • P2: 4h / 2BD	Monthly summary
Silver	Extended hours (Mon–Fri 07:00–19:00 NZT, except Public Holidays)	P1: 1h / Same day • P2: 2h / NBD	Weekly check‑in • Exceptions log
Gold	Business + after‑hours (24×7 P1 only)	P1: 30m / ASAP • P2: 1h / Same day	Exec summary • CAB-ready notes

For pricing, terms and conditions see the Pricing Annex.

Success Criteria (from our perspective)

MFA and Conditional Access applied consistently for the in-scope population with zero critical business disruption
Privileged access governed (break-glass validated, role assignments reviewed) with exceptions tracked and time-bound
Risky sign-ins reduced and policy variance trending down; MTTR within SLA for identity incidents

Prerequisites

Admin or delegated access for setup and policy verification
Tooling in place (or agreeable to deploy)
Maintenance windows agreed

Assumptions

Corporate-managed assets in scope unless otherwise agreed
Low-risk, scheduled maintenance with rollback plans
Customer approves standard change practices (CAB for Gold)

Risks & Mitigations

User lockout: staged rollout, one break-glass per tenant, CAB-approved rollback plan
Legacy protocols/apps: conditional exclusions with expiry; communicate upgrade paths
Alert noise: tune risky sign-in thresholds; route only actionable alerts to mailbox/ticket queue

Out of Scope

Major tooling migrations (separate project or pilot)
Custom scripting beyond standard patterns without a change request
Licensing costs for third-party tools (pass-through)

Get started

Book an Assessment Request Managed Service Request Custom Package Talk to us

Prefer to stabilise first? Run a short pilot to establish a clean baseline; then roll into this managed service.

Business Outcomes

What’s Included

Onboarding & Steady‑State

Service Levels (Summary)

Success Criteria (from our perspective)

Prerequisites

Assumptions

Risks & Mitigations

Out of Scope

Get started

Related Resources