Identity & Conditional Access Jumpstart

Summary. Establish core identity hygiene and baseline Conditional Access (MFA, device state, risk) to harden sign‑ins with minimal user friction.

Who it's for. SMBs running Microsoft 365/Entra or Google Workspace that need quick wins against account takeover and risky sign‑ins.

Business Outcomes

MFA enforced for pilot cohort with break‑glass access.
Baseline CA policies (user risk, device compliance, location).
Sign‑in logs monitored; alerting for risky events configured.
User comms and help materials ready for wider rollout.

What’s Included

Scope	Description
Core Inclusions	Tenant review and MFA readiness; protect break‑glass accounts. Baseline CA policies for pilot users; test exclusions. Telemetry and alert flows; admin RBAC checks.
Optional Add‑Ons	Self‑service password reset and number matching. Risk‑based CA with step‑up when needed. Integration with SIEM and ticketing.

Timeline & Deliverables

Note: estimates may vary depending on the level, tier and tenant complexity.

Phase	Deliverables
01 — Discover	Extended Discovery (client‑signed), environment read‑in, inventory & stakeholders.
02 — Identify & Mitigate RDC/L	Initial RDC/L register; mitigations, dependencies & constraints agreed.
03 — Plan	Label model, success criteria, test plan, change & rollback plan, schedule.
04 — Implement	Visibility → draft policy; ring‑0 controls; HA & logging verified.
05 — Test	Execute UAT; fix exceptions; ring‑1/2 as per tier; evidence captured.
06 — Close‑out	Close‑out report, scale‑out proposal, next steps.

Service Levels (Summary)

Plan	Coverage	Response / Restore	Governance
Bronze	Business hours (Mon–Fri 08:30–17:30 NZT)	P1: 2h / NBD • P2: 4h / 2BD	Email support • Change log • Close‑out report
Silver	Extended hours (Mon–Fri 08:00–20:00 NZT)	P1: 1h / Same day • P2: 2h / NBD	Weekly check‑in (Std/Plus) • Findings register • Acceptance criteria
Gold	Business + after‑hours (24×7 P1 only)	P1: 30m / ASAP • P2: 1h / Same day	Executive summary • CAB‑ready rollback • Handover pack

Success criteria (from our perspective)

MFA enforced for pilot cohort with working break-glass account(s) verified.
Baseline Conditional Access (user risk, device compliance/location) applied with zero critical business disruption.
Risky sign-ins and policy hits observable in logs; alerts wired to the agreed mailbox/ticket queue.
Pilot close-out report accepted; rollout plan agreed.

Prerequisites

Global admin / security admin access to Entra ID (or equivalent IdP).
Pilot cohort (users/groups/devices) identified; maintenance window confirmed.
Mail/Ticket target for alerts; change approval for MFA/CA updates.

Assumptions

Pilot scope limited to a defined cohort; broad exceptions are temporary only.
Licensed features available for MFA/CA (per tenant licensing).
Network egress allows IdP endpoints and health telemetry.

Out of scope

Full identity lifecycle (HR-driven joiner/mover/leaver, IGA).
Third-party app SSO integrations beyond pilot target(s).
Company-wide policy hardening (pilot only).

Risks & mitigations (examples)

User lockout due to policy: use staged rollout + one break-glass per tenant; CAB-approved rollback plan.
Legacy clients failing MFA: conditional exclusions for legacy protocols; communicate upgrade paths.
Alert noise: tune thresholds; route only actionable events.

Next steps (after-pilot)

Scale MFA/CA to next ring(s) with staged groups and measured KPIs.
Enable SSPR/number matching; add risk-based step-up where valuable.
Consider managed service: Identity & Access Management (Managed).

Start the pilot

Start intake — Lite Start intake — Standard Start intake — Plus Extended Discovery

Early Adopter Program (limited): 10% off the pilot package for customers who start by 31-Dec-25. Not combinable with other offers. May be applied as a credit on close‑out.

For pricing, terms and conditions see the Pricing Annex .

Identity & Conditional Access Jumpstart

Business Outcomes

What’s Included

Timeline & Deliverables

Service Levels (Summary)

Success criteria (from our perspective)

Prerequisites

Assumptions

Out of scope

Risks & mitigations (examples)

Next steps (after-pilot)

Start the pilot

Happy with the outcome?

Related Resources