Identity and access foundations
The first question is not "what tools do we need?" The first question is "who has access to what, and do we actually know?"
In a mid-sized non-profit that has grown organically, the answer is usually uncomfortable. Shared accounts. Former employees with lingering access. An admin or two who are the only ones who know the passwords, stored in their heads, or in a spreadsheet, or on a sticky note that was definitely deleted. MFA rolled out for some people. Conditional Access policies that exist in draft form and have never been enforced.
The foundation work is unglamorous and takes longer than expected. It is also the most consequential thing you will do in the first six months.