Owner: IAM Engineering · Platform: Microsoft Entra ID · Review Cycle: Quarterly
Identity and Access Management (IAM) is the foundation of the Zero Trust security model. The organisation uses Microsoft Entra ID (formerly Azure Active Directory) as the authoritative identity provider for all corporate resources, supplemented by CyberArk for privileged access management (PAM) and Cisco ISE for network access control.
| Component | Product | Purpose |
|---|---|---|
| Cloud Identity Provider | Microsoft Entra ID P2 | SSO, MFA, Conditional Access, SSPR |
| Privileged Access Management | CyberArk PAM | Vaulted admin credentials, session recording |
| Privileged Identity Management | Entra ID PIM | JIT elevation for M365 / Azure roles |
| Network Access Control | Cisco ISE | 802.1X, VPN authentication, BYOD posture |
| Identity Governance | Entra ID Governance | Access reviews, entitlement management |
| Secrets Management | Azure Key Vault / AWS Secrets Manager | Non-human identity, API keys, certs |
| Certificate Authority | Microsoft ADCS + Entra CA | Device and user certificates |
MFA is mandatory for all users. Exceptions require CISO sign-off and compensating controls.
| MFA Method | Approved? | Priority |
|---|---|---|
| Passkeys (FIDO2 — hardware key) | ✅ Preferred | Highest |
| Microsoft Authenticator (number matching) | ✅ Approved | Standard |
| Certificate-based Auth (device cert) | ✅ Approved | Machine accounts |
| OATH TOTP (authenticator app) | ✅ Approved | Fallback only |
| SMS OTP | ❌ Prohibited | Phishing risk |
| Voice call OTP | ❌ Prohibited | Phishing risk |
Phishing-resistant MFA (FIDO2 / CBA) is required for:
Following NIST SP 800-63B guidance:
| Setting | Value |
|---|---|
| Minimum length | 14 characters |
| Complexity requirements | Passphrases encouraged — complexity not enforced |
| Maximum password age | None (rely on breach detection) |
| Blocked passwords | Custom banned password list in Entra ID |
| Password spray detection | Entra ID Protection — auto-block |
| Leaked credential detection | Entra ID Protection — user risk policy |
Conditional Access (CA) is the primary enforcement point for identity-based access control. All CA policies are version-controlled in Git (security/conditional-access).
| Policy Name | Signal | Conditions | Action |
|---|---|---|---|
| CA-001-MFA-AllUsers | All sign-ins | All users, all apps | Require MFA |
| CA-002-CompliantDevice-CorpApps | Device compliance | Corporate apps | Require Intune compliant device |
| CA-003-PIM-PhishResist | Role activation | PIM eligible roles | Require phishing-resistant MFA |
| CA-004-BlockLegacyAuth | Auth protocol | All apps | Block legacy auth protocols |
| CA-005-HighRisk-SignIn | Sign-in risk | Risk: High | Block + require MFA re-auth |
| CA-006-HighRisk-User | User risk | Risk: High | Require password change |
| CA-007-BYOD-MAM | Device state | Unmanaged devices | MAM-only, no device enrolment |
| CA-008-GeoBlock-Restricted | Location | Blocked countries | Block access |
| CA-009-Admin-PrivilegedWS | User type | Privileged admin accounts | Require compliant PAW only |
All privileged accounts (server admins, network admins, database admins, cloud admins) must use CyberArk for credential access. Direct use of admin credentials stored in personal password managers is prohibited.
```
Engineer requests access (CyberArk Web Portal)
        │
        │ (Approval required for break-glass accounts)
        ▼
CyberArk vaults credential / generates ephemeral password
        │
        ▼
Engineer connects via CyberArk PSM (session proxy)
        │
        │ Session recorded + keystroke logged
        ▼
Target system (no direct credential handed to engineer)
```
| Account Type | Storage | Rotation | Session Recording |
|---|---|---|---|
| Windows Local Admin | CyberArk | 30 days | PSM |
| Linux Root / SUDO | CyberArk | 30 days | PSM |
| Network Device Admin | CyberArk | 30 days | PSM |
| Database DBA | CyberArk | 30 days | PSM |
| Cloud Console (break-glass) | CyberArk | On use | PSM |
| Service Accounts | CyberArk CPM | 90 days | No (API) |
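The rotation column is only useful if it is verified. The following added example (not CyberArk's code or this standard's own tooling) takes an export of vaulted accounts and flags any outside its window, treating "On use" as "must have been rotated after the most recent checkout". The CSV columns and all rows are constructed.

```python
"""Rotation-window check for vaulted privileged accounts (added example)."""
import csv
import io
from datetime import date

# Maximum credential age in days per account type, from the PAM table.
# None means "rotate on use": a checkout must be followed by a rotation.
ROTATION_DAYS = {
    "Windows Local Admin": 30,
    "Linux Root / SUDO": 30,
    "Network Device Admin": 30,
    "Database DBA": 30,
    "Cloud Console (break-glass)": None,
    "Service Accounts": 90,
}

# Constructed vault export; column names are an assumption.
SAMPLE_EXPORT = """account_type,account_name,last_rotated,last_checkout
Windows Local Admin,SRV-FS01\\Administrator,2024-05-01,2024-05-20
Linux Root / SUDO,root@db-proxy-02,2024-03-15,2024-05-21
Cloud Console (break-glass),breakglass-azure-01,2024-04-10,2024-05-18
Cloud Console (break-glass),breakglass-aws-01,2024-05-18,2024-05-18
Service Accounts,svc-backup,2024-01-20,
"""


def parse_export(text):
    """Parse the CSV export into rows with real date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "type": row["account_type"],
            "name": row["account_name"],
            "last_rotated": date.fromisoformat(row["last_rotated"]),
            "last_checkout": (date.fromisoformat(row["last_checkout"])
                              if row["last_checkout"] else None),
        })
    return rows


def overdue_accounts(rows, today):
    """Return (account_name, reason) for every account outside its rotation window."""
    findings = []
    for r in rows:
        if r["type"] not in ROTATION_DAYS:
            findings.append((r["name"], "unknown account type; no rotation policy"))
            continue
        window = ROTATION_DAYS[r["type"]]
        if window is None:
            # Break-glass: a checkout after the last rotation means the password
            # is still live in someone's hands.
            if r["last_checkout"] and r["last_checkout"] > r["last_rotated"]:
                findings.append((r["name"], "checked out after last rotation"))
            continue
        age = (today - r["last_rotated"]).days
        if age > window:
            findings.append((r["name"], f"rotated {age} days ago; limit {window}"))
    return findings


def run_check(export_text, today_iso):
    """Convenience wrapper: parse the export and evaluate it as of today_iso."""
    return overdue_accounts(parse_export(export_text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for name, reason in run_check(SAMPLE_EXPORT, "2024-05-22"):
        print(f"OVERDUE {name}: {reason}")
```

Note that `breakglass-aws-01`, rotated on the same day it was checked out, passes, while `breakglass-azure-01` does not; the comparison is strictly "checkout later than rotation", so a rotation that completed after the checkout on the same day is accepted.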
All Tier 0 and Tier 1 administration must be performed from a Privileged Access Workstation. PAWs are:
Quarterly access reviews are conducted via Entra ID Governance:
| Scope | Reviewer | Frequency |
|---|---|---|
| All privileged roles (Entra, Azure) | Role owner + CISO | Quarterly |
| Application role assignments | Application owner | Quarterly |
| Guest/external accounts | Sponsoring employee | Monthly |
| Group memberships (security groups) | Group owner | Semi-annual |
Accounts not reviewed within the review window are automatically revoked.
| Event | Action | SLA |
|---|---|---|
| Joiner | Account created, groups assigned via Entra provisioning | Day 1 |
| Mover (internal transfer) | Access review triggered, new role access provisioned | 5 days |
| Leaver | Account disabled, sessions revoked, CyberArk access removed | Same day |
| Contractor end | Account disabled on contract end date | Automatic |
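The leaver and contractor rows carry the tightest SLAs, so they are the ones worth reconciling independently of the provisioning connector. The following added example (not the organisation's tooling) joins an HR feed to a directory export and flags accounts that should already be disabled, plus leavers whose CyberArk access survived and directory accounts with no HR record at all. Both data sets and their field names are constructed assumptions.

```python
"""Leaver-control reconciliation between the HR feed and the directory (added example)."""
from datetime import date

# Constructed HR feed: one record per worker; end_date None = still active.
HR_FEED = [
    {"upn": "a.lee@corp.example", "worker_type": "employee", "end_date": "2024-05-20"},
    {"upn": "b.ng@corp.example", "worker_type": "employee", "end_date": None},
    {"upn": "c.ruiz@ext.corp.example", "worker_type": "contractor", "end_date": "2024-05-21"},
    {"upn": "d.cho@ext.corp.example", "worker_type": "contractor", "end_date": "2024-06-30"},
]

# Constructed directory export: Entra ID accountEnabled plus a CyberArk
# safe-membership flag pulled from the vault (assumed field name).
DIRECTORY = [
    {"upn": "a.lee@corp.example", "accountEnabled": False, "cyberark_access": True},
    {"upn": "b.ng@corp.example", "accountEnabled": True, "cyberark_access": False},
    {"upn": "c.ruiz@ext.corp.example", "accountEnabled": True, "cyberark_access": False},
    {"upn": "d.cho@ext.corp.example", "accountEnabled": True, "cyberark_access": True},
    {"upn": "orphan@corp.example", "accountEnabled": True, "cyberark_access": False},
]


def leaver_violations(hr_feed, directory, today_iso):
    """Return (upn, reason) for every account that breaches the leaver/contractor rows."""
    today = date.fromisoformat(today_iso)
    hr = {w["upn"].lower(): w for w in hr_feed}
    findings = []
    for acct in directory:
        upn = acct["upn"].lower()
        worker = hr.get(upn)
        if worker is None:
            # No HR record means JML cannot govern this account; it needs an owner.
            findings.append((upn, "no matching HR record"))
            continue
        end = date.fromisoformat(worker["end_date"]) if worker["end_date"] else None
        if end is None or end > today:
            continue  # still employed, or contract still running
        # Leaver SLA is same day; contractor accounts disable on the end date itself.
        if acct["accountEnabled"]:
            findings.append((upn, f"{worker['worker_type']} ended {end.isoformat()} "
                                  "but account is still enabled"))
        if acct["cyberark_access"]:
            findings.append((upn, "CyberArk access not removed after leaving"))
    return findings


if __name__ == "__main__":
    for upn, reason in leaver_violations(HR_FEED, DIRECTORY, "2024-05-21"):
        print(f"VIOLATION {upn}: {reason}")
```

Run daily, the reconciliation catches the two cases a connector tends to miss: a disabled account whose vault access was never cleaned up, and an account that exists in the directory without any HR owner to trigger a leaver event.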
Service accounts, API keys, and application identities are subject to the same governance as human identities.
- https://entra.microsoft.com
- https://cyberark.internal