The Entra-nce to Tenant Maturity

by Megan DeWitt and Russell Harvey | Mar 10, 2025

Introduction

Everyone has been raving about some of the latest security features in Entra ID such as Privileged Identity Management (PIM) and Conditional Access Policies (CAP). Although implementing these features to their full extent is valuable to an organization, they take time to develop. They should not be pursued without developing the program behind the capabilities to drive the value, enforcement, and operations. To guide you toward accomplishing these objectives, we have developed a maturity strategy for identity and access management (IAM) in Entra ID. Our goal is for our clients and readers to achieve the “Modern” maturity level and aspire to be at the “Advanced” maturity level, which we will outline more specifically below.


Pillar and Maturity Overview

Our Maturity Matrix contains four maturity levels (rows): Foundational, Basic, Modern, and Advanced, aligned with five pillars (columns) that we believe have the largest impact on an organization’s identity defenses. The matrix outlines the expected implementations and controls within each pillar and provides a high-level roadmap depending on the maturity level your organization is currently at. As mentioned in the introduction, our target is for every enterprise, no matter the industry, size, or region, to meet or exceed the Modern maturity level. Refer to the table below for a quick summary of each pillar at each maturity level, and see the content that follows for additional information.

| Maturity | Security Defaults | Authorization | Authentication (Strengths) | Audit | Continuity |
|---|---|---|---|---|---|
| Advanced | Disabled | Same as Modern | Investment in phishing-resistant Multi-Factor Authentication (MFA) is prioritized, per the Executive Order on Strengthening and Promoting Innovation in Cybersecurity, and phishing-resistant MFA is the organizational standard, achieved through certificates, Windows Hello for Business, and/or FIDO2 security keys. Access to non-compliant devices, networks, and applications is blocked via Conditional Access Policies (CAP). | Role assignments are reviewed bi-annually with automated workflows found in the Entra Identity Governance and PIM modules. | Same as Modern |
| Modern | Disabled | Provisioning is captured in Entra ID. Personas created at the Foundational stage each have their own unique Conditional Access Policies (CAP). Privileged roles are assigned as eligible rather than active. | Passwordless Multi-Factor Authentication (MFA) solutions are enforced (e.g., Microsoft Authenticator apps, passkeys, and FIDO keys) in conjunction with Conditional Access Policies (CAP) based on geolocation, device status, and/or IP address. Applications unable to integrate with Entra ID Single Sign-On (SSO) are migrated to the Entra ID application proxy to enable secure access to on-premises web applications. | User and Group assignments are reviewed bi-annually with no or limited automation. Alert logic is in place to notify the organization when identities, external collaboration settings, or overly permissive roles are added or updated within the directory. | Same as the Foundational maturity level, but includes Conditional Access Policies (CAP) targeted at recovery-only accounts to verify device and location, require phishing-resistant Multi-Factor Authentication (MFA), and restrict access to sensitive applications. |
| Basic | Enabled | Provisioning is in Entra ID, and separate accounts are created for administrators to complete tasks outside of their daily user account. | Entra ID Single Sign-On (SSO) is enforced for all compatible applications. Applications not compatible with SSO should be included in the enterprise risk register for regular review and audit purposes. Additionally, Multi-Factor Authentication (MFA) through an authenticator app (e.g., Microsoft Authenticator) is required for all users. | User and Group assignments expire after a year, when an annual review is conducted to determine which roles should be renewed. | Same as Foundational |
| Foundational | Enabled | Personas are implemented at a business-function level (e.g., IT, Human Resources, and Highly Regulated). Role Based Access Control (RBAC) is scoped to IT infrastructure teams. | Basic multi-factor authentication (MFA) is implemented to access Microsoft 365 and the company’s Virtual Private Network (VPN). A subset of applications is integrated with Entra ID Single Sign-On (SSO). | Access reviews only exist for a subset of personas and RBAC permissions. | Five or fewer break-glass accounts exist for disaster recovery/business continuity (DRBC) purposes, exempt from standard Multi-Factor Authentication (MFA) requirements and enterprise-wide Conditional Access Policies (CAP). |

What is Required to Meet the Modern Maturity Level?

As mentioned in the Introduction, your organization should strive to achieve the Modern maturity level; items from the Advanced maturity level can be implemented once you have established yourself at the Modern level. So, what does it take to achieve this goal?

Authorization

  • Provisioning is entirely in Entra ID via Connect Sync with Pass-through Authentication and Password Hash Synchronization enabled. The personas identified at the Foundational stage each have their own unique CAPs in use to enforce requirements for workstation types (e.g., Windows, Mac, corporate-owned, Bring Your Own Device (BYOD)), MFA enrollment and types, permitted applications, etc. Just-in-Time (JIT) access is implemented through the Privileged Identity Management (PIM) module, which limits the need for permanently assigned roles throughout the organization. JIT activation includes user justification, management approval, and session time restrictions. For example, a user who needs permissions for an entire workday should be able to activate their roles for at least eight hours. By contrast, a highly privileged role like Global Administrator should be limited to an hour at most.
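The PIM settings described above (activation duration, justification, approval) live in the role management policy that Entra ID assigns to each directory role, and they can be read back through Microsoft Graph to verify they match the intended thresholds. The following Microsoft Graph PowerShell script is an added example and is not part of the original post or SRA's tooling: it pulls the policy rules for a role, compares the maximum activation duration against the limit you pass in, reports whether justification and approval are required, and counts permanent active assignments that should instead be eligible. The Global Administrator template ID is the fixed value used in every tenant; the second role ID is a placeholder to replace with the role you want to check. It assumes the Microsoft.Graph SDK is installed and the signed-in account is granted the listed scopes.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'RoleManagementPolicy.Read.Directory', 'RoleManagement.Read.Directory' -NoWelcome
$graph = 'https://graph.microsoft.com/v1.0'

function Test-PimActivationPolicy {
    param(
        [Parameter(Mandatory)] [string] $RoleDefinitionId,   # directory role template ID
        [Parameter(Mandatory)] [string] $RoleName,           # label for the report only
        [Parameter(Mandatory)] [int]    $MaxActivationHours  # post's guidance: 1 for Global Administrator, 8 for a workday role
    )

    # The role management policy bound to this role at tenant scope, with its rules expanded inline
    $uri = "$graph/policies/roleManagementPolicyAssignments" +
           "?`$filter=scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$RoleDefinitionId'" +
           "&`$expand=policy(`$expand=rules)"
    $assignment = (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value | Select-Object -First 1
    if (-not $assignment) { throw "No role management policy found for role $RoleDefinitionId" }

    # Index the rules by their fixed IDs so each setting can be looked up directly
    $rules = @{}
    foreach ($rule in $assignment.policy.rules) { $rules[$rule.id] = $rule }

    # Expiration_EndUser_Assignment: maximum activation duration as an ISO 8601 duration (e.g. PT8H)
    $maxDuration = [System.Xml.XmlConvert]::ToTimeSpan($rules['Expiration_EndUser_Assignment'].maximumDuration)
    # Enablement_EndUser_Assignment: what the activating user must supply (Justification, MultiFactorAuthentication, Ticketing)
    $enabledRules = @($rules['Enablement_EndUser_Assignment'].enabledRules)
    # Approval_EndUser_Assignment: whether an approver must sign off before the activation takes effect
    $approvalRequired = [bool]$rules['Approval_EndUser_Assignment'].setting.isApprovalRequired

    # Permanent active assignments bypass JIT entirely; count them so they can be converted to eligible
    $schedUri = "$graph/roleManagement/directory/roleAssignmentSchedules?`$filter=roleDefinitionId eq '$RoleDefinitionId'"
    $schedules = @((Invoke-MgGraphRequest -Method GET -Uri $schedUri -OutputType PSObject).value)
    $permanent = @($schedules | Where-Object {
        $_.assignmentType -eq 'Assigned' -and $_.scheduleInfo.expiration.type -eq 'noExpiration'
    })

    [pscustomobject]@{
        Role                   = $RoleName
        MaxActivation          = $maxDuration
        ActivationWithinLimit  = $maxDuration.TotalHours -le $MaxActivationHours
        JustificationRequired  = $enabledRules -contains 'Justification'
        MfaOnActivation        = $enabledRules -contains 'MultiFactorAuthentication'
        ApprovalRequired       = $approvalRequired
        PermanentActiveMembers = $permanent.Count
    }
}

# Global Administrator's template ID is the same in every tenant; the second ID is a placeholder to replace.
Test-PimActivationPolicy -RoleDefinitionId '62e90394-69f5-4237-9190-012177145e10' -RoleName 'Global Administrator' -MaxActivationHours 1
Test-PimActivationPolicy -RoleDefinitionId '<role-template-id>' -RoleName 'Workday role' -MaxActivationHours 8
```

Run it for each privileged role in scope and treat any row with ActivationWithinLimit false, JustificationRequired false, ApprovalRequired false, or PermanentActiveMembers above zero as a gap against the Modern bar.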

Authentication (Strengths)

  • Conditional Access Policies (CAP) restrict logins to passwordless solutions such as Microsoft Authenticator apps, passkeys, or FIDO keys. Additionally, controls prevent users from logging in from risky or restricted geolocations. Other requirements may exist, such as requiring users to be on the company VPN and/or to meet device compliance requirements. Applications listed in the risk register as incompatible with SSO are migrated to Entra ID using the application proxy, with Defender for Cloud capabilities used to monitor and/or block application access based on the user or group persona and their implemented CAPs.
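A CAP that restricts a persona to passwordless sign-in is expressed in Graph as a grant control that references an authentication strength rather than the generic "mfa" control. The script below is an added example, not code from the original post or from SRA: it creates one such policy for a persona group in report-only mode (so sign-in logs show the impact before anything is enforced) and then lists enabled policies that still grant on plain "mfa", which is the usual leftover when a tenant has not yet moved to strengths. The built-in authentication strength IDs are fixed in every tenant; the persona group ID and break-glass user IDs are placeholders you supply.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome
$graph = 'https://graph.microsoft.com/v1.0'

# Built-in authentication strength IDs (identical in every tenant)
$PasswordlessMfa      = '00000000-0000-0000-0000-000000000003'
$PhishingResistantMfa = '00000000-0000-0000-0000-000000000004'

function New-PersonaPasswordlessPolicy {
    param(
        [Parameter(Mandatory)] [string]   $PersonaName,          # e.g. 'HR' or 'HighlyRegulated'
        [Parameter(Mandatory)] [string]   $PersonaGroupId,       # security group holding the persona's members (placeholder)
        [Parameter(Mandatory)] [string[]] $BreakGlassUserIds,    # recovery-only accounts, always excluded (placeholders)
        [string] $AuthenticationStrengthId = $PasswordlessMfa    # raise to $PhishingResistantMfa for the Advanced bar
    )
    $body = @{
        displayName = "CA-$PersonaName-Require-Passwordless"
        # Report-only first: the policy is evaluated and logged but never blocks a sign-in
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeGroups = @($PersonaGroupId); excludeUsers = $BreakGlassUserIds }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{
            operator               = 'OR'
            authenticationStrength = @{ id = $AuthenticationStrengthId }
        }
    }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" `
        -Body (ConvertTo-Json -InputObject $body -Depth 10) -ContentType 'application/json' -OutputType PSObject
}

function Get-LegacyMfaPolicy {
    # Enabled policies that grant on the generic 'mfa' control with no authentication strength attached.
    # Those still accept SMS, voice and basic push, so they fall short of the passwordless requirement.
    $policies = (Invoke-MgGraphRequest -Method GET -Uri "$graph/identity/conditionalAccess/policies" -OutputType PSObject).value
    foreach ($policy in $policies) {
        if ($policy.state -ne 'enabled') { continue }
        $controls = @($policy.grantControls.builtInControls)
        if ($controls -contains 'mfa' -and -not $policy.grantControls.authenticationStrength) {
            [pscustomobject]@{ Policy = $policy.displayName; Id = $policy.id; Controls = ($controls -join ', ') }
        }
    }
}

# Usage (placeholder IDs): create the HR persona policy in report-only mode, then list policies still on plain MFA
New-PersonaPasswordlessPolicy -PersonaName 'HR' -PersonaGroupId '<persona-group-object-id>' `
    -BreakGlassUserIds @('<break-glass-1-object-id>', '<break-glass-2-object-id>')
Get-LegacyMfaPolicy
```

Once the report-only sign-in data shows no unexpected failures for the persona, flip the policy's state to enabled; the legacy-MFA list is what you work down as each persona policy goes live.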

Audit (Identity Governance)

  • Roles are reviewed on an annual basis, while privileged roles are reviewed on a biannual basis. A number of solutions can be used to accomplish this, such as the Access Reviews feature in the Identity Governance module, as well as the Privileged Identity Management service, both of which are designed to automate the process. For role provisioning, domain management, and external collaboration settings, an alert system is in place to identify potentially risky, non-compliant, and overly permissive role and directory configurations. A risky role configuration would include the assignment of Global Administrators, Privileged Role Administrators, or User Access Administrators, while a risky tenant configuration could involve trusting a third-party tenant, altering external collaboration settings, or adding guest users.
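The alerting described above can be driven from the directory audit log, which records every role assignment and guest invitation as a directoryAudit entry with the affected role's template ID in its modified properties. The script below is an added example and not part of the original post: it queries the last N hours of audit events for role additions (permanent and PIM-eligible) and external user invitations, and rates any assignment to Global Administrator or Privileged Role Administrator as High. Those two template IDs are fixed across tenants; other roles you consider risky can be added to the table, and the "User Access Administrator" entry is left as a placeholder because the post does not give its ID.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome
$graph = 'https://graph.microsoft.com/v1.0'

# Role template IDs treated as High severity when a member is added (fixed values in every tenant)
$RiskyRoles = @{
    '62e90394-69f5-4237-9190-012177145e10' = 'Global Administrator'
    'e8611ab8-c189-46e8-94e1-60213ab1f814' = 'Privileged Role Administrator'
    # '<template-id>' = 'User Access Administrator'   # placeholder: add the template ID your tenant uses
}

function Get-RiskyDirectoryChange {
    param([int] $LookbackHours = 24)

    $since = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours).ToString('yyyy-MM-ddTHH:mm:ssZ')
    # Activities that map to the post's risky role and tenant configuration changes
    $activities = @('Add member to role', 'Add eligible member to role', 'Invite external user')

    foreach ($activity in $activities) {
        $uri = "$graph/auditLogs/directoryAudits?`$filter=activityDateTime ge $since and activityDisplayName eq '$activity'"
        $events = @((Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value)

        foreach ($event in $events) {
            # For role events the role template ID is a JSON-encoded string in modifiedProperties, hence the Trim
            $templateId = ($event.targetResources.modifiedProperties |
                Where-Object displayName -eq 'Role.TemplateId' | Select-Object -First 1).newValue
            if ($templateId) { $templateId = $templateId.Trim('"') }

            $roleName = if ($templateId -and $RiskyRoles.ContainsKey($templateId)) { $RiskyRoles[$templateId] } else { $null }
            $severity = if ($roleName) { 'High' } else { 'Medium' }

            [pscustomobject]@{
                Time      = $event.activityDateTime
                Activity  = $activity
                Actor     = $event.initiatedBy.user.userPrincipalName
                Target    = ($event.targetResources | Select-Object -First 1).userPrincipalName
                RiskyRole = $roleName
                Severity  = $severity
                Result    = $event.result
            }
        }
    }
}

# Usage: review the last day and surface anything rated High first
Get-RiskyDirectoryChange -LookbackHours 24 | Sort-Object Severity, Time | Format-Table -AutoSize
```

Scheduled every few hours and wired to a ticket or chat channel, this gives you the "who changed what privileged role" notification the Modern level calls for; the same query is the starting point for a SIEM rule if audit logs are already being exported.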

Continuity

  • This requirement is standard across all maturity levels and should include fewer than five break-glass accounts that exist outside of the standard enterprise requirements for MFA and CAPs. However, the Modern maturity level adds a requirement to develop CAPs that enforce phishing-resistant MFA, device checks, and location verification for these accounts, and that restrict enrollment, login, and session activities for the recovery-only accounts, so they can still perform recovery functions while those guardrails remain in place.
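Two things tend to drift with break-glass accounts: a new enterprise-wide CAP gets created without excluding them, or the dedicated recovery-only policy quietly loses its phishing-resistant requirement. The script below is an added example, not code from the original post or SRA: given the object IDs of your break-glass accounts (placeholders here), it checks the count against the "fewer than five" rule, confirms every enabled policy that is not specifically targeted at them excludes all of them, and confirms at least one policy targeted only at them requires the built-in phishing-resistant authentication strength. It evaluates only explicit user includes and excludes; group-based targeting is not expanded, which is noted in the code.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
$graph = 'https://graph.microsoft.com/v1.0'
$PhishingResistantMfa = '00000000-0000-0000-0000-000000000004'   # built-in authentication strength ID

function Test-BreakGlassCoverage {
    param([Parameter(Mandatory)] [string[]] $BreakGlassUserIds)   # object IDs of the recovery-only accounts

    $findings = [System.Collections.Generic.List[string]]::new()

    if ($BreakGlassUserIds.Count -ge 5) {
        $findings.Add("Tenant has $($BreakGlassUserIds.Count) break-glass accounts; fewer than five is the requirement")
    }

    $policies = (Invoke-MgGraphRequest -Method GET -Uri "$graph/identity/conditionalAccess/policies" -OutputType PSObject).value |
        Where-Object state -eq 'enabled'

    $recoveryPolicies = @()
    foreach ($policy in $policies) {
        $include = @($policy.conditions.users.includeUsers)
        $exclude = @($policy.conditions.users.excludeUsers)

        # A policy whose explicit user includes are all break-glass accounts is a recovery-only policy
        $onlyBreakGlass = $include.Count -gt 0 -and -not ($include | Where-Object { $_ -notin $BreakGlassUserIds })
        if ($onlyBreakGlass) { $recoveryPolicies += $policy; continue }

        # Every other enabled policy must exclude all break-glass accounts.
        # Limitation: includeGroups/excludeGroups are not expanded, so group-scoped policies need a manual look.
        $missing = @($BreakGlassUserIds | Where-Object { $_ -notin $exclude })
        if ($missing.Count -gt 0) {
            $findings.Add("Policy '$($policy.displayName)' does not exclude break-glass account(s): $($missing -join ', ')")
        }
    }

    # The Modern level expects a recovery-only policy that requires phishing-resistant MFA
    $guarded = @($recoveryPolicies | Where-Object { $_.grantControls.authenticationStrength.id -eq $PhishingResistantMfa })
    if ($guarded.Count -eq 0) {
        $findings.Add('No enabled recovery-only policy requires the phishing-resistant MFA authentication strength')
    }

    [pscustomobject]@{
        RecoveryOnlyPolicies = @($recoveryPolicies.displayName)
        Findings             = $findings
        Compliant            = ($findings.Count -eq 0)
    }
}

# Usage with placeholder IDs; run after any CAP change so an unexcluded break-glass account is caught before it matters
Test-BreakGlassCoverage -BreakGlassUserIds @('<break-glass-1-object-id>', '<break-glass-2-object-id>')
```

A Compliant value of false with the findings listed is the signal to fix the policy before the next incident, since a break-glass account that is silently caught by an MFA policy is exactly the failure the continuity pillar exists to prevent.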


Why choose SRA?

With so many solutions available, we simplify the process by leveraging our partnership with Microsoft and our customized approach. We understand the complexities of organizations and recognize that every organization may follow a different deployment timeline or approach based on their resources and defined risk tolerance. Using our customized approach, we assess an organization’s current state, desired benchmarks, regulatory needs, risk tolerance, and resources to develop a realistic roadmap. Additionally, we ensure that all programs and processes developed during a deployment can be accurately documented, scalable, reproducible, and maintainable.

As always, please reach out to us with any questions!

Megan DeWitt
Sr. Consultant

Megan specializes in data engineering and analysis, cloud infrastructure management, program development, and process improvements. Megan has substantial experience in IT and Security Operations and brings with her an understanding of managing security controls in alignment with an organization’s objectives, risk tolerance, and compliance requirements.

Megan currently works within the SCALR XDR infrastructure team focusing on applying data engineering to maximize an organization’s ability to store security events, accelerate search and response, and reduce SIEM operating costs. Megan has extensive experience in the Healthcare and Accounts Receivable industries.

Megan holds the Microsoft Identity and Access Management Administrator and AWS Security Specialty certifications. Prior to joining SRA, Megan graduated with a Bachelor of Science degree in Computer Information Systems.

Russell Harvey
Consultant

Russell primarily works as a red operator on purple teams. He also plays a key role in facilitating research and innovation within the purple team program. Before his current role, Russell gained valuable experience at SRA in the CyberSOC, where he specialized in threat hunting, detection engineering, incident response, and served as a client lead.

Russell graduated from the Rochester Institute of Technology (RIT) in 2022 with a B.S. in Computing Security. His professional interests extend to reverse engineering, penetration testing, and operating system internals.