Zero Trust was the goal, with no clear starting point. I led with identity and built a Conditional Access and privileged access model that cut standing risk.
Context
A growing firm had accumulated broad access rights and standing admin accounts. Leadership wanted Zero Trust but lacked a place to begin.
Challenge
Access decisions were implicit and inconsistent. Admin rights were permanent, Conditional Access was patchy, and no one could explain who could do what.
Scope
- Assess identity posture and standing access
- Design a Conditional Access framework
- Introduce just-in-time privileged access
- Establish access reviews and governance
Constraints
- A workforce resistant to friction
- Legacy applications with weak authentication
- No appetite for a big-bang rollout
Approach
- 01 Treated identity as the control plane and mapped real access needs
- 02 Rolled out a layered Conditional Access framework in stages
- 03 Replaced standing admin rights with PIM and just-in-time elevation
- 04 Introduced access reviews to keep permissions honest over time
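The layered, staged Conditional Access framework in steps 02 and 03 is easier to reason about as a small policy evaluator. The following is an added illustration, not the firm's actual policies or any vendor's engine: the policy names (CA001 to CA004), the sign-in fields, the role names and the sample sign-ins are all constructed. It shows how a baseline MFA policy, a stricter admin policy and a legacy-authentication block combine on one sign-in, and how a report-only policy lets you measure impact before enforcing it, which is how a rollout avoids the big-bang that users route around.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

# Constructed sign-in context: the signals a Conditional Access engine sees.
@dataclass(frozen=True)
class SignIn:
    user: str
    roles: FrozenSet[str]
    app: str
    client_app: str        # "browser", "mobile_desktop", or legacy: "other", "exchange_activesync"
    auth_method: str       # "password", "push", "fido2"
    device_compliant: bool

# Hypothetical policy shape: assignment (applies), then either block or grant controls.
@dataclass(frozen=True)
class Policy:
    name: str
    state: str                                 # "enabled" enforces, "reportOnly" only records
    applies: Callable[[SignIn], bool]
    block: bool = False
    require: FrozenSet[str] = frozenset()      # grant controls that must all be satisfied

ADMIN_ROLES = frozenset({"Global Administrator", "Exchange Administrator"})
LEGACY_CLIENTS = frozenset({"other", "exchange_activesync"})
PHISHING_RESISTANT = frozenset({"fido2"})

# Constructed layered framework: baseline for everyone, stricter layer for admins,
# a hard block for legacy auth, and one policy still in report-only while its impact is measured.
POLICIES: List[Policy] = [
    Policy("CA001 Block legacy authentication", "enabled",
           lambda s: s.client_app in LEGACY_CLIENTS, block=True),
    Policy("CA002 Require MFA for all users", "enabled",
           lambda s: True, require=frozenset({"mfa"})),
    Policy("CA003 Admins: phishing-resistant MFA on a compliant device", "enabled",
           lambda s: bool(s.roles & ADMIN_ROLES),
           require=frozenset({"phishing_resistant_mfa", "compliant_device"})),
    Policy("CA004 Require compliant device for all users", "reportOnly",
           lambda s: True, require=frozenset({"compliant_device"})),
]

def satisfied_controls(s: SignIn) -> FrozenSet[str]:
    """Which grant controls this sign-in already meets."""
    have = set()
    if s.auth_method != "password":
        have.add("mfa")
    if s.auth_method in PHISHING_RESISTANT:
        have.add("phishing_resistant_mfa")
    if s.device_compliant:
        have.add("compliant_device")
    return frozenset(have)

def evaluate(s: SignIn, policies: List[Policy] = POLICIES) -> Dict[str, object]:
    """Combine every matching policy: any block wins, otherwise all grant controls must hold."""
    enforced = [p for p in policies if p.state == "enabled" and p.applies(s)]
    report_only = [p for p in policies if p.state == "reportOnly" and p.applies(s)]
    have = satisfied_controls(s)
    if any(p.block for p in enforced):
        outcome = "blocked"
    else:
        needed = set().union(*(p.require for p in enforced))
        missing = sorted(needed - have)
        outcome = "allowed" if not missing else "denied: missing " + ", ".join(missing)
    # Report-only policies do not change the outcome; they record what would have failed.
    would_fail = [p.name for p in report_only if p.block or not p.require <= have]
    return {"user": s.user, "outcome": outcome,
            "enforced": [p.name for p in enforced], "report_only_failures": would_fail}

def report_only_impact(signins: List[SignIn], policies: List[Policy] = POLICIES) -> Dict[str, int]:
    """Count sign-ins each report-only policy would have failed: the staging signal before enabling it."""
    counts = {p.name: 0 for p in policies if p.state == "reportOnly"}
    for s in signins:
        for name in evaluate(s, policies)["report_only_failures"]:
            counts[name] += 1
    return counts

# Constructed sample sign-ins.
SAMPLE_SIGNINS = [
    SignIn("alice", frozenset(), "SharePoint", "browser", "push", False),
    SignIn("bob", frozenset({"Global Administrator"}), "Azure portal", "browser", "push", True),
    SignIn("bob", frozenset({"Global Administrator"}), "Azure portal", "browser", "fido2", True),
    SignIn("svc-scanner", frozenset(), "Exchange Online", "exchange_activesync", "password", False),
]

if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        print(evaluate(s))
    print(report_only_impact(SAMPLE_SIGNINS))
```

The staged rollout in the approach above corresponds to flipping a policy from `reportOnly` to `enabled` only once `report_only_impact` shows a tolerable failure count, and the legacy-application constraint shows up as the sign-ins that CA001 blocks: those are the accounts that need an exclusion with a remediation date, not a weaker baseline for everyone.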
Technologies
Outcome
- Standing administrative access reduced across the tenant
- Access decisions made explicit, auditable, and policy-driven
- A Zero Trust foundation the firm keeps building on
Lessons
Zero Trust starts at identity. Fixing standing access and Conditional Access first creates leverage for everything that follows.
What made it complex
Tightening access materially without the friction that makes users route around controls.