
Identity and Access Management

Identity is the new security perimeter. Who can access what, under what conditions, and what happened while they were there? These are the questions that modern security depends on.

Identity and access management (IAM) is often introduced through its most visible features such as single sign-on that simplifies how users log in, multi-factor authentication that adds a verification step, automated account provisioning that speeds up onboarding. These are useful. They are not the whole picture.

Behind those features sits a discipline that is broader and more consequential: the set of practices, processes, and controls that govern how digital identities are created and managed, how access to systems and data is authorised and reviewed, and how the activities of users (including privileged users) are recorded and auditable. When this discipline is well managed, identity is a foundation of security and operational efficiency. When it is not, it is one of the most exploited attack surfaces in the modern threat landscape.

Microsolve manages identity and access across Entra ID, OneLogin, and AWS IAM as a structured, ongoing service, not a one-time configuration.

Why Identity Has Replaced the Network Perimeter

When everyone worked from a fixed office on company hardware connected to a single network, the firewall was a meaningful security boundary. Access from inside the perimeter was trusted. Access from outside was blocked.

That model is no longer adequate. Users access business systems from home, from personal devices, from remote offices, from cloud applications, and from locations the organisation never sees. The perimeter has dissolved and identity has taken its place. In a distributed, cloud-connected environment, the question is no longer "is this traffic inside the network?" It is "is this identity who they say they are, should they have this access, and are their actions consistent with expected behaviour?"

When an identity is compromised through phishing, credential stuffing, a reused password, or a poorly managed account, an attacker does not need to defeat a firewall. They simply log in. The organisations that manage identity well are dramatically harder to compromise and far faster at detecting anomalous activity when something does occur.

Identity is now the primary attack vector in the majority of cyber incidents. An attacker with a valid set of credentials does not need sophisticated techniques; they simply use the front door. Managing identity well is not optional. It is the foundation of everything else.


The Three Pillars of Identity Management

SSO and MFA are the most visible elements of identity management. They are also the entry point, not the destination. A well-managed identity environment is built on three interconnected disciplines that are commonly referred to as Authentication, Authorisation, and Accounting (AAA), each of which has its own depth and its own security implications.

Authentication

Authentication is the process of confirming that a user is who they claim to be. At its most basic, this is a username and password. At its most resilient, it is a combination of something the user knows, something they have, and something they are, enforced through policies that adapt based on risk context.

Microsolve implements and manages authentication controls across the environment:

  • Multi-Factor Authentication (MFA): enforced across all accounts, with phishing-resistant options (such as FIDO2 hardware keys or authenticator apps) for privileged and high-risk roles
  • Conditional Access: policies that evaluate the context of each sign-in attempt (device health, location, user risk level, application sensitivity) and grant, challenge, or block access accordingly
  • Single Sign-On: centralised authentication that reduces the number of credentials users manage and ensures every application access event flows through a governed identity layer
  • Passwordless Authentication: where appropriate, reducing reliance on passwords entirely using Microsoft Entra ID or OneLogin authenticator capabilities
  • Legacy Authentication Blocking: older authentication protocols that do not support MFA are identified and blocked, removing a commonly exploited attack pathway

Authorisation

Authorisation is the set of decisions about what an authenticated user is permitted to do. It is separate from authentication, and often more complex. A user who has successfully verified their identity may still need to be limited in what they can reach by role, by system, by data sensitivity, by time of day, or by device type.

Poor authorisation is one of the most common contributors to both security incidents and operational risk. Permissions that were broadly granted and never reviewed. Access that was inherited from a previous role and never updated. Administrative rights held by users who do not need them. A former employee whose account was not deprovisioned before they left.

Microsolve manages authorisation controls through:

  • Role-Based Access Control (RBAC): access rights assigned to roles rather than individuals, so that changes to job function automatically update access scope
  • Least Privilege Access: users hold only the minimum access required for their current role, reviewed regularly and adjusted as roles change
  • Privileged Access Management (PAM): administrative and privileged accounts managed with additional controls: just-in-time access, separate credentials, session monitoring
  • User Lifecycle Management: structured onboarding, role-change, and offboarding processes that ensure access is granted promptly when needed and revoked completely when it is not
  • Third-Party and Contractor Access: time-limited, scoped access for external parties, with automated expiry and review workflows
  • Application and Service Account Management: non-human identities (applications, automation accounts, service principals) managed with the same rigour as human accounts

Accounting

Accounting in this context is the recording and auditing of identity-related activity. It is the layer of IAM that is most often underdeveloped and most urgently needed when something goes wrong.

When a security incident occurs, or when a compliance obligation requires demonstration of access controls, the ability to answer "who accessed what, when, from where, and what did they do?" is not optional. Audit logs that were never configured, retained for too short a period, or stored in systems that themselves were compromised provide no value when they are needed most.

Microsolve manages identity audit and accountability through:

  • Centralised Audit Logging: all identity and access events captured in a consolidated, tamper-evident log
  • Sign-In and Access Reporting: regular reports on authentication activity, risky sign-ins, access patterns, and anomalies
  • Privileged Activity Monitoring: administrative actions logged and reviewed; alerts on changes to high-risk settings or permissions
  • Access Review Cycles: scheduled reviews of user access rights, ensuring permissions remain appropriate and removing access that is no longer needed
  • Retention Management: audit logs retained for appropriate periods and available for investigation, compliance review, or incident response
  • Anomaly Detection: unusual access patterns, impossible travel events, and high-risk sign-in alerts investigated as part of the managed service
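The impossible-travel check named in the list above is one of the simplest anomaly detections to reason about: two successful sign-ins by the same user from locations that could not be reached in the time between them. The following is an added illustration, not Microsolve's tooling; the sign-in records, cities, coordinates and the 900 km/h plausibility threshold are all constructed assumptions.

```python
"""Impossible-travel detection over constructed sign-in records (added example)."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumption: anything faster than airline travel is flagged

# Constructed sample events in an Entra-style sign-in log shape (not real data).
SAMPLE_SIGNINS = [
    {"user": "alice", "time": "2024-05-01T08:00:00", "city": "Sydney", "lat": -33.87, "lon": 151.21, "result": "success"},
    {"user": "alice", "time": "2024-05-01T08:45:00", "city": "Frankfurt", "lat": 50.11, "lon": 8.68, "result": "success"},
    {"user": "bob", "time": "2024-05-01T09:00:00", "city": "Melbourne", "lat": -37.81, "lon": 144.96, "result": "success"},
    {"user": "bob", "time": "2024-05-01T11:00:00", "city": "Sydney", "lat": -33.87, "lon": 151.21, "result": "success"},
    {"user": "carol", "time": "2024-05-01T10:00:00", "city": "Perth", "lat": -31.95, "lon": 115.86, "result": "failure"},
    {"user": "carol", "time": "2024-05-01T10:05:00", "city": "Lagos", "lat": 6.52, "lon": 3.38, "result": "success"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points on the Earth."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, implied_kmh) for each pair of consecutive
    successful sign-ins that would require an implausible travel speed.

    Failed sign-ins are ignored: a failed attempt from far away is a different
    signal (credential guessing), not evidence the account was actually used there.
    """
    by_user = {}
    for e in sorted(events, key=lambda e: (e["user"], e["time"])):
        if e["result"] == "success":
            by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            t0 = datetime.fromisoformat(prev["time"])
            t1 = datetime.fromisoformat(cur["time"])
            hours = (t1 - t0).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours if hours > 0 else float("inf")  # same-second sign-ins count as infinite speed
            if speed > max_kmh:
                alerts.append((user, prev["city"], cur["city"], round(speed)))
    return alerts


if __name__ == "__main__":
    for user, src, dst, kmh in find_impossible_travel(SAMPLE_SIGNINS):
        print(f"impossible travel: {user} {src} -> {dst} implies {kmh} km/h")
```

In a managed service the same logic runs against the tenant's exported sign-in logs, and a hit is triaged alongside the other risky sign-in signals rather than acted on in isolation.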

The Platforms Microsolve Manages

Identity management does not happen in a single platform. Most organisations have identity spread across multiple systems such as a Microsoft 365 tenant, cloud-hosted applications, AWS workloads, and third-party SaaS tools. Microsolve manages identity across the platforms that matter most for the Australian mid-market.

Microsoft Entra ID

Entra ID (formerly Azure Active Directory) is the identity foundation for organisations using Microsoft 365, Azure, and the broader Microsoft ecosystem. It provides cloud-native identity management, Conditional Access policies, MFA enforcement, privileged identity management, and integration with thousands of SaaS applications through the Azure AD application gallery.

For organisations heavily invested in Microsoft, Entra ID is typically the primary identity platform and the depth of its configuration directly determines the security posture of the Microsoft 365 environment. Many organisations have Entra ID in place but have never configured it beyond the basics. Microsolve assesses the current configuration, identifies gaps, and implements and manages the controls that make Entra ID a genuine security asset rather than an underutilised directory service.

OneLogin

OneLogin is a cloud-native identity and access management platform suited to organisations that need a user-friendly, multi-application SSO and MFA layer, particularly where the application portfolio extends well beyond the Microsoft ecosystem or where users are operating across multiple cloud-based tools.

OneLogin's strengths include its application catalogue, its user-friendly interface for both administrators and end users, and its automated provisioning capabilities for a wide range of SaaS applications. Microsolve implements and manages OneLogin as a standalone identity platform or as a complement to Entra ID, depending on the organisation's application landscape and existing infrastructure.

AWS IAM

For organisations with workloads running in AWS, AWS Identity and Access Management (IAM) controls access to AWS resources by defining who can perform which actions on which resources within the AWS environment. AWS IAM is a powerful but complex service, and misconfiguration is one of the most common sources of cloud security risk.

Microsolve manages AWS IAM configurations for clients with cloud-hosted workloads, including role design, policy management, least-privilege implementation, and regular review of IAM permissions to identify over-privileged accounts or roles that are no longer required.
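To make the misconfiguration point concrete, here is an added example (not Microsolve's tooling) that places a constructed over-privileged AWS IAM policy beside a least-privilege equivalent and flags the statements a permissions review would want to see: wildcard actions, service-wide wildcards, `NotAction` with `Allow`, and IAM permissions on every resource. The bucket name and both policy documents are made up for illustration.

```python
"""Flag over-privileged statements in AWS IAM policy documents (added example)."""
import json

# Constructed policy: the kind of "make it work" grant that accumulates in real accounts.
OVERPRIVILEGED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "iam:*"], "Resource": "*"},
    ],
})

# Constructed least-privilege equivalent for a workload that only reads one bucket.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports-bucket",
                     "arn:aws:s3:::example-reports-bucket/*"],
    },
})


def _as_list(value):
    """IAM allows a single string or a list in Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def find_overprivileged_statements(policy_json):
    """Return (statement_index, reason) for each Allow statement that grants far
    more than a single workload should hold."""
    doc = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if "NotAction" in stmt:
            findings.append((i, "Allow with NotAction grants every action except the listed ones"))
        if "*" in actions:
            findings.append((i, "wildcard Action grants every API call in every service"))
        elif any(a.endswith(":*") for a in actions):
            wide = ", ".join(a for a in actions if a.endswith(":*"))
            findings.append((i, f"service-wide wildcard action: {wide}"))
        if "*" in resources and any(a == "*" or a.startswith("iam:") for a in actions):
            findings.append((i, "IAM permissions on Resource '*' let the principal change other principals' access"))
    return findings


if __name__ == "__main__":
    for name, doc in (("over-privileged", OVERPRIVILEGED_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_overprivileged_statements(doc) or "no findings")
```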


User Lifecycle From Onboarding to Offboarding

Identity management is not a background configuration task. It is an active, ongoing discipline that touches every stage of the user lifecycle, from account creation on the first day to complete access removal after someone leaves.

The most common IAM failure modes are lifecycle failures: accounts that were never properly provisioned, access that accumulated as roles changed, and - most critically - accounts that were not deprovisioned when a user left. A former employee with an active account and unchanged credentials is one of the most straightforward attack vectors in any organisation's environment.

What Microsolve manages across the user lifecycle:

Onboarding

New user accounts created consistently, assigned to the correct role and group memberships, with the right application access provisioned automatically based on role templates

Role Changes

Access updates managed promptly and completely when users change roles, ensuring old permissions are removed as new ones are added

Temporary and Contractor Access

Time-limited access granted with automatic expiry, scoped to what is needed and nothing more

Access Reviews

Scheduled reviews of all user access rights across platforms, identifying permissions that are no longer appropriate and removing them

Offboarding

Immediate, complete, and documented account deactivation across all platforms when a user leaves, not just the primary directory


IAM and the Security Frameworks

Identity and access management is not an isolated discipline; it is foundational to the security frameworks that Australian organisations are increasingly expected to align with.

Essential Eight

The Essential Eight lists MFA as a top-priority mitigation strategy because missing or weak MFA is one of the most consistently exploited weaknesses in compromised organisations. It also includes restricting administrative privileges, which is an access management control directly managed through IAM.

SMB1001

SMB1001 is the Australian Cyber Security Centre's certification framework for small and medium businesses. It places access control and identity governance within its core security pillars. Organisations pursuing SMB1001 certification need to demonstrate structured identity practices and Microsolve's managed IAM service is designed to support that demonstrability.

Zero Trust

Zero Trust architecture treats identity as the primary security boundary, and IAM is the discipline through which Zero Trust principles are implemented. Every access decision in a Zero Trust model depends on verified identity, assessed device health, and contextual policy. Each of these is managed through IAM platforms and governance processes.

Microsolve connects IAM implementation to these frameworks explicitly, so that the work done to improve identity security builds toward a measurable, documented compliance posture, not just better configurations.

Frequently asked questions

What is identity and access management (IAM)?

IAM is the framework of policies, processes, and technologies that ensure the right people have the right access to the right resources and that their activities are recorded and auditable. It covers authentication (verifying identity), authorisation (controlling what access is permitted), and accounting (logging and auditing what happened).

Is SSO the same as identity management?

No. Single sign-on is one feature within identity management. It simplifies how users authenticate across multiple applications. Identity management is broader: it covers how identities are created and managed, how access rights are assigned and reviewed, how access is governed across the user lifecycle, and how activity is logged and audited.

What is the difference between authentication and authorisation?

Authentication verifies who a user is. It confirms they are who they claim to be through credentials, MFA, or biometrics. Authorisation determines what that verified user is permitted to do, which systems they can access, which data they can see, and which actions they can take. Both are necessary; authentication without authorisation governance means verified users may still have access to more than they should.

Why does it matter when a user leaves the organisation?

A former employee with an active account and unchanged credentials is an open door into the organisation regardless of whether the departure was on good terms. Complete, immediate account deprovisioning across all platforms is one of the most important and most commonly neglected identity controls.

What is least-privilege access and why does it matter?

Least-privilege access means each user holds only the minimum permissions required for their current role and nothing more. It limits the potential damage from a compromised account, reduces the risk of accidental data exposure, and shrinks the attack surface available to an insider threat. The principle sounds simple; implementing it consistently across a growing organisation requires active governance.

What is the difference between Entra ID and OneLogin?

Entra ID (formerly Azure Active Directory) is Microsoft's cloud identity platform, best suited to organisations using Microsoft 365 and Azure. OneLogin is a cloud-native IAM platform suited to multi-cloud and SaaS-heavy environments with a broad application portfolio. Many organisations use both, with Entra ID as the core directory and OneLogin for SSO and application access management. Microsolve assesses the right approach for each client's environment.

How does IAM connect to Essential Eight compliance?

The Essential Eight includes MFA enforcement and restriction of administrative privileges as top-priority mitigation strategies. These are both identity and access management controls. Microsolve's IAM service implements and manages these controls as part of a structured approach to Essential Eight alignment.

What does an access review involve?

An access review is a scheduled audit of user permissions across all platforms to check that each user's access is appropriate for their current role, that there are no accumulated permissions from previous roles, and that there are no active accounts for users who have left. Microsolve conducts access reviews as a regular part of the managed IAM service and produces clear documentation of what was reviewed and what was changed.

How is AWS IAM different from Entra ID or OneLogin?

AWS IAM controls access to AWS cloud resources by defining which users, roles, and services can perform which actions in the AWS environment. It is not a replacement for Entra ID or OneLogin (which manage user identity for applications and Microsoft services) but a complementary platform for organisations with AWS workloads. Microsolve manages AWS IAM configurations as part of the broader identity posture for clients with cloud infrastructure.

Discover the gaps in your IAM setup

Whether the gaps are over-privileged accounts, ex-staff access, unconfigured Conditional Access, or dormant audit logs, an honest picture of your current identity posture has to come before any change is implemented.

Get Microsolve's structured IAM review for clear visibility and a compliant path forward.