
CAF – B2.d Identity and Access Management (IdAM)

This article provides additional information on how you can meet the requirement for the CAF control – B2.d Identity and Access Management (IdAM).

Identity and Access Management Overview

  • A structured IdAM process should be in place to ensure that only verified and authorised users, devices and systems can access environments supporting managed services.
  • User identities should be verified during onboarding before an account is created in a central identity provider such as Microsoft Entra ID, Okta or JumpCloud, and the access granted to that account should follow the principle of least privilege.

Access Assignment and Review

  • Access rights should be assigned based on job role.

  • Changes to access should be reviewed through a joiners, movers and leavers process.

  • Access should be audited at least annually using tools such as:

    • Entra ID Access Reviews

    • Adoptech access review workflow

  • Single Sign-On (SSO) should be implemented to centralise authentication.

  • Administrative roles should require enhanced approval and multi-factor authentication (MFA).
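The role-based assignment and joiners/movers/leavers review above can be checked mechanically. The following is an added example, not code from the original article or from any of the products it names: it reconciles a constructed HR roster against constructed identity-provider group memberships using a hypothetical role-to-group entitlement matrix, and reports leavers who still hold access, movers holding groups their new role does not permit, orphaned accounts with no HR record, and privileged group members without MFA. All names, groups and roles are sample data.

```python
"""Access-review reconciliation (added example; sample data only).

ROLE_ENTITLEMENTS stands in for whatever role-to-group matrix the
organisation maintains; the group names are hypothetical.
"""
from dataclasses import dataclass

# Hypothetical role-to-entitlement matrix: groups each job role may hold.
ROLE_ENTITLEMENTS = {
    "engineer": {"vpn-users", "github-devs", "prod-readonly"},
    "sre":      {"vpn-users", "github-devs", "prod-readonly", "prod-admins"},
    "finance":  {"vpn-users", "erp-users"},
}

# Groups whose membership is administrative and needs extra scrutiny.
PRIVILEGED_GROUPS = {"prod-admins", "entra-global-admins"}


@dataclass
class Person:
    user: str
    role: str          # current role from HR; a mover's role has already changed
    status: str        # "active" or "left"
    mfa_enrolled: bool


@dataclass
class Finding:
    user: str
    group: str
    reason: str


def review_access(roster, memberships):
    """Compare IdP group memberships with the HR roster and return findings."""
    findings = []
    roster_by_user = {p.user: p for p in roster}
    for user, groups in memberships.items():
        person = roster_by_user.get(user)
        if person is None:
            # Account exists in the IdP but HR knows nothing about it.
            for g in sorted(groups):
                findings.append(Finding(user, g, "no HR record: orphaned account"))
            continue
        if person.status == "left":
            # Leaver process failed: every remaining group is a finding.
            for g in sorted(groups):
                findings.append(Finding(user, g, "leaver still holds access"))
            continue
        allowed = ROLE_ENTITLEMENTS.get(person.role, set())
        # Movers: groups kept from a previous role show up here as excess.
        for g in sorted(groups - allowed):
            findings.append(Finding(user, g, f"not permitted for role '{person.role}'"))
        # Administrative roles must have MFA enrolled.
        if not person.mfa_enrolled:
            for g in sorted(groups & PRIVILEGED_GROUPS):
                findings.append(Finding(user, g, "privileged group without MFA"))
    return findings


# Constructed sample data for the review.
SAMPLE_ROSTER = [
    Person("alice", "sre", "active", True),
    Person("bob", "engineer", "active", True),      # moved from sre to engineer
    Person("carol", "finance", "left", True),        # leaver
    Person("dave", "engineer", "active", False),     # admin without MFA
]

SAMPLE_MEMBERSHIPS = {
    "alice": {"vpn-users", "github-devs", "prod-readonly", "prod-admins"},
    "bob":   {"vpn-users", "github-devs", "prod-readonly", "prod-admins"},
    "carol": {"vpn-users", "erp-users"},
    "dave":  {"vpn-users", "github-devs", "entra-global-admins"},
    "svc-legacy": {"prod-admins"},                   # no HR record
}


if __name__ == "__main__":
    for f in review_access(SAMPLE_ROSTER, SAMPLE_MEMBERSHIPS):
        print(f"{f.user:<12} {f.group:<22} {f.reason}")
```

Run on the sample data this reports six findings: bob's leftover prod-admins membership, both of carol's groups, dave's global-admin membership twice (not permitted for his role, and held without MFA) and the orphaned svc-legacy account; alice, whose groups match her role, produces nothing.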

Monitoring Access to Critical Systems

  • All user, device and system access to critical systems should be logged and monitored using tools such as:

    • Microsoft Sentinel

    • Splunk

    • Datto

    • Microsoft Defender

  • Access logs should be reviewed routinely and correlated with expected behaviour and wider security signals, such as:

    • device health

    • conditional access events

    • network monitoring alerts

Responding to Unauthorised Access Attempts

  • Any access attempts by unauthorised users, devices or systems should trigger alerts via tools such as Microsoft Defender, Microsoft Sentinel or another SIEM platform.

  • Alerts should be triaged promptly, investigated and escalated in line with the organisation’s incident management process.
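The monitoring and alerting described in the two sections above (correlating access logs with device health and conditional access outcomes, then alerting on unauthorised attempts) can be illustrated with a small detection pass over sign-in events. This is an added example, not code from the original article and not a Sentinel, Splunk, Datto or Defender rule: the log lines are constructed JSON records in a hypothetical schema (field names such as `device_compliant` and `ca_result` are assumptions; real Entra ID or SIEM schemas differ and would need mapping), and the thresholds are illustrative.

```python
"""Correlated sign-in detection (added example; constructed log lines)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5            # failures per user inside WINDOW before alerting
WINDOW = timedelta(minutes=10)
CRITICAL_SYSTEMS = {"prod-bastion", "erp"}   # hypothetical critical systems

# Constructed sample events (hypothetical schema, not a vendor format).
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:01Z","user":"alice","app":"prod-bastion","result":"success","device_compliant":true,"ca_result":"success","ip":"203.0.113.5"}
{"ts":"2024-05-01T09:01:00Z","user":"bob","app":"prod-bastion","result":"failure","device_compliant":true,"ca_result":"notApplied","ip":"198.51.100.9"}
{"ts":"2024-05-01T09:01:10Z","user":"bob","app":"prod-bastion","result":"failure","device_compliant":true,"ca_result":"notApplied","ip":"198.51.100.9"}
{"ts":"2024-05-01T09:01:20Z","user":"bob","app":"prod-bastion","result":"failure","device_compliant":true,"ca_result":"notApplied","ip":"198.51.100.9"}
{"ts":"2024-05-01T09:01:30Z","user":"bob","app":"prod-bastion","result":"failure","device_compliant":true,"ca_result":"notApplied","ip":"198.51.100.9"}
{"ts":"2024-05-01T09:01:40Z","user":"bob","app":"prod-bastion","result":"failure","device_compliant":true,"ca_result":"notApplied","ip":"198.51.100.9"}
{"ts":"2024-05-01T09:02:05Z","user":"bob","app":"prod-bastion","result":"success","device_compliant":true,"ca_result":"success","ip":"198.51.100.9"}
{"ts":"2024-05-01T09:03:00Z","user":"carol","app":"erp","result":"success","device_compliant":false,"ca_result":"success","ip":"203.0.113.7"}
{"ts":"2024-05-01T09:04:00Z","user":"dave","app":"erp","result":"failure","device_compliant":true,"ca_result":"blocked","ip":"192.0.2.44"}
{"ts":"2024-05-01T09:05:00Z","user":"eve","app":"prod-bastion","result":"failure","device_compliant":true,"ca_result":"notApplied","ip":"203.0.113.9"}
{"ts":"2024-05-01T09:05:30Z","user":"eve","app":"prod-bastion","result":"success","device_compliant":true,"ca_result":"success","ip":"203.0.113.9"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect(events):
    """Return (severity, user, message) alerts for the rules below."""
    alerts = []
    recent_failures = defaultdict(list)   # user -> timestamps of recent failures
    for e in events:
        user, ts, app = e["user"], e["ts"], e["app"]
        # Rule 1: conditional access blocked the sign-in, i.e. an unauthorised attempt
        if e["ca_result"] == "blocked":
            alerts.append(("medium", user, f"conditional access blocked {app} from {e['ip']}"))
        # Rule 2: failures over the threshold inside the window (fires once, at the threshold)
        if e["result"] == "failure":
            kept = [t for t in recent_failures[user] if ts - t <= WINDOW]
            recent_failures[user] = kept + [ts]
            if len(recent_failures[user]) == FAILURE_THRESHOLD:
                alerts.append(("high", user, f"{FAILURE_THRESHOLD} failed sign-ins within {WINDOW}"))
        if e["result"] == "success":
            # Rule 3: success on a critical system from a device that failed health checks
            if app in CRITICAL_SYSTEMS and not e["device_compliant"]:
                alerts.append(("high", user, f"success on {app} from non-compliant device"))
            # Rule 4: success right after a burst of failures (guessing that worked)
            n = sum(1 for t in recent_failures[user] if ts - t <= WINDOW)
            if n >= 3:
                alerts.append(("critical", user, f"success on {app} after {n} recent failures"))
            recent_failures[user].clear()
    return alerts


if __name__ == "__main__":
    for severity, user, msg in detect(parse_events(SAMPLE_LOG)):
        print(f"[{severity:<8}] {user:<6} {msg}")
```

On the sample log this raises four alerts: bob's fifth failure, bob's subsequent success (the one that should be escalated first), carol's success on a critical system from a non-compliant device, and dave's conditional-access block. alice's normal sign-in and eve's single mistyped password produce nothing, which is the point of correlating the signals rather than alerting on every failure.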

Maintaining Effective Identity Controls

  • A structured IdAM approach helps ensure identity verification, access control and monitoring remain effective and aligned with regulatory and security expectations.