Identity and Access Management (IAM)

[Identity & access graphic: example permission view (Read: Files; Edit: Reports; Admin: Denied) and a checklist of least-privilege roles, SSO with one identity, MFA enforced, quarterly access reviews, no shared accounts and no permanent admin rights.]

Learn how identity lifecycle management, role-based access control, SSO, and access reviews protect your organisation from over-privileged accounts.


IAM is the framework of policies and technologies that controls who has access to what, and under what conditions. It is the foundation of every other security control.

The IAM Core Concepts

  • Identity: who are you? A user, service, device or app.
  • Authentication: prove you are who you claim to be (password + MFA).
  • Authorisation: what are you allowed to do? (RBAC, permissions)
  • Access: granted to the approved resource; logged and audited.
  • Audit: who accessed what, and when; the forensics trail.
Authentication ≠ Authorisation: proving WHO you are doesn’t determine WHAT you can do.

Role-Based Access Control (RBAC)

RBAC assigns permissions to roles, then assigns roles to users. This makes access management scalable and auditable.
Role | Permissions | Example Users
Finance Officer | Read/write invoices, read customer data | Finance team
Support Technician | Read customer data, create/update jobs | Helpdesk staff
Team Leader | All technician permissions + assign jobs | Senior staff
System Administrator | Manage users, configure systems | IT admins
Global Administrator | Full control of everything | Break-glass only, heavily audited
⛔ Important
Never assign Global Administrator as a default admin role. Even IT administrators should use standard accounts for day-to-day work and only activate privileged roles (via PIM) when specifically needed. A compromised Global Admin account can delete your entire Microsoft 365 tenant, including all email, SharePoint, and Azure resources — in seconds.

The Joiners-Movers-Leavers Process

IAM must track employees throughout their lifecycle:
Event | IAM Action Required
New starter (Joiner) | Provision accounts with role-appropriate access only
Role change (Mover) | Add new permissions; remove old ones — don’t accumulate
Resignation / Termination (Leaver) | Disable all accounts on last day; revoke MFA; remove from groups
Long-term leave | Suspend account; review on return
Contractor engagement | Time-limited account with expiry date set at creation
⚠ Warning
Access accumulation (also called privilege creep) occurs when users accumulate permissions from previous roles that were never revoked. An employee who moved from Finance to IT 3 years ago may still have read access to payroll data. Regular access reviews — at least annually — are required to catch this.
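To make the RBAC role table and the joiners-movers-leavers process concrete, here is an added Python example (not code from the original page): it loads the role table above, implements the joiner, mover and leaver operations, enforces the contractor expiry date, and runs an access review that flags privilege creep. The permission names and usernames are constructed for illustration.

```python
from datetime import date

# Role table from the page (permission names are constructed): role -> permissions.
ROLES = {
    "Finance Officer": {"invoices:read", "invoices:write", "customers:read"},
    "Support Technician": {"customers:read", "jobs:create", "jobs:update"},
    "Team Leader": {"customers:read", "jobs:create", "jobs:update", "jobs:assign"},
    "System Administrator": {"users:manage", "systems:configure"},
}

class Directory:
    """Minimal user store walking through joiners, movers and leavers."""
    def __init__(self):
        self.users = {}  # username -> {job, roles, enabled, expires}

    def join(self, user, role, expires=None):
        # Joiner: one role matching the job; contractors get an expiry at creation.
        self.users[user] = {"job": role, "roles": {role}, "enabled": True, "expires": expires}

    def move(self, user, new_role, revoke_old=True):
        # Mover: the correct process replaces the old role. revoke_old=False
        # reproduces the accumulation mistake that the access review must catch.
        rec = self.users[user]
        rec["job"] = new_role
        rec["roles"] = {new_role} if revoke_old else rec["roles"] | {new_role}

    def leave(self, user):
        # Leaver: disable the account and strip every role on the last day.
        self.users[user].update(enabled=False, roles=set())

    def permissions(self, user, today=None):
        today = today or date.today()
        rec = self.users.get(user)
        if rec is None or not rec["enabled"]:
            return set()
        if rec["expires"] is not None and today > rec["expires"]:
            return set()  # time-limited contractor account has lapsed
        return set().union(*(ROLES[r] for r in rec["roles"]))

    def can(self, user, permission, today=None):
        return permission in self.permissions(user, today)

    def access_review(self):
        # Privilege creep: roles still held that do not match the user's current job.
        return {u: sorted(rec["roles"] - {rec["job"]})
                for u, rec in self.users.items()
                if rec["enabled"] and rec["roles"] - {rec["job"]}}

if __name__ == "__main__":
    d = Directory()
    d.join("alice", "Finance Officer")
    d.move("alice", "System Administrator", revoke_old=False)  # the mistake
    print(d.access_review())  # {'alice': ['Finance Officer']}
```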

Single Sign-On (SSO)

SSO allows users to authenticate once and access multiple applications without re-entering credentials. Benefits:
  • Fewer passwords to manage and forget
  • Centralised enforcement of MFA and Conditional Access
  • Instant account deprovisioning — disable the SSO account and all apps lose access simultaneously
✓ Key Point
Centralise as many applications as possible under your SSO provider (Azure AD / Entra ID, Okta, etc.). When an employee leaves, one account disable in the SSO system revokes access to every connected application instantly — removing the risk of forgotten application accounts remaining active.
Who has access to what in your business?
If you can’t answer that question quickly — or a former staff member’s account might still be active somewhere — your access management needs attention. Mobile Techs IT Service helps Gold Coast businesses take control: least-privilege roles and permission audits, SSO and MFA rollout across your apps, proper onboarding and offboarding processes, and regular access reviews that catch privilege creep before it becomes a breach. Home users welcome too — on-site or remote, anywhere in Australia.