Learn how identity lifecycle management, role-based access control, SSO, and access reviews protect your organisation from over-privileged accounts.
Identity and Access Management (IAM)
IAM is the framework of policies and technologies that controls who has access to what, and under what conditions. It is the foundation of every other security control.
IAM Core Concepts
Role-Based Access Control (RBAC)
RBAC assigns permissions to roles, then assigns roles to users. This makes access management scalable and auditable.
| Role | Permissions | Example Users |
|---|---|---|
| Finance Officer | Read/write invoices, read customer data | Finance team |
| Support Technician | Read customer data, create/update jobs | Helpdesk staff |
| Team Leader | All technician permissions + assign jobs | Senior staff |
| System Administrator | Manage users, configure systems | IT admins |
| Global Administrator | Full control of everything | Break-glass only, heavily audited |
⛔ Important
Never assign Global Administrator as a default admin role. Even IT administrators should use standard accounts for day-to-day work and only activate privileged roles (via Privileged Identity Management, PIM) when specifically needed. A compromised Global Admin account can delete your entire Microsoft 365 tenant, including all email, SharePoint, and Azure resources — in seconds.
The Joiners-Movers-Leavers Process
IAM must track employees throughout their lifecycle:
| Event | IAM Action Required |
|---|---|
| New starter (Joiner) | Provision accounts with role-appropriate access only |
| Role change (Mover) | Add new permissions; remove old ones — don’t accumulate |
| Resignation / Termination (Leaver) | Disable all accounts on last day; revoke MFA; remove from groups |
| Long-term leave | Suspend account; review on return |
| Contractor engagement | Time-limited account with expiry date set at creation |
⚠ Warning
Access accumulation (also called privilege creep) occurs when users accumulate permissions from previous roles that were never revoked. An employee who moved from Finance to IT 3 years ago may still have read access to payroll data. Regular access reviews — at least annually — are required to catch this.
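The RBAC table and the Joiners-Movers-Leavers steps above, as an added illustration that is not part of the original page or of any product: a small Python model in which a mover's old role is replaced rather than kept, a leaver is disabled outright, a contractor's expiry is set at creation, and an access review flags the privilege creep and stale accounts the text warns about. Role and permission names are constructed for the example, and "more than one role" is used as the creep signal because this page's model gives each person a single role.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed role catalogue following the page's RBAC table; permission names are hypothetical.
ROLES = {
    "Finance Officer": {"invoice:read", "invoice:write", "customer:read"},
    "Support Technician": {"customer:read", "job:create", "job:update"},
    "System Administrator": {"user:manage", "system:configure"},
}

@dataclass
class Account:
    name: str
    roles: set = field(default_factory=set)
    enabled: bool = True
    expires: Optional[str] = None  # ISO date; contractors get one set at creation

def joiner(name, role, expires=None):
    """New starter: provision with exactly one role-appropriate permission set."""
    return Account(name, {role}, True, expires)

def mover(acct, new_role):
    """Role change: replace the old role rather than accumulate."""
    acct.roles = {new_role}

def leaver(acct):
    """Last day: disable the account and remove all role membership."""
    acct.enabled = False
    acct.roles = set()

def is_expired(acct, today):
    return acct.expires is not None and date.fromisoformat(today) > date.fromisoformat(acct.expires)

def permissions(acct, today):
    """Effective permissions: nothing if the account is disabled or past expiry."""
    if not acct.enabled or is_expired(acct, today):
        return set()
    return set().union(*(ROLES[r] for r in acct.roles))

def access_review(accounts, today):
    """Findings an annual review should raise: privilege creep (a user holding
    more than one role) and expired contractor accounts still enabled."""
    findings = []
    for a in accounts:
        if len(a.roles) > 1:
            findings.append((a.name, "privilege creep: holds multiple roles"))
        if a.enabled and is_expired(a, today):
            findings.append((a.name, "expired contractor still enabled"))
    return findings
```

Run `access_review` over your account list on a schedule; a user who was moved by adding a role instead of calling `mover` shows up as creep, and a contractor past expiry shows up even though nobody remembered to disable the account.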
Single Sign-On (SSO)
SSO allows users to authenticate once and access multiple applications without re-entering credentials. Benefits:
- Fewer passwords to manage and forget
- Centralised enforcement of MFA and Conditional Access
- Instant account deprovisioning — disable the SSO account and all apps lose access simultaneously
✓ Key Point
Centralise as many applications as possible under your SSO provider (Azure AD / Entra ID, Okta, etc.). When an employee leaves, one account disable in the SSO system revokes access to every connected application instantly — removing the risk of forgotten application accounts remaining active.
Who has access to what in your business?
If you can’t answer that question quickly — or a former staff member’s account might still be active somewhere — your access management needs attention. Mobile Techs IT Service helps Gold Coast businesses take control: least-privilege roles and permission audits, SSO and MFA rollout across your apps, proper onboarding and offboarding processes, and regular access reviews that catch privilege creep before it becomes a breach. Home users welcome too — on-site or remote, anywhere in Australia.
Get your access under control → or call 1300 644 588