Skip to content
const portfolio = { loading: true, status: 'initializing...'};
0%
back to home.tsx

~/case-studies/identity-security-posture

Identity Security Posture

Turning scattered identity signals into one prioritized recommendation — so admins can assess, understand and strengthen their security at a glance.

Product DesignerMicrosoft Entra · ISPMIdentity

1,818

identities analyzed

92%

in good state

+13

Secure Score · 30 days

0

standing admins (from 13)

All figures are mocked prototype data for a fictional tenant, “Zava.” No real customer, tenant or employee data.

Posture overview / tenant analysis
Identity posture overview for the Zava tenant: 1,818 identities, 92% requirements met, an agent recommendation card, and the Administrators segment.
AI-scored posture with one prioritized recommendation (“no standing privilege”).

01~/renan-rios$cat ./tenant/context.md

The tenant and the problem

A fictional demo tenant with a real-world shape: high-stakes, compliance-bound, and mostly healthy — except where it matters most.

tenant.md

A fictional Defense Industrial Base / government contractor — CMMC Level 2 and Zero Trust in scope, handling CUI + ITAR workloads on hybrid identity (Entra ID + on-prem AD), Microsoft 365 E5 · Entra ID P2.

The experience — An AI “Conditional Access Optimization Agent” analyzes the tenant, scores identity posture, and turns the single highest-impact gap into a safe, phased, human-approved rollout — a “Good State” campaign.

Tenant facts

Identities
1,818
Segments
6 cohorts
Admins
48
Compliance
CMMC L2 · ZTA
Licensing
M365 E5 · Entra ID P2
Identity
Hybrid (Entra + AD)

02~/renan-rios$cat ./posture/summary.json

Posture at a glance

One AI-scored read of the whole estate — then a segment-by-segment breakdown that shows where the risk actually lives.

1,818

Identities analyzed across 6 segments

92%

Identities meeting their good-state baseline (+2.1%)

143

Identities needing remediation (down 5.4%)

61 → 82

Identity Secure Score: 61 today (+13 in 30 days), path to 82

13

Admins scoped for standing-access removal (3 phases: 3 → 6 → 4)

+8.4 pts

Phishing-resistant MFA for admins — biggest Secure Score win

2

Break-glass accounts auto-excluded and preserved

Cohort breakdown

6 segments · sums to 1,818

Administrators

48 identities
73%
13drift2auto-fixed0approval

Hero cohort: 73% today but holds ~64% of critical exposure at 2.6% of identities; 13 admins drifted back to standing access.

44/48

MFA enforced

41/48

No standing priv.

45/48

Compliant device

48/48

Legacy auth blocked

Frontline Workers

1,240 identities
100%
0drift0auto-fixed0approval

Executives

24 identities
83%
2drift2auto-fixed1approval

DevOps Engineers

30 identities
100%
0drift0auto-fixed0approval

Non-Human Identities

156 identities
86%
2drift1auto-fixed1approval

Guests

320 identities
94%
2drift1auto-fixed1approval

03~/renan-rios$git diff baseline..today

Before to After

How the agent moved the tenant from a risk-concentrated baseline to a measurably stronger posture — in about a month.

Baseline — risk concentrated in the privileged tier

Zava's Identity Secure Score sat at 48 — well below the industry average — with Strong Authentication and Device Trust driving 6 of 21 failing checks. Most of the 1,818-identity estate was healthy, but risk clustered in the privileged tier: the agent flagged that 13 administrators had drifted back to standing (permanent) privileged access, including 7 newly-added admins with permanent Global Administrator rights. Break-glass accounts sat unmanaged, and a handful of admins still used SMS/phone MFA instead of phishing-resistant keys. The signals an admin needed were scattered across Secure Score, Conditional Access, PIM, and sign-in logs.

Intervention — one prioritized move, executed safely

The Conditional Access Optimization agent modeled all 1,818 identities into 6 cohorts, then surfaced one ranked recommendation: remove standing admin access. Rather than a raw to-do, it drafted a phased, reversible rollout — 13 admins across 3 waves (3 → 6 → 4), starting with PIM-familiar admins at the lowest predicted disruption, auto-excluding 2 break-glass accounts, and converting permanent roles to just-in-time PIM access. An impact preview showed exactly who's affected, the Teams message each admin would receive, and the built-in safeguards. In parallel, Good State campaigns moved the remaining admins to phishing-resistant FIDO2 keys (+8.4 Secure Score points — the biggest single win).

Outcome — measurable posture gain, near-zero friction

Identity Secure Score climbed +13 points in 30 days (48 → 61), with a mapped path to 82 once the five prioritized recommendations complete. Across the estate, 92% of identities now meet their good-state baseline (1,675 of 1,818, up from ~1,180), and the tenant's six-month posture trend rose from 64 to 87. Standing-access conversion runs with 100% PIM activation among sign-ins and zero support escalations. Net: the agent turned scattered signals into one safe, sequenced action that closes the tenant's single largest source of critical exposure.

metrics.delta
MetricBeforeAfter
Identity Secure Score4861 (→ 82 target)
Identities meeting good state~1,180 (65%)1,675 (92%)
Six-month posture-trend score6487
Admins on standing (permanent) access13 scoped0 (just-in-time via PIM)
Admins on phishing-resistant MFA44 / 4848 / 48
Phishing-resistant MFA Secure Score points+8.4
PIM activation success (in-scope sign-ins)100%

Six-month posture trend

6487
Feb 14Mar 7Apr 2May 1May 29Jun 18

Identities in good state

1,1801,675
Feb 14Mar 7Apr 2May 1May 29Jun 18

04~/renan-rios$node rollout.ts --recommendation=remove-standing-access

The prioritized move, executed safely

The single ranked recommendation becomes a phased, reversible, human-approved rollout — 13 admins across 3 waves, break-glass preserved.

13

admins in scope

3

phased waves

2

break-glass excluded

  1. 1

    Pilot

    3 admins

    PIM-familiar admins with lowest predicted disruption

  2. 2

    Early adoption

    6 admins

    Broader admin cohort with strong sign-in cadence

  3. 3

    Full enforcement

    4 admins

    Remaining permanent-role assignments with closer monitoring

Safeguards

  • Excludes break-glass and emergency access accounts
  • Each phase starts only when an admin clicks Start
  • Monitors notification delivery, sign-in issues, PIM activation, and support tickets
  • Admin can pause the rollout and restore access while investigating
Remove standing admin access — phased rollout
Phased PIM rollout: 13 identities in scope, 3 phases, 2 excluded, with Phase 1 pilot and an AI summary.
Standing access removed in safe, approval-gated waves (13 in scope, 3 phases).
Impact preview drawer (Phase 1)
Impact preview drawer: 3 admins affected, a sample Teams notification, and safeguards including break-glass exclusion and one-click pause-and-restore.
Human-in-the-loop: who's affected, the user's Teams message, and built-in safeguards.

05~/renan-rios$cat ./secure-score/report.json

Identity Secure Score — the evidence loop

Every campaign reports back to a measurable score, with the highest-impact moves ranked first.

0

current score

+13 in 30 days
path to target61 / 82

5 prioritized recommendations map the path to 82.

Biggest wins

Require phishing-resistant authentication for admins+8.4
Remove permanent Global Administrator assignments+5
Enable device compliance requirements+5
Configure lifecycle workflows+3
Deploy GSA client to remaining devices+2
Identity Secure Score
Identity Secure Score page: score 61, ranked biggest wins with points, critical exposure gaps, and a 30-day progress chart.
Prioritized “biggest wins” and +13-point 30-day progress.

06~/renan-rios$cat ./design/decisions.md

Design decisions

The judgment calls behind the experience — what to prioritize, when to automate, and how to earn trust with privileged change.

Identity risk hides across Secure Score, Conditional Access, PIM, and sign-in logs. The overview replaces that noise with a single AI-scored posture read and one ranked recommendation, so an admin knows the highest-leverage action at a glance.

  • Weighted critical-exposure-by-segment — 64% mapped to Administrators (2.6% of identities)
  • One primary recommendation instead of a backlog of 143 tasks
  • A “biggest wins” list ranks the five moves that add the most Secure Score points

Prioritization is the product — surfacing the one move that matters beats a longer list.

Changes to privileged accounts are risky, so the rollout is staged in waves that expand only when activation, sign-in, and support signals stay healthy — and it protects emergency access by design.

  • Phased waves (3 → 6 → 4 admins) that each start only when an admin clicks Start
  • Break-glass accounts auto-detected from CA-policy exclusions and preserved (2 out of scope)
  • One-click pause-and-restore if unexpected access issues appear

Trust comes from visible guardrails — staging, exclusions, and reversibility — not just automation.

The agent fixes low-risk drift automatically but routes anything consequential to an approval step, keeping humans in control of privileged change.

  • Low-risk drift is auto-remediated; high-impact actions require admin approval
  • An impact preview spells out who's affected and the exact Teams message users receive
  • Evidence loop: campaign telemetry reports back to Identity Secure Score (+8.4 pts)

Automation earns trust by knowing what not to do on its own.

The single biggest risk — permanent admin rights — is converted to just-in-time PIM access without disrupting admins, using earlier phases to de-risk the final cohort.

  • 13 admins scoped across 3 waves; permanent roles become eligible, just-in-time access
  • 100% PIM activation among sign-ins, zero support escalations in the pilot
  • Framework-aligned: CMMC L2 AC.L2-3.1.5 and NIST 800-171 3.1.5 (least privilege)

The highest-impact security win can ship with near-zero user friction when it's sequenced well.

What I owned — craft and UX patterns

Outcome-framed information architecture — controls read as end-states (“No standing privilege,” “Phishing-resistant MFA only,” “No open risk”), kept consistent from hero to drawer.

“Assess at a glance” hero — a single posture read, weighted critical-exposure-by-segment, and one ranked recommendation instead of an alert list.

Human-in-the-loop trust model — chain-of-thought agent reasoning, an impact preview, admin-initiated phases, and reversible/pausable rollouts.

Break-glass safety patterns — auto-detection, exclusion, and guidance for group-based emergency access so campaigns never lock out emergency admins.

Secure Score ↔ Good State evidence loop — connecting a recommendation to execution and back to a measurable score, with a ranked “biggest wins” surface.

Cohort model surface — every identity classified across tenant signals, with confidence-gap handling that refines without blocking evaluation.

Regulation co-branding contract — only show an Entra Recommendation chip where a real 1:1 mapping exists; extensions and deep-links don't fake it.

Design decisions embodied in the prototype; exact scope and collaborators per Renan.

// end of case study

Want the rest of the story?

See more Microsoft Entra work and the full delivery record, or head back home.