Administrators
Hero cohort: 73% today but holds ~64% of critical exposure at 2.6% of identities; 13 admins drifted back to standing access.
44/48
MFA enforced
41/48
No standing priv.
45/48
Compliant device
48/48
Legacy auth blocked
~/case-studies/identity-security-posture
Turning scattered identity signals into one prioritized recommendation — so admins can assess, understand and strengthen their security at a glance.
1,818
identities analyzed
92%
in good state
+13
Secure Score · 30 days
0
standing admins (from 13)
All figures are mocked prototype data for a fictional tenant, “Zava.” No real customer, tenant or employee data.

01~/renan-rios$cat ./tenant/context.md
A fictional demo tenant with a real-world shape: high-stakes, compliance-bound, and mostly healthy — except where it matters most.
A fictional Defense Industrial Base / government contractor — CMMC Level 2 and Zero Trust in scope, handling CUI + ITAR workloads on hybrid identity (Entra ID + on-prem AD), Microsoft 365 E5 · Entra ID P2.
The experience — An AI “Conditional Access Optimization Agent” analyzes the tenant, scores identity posture, and turns the single highest-impact gap into a safe, phased, human-approved rollout — a “Good State” campaign.
Tenant facts
02~/renan-rios$cat ./posture/summary.json
One AI-scored read of the whole estate — then a segment-by-segment breakdown that shows where the risk actually lives.
1,818
Identities analyzed across 6 segments
92%
Identities meeting their good-state baseline (+2.1%)
143
Identities needing remediation (down 5.4%)
61 → 82
Identity Secure Score: 61 today (+13 in 30 days), path to 82
13
Admins scoped for standing-access removal (3 phases: 3 → 6 → 4)
+8.4 pts
Phishing-resistant MFA for admins — biggest Secure Score win
2
Break-glass accounts auto-excluded and preserved
Hero cohort: 73% today but holds ~64% of critical exposure at 2.6% of identities; 13 admins drifted back to standing access.
44/48
MFA enforced
41/48
No standing priv.
45/48
Compliant device
48/48
Legacy auth blocked
03~/renan-rios$git diff baseline..today
How the agent moved the tenant from a risk-concentrated baseline to a measurably stronger posture — in about a month.
Zava's Identity Secure Score sat at 48 — well below the industry average — with Strong Authentication and Device Trust driving 6 of 21 failing checks. Most of the 1,818-identity estate was healthy, but risk clustered in the privileged tier: the agent flagged that 13 administrators had drifted back to standing (permanent) privileged access, including 7 newly-added admins with permanent Global Administrator rights. Break-glass accounts sat unmanaged, and a handful of admins still used SMS/phone MFA instead of phishing-resistant keys. The signals an admin needed were scattered across Secure Score, Conditional Access, PIM, and sign-in logs.
The Conditional Access Optimization agent modeled all 1,818 identities into 6 cohorts, then surfaced one ranked recommendation: remove standing admin access. Rather than a raw to-do, it drafted a phased, reversible rollout — 13 admins across 3 waves (3 → 6 → 4), starting with PIM-familiar admins at the lowest predicted disruption, auto-excluding 2 break-glass accounts, and converting permanent roles to just-in-time PIM access. An impact preview showed exactly who's affected, the Teams message each admin would receive, and the built-in safeguards. In parallel, Good State campaigns moved the remaining admins to phishing-resistant FIDO2 keys (+8.4 Secure Score points — the biggest single win).
Identity Secure Score climbed +13 points in 30 days (48 → 61), with a mapped path to 82 once the five prioritized recommendations complete. Across the estate, 92% of identities now meet their good-state baseline (1,675 of 1,818, up from ~1,180), and the tenant's six-month posture trend rose from 64 to 87. Standing-access conversion runs with 100% PIM activation among sign-ins and zero support escalations. Net: the agent turned scattered signals into one safe, sequenced action that closes the tenant's single largest source of critical exposure.
04~/renan-rios$node rollout.ts --recommendation=remove-standing-access
The single ranked recommendation becomes a phased, reversible, human-approved rollout — 13 admins across 3 waves, break-glass preserved.
13
admins in scope
3
phased waves
2
break-glass excluded
PIM-familiar admins with lowest predicted disruption
Broader admin cohort with strong sign-in cadence
Remaining permanent-role assignments with closer monitoring
Safeguards


05~/renan-rios$cat ./secure-score/report.json
Every campaign reports back to a measurable score, with the highest-impact moves ranked first.
0
current score
5 prioritized recommendations map the path to 82.
Biggest wins

06~/renan-rios$cat ./design/decisions.md
The judgment calls behind the experience — what to prioritize, when to automate, and how to earn trust with privileged change.
Outcome-framed information architecture — controls read as end-states (“No standing privilege,” “Phishing-resistant MFA only,” “No open risk”), kept consistent from hero to drawer.
“Assess at a glance” hero — a single posture read, weighted critical-exposure-by-segment, and one ranked recommendation instead of an alert list.
Human-in-the-loop trust model — chain-of-thought agent reasoning, an impact preview, admin-initiated phases, and reversible/pausable rollouts.
Break-glass safety patterns — auto-detection, exclusion, and guidance for group-based emergency access so campaigns never lock out emergency admins.
Secure Score ↔ Good State evidence loop — connecting a recommendation to execution and back to a measurable score, with a ranked “biggest wins” surface.
Cohort model surface — every identity classified across tenant signals, with confidence-gap handling that refines without blocking evaluation.
Regulation co-branding contract — only show an Entra Recommendation chip where a real 1:1 mapping exists; extensions and deep-links don't fake it.
Design decisions embodied in the prototype; exact scope and collaborators per Renan.
07~/renan-rios$ls ./screens/*.png
Key surfaces from the prototype. All mocked demo data.





// end of case study
See more Microsoft Entra work and the full delivery record, or head back home.