Identity and Access Management (IAM): A Practical Guide for Mid-Market IT Teams
What IAM actually means when you have to live with it
Somebody asks you in a meeting what your identity and access management strategy is. You have Entra ID. You have MFA on most accounts. There's a wiki page from 2023 that says new hires get added to three security groups. Is that a strategy? Sort of. Is that IAM? Also sort of.
The category is genuinely vague. Vendors will sell you a "comprehensive IAM platform" that does six different things, three of which you don't need and one of which Microsoft already gives you for free. So let's clean it up.
IAM is the layer that knows who someone is and what they can log into. That's the whole job. Authentication (proving they are who they say). Authorization (deciding what they can reach). Plus the directory that stores those people, the policies that gate them, and the lifecycle that adds and removes them over time.
If your company runs Microsoft 365, you already have most of an IAM stack. The question is whether you're getting the value out of it, and where the gaps are.
This guide walks through every piece: what mid-market companies (50 to 1,000 people) typically get wrong, and where the line is between "Entra ID is enough" and "you need something on top."
The five pieces of an IAM stack
There are honestly only five things to think about. Vendors will draw thirty-box architecture diagrams and call them reference models. Ignore those.
The directory. This is where every user account, group, and role lives. For most Nordic mid-market companies, the directory is Microsoft Entra ID (formerly Azure AD). If the company has been around a while, there's usually an on-prem Active Directory paired with it. The directory is the source of truth for who exists.
Authentication. Proving the user is who they say they are. Passwords, MFA prompts, passkeys, Windows Hello, SAML federations to other directories. All authentication. If you have Entra ID with MFA enforced, you have authentication.
Authorization. Deciding what someone is allowed to do once they're in. Group membership, role assignments, permissions on individual SharePoint sites or Azure resources. Authorization is where most of the access creep and audit pain actually lives.
Access policies. The rules that gate authentication and authorization at runtime. Conditional Access in Entra ID is the dominant tool here. "Require MFA from outside the office." "Block legacy authentication." "Allow admin actions only from compliant devices."
Lifecycle. Adding people, changing their access when they move, removing them when they leave. The joiner-mover-leaver cycle. This is where IAM blurs into identity governance, and where most companies have the biggest gap.
Every "IAM strategy" is just a set of choices about how each of those five pieces works at your company. That's it.
What Entra ID already does (and what it doesn't)
Microsoft Entra ID covers the first four pieces reasonably well at the right license tier. The fifth (lifecycle) is where the wheels come off.
Out of the box, Entra ID handles:
- A directory of users, groups, and devices.
- Authentication via password plus MFA, passkeys, or external federations.
- Authorization through group-based access and assigned roles.
- Conditional Access policies (with P1 licensing or above).
- Single sign-on to thousands of SaaS apps via the enterprise applications gallery.
For most mid-market companies, that's a real IAM platform. Treat it as one.
What Entra ID doesn't cover well at standard tiers:
- Automated provisioning from HR. Native lifecycle workflows exist, but they live in Entra ID Governance (P2 or Suite licensing).
- Periodic access reviews for everything (also P2 territory).
- Audit reporting that an ISO 27001 auditor will accept without follow-up questions.
- Cleaning up old access. Entra ID is excellent at adding access and quietly indifferent about removing it. That's where access creep comes from.
- Cross-system view of access. A user might have permissions in Salesforce, Jira, and finance systems. Entra ID only sees what's brokered through it.
So a typical mid-market IAM gap looks like this. Authentication is fine. Conditional Access is fine. The directory is fine. The piece that's missing is the lifecycle and the audit trail. That's not really a hole in IAM. That's where identity governance (IGA) sits on top.
If you've ever wondered where IAM ends and IGA begins, the practical difference is here.
How authentication should actually be set up
There's a long version of this and a short version. The short version, for a 200-person company:
- MFA on everyone, no exceptions for the CEO.
- A Conditional Access policy that blocks legacy authentication. (If you still have POP3 or IMAP traffic, find the user and fix it.)
- A sign-in risk policy that forces an MFA re-prompt on high-risk sign-ins.
- A passwordless rollout (Windows Hello and passkeys) for at least the admin accounts. Get that running before you try to do it for everyone.
- A break-glass admin account, excluded from MFA and Conditional Access, with a stored credential nobody touches except in an emergency.
If you do those five things, your authentication setup is in the top third of mid-market companies. None of it requires anything beyond Entra ID P1. Microsoft has made this part of the stack good enough that you don't need a third party.
The piece that breaks most often isn't authentication itself. It's the exceptions. Someone gets locked out, you add them to a Conditional Access exclusion group, the ticket closes. Three months later that exclusion is still in place for a person who no longer needs it. That's an auditor finding waiting to happen.
How authorization gets out of hand
Authorization is where the volume is. Adding someone to a group takes ten seconds. A 200-person company is doing roughly 15 to 20 access changes a week. New hires, role changes, project rotations, leave covers, contractor on/off. That's 800 to 1,000 access events a year.
Almost all of them go in. Almost none of them come back out.
Three things drive this:
No removal triggers. When a project ends, no Jira ticket says "remove these eight people from this SharePoint site." When a role changes, the new manager assumes the old manager cleaned up. The old manager assumes the new one will.
Mixed group hygiene. Some groups are dynamic. Some are manually assigned. Some are nested into Microsoft 365 groups. Some are synced from on-prem AD. Cleaning up "all the groups for this person" usually requires touching three different admin surfaces. People skip it.
Permission inheritance. Adding someone to a Teams channel quietly adds them to the underlying SharePoint site and the underlying Microsoft 365 group. Removing them from the Teams channel doesn't always remove them from those underlying objects. The access stays.
The fix is two things together. A regular access review where managers actually look at who has what, plus dynamic groups based on real attributes so most memberships clean themselves up. We've got the dynamic groups setup walkthrough here, with the gotchas worth knowing before you build a thirty-rule dynamic group only to find the data is wrong.
Conditional Access, in real life
Conditional Access is where Entra ID is at its best. It's also where most mid-market companies do half the job and stop.
A solid Conditional Access baseline for a Nordic mid-market company:
Require MFA for all users. Sounds basic. A surprising number of companies still have policies "for users in this group" rather than "for everyone." Flip it.
Block legacy authentication. Anything that isn't modern auth is a phishing factory. Modern apps don't need it. Block it.
Require compliant devices for admin actions. Global Admin, User Admin, anything privileged. Admin work happens from a managed Windows or Mac device, not the marketing intern's home laptop.
Geo-restrict sign-ins. If 100 percent of your staff is in the Nordics, sign-ins from Brazil at 03:00 are not a normal Tuesday. Block by country, or at least require MFA plus device compliance from outside your operating geography.
Block or step up risky sign-ins. Use Identity Protection if you have P2. If you don't, at least set up sign-in risk policies that prompt for MFA on medium-risk events.
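As an added example (not code from the article or from Adcyma), here is what the first two policies in that baseline look like when created with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph modules are installed, an Entra ID P1 tenant, and that a break-glass group already exists; the group name and the "CA001"/"CA002" policy names are invented placeholders. Both policies are created in report-only mode so you can watch the sign-in logs for a week before flipping them to enforced.

```powershell
# Added example, not from the original article. Creates two baseline
# Conditional Access policies: require MFA for everyone, and block legacy auth.
# Assumed: Microsoft.Graph modules installed, Entra ID P1, caller holds the
# Conditional Access Administrator role, break-glass group already exists.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Break-glass accounts are excluded from every policy; otherwise a broken
# policy locks out the people who fix broken policies.
$breakGlassGroupName = "SEC-BreakGlass-Exclude"   # placeholder name
$breakGlass = Get-MgGroup -Filter "displayName eq '$breakGlassGroupName'"
if (-not $breakGlass) { throw "Break-glass group '$breakGlassGroupName' not found; create it first." }

# Policy 1: require MFA for all users on all cloud apps.
$requireMfa = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # report-only first
    conditions    = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Policy 2: block legacy authentication. "exchangeActiveSync" and "other" are
# the Graph client app types covering Basic-auth clients (POP, IMAP, SMTP AUTH,
# older Office builds). Modern-auth clients are untouched.
$blockLegacy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

foreach ($body in @($requireMfa, $blockLegacy)) {
    # Idempotent: skip policies that already exist so the script can be re-run.
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($body.displayName)'"
    if ($existing) {
        Write-Host "Exists, skipping: $($body.displayName)"
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    Write-Host "Created '$($created.DisplayName)' state=$($created.State) id=$($created.Id)"
}
```

Once report-only sign-in logs show no legitimate users being caught, change `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`. Keep the break-glass exclusion in place when you do.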
The mistake people make is bolting on Conditional Access policies one at a time without thinking about overlap. You end up with 17 policies, three of which contradict each other. You spend a Thursday trying to figure out why the CFO can't log in from the train. Document the intent of each policy, review them quarterly, and kill anything that's a workaround for a problem that no longer exists.
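Two of the problems described in this guide, the "temporary" Conditional Access exclusion that outlives its reason and the pile of overlapping policies nobody has documented, come down to the same missing artefact: a current inventory. As an added example (not from the article or from Adcyma), this script builds that inventory with the Microsoft Graph PowerShell SDK: one CSV with every policy, its state and its include/exclude scope, and a second CSV listing every person currently sitting in an excluded group, per policy. It assumes the Microsoft.Graph modules and read access to policies and groups; the output file names are arbitrary.

```powershell
# Added example, not from the original article. Exports a Conditional Access
# inventory plus the membership of every excluded group, for quarterly review.
# Assumed: Microsoft.Graph modules installed; caller can read CA policies and groups.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes "Policy.Read.All", "Group.Read.All", "GroupMember.Read.All"

$policies = Get-MgIdentityConditionalAccessPolicy -All
$script:groupCache = @{}   # group id -> display name; resolve each group once

function Get-GroupName {
    param([string]$GroupId)
    if (-not $script:groupCache.ContainsKey($GroupId)) {
        $g = Get-MgGroup -GroupId $GroupId -Property Id,DisplayName -ErrorAction SilentlyContinue
        # A deleted group still referenced by a policy is itself a finding.
        $script:groupCache[$GroupId] = if ($g) { $g.DisplayName } else { "<deleted group $GroupId>" }
    }
    return $script:groupCache[$GroupId]
}

# Sheet 1: one row per policy. Disabled and report-only rows are the first
# candidates for "is this still needed?", and Modified shows how stale it is.
$policyRows = foreach ($p in $policies) {
    [pscustomobject]@{
        Policy        = $p.DisplayName
        State         = $p.State
        IncludeUsers  = ($p.Conditions.Users.IncludeUsers -join ";")
        IncludeGroups = (($p.Conditions.Users.IncludeGroups | ForEach-Object { Get-GroupName $_ }) -join ";")
        ExcludeUsers  = ($p.Conditions.Users.ExcludeUsers -join ";")
        ExcludeGroups = (($p.Conditions.Users.ExcludeGroups | ForEach-Object { Get-GroupName $_ }) -join ";")
        ClientApps    = ($p.Conditions.ClientAppTypes -join ";")
        Grant         = ($p.GrantControls.BuiltInControls -join ";")
        Modified      = $p.ModifiedDateTime
    }
}

# Sheet 2: one row per (policy, excluded group, member). This is the list a
# manager signs off on; anyone here is bypassing that policy today.
$exclusionRows = foreach ($p in $policies) {
    foreach ($gid in $p.Conditions.Users.ExcludeGroups) {
        $members = Get-MgGroupMember -GroupId $gid -All -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            $props = $m.AdditionalProperties
            [pscustomobject]@{
                Policy        = $p.DisplayName
                ExcludedGroup = Get-GroupName $gid
                Member        = if ($props.userPrincipalName) { $props.userPrincipalName } else { $props.displayName }
                MemberType    = ($props.'@odata.type' -replace '#microsoft.graph.', '')
            }
        }
    }
}

$policyRows    | Export-Csv -Path ".\ca-policies.csv"   -NoTypeInformation -Encoding utf8
$exclusionRows | Export-Csv -Path ".\ca-exclusions.csv" -NoTypeInformation -Encoding utf8
Write-Host "$($policies.Count) policies, $(@($exclusionRows).Count) exclusion memberships exported."
```

Diff the two CSVs against last quarter's run: a row that appears in `ca-exclusions.csv` for a second consecutive quarter is exactly the lingering exception the section above warns about.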
The hybrid case: on-prem AD plus Entra ID
A big share of Nordic mid-market companies still have on-premises Active Directory. Either because of a file server somewhere, a line-of-business app that doesn't speak modern auth, or because nobody's gotten around to retiring it.
If you're hybrid, your IAM strategy has to account for both. The hybrid identity playbook covers this in depth. The short version:
Entra Connect (formerly Azure AD Connect) syncs accounts and attributes between AD and Entra ID. Decide which one is the source of truth for each attribute. Don't try to write back to both.
Password hash sync is the simplest authentication option. Pass-through auth is fine. Federation via ADFS is increasingly unnecessary and a maintenance burden you don't need.
Be deliberate about which apps live where. Modern SaaS goes to Entra ID. Legacy on-prem apps stay on AD until they're retired or replaced.
Plan an AD-retirement path even if it's three years out. Hybrid is fine. Permanent hybrid is expensive.
The biggest IAM mistake in a hybrid environment is treating AD and Entra ID as two separate identity systems. They are not. They should look like one system to your users. If a user has different access in different systems, that's an attack vector and an audit finding both.
Licensing, briefly
Entra ID licensing is its own special hellscape. The very short version:
Entra ID Free comes with Microsoft 365. You get the directory and basic auth. Entra ID P1 (often bundled with Microsoft 365 E3) adds Conditional Access, group-based licensing, dynamic groups, and self-service password reset. Most mid-market companies should be here at minimum.
Entra ID P2 adds Identity Protection, Privileged Identity Management, and risk-based Conditional Access. Useful for higher-risk roles.
Entra ID Governance (formerly Identity Governance) adds Entitlement Management, Access Reviews, and Lifecycle Workflows. Significant additional cost.
The trap is over-licensing. P2 for everyone is rarely worth it. P2 for admins, finance, and engineering is usually the right footprint. We wrote about the licensing mess in detail here.
The other trap is under-licensing. Free is not enough for a 200-person company. If you're trying to enforce Conditional Access policies and you don't have P1, you're going to hit walls.
The lifecycle gap
Authentication, authorization, policies, directory. Those four pieces are solvable with native Entra ID and good policy hygiene. The fifth piece, lifecycle, is where most mid-market companies need outside help, whether they admit it or not.
Lifecycle means three workflows:
Joiner. A new person starts. They need an account, a license, the right groups, the right SaaS app assignments, and a working email by 09:00 on day one. Done well, this is 30 seconds of human input. Done badly, it's three hours of clicking across four admin portals.
Mover. Somebody changes roles. They need new access for the new role, and the old access from the previous role needs to go away. The "go away" part is where access creep is born. If your mover workflow doesn't remove anything, you're just adding access for the rest of someone's career.
Leaver. Somebody leaves. Their account is disabled, their sessions are killed, their licenses are reclaimed, their group memberships are stripped, their files are handed off, and their mailbox is converted to shared. The full Entra ID offboarding checklist is here. It's ten steps. Doing it manually for one person takes about 45 minutes if you're focused.
That last point is the real cost. A 200-person company with healthy turnover (around 10 to 15 percent per year) is doing roughly 25 leavers a year. 25 leavers times 45 minutes equals nearly 19 hours of pure offboarding clicks. And that's the easy part. The hard part is making sure none of those 10 steps got skipped.
This is the workflow native Entra ID handles least well at standard licensing. You can build it with Power Automate plus PowerShell plus Logic Apps if you have the time. Most mid-market IT teams don't. So the work goes in tickets, the tickets are inconsistent, and the audit suffers.
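The leaver steps listed above (disable, kill sessions, reclaim licenses, strip groups, convert the mailbox to shared) are the part of the cycle that is easiest to script and most expensive to skip. As an added example (not from the article, the linked checklist, or Adcyma), here is that sequence in Microsoft Graph PowerShell plus Exchange Online. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, a caller with user, group and Exchange admin rights, and a placeholder UPN; the file hand-off step is deliberately not covered here because it depends on your OneDrive retention setup.

```powershell
# Added example, not from the original article. Automates the leaver steps the
# guide lists. Assumed: Microsoft.Graph + ExchangeOnlineManagement modules,
# caller has User/Groups administrator and Exchange admin rights.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions
Import-Module Microsoft.Graph.Groups
Import-Module ExchangeOnlineManagement

Connect-MgGraph -Scopes "User.ReadWrite.All", "User.RevokeSessions.All", "GroupMember.ReadWrite.All", "Directory.Read.All"
Connect-ExchangeOnline

function Invoke-LeaverOffboarding {
    param([Parameter(Mandatory)][string]$Upn)   # e.g. leaver@example.com (placeholder)

    $user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName,AccountEnabled
    $log  = [System.Collections.Generic.List[string]]::new()

    # 1. Disable the account first; everything after this is cleanup.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    $log.Add("disabled account")

    # 2. Revoke refresh tokens. Already-issued access tokens live until expiry
    #    (up to an hour) unless the app supports Continuous Access Evaluation.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    $log.Add("revoked sign-in sessions")

    # 3. Convert the mailbox to shared BEFORE removing the license. A shared
    #    mailbox under 50 GB needs no license; an unlicensed user mailbox is
    #    deleted after the grace period.
    try {
        Set-Mailbox -Identity $Upn -Type Shared
        $log.Add("mailbox converted to shared")
    } catch { $log.Add("mailbox not converted: $($_.Exception.Message)") }

    # 4. Reclaim directly assigned licenses. Group-assigned licenses cannot be
    #    removed here; they disappear when the user leaves the licensing group in step 5.
    $skus = @((Get-MgUserLicenseDetail -UserId $user.Id).SkuId)
    if ($skus.Count -gt 0) {
        try {
            Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $skus | Out-Null
            $log.Add("removed $($skus.Count) directly assigned license(s)")
        } catch { $log.Add("license removal: $($_.Exception.Message)") }
    }

    # 5. Strip group memberships. Dynamic groups cannot be edited (their rule
    #    decides); distribution lists and mail-enabled security groups are
    #    Exchange objects and reject Graph member removal, so use EXO for them.
    $groups = Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group' }
    foreach ($g in $groups) {
        $props     = $g.AdditionalProperties
        $isDynamic = $props.groupTypes -contains 'DynamicMembership'
        $isUnified = $props.groupTypes -contains 'Unified'
        $isExoOnly = ($props.mailEnabled -eq $true) -and -not $isUnified
        if ($isDynamic) { $log.Add("skipped dynamic group '$($props.displayName)'"); continue }
        if ($isExoOnly) {
            Remove-DistributionGroupMember -Identity $props.mail -Member $Upn -Confirm:$false
        } else {
            Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id
        }
        $log.Add("removed from group '$($props.displayName)'")
    }

    return $log   # one line per completed step: this is your audit evidence
}

# Usage (placeholder UPN):
# Invoke-LeaverOffboarding -Upn "leaver@example.com" | Tee-Object -FilePath ".\offboarding-leaver.log"
```

The returned log is the point: write it to the ticket and the "did step 7 get skipped?" question from the audit answers itself.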
How IAM goes wrong in mid-market companies
A few patterns we see often:
Everyone is admin. Old habits. The IT manager has Global Admin. So does the senior sysadmin who left in 2024 and whose account "we'll clean up later." So does the consultant who set up the tenant in 2021. Three Global Admins are reasonable. Eleven Global Admins is an incident waiting to happen. Use Privileged Identity Management if you have P2, or at minimum run a manual privileged-role review every quarter.
No service account hygiene. Service accounts (or "users" that are really service accounts) get created for an integration, the integration gets retired, the service account stays. It still has a credential. It still has permissions. Inventory them annually and kill what doesn't belong.
Guest sprawl. External guests get added to Teams channels for a project. Project ends. Guests stay. After three years, your guest list looks like a LinkedIn search result. Run a guest review at least once a year and clean it.
No documented break-glass account. When the SSO provider has a bad day, you need a way in. Without a documented and tested break-glass admin account, you've made yourself dependent on a single auth path. Set one up. Test it. Document it. Lock the credential in a physical safe.
MFA is "mostly" enforced. Mostly isn't enforced. The attacker only needs the one exception.
None of these are exotic. All of them are common. Fixing them takes a Friday afternoon. The reason they go unfixed is the same reason access creep goes unfixed. It's nobody's specific job.
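Two of the patterns above, too many Global Admins and guest sprawl, are pure reporting problems. As an added example (not from the article or from Adcyma), here is a quarterly hygiene report in Microsoft Graph PowerShell that lists every active Global Administrator and every guest with no sign-in in the last 365 days. It assumes the Microsoft.Graph modules and an Entra ID P1 tenant (sign-in activity data requires P1); the 365-day threshold and the output file name are choices made here, not from the page.

```powershell
# Added example, not from the original article. Quarterly privileged-role and
# guest review. Assumed: Microsoft.Graph modules, Entra ID P1 for signInActivity.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes "User.Read.All", "Directory.Read.All", "AuditLog.Read.All"

function Get-GlobalAdminReport {
    # Active assignments only (permanent, or PIM-activated right now). PIM
    # *eligible* assignments are not in this list; if you use PIM, review
    # Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance as well.
    $role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    foreach ($m in $members) {
        $props = $m.AdditionalProperties
        [pscustomobject]@{
            Type = ($props.'@odata.type' -replace '#microsoft.graph.', '')   # user, servicePrincipal, group
            Name = $props.displayName
            Upn  = $props.userPrincipalName   # empty for service principals and groups
        }
    }
}

function Get-StaleGuestReport {
    param([int]$InactiveDays = 365)
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)
    $guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
        -Property Id,DisplayName,Mail,CreatedDateTime,AccountEnabled,SignInActivity
    foreach ($g in $guests) {
        # A guest who never accepted the invitation has no SignInActivity at all;
        # fall back to the creation date so those show up too.
        $last = $g.SignInActivity.LastSignInDateTime
        if (-not $last) { $last = $g.CreatedDateTime }
        if ($last -lt $cutoff) {
            [pscustomobject]@{
                Name       = $g.DisplayName
                Mail       = $g.Mail
                Created    = $g.CreatedDateTime
                LastSignIn = $g.SignInActivity.LastSignInDateTime   # empty = never
                Enabled    = $g.AccountEnabled
            }
        }
    }
}

$admins = @(Get-GlobalAdminReport)
$stale  = @(Get-StaleGuestReport -InactiveDays 365)

Write-Host "Global Administrators (active): $($admins.Count)"
$admins | Format-Table -AutoSize
Write-Host "Guests with no sign-in for 365+ days: $($stale.Count)"
$stale | Export-Csv -Path ".\stale-guests.csv" -NoTypeInformation -Encoding utf8
```

Run it on the first day of each quarter and the "we'll clean that up later" accounts stop being invisible. Stale guests are better disabled first and deleted a month later than deleted outright, so a project that quietly resumed can be restored without re-inviting.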
Building an IAM strategy without making it a six-month project
If you're a 100-person company trying to "have an IAM strategy," don't start with a 40-page document.
Start with five questions:
- Where does our authoritative identity data come from? (Usually the HR system or whoever owns hiring data.)
- What's our authentication baseline? (MFA, passwordless plan, break-glass.)
- What's our authorization model? (Group-based, role-based, both, none.)
- What Conditional Access policies are actually in force, and why?
- What happens when somebody joins, moves, or leaves?
Write the answers down. One page. If you can't answer one of them clearly, that's your top priority for the next quarter.
Then prioritize based on risk and effort:
- Privileged access cleanup (low effort, high risk).
- MFA enforcement gaps (low effort, high risk).
- Lifecycle automation (higher effort, ongoing benefit).
- Access reviews (medium effort, audit-critical).
- Conditional Access overhaul (medium effort, depends how messy it is).
That's a 12-month roadmap. You don't need a vendor to give it to you.
Where Adcyma fits in this picture
Full transparency: this is our product, so take this with the appropriate context. Adcyma sits in the lifecycle gap. We don't try to be your directory, your auth provider, or your Conditional Access engine. Entra ID does that. We handle the joiner-mover-leaver automation, the access reviews, and the audit reporting on top.
That's a deliberate choice. The first four pieces of the IAM stack are well covered by Microsoft for mid-market companies. The fifth piece is where the manual work and the audit risk lives. So that's where the product focuses.
If you're at the point where you're spending hours every week clicking through Entra ID to provision and deprovision, or where your last SOC 2 audit involved screenshotting group memberships into a Word document, that's the gap. Adcyma is free for up to 25 users. For larger teams there's a 14-day trial. No credit card, no consultants, no six-month rollout.
Related reading
- IAM vs IGA: What the Acronyms Actually Mean for Your Company
- Access creep: what it is and how to stop it in Entra ID
- The Complete Entra ID Offboarding Checklist for IT Teams
- Active Directory and Entra ID: Managing Identities Across Both
- How to Set Up Dynamic Security Groups in Entra ID
- Entra ID Licensing Is a Mess (Here Is What You Actually Need)