Entra ID Identity and Access Management Configuration — Konve IT


One-time project  ·  Per user  ·  Milestone payment

Entra ID Identity and Access Management Configuration

Who can access what, on which device, from where, under what conditions — designed, implemented, and documented. Identity is the perimeter. If your Entra ID configuration is ungoverned, every other security control you have in place is built on an unstable foundation.

  • Conditional Access policy architecture
  • MFA enforced — all accounts
  • Privileged identity management

Indicative Pricing (exclusive of VAT)

  • Base fee (up to 10 users): £900
  • Per user above 10 — standard: £55 / user
  • Per user above 10 — volume (25+): £50 / user (10% discount at 25+ users)

Example: 20-user firm — £900 + (10 × £55) = £1,450 + VAT

Payment: 50% on commencement · 50% on completion

Licence: Entra ID Plan 1 is included in Microsoft 365 Business Premium

Why identity governance matters

The most common entry point for attackers is not a technical vulnerability. It is an ungoverned identity.

Microsoft Entra ID — formerly Azure Active Directory — is the identity layer that controls access to every Microsoft 365 workload, every connected application, and every resource in your environment. It determines who can sign in, from where, on what device, and under what conditions. When it is properly configured, it is the strongest security control in your Microsoft 365 environment. When it is ungoverned, it is the most exploitable.

Most professional services firms on Microsoft 365 Business Premium have Entra ID in a partial or ungoverned state. User accounts exist but have no Conditional Access policies governing them. Administrator accounts are not separate from standard accounts. MFA is not enforced for all accounts. Guest access is unreviewed. Stale accounts from former staff remain active. Line-of-business applications have separate credentials that are never rotated.

This engagement designs and implements a complete identity and access management architecture for your organisation — covering every user, every access scenario, every privileged role, and every connected application. The result is an identity layer that is documented, defensible, and aligned to the Cyber Essentials user access control requirements from the point of completion.

No MFA — compromised credentials give full access

Without MFA, a stolen or guessed password gives an attacker complete access to your Microsoft 365 environment from anywhere in the world.

Stale accounts — former staff retaining access

Accounts belonging to former employees, contractors, or partners that have not been properly offboarded are active credentials that can be exploited or compromised.

No admin account separation — one compromise is total compromise

Using the same account for daily work and administrative tasks means a single phishing email can result in complete administrative control of your environment being handed to an attacker.

Unreviewed guest access — external exposure you cannot see

Guest accounts provisioned for client collaboration that have never been reviewed accumulate over time, giving external parties ongoing access to internal resources long after the need has passed.

No Conditional Access — access from anywhere, on any device

Without Conditional Access policies, your Microsoft 365 environment is accessible from any device, any location, and any network — including unmanaged personal devices and known high-risk locations.

Scope of work

Six workstreams covering every dimension of identity governance.

The engagement is designed to leave no identity governance gap unaddressed. Every workstream is delivered within the single engagement — not phased across separate projects.

Workstream 01

MFA and Conditional Access

  • MFA enforcement for all user accounts — no exceptions
  • Conditional Access policy architecture design — covering all access scenarios
  • Device compliance enforcement where Intune is deployed
  • Location and risk-based access policies
  • Legacy authentication protocol blocking

Workstream 02

User Account Governance

  • User account audit — identification of stale, orphaned, and ungoverned accounts
  • Stale account remediation — disabled or deleted with documented evidence
  • Group structure design aligned to your organisational structure
  • Licence assignment governance
  • Onboarding and offboarding process documentation

Workstream 03

Privileged Identity Management

  • Administrator account audit — all accounts with privileged roles identified
  • Separation of admin accounts from standard user accounts
  • Privileged role minimisation — removal of unnecessary Global Administrator assignments
  • Privileged Identity Management configuration for time-bound elevated access

Workstream 04

Guest and External Access

  • Guest account audit — all active guest accounts identified and reviewed
  • Stale guest account remediation
  • External sharing policy configuration for SharePoint and OneDrive
  • Access review policy design and documentation
  • Teams external access and guest settings governance

Workstream 05

Single Sign-On Integration

  • Audit of line-of-business applications in use
  • SSO configuration for applications confirmed in the Statement of Work
  • SAML and OAuth integration for supported applications
  • Application access policy aligned to user roles and Conditional Access

Workstream 06

Audit Logging and Access Certification

  • Microsoft 365 audit logging activation and configuration
  • Audit log retention policy configuration
  • Access certification policy documentation — periodic review schedule
  • Sign-in risk reporting configuration

Law firm-specific: ethical wall configuration

Where a law firm has multiple practice areas that must not share access to each other's files — family and corporate, for example — Entra ID and SharePoint permission architecture can be configured to enforce information barriers at the identity level. Where ethical walls are required, this is confirmed in the Statement of Work before commencement and delivered as part of this engagement at no additional charge.

What you receive

A governed identity environment. Documented from day one.

Completion is confirmed in writing by Konve IT when the configuration is live and verified. The Tenant Configuration Document follows on completion.

Governed Identity Architecture

Not a report — a live, configured environment. MFA enforced. Conditional Access policies active. Stale accounts remediated. Admin accounts separated. Guest access reviewed and governed. SSO integrations operational. Audit logging active. All of this is in place before the engagement closes.

Administrator Handover Session

A sixty-minute remote session with your nominated administrator covering the Conditional Access policy architecture, how to manage user accounts within the governance framework, how to onboard and offboard users correctly, how to review guest access, and how to read sign-in risk reports.

Who this is for

Organisations where identity is the biggest unaddressed security gap.

If you are on Microsoft 365 Business Premium and you do not have Conditional Access policies, enforced MFA, and a clean account inventory, this is the highest-value security engagement available to your organisation.

Situation 01

You have Microsoft 365 Business Premium and Entra ID has never been professionally configured.

Business Premium includes the full Entra ID Plan 1 feature set — Conditional Access, Privileged Identity Management, and Identity Protection. The vast majority of firms on Business Premium are using none of these capabilities. This engagement deploys everything that is already included in the licence you are paying for.

Situation 02

A Cyber Essentials assessment has identified MFA absence or ungoverned administrator accounts as critical gaps.

MFA enforcement and administrator account separation are two of the most commonly failed Cyber Essentials controls. Both are addressed directly within this engagement. Where the assessment was completed with Konve IT, the findings feed directly into the scope of this work without requiring a repeat assessment.

Situation 03

You are a law firm that needs to demonstrate appropriate access controls and information barriers to satisfy SRA requirements.

The SRA Code of Conduct requires firms to have appropriate systems and controls to manage confidential information. A governed Entra ID configuration — with Conditional Access, privilege separation, guest access controls, and audit logging — provides the documented evidence that those systems are in place and operating correctly.

Situation 04

Staff use separate passwords for multiple line-of-business applications and password management is a persistent operational problem.

SSO integration through Entra ID eliminates separate application credentials for every integrated application — staff sign in once with their Microsoft 365 account and access all connected applications without additional passwords. This reduces both the security risk of weak application passwords and the operational burden of password management.

What this service does not include

Each of the following is available separately or is beyond the scope of this engagement.

  • Microsoft Intune device enrolment and endpoint management
  • Full Microsoft 365 tenant deployment or remediation across all workstreams
  • SSO integration for applications beyond those confirmed in the SoW
  • On-premises Active Directory migration or synchronisation
  • Procurement or payment of Microsoft 365 licences
  • Helpdesk, end-user support, or break-fix
  • Ongoing management of identity governance following completion
  • ISO 27001 ISMS design or data protection impact assessments

Pricing

Base fee plus per-user above ten.

Identity governance scales with user count — more users means more accounts to audit, more Conditional Access scenarios to design for, and more SSO integrations to configure. The per-user increment reflects that genuine variability.

Entra ID Identity and Access Management Configuration: project fee structure (excl. VAT)

  Base fee (covers fixed overhead, includes up to 10 users)          £900
  Per user above 10 — standard rate                                  £55 / user
  Per user above 10 — volume rate (25 or more users confirmed)       £50 / user

Example calculations (excl. VAT)

  10 users                          £900                   £900
  20 users                          £900 + (10 × £55)      £1,450
  30 users — volume rate            £900 + (20 × £50)      £1,900
  50 users — volume rate            £900 + (40 × £50)      £2,900

Volume rate: The 10% volume discount applies automatically where 25 or more users are confirmed in the Statement of Work.

Payment Milestones

Milestone 1: On commencement (50%)

Due before work begins. Covers account audit, Conditional Access policy design, and privilege review.

Milestone 2: On completion (50%)

Due when all six workstreams are complete and Konve IT confirms the environment is live and configured.

All fees are exclusive of VAT. Invoices payable within 14 days.

Want ongoing identity governance management?

The Identity and Access Management Managed Retainer covers monthly new user provisioning, access reviews, policy updates, and monthly audit log review.

from £5.00 / user / month

How to get started

Three steps from enquiry to a governed identity environment.

The questionnaire for this engagement captures your current Entra ID state, user and admin account counts, line-of-business applications for SSO, and any law firm-specific requirements such as ethical walls. Complete it as accurately as you can — the audit in the engagement will fill any gaps.

01

Complete the onboarding form

Download and complete the Konve IT Client Onboarding Form. It captures your organisation details, contacts, sector, and regulatory obligations.

02

Complete the service questionnaire

Download and complete the Entra ID Questionnaire. It captures your Microsoft 365 tenant details, current MFA status, admin account count, guest access state, line-of-business applications for SSO integration, and any law firm ethical wall requirements.

03

Review and sign the Statement of Work

Konve IT issues a Statement of Work within two working days. On signature and receipt of the first instalment, the account audit begins and Conditional Access policy design commences in parallel.
