Identity and Access
Management
Managed Retainer
New user provisioning governance, leaver offboarding, access reviews, Conditional Access policy updates, monthly audit log review, and quarterly access certification. Konve IT keeps your identity environment current. Your headcount changes — the governance keeps pace.
Monthly Retainer Pricing
Four monthly activities. Quarterly access certification. All included.
Identity governance is not a one-time configuration. Every new starter, every leaver, every role change, and every new application represents a change to the access landscape. This retainer keeps that landscape current and documented.
New User Provisioning Governance
When you notify Konve IT of a new starter, Konve IT verifies that the account has been provisioned correctly within the agreed governance framework — appropriate group membership, licence assignment, MFA enrolled, Conditional Access policies applying correctly, and any SSO application access configured. This is governance oversight, not helpdesk provisioning. Your IT administrator or practice manager provisions the account; Konve IT verifies it is correctly configured within the identity architecture.
Leaver Offboarding Governance
When you notify Konve IT of a leaver, Konve IT verifies that the offboarding has been completed correctly — account disabled or deleted, active sessions revoked, MFA methods removed, group memberships cleared, licence reallocated, and any shared mailbox or resource access transferred. The most common identity security failure in professional services firms is incomplete offboarding — accounts that remain partially active after a staff member leaves. This activity ensures it does not happen.
Audit Log Review and Policy Updates
Monthly review of Microsoft 365 audit logs — sign-in risk events, unusual access patterns, failed authentication attempts, and any administrative actions taken outside of the agreed governance framework. Where the review identifies anything that warrants investigation or a policy adjustment, Konve IT notifies you and recommends action. Conditional Access policy updates applied where required by changes in your environment, Microsoft platform updates, or emerging threat patterns.
IAM Health Report
Delivered by the fifth working day of each calendar month. Covers: new users provisioned and governance check outcome; leavers offboarded and offboarding verification outcome; notable audit log events and any actions taken; Conditional Access policy changes made during the month; current guest account count and any flagged for review; and any recommended changes to the identity governance framework. Suitable for management and regulatory review.
Response and resolution commitments.
Service levels are measured during Business Hours — 09:00 to 17:30, Monday to Friday, excluding English public holidays — from the point at which Konve IT receives written notification from you.
Leaver offboarding governance should be initiated immediately on a staff member leaving — not retrospectively. The sooner Konve IT is notified, the sooner the verification is complete. For urgent situations — a staff member leaving under difficult circumstances — use the urgent access revocation request route. Konve IT will prioritise verification of account disablement and session revocation.
This retainer provides governance oversight — not account provisioning or helpdesk support.
- Account creation or deletion — performed by your administrator, verified by Konve IT
- Helpdesk or end-user support of any kind
- SSO integration for new applications not in the original configuration
- Major redesign of the Conditional Access policy architecture — subject to a written change order
- On-premise Active Directory management
- Microsoft 365 licence procurement or billing management
Per user per month. Adjusts as your headcount changes.
The retainer is priced per user because identity governance scales with the number of people whose access needs to be managed. As your headcount changes, the fee changes from the following invoice — you are billed for the environment you actually have.
Identity and Access Management Managed Retainer
Retainer Terms
From the commencement date confirmed in the Statement of Work.
Renews for successive 12-month periods unless either party gives 30 days' written notice before the end of the then-current term.
Issued on the first working day of each calendar month. Payable within 14 days.
Notify Konve IT within 5 working days of any user change. Leavers should be notified on the day of departure where possible.
Konve IT may review the per-user rate annually with 30 days' notice.
Entra ID not yet properly configured?
This retainer assumes that Microsoft Entra ID has been professionally configured — Conditional Access policies are in place, MFA is enforced, admin accounts are separated, and the identity architecture is documented. If Entra ID has not been configured to this standard, the Entra ID Identity and Access Management Configuration engagement establishes the foundation first.
Three steps to a running retainer.
If your Entra ID environment is already professionally configured — whether by Konve IT or another provider — the retainer can begin immediately following signature of the Statement of Work.
Complete the onboarding form
Download and complete the Konve IT Client Onboarding Form. If already submitted for a previous engagement, you do not need to complete it again.
Complete the service questionnaire
Download and complete the Entra ID Questionnaire. Confirms that the identity configuration is in place, total user count, preferred process for notifying Konve IT of starters and leavers, and reporting contact for the monthly IAM Health Report.
Review and sign the Statement of Work
Konve IT issues a Statement of Work within two working days. The retainer commences on the first day of the calendar month following signature, or from the commencement date confirmed in the SoW.