📄️ Design Conditional Access posture
Implementation Effort: Medium – Requires policy planning and technical setup.
📄️ Stop buying or building Active Directory dependent apps
Implementation Effort: High – Transitioning away from Active Directory (AD) dependencies requires comprehensive changes in procurement policies, development practices, and IT governance processes.
📄️ Discover and triage modern apps
Implementation Effort: Medium – Requires coordination across IT, security, and application teams to inventory and assess applications, but can be streamlined with available tools.
📄️ Discover and triage legacy apps
Overview
📄️ Rollout CA with MFA controls
Overview
📄️ Rollout Conditional Access with device state and application compliance controls
Implementation Effort: High – Requires policy setup and integration with Intune.
📄️ Deploy Conditional Access policies with risk control
Implementation Effort: Medium – Requires configuration of risk-based policies and integration with Identity Protection.
📄️ Roll out Conditional Access for guest accounts
Implementation Effort: Medium – Requires policy configuration and cross-tenant settings.
📄️ Migrate VPN auth to Entra
Overview
📄️ Enable on-prem remote access for web apps without VPN
Overview
📄️ Rollout governance for app assignments
Overview
📄️ Define application infrastructure server management strategy
Implementation Effort: High – Establishing a comprehensive server management strategy requires significant planning, coordination across IT and security teams, and potential restructuring of existing infrastructure and policies.
📄️ Deploy Entra Domain Services
Implementation Effort: Medium – Deploying Microsoft Entra Domain Services (MEDS) involves configuring virtual networks, which requires cross-team planning and operational execution.
📄️ Remove app infra servers from AD
Overview
📄️ Define and rollout VDI strategy
Implementation Effort: High – Developing and deploying a Virtual Desktop Infrastructure (VDI) strategy involves significant planning, resource allocation, and coordination across IT and security teams, including infrastructure setup, policy configuration, and ongoing management.
📄️ Migrate Cloud print servers to cloud
Implementation Effort: High – Transitioning from on-premises print servers to a cloud-based solution like Universal Print requires coordinated efforts from IT and security teams to assess current infrastructure, configure cloud services, and manage the migration process.
📄️ Migrate SSO for employee federated applications
Implementation Effort: High – A program needs to be implemented to migrate applications, engaging app owners and coordinating authentication updates.
📄️ Migrate SSO for employee Web Access Management based applications
Implementation Effort: High – Customer IT teams need to execute migration projects involving multiple application owners and technical stakeholders.
📄️ Decommission WAM servers
Implementation Effort: Medium – IT teams must manage targeted tasks to safely retire servers, ensuring no residual dependencies remain post-migration.
📄️ Migrate SSO for External Identities federated apps
Implementation Effort: High – Requires reconfiguration of authentication flows and coordination with external partners to transition federated trust.
📄️ Migrate SSO for guest WAM applications
Implementation Effort: High – Migrating Web Access Management (WAM) applications for guest users involves rearchitecting authentication flows, replacing legacy header-based access controls, and coordinating with external partners.
📄️ Stop issuing on-prem accounts for new external users
Overview
📄️ Start provisioning cloud apps via Entra app provisioning
Overview
📄️ Migrate on-prem external ids & workflows to Entra External ID
Overview
📄️ Decommission on-prem external user systems
Overview
📄️ Rollout governance for External IDs
Overview
📄️ Migrate existing SaaS app provisioning to Entra
Overview
📄️ Migrate HR provisioning flow to Entra
Overview
📄️ Migrate joiner/mover/leaver workflows to Entra
Overview
📄️ Migrate existing on-prem app provisioning to Entra
Overview
📄️ Rollout Authenticator App
Implementation Effort: High – IT and security teams must configure tenant settings, educate users, and manage registration campaigns.
📄️ Migrate on-prem MFA systems
Implementation Effort: High – Transitioning from on-prem MFA to Entra ID native methods involves infrastructure decommissioning, policy updates, and user re-registration workflows.
📄️ Migrate self-service password reset
Implementation Effort: High – Transitioning from on-premises SSPR to Microsoft Entra ID SSPR requires configuration of authentication methods, policy updates, and potential integration with on-premises directories via password writeback.
📄️ Develop credential (incl. Passwordless) strategy
Implementation Effort: Medium – Developing a comprehensive credential strategy requires coordinated efforts across IT and security teams, involving policy definition, infrastructure updates, and user onboarding processes.
📄️ Deploy Entra Password Protection
Implementation Effort: High – Deploying Microsoft Entra Password Protection requires installing and configuring agents on domain controllers and proxies, along with integration and validation in hybrid environments.
📄️ Turn on Password Hash Sync
Implementation Effort: Medium – Enabling Password Hash Synchronization (PHS) requires configuring Microsoft Entra Connect and ensuring appropriate permissions and connectivity between on-premises Active Directory and Microsoft Entra ID.
📄️ Migrate to Password Hash Sync authentication
Implementation Effort: Medium – With PHS already enabled, the remaining effort focuses on reconfiguring Entra ID as the primary authentication authority and decommissioning federation infrastructure.
📄️ Decommission on-prem federation servers
Implementation Effort: Medium – Federation infrastructure can be decommissioned after dependent applications and services are migrated, requiring targeted actions from infrastructure and identity teams.
📄️ Rollout Windows Hello for Business
Implementation Effort: High – Setting up Windows Hello for Business requires careful planning, configuration, and coordination across IT and security teams.
📄️ Roll out FIDO2 Security Keys
Implementation Effort: High – Deploying FIDO2 security keys requires configuring Microsoft Entra ID policies, distributing hardware tokens, and coordinating user onboarding and support.
📄️ Rollout Authenticator Passwordless methods
Implementation Effort: Low – Since the Authenticator app is already deployed for MFA and SSPR, only minimal configuration and enablement steps are needed to allow passwordless sign-in.
📄️ Drive passwordless authentication method usage
Implementation Effort: Medium – IT teams need to enable passwordless methods in Microsoft Entra ID, configure Conditional Access to require their use, monitor registration and sign-in activity, and take action to drive adoption across the organization.
📄️ Migrate to modern collaboration tools for collaboration (OneDrive, Teams, SharePoint)
Implementation Effort: High – Migrating to Microsoft 365 collaboration tools requires data migration, user training, license provisioning, and configuration of security and compliance settings.
📄️ Migrate distribution lists to Microsoft 365 Teams & Groups
Implementation Effort: High – IT teams must identify eligible distribution lists, upgrade them via the Exchange Admin Center or PowerShell, and configure Microsoft 365 Group settings as needed.
📄️ Use cloud groups for new cloud app authorization
Overview
📄️ Enable group writeback
Overview
📄️ Rollout governance for groups
Overview
📄️ Migrate group management workflows
Overview
📄️ Enable user writeback
Overview
📄️ Change provisioning flow of existing users to AAD
Overview
📄️ Decommission on-prem IDM system
Overview
📄️ Remove password as credential
Overview
📄️ Change provisioning flow of existing groups to Entra
Overview
📄️ Deploy Entra hybrid join
Overview
📄️ Define Entra join strategy
Overview
📄️ Rollout Entra join for new workstations
Overview
📄️ Rollout AutoPilot
Overview
📄️ Remove DJ Windows clients from Active Directory
Overview
📄️ Deploy macOS Identity management
Overview
📄️ Deploy macOS SSO Extension
Overview
📄️ Define policy & use least privileged roles
Implementation Effort: Medium – IT and security teams must develop a policy, analyze current role assignments, and update processes to align with least privilege principles.
📄️ Use cloud-only privileged accounts
Implementation Effort: Medium – IT teams need to identify all privileged accounts synced from Active Directory, create equivalent cloud-only accounts, assign roles, and update procedures to ensure only the new accounts are used.
📄️ Rollout PIM for Tier-Zero roles
Implementation Effort: Medium – IT and security teams must identify Tier-Zero roles, configure Privileged Identity Management (PIM) settings, and transition users to just-in-time (JIT) access workflows.
📄️ Discover & remediate existing over-privileged Workload Identities
Implementation Effort: High – Requires coordinated efforts across IT, security, and application teams to audit, assess, and reassign permissions for workload identities, often involving multiple systems and stakeholders.
📄️ Lock down Entra tenant config
Implementation Effort: High – Requires coordinated efforts across IT, security, and governance teams to review, standardize, and enforce tenant configurations, including establishing change control processes and integrating with CI/CD pipelines.
📄️ Rollout Access Reviews for cloud privileged accounts & groups
Implementation Effort: Medium – IT and security teams need to configure recurring access reviews, assign appropriate reviewers, and integrate review outcomes into existing governance processes.
📄️ Plan privileged accounts lifecycle (JML)
Implementation Effort: High – IT, security, and HR teams must work together to define, implement, and potentially automate processes that manage the lifecycle of privileged accounts.
📄️ Rollout PIM for remaining roles
Implementation Effort: Medium – IT and security teams must identify all remaining privileged roles, configure Privileged Identity Management (PIM) settings, and transition users to just-in-time (JIT) access workflows.
📄️ Discover & analyze privileged usage for Workload Identities (e.g., scripts)
Implementation Effort: High – Requires coordinated efforts across IT, security, and application teams to audit, assess, and reassign permissions for workload identities, often involving multiple systems and stakeholders.
📄️ Rollout strong auth credentials for Workload Identities
Implementation Effort: High – Transitioning to strong authentication methods requires coordinated efforts across IT, security, and application teams to audit, assess, and reconfigure authentication mechanisms for workload identities, often involving multiple systems and stakeholders.
📄️ Rollout Conditional Access for Workload Identities
Implementation Effort: High – Implementing Conditional Access for workload identities requires coordinated efforts across IT, security, and application teams to audit, assess, and reconfigure access policies for service principals, often involving multiple systems and stakeholders.
📄️ Enforce authentication with strong creds for all privileged accounts
Implementation Effort: High – Implementing strong authentication methods for all privileged accounts requires coordinated efforts across IT, security, and application teams to audit, assess, and reconfigure authentication mechanisms, often involving multiple systems and stakeholders.
📄️ Deploy Cloud Privileged Access Workstations
Implementation Effort: High – Establishing a Privileged Access Workstation (PAW) program requires coordinated efforts across procurement, IT, and security teams to define device standards, enforce strict configuration baselines, and implement robust monitoring and access controls.
📄️ Integrate all Entra logs into SIEM
Implementation Effort: Medium – Configuring comprehensive log integration requires setting up diagnostic settings, managing data pipelines to the SIEM, and ensuring appropriate storage and retention policies.
📄️ Develop security playbooks based on Entra logs
Implementation Effort: Medium – Requires collaboration between security operations teams and stakeholders to design, test, and implement comprehensive playbooks tailored to various incident scenarios.
📄️ Remediate risk signals from Identity Protection & MDI
Implementation Effort: High – Security operations teams must establish and maintain processes to monitor, investigate, and remediate identity-related risk signals, integrating them into existing workflows and tools.
📄️ Implement monitoring for Entra Connect Sync
Implementation Effort: Medium – Requires installation and configuration of monitoring agents across hybrid identity infrastructure, along with validation of connectivity and alerting mechanisms.
📄️ Remediate Entra Connect Health alerts
Implementation Effort: Medium – Requires IT and SecOps teams to establish processes for continuous monitoring, triaging, and resolving synchronization errors, including configuring alert notifications and integrating remediation steps into existing workflows.
📄️ Implement monitoring for on-premises connectors used by Entra
Implementation Effort: Medium – Requires deployment and configuration of monitoring tools for each on-premises connector, along with establishing alerting mechanisms and regular health checks.
📄️ Discover existing privileged roles
Implementation Effort: Medium – IT and security teams must identify privileged role holders, analyze their access, and determine if lower-privilege alternatives are appropriate.
📄️ Discover & remediate existing over-privileged accounts
Implementation Effort: High – IT and security teams must conduct a thorough review of current role assignments, implement policy changes, and reassign roles to align with least privilege principles.
📄️ Design and Plan MDI Deployment
Implementation Effort: High – Requires comprehensive planning, including infrastructure assessment, capacity planning, and coordination across security and IT teams.
📄️ Create Inventory of On-Prem AD Infrastructure
Implementation Effort: Medium – Requires coordination between security and IT teams to catalog Active Directory components and assess readiness for sensor deployment.
📄️ Test Internet Access from AD Infra to MDI
Implementation Effort: Low – Requires executing targeted connectivity tests from servers designated for MDI sensors.
📄️ Deploy MDI on DCs, ADFS, AD CS, Entra Connect Servers
Implementation Effort: High – Requires coordinated deployment across multiple critical identity infrastructure components, including domain controllers, AD FS, AD CS, and Microsoft Entra Connect servers.
📄️ Run Post Deployment Tests and Configurations
Implementation Effort: Low – Administrators execute verification steps without major project overhead.
📄️ Review Initial Health MDI Alerts
Implementation Effort: Medium – While reviewing alerts is straightforward, addressing them often requires coordination across IT and SecOps teams to resolve underlying issues such as sensor connectivity, credential management, or system configurations.
📄️ Configure Identity Entity Tags
Implementation Effort: Medium – Tagging entities requires coordination between security and identity teams to identify and classify accounts, especially for sensitive and honeytoken tags.
📄️ Review Identity Inventory
Implementation Effort: Medium – Reviewing the identity inventory requires coordination between security and identity teams to analyze user accounts across hybrid environments, identify dormant or risky accounts, and plan remediation actions.
📄️ Review / Tune Security Alerts
Implementation Effort: Medium – Tuning alerts requires collaboration between security and IT teams to analyze alert patterns, adjust thresholds, and implement tuning rules to reduce false positives and enhance detection accuracy.
📄️ Confirm MDI Internet Access Requirements
Implementation Effort: Medium – Ensuring proper internet connectivity for Defender for Identity sensors involves configuring proxies, firewalls, or ExpressRoute, and may require coordination across IT and network teams.
📄️ Identify Data Sources for Workforce Identity Data
Implementation Effort: Medium – Requires coordination between IT and HR teams to map and integrate various identity data sources into Microsoft Entra ID.
📄️ Deploy provisioning connectors for data sources for identity data
Implementation Effort: High – Deploying provisioning connectors requires configuration of Microsoft Entra provisioning agents, integration with systems like Active Directory or LDAP, and coordination with HR or IT systems, which constitutes a significant project for IT and SecOps teams.
📄️ Review and assess resulting data updates
Overview
📄️ Rollout workforce identity data flows
Implementation Effort: High – Rolling out workforce identity data flows requires configuring attribute mappings, deploying provisioning connectors, and coordinating with multiple departments to ensure accurate data synchronization.
📄️ Implement monitoring of workforce identity provisioning
Implementation Effort: Medium – Requires configuring diagnostic settings, integrating with Azure Monitor, and establishing workbooks and alerts to track provisioning health.
📄️ Define Attribute Schema, Semantics, and Data Flows
Implementation Effort: High – Requires cross-functional collaboration to define attribute schemas, evaluate data quality, and implement schema extensions in Microsoft Entra ID and Active Directory.
📄️ Identify tasks to automate issuance of authentication credentials for joiners
Implementation Effort: Medium – This task involves analysis and planning by IT and identity teams to identify which onboarding steps should be automated, such as issuing Temporary Access Passes or activating accounts.
📄️ Deploy custom logic runtime environment for lifecycle workflows
Implementation Effort: Medium – Requires coordination between IT and identity governance teams to design, deploy, and secure a logic app environment tied to Lifecycle Workflows.
📄️ Configure lifecycle workflows for workforce identities
Implementation Effort: High – Requires coordination between IT, HR, and identity governance teams to design, deploy, and maintain lifecycle workflows across the organization.
📄️ Validate workflows with manual triggering
Overview
📄️ Rollout lifecycle workflows
Implementation Effort: High – Requires coordination between IT, HR, and identity governance teams to define a rollout and validation strategy, potentially requiring investigation, debugging, and updates.
📄️ Implement monitoring of lifecycle workflows
Implementation Effort: Medium – Requires IT and identity governance teams to configure monitoring tools, set up reporting mechanisms, and establish alerting processes.
📄️ Identify automation tasks for lifecycle events
Implementation Effort: Medium – Requires collaboration among IT, HR, and identity governance teams to map lifecycle events to appropriate automated tasks and configure workflows accordingly.
📄️ Identify custom logic requirements
Overview
📄️ Stop using on-premises groups to assign access to new applications / resources
Implementation Effort: High – IT and identity teams must transition from on-premises group-based access control to cloud-native group management. This involves driving alignment across the organization, coordinating with application owners, and redefining operational procedures.
📄️ Identify Access Lifecycle custom logic requirements
Implementation Effort: Medium – Requires collaboration between IT, application owners, and governance teams to analyze access package workflows and define custom automation needs beyond built-in entitlement management capabilities.
📄️ Map organizational role model to platform capabilities of Microsoft Entra ID Governance
Implementation Effort: High – Requires collaboration between IT, HR, and security teams to analyze existing role models and translate them into Microsoft Entra ID Governance structures.
📄️ Design policies to assign access per job function
Implementation Effort: High – Requires collaboration between IT, HR, and security teams to analyze job functions, define access requirements, and configure policies in Microsoft Entra ID Governance.
📄️ Create Access Packages per job function
Implementation Effort: High – Requires collaboration between IT, HR, and security teams to analyze job functions, define access requirements, and configure access packages accordingly.
📄️ Roll out Entra ID access packages / initial assignment of entitlements
Implementation Effort: High – Deploying access packages involves defining catalogs, configuring policies, coordinating with resource owners, and running pilot deployments, which requires structured project planning.
📄️ Define and rollout reconciliation processes for access provisioning
Implementation Effort: High – Reconciliation for provisioning requires coordination between IT, identity governance, and application teams to review logs, validate external system states, and remediate inconsistencies.
📄️ Implement Monitoring of Role-Based Access Assignments
Implementation Effort: Medium – Configuring monitoring involves setting up reporting tools, establishing audit log integrations, and defining alerting mechanisms, requiring coordinated efforts from IT and security teams.
📄️ Inventory applications and resources, attributes needed from users, and owners
Implementation Effort: High – This task requires coordinated efforts to audit applications, identify required user attributes, and assign or confirm ownership, involving multiple stakeholders across IT and security teams.
📄️ Deploy custom logic runtime environment for Entitlement Management Extensions
Implementation Effort: High – Deploying a custom logic runtime environment involves setting up Azure Logic Apps, configuring custom extensions, and integrating with Microsoft Entra ID, requiring significant coordination between IT, resource owners, and security teams.
📄️ Define the organization's policy with user prerequisites and other constraints for access to an application
Implementation Effort: High – Defining and enforcing access policies involves policy design, stakeholder coordination, and integration into entitlement management and Conditional Access systems.
📄️ Define approach for stand-alone groups
Implementation Effort: High – Establishing governance for stand-alone groups requires defining policies, configuring lifecycle management, and coordinating with group owners.
📄️ Determine sequence of application onboarding and Entra Provisioning Integration
Implementation Effort: High – Sequencing and executing application onboarding for both SSO and provisioning requires significant coordination, system analysis, and phased rollout planning across IT, identity, and application teams.
📄️ Deploy provisioning connectors for apps
Implementation Effort: High – Configuring provisioning connectors for cloud and on-premises applications involves setting up integrations, customizing attribute mappings, and coordinating with application owners, especially for non-standard or custom applications.
📄️ Configure attribute flows for app provisioning
Implementation Effort: High – Attribute mapping requires careful alignment between identity source data and the schema expected by each application, often involving custom logic and coordination between identity and application teams.
📄️ Roll out app automated provisioning
Implementation Effort: High – Enabling automated provisioning involves configuring provisioning schedules, applying scoping filters, and validating behavior with selected users and apps.
📄️ Define and rollout reconciliation processes for access provisioning
Implementation Effort: High – Reconciliation for provisioning requires collaboration across IT, identity governance, and application teams to define control processes, implement monitoring, and resolve discrepancies in target systems.
📄️ Implement Monitoring of Application Provisioning
Implementation Effort: High – Establishing comprehensive monitoring involves configuring diagnostic settings, integrating with Azure Monitor, and developing custom workbooks and alerts.
📄️ Deploy ECMA connector host (if needed)
Implementation Effort: Medium – IT teams must plan, install, and configure the ECMA host service, and validate integration with Entra provisioning agents.
📄️ Identify on-premises groups needed to manage access per app and resource inventory
Implementation Effort: High – IT and identity teams must collaborate with application and resource owners to map access requirements to existing or new on-premises groups, and configure synchronization and governance policies accordingly.
📄️ Configure group provisioning to AD
Implementation Effort: Medium – IT teams must deploy and configure Microsoft Entra Cloud Sync, including setting up provisioning agents, defining scoping filters, and mapping attributes to synchronize cloud groups to on-premises Active Directory.
📄️ Transfer SOA of existing groups
Overview
📄️ Roll out group provisioning to AD for resources and applications
Implementation Effort: High – IT teams must deploy and configure the Microsoft Entra provisioning agent, classify cloud groups, and implement a phased rollout strategy to progressively enable group writeback to Active Directory.
📄️ Prioritize remediation of existing per inventory
Implementation Effort: High – IT and security teams must analyze access inventories, define prioritization criteria, and coordinate remediation efforts across stakeholders.
📄️ Conduct access reviews of existing resources
Implementation Effort: High – IT and governance teams must configure and schedule access reviews, define review scopes, and coordinate with resource owners and reviewers across the organization.
📄️ Clean up unused groups (cloud and on-prem) based on inventory
Implementation Effort: High – IT and identity teams must analyze group usage, validate that each group is no longer in use, and execute a phased cleanup strategy across both cloud and on-premises environments.
📄️ Review and triage existing guest identities
Implementation Effort: High – IT and governance teams must consolidate guest account data, map originating organizations, assess business context, and evaluate collaboration levels and external organization security posture.
📄️ Define patterns of initial access for guests
Implementation Effort: Medium – IT and identity governance teams must analyze collaboration scenarios, catalog onboarding workflows, and standardize access grant mechanisms for external users.
📄️ Assign sponsors to existing guests
Implementation Effort: Medium – IT administrators must audit existing guest accounts, identify appropriate internal sponsors, and update guest user profiles accordingly.
📄️ Convert existing guests to governed
Implementation Effort: Medium – Identity governance teams must identify eligible guest users, assess their access assignments, and use Microsoft Entra ID tools to transition them to governed status.
📄️ Roll out access packages for guests
Implementation Effort: High – Identity governance teams must define access requirements, configure access packages, and establish approval workflows and approvers tailored to external collaboration scenarios.
📄️ Roll out guest cleanup processes
Implementation Effort: Medium – Identity governance teams must configure access reviews, analyze guest activity data, and coordinate with sponsors to manage guest accounts effectively.
📄️ Define guest cleanup criteria
Overview
📄️ Implement monitoring of guest accounts
Implementation Effort: Medium – IT and identity governance teams must configure monitoring tools, analyze guest activity data, and establish processes for ongoing oversight.
📄️ Define requirements to onboard new partner organizations
Implementation Effort: Medium – IT and governance teams must establish onboarding procedures, configure connected organizations, and assess partner security postures.
📄️ Roll out Conditional Access with Authentication Strength Controls
Implementation Effort: High – Requires policy updates and potentially authentication method registration programs.
📄️ Deploy Conditional Access policies based on trusted networks and private access apps
Implementation Effort: Medium – Requires configuration of compliant network checks and per-app access policies.
📄️ Roll out Conditional Access for SharePoint Sites
Implementation Effort: Medium – Requires configuring authentication contexts and applying them to sites or sensitivity labels.
📄️ Integrate MDI Alerts / Incidents into SIEM
Implementation Effort: Medium – Requires coordination between security and IT teams to configure log forwarding and validate end-to-end integration with existing SIEM infrastructure.
📄️ Configure MDI Email Notifications
Implementation Effort: Low – Setting up email notifications involves straightforward configuration within the Microsoft Defender portal, requiring minimal administrative effort.
📄️ Review / Investigate MDI Incidents
Implementation Effort: Medium – This is an operational task conducted by the SecOps team as part of standard monitoring and response procedures.
📄️ Review MDI Secure Score Recommendations and Security Exposure Management Initiatives
Implementation Effort: Medium – Reviewing recommendations and initiatives is a targeted administrative action that fits within ongoing security assessment processes.
📄️ Review MDI Health Alerts
Implementation Effort: Medium – Involves setting up and maintaining a standard operating procedure for administrators to monitor and respond to health alerts.
📄️ Proactively Hunt and Create Custom Detections using Advanced Hunting in XDR
Implementation Effort: Medium – Requires security teams to develop queries and maintain custom detection rules, involving ongoing tuning and investigation cycles.