Plaidnox InfoSec
PLX-2025-023 | Confidential
Identity Management | IAM Review | 14 Gaps Found

Identity & Access Review
[REDACTED]

IAM review covering SSO coverage, MFA adoption, role proliferation, and orphaned account hygiene for [REDACTED] Group. Engagement ref. ENG-2025-0560.

Report ID: PLX-2025-023
Client: [REDACTED]
MFA Coverage: 68% of users
Assessed: Apr 2025
01 . Overview

IAM Review Summary

Plaidnox reviewed the identity landscape for [REDACTED] Group across Microsoft Entra ID (Azure AD), on-premises Active Directory, and 12 SaaS applications. The review identified 14 significant gaps including a 32% MFA coverage gap, 847 orphaned accounts, and role proliferation with 3,200+ custom permission assignments outside of standard groups.

The most critical finding is that 143 accounts with access to patient data systems have never used MFA. These represent an immediate HIPAA and NHS Data Security Standard compliance risk.


02 . Identity Inventory

Account and access inventory

Total Accounts: 8,240
Orphaned Accounts: 847
MFA Coverage: 68%
PHI Access w/o MFA: 143

Category                  | Count | Issues Found                              | Priority
Regular User Accounts     | 6,840 | MFA not enforced for 2,197                | High
Privileged Admin Accounts | 312   | 68 with no MFA; 41 inactive 90+ days      | Critical
Service Accounts          | 741   | 214 with excessive permissions            | High
Orphaned / Stale Accounts | 847   | Active accounts for departed staff        | Critical
External / Guest Accounts | 500   | No expiry policy enforced                 | Medium

03 . Critical Gaps

Priority findings

ID      | Finding                                                                          | Priority
IAM-G01 | 847 orphaned accounts: active AD/Entra accounts for staff with no HR record      | Critical
IAM-G02 | 143 PHI-access accounts without MFA: direct HIPAA compliance risk                | Critical
IAM-G03 | No joiner-mover-leaver (JML) process integrated with HR system                   | High
IAM-G04 | SSO coverage at 58%: 5 clinical applications not federated, using local accounts | High
IAM-G05 | No Privileged Identity Management (PIM): admin roles are permanent, not just-in-time | High

04 . Remediation Plan

IAM improvement roadmap

Action                                                             | Timeline    | Owner
Disable all 847 orphaned accounts pending access review            | Immediately | IT / HR
Enforce MFA via Conditional Access for all PHI-access accounts     | Wk 1-2      | IT
Integrate HR system with Entra ID for automated JML provisioning   | Wk 2-8      | Plaidnox / IT
Federate 5 clinical applications via SAML/OIDC to Entra ID SSO     | Wk 4-12     | Plaidnox
Deploy Azure AD PIM for all Global Admin and privileged roles      | Wk 3-6      | Plaidnox / IT
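The inventory and the first two remediation actions above both rest on one reconciliation: comparing a directory export against the HR roster and the MFA registration state. The following script is an added example (not Plaidnox's tooling or the client's data) that performs that reconciliation on a constructed sample: it flags enabled accounts whose employee ID has no active HR record (orphaned), accounts in PHI-access groups with no MFA registration, privileged accounts idle for more than 90 days, and computes MFA coverage over staff accounts. The group names, the `Account` fields and the roster values are assumptions for illustration; in a real engagement they would come from an Entra ID / AD export and the HR system.

```python
"""Reconcile a directory export against the HR roster to produce the
hygiene findings this review reports on. All data below is constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Group names are assumptions for this example, not taken from the report.
PHI_GROUPS = {"grp-ehr-clinical", "grp-pacs-readers"}
PRIVILEGED_GROUPS = {"grp-global-admins", "grp-domain-admins"}
INACTIVE_DAYS = 90


@dataclass
class Account:
    upn: str
    employee_id: Optional[str]      # None for service/guest accounts with no HR link
    enabled: bool
    mfa_registered: bool
    groups: set = field(default_factory=set)
    last_sign_in: Optional[date] = None


def reconcile(accounts, hr_active_ids, today):
    """Return the four hygiene findings for a directory export.

    orphaned:            enabled human accounts whose employee ID has no active HR record
    phi_without_mfa:     enabled accounts in a PHI-access group with no MFA registration
    privileged_inactive: enabled privileged accounts idle for more than INACTIVE_DAYS
    mfa_coverage_pct:    share of enabled human accounts with MFA registered
    """
    orphaned, phi_without_mfa, privileged_inactive = [], [], []
    staff_total = staff_with_mfa = 0

    for a in accounts:
        if not a.enabled:
            continue                        # disabled accounts are not an active risk
        if a.employee_id is not None:       # human account: must map to an active HR record
            staff_total += 1
            staff_with_mfa += int(a.mfa_registered)
            if a.employee_id not in hr_active_ids:
                orphaned.append(a.upn)
        if a.groups & PHI_GROUPS and not a.mfa_registered:
            phi_without_mfa.append(a.upn)
        if a.groups & PRIVILEGED_GROUPS:
            idle = a.last_sign_in is None or (today - a.last_sign_in).days > INACTIVE_DAYS
            if idle:
                privileged_inactive.append(a.upn)

    coverage = round(100 * staff_with_mfa / staff_total, 1) if staff_total else 0.0
    return {
        "orphaned": sorted(orphaned),
        "phi_without_mfa": sorted(phi_without_mfa),
        "privileged_inactive": sorted(privileged_inactive),
        "mfa_coverage_pct": coverage,
    }


# Constructed sample: a review date, the HR roster of active employee IDs,
# and a small directory export. E004 has left; E006 never existed in HR.
REVIEW_DATE = date(2025, 4, 30)
HR_ACTIVE_IDS = {"E001", "E002", "E003", "E005"}

SAMPLE_ACCOUNTS = [
    Account("alice@example.test", "E001", True, True, {"grp-ehr-clinical"}, date(2025, 4, 28)),
    Account("bob@example.test", "E002", True, False, {"grp-ehr-clinical"}, date(2025, 4, 29)),
    Account("carol@example.test", "E003", True, True, {"grp-global-admins"}, date(2024, 12, 1)),
    Account("dave@example.test", "E004", True, False, set(), date(2025, 1, 15)),
    Account("erin@example.test", "E005", False, False, {"grp-pacs-readers"}, None),
    Account("svc-backup@example.test", None, True, False, {"grp-domain-admins"},
            REVIEW_DATE - timedelta(days=10)),
    Account("frank@example.test", "E006", True, True, {"grp-pacs-readers"}, date(2025, 4, 20)),
]

if __name__ == "__main__":
    for key, value in reconcile(SAMPLE_ACCOUNTS, HR_ACTIVE_IDS, REVIEW_DATE).items():
        print(f"{key}: {value}")
```

Two design points carry over to a production version: disabled accounts are excluded before any check so that the "disable pending review" action immediately removes them from the orphan and PHI lists, and the orphan test is keyed on an HR identifier rather than on name matching, which is the linkage the HR-to-Entra JML integration has to provide.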

Conclusion
Orphaned accounts and the PHI MFA gap are the immediate compliance risks
[REDACTED] has a significant identity hygiene debt built up from years of growth without an automated JML process. 847 orphaned accounts and 143 PHI-accessible accounts without MFA are the immediate priority; both carry direct HIPAA and NHS Data Security Standard compliance risk. The JML integration project will prevent recurrence and is the foundational fix for long-term IAM health.
Confidential | Authorised Distribution Only