Group 12: Identity & Access

Authentication and authorization surfaces: Entra ID (the tenant directory), Entra External ID (B2C-style customer identity), Managed Identities, and Role-Based Access Control (RBAC). Broader controls (Conditional Access, PIM, MFA) extend the posture, but core selection turns on four questions: where the trust boundary sits, who the users are (workforce, partner, consumer, or workload), how secrets are managed, and how least privilege is automated.

Design Tenet: Centralize identity in a single tenant where feasible; isolate projects through authorization (scopes, roles, groups) rather than through identity silos, unless regulatory or data-sovereignty drivers require separate tenants.

Selection Model

Each criterion C_* is rated 0 to 10; a (10 - C_x) term inverts a criterion that counts against an option. The weights in each formula sum to 1.0, so the four scores are directly comparable on the same scale.

Score_Entra  = 0.26*C_internalUsers + 0.22*C_condAccess + 0.18*C_directoryExt + 0.14*C_federation + 0.12*C_device + 0.08*C_compliance
Score_ExtID  = 0.30*C_externalUsers + 0.24*C_userJourney + 0.16*C_scale + 0.14*C_brand + 0.10*C_social + 0.06*(10 - C_internalUsers)
Score_MngdId = 0.32*C_secretless + 0.24*C_rotation + 0.16*C_leastPriv + 0.14*C_automation + 0.08*(10 - C_customPolicy) + 0.06*(10 - C_brand)
Score_RBAC  = 0.28*C_leastPriv + 0.22*C_scopeDepth + 0.18*C_audit + 0.14*C_compliance + 0.10*C_customRole + 0.08*C_scale
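The following is an added worked example of the selection model, not code from the original page. It transcribes the page's weights, enforces the two properties the formulas rely on (every C_* rated 0 to 10, weights summing to 1.0) and scores two constructed scenarios: an Azure-hosted workload calling other services for internal users, and a consumer-facing app with social sign-in. The criterion ratings are assumptions made up for the illustration.

```python
"""Worked example of the Group 12 identity selection model (added example,
not code from the original page). Weights are the page's own; criterion
values are constructed ratings on the 0-10 scale that the page's
(10 - C_x) terms imply."""
from typing import Dict, List, Tuple

SCALE_MAX = 10  # assumption: every C_* criterion is rated 0..10

# (criterion, weight, inverted). inverted=True means the page's formula
# uses (10 - C_x), i.e. a high rating counts against this option.
WEIGHTS: Dict[str, List[Tuple[str, float, bool]]] = {
    "Entra": [("C_internalUsers", 0.26, False), ("C_condAccess", 0.22, False),
              ("C_directoryExt", 0.18, False), ("C_federation", 0.14, False),
              ("C_device", 0.12, False), ("C_compliance", 0.08, False)],
    "ExtID": [("C_externalUsers", 0.30, False), ("C_userJourney", 0.24, False),
              ("C_scale", 0.16, False), ("C_brand", 0.14, False),
              ("C_social", 0.10, False), ("C_internalUsers", 0.06, True)],
    "MngdId": [("C_secretless", 0.32, False), ("C_rotation", 0.24, False),
               ("C_leastPriv", 0.16, False), ("C_automation", 0.14, False),
               ("C_customPolicy", 0.08, True), ("C_brand", 0.06, True)],
    "RBAC": [("C_leastPriv", 0.28, False), ("C_scopeDepth", 0.22, False),
             ("C_audit", 0.18, False), ("C_compliance", 0.14, False),
             ("C_customRole", 0.10, False), ("C_scale", 0.08, False)],
}


def weight_sums() -> Dict[str, float]:
    """Sum of weights per option. A sound model keeps each at 1.0 so that
    the four scores stay comparable on the same 0..10 scale."""
    return {opt: round(sum(w for _, w, _ in terms), 2)
            for opt, terms in WEIGHTS.items()}


def score(option: str, criteria: Dict[str, float]) -> float:
    """Evaluate one Score_* formula. A missing criterion raises KeyError and
    an out-of-range rating raises ValueError, so bad input cannot produce a
    plausible-looking score."""
    total = 0.0
    for name, weight, inverted in WEIGHTS[option]:
        value = criteria[name]
        if not 0 <= value <= SCALE_MAX:
            raise ValueError(f"{name}={value} outside 0..{SCALE_MAX}")
        total += weight * ((SCALE_MAX - value) if inverted else value)
    return round(total, 2)


def rank(criteria: Dict[str, float]) -> List[Tuple[str, float]]:
    """All four scores for one scenario, highest first."""
    return sorted(((opt, score(opt, criteria)) for opt in WEIGHTS),
                  key=lambda kv: kv[1], reverse=True)


# Constructed scenario 1: an Azure-hosted service that calls Key Vault and
# Storage on behalf of internal users; no customer sign-in, no branding.
WORKLOAD_TO_SERVICE = {
    "C_internalUsers": 8, "C_condAccess": 3, "C_directoryExt": 2,
    "C_federation": 2, "C_device": 1, "C_compliance": 6,
    "C_externalUsers": 0, "C_userJourney": 0, "C_scale": 5, "C_brand": 0,
    "C_social": 0, "C_secretless": 10, "C_rotation": 9, "C_leastPriv": 8,
    "C_automation": 9, "C_customPolicy": 1, "C_scopeDepth": 6,
    "C_audit": 7, "C_customRole": 3,
}

# Constructed scenario 2: a consumer-facing web app with social sign-in,
# custom-branded journeys and a large, mostly anonymous user base.
CONSUMER_APP = {
    "C_internalUsers": 1, "C_condAccess": 2, "C_directoryExt": 1,
    "C_federation": 3, "C_device": 0, "C_compliance": 5,
    "C_externalUsers": 10, "C_userJourney": 9, "C_scale": 9, "C_brand": 8,
    "C_social": 7, "C_secretless": 4, "C_rotation": 3, "C_leastPriv": 5,
    "C_automation": 4, "C_customPolicy": 8, "C_scopeDepth": 3,
    "C_audit": 5, "C_customRole": 2,
}

if __name__ == "__main__":
    print("weight sums:", weight_sums())
    for label, crit in (("workload-to-service", WORKLOAD_TO_SERVICE),
                        ("consumer app", CONSUMER_APP)):
        print(label)
        for opt, val in rank(crit):
            print(f"  {opt:7s} {val:5.2f}")
```

Read the ranking as a fit rating per surface rather than a single pick: in the workload scenario Managed Identity (authentication without stored secrets) and RBAC (scoped authorization) come out first and second and are used together, not as alternatives. Ratings outside 0..10 are rejected rather than clamped, because a silently clamped input would still produce a score that looks valid.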
    