IdentityFirst Demo

Meridian Crest Financial Services Ltd

Three months of repeated review showing trend, evidence quality, recurring MSP value, and board-level control movement. This page uses the current webapp surface and report structure with a fictional UK financial-services scenario kept explicit about representative data, P1-only licensing, and what is and is not yet mature.

Blast radius framing

Three months later, the blast radius is materially narrower and better governed

Most of the critical paths from the first install have been closed. The residual exposure is concentrated in one shared emergency account and two remaining ADFS dependencies, both under active monthly review.

Blast Radius Summary

Blast score

Affected identities

Systems

Applications

Executive Summary

medium impact

Three months of measured remediation have reduced the blast radius from 78 to 34. The residual exposure is concentrated in one shared emergency account and two ADFS-dependent workflows, both under monthly governance review.

Score

Systems

Users

Apps

Data stores

Regulatory impact

Cyber EssentialsISO 27001DORA

Recommended action

Replace the shared weekend emergency account with named accountable access and complete the ADFS trust retirement plan for the two remaining regulated workflows.

Affected Identities

sharedadmin-weekend

Shared account / Azure

critical

ext-advisory@pwc.com

Guest / M365

high

svc-branch-servicing

Service account / AD / ADFS

medium

k.chen (legacy servicing)

Employee / AD / MIM

medium

Path Explanation

A shared emergency account holds standing Contributor access to production subscriptions, which grants implicit read access to Key Vault secrets.

1sharedadmin-weekend → Azure production subscriptions
A shared emergency administration account still holds standing Contributor access across two production subscriptions used during weekend operations support.
2Azure production subscriptions → Key Vault (production secrets)
The Contributor role on production subscriptions grants implicit read access to Key Vault secrets, including database connection strings and API keys.

Control Failures

Paths with controls5

Paths without controls3

Controls reduce blast radius by44 pts

2 weak or unknown controls

weakShared emergency account accountability

0 covered/2 uncovered

Replace the shared weekend account with named accountable access.

unknownADFS residual trust retirement

0 covered/1 uncovered

Complete the application-by-application retirement plan.

strongMFA phased rollout

3 covered/0 uncovered

strongLeaver lifecycle cadence

2 covered/0 uncovered

Change Confidence

84%High confidence

88% of paths backed by confirmed evidence

Source confidence

healthyActive Directory

88%

healthyMicrosoft Entra ID

96%

healthyMicrosoft 365

91%

healthyAzure

84%

partialADFS

64%

partialMIM

57%

partialAWS IAM

63%

partialServiceNow

54%

Back to command centre Open board report Open technical report