Curated demo content by default.
The /demo route group is a public demonstration surface. Its stories, report packs, and portal views are intentionally curated unless a live tenant is explicitly selected.
This report gives first-assessment visibility, with a second run that proves movement without pretending the data is complete. This page uses the current webapp surface and report structure with a fictional UK financial-services scenario that is kept explicit about representative data, P1-only licensing, and what is and is not yet mature.
Detailed technical findings, attack-path evidence, policy violations, and remediation ownership for engineering and identity operations teams.
Report credibility
Every field is shown explicitly. Items not yet provided are labelled (Roadmap, Unavailable, Not applicable, Missing) rather than hidden.
Demo seed — period derived from synthetic profile, not live tenant telemetry
Reference IF-TECH-MRI-MCFS
No prior version to diff — the public demo regenerates deterministically per request.
Named report owner is captured in webapp tenant scope settings — surfaced once a tenant is provisioned.
Engineering remediation runbooks are reviewed at change-management gate, not via report sign-off.
Substantia signed-evidence chain is exercised in the authenticated webapp, not in the public demo route.
This is the concise answer a buyer expects first: what matters most, which exposure to address now, who owns it, and how much exposure the current remediation plan removes.
Dominant finding
Eleven stale AD-linked accounts still retain active access
CRITICAL severity on Active Directory, owned by Identity and access management.
Evidence posture
0/8
0 evidence bundle records in this pack. Confidence score: 64%.
Ownership gaps
0
8 findings already have explicit remediation owners.
ROI / exposure
3.9x
4 overdue actions and 18 stale privileged accounts remain in scope.
What the buyer should conclude
A technical buyer expects more than a list of findings. They expect to see scope, assessment confidence, ownership, evidence linkage, and a clear path from finding to action. This section makes that framing explicit so the demo behaves more like an assessment artifact and less like a marketing surface.
Assessment scope
8 sources
1,842 canonical identities assessed across 7 represented platforms.
Evidence posture
0/8
0 evidence bundle records in this pack. Confidence score: 64%.
Ownership
0
Ownerless or unassigned findings reduce accountability. 8 findings already show an explicit owner in this report.
Action value
26
4 overdue actions, 18 stale privileged accounts, and ROI framed at 3.9x.
The highest modelled blast radius in this report is 71/100, spanning 128 reachable identities across up to 4 lateral hops. This is the point of the report: not just to list hygiene issues, but to show how one compromised identity can become consequential reach.
What matters first: Every finding shown here already has an explicit owner.
What proves it: 0 of 8 findings currently carry an evidence-bundle reference.
What changes next: 26 remediation actions are tracked, with 4 overdue and an ROI framing of 3.9x.
These findings are rendered from the MRI demo report pack. The structure is real, but this public report should not imply that every finding row, owner, and due date shown here is already coming from live tenant-backed workflow state.
| Severity | Finding |
|---|---|
| High | ADFS relying party trust sprawl still exposes legacy access paths |
| Medium | AWS analytics role trust remains broader than intended for shared engineering workflows |
| Critical | Eleven stale AD-linked accounts still retain active access |
| High | Legacy service accounts retain broad access across Azure automation and branch batch jobs |
| High | MIM-driven attribute exceptions are still granting outdated on-prem app entitlements |
| High | Standing Entra and Azure administrative access remains broader than operational need |
| Medium | MFA and Conditional Access remain inconsistent for remote and contractor access |
| Medium | Joiner, mover, leaver mismatches persist across SaaS finance, HR, and ticketing tools |
Joiners Pending Review
14
Movers Pending Review
37
Leavers Still Active
11
Ghost Accounts
23
Hidden privilege, concentration, and standing access are real MRI themes. In this report they are represented through the demo dataset, but the underlying product pattern is anchored to the privilege inference and posture engine design.
Tier-0 Identities
12
Tier-1 Identities
81
Without JIT
21
Stale Privileged
18
93 total privileged identities across all tiers. Tier-0 accounts hold Domain Admin / Global Admin equivalents.
MITRE mapping and threat-language framing are illustrative on this public route. Treat them as representative detection storytelling rather than a claim that every mapped technique here is already verified from live attack telemetry.
alan.hargreaves · Detected: 22 Jan 2026
Policy and evidence structure mirrors the live product model. Evidence bundle links and captured artifacts in this public report remain illustrative unless the underlying tenant data source is live and explicitly evidenced.
The estate is operating on Entra ID P1. MFA coverage improved between runs, but several contractor and unmanaged-device journeys still rely on policy exceptions rather than fully consistent control paths.
SaaS entitlements are no longer chaotic, but lifecycle ownership still varies enough to leave avoidable residual access after role change and contract end.
Remediation prioritisation is a real product pattern. On this demo route the playbooks, dates, and ownership are curated so the story stays stable, but the intended live experience is to ground these deltas in blast-radius and simulation-backed consequence changes.
| Severity | Finding | Status | Due Date |
|---|---|---|---|
| Critical | Eleven stale AD-linked accounts still retain active access | Overdue | 29 Jan 2026 |
| High | ADFS relying party trust sprawl still exposes legacy access paths | Overdue | 5 Feb 2026 |
| High | Standing Entra and Azure administrative access remains broader than operational need | Overdue | 7 Feb 2026 |
| High | Legacy service accounts retain broad access across Azure automation and branch batch jobs | Overdue | 11 Feb 2026 |
| High | MIM-driven attribute exceptions are still granting outdated on-prem app entitlements | Overdue | 12 Feb 2026 |
| Medium | MFA and Conditional Access remain inconsistent for remote and contractor access | Overdue | 14 Feb 2026 |
| Medium | AWS analytics role trust remains broader than intended for shared engineering workflows | Overdue | 19 Feb 2026 |
| Medium | Joiner, mover, leaver mismatches persist across SaaS finance, HR, and ticketing tools | Overdue | 21 Feb 2026 |
Compliance snapshot
This appendix exposes the raw MRI demo findings behind the technical report. It is intended for engineering review and filtering, but it remains public demo data rather than a guarantee of live workflow parity on every authenticated route.
| ID | Severity | Platform | Title | Summary | Detected |
|---|---|---|---|---|---|
| MCFS-I-001 | Critical | Active Directory | Eleven stale AD-linked accounts still retain active access | The first two runs still show leaver and contractor identities synchronised from Active Directory into Entra, with the highest-value cases retaining VPN and treasury application access. | 22 Jan 2026 |
| MCFS-I-002 | High | ADFS | ADFS relying party trust sprawl still exposes legacy access paths | Fourteen relying party trusts remain active for services that have partly moved to Entra. Claim-rule hygiene and trust ownership are inconsistent across wealth, treasury, and branch servicing applications. | 22 Jan 2026 |
| MCFS-I-003 | High | MIM | MIM-driven attribute exceptions are still granting outdated on-prem app entitlements | Historic MIM rules continue to preserve role attributes after department moves, especially across acquired advisory teams and older servicing applications. | 22 Jan 2026 |
| MCFS-I-004 | High | Microsoft Entra ID | Standing Entra and Azure administrative access remains broader than operational need | A small set of platform and operations users still hold standing administrative access in Entra and Azure production subscriptions without a tighter named-elevation pattern. | 22 Jan 2026 |
| MCFS-I-005 | High | Azure | Legacy service accounts retain broad access across Azure automation and branch batch jobs | Service identities created for older reconciliation and branch-reporting workflows retain wide permissions in Azure automation, file shares, and scheduled tasks. | 22 Jan 2026 |
| MCFS-I-006 | Medium | Microsoft Entra ID | MFA and Conditional Access remain inconsistent for remote and contractor access | The estate is operating on Entra ID P1. MFA coverage improved between runs, but several contractor and unmanaged-device journeys still rely on policy exceptions rather than fully consistent control paths. | 22 Jan 2026 |
| MCFS-I-007 | Medium | AWS IAM | AWS analytics role trust remains broader than intended for shared engineering workflows | A shared CI role can still assume analytics-facing AWS roles that should now be limited to a smaller service boundary. | 22 Jan 2026 |
| MCFS-I-008 | Medium | SaaS Applications | Joiner, mover, leaver mismatches persist across SaaS finance, HR, and ticketing tools | SaaS entitlements are no longer chaotic, but lifecycle ownership still varies enough to leave avoidable residual access after role change and contract end. | 22 Jan 2026 |
Technical Report · Prepared by IdentityFirst Ltd · Prepared for Meridian Crest Financial Services Ltd · Ref IF-TECH-MRI-MCFS · v1.0 · Confidential - Demonstration Use Only · SAMPLE - SYNTHETIC DATA - NOT FOR DISTRIBUTION