Identity-First MSP Demo

Narrative arc

First install + delta run

Within two weeks of a read-only first install, MRI has already turned a messy hybrid identity estate into a prioritised board and MSP conversation. The data is still early, but it is already strong enough to direct action and prove movement.

MRI-MCFS-2026-01-07-A

Initial run · 7 Jan 2026

Posture score

52/100

Early, useful baseline

Findings

Week-one prioritised list

Data confidence

61%

Connector visibility still maturing

MFA coverage

Ten global admins only

Legacy auth

Mailboxes exposed

Unmanaged access

Recent sign-ins

This is a first install in a complex hybrid estate, not a polished baseline.

The data is useful because it creates a defensible priority list, even though MIM, AWS and SaaS lifecycle coverage are still maturing.

The most important early truth is stark: only ten global administrators had MFA at first install, while the wider user population did not.

MRI-MCFS-2026-01-22-B

Delta run · 22 Jan 2026

Posture score

59/100

Measurable uplift after remediation

Findings

Smaller, sharper backlog

Data confidence

68%

Coverage is broader, still honest

MFA coverage

19%

Visible rollout started

Legacy auth

Remaining operational exceptions

Unmanaged access

Narrower scope than week one

Resolved

Issues closed between runs

Newly surfaced

Mostly from broader app coverage

Delta comparison

The strongest story is progress with realism

Stale hybrid accounts

11 → 6 accounts

The highest-risk leaver and contractor identities were disabled first, including the treasury case surfaced in the first run.

Users with MFA enforced

10 → 285 users

The ten global administrators remain protected and the first user rollout now covers finance, operations management and remote-access users.

ADFS relying parties

14 → 11 trusts

Redundant claim paths were retired first; the remaining trusts are the ones with real business dependencies.

Standing Azure admin assignments

28 → 19 assignments

The emergency-support pattern is narrower, but everyday admin access is still broader than ideal.

AWS trust misalignments

6 → 4 paths

The highest-risk analytics trust paths were constrained, leaving a smaller residual set to retire.

SaaS orphaned access

23 → 18 entitlements

Some new visibility appeared as ServiceNow and collaboration evidence improved, so the count fell more slowly than the confidence rose.

Top themes

Week-one findings are already specific

Stale hybrid accounts

Leaver and contractor identities still active in AD and Entra, including treasury and VPN access.

accounts

ADFS trust sprawl

Several relying parties remain after partial migration to Entra-backed access.

trusts

MIM-driven entitlement drift

Mover events are not consistently stripping older on-prem application roles.

users

User MFA coverage gap

Only the ten global administrators currently have MFA enforced.

1490

users

Standing privileged access

Named and shared admin paths still exist across Entra, Azure and operational support roles.

assignments

AWS trust misalignment

Shared engineering and analytics workflows still rely on broader trust than intended.

paths

SaaS lifecycle drift

Guest, supplier and mover access remains in finance, HR and service-management tooling.

entitlements

Sensitive data oversharing

External sharing expiry and ownership are inconsistent across M365 workspaces.

126

links

Conditional Access gaps

P1-based controls exist, but are concentrated around admin access rather than the wider user estate.

controls

Priority findings

Identity-led findings, not generic security filler

criticalLifecyclenew

Former treasury analyst account remains active through AD sync, VPN access and an ADFS-published treasury portal

A leaver account remains active in AD, still synchronises to Entra, and still reaches a treasury servicing application through an unreduced ADFS trust path.

Business impact

This is the sort of low-noise access path that creates board concern because the failure is basic, cross-platform and hard to explain away.

Recommended action

Disable the account, remove the linked group memberships and evidence closure in the next run.

Owner: IAM lead with service partner oversight

criticalAuthenticationnew

Only ten global administrators have MFA enforced; the wider user estate does not

Meridian Crest has protected its ten Global Administrator accounts, but the remaining standard-user population still signs in without enforced MFA.

Business impact

For a regulated financial-services firm, the exposure is not just credential theft. It is the absence of a defensible user-access control baseline.

Recommended action

Start a phased P1-based MFA rollout for priority user groups immediately and evidence coverage growth between runs.

Owner: Identity and access management

highFederationnew

ADFS relying party trust sprawl keeps older finance and branch applications in scope

Fourteen relying parties remain active, including branch-servicing and treasury applications that have partly moved towards Entra-backed access.

Business impact

Residual federation paths complicate access governance, increase operational fragility and keep older trust assumptions alive.

Recommended action

Rationalise trusts, retire redundant claim rules and document business ownership for each remaining dependency.

Owner: Infrastructure engineering

highProvisioningnew

Historic MIM rules preserve old entitlements after department change

Thirty-seven mover records still carry historic attributes into legacy on-prem applications, especially across advisory support and servicing teams.

Business impact

Entitlement drift becomes harder to spot because the problem sits between HR process, AD state and older provisioning logic.

Recommended action

Review the highest-impact MIM attribute rules first and remove legacy entitlement mappings for department moves.

Owner: Identity engineering

highPrivilegedAccessnew

Azure production and operations roles remain broader than named operational need

Standing privileged assignments remain across production and non-production Azure subscriptions, including operational support and reporting workflows.

Business impact

The issue matters because the same small admin cohort can still affect access, monitoring and workload settings without tighter separation.

Recommended action

Reduce standing assignments, separate emergency access from everyday administration and prioritise named role clean-up.

Owner: Platform engineering

mediumCloudTrustnew

AWS analytics deployment trust is broader than intended for shared engineering workflows

A shared deployment role still reaches analytics-facing workloads and data stores through a wider trust policy than the target service boundary requires.

Business impact

This is a believable inherited cloud problem: not headline-grabbing on its own, but material in a hybrid control story.

Recommended action

Narrow the trust policy and separate the analytics deployment path from broader engineering access.

Owner: Cloud engineering

Second-run signal

What improved and what still matters

criticalAuthenticationpersistent

MFA is now rolling out, but 1,215 standard users still do not have it enforced

The second run proves movement, but the estate is still far from a defensible end state. The first rollout wave covered 285 users; the majority remain outside MFA.

Business impact

This makes the progress story credible. Risk has narrowed, but it has not disappeared into presentation theatre.

Recommended action

Continue the phased rollout by user risk and business criticality, using P1-based Conditional Access rather than waiting for a licensing upgrade story.

Owner: Identity and access management

highFederationimproved

Eleven ADFS trusts still support branch-servicing and treasury workflows

The remaining trust footprint is materially smaller, but the unresolved paths are the ones most likely to matter operationally.

Business impact

This is now a bounded hybrid-modernisation issue with clearer ownership and less sprawl.

Recommended action

Finish the trust rationalisation plan and move the remaining application owners onto a named retirement schedule.

Owner: Infrastructure engineering

highPrivilegedAccessimproved

Nineteen standing Azure production and support assignments remain active

The most exposed assignments were reduced, but standing privilege is still broader than named operational need across production support and reporting workflows.

Business impact

The risk is narrower and easier to challenge, which is exactly why the second run is useful.

Recommended action

Keep reducing standing assignments and separate named operational roles from emergency access patterns.

Owner: Platform engineering

mediumProvisioningimproved

MIM-driven entitlement drift is smaller but still visible across legacy servicing applications

The first remediation pass removed some inherited access, but department-move exceptions are still visible in legacy app role data.

Business impact

This is the kind of issue that rarely disappears in one sprint; it needs measured monthly work and evidence.

Recommended action

Keep a named MIM clean-up workstream and report residual exception counts monthly.

Owner: Identity engineering

mediumAccessGovernancenew

Supplier and SaaS lifecycle drift now looks smaller, sharper and more governable

The second run surfaces a tighter residual list across M365 guest access, ServiceNow fulfilment access and finance tooling.

Business impact

The point is not that the issue vanished. The point is that it is now explicit enough to package into a recurring MSP review motion.

Recommended action

Turn guest and supplier access into a standing monthly review pack with named business owners.

Owner: Service partner lead

The first delta run makes the story stronger because it shows visible movement without claiming the estate is now tidy.

The MFA position is still uncomfortable, but it is no longer hidden: the starting point of ten protected global administrators has become a first phased rollout covering 285 users.

Your MSP partner now has a credible monthly conversation around lifecycle closure, federation retirement, privileged-access reduction and evidence-backed reporting.

Priority actions

Disable stale hybrid identities with VPN, treasury and branch-servicing access before the next run.
Begin a phased MFA rollout using Entra ID P1 Conditional Access, starting with finance, remote access, and privileged operational users.
Retire redundant ADFS relying parties and document ownership for the remaining regulated application dependencies.
Reduce standing Azure admin assignments and separate emergency access from routine administration.
Target MIM-driven entitlement drift and supplier guest access as named monthly review workstreams.

Narrative arc

First install + delta run

MRI-MCFS-2026-01-07-A

Initial run · 7 Jan 2026

Posture score

52/100

Early, useful baseline

Findings

Week-one prioritised list

Data confidence

61%

Connector visibility still maturing

MFA coverage

Ten global admins only

Legacy auth

Mailboxes exposed

Unmanaged access

Recent sign-ins

This is a first install in a complex hybrid estate, not a polished baseline.

The data is useful because it creates a defensible priority list, even though MIM, AWS and SaaS lifecycle coverage are still maturing.

The most important early truth is stark: only ten global administrators had MFA at first install, while the wider user population did not.

MRI-MCFS-2026-01-22-B

Delta run · 22 Jan 2026

Posture score

59/100

Measurable uplift after remediation

Findings

Smaller, sharper backlog

Data confidence

68%

Coverage is broader, still honest

MFA coverage

19%

Visible rollout started

Legacy auth

Remaining operational exceptions

Unmanaged access

Narrower scope than week one

Resolved

Issues closed between runs

Newly surfaced

Mostly from broader app coverage

Delta comparison

The strongest story is progress with realism

Stale hybrid accounts

11 → 6 accounts

The highest-risk leaver and contractor identities were disabled first, including the treasury case surfaced in the first run.

Users with MFA enforced

10 → 285 users

The ten global administrators remain protected and the first user rollout now covers finance, operations management and remote-access users.

ADFS relying parties

14 → 11 trusts

Redundant claim paths were retired first; the remaining trusts are the ones with real business dependencies.

Standing Azure admin assignments

28 → 19 assignments

The emergency-support pattern is narrower, but everyday admin access is still broader than ideal.

AWS trust misalignments

6 → 4 paths

The highest-risk analytics trust paths were constrained, leaving a smaller residual set to retire.

SaaS orphaned access

23 → 18 entitlements

Some new visibility appeared as ServiceNow and collaboration evidence improved, so the count fell more slowly than the confidence rose.

Top themes

Week-one findings are already specific

Stale hybrid accounts

Leaver and contractor identities still active in AD and Entra, including treasury and VPN access.

accounts

ADFS trust sprawl

Several relying parties remain after partial migration to Entra-backed access.

trusts

MIM-driven entitlement drift

Mover events are not consistently stripping older on-prem application roles.

users

User MFA coverage gap

Only the ten global administrators currently have MFA enforced.

1490

users

Standing privileged access

Named and shared admin paths still exist across Entra, Azure and operational support roles.

assignments

AWS trust misalignment

Shared engineering and analytics workflows still rely on broader trust than intended.

paths

SaaS lifecycle drift

Guest, supplier and mover access remains in finance, HR and service-management tooling.

entitlements

Sensitive data oversharing

External sharing expiry and ownership are inconsistent across M365 workspaces.

126

links

Conditional Access gaps

P1-based controls exist, but are concentrated around admin access rather than the wider user estate.

controls

Priority findings

Identity-led findings, not generic security filler

criticalLifecyclenew

Former treasury analyst account remains active through AD sync, VPN access and an ADFS-published treasury portal

A leaver account remains active in AD, still synchronises to Entra, and still reaches a treasury servicing application through an unreduced ADFS trust path.

Business impact

This is the sort of low-noise access path that creates board concern because the failure is basic, cross-platform and hard to explain away.

Recommended action

Disable the account, remove the linked group memberships and evidence closure in the next run.

Owner: IAM lead with service partner oversight

criticalAuthenticationnew

Only ten global administrators have MFA enforced; the wider user estate does not

Meridian Crest has protected its ten Global Administrator accounts, but the remaining standard-user population still signs in without enforced MFA.

Business impact

For a regulated financial-services firm, the exposure is not just credential theft. It is the absence of a defensible user-access control baseline.

Recommended action

Start a phased P1-based MFA rollout for priority user groups immediately and evidence coverage growth between runs.

Owner: Identity and access management

highFederationnew

ADFS relying party trust sprawl keeps older finance and branch applications in scope

Fourteen relying parties remain active, including branch-servicing and treasury applications that have partly moved towards Entra-backed access.

Business impact

Residual federation paths complicate access governance, increase operational fragility and keep older trust assumptions alive.

Recommended action

Rationalise trusts, retire redundant claim rules and document business ownership for each remaining dependency.

Owner: Infrastructure engineering

highProvisioningnew

Historic MIM rules preserve old entitlements after department change

Thirty-seven mover records still carry historic attributes into legacy on-prem applications, especially across advisory support and servicing teams.

Business impact

Entitlement drift becomes harder to spot because the problem sits between HR process, AD state and older provisioning logic.

Recommended action

Review the highest-impact MIM attribute rules first and remove legacy entitlement mappings for department moves.

Owner: Identity engineering

highPrivilegedAccessnew

Azure production and operations roles remain broader than named operational need

Standing privileged assignments remain across production and non-production Azure subscriptions, including operational support and reporting workflows.

Business impact

The issue matters because the same small admin cohort can still affect access, monitoring and workload settings without tighter separation.

Recommended action

Reduce standing assignments, separate emergency access from everyday administration and prioritise named role clean-up.

Owner: Platform engineering

mediumCloudTrustnew

AWS analytics deployment trust is broader than intended for shared engineering workflows

A shared deployment role still reaches analytics-facing workloads and data stores through a wider trust policy than the target service boundary requires.

Business impact

This is a believable inherited cloud problem: not headline-grabbing on its own, but material in a hybrid control story.

Recommended action

Narrow the trust policy and separate the analytics deployment path from broader engineering access.

Owner: Cloud engineering

Second-run signal

What improved and what still matters

criticalAuthenticationpersistent

MFA is now rolling out, but 1,215 standard users still do not have it enforced

The second run proves movement, but the estate is still far from a defensible end state. The first rollout wave covered 285 users; the majority remain outside MFA.

Business impact

This makes the progress story credible. Risk has narrowed, but it has not disappeared into presentation theatre.

Recommended action

Continue the phased rollout by user risk and business criticality, using P1-based Conditional Access rather than waiting for a licensing upgrade story.

Owner: Identity and access management

highFederationimproved

Eleven ADFS trusts still support branch-servicing and treasury workflows

The remaining trust footprint is materially smaller, but the unresolved paths are the ones most likely to matter operationally.

Business impact

This is now a bounded hybrid-modernisation issue with clearer ownership and less sprawl.

Recommended action

Finish the trust rationalisation plan and move the remaining application owners onto a named retirement schedule.

Owner: Infrastructure engineering

highPrivilegedAccessimproved

Nineteen standing Azure production and support assignments remain active

The most exposed assignments were reduced, but standing privilege is still broader than named operational need across production support and reporting workflows.

Business impact

The risk is narrower and easier to challenge, which is exactly why the second run is useful.

Recommended action

Keep reducing standing assignments and separate named operational roles from emergency access patterns.

Owner: Platform engineering

mediumProvisioningimproved

MIM-driven entitlement drift is smaller but still visible across legacy servicing applications

The first remediation pass removed some inherited access, but department-move exceptions are still visible in legacy app role data.

Business impact

This is the kind of issue that rarely disappears in one sprint; it needs measured monthly work and evidence.

Recommended action

Keep a named MIM clean-up workstream and report residual exception counts monthly.

Owner: Identity engineering

mediumAccessGovernancenew

Supplier and SaaS lifecycle drift now looks smaller, sharper and more governable

The second run surfaces a tighter residual list across M365 guest access, ServiceNow fulfilment access and finance tooling.

Business impact

The point is not that the issue vanished. The point is that it is now explicit enough to package into a recurring MSP review motion.

Recommended action

Turn guest and supplier access into a standing monthly review pack with named business owners.

Owner: Service partner lead

The first delta run makes the story stronger because it shows visible movement without claiming the estate is now tidy.

The MFA position is still uncomfortable, but it is no longer hidden: the starting point of ten protected global administrators has become a first phased rollout covering 285 users.

Your MSP partner now has a credible monthly conversation around lifecycle closure, federation retirement, privileged-access reduction and evidence-backed reporting.

Priority actions

Disable stale hybrid identities with VPN, treasury and branch-servicing access before the next run.
Begin a phased MFA rollout using Entra ID P1 Conditional Access, starting with finance, remote access, and privileged operational users.
Retire redundant ADFS relying parties and document ownership for the remaining regulated application dependencies.
Reduce standing Azure admin assignments and separate emergency access from routine administration.
Target MIM-driven entitlement drift and supplier guest access as named monthly review workstreams.

A calmer, boardroom-grade demo built around the real MRI-led product experience.

First install + delta run

Initial run · 7 Jan 2026

Delta run · 22 Jan 2026

The strongest story is progress with realism

Week-one findings are already specific

Identity-led findings, not generic security filler

Former treasury analyst account remains active through AD sync, VPN access and an ADFS-published treasury portal

Only ten global administrators have MFA enforced; the wider user estate does not

ADFS relying party trust sprawl keeps older finance and branch applications in scope

Historic MIM rules preserve old entitlements after department change

Azure production and operations roles remain broader than named operational need

AWS analytics deployment trust is broader than intended for shared engineering workflows

What improved and what still matters

MFA is now rolling out, but 1,215 standard users still do not have it enforced

Eleven ADFS trusts still support branch-servicing and treasury workflows

Nineteen standing Azure production and support assignments remain active

MIM-driven entitlement drift is smaller but still visible across legacy servicing applications

Supplier and SaaS lifecycle drift now looks smaller, sharper and more governable

Priority actions

A calmer, boardroom-grade demo built around the real MRI-led product experience.

First install + delta run

Initial run · 7 Jan 2026

Delta run · 22 Jan 2026

The strongest story is progress with realism

Week-one findings are already specific

Identity-led findings, not generic security filler

Former treasury analyst account remains active through AD sync, VPN access and an ADFS-published treasury portal

Only ten global administrators have MFA enforced; the wider user estate does not

ADFS relying party trust sprawl keeps older finance and branch applications in scope

Historic MIM rules preserve old entitlements after department change

Azure production and operations roles remain broader than named operational need

AWS analytics deployment trust is broader than intended for shared engineering workflows

What improved and what still matters

MFA is now rolling out, but 1,215 standard users still do not have it enforced

Eleven ADFS trusts still support branch-servicing and treasury workflows

Nineteen standing Azure production and support assignments remain active

MIM-driven entitlement drift is smaller but still visible across legacy servicing applications

Supplier and SaaS lifecycle drift now looks smaller, sharper and more governable

Priority actions