Identity & Access Capability Map

A capability-area view of identity and access across the cloud estate. Tenant and RBAC foundation, conditional access posture, privileged access management, identity threat detection — the four pillars that together constitute a mature identity capability.

Compass (the four lenses used on every map)
  • Business: persona, use case, outcome
  • Capability: what the org needs to do
  • Technology: the technology choices
  • Source: where the evidence sits
Guided journey · Step 1 of 4

Landing Zone — Identity Foundation

Tenant and RBAC foundation. Single Entra ID tenant, management group hierarchy, RBAC at management-group scope. The hardest-to-reverse pillar in the capability.

~ 6 weeks

Narrative intro

Identity is the modern perimeter. The four pillars below are the identity capability area in maturity order: tenant and RBAC foundation, conditional access, privileged access management, identity threat detection. Together they constitute a mature identity capability — individually they're partial postures that don't add up. Identity sits across the org chart: CIO owns the platform; CISO owns the threat-detection posture. This map is dual-persona for that reason. Use it for joint identity programme conversations, identity-maturity benchmarking, and the structural decisions that determine whether identity is a single capability or two parallel ones.

Key takeaways

  • Identity is one capability owned by two functions. Joint CIO/CISO ownership is the working model; siloed ownership produces gaps.
  • The maturity arc is foundation → perimeter → privilege → threat detection. Skipping a step produces a posture that fails audit.
  • Entra ID P2 is the floor for credible identity threat detection, and it is also the licence that carries PIM. Identity Protection is the source of the highest-fidelity identity detections (risky sign-ins, risky users, leaked credentials).
  • PIM is the control insurers and regulators ask about first. Standing (permanent, non-PIM) Global Admin is the configuration that ends up in the breach report. The deliberate exception is the emergency-access (break-glass) accounts, which stay permanently assigned and excluded from Conditional Access, and are therefore monitored rather than removed.
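A worked check for the last takeaway, added here as an example and not code from the page or from any Microsoft tooling: it classifies Global Administrator assignments as standing, time-bound, PIM-activated, or exempted break-glass. The input records are assumed to follow the shape of Microsoft Graph `roleManagement/directory/roleAssignmentSchedules` (only the fields read below matter; the sample records and principal IDs are constructed). The Global Administrator role template ID is the fixed, tenant-independent value.

```python
"""Flag standing (permanent, non-PIM) Global Administrator assignments.

Added example. Records are assumed to look like Microsoft Graph
roleManagement/directory/roleAssignmentSchedules objects, e.g. exported
with Get-MgRoleManagementDirectoryRoleAssignmentSchedule and saved as JSON.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Role template ID of Global Administrator; identical in every tenant.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"


@dataclass(frozen=True)
class Finding:
    principal_id: str
    status: str  # "standing" | "time-bound" | "pim-activated" | "break-glass"


def classify(record: dict) -> Optional[str]:
    """How this record grants Global Admin, or None if it is another role."""
    if record.get("roleDefinitionId") != GLOBAL_ADMIN_TEMPLATE_ID:
        return None
    # assignmentType "Activated" = a PIM eligibility that was activated and
    # expires on its own; "Assigned" = a direct active assignment.
    if record.get("assignmentType") == "Activated":
        return "pim-activated"
    expiration = (record.get("scheduleInfo") or {}).get("expiration") or {}
    # A missing expiration block is treated as permanent (worst case).
    if expiration.get("type", "noExpiration") == "noExpiration":
        return "standing"
    return "time-bound"


def audit_global_admins(records: Iterable[dict],
                        break_glass: frozenset = frozenset()) -> List[Finding]:
    """One Finding per Global Admin record; break-glass IDs are relabelled,
    not dropped, so they still show up in the report."""
    findings = []
    for rec in records:
        status = classify(rec)
        if status is None:
            continue
        pid = rec["principalId"]
        if status == "standing" and pid in break_glass:
            status = "break-glass"  # deliberately permanent: monitor, do not remove
        findings.append(Finding(pid, status))
    return findings


def status_by_principal(records: Iterable[dict],
                        break_glass: frozenset = frozenset()) -> Dict[str, str]:
    return {f.principal_id: f.status for f in audit_global_admins(records, break_glass)}


def standing_admins(records: Iterable[dict],
                    break_glass: frozenset = frozenset()) -> List[str]:
    """The principals a PIM programme has to convert to eligible."""
    return sorted(f.principal_id for f in audit_global_admins(records, break_glass)
                  if f.status == "standing")


# Constructed sample export (assumed shape; principal IDs are placeholders).
SAMPLE_SCHEDULES = [
    {"principalId": "alice", "roleDefinitionId": GLOBAL_ADMIN_TEMPLATE_ID,
     "assignmentType": "Assigned",
     "scheduleInfo": {"expiration": {"type": "noExpiration"}}},
    {"principalId": "bob", "roleDefinitionId": GLOBAL_ADMIN_TEMPLATE_ID,
     "assignmentType": "Activated",
     "scheduleInfo": {"expiration": {"type": "afterDateTime",
                                     "endDateTime": "2024-01-01T09:00:00Z"}}},
    {"principalId": "breakglass-1", "roleDefinitionId": GLOBAL_ADMIN_TEMPLATE_ID,
     "assignmentType": "Assigned"},
    {"principalId": "carol", "roleDefinitionId": "some-other-role-id",
     "assignmentType": "Assigned",
     "scheduleInfo": {"expiration": {"type": "noExpiration"}}},
    {"principalId": "dave", "roleDefinitionId": GLOBAL_ADMIN_TEMPLATE_ID,
     "assignmentType": "Assigned",
     "scheduleInfo": {"expiration": {"type": "afterDateTime",
                                     "endDateTime": "2024-02-01T00:00:00Z"}}},
]
BREAK_GLASS = frozenset({"breakglass-1"})

if __name__ == "__main__":
    for finding in audit_global_admins(SAMPLE_SCHEDULES, BREAK_GLASS):
        print(f"{finding.principal_id:14s} {finding.status}")
    print("standing Global Admins to convert to PIM-eligible:",
          standing_admins(SAMPLE_SCHEDULES, BREAK_GLASS))
```

On the sample, `alice` is the only finding that a PIM programme has to act on: `bob` is a PIM activation that will lapse, `dave` is time-bound, `carol` holds a different role, and `breakglass-1` is reported as break-glass so that it lands on the monitoring list rather than the removal list. Against a real export, the break-glass set should be the documented emergency-access account object IDs, and anything else classified as standing is the finding that the takeaway above describes.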

Programme shape

Estimated duration
16 to 40 weeks
Estimated FTE
Identity architect, security architect, platform engineering, IAM operations. Identity is owned jointly by CIO (platform) and CISO (security posture) — the map is dual-persona.
Spend tier
moderate
Risk level
moderate

Capability-area map rather than a cluster or programme map. The four pillars are the canonical identity capability areas; the path is the maturity arc rather than a delivery sequence. Cross-cluster relevance: identity sits between Cloud Foundation (platform) and Security Operations (threat detection).