Skip to main content
IT KORR
IT KORRKeeping Organizations Reliable & Resilient
Knowledge Center · Cybersecurity

Identity & Access Management

The authority hub for identity and authentication — MFA, passwordless and passkeys, SSO/federation, Conditional Access, and privileged identity management.

Something YouKnowPassword, PINSomething YouHavePhone, hardware keySomething YouAreFingerprint, face scanMFA = factors from at least two different circlesTwo passwords (both "something you know") does not qualify as MFA
Multi-factor authentication requires factors from at least two different categories — two passwords is not MFA, even though it is two secrets.

Downloads

Downloadable Resources

Free templates and guides — preview, copy, or download as Markdown or plain text.

Checklist

MFA Rollout Checklist

A step-by-step checklist for rolling out multi-factor authentication without a support-desk avalanche.

Open →

Worksheet

Conditional Access Policy Worksheet

A planning worksheet for designing Conditional Access policies before building them in the identity platform.

Open →

Guide

Privileged Access Governance Guide

A guide for reducing standing administrative privilege through just-in-time activation, break-glass accounts, and periodic review.

Open →

Guide

Passwordless Adoption Guide

A phased guide for rolling out passkeys and FIDO2/WebAuthn authentication across an organization.

Open →

Checklist

Identity Governance Checklist

A checklist covering provisioning, access reviews, and deprovisioning discipline across the identity lifecycle.

Open →

Template

Joiner-Mover-Leaver Template

A fill-in-the-blank template for documenting your organization's onboarding, role-change, and offboarding procedures.

Open →

Guide

Identity Security Best Practices

A consolidated reference covering the full set of current identity and authentication best practices in one document.

Open →

Guide

Authentication Architecture Guide

A reference architecture guide covering how authentication, SSO, Conditional Access, and privileged access fit together as one system.

Open →

Workbook

Conditional Access Planning Workbook

A multi-phase rollout workbook for planning a Conditional Access implementation from baseline to advanced policy sets.

Open →

Worksheet

Identity Governance Review Worksheet

A structured worksheet for conducting a periodic identity access review, with fields for findings and remediation.

Open →

Quick Reference

The Short Version

Full treatment lives in the articles above.

Phishing-Resistant MFA

Hardware keys and passkeys cryptographically bind to the real destination — a fake login page cannot complete the exchange, unlike SMS or app codes.

Just-in-Time Privilege

A standing admin account is a full-time target. Time-boxed, justified activation shrinks the exposure window to only when privilege is actually in use.

Same-Day Offboarding

Delayed access revocation after an employee departs is one of the most frequently cited findings in security and compliance reviews.

Report-Only Before Enforcement

The most common Conditional Access incident is a policy that locks administrators out of their own tenant — test in Report-only mode first.

FAQ

Common Questions

What is the difference between authentication and authorization?

Authentication verifies who you are; authorization determines what you're allowed to do once verified. A correctly authenticated user can still be authorized for very little, and vice versa — see Authentication Fundamentals for the full distinction.

Is SMS-based MFA still worth using?

Yes, as a baseline it is dramatically better than no MFA — but it is meaningfully weaker than an authenticator app or hardware key against a targeted phishing attack. Reserve stronger, phishing-resistant methods for administrative and high-value accounts.

How does this cluster relate to Password Security?

Password Security covers the credential itself — length, uniqueness, storage. Identity & Access Management covers everything around that credential: how it's verified (MFA), how access is centralized (SSO), how context changes the decision (Conditional Access), and how privilege is governed over time.

How does this cluster relate to Microsoft 365 Security & Entra ID?

This cluster covers identity and authentication concepts generally, applicable to any identity platform. The Microsoft 365 Security & Entra ID hub applies those same concepts specifically to Microsoft 365 — Entra ID licensing, Defender for Office 365, Secure Score, and workload-specific Conditional Access patterns.

Operational Support

Need to close identity and access gaps across your organization?

IT KORR can design and implement Conditional Access policy, roll out phishing-resistant MFA, configure Privileged Identity Management, and build reliable identity lifecycle governance.

No commitment required — we respond within one business day.

Build: add8299 | Built: Jul 9, 2026 9:26 PM EDT