IT KORR Knowledge Center
Identity Security Best Practices
A consolidated reference covering the full set of current identity and authentication best practices in one document.
Authentication
- Enforce MFA for all users, all applications, with no standing undocumented exceptions.
- Block legacy authentication protocols that bypass MFA.
- Prioritize phishing-resistant methods (hardware key, passkey) for high-value accounts.
Access Control
- Use Conditional Access (or equivalent) to evaluate context, not just credentials.
- Test new policies in Report-only mode before enforcement.
- Maintain documented, monitored break-glass accounts excluded from policy.
Privileged Access
- Move standing administrative privilege to just-in-time activation where possible.
- Review standing privileged role assignments on a recurring schedule.
- Apply the same scrutiny to service account privilege as human accounts.
Identity Lifecycle
- Provision access from role-based templates, not ad hoc requests.
- Treat every role change as a full access review, including removal.
- Revoke access same-day on offboarding, triggered directly from HR notification.
Related Resources
- Authentication Fundamentals — /knowledge-center/cybersecurity/identity-access-management/authentication-fundamentals
- Identity & MFA Readiness Assessment — /tools/identity-mfa-readiness-assessment