Infographic explaining Identity and Access Management (IAM), covering authentication, authorization, auditing, and ensuring the right people get the right access at the right time.

What Is Identity and Access Management? Plain-English Guide

Quick Answer: Identity and Access Management (IAM) is the system that controls who can log in to your business systems and what they can do once they are in. It answers two questions for every user, device, and app in your organisation: Are you who you say you are? And should you be allowed to access this?

Key Takeaways

  • IAM stands for Identity and Access Management – the framework that manages who gets access to what in your organisation.
  • 61% of all data breaches involve compromised credentials – weak or stolen passwords are the #1 way attackers get in. IAM directly fixes this.
  • The core IAM components are: MFA, SSO, RBAC, PAM, and SCIM – each one explained simply below.
  • Microsoft Entra ID (formerly Azure Active Directory) is the IAM platform built into Microsoft 365 – most Australian businesses already have it and are not using it fully.
  • IAM is a direct requirement for ACSC Essential Eight Maturity Level 2, the Privacy Act NDB scheme, and cyber insurance in Australia.
  • IAM is not just a security tool – it also saves time. Automated provisioning and SSO reduce helpdesk calls by up to 50%.

What Is Identity and Access Management - In Plain English?

Think of IAM like the front desk and security badge system in a large office building.

The front desk checks who you are before letting you in (identity). Your security badge determines which floors, rooms, and cupboards you can open once you are inside (access management).

Without a system like this, anyone who walks through the front door can go anywhere. That is exactly what happens in businesses without proper IAM.

Formally defined: IAM is the process of codifying not only users and groups in a system, but also what resources they are each able to access and what functions they are each able to perform.

It covers three things:

  • Authentication – proving you are who you say you are (login, MFA)
  • Authorisation – determining what you are allowed to access
  • Access control – enforcing those rules consistently, every time

Why Does IAM Matter Right Now?

The way people work has changed completely.

Staff now work from home, from cafes, from overseas. They use personal phones and laptops alongside company devices. They log in to dozens of cloud apps using the same password – or variations of it.

Each of these is an opportunity for an attacker.

The average employee uses 191 passwords – and 81% of data breaches are caused by weak, stolen, or reused passwords, according to the Verizon 2025 Data Breach Investigations Report.

The ASD Cyber Threat Report 2024–25 found that credential-based attacks were among the most reported cybercrime types in Australia – and Business Email Compromise, which almost always starts with a stolen password, cost Australian businesses over $152 million in 2024.

IAM is the direct solution to all of this. It makes stolen passwords significantly less useful by adding more verification layers – and limits the damage if an attacker does get in by restricting what any one account can access.

The 5 Core Components of IAM - Each Explained Simply

1. Multi-Factor Authentication (MFA)

What it is: MFA requires users to prove their identity using two or more things – typically a password plus a code from their phone or a fingerprint.

Why it matters: A stolen password alone is not enough to get in. The attacker also needs the second factor – which they almost certainly do not have.

Microsoft’s own data shows that MFA blocks 99.9% of automated account takeover attacks.

In plain English: Your password is one key. MFA adds a deadbolt.

For Australian businesses, MFA is a direct requirement under Essential Eight Maturity Level 1 – the baseline that every organisation should reach. Our conditional access policy examples show how to enforce MFA correctly using Microsoft Entra ID.

2. Single Sign-On (SSO)

What it is: SSO lets users log in once and access all their apps without logging in again to each one.

Why it matters: Without SSO, staff manage separate usernames and passwords for every app – and they reuse simple passwords out of frustration. With SSO, there is one secure login that unlocks everything.

Business benefit: IT spends less time resetting passwords. Staff spend less time logging in. And when an employee leaves, disabling their one SSO account immediately revokes access to every connected app – no manual removal from 15 different tools.

SSO reduces helpdesk password reset calls by up to 50%, according to Gartner.

Our full single sign-on implementation guide walks through SSO deployment step by step using Microsoft Entra ID.

3. Role-Based Access Control (RBAC)

What it is: RBAC assigns access based on a person’s job role – not individually, and not all-or-nothing.

Why it matters: Instead of giving every employee access to everything, RBAC means the sales team can access the CRM, finance can access the accounting system, and HR can access personnel files – but each group only sees what they need.

In plain English: Your security badge opens the rooms your role requires. Not every room in the building.

This directly addresses the principle of least privilege – one of the most important concepts in cybersecurity. Forrester research found that enforcing least privilege reduces insider threat risk by up to 75%.

RBAC is also what powers identity lifecycle management – when someone changes roles, their access automatically updates to match their new position rather than accumulating permissions over time.

4. Privileged Access Management (PAM)

What it is: PAM is a stricter layer of IAM specifically for accounts with admin-level access – IT administrators, database managers, senior executives with financial authority.

Why it matters: Admin accounts are the most targeted accounts in any organisation. An attacker who compromises a regular employee account gets limited access. An attacker who compromises an admin account can access everything, change security settings, disable monitoring, and cause catastrophic damage.

PAM typically works by making admin rights just-in-time – an admin requests elevated access for a specific task, uses it for that task, then the elevated access disappears automatically.

In Microsoft terms: This is Microsoft Entra Privileged Identity Management (PIM). Instead of anyone having permanent Global Admin rights, they activate their admin role when needed – for 1 hour, 4 hours, or 8 hours – then it expires.

Essential Eight alignment: PAM directly satisfies the “Restrict Administrative Privileges” control, required at Maturity Level 1.

5. Automated Provisioning and Deprovisioning (SCIM)

What it is: Provisioning is creating a user account and giving them access when they join. Deprovisioning is removing all access when they leave. SCIM (System for Cross-domain Identity Management) automates both.

Why it matters: When someone joins your business, they need access to email, the CRM, the HR system, and project tools – all set up correctly on day one. When they leave, every single access point must be revoked immediately.

Without automation, offboarding is done manually – and it gets missed. 11% of organisations have experienced a data breach caused by an ex-employee’s account that was never deactivated.

With SCIM, disabling someone in your HR system or Microsoft Entra ID automatically cascades to every connected app in minutes.

Our identity lifecycle management guide covers the full Joiner-Mover-Leaver process including SCIM automation.

IAM vs PAM: What Is the Difference?

This question comes up often – so here is the short answer:

 

IAM

PAM

Who it covers

All users (everyone)

Admin and privileged accounts only

Focus

Authentication + access control

Protecting high-risk, high-power accounts

Access model

RBAC – based on role

Just-in-time – activate when needed

Risk level

Medium

Critical

Tools

Entra ID, Okta, JumpCloud

Entra PIM, CyberArk, BeyondTrust

PAM is a specialised, stricter subset of IAM. Most organisations implement IAM first, then add PAM for their highest-risk accounts.

What Does IAM Look Like in a Microsoft 365 Environment?

For the majority of Australian businesses running Microsoft 365, Microsoft Entra ID (formerly Azure Active Directory) is the IAM platform.

It is already included in your subscription. Most businesses are not using it to its full potential.

Here is what Entra ID provides across each IAM component:

  • MFA – Microsoft Authenticator, FIDO2 passkeys, SMS (legacy fallback)
  • SSO – connects to 3,000+ apps in the Entra App Gallery (Salesforce, Xero, MYOB, Dropbox, Zoom, and more)
  • RBAC – role assignments for Microsoft 365 apps and connected SaaS tools
  • PAM – Entra Privileged Identity Management (PIM) for just-in-time admin access
  • SCIM provisioning – automatic account creation and removal in connected apps
  • Conditional Access – policy engine that enforces IAM rules (require MFA, require compliant device, block overseas logins)

Our Entra ID explained guide covers the full platform. For configuration, see our Microsoft 365 security guide.

IAM and Australian Compliance - Why It Is Not Optional

Compliance Requirement

IAM Control That Satisfies It

Essential Eight – MFA (ML1+)

MFA enforced via Conditional Access

Essential Eight – Restrict Admin Privileges (ML1+)

RBAC + PAM (Entra PIM)

Essential Eight – Patch Applications (ML1+)

Device compliance via Intune + Conditional Access

Privacy Act NDB – Reasonable steps

MFA, SSO, least privilege, audit logs

Privacy Act NDB – Breach investigation

Sign-in logs and access audit trails

Cyber insurance 2026

MFA, LAPS, SSO, PAM – all on insurer questionnaires

ISO 27001 Annex A.5.18

Access rights management and review

APRA CPS 234

Access controls commensurate with risk

In plain English: if you do not have IAM properly configured, you are likely failing one or more of these requirements – and you may not know it until you make an insurance claim or face a regulator.

For the full Essential Eight mapping, see our Essential Eight checklist.

What Happens Without IAM? A Real Example

A 40-person accounting firm in Sydney had no formal IAM programme. Staff shared admin passwords for key systems. Remote access was via a VPN with one shared password. Offboarding consisted of a manager’s email to IT – which was often delayed by days.

When a senior accountant left under difficult circumstances, their VPN credentials and cloud access remained active. Six weeks after their departure, those credentials were used to access client financial records – not by the former employee, but by an attacker who had obtained the credentials through a phishing email sent weeks earlier.

The firm could not determine the scope of data accessed. They could not confirm when the breach began. The audit trail was insufficient to support an NDB investigation.

What IAM would have changed:

  • SCIM automation would have revoked all access within minutes of the HR offboarding record being updated
  • Conditional Access would have blocked the VPN access from an unrecognised device
  • Audit logs in Entra ID would have provided a complete access timeline for the NDB assessment

The cost of the incident – legal, regulatory, and reputational – significantly exceeded the cost of implementing IAM.

If this scenario sounds familiar, contact our team for an IAM assessment.

Related Reading

Frequently Asked Questions

What is identity and access management (IAM)?

Identity and Access Management (IAM) is the framework that controls who can log in to your business systems and what they are allowed to do once inside. It manages authentication (proving who you are), authorisation (deciding what you can access), and access control (enforcing those rules). IAM tools include multi-factor authentication (MFA), single sign-on (SSO), role-based access control (RBAC), privileged access management (PAM), and automated provisioning. Together, these controls ensure that the right people have the right access - and nothing more.

What is the difference between identity management and access management?

Identity management focuses on the "who" - creating, maintaining, and removing user accounts and verifying that users are who they claim to be (via passwords, MFA, biometrics). Access management focuses on the "what" - determining which systems, files, and functions each verified user is permitted to reach. In practice, both work together: identity management authenticates the user, access management authorises what they can do. IAM as a term covers both.

Why is IAM important for cybersecurity?

IAM is important because compromised credentials are the leading cause of data breaches globally. The Verizon 2025 Data Breach Investigations Report found that 81% of breaches involve weak, stolen, or reused passwords. IAM addresses this directly by adding MFA (so stolen passwords alone cannot grant access), enforcing least privilege (so an attacker who does get in can only reach a limited slice of data), and providing audit logs (so breaches can be detected and investigated). For Australian businesses, IAM is also directly required by the ACSC Essential Eight, Privacy Act, and most cyber insurance policies.

What is the difference between IAM and PAM?

IAM covers all users in an organisation - managing access for employees, contractors, and external users. PAM (Privileged Access Management) is a more intensive subset of IAM specifically for accounts with administrative or elevated privileges - IT admins, database managers, finance controllers. PAM applies stricter controls like just-in-time access (admin rights that activate for a specific task and expire automatically) because these accounts are the highest-value targets for attackers. In practice, IAM is implemented first for all users, with PAM layered on top for the highest-risk accounts.

What IAM tools does Microsoft 365 include?

Microsoft 365 Business Premium includes Microsoft Entra ID Plan 1, which provides the core IAM capabilities: multi-factor authentication, single sign-on to 3,000+ apps, Conditional Access policies, role-based access control, and Microsoft Entra Privileged Identity Management (PIM). It also includes SCIM provisioning for automated account creation and removal in connected apps. These tools, properly configured, cover most of the Essential Eight identity requirements and the Privacy Act's "reasonable steps" obligation for credential protection. Our Entra ID and Microsoft 365 security guides cover the specific configuration steps.

Is IAM required for cyber insurance in Australia?

Effectively, yes. Australian cyber insurers in 2026 ask specifically about MFA (is it enforced for all users?), admin privilege controls (are admin accounts separated from standard accounts?), SSO (are applications connected for centralised access management?), and offboarding procedures (how quickly is access removed when staff leave?). "No" answers to these questions result in higher premiums, coverage exclusions, or in some cases renewal refusal. Implementing a basic IAM programme covering MFA, RBAC, and automated offboarding directly improves your insurance position.

How long does it take to implement IAM?

For a business using Microsoft 365, basic IAM - MFA for all users, Conditional Access blocking legacy authentication, separated admin accounts - can be implemented in two to four weeks. Adding SSO for all SaaS applications, RBAC review, and SCIM provisioning for the main apps typically takes two to three months. Full PAM with Entra PIM for privileged accounts adds another month. The most important step is starting with Identity (MFA and Conditional Access) because it delivers the highest security improvement per dollar and time invested. The complete roadmap is covered in our Zero Trust maturity model guide.

This guide is maintained by the CodeHyper security team. For an IAM assessment or implementation engagement, contact our team or visit codehyper.com.au.

Related Posts

10% Off Microsoft 365

Get a 10% discount on Microsoft 365 services for the first 3 months.*