The short version. Put every app behind one identity provider so there's one front door to defend. Raise MFA from "switched on" to genuinely strong, especially for admins. Split admin access into separate, tightly-held accounts. Write a joiner-mover-leaver process so access dies the day employment does. Use conditional access to judge every sign-in in context. Run a password manager for everything that can't do single sign-on. And govern the accounts that aren't people - service accounts, API keys, and OAuth app grants - because attackers target those too.

Where Stage 1 left you

Foundation got the basics in place: MFA is on, daily work happens in non-admin accounts, and you have an inventory that says who has access to what. Stage 2 turns those point-in-time wins into a system. Each step below keeps the same shape - What to do, Why it matters, and roughly What it costs - and the mapping table at the end ties every step back to the Essential Eight, ISO 27001:2022 Annex A, and NIST CSF 2.0.

Same honesty rule on money as Stage 1: public list prices get named, everything else is a clearly-labelled rough range. Treat the cost notes as order of magnitude, current as of June 2026.

1. Put every login behind one identity provider

Most small businesses accumulate logins the way drawers accumulate cables: every SaaS tool with its own username, password, and forgotten account list. Every one of those is a separate door an attacker can try, and a separate place you have to remember to close when someone leaves. The fix is single sign-on: one identity provider that every other application trusts.

What to do. Pick the identity provider you almost certainly already have - Microsoft Entra ID if you're on Microsoft 365, Google if you're on Workspace - and connect your other business applications to it via SSO, starting with the ones holding sensitive data. New apps don't get bought unless they support SSO. The goal state: a person has one identity, protected by one strong login, and disabling that identity cuts access to everything at once.

Why it matters. One front door means one place to enforce MFA, one place to watch sign-ins, and one switch to throw on departure. It's the prerequisite for nearly everything else in this stage - conditional access and a working leaver process both assume identity is centralised. ISO 27001 frames this as identity management (A.5.16): every identity accounted for, one per person.

Roughly what it costs. The identity provider is already in your Microsoft 365 or Google Workspace subscription. The catch is the SaaS side: some vendors paywall SSO behind higher tiers (the practice defenders call the "SSO tax"), so the real cost is per-app and worth checking before you renew. Time-wise, budget a few hours per application to connect and test.

2. Raise MFA from "on" to strong

Foundation turned MFA on. Stage 2 acknowledges an uncomfortable truth: not all MFA is equal, and attackers have moved on to beating the weak kinds - real-time phishing pages that relay codes, and push-notification fatigue attacks that spam approvals until someone taps yes.

What to do. Make MFA universal - every user, every service that supports it, no exceptions for executives (they're the most-targeted accounts in the building). Prefer phishing-resistant methods where you can: passkeys or FIDO2 hardware security keys, which are bound to the real site's origin, so a look-alike login page can't relay them. At minimum, move admins onto them, and retire SMS and voice codes wherever something better is available - they're the easiest factor to intercept or socially engineer. If you use push notifications, enable number matching so a tap can't be blind-approved. And treat MFA re-registration like a password reset: verify the person before the help desk resets it - attackers ring help desks for exactly this.

Why it matters. The Essential Eight's multi-factor authentication strategy climbs in exactly this direction as maturity levels rise - broader coverage and phishing-resistant methods. The OAIC's notifiable data breach reports consistently put compromised credentials among the leading causes of reported breaches in Australia, and phishing for credentials is one of the most common ways those credentials are obtained.

Roughly what it costs. Passkeys are free on platforms that support them. Hardware security keys are a one-off, roughly AU$50-100 each at retail - buying two per admin (one as backup) for a handful of admins is a few hundred dollars total, not a project. Number matching and authenticator hardening are configuration, not licensing.

3. Tier your admin access

Stage 1 separated daily work from admin work. Stage 2 tightens who holds admin at all, and what an admin account is allowed to touch. The pattern that hurts small businesses: one all-powerful account, used by whoever needs it, signed in everywhere, with the password in a shared document.

What to do. Keep the global-administrator list tiny - Microsoft's own guidance is fewer than five, each a named person, never shared. Give everyone else the narrowest admin role that does the job (helpdesk roles for password resets, billing roles for invoices). Privileged accounts shouldn't browse the web or read email - that's the Essential Eight's explicit expectation as maturity rises - and admin access should be requested and granted deliberately, not accumulated. Finally, create documented break-glass accounts (Microsoft recommends two) with long random passwords stored offline (sealed envelope or safe), excluded from conditional access so an MFA outage or a bad policy can't lock you out of your own tenant, and alert on any sign-in to them, because legitimate use should be rare.

Why it matters. "Restrict administrative privileges" is the Essential Eight strategy whose higher maturity levels live exactly here: validated requests for privileged access, privileged accounts blocked from internet and email, separate privileged environments. ISO 27001 A.8.2 requires privileged access rights to be specifically managed. And practically: the difference between a phished user and a phished admin is the difference between an incident and a disaster.

Roughly what it costs. Free to do the core of it - role assignment and process. If you're on Microsoft, Entra ID P2 adds just-in-time admin elevation (Privileged Identity Management) at a published list price of about US$9 per user per month, but only the people who hold privileged roles need it, and it's an optimisation, not a prerequisite.
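Steps 2 and 3 come down to a handful of questions you should be able to answer about every privileged account: how many global admins exist, which of them lack a phishing-resistant method, which also carry a mailbox (so they're used for daily work), and which look like shared logins. The script below is an added example, not code from the original page: it runs those checks over user records of the kind you get by joining an Entra ID user export with the authentication-methods registration report. The records, the method names and the field shape are constructed for illustration and are assumptions about that export, so map your own tenant's data onto them. The documented break-glass account is deliberately skipped, because it is MFA-exempt by design and is reviewed by hand.

```python
"""Privileged-account hygiene check for a Microsoft 365 tenant.

Added example, not code from the original page. The records and method
names below are constructed and the field shape is an assumption about
the tenant's export; adjust them to what your tenant actually produces.
"""
from dataclasses import dataclass, field

# Registration-report method names assumed to denote phishing-resistant MFA.
PHISHING_RESISTANT = {"fido2SecurityKey", "passKeyDeviceBound", "windowsHelloForBusiness"}
# Microsoft's guidance: fewer than five Global Administrators.
MAX_GLOBAL_ADMINS = 4
# Local parts that look like a shared login rather than a named person.
SHARED_LOCAL_PARTS = {"admin", "it", "support", "office", "info"}


@dataclass
class User:
    upn: str
    roles: set = field(default_factory=set)      # directory roles held
    methods: set = field(default_factory=set)    # MFA methods registered
    enabled: bool = True
    has_mailbox: bool = False                    # licensed for mail, so used for daily work


def audit_privileged_accounts(users, break_glass=()):
    """Return the findings a quarterly admin review should act on."""
    findings = {
        "global_admins": [],
        "admins_without_phishing_resistant": [],
        "admins_with_mailbox": [],
        "shared_admin_accounts": [],
        "too_many_global_admins": False,
    }
    for u in users:
        # Disabled or unprivileged accounts are out of scope; documented
        # break-glass accounts are deliberately MFA-exempt and reviewed by hand.
        if not u.enabled or not u.roles or u.upn in break_glass:
            continue
        if "Global Administrator" in u.roles:
            findings["global_admins"].append(u.upn)
        if not (u.methods & PHISHING_RESISTANT):
            findings["admins_without_phishing_resistant"].append(u.upn)
        if u.has_mailbox:
            findings["admins_with_mailbox"].append(u.upn)
        if u.upn.split("@", 1)[0].lower() in SHARED_LOCAL_PARTS:
            findings["shared_admin_accounts"].append(u.upn)
    findings["too_many_global_admins"] = len(findings["global_admins"]) > MAX_GLOBAL_ADMINS
    return findings


# Constructed sample tenant (not real accounts).
SAMPLE_USERS = [
    User("alice-adm@example.com", {"Global Administrator"}, {"fido2SecurityKey"}),
    User("bob-adm@example.com", {"Global Administrator"}, {"microsoftAuthenticatorPush"}),
    User("admin@example.com", {"Global Administrator"}, {"mobilePhone"}, has_mailbox=True),
    User("carol@example.com", {"Helpdesk Administrator"}, {"microsoftAuthenticatorPush"}, has_mailbox=True),
    User("dave@example.com", set(), {"microsoftAuthenticatorPush"}, has_mailbox=True),
    User("old-adm@example.com", {"Global Administrator"}, {"mobilePhone"}, enabled=False),
    User("breakglass@example.com", {"Global Administrator"}, set()),
]

if __name__ == "__main__":
    result = audit_privileged_accounts(SAMPLE_USERS, break_glass={"breakglass@example.com"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against the sample and the shared admin@ login shows up in three lists at once, which is the pattern the section describes: one all-powerful account, used by whoever needs it, with a phone-based factor and a mailbox attached. Leave the break-glass exclusion out and that account is flagged too, which is a useful reminder that it must be the only MFA-exempt admin in the tenant.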

4. Write the joiner-mover-leaver process down

Ghost accounts - logins that outlive the employment, the contract, or the role change - are the quiet failure mode of small-business identity. Nobody decided to leave the ex-employee's account active; there was just no process that made someone turn it off.

What to do. Write a one-page checklist for each of the three events. Joiner: access is requested by role (a template of what a salesperson gets, what an engineer gets), not copied from "whatever Dave has". Mover: a role change triggers a review that removes the old role's access, not just adds the new - this is how ten-year employees end up able to touch everything. Leaver: on the person's last day, their identity is disabled in the identity provider, sessions are revoked, mail is delegated, and any shared credentials they knew are rotated. Then close the loop: a recurring calendar slot (quarterly is fine) where a human reviews the account list against the staff list and the access inventory from Stage 1.

Why it matters. ISO 27001 A.5.18 requires access rights to be reviewed and removed on change or termination - it's one of the controls auditors and customer security questionnaires probe first, because it's cheap to check and frequently failed. It's also an insider-risk and breach-cost control: an account nobody owns is an account nobody notices being used.

Roughly what it costs. Free. This is the highest-value document-and-discipline control in the stage: a checklist, a calendar reminder, and the will to follow it. Automation exists in HR and identity tooling as you grow, but the process has to exist before it can be automated.
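The quarterly review at the end of step 4 is a set comparison: the identity provider's account list on one side, the HR roster on the other, and anything enabled that the roster can't explain is a ghost. The script below is an added example, not code from the original page. Both inputs are constructed: the roster is the kind of thing HR exports, the accounts are an identity provider export flattened to a few fields, and the field names are assumptions, so map your own exports onto them. It also handles the two cases a people-shaped process tends to miss: leavers whose accounts are still enabled, and guest (contractor or vendor) accounts that either have no expiry or are past it.

```python
"""Quarterly joiner-mover-leaver reconciliation: HR roster vs identity provider.

Added example, not code from the original page. Both inputs are constructed
and the field names are assumptions about your exports.
"""
from datetime import date

DORMANT_DAYS = 90  # an enabled account unused for this long needs an owner to justify it


def reconcile(roster, accounts, review_date):
    """Return the ghost, leaver, dormant and guest findings for one review."""
    active_ids = {r["employee_id"] for r in roster if r["status"] == "active"}
    left_ids = {r["employee_id"] for r in roster if r["status"] == "left"}
    email_to_id = {r["email"].lower(): r["employee_id"] for r in roster}
    findings = {"ghost": [], "leaver_still_enabled": [], "dormant": [],
                "guest_expired": [], "guest_without_expiry": []}
    for a in accounts:
        if not a["enabled"]:
            continue  # a disabled account is the leaver process working; nothing to do
        if a["user_type"] == "Guest":
            # Contractors and vendors: access must end by a date set at creation.
            expires = a.get("expires")
            if expires is None:
                findings["guest_without_expiry"].append(a["upn"])
            elif date.fromisoformat(expires) < review_date:
                findings["guest_expired"].append(a["upn"])
            continue
        # Match on employee ID first, then fall back to the email address.
        emp = a.get("employee_id") or email_to_id.get(a["upn"].lower())
        if emp in left_ids:
            findings["leaver_still_enabled"].append(a["upn"])
        elif emp not in active_ids:
            findings["ghost"].append(a["upn"])  # nobody in HR owns this login
        last = a.get("last_sign_in")
        if last is None or (review_date - date.fromisoformat(last)).days > DORMANT_DAYS:
            findings["dormant"].append(a["upn"])
    return findings


# Constructed sample data (not real people).
ROSTER = [
    {"employee_id": "E001", "email": "alice@example.com", "status": "active"},
    {"employee_id": "E002", "email": "bob@example.com", "status": "left", "end_date": "2026-03-31"},
    {"employee_id": "E003", "email": "carol@example.com", "status": "active"},
]
ACCOUNTS = [
    {"upn": "alice@example.com", "employee_id": "E001", "user_type": "Member", "enabled": True, "last_sign_in": "2026-06-01"},
    {"upn": "bob@example.com", "employee_id": "E002", "user_type": "Member", "enabled": True, "last_sign_in": "2026-05-20"},
    {"upn": "carol@example.com", "employee_id": "E003", "user_type": "Member", "enabled": True, "last_sign_in": "2026-01-10"},
    {"upn": "dave@example.com", "employee_id": None, "user_type": "Member", "enabled": True, "last_sign_in": "2026-06-10"},
    {"upn": "erin@example.com", "employee_id": "E004", "user_type": "Member", "enabled": False, "last_sign_in": None},
    {"upn": "pat_vendor.example#EXT#@example.onmicrosoft.com", "user_type": "Guest", "enabled": True,
     "last_sign_in": "2026-06-01", "expires": "2026-01-31"},
    {"upn": "sam_partner.example#EXT#@example.onmicrosoft.com", "user_type": "Guest", "enabled": True,
     "last_sign_in": None},
]

if __name__ == "__main__":
    for category, upns in reconcile(ROSTER, ACCOUNTS, date(2026, 6, 15)).items():
        print(f"{category}: {upns}")
```

Every line of output is an action for a named person: disable, set an expiry, or write down why the account exists. The point of running it on a calendar slot rather than on a hunch is that the empty-output case is also a record, which is exactly what an auditor or a customer questionnaire asks for.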

5. Make context part of every sign-in

A password plus MFA answers "is this probably the right person?" Conditional access also asks: from where, on what device, using what protocol? It's the difference between a door with a lock and a door with a lock and someone who notices you're trying it at 3am from a country you've never visited.

What to do. Three policies do most of the work. First, block legacy authentication - older protocols (IMAP, POP, SMTP AUTH, Exchange ActiveSync and the like) that can't do MFA at all and are the standard way around it; password-spray attacks specifically hunt for them. Before you block, check the sign-in logs for what still uses them - a multifunction printer or an old line-of-business app is the usual surprise. Second, require MFA on every sign-in by policy, rather than per-user settings that drift. Third, if you manage devices, require a known or compliant device for access to sensitive data. On Microsoft, free Security Defaults give you a fixed version of the basics; custom Conditional Access policies need Entra ID P1. Whatever you build, test policies in report-only mode first, read the sign-in log to see what each policy would have blocked, and always exclude the break-glass account.

Why it matters. This is the control that catches stolen credentials being used - the sign-in that's technically valid but contextually wrong. The Essential Eight's MFA and admin-restriction strategies at higher maturity assume this kind of policy enforcement, and NIST CSF 2.0 PR.AA expects authentication appropriate to the risk of the transaction. It's also increasingly a cyber-insurance question.

Roughly what it costs. Security Defaults are free on every Microsoft tenant. Custom conditional access comes with Entra ID P1 - about US$6 per user per month at Microsoft's published list price, and already included in Microsoft 365 Business Premium, so check what you're licensed for before buying anything. Google's equivalent (context-aware access) sits in Workspace's higher tiers. The design and testing time is a day or two, not a project.
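The sign-in log is where each of the three policies is tested before it is enforced, and it is also where a stolen password shows up as a sign-in that is valid but contextually wrong. The script below is an added example, not code from the original page: it triages a small constructed set of sign-in events for legacy-auth clients, single-factor sign-ins by privileged accounts, successful sign-ins from unexpected countries, password-spray sources (one IP failing against several users), and what a report-only policy would have blocked. The events are built to resemble flattened rows of the Entra sign-in log, and the field names, client names, error code and report-only result values used here are assumptions about that shape, so check them against a real export before relying on it.

```python
"""Triage of sign-in events for a conditional-access rollout.

Added example, not code from the original page. The events are constructed;
field names and values are assumptions about the Entra sign-in log shape.
"""
from collections import defaultdict

# Clients that use modern auth and can therefore be challenged for MFA.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}
INVALID_CREDENTIALS = 50126   # assumed Entra error code for a wrong username/password
SPRAY_MIN_USERS = 3           # distinct users failing from one IP before we call it a spray


def triage_sign_ins(events, privileged_upns, expected_countries):
    """Return the sign-ins a conditional-access rollout should look at first."""
    findings = {"legacy_auth": [], "single_factor_privileged": [],
                "unexpected_country": [], "spray_sources": {}, "report_only_would_block": {}}
    failures_by_ip = defaultdict(set)
    for e in events:
        upn, client = e["userPrincipalName"], e["clientAppUsed"]
        succeeded = e["errorCode"] == 0
        if client not in MODERN_CLIENTS:
            findings["legacy_auth"].append((upn, client))   # what blocking legacy auth will break
        if succeeded and upn in privileged_upns and e["authenticationRequirement"] == "singleFactorAuthentication":
            findings["single_factor_privileged"].append(upn)
        if succeeded and e["country"] not in expected_countries:
            findings["unexpected_country"].append((upn, e["country"]))
        if e["errorCode"] == INVALID_CREDENTIALS:
            failures_by_ip[e["ipAddress"]].add(upn)
        # Report-only policies record what they would have done without enforcing it.
        for policy in e.get("appliedConditionalAccessPolicies", []):
            if policy["result"] == "reportOnlyFailure":
                name = policy["displayName"]
                findings["report_only_would_block"][name] = findings["report_only_would_block"].get(name, 0) + 1
    findings["spray_sources"] = {ip: len(users) for ip, users in failures_by_ip.items()
                                 if len(users) >= SPRAY_MIN_USERS}
    return findings


def _event(upn, client, auth, country, ip, error=0, policies=None):
    """Build one constructed sign-in row."""
    return {"userPrincipalName": upn, "clientAppUsed": client, "authenticationRequirement": auth,
            "country": country, "ipAddress": ip, "errorCode": error,
            "appliedConditionalAccessPolicies": policies or []}


# Constructed sample log (not real traffic); IPs are from documentation ranges.
BLOCK_LEGACY = [{"displayName": "Block legacy authentication", "result": "reportOnlyFailure"}]
SAMPLE_EVENTS = [
    _event("alice@example.com", "Browser", "multiFactorAuthentication", "AU", "203.0.113.10"),
    _event("bob@example.com", "IMAP", "singleFactorAuthentication", "AU", "198.51.100.5", policies=BLOCK_LEGACY),
    _event("alice-adm@example.com", "Mobile Apps and Desktop clients", "singleFactorAuthentication", "AU", "203.0.113.10"),
    _event("carol@example.com", "Browser", "multiFactorAuthentication", "NG", "198.51.100.77"),
] + [_event(u, "Browser", "singleFactorAuthentication", "AU", "192.0.2.77", error=INVALID_CREDENTIALS)
     for u in ("dave@example.com", "erin@example.com", "frank@example.com", "gina@example.com")]

if __name__ == "__main__":
    result = triage_sign_ins(SAMPLE_EVENTS, {"alice-adm@example.com"}, {"AU", "NZ"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

Two of the findings are the rollout checks the step describes: the legacy_auth list is what the block policy will break on day one, and report_only_would_block is the same question answered by the policy itself. The other three are what conditional access is for once it is enforced, and they are worth keeping as a scheduled query rather than a one-off, because a spray against four accounts from one address is invisible if you only ever look at one user's history.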

6. Run a password manager for everything else

SSO won't cover everything - there's always the supplier portal, the social media login, the website admin panel, the Wi-Fi password. Without a system, those end up reused, weak, or in a spreadsheet named passwords.xlsx. That spreadsheet is the first thing an intruder searches for, by name.

What to do. Deploy a business password manager for every staff member, and make it the only sanctioned place credentials live. Use it to generate long, unique, random passwords - uniqueness is the property that kills credential stuffing. Use its shared vaults for genuinely shared credentials so access is granted by group membership and revocable in one click - never by forwarding the password. Follow modern guidance (NIST SP 800-63B and ASD's ISM agree here): long passphrases, no forced periodic rotation - rotate on suspicion of compromise instead - and screen new passwords against known-breached lists where your platform supports it.

Why it matters. Reused passwords turn somebody else's breach into yours: credential stuffing is exactly the replay of leaked passwords against your services. ISO 27001 A.5.17 requires authentication information to be managed properly, and a password manager is the only realistic way a small business does that at scale. It also quietly fixes the leaver problem for non-SSO accounts - revoke vault access, rotate the handful of shared secrets, done.

Roughly what it costs. Business password manager tiers cluster around US$2-8 per user per month depending on vendor and plan (rough range; check current pricing). For a 20-person business that's hundreds of dollars a year, against credential reuse being one of the most common ways in. This is usually the first actual purchase the guide recommends - and it's a small one.
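Two of the properties step 6 asks for can be shown in a few lines: passphrases generated from a cryptographic random source, and screening a candidate password against a breach corpus without ever sending the password anywhere. The script below is an added example, not code from the original page. The screening uses the k-anonymity range protocol that Have I Been Pwned's Pwned Passwords API implements: hash the password with SHA-1, send only the first five hex characters, and match the remaining 35 locally against the list that comes back. The wordlist and the range response here are constructed so the example runs offline, and the counts in that response are illustrative, not real figures; the live fetcher at the bottom is the real endpoint, included for reference and not called by the demo.

```python
"""Generating passphrases and screening passwords against a breach list.

Added example, not code from the original page. The wordlist and the
range response are constructed; counts are illustrative, not real.
"""
import hashlib
import secrets
import urllib.request

# Short constructed wordlist; use a real diceware-style list (7,000+ words) in practice.
WORDLIST = ["anchor", "basil", "copper", "dune", "ember", "fjord", "granite", "harbor",
            "iris", "juniper", "kelp", "lantern", "meadow", "nickel", "orchid", "pebble"]


def generate_passphrase(words=WORDLIST, count=5, separator="-"):
    """A random passphrase from a CSPRNG; strength comes from word count and list size."""
    return separator.join(secrets.choice(words) for _ in range(count))


def hibp_split(password):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix sent and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, fetch_range):
    """How many times the password appears in the breach corpus (0 = not found).

    fetch_range(prefix) must return the text of a range response: one
    'SUFFIX:COUNT' per line for every hash sharing that prefix.
    """
    prefix, suffix = hibp_split(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def live_fetch_range(prefix):
    """Real range query against Pwned Passwords; not called in the offline demo."""
    req = urllib.request.Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                                 headers={"Add-Padding": "true", "User-Agent": "breach-screen-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline range response for prefix 5BAA6 (the SHA-1 of "password"
# starts with 5BAA6). The counts are made up; only the suffix match matters here.
FAKE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FFF:2\r\n",
}


def fake_fetch_range(prefix):
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    print("breach count for 'password':", breach_count("password", fake_fetch_range))
    candidate = generate_passphrase()
    print("generated:", candidate, "breach count:", breach_count(candidate, fake_fetch_range))
```

The design point is in hibp_split: the service only ever sees five hex characters, which every password in roughly one in a million shares, so the check leaks nothing useful about the password itself. Swap fake_fetch_range for live_fetch_range to run it for real, and keep the Add-Padding header, which pads responses so their size doesn't reveal how many hashes share the prefix.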

7. Govern the identities that aren't people

Not every account belongs to a human. Service accounts, API keys, automation tokens, and third-party app grants all hold standing access, rarely have MFA, and never resign - which makes them ideal for attackers and invisible to a people-shaped leaver process.

What to do. Extend the Stage 1 inventory to non-human identities: every service account, API key, and integration, each with a named human owner and a written purpose. Give them least privilege and, where supported, rotate or expire their credentials. Then govern OAuth app consent in your tenant: restrict users from granting applications access to company data on their own, and review the apps already granted. Attackers actively abuse this - a malicious app that a user consents to gets durable API access to mailboxes and files without ever stealing a password. We've published a full defender's breakdown of that technique: detecting OAuth consent phishing in Microsoft 365. Finally, give contractor and vendor accounts an expiry date at creation, so access ends by default instead of by memory.

Why it matters. ISO 27001 A.5.16 explicitly covers non-human identities, and NIST CSF 2.0 PR.AA-01 manages credentials for "users, services, and hardware". In practice this is where mature small businesses still get burned: the forgotten integration with tenant-wide permissions, the API key in a script that never rotates, the vendor login from a project that ended two years ago.

Roughly what it costs. Free - inventory, ownership, and consent settings are configuration and process. The OAuth consent restriction in particular is a single admin setting in Microsoft 365 and Google Workspace tenants, and turning it on costs nothing but the occasional legitimate app request needing an admin's approval.
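Reviewing the apps already granted access is the part of step 7 that needs a method rather than a setting: for each grant you want to know the scopes, whether it was consented tenant-wide or by one user, whether it includes offline_access (a refresh token that outlives the session), whether the publisher is verified, and whether anyone in the business owns it. The script below is an added example, not code from the original page. The app and grant records are constructed to resemble the enterprise applications list and the OAuth2 permission grants in a Microsoft 365 tenant, the field names are assumptions about that data, and the owner register is the business's own list from the Stage 1 inventory, not something the tenant stores for you.

```python
"""Review of OAuth application grants in a Microsoft 365 tenant.

Added example, not code from the original page. Records are constructed
and field names are assumptions about the tenant's grant data.
"""

# Delegated scopes that give broad reach into mail, files and the directory.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
                    "Files.ReadWrite.All", "Sites.Read.All", "Directory.Read.All"}


def review_grants(apps, grants, owners):
    """Map each app that needs attention to the reasons it was flagged and its risky scopes."""
    by_id = {a["id"]: a for a in apps}
    findings = {}
    for g in grants:
        app = by_id[g["clientId"]]
        scopes = set(g["scope"].split())
        risky = scopes & HIGH_RISK_SCOPES
        flags = set()
        if risky:
            flags.add("high_risk_scopes")
            if g["consentType"] == "AllPrincipals":
                flags.add("tenant_wide")          # every user's data under one grant
            if g["consentType"] == "Principal":
                flags.add("user_consented")       # the consent-phishing shape
            if "offline_access" in scopes:
                flags.add("durable_access")       # refresh token outlives the session
            if not app["publisherVerified"]:
                flags.add("unverified_publisher")
        if app["displayName"] not in owners:
            flags.add("no_owner")                 # the inventory rule: every identity has a human owner
        if flags:
            entry = findings.setdefault(app["displayName"], {"flags": set(), "scopes": set()})
            entry["flags"] |= flags
            entry["scopes"] |= risky
    return findings


def priority(flags):
    """Turn a flag set into the action the review should take."""
    if {"user_consented", "unverified_publisher", "high_risk_scopes"} <= flags:
        return "revoke and investigate"
    if "tenant_wide" in flags or "no_owner" in flags:
        return "confirm owner and need"
    return "review"


# Constructed sample tenant (not real applications or grants).
APPS = [
    {"id": "app-1", "displayName": "Payroll Sync", "publisherVerified": True},
    {"id": "app-2", "displayName": "Free PDF Converter", "publisherVerified": False},
    {"id": "app-3", "displayName": "Calendar Widget", "publisherVerified": False},
]
GRANTS = [
    {"clientId": "app-1", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Directory.Read.All"},
    {"clientId": "app-2", "consentType": "Principal", "principalId": "bob@example.com",
     "scope": "Mail.Read Files.ReadWrite.All offline_access"},
    {"clientId": "app-3", "consentType": "Principal", "principalId": "carol@example.com",
     "scope": "User.Read Calendars.Read"},
]
OWNERS = {"Payroll Sync": "Finance lead", "Calendar Widget": "Carol"}

if __name__ == "__main__":
    for name, entry in review_grants(APPS, GRANTS, OWNERS).items():
        print(f"{name}: {priority(entry['flags'])} - {sorted(entry['flags'])} {sorted(entry['scopes'])}")
```

The "Free PDF Converter" row is the consent-phishing pattern from the paragraph above in data form: a single user consented, the publisher is unverified, the scopes reach mail and files, offline_access makes it durable, and nobody owns it. Revoking the grant is the immediate action; the investigation is whether the mailbox was read in the meantime, which is the sign-in and audit log question the linked breakdown covers.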

Where this maps

Same deal as Stage 1: every step ties to a recognised control, so the answer to "says who?" is the frameworks. International readers: swap the Essential Eight column for CIS Controls v8.1 (Controls 5 and 6 cover this stage almost one-for-one); the ISO and NIST columns are unchanged.

| Identity & Access step | ASD Essential Eight | ISO 27001:2022 Annex A | NIST CSF 2.0 |
|---|---|---|---|
| 1. One identity provider / SSO | Enables MFA + admin restriction | A.5.16 Identity management | PR.AA-01 Identities & credentials |
| 2. Strong, phishing-resistant MFA | Multi-factor authentication (ML2+) | A.8.5 Secure authentication | PR.AA-03 Users authenticated |
| 3. Tiered admin access | Restrict administrative privileges (ML2+) | A.8.2 Privileged access rights | PR.AA-05 Least privilege |
| 4. Joiner-mover-leaver process | (Supports admin restriction) | A.5.18 Access rights; A.5.16 | PR.AA-01; PR.AA-05 |
| 5. Conditional access | Supports MFA + admin restriction at ML2/3 | A.5.15 Access control; A.8.5 | PR.AA-03; PR.AA-05 |
| 6. Password manager | (Supports MFA strategy) | A.5.17 Authentication information | PR.AA-01 |
| 7. Non-human identities & OAuth | Restrict admin privileges (service accounts) | A.5.16; A.5.18 | PR.AA-01; PR.AA-05 |

Doing this with help. Stage 2 is where licensing tiers, conditional access design, and process writing start to benefit from someone who has done it before. That's the virtual CISO engagement - the same method as this guide, assessed against your actual tenant and delivered alongside you. The guide remains free and complete either way.