Stratum

TARGETED PROJECT

Identity Modernization.

A fixed-price move from on-prem Active Directory to Entra ID, with the MFA and Conditional Access work that usually gets pushed to next quarter.

  • 3–5 weeks: typical engagement duration
  • 6–12 hours: total time required from your team
  • $4,000–$8,000: fixed price, standalone or add-on

Why this matters.

Identity is the thing that stops being a problem only when it stops being a target. Most SMB and nonprofit environments still run on-prem Active Directory the same way they did in 2014 — domain-joined laptops, password-only logons for at least some apps, MFA enabled on email but not on the VPN, and Conditional Access either off entirely or set up once and never tuned. The cost of leaving identity in that state used to be theoretical; in 2026 it's quantifiable. Cyber insurance underwriters now ask the question explicitly, and the gap between "we have MFA" and "we have phish-resistant MFA with risk-based Conditional Access" shows up in the premium quote. The modernization is the move that closes the gap on a defensible timeline, not on a vendor's renewal cycle.

What we do.

Current-state identity assessment up front — what's joined, who has admin, where the legacy service accounts live, what's federated already, and which SaaS apps are still on per-app passwords. Entra ID configuration: tenant baseline, hybrid join if AD stays in the picture, group structure that survives the rollout. SSO setup for one to three SaaS apps inside the engagement (more get scoped as a follow-on). MFA rollout to all users with a real communications plan, not a Friday-afternoon broadcast. Conditional Access policy baseline — at minimum, location-aware policies, device-compliance gates where Intune is in play, and risk-based policies on the high-value identities. Documentation that the next person to touch the environment can actually read.

What you walk away with.

A modern identity baseline you can hand to a cyber insurance underwriter without flinching. MFA enforced everywhere it needs to be, with the help-desk volume that surfaces from the rollout planned for instead of absorbed in panic. A Conditional Access policy set you can explain to a board: who can sign in from where, on what device, under what risk conditions. SSO running for the SaaS apps that drove the most password-reset tickets. An identity architecture document, written for the next IT lead — not for the sales meeting it justifies. Identity modernization pairs naturally with the M365 Migration — they share a change window and right-size analysis. If a broader environment baseline comes first, the IT Health Check is the right starting point.

What's in scope.

  • Current-state identity assessment (Active Directory, Entra ID, federation, MFA posture, SaaS app authentication patterns).
  • Entra ID tenant configuration baseline.
  • Microsoft Entra hybrid join (formerly Hybrid Azure AD join) if on-prem AD stays in the environment; full cloud-only configuration if cutover is complete.
  • Group structure design (security groups, dynamic groups where appropriate, naming conventions).
  • SSO setup for one to three named SaaS apps inside the engagement.
  • MFA rollout to all users with a phased communication plan.
  • Conditional Access policy baseline (location, device-compliance, and risk-based policies on privileged accounts).
  • Self-service password reset configuration.
  • Privileged Identity Management (PIM) baseline if Entra ID P2 / Microsoft 365 E5 is in the license posture.
  • Identity architecture document.
  • End-user MFA rollout communications.
  • 30 days of post-rollout support for identity-related issues.

What's out of scope.

  • SSO migration for more than three SaaS apps in a single engagement (per-app add-on at a fixed cost).
  • In-depth Intune device enrollment beyond MFA-aware Conditional Access policies (separate Intune sprint or follow-on engagement).
  • Legacy AD decommissioning past hybrid-join configuration (separate scope; usually requires application-by-application migration testing).
  • Custom claim transformations or non-standard SAML configurations for SSO.
  • Penetration testing or formal compliance audit work (different sales motion, different credentialing).
  • Active incident response on identity compromise (escalation only; emergency identity work is a different engagement shape).
  • On-prem RADIUS, NPS, or VPN authentication migration unless explicitly added at engagement start.

This is the right engagement when…

  • You're stuck on on-prem AD with no Entra ID baseline, and a cyber insurance renewal is coming up that's going to ask harder questions than last year's did.
  • You have MFA on email but not on VPN, RDP, or your top three SaaS apps — and "we'll get to it" has been the answer for two quarters.
  • You went through M365 Migration with another firm or in-house, and identity got skipped or got the minimum treatment (security defaults on, nothing else) — and now you're seeing the failure modes that surface when Conditional Access isn't doing the work it should.
  • A compliance framework (SOC 2, HIPAA-aligned, CMMC-prep) is starting to apply to your environment, and the identity gaps are the loudest control failures.
  • You're inside an active M365 Migration engagement and the right-size analysis surfaced that you should be on Business Premium — which means Conditional Access and Intune are already paid for, and now they should actually be configured.

What you receive across the engagement.

  • Identity architecture document. Written for the next IT lead. Names what's deployed, why, and where the boundaries of the configuration are. Includes the Conditional Access policy set with the rationale for each rule.
  • Configuration runbook. Separate operational document. How to add a user, how to remove a user, how to onboard a new SaaS app to SSO, how to investigate a Conditional Access block that surprised someone. Yours to use; reusable for new IT hires.
  • End-user MFA rollout communications. Drafted in your branding, ready to send. Pre-rollout notice, day-of guide, post-rollout reference. The communications are most of why MFA rollouts succeed or stall — we don't skip them.
  • MFA registration verification. Every user accounted for at the end of the engagement. Stragglers identified and chased; legacy auth-only accounts closed or quarantined. Per-user verification report.
  • 30 days of identity Q&A. Follow-up access while your team works through the operational shape. Help-desk-tier escalations, not implementation work.

Here's the shape of what the engagement documents — the kind of posture gap this work closes before a cyber insurance underwriter or an auditor asks about it.

Pricing model — standalone or add-on.

The engagement is fixed-price standalone at $4,000–$8,000 (banded by user count, AD complexity, and SSO app count) — that's the right path when identity modernization is the wedge engagement, or when M365 is already in place and the gap is identity-only.

Inside an active M365 Migration engagement, the same identity work is available as a $2,500 add-on. The lower price reflects shared discovery (the M365 migration's platform assessment already names the AD shape) and shared change-management (one rollout window, one set of end-user communications, one cutover weekend). The add-on path is the right answer when the migration was already going to need an MFA rollout anyway — bundling avoids a second engagement on a second cutover.

We don't sell identity work on time-and-materials. T&M is the industry default because identity engagements run long when Conditional Access starts surfacing edge cases — exactly the part of the work that should be inside the productized scope, not billed separately.

How we're different.

  • Fixed-price productized. Most identity work is sold T&M, which transfers schedule risk to you. Conditional Access edge cases are inside the scope, not a change order — that's the point of productizing the engagement.
  • Communications inside the scope, not on top. Help-desk volume during MFA rollout is what stops most modernization projects from finishing. The end-user communications and verification work are inside the engagement, not optional add-ons.
  • Vendor-neutral on identity tooling. No reseller relationship with Microsoft, no Conditional Access policy template ported in from another client. The architecture document is written for your environment; if the answer is "stay where you are on the SSO side, scope the engagement to MFA only," that's the answer.

Ready to close the identity gap before the next renewal asks?

Indiana · U.S. remote