Managed identity services and one-time engagements

Identefi provides two service types: ongoing managed services billed per user per month, and fixed-scope one-time engagements for assessment, onboarding, and remediation work.

Ongoing identity operations

Monthly service. Billed per user. Requires a completed Identity Assessment before onboarding. All tiers include access to the Identefi client portal for status and reporting.

Core identity coverage

Starter

$12 per user / month
$400 monthly minimum

The Starter tier provides consistent monitoring and enforcement of your Microsoft Entra baseline. Right for organizations that need documented identity controls but do not yet need active lifecycle management.

  • MFA enforcement monitoring: Monthly verification that MFA is enforced for all users via conditional access — not just enabled.
  • Monthly offboarding verification: Confirm that departed employees are fully disabled across Entra ID and connected apps.
  • Conditional access baseline review: Quarterly review of conditional access policies against your baseline configuration.
  • Guest account audit (quarterly): Identify stale guest accounts and accounts with excessive permissions.
  • Stale account detection: Monthly report of accounts with no sign-in activity in 90+ days.
  • Monthly status report: Written summary of identity posture, outstanding issues, and completed actions.
  • Email support: Questions and requests handled via email with next-business-day response.
Most common
Active lifecycle management

Standard

$22 per user / month
$600 monthly minimum

Standard adds active joiner/mover/leaver operations and access governance. Right for organizations actively hiring or restructuring, or those preparing for compliance requirements.

  • Everything in Starter: All monitoring, reporting, and baseline controls included.
  • Joiner / mover / leaver lifecycle ops: We handle access provisioning for new hires, role changes, and departures using standardized workflows.
  • Privileged role review (monthly): Monthly audit of all Entra ID directory roles — Global Administrator, Exchange Admin, and others.
  • Conditional access policy management: Ongoing policy adjustments as your environment changes, including new app integrations.
  • SaaS app access tracking: Inventory of connected SaaS applications and tracking of access outside Entra ID.
  • Power Automate lifecycle workflows: Automated provisioning and deprovisioning workflows built and maintained in Power Automate.
  • Priority email and Teams support: Same-day response. Dedicated Teams channel for your organization.
  • Quarterly access review report: Full access review documentation suitable for audits, formatted per your compliance requirements.
Full identity operations

Advanced

$40 per user / month
$1,200 monthly minimum

Advanced provides the full identity operations function. Right for compliance-driven organizations, those with complex Entra environments, or those requiring audit-ready documentation and SLA-backed support.

  • Everything in Standard: All lifecycle, governance, and policy management included.
  • Privileged Identity Management (PIM): Just-in-time privileged access, approval workflows, and PIM activation auditing in Entra ID.
  • Continuous conditional access tuning: Ongoing policy refinement based on sign-in risk, named locations, and compliance signals.
  • Custom SSO integrations (up to 2/yr): SAML or OIDC app integrations with Entra ID — included in the annual scope.
  • Power BI identity dashboard: Live operational dashboard showing MFA coverage, role assignments, and lifecycle metrics.
  • Audit-ready documentation: Maintained policy documentation, access review records, and configuration change logs.
  • Named account manager: A single point of contact who knows your environment and handles all escalations.
  • Dedicated Teams channel: Direct access to your account manager and support team via a shared Teams channel.
  • SLA-backed response times: 4-hour response for critical issues, same-day for standard requests.

Fixed-scope professional services

Project-based engagements with fixed scope and fixed price. Most one-time services are prerequisites for or complements to managed services — they are not standalone substitutes for ongoing identity management.

Identity Assessment

$750–$1,500 by tenant size

A structured audit of your Microsoft Entra environment across eight identity domains. Delivers a written report with a tenant health score, prioritized remediation list, and recommended service tier. Required before onboarding to any managed service tier.

Deliverables
  • Tenant health score (0–100)
  • Findings report across 8 identity domains
  • Prioritized remediation list
  • Recommended service tier

Onboarding

$3,000–$8,000 fixed scope

Remediation of critical gaps identified in the assessment, followed by baseline configuration of all required identity controls. Sets the foundation for ongoing managed services.

Deliverables
  • MFA enforcement via conditional access
  • Privileged role cleanup
  • Offboarding process setup
  • Baseline conditional access policies
  • Power Automate workflow deployment

Migration

$5,000–$20,000 by scope

Tenant-to-tenant migration, Azure AD B2B consolidation, or transition from a legacy identity provider to Microsoft Entra ID. Scoped after discovery.

Deliverables
  • Pre-migration tenant discovery
  • User and group migration
  • App registration transfer
  • Conditional access policy rebuild
  • Post-migration validation

Custom SSO Integration

$750–$2,500 per application

SAML 2.0 or OIDC integration of a third-party application with Microsoft Entra ID. Includes testing, documentation, and handoff.

Deliverables
  • App registration in Entra ID
  • SAML or OIDC configuration
  • Attribute mapping and claims setup
  • User assignment configuration
  • Integration test documentation

Incident Cleanup

From $3,000 (time and scope)

Post-incident identity remediation following a compromise, unauthorized access event, or phishing. We contain the exposure, remove persistence, and rebuild your identity controls.

Deliverables
  • Compromised account identification
  • Session revocation and credential reset
  • OAuth grant audit and cleanup
  • Admin role review
  • Post-incident remediation report

What we don't do

Identefi is a specialist provider. Our scope is identity and access management within Microsoft Entra ID. The following services are explicitly out of scope — not because they are unimportant, but because specialist delivery requires clear boundaries.

We do not do helpdesk. If you need end-user IT support, password resets, or device troubleshooting, that function belongs with your internal IT team or a generalist MSP.

Helpdesk and end-user support

We do not do helpdesk. Password resets, device issues, and end-user troubleshooting are out of scope. These functions require different tooling, staffing, and SLAs. Your Microsoft 365 partner or internal IT handles these.

Endpoint management (Intune / MDM)

Device enrollment, compliance policy, and endpoint configuration are separate from identity management. We work alongside your endpoint management solution but do not operate it.

Backup and disaster recovery

Data backup for Exchange, SharePoint, and OneDrive is outside our scope. These are distinct services with dedicated tooling.

Email security and filtering

Defender for Office 365, anti-phishing policies, and email flow rules are not included. Identity and email security overlap in some areas (like MFA), but email security operations are a separate function.

Network and firewall management

We are not a network security provider. Conditional access in Entra ID can enforce named location policies, but firewall configuration is outside our scope.

General IT consulting

We do not provide general IT strategy, vendor selection, or technology roadmap consulting beyond the identity domain. Our scope is narrow by design.

Built on Microsoft's identity platform

All Identefi services are delivered within your existing Microsoft 365 environment. No new platforms to license, no third-party identity vendors to evaluate.

Microsoft Entra ID

Client-owned license

The identity platform at the center of all our services. We configure, monitor, and operate within your Entra tenant. Licenses remain yours.

Power Automate

Included in M365

Lifecycle workflows — provisioning, deprovisioning, and access change notifications — are built and maintained in Power Automate.

Power BI

Advanced tier

Identity operational dashboards for Advanced tier clients. MFA coverage, role assignments, sign-in anomalies, and lifecycle metrics in one view.

Every engagement starts with an assessment

We do not onboard clients to managed services without first auditing their environment. The assessment determines scope, identifies critical gaps, and ensures the right service tier is recommended.