Full sync - all projects, memory, configs

2026-03-21 20:27:59 -05:00
parent 2447677d4a
commit b33de10902
395 changed files with 1635300 additions and 459211 deletions

# Investigation: EntraID & Azure AD Audit-as-a-Service (spark-029)
**Analyst:** ARI
**Date:** 2026-02-14
**Classification:** Business Opportunity Assessment
**Verdict:** CONDITIONAL GO — viable but requires differentiation beyond basic scanning
**Conviction:** 6/10
---
## CONTEXT
DJ is evaluating a productized service: automated EntraID/Azure AD security audits for mid-market companies (500-5,000 employees). The client grants read-only tenant access, an agent team runs an identity security assessment, and the deliverable is a branded report with risk scores and remediation. Pricing: $1,500-3,000 per audit, $500/quarter ongoing.
---
## FINDINGS
### 1. Market Size & TAM
**[MEDIUM CONFIDENCE]**
- Microsoft claims 720M+ Entra ID users across millions of organizations (2025 figures)
- Mid-market segment (500-5,000 employees): an estimated 80,000-120,000 companies in North America use M365/Entra ID
- Most mid-market companies lack dedicated identity security staff — typically 1-3 IT generalists managing M365
- **Addressable market estimate:** if 10% would buy an external audit at a $2,000 average, that is ~$16M-$24M TAM in North America
- **Serviceable market (realistic reach):** 50-200 clients in year 1 = $100K-$600K revenue opportunity
- The real TAM expansion is ongoing monitoring ($500/quarter × clients = recurring revenue)
### 2. Competition — THIS IS THE KEY RISK
**[HIGH CONFIDENCE]**
**Free/Open-Source Tools (DIRECT THREAT):**
- **Maester.dev** — Open-source Entra ID security testing framework. Built on Pester + Microsoft Graph. Pre-built tests, maps to MITRE ATT&CK, generates interactive HTML reports. Free. Actively maintained. This does 70-80% of what the proposed service would do.
- **CISA ScubaGear** — Free US government tool that evaluates M365 tenant configuration against CISA's Secure Configuration Baselines. Visual reports. Actively maintained since 2022.
- **Microsoft Secure Score** — Built into every M365 tenant. Free. Covers identity, data, device, apps.
- **Entra ID Security Config Analyzer (EIDSCA)** — Free, integrated into Maester
**Commercial Competitors:**
- **Varonis** — DatAdvantage for Azure AD. Enterprise pricing ($50K+/year). Not mid-market friendly.
- **CrowdStrike Falcon Identity** — Identity threat detection. Enterprise. $15-25/endpoint/year.
- **Semperis** — AD security specialist. Purple Knight (free AD assessment tool). Directory Services Protector (paid).
- **Core Security (a Fortra brand)** — Identity governance and access assurance tools
- **Boutique MSPs/MSSPs** — Many offer "M365 security assessments" as loss-leaders to sell managed services. Pricing: $0-$5,000.
- **CIS Benchmarks** — Free configuration benchmarks for Azure AD
**Assessment:** The scanning/reporting layer is heavily commoditized. Free tools exist. The value must come from interpretation, remediation guidance, and ongoing relationship.
### 3. Regulatory Drivers
**[HIGH CONFIDENCE — Strong tailwinds]**
- **SOC 2 Type II** — Requires identity access controls review. Annual audits need evidence of access reviews, MFA enforcement, privileged access management.
- **HIPAA** — The access control standard (§164.312(a)(1)) requires unique user identification, emergency access procedures, automatic logoff, and encryption/decryption; §164.312(d) separately requires person or entity authentication.
- **NIST 800-53 / NIST CSF** — Identity management controls (IA family) are foundational.
- **Cyber Insurance** — Increasingly requires MFA evidence, privileged access controls, identity security posture documentation. This is the #1 growth driver. Insurers are mandating identity security assessments before binding/renewing policies.
- **PCI DSS 4.0** — Enhanced identity/authentication requirements effective 2025.
- **State Privacy Laws** — CCPA, CPRA, growing state-level requirements driving audit demand.
- **SEC Cybersecurity Rules** — Public companies must disclose material cyber incidents; drives downstream vendor/partner audits.
**Assessment:** Regulatory/insurance pressure is the strongest demand driver. Companies NEED documentation proving their identity posture is sound. Free tools generate reports but don't generate compliance artifacts with professional attestation.
### 4. Technical Feasibility — Microsoft Graph API Read-Only Access
**[HIGH CONFIDENCE]**
With read-only application permissions, you can audit:
**Fully Accessible (Read-Only):**
- ✅ User accounts, guest accounts, disabled accounts, stale accounts
- ✅ Group memberships (security groups, M365 groups, dynamic groups)
- ✅ Directory roles and privileged role assignments (Global Admin, etc.)
- ✅ Conditional Access policies (read all policies, evaluate coverage gaps)
- ✅ Application registrations and service principals (OAuth app sprawl)
- ✅ Authentication methods per user (MFA status, passwordless, FIDO2)
- ✅ Sign-in logs and audit logs (risky sign-ins, atypical travel). Caveat: the tenant keeps these for only 7 days on Free and 30 days on P1/P2 unless they are exported to Log Analytics or a SIEM, so a one-off audit sees a short window
- ✅ Access reviews configuration
- ✅ Named locations, trusted IPs
- ✅ Administrative units
- ✅ License assignments
- ✅ Password policies (tenant-level)
- ✅ Identity Protection risk detections and risky users (full risk detail requires an Entra ID P2 license on the tenant)
**Partially Accessible:**
- ⚠️ PIM (Privileged Identity Management) — read eligible/active assignments, but some PIM features require P2 license on the tenant
- ⚠️ Entitlement Management — access packages readable but complex
- ⚠️ Cross-tenant access settings — readable but interpretation requires context
**Not Accessible / Limitations:**
- ❌ Cannot read actual password hashes or password quality
- ❌ Cannot test Conditional Access enforcement (only read policies, not simulate)
- ❌ Cannot access on-premises AD sync details deeply (hybrid complexity)
- ❌ Cannot skip admin consent: every application permission listed below needs tenant-wide admin consent from a Global Administrator or Privileged Role Administrator, so onboarding is a consent workflow, not self-serve (the security defaults setting itself is readable with Policy.Read.All)
- ❌ Mail flow rules, Exchange transport rules (separate Exchange permissions)
- ❌ SharePoint/OneDrive sharing settings (separate permissions)
- ❌ Intune device compliance (available, but needs a separate permission such as DeviceManagementManagedDevices.Read.All and sits outside the identity scope)
**Required Permissions (Application, Read-Only):**
```
Directory.Read.All
AuditLog.Read.All
Policy.Read.All
IdentityRiskyUser.Read.All
IdentityRiskEvent.Read.All
UserAuthenticationMethod.Read.All
AccessReview.Read.All
EntitlementManagement.Read.All
PrivilegedAccess.Read.AzureAD
RoleManagement.Read.Directory
Application.Read.All
```
**Assessment:** Technical feasibility is strong. Graph API provides comprehensive read access for a meaningful security audit. Two practical notes: `PrivilegedAccess.Read.AzureAD` covers the older PIM endpoints, while the current `/roleManagement/directory` role assignment and eligibility schedule endpoints need `RoleManagement.Read.Directory`; and all of these are application permissions requiring tenant-wide admin consent, which is the onboarding step clients will scrutinise. The key limitation is that you're reading configuration, not testing enforcement — but that's true of most audit approaches.
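The interpretation layer this assessment keeps pointing at (configuration read via Graph, then triaged into the handful of findings that matter) looks like this in practice. This is an added example, not code from the investigation, from Maester or from Microsoft: it takes the JSON shapes the Graph endpoints named in the comments return for users with sign-in activity, directory role assignments, the authentication-method registration report and Conditional Access policies, and derives prioritised findings. All tenant data below is constructed sample input; the 90-day stale window and the five-Global-Admin ceiling are assumptions; the Global Administrator role template ID is the well-known fixed value, and the second role ID is a placeholder.

```python
from datetime import datetime, timedelta, timezone

# Well-known, tenant-independent template ID of the Global Administrator role.
GLOBAL_ADMIN_ROLE_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
STALE_DAYS = 90        # assumption: no interactive sign-in for 90 days counts as stale
MAX_GLOBAL_ADMINS = 5  # assumption: Microsoft's guidance is fewer than five
NOW = datetime(2026, 2, 14, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible

# Constructed sample data in the shapes Graph returns; not from a real tenant.
# GET /users?$select=id,userPrincipalName,accountEnabled,userType,signInActivity
USERS = [
    {"id": "u1", "userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "userType": "Member", "signInActivity": {"lastSignInDateTime": "2026-02-12T09:15:00Z"}},
    {"id": "u2", "userPrincipalName": "bob@contoso.example", "accountEnabled": True,
     "userType": "Member", "signInActivity": {"lastSignInDateTime": "2026-02-13T17:40:00Z"}},
    {"id": "u3", "userPrincipalName": "carol@contoso.example", "accountEnabled": True,
     "userType": "Member", "signInActivity": {"lastSignInDateTime": "2025-07-01T08:00:00Z"}},
    {"id": "u4", "userPrincipalName": "dave@contoso.example", "accountEnabled": False,
     "userType": "Member", "signInActivity": {"lastSignInDateTime": "2025-03-10T08:00:00Z"}},
    {"id": "u5", "userPrincipalName": "eve_partner.example#EXT#@contoso.example",
     "accountEnabled": True, "userType": "Guest"},  # never signed in: Graph omits signInActivity
]
# GET /roleManagement/directory/roleAssignments (principalId -> roleDefinitionId)
ROLE_ASSIGNMENTS = [
    {"principalId": "u1", "roleDefinitionId": GLOBAL_ADMIN_ROLE_TEMPLATE_ID, "directoryScopeId": "/"},
    {"principalId": "u2", "roleDefinitionId": GLOBAL_ADMIN_ROLE_TEMPLATE_ID, "directoryScopeId": "/"},
    {"principalId": "u3", "roleDefinitionId": "00000000-0000-0000-0000-00000000beef", "directoryScopeId": "/"},  # placeholder lesser role
]
# GET /reports/authenticationMethods/userRegistrationDetails
REGISTRATION = [
    {"userPrincipalName": "alice@contoso.example", "isMfaRegistered": True, "isAdmin": True},
    {"userPrincipalName": "bob@contoso.example", "isMfaRegistered": False, "isAdmin": True},
    {"userPrincipalName": "carol@contoso.example", "isMfaRegistered": True, "isAdmin": True},
]
# GET /identity/conditionalAccess/policies
CA_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["u1"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

def parse_graph_time(value):
    """Graph emits ISO 8601 with a trailing Z; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def stale_enabled_accounts(users, now=NOW, stale_days=STALE_DAYS):
    """Enabled accounts with no interactive sign-in inside the window, or never."""
    cutoff = now - timedelta(days=stale_days)
    stale = []
    for u in users:
        if not u.get("accountEnabled"):
            continue  # disabled accounts are a lower-priority cleanup item
        last = (u.get("signInActivity") or {}).get("lastSignInDateTime")
        if last is None or parse_graph_time(last) < cutoff:
            stale.append(u["userPrincipalName"])
    return stale

def global_admins(role_assignments, users):
    """UPNs holding Global Administrator (unresolvable principals are kept by id)."""
    upn_by_id = {u["id"]: u["userPrincipalName"] for u in users}
    return sorted(upn_by_id.get(a["principalId"], a["principalId"])
                  for a in role_assignments if a["roleDefinitionId"] == GLOBAL_ADMIN_ROLE_TEMPLATE_ID)

def admins_without_mfa(admin_upns, registration):
    """Admins with no MFA method in the registration report; absent from the report counts as none."""
    registered = {r["userPrincipalName"]: r.get("isMfaRegistered", False) for r in registration}
    return [upn for upn in admin_upns if not registered.get(upn, False)]

def enforced_mfa_for_all(policies):
    """(enforced, report_only_names): does any *enabled* policy require MFA for All users?
    Report-only policies are returned separately: they read like coverage in a raw policy dump
    and enforce nothing, which is the most common misread of a Maester/ScubaGear output."""
    enforced, report_only = False, []
    for p in policies:
        include = p.get("conditions", {}).get("users", {}).get("includeUsers", [])
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        if "All" in include and "mfa" in controls:
            if p.get("state") == "enabled":
                enforced = True
            elif p.get("state") == "enabledForReportingButNotEnforced":
                report_only.append(p["displayName"])
    return enforced, report_only

def triage(users=USERS, role_assignments=ROLE_ASSIGNMENTS, registration=REGISTRATION,
           policies=CA_POLICIES, now=NOW):
    """Findings as (severity, title, evidence), most severe first: page one of the report."""
    findings = []
    admins = global_admins(role_assignments, users)
    no_mfa = admins_without_mfa(admins, registration)
    if no_mfa:
        findings.append(("CRITICAL", "Global Administrator with no MFA method registered", no_mfa))
    if len(admins) > MAX_GLOBAL_ADMINS:
        findings.append(("HIGH", f"More than {MAX_GLOBAL_ADMINS} Global Administrators", admins))
    enforced, report_only = enforced_mfa_for_all(policies)
    if not enforced:  # evidence: the policies that exist but only report
        findings.append(("HIGH", "No enforced Conditional Access policy requires MFA for all users", report_only))
    stale = stale_enabled_accounts(users, now)
    if stale:
        findings.append(("MEDIUM", f"Enabled accounts with no sign-in in {STALE_DAYS} days", stale))
    rank = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    return sorted(findings, key=lambda f: rank[f[0]])

if __name__ == "__main__":
    for severity, title, evidence in triage():
        print(f"[{severity}] {title}: {', '.join(evidence) or '-'}")
```

Run it as a script to print the findings, or call `triage()` with real responses pulled under the permissions listed above. On the sample tenant it reports one Global Admin without MFA as CRITICAL, the report-only MFA policy as a HIGH coverage gap, and two stale enabled accounts (one a guest that never signed in) as MEDIUM, which is exactly the "47 findings, 5 that matter" cut a buyer is paying for.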
### 5. DJ's Moat — EntraID + PeopleSoft HCM Expertise
**[MEDIUM CONFIDENCE]**
- **EntraID expertise alone:** Common among M365 admins. Not a moat. Thousands of people can run Maester or ScubaGear.
- **PeopleSoft HCM + EntraID combo:** Genuinely rare. PeopleSoft HCM is a legacy Oracle product used by ~3,000-5,000 organizations globally (mostly large enterprises, government, higher ed). People who understand both identity lifecycle (HCM → provisioning → EntraID) are scarce.
- **Where the combo creates value:**
- Joiner/mover/leaver lifecycle audits — do accounts get disabled when people leave PeopleSoft?
- Role mining — do EntraID group memberships align with HR job codes?
- Orphaned account detection — PeopleSoft terminations vs. active EntraID accounts
- Compliance evidence — proving HR-driven access governance
- **How rare?** Estimated <500 people in the US have deep expertise in both PeopleSoft HCM identity processes AND modern EntraID security. Most PeopleSoft admins don't touch identity. Most identity engineers don't know PeopleSoft.
- **Limitation:** The overlap market (companies using BOTH PeopleSoft HCM and EntraID) is shrinking as companies migrate off PeopleSoft to Workday/SuccessFactors.
**Assessment:** The moat exists but is narrow and declining. It's a niche differentiator for ~2,000-3,000 potential clients, not a broad market advantage. Use it for initial credibility and case studies, don't build the whole business on it.
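A minimal version of the leaver and orphaned-account checks from the PeopleSoft + EntraID combination above, as an added example (not the document's code or any vendor's). It assumes a PeopleSoft-style job export with `EMPLID`, `EMPL_STATUS` and `TERMINATION_DT` columns, matched to Entra users on the `employeeId` attribute that `GET /users?$select=employeeId,...` returns; both datasets are constructed sample data, and the two-day grace period for the provisioning connector is an assumption.

```python
from datetime import date

NOW = date(2026, 2, 14)
GRACE_DAYS = 2  # assumption: how long the HR-driven provisioning flow gets to disable a leaver

# Constructed PeopleSoft-style export (PS_JOB-like columns); not real HR data.
HR_RECORDS = [
    {"EMPLID": "E100", "EMPL_STATUS": "A", "TERMINATION_DT": None},
    {"EMPLID": "E101", "EMPL_STATUS": "T", "TERMINATION_DT": "2026-01-15"},
    {"EMPLID": "E102", "EMPL_STATUS": "A", "TERMINATION_DT": None},
    {"EMPLID": "E103", "EMPL_STATUS": "T", "TERMINATION_DT": "2026-02-13"},
]
# Constructed Entra users: GET /users?$select=userPrincipalName,employeeId,accountEnabled,userType
ENTRA_USERS = [
    {"userPrincipalName": "alice@contoso.example", "employeeId": "E100", "accountEnabled": True, "userType": "Member"},
    {"userPrincipalName": "bob@contoso.example", "employeeId": "E101", "accountEnabled": True, "userType": "Member"},
    {"userPrincipalName": "carol@contoso.example", "employeeId": "E102", "accountEnabled": True, "userType": "Member"},
    {"userPrincipalName": "frank@contoso.example", "employeeId": "E103", "accountEnabled": True, "userType": "Member"},
    {"userPrincipalName": "grace@contoso.example", "employeeId": "E104", "accountEnabled": True, "userType": "Member"},
    {"userPrincipalName": "svc-backup@contoso.example", "employeeId": None, "accountEnabled": True, "userType": "Member"},
    {"userPrincipalName": "pat_partner.example#EXT#@contoso.example", "employeeId": None, "accountEnabled": True, "userType": "Guest"},
]

def leaver_violations(hr_records, users, now=NOW, grace_days=GRACE_DAYS):
    """Enabled accounts whose HR record is terminated longer ago than the grace period.
    Returns (upn, EMPLID, days since termination), longest-overdue first."""
    hr = {r["EMPLID"]: r for r in hr_records}
    out = []
    for u in users:
        rec = hr.get(u.get("employeeId") or "")
        if not rec or rec["EMPL_STATUS"] != "T" or not u.get("accountEnabled"):
            continue
        days = (now - date.fromisoformat(rec["TERMINATION_DT"])).days
        if days > grace_days:  # inside the grace window the connector may still be catching up
            out.append((u["userPrincipalName"], rec["EMPLID"], days))
    return sorted(out, key=lambda v: -v[2])

def reconcile_members(hr_records, users):
    """Member accounts the HR feed cannot vouch for.
    orphaned: employeeId set but unknown to HR (manual creation, rehire drift, stale test account).
    unlinked: no employeeId at all (service accounts, shared mailboxes, break-glass): review, don't disable.
    Guests are skipped: B2B accounts are governed by access reviews, not the HR feed."""
    known = {r["EMPLID"] for r in hr_records}
    orphaned, unlinked = [], []
    for u in users:
        if u.get("userType") != "Member":
            continue
        emp = u.get("employeeId")
        if not emp:
            unlinked.append(u["userPrincipalName"])
        elif emp not in known:
            orphaned.append(u["userPrincipalName"])
    return {"orphaned": orphaned, "unlinked": unlinked}

if __name__ == "__main__":
    for upn, emplid, days in leaver_violations(HR_RECORDS, ENTRA_USERS):
        print(f"LEAVER STILL ENABLED: {upn} ({emplid}, terminated {days} days ago)")
    print(reconcile_members(HR_RECORDS, ENTRA_USERS))
```

The grace period is what keeps this from being a noisy set difference: a termination processed yesterday is a connector still running, one from last month is a finding. Keeping "unlinked" separate from "orphaned" matters for the same reason; disabling every member without an employeeId takes down service and break-glass accounts.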
### 6. Pricing Validation
**[MEDIUM CONFIDENCE]**
| Service | Price Range | Notes |
|---------|-------------|-------|
| MSP "free" M365 assessment | $0 | Loss leader to sell managed services |
| Boutique security assessment | $2,000-$10,000 | One-time, includes remediation consulting |
| Varonis/enterprise tools | $50,000+/year | Enterprise only |
| Penetration test (identity-focused) | $10,000-$30,000 | Much broader scope |
| Virtual CISO (ongoing) | $3,000-$10,000/month | Includes identity + everything else |
| Compliance audit prep | $5,000-$15,000 | SOC2/HIPAA readiness |
**$1,500-$3,000 for an automated audit:** This is the danger zone. It's:
- Too expensive relative to a free tool (Maester) run by a $150/hr consultant for a couple of hours
- Too cheap to signal "premium expert assessment"
- Competing with MSPs who give it away free to win managed service contracts
**Recommended pricing pivot:**
- **Lead magnet:** Free automated scan (Maester-based) generates leads
- **Paid tier:** $3,000-$5,000 "Expert Identity Security Assessment" with human analysis, a prioritized remediation roadmap, a 1-hour walkthrough call, and compliance-ready documentation
- **Ongoing:** $1,000-$2,000/quarter monitoring with alerting and a quarterly review call
### 7. Employment Agreement Risk
**[MEDIUM CONFIDENCE]**
- **Non-compete clauses:** Common in enterprise IT. Typically restrict working for direct competitors, NOT starting a side consulting practice in a different market segment. However, if DJ's employer is an MSP or consulting firm, conflict risk is higher.
- **Moonlighting restrictions:** ~40-50% of large employers have moonlighting policies. Many require disclosure but don't prohibit. Key risk: if the side work uses skills/knowledge from the day job.
- **IP assignment clauses:** Many employment agreements assign ALL work-related IP to the employer, even if created on personal time. If DJ builds audit tooling using knowledge from his employer's EntraID environment, this is a gray area.
- **Client solicitation:** If any audit clients overlap with DJ's employer's clients, this is high-risk.
- **Mitigation:**
1. Read employment agreement carefully (specifically: non-compete, moonlighting, IP assignment, non-solicitation)
2. Never use employer's systems, data, or client lists
3. Operate under an LLC
4. Consider disclosing to employer if agreement requires it
5. Target different market segment than employer serves
### 8. Revenue Projections
**Conservative (solo, nights/weekends, slow start):**
| Metric | 6 Months | 12 Months |
|--------|----------|-----------|
| Audits/month | 1 | 2 |
| Avg price | $2,500 | $3,000 |
| Monitoring clients | 0 | 3 |
| Monthly revenue | $2,500 | $7,500 |
| **Annual run rate** | **$30,000** | **$90,000** |
**Moderate (part-time dedicated, some marketing):**
| Metric | 6 Months | 12 Months |
|--------|----------|-----------|
| Audits/month | 3 | 5 |
| Avg price | $3,500 | $4,000 |
| Monitoring clients | 3 | 10 |
| Monthly revenue | $12,000 | $25,000 |
| **Annual run rate** | **$144,000** | **$300,000** |
**Aggressive (full-time, strong referral network, content marketing):**
| Metric | 6 Months | 12 Months |
|--------|----------|-----------|
| Audits/month | 8 | 15 |
| Avg price | $4,000 | $5,000 |
| Monitoring clients | 10 | 30 |
| Monthly revenue | $37,000 | $90,000 |
| **Annual run rate** | **$444,000** | **$1,080,000** |
**Key assumption:** Moderate and aggressive require quitting the day job or hiring. Conservative is the only scenario compatible with full-time employment.
### 9. Synergies with Other Ideas
- **spark-002 (Consulting):** Direct synergy. The audit service is a productized entry point to broader consulting: audit → find problems → sell remediation consulting at $200-300/hr. This is the classic "land and expand" model.
- **spark-012 (Migration Assessments):** Strong synergy. Companies doing identity audits often discover they need to migrate from legacy AD to pure Entra ID, or from PeopleSoft to modern HR. Assessment → migration project ($50K-$200K).
- **Combined play:** Position as "Identity Lifecycle Specialist": audit → remediate → migrate → monitor. The full lifecycle captures 10x the revenue of the audit alone.
### 10. Key Risks & Mitigations
| Risk | Severity | Mitigation |
|------|----------|------------|
| Free tools commoditize scanning | HIGH | Differentiate on interpretation, compliance docs, human expertise |
| MSPs give away assessments free | HIGH | Target companies without MSPs, or companies unhappy with MSP |
| Employment agreement conflict | MEDIUM | Legal review, LLC, separate market segment |
| Client acquisition cost | MEDIUM | Content marketing, LinkedIn, referral partnerships with M365 VARs |
| Liability/E&O insurance | MEDIUM | Professional liability insurance ($1,000-$3,000/year) |
| PeopleSoft market shrinking | LOW | Don't over-index on PeopleSoft angle |
---
## ANALYSIS
This is a **viable but crowded** opportunity. The core scanning/reporting layer is commoditized by free tools (Maester, ScubaGear, Microsoft Secure Score). However, there are three genuine value layers above the commodity:
1. **Expert interpretation.** Free tools generate findings; mid-market companies can't interpret them. "You have 47 findings; which 5 actually matter for your business?" That answer is worth $3,000-$5,000.
2. **Compliance documentation.** SOC 2 auditors, cyber insurance underwriters, and HIPAA assessors want professional-grade documentation, not a Maester HTML report. Branded, formatted, attestation-quality deliverables are the product.
3. **Ongoing relationship.** Quarterly monitoring with human review creates sticky recurring revenue and positions for upsell to remediation/migration projects.
The danger is positioning this as "we run a scanner and give you the output." That's a race to zero. The positioning must be "identity security expertise delivered as a service, backed by automated scanning."
---
## CONFIDENCE
- Market exists: **HIGH**. Regulatory and insurance drivers are real and growing
- Technical feasibility: **HIGH**. Graph API provides excellent read-only audit capabilities
- Competitive differentiation possible: **MEDIUM**. Requires deliberate positioning above free tools
- Pricing works at $3K-$5K with human analysis: **MEDIUM**. Validated by comparable services
- DJ can execute while employed: **LOW-MEDIUM**. Depends on employment agreement and available time
- Revenue hits $100K+ in year 1: **LOW**. Requires significant sales effort and pipeline
**Overall conviction: 6/10.** Good idea, real market, but execution risk is high and differentiation requires more than scanning.
---
## SO WHAT
**Do this IF:**
- Employment agreement allows it (check FIRST)
- You position above the commodity layer (expert analysis + compliance docs, not just scan results)
- You price at $3,000-$5,000 (not $1,500) to signal expertise
- You use audits as a wedge to sell higher-value consulting and migration work
- You build a content/referral engine (LinkedIn, M365 community, VAR partnerships)
**Don't do this IF:**
- You plan to compete on automation/price alone (free tools win)
- Employment agreement has broad non-compete or IP assignment
- You can't commit 10+ hours/week to sales and delivery
---
## MONEY
- **Startup costs:** ~$2,000-$5,000 (LLC, E&O insurance, branding, basic tooling)
- **Marginal cost per audit:** ~2-4 hours of DJ's time + tool costs (~$50). High margin.
- **Break-even:** 2-3 audits cover startup costs
- **Best case 12-month:** $300K revenue, $250K+ profit (moderate scenario)
- **Worst case 12-month:** $30K revenue, $25K profit (conservative, side hustle)
- **Recommended next step:** Review the employment agreement, then build one sample audit report using Maester + a custom analysis template on a test tenant. Use that as the sales demo.
---
## RECOMMENDATION
**CONDITIONAL GO.** Proceed to validation phase.
1. **Week 1:** Review employment agreement for restrictions
2. **Week 2:** Build sample audit on personal/test tenant using Maester + custom report template
3. **Week 3:** Show sample to 3-5 contacts in mid-market IT for pricing feedback
4. **Week 4:** Go/no-go decision on launching LLC and first paid client
The idea has legs, but only if DJ executes above the commodity layer. The PeopleSoft angle is a nice niche differentiator for initial clients but not the long-term moat. The long-term moat is "trusted identity security advisor" with recurring monitoring relationships.