# Investigation: EntraID & Azure AD Audit-as-a-Service (spark-029)

**Analyst:** ARI
**Date:** 2026-02-14
**Classification:** Business Opportunity Assessment
**Verdict:** CONDITIONAL GO — viable but requires differentiation beyond basic scanning
**Conviction:** 6/10

---

## CONTEXT

DJ is evaluating a productized service: automated EntraID/Azure AD security audits for mid-market companies (500–5,000 employees). The client grants read-only tenant access, an agent team runs the identity security assessment, and the client receives a branded report with risk scores and remediation guidance. Pricing: $1,500–3,000 per audit, $500/quarter ongoing.

---

## FINDINGS

### 1. Market Size & TAM

**[MEDIUM CONFIDENCE]**

- Microsoft claims 720M+ Entra ID users across millions of organizations (2025 figures)
- Mid-market segment (500–5,000 employees): estimated 80,000–120,000 companies in North America use M365/Entra ID
- Most mid-market companies lack dedicated identity security staff — typically 1–3 IT generalists managing M365
- **Addressable market estimate:** If 10% would buy an external audit at $2,000 avg = ~$16M–$24M TAM in North America
- **Serviceable market (realistic reach):** 50–200 clients in year 1 = $100K–$600K revenue opportunity
- The real TAM expansion is ongoing monitoring ($500/quarter × clients = recurring revenue)

### 2. Competition — THIS IS THE KEY RISK

**[HIGH CONFIDENCE]**

**Free/Open-Source Tools (DIRECT THREAT):**

- **Maester.dev** — Open-source Entra ID security testing framework. Built on Pester + Microsoft Graph. Pre-built tests, maps to MITRE ATT&CK, generates interactive HTML reports. Free. Actively maintained. This does 70–80% of what the proposed service would do.
- **CISA ScubaGear** — Free US government tool that evaluates M365 tenant configuration against CISA's Secure Configuration Baselines. Visual reports. Actively maintained since 2022.
- **Microsoft Secure Score** — Built into every M365 tenant. Free. Covers identity, data, device, apps.
- **Entra ID Security Config Analyzer (EIDSCA)** — Free, integrated into Maester

**Commercial Competitors:**

- **Varonis** — DatAdvantage for Azure AD. Enterprise pricing ($50K+/year). Not mid-market friendly.
- **CrowdStrike Falcon Identity** — Identity threat detection. Enterprise. $15–25/endpoint/year.
- **Semperis** — AD security specialist. Purple Knight (free AD assessment tool). Directory Services Protector (paid).
- **Core Security (Fortra)** — Identity governance tools
- **Boutique MSPs/MSSPs** — Many offer "M365 security assessments" as loss-leaders to sell managed services. Pricing: $0–$5,000.
- **CIS Benchmarks** — Free configuration benchmarks for Azure AD

**Assessment:** The scanning/reporting layer is heavily commoditized. Free tools exist. The value must come from interpretation, remediation guidance, and the ongoing relationship.

### 3. Regulatory Drivers

**[HIGH CONFIDENCE — Strong tailwinds]**

- **SOC 2 Type II** — Requires review of identity and access controls. Annual audits need evidence of access reviews, MFA enforcement, and privileged access management.
- **HIPAA** — The Access Control standard (§164.312(a)) requires unique user identification, an emergency access procedure, automatic logoff, and encryption/decryption; Person or Entity Authentication (§164.312(d)) requires verifying that a user is who they claim to be.
- **NIST 800-53 / NIST CSF** — Identity management controls (IA family) are foundational.
- **Cyber Insurance** — Increasingly requires MFA evidence, privileged access controls, identity security posture documentation. This is the #1 growth driver. Insurers are mandating identity security assessments before binding/renewing policies.
- **PCI DSS 4.0** — Enhanced identity/authentication requirements became mandatory in 2025 (the future-dated requirements).
- **State Privacy Laws** — CCPA, CPRA, growing state-level requirements driving audit demand.
- **SEC Cybersecurity Rules** — Public companies must disclose material cyber incidents; drives downstream vendor/partner audits.

**Assessment:** Regulatory/insurance pressure is the strongest demand driver. Companies NEED documentation proving their identity posture is sound.
Free tools generate reports but don't generate compliance artifacts with professional attestation.

### 4. Technical Feasibility — Microsoft Graph API Read-Only Access

**[HIGH CONFIDENCE]**

With read-only application permissions, you can audit:

**Fully Accessible (Read-Only):**

- ✅ User accounts, guest accounts, disabled accounts, stale accounts
- ✅ Group memberships (security groups, M365 groups, dynamic groups)
- ✅ Directory roles and privileged role assignments (Global Admin, etc.)
- ✅ Conditional Access policies (read all policies, evaluate coverage gaps)
- ✅ Application registrations and service principals (OAuth app sprawl)
- ✅ Authentication methods per user (MFA status, passwordless, FIDO2)
- ✅ Sign-in logs and audit logs (risky sign-ins, impossible travel). Retention is 30 days on a P1/P2 tenant and 7 days without; anything older has to come from the client's Log Analytics/SIEM export
- ✅ Access reviews configuration
- ✅ Named locations, trusted IPs
- ✅ Administrative units
- ✅ License assignments
- ✅ Password policies (tenant-level)
- ✅ Identity Protection risk detections and risky users (requires Entra ID P2 on the tenant)

**Partially Accessible:**

- ⚠️ PIM (Privileged Identity Management) — read eligible/active assignments, but PIM itself requires a P2 license on the tenant, so unlicensed tenants have nothing to read
- ⚠️ Entitlement Management — access packages readable but complex
- ⚠️ Cross-tenant access settings — readable but interpretation requires context
- ⚠️ Hybrid sync — only the cloud-side view is visible (per-user onPremisesSyncEnabled, onPremisesLastSyncDateTime, onPremisesImmutableId); on-premises AD, Entra Connect sync rules and connector health are out of reach

**Not Accessible / Limitations:**

- ❌ Cannot read actual password hashes or password quality
- ❌ Cannot test Conditional Access enforcement (only read policies, not simulate)
- ❌ Nothing is readable until a Global Administrator (or Privileged Role Administrator) grants tenant-wide admin consent for the application permissions below; there is no user-consent path for these scopes. Security defaults themselves are readable (Policy.Read.All covers the identitySecurityDefaultsEnforcementPolicy) once consent is granted
- ❌ Mail flow rules, Exchange transport rules (separate Exchange permissions)
- ❌ SharePoint/OneDrive sharing settings (separate permissions)
- ❌ Intune device compliance — outside this permission set; readable if the client also consents to the device management read scopes (e.g. DeviceManagementManagedDevices.Read.All)

**Required Permissions (Application, Read-Only):**

```
Directory.Read.All
AuditLog.Read.All
Policy.Read.All
IdentityRiskyUser.Read.All
IdentityRiskEvent.Read.All
UserAuthenticationMethod.Read.All
AccessReview.Read.All
EntitlementManagement.Read.All
PrivilegedAccess.Read.AzureAD
Application.Read.All
```

Note: PrivilegedAccess.Read.AzureAD covers the older privilegedAccess/aadRoles endpoints; the current PIM APIs under /roleManagement/directory (role eligibility and assignment schedules) use RoleManagement.Read.Directory, so request both. Reading signInActivity on users needs AuditLog.Read.All together with Directory.Read.All.

**Assessment:** Technical feasibility is strong. The Graph API provides comprehensive read access for a meaningful security audit. The key limitation is that you're reading configuration, not testing enforcement — but that's true of most audit approaches.

### 5. DJ's Moat — EntraID + PeopleSoft HCM Expertise

**[MEDIUM CONFIDENCE]**

- **EntraID expertise alone:** Common among M365 admins. Not a moat. Thousands of people can run Maester or ScubaGear.
- **PeopleSoft HCM + EntraID combo:** Genuinely rare. PeopleSoft HCM is a legacy Oracle product used by ~3,000–5,000 organizations globally (mostly large enterprises, government, higher ed). People who understand both identity lifecycle (HCM → provisioning → EntraID) are scarce.
- **Where the combo creates value:**
  - Joiner/mover/leaver lifecycle audits — do accounts get disabled when people leave PeopleSoft?
  - Role mining — do EntraID group memberships align with HR job codes?
  - Orphaned account detection — PeopleSoft terminations vs. active EntraID accounts
  - Compliance evidence — proving HR-driven access governance
- **How rare?** Estimated <500 people in the US have deep expertise in both PeopleSoft HCM identity processes AND modern EntraID security. Most PeopleSoft admins don't touch identity. Most identity engineers don't know PeopleSoft.
- **Limitation:** The overlap market (companies using BOTH PeopleSoft HCM and EntraID) is shrinking as companies migrate off PeopleSoft to Workday/SuccessFactors.

**Assessment:** The moat exists but is narrow and declining. It's a niche differentiator for ~2,000–3,000 potential clients, not a broad market advantage. Use it for initial credibility and case studies; don't build the whole business on it.

### 6. Pricing Validation

**[MEDIUM CONFIDENCE]**

| Service | Price Range | Notes |
|---------|-------------|-------|
| MSP "free" M365 assessment | $0 | Loss leader to sell managed services |
| Boutique security assessment | $2,000–$10,000 | One-time, includes remediation consulting |
| Varonis/enterprise tools | $50,000+/year | Enterprise only |
| Penetration test (identity-focused) | $10,000–$30,000 | Much broader scope |
| Virtual CISO (ongoing) | $3,000–$10,000/month | Includes identity + everything else |
| Compliance audit prep | $5,000–$15,000 | SOC2/HIPAA readiness |

**$1,500–$3,000 for an automated audit:** This is the danger zone. It's:

- Too expensive for what a free tool (Maester) can do with a $150/hr consultant running it
- Too cheap to signal "premium expert assessment"
- Competing with MSPs who give it away free to win managed service contracts

**Recommended pricing pivot:**

- **Lead magnet:** Free automated scan (Maester-based) → generates leads
- **Paid tier:** $3,000–$5,000 "Expert Identity Security Assessment" with human analysis, prioritized remediation roadmap, 1-hour walkthrough call, and compliance-ready documentation
- **Ongoing:** $1,000–$2,000/quarter monitoring with alerting and quarterly review call

### 7. Employment Agreement Risk

**[MEDIUM CONFIDENCE]**

- **Non-compete clauses:** Common in enterprise IT. Typically restrict working for direct competitors, NOT starting a side consulting practice in a different market segment. However, if DJ's employer is an MSP or consulting firm, conflict risk is higher.
- **Moonlighting restrictions:** ~40–50% of large employers have moonlighting policies. Many require disclosure but don't prohibit. Key risk: if the side work uses skills/knowledge from the day job.
- **IP assignment clauses:** Many employment agreements assign ALL work-related IP to the employer, even if created on personal time. If DJ builds audit tooling using knowledge from his employer's EntraID environment, this is a gray area.
- **Client solicitation:** If any audit clients overlap with DJ's employer's clients, this is high-risk.
- **Mitigation:**
  1. Read the employment agreement carefully (specifically: non-compete, moonlighting, IP assignment, non-solicitation)
  2. Never use the employer's systems, data, or client lists
  3. Operate under an LLC
  4. Consider disclosing to the employer if the agreement requires it
  5. Target a different market segment than the employer serves

### 8. Revenue Projections

Monitoring revenue in all three scenarios is assumed at $1,500/quarter per client ($500/month), i.e. the midpoint of the pricing pivot in §6, not the original $500/quarter.

**Conservative (solo, nights/weekends, slow start):**

| Metric | 6 Months | 12 Months |
|--------|----------|-----------|
| Audits/month | 1 | 2 |
| Avg price | $2,500 | $3,000 |
| Monitoring clients | 0 | 3 |
| Monthly revenue | $2,500 | $7,500 |
| **Annual run rate** | **$30,000** | **$90,000** |

**Moderate (part-time dedicated, some marketing):**

| Metric | 6 Months | 12 Months |
|--------|----------|-----------|
| Audits/month | 3 | 5 |
| Avg price | $3,500 | $4,000 |
| Monitoring clients | 3 | 10 |
| Monthly revenue | $12,000 | $25,000 |
| **Annual run rate** | **$144,000** | **$300,000** |

**Aggressive (full-time, strong referral network, content marketing):**

| Metric | 6 Months | 12 Months |
|--------|----------|-----------|
| Audits/month | 8 | 15 |
| Avg price | $4,000 | $5,000 |
| Monitoring clients | 10 | 30 |
| Monthly revenue | $37,000 | $90,000 |
| **Annual run rate** | **$444,000** | **$1,080,000** |

**Key assumption:** Moderate and aggressive require quitting the day job or hiring. Conservative is the only scenario compatible with full-time employment.

### 9. Synergies with Other Ideas

- **spark-002 (Consulting):** Direct synergy. The audit service is a productized entry point to broader consulting. Audit → find problems → sell remediation consulting at $200–300/hr. This is the classic "land and expand" model.
- **spark-012 (Migration Assessments):** Strong synergy. Companies doing identity audits often discover they need to migrate from legacy AD to pure Entra ID, or from PeopleSoft to a modern HR system. Assessment → migration project ($50K–$200K).
- **Combined play:** Position as "Identity Lifecycle Specialist" — audit → remediate → migrate → monitor. The full lifecycle captures 10x the revenue of the audit alone.

### 10. Key Risks & Mitigations

| Risk | Severity | Mitigation |
|------|----------|------------|
| Free tools commoditize scanning | HIGH | Differentiate on interpretation, compliance docs, human expertise |
| MSPs give away assessments free | HIGH | Target companies without MSPs, or companies unhappy with their MSP |
| Employment agreement conflict | MEDIUM | Legal review, LLC, separate market segment |
| Client acquisition cost | MEDIUM | Content marketing, LinkedIn, referral partnerships with M365 VARs |
| Liability/E&O insurance | MEDIUM | Professional liability insurance ($1,000–$3,000/year) |
| PeopleSoft market shrinking | LOW | Don't over-index on the PeopleSoft angle |

---

## ANALYSIS

This is a **viable but crowded** opportunity. The core scanning/reporting layer is commoditized by free tools (Maester, ScubaGear, Microsoft Secure Score). However, there are three genuine value layers above the commodity:

1. **Expert interpretation** — Free tools generate findings. Mid-market companies can't interpret them. "You have 47 findings — which 5 actually matter for your business?" That's worth $3,000–$5,000.
2. **Compliance documentation** — SOC2 auditors, cyber insurance underwriters, and HIPAA assessors want professional-grade documentation, not a Maester HTML report. Branded, formatted, attestation-quality deliverables are the product.
3. **Ongoing relationship** — Quarterly monitoring with human review creates sticky recurring revenue and positions for upsell to remediation/migration projects.

The danger is positioning this as "we run a scanner and give you the output." That's a race to zero. The positioning must be "identity security expertise delivered as a service, backed by automated scanning."
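To make the "expert interpretation" layer concrete, here is an added example (not code from the original assessment, nor from Maester or ScubaGear) of the kind of checks §4 says are possible with read-only Graph access: Global Admins without a phishing-resistant credential, enabled accounts that have not signed in for 90 days, and Conditional Access gaps (a tenant-wide MFA policy with exclusions, a policy stuck in report-only). The input is constructed JSON shaped like the Graph v1.0 responses named in the docstring; the field names follow the documented resource types but the data is invented, so the script runs offline and never touches a tenant. Swapping the constants for real `GET` results is the only change needed.

```python
"""Offline Entra ID audit checks over Microsoft Graph-shaped JSON (added example).

Constructed sample data mimics these Graph v1.0 responses (field names assumed
to follow the documented resource types; the values are invented):
  GET /directoryRoles?$expand=members
  GET /users?$select=id,userPrincipalName,accountEnabled,signInActivity
      (signInActivity needs AuditLog.Read.All + Directory.Read.All on a P1/P2 tenant)
  GET /reports/authenticationMethods/userRegistrationDetails
  GET /identity/conditionalAccess/policies
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 2, 14, tzinfo=timezone.utc)          # audit date, fixed for reproducibility
GLOBAL_ADMIN_TEMPLATE = "62e90394-69f5-4237-9190-012177145e10"  # well-known roleTemplateId
USER_ADMIN_TEMPLATE = "fe930be7-5e62-47db-91af-98c3a49a38b1"
PHISHING_RESISTANT = {"fido2SecurityKey", "windowsHelloForBusiness", "passKeyDeviceBound"}

# --- constructed sample data (not from a real tenant) -----------------------
DIRECTORY_ROLES = [
    {"roleTemplateId": GLOBAL_ADMIN_TEMPLATE, "displayName": "Global Administrator",
     "members": [{"id": "u1", "userPrincipalName": "alice@contoso.example"},
                 {"id": "u2", "userPrincipalName": "bob@contoso.example"}]},
    {"roleTemplateId": USER_ADMIN_TEMPLATE, "displayName": "User Administrator",
     "members": [{"id": "u3", "userPrincipalName": "svc-legacy@contoso.example"}]},
]
REGISTRATION_DETAILS = [
    {"id": "u1", "isMfaCapable": True, "methodsRegistered": ["fido2SecurityKey", "microsoftAuthenticatorPush"]},
    {"id": "u2", "isMfaCapable": True, "methodsRegistered": ["mobilePhone"]},
]
USERS = [
    {"id": "u1", "userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2026-02-12T08:00:00Z"}},
    {"id": "u2", "userPrincipalName": "bob@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2026-02-04T17:30:00Z"}},
    {"id": "u3", "userPrincipalName": "svc-legacy@contoso.example", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2025-07-01T09:00:00Z"}},
    {"id": "u4", "userPrincipalName": "carol@contoso.example", "accountEnabled": False,
     "signInActivity": None},
]
CA_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                              "excludeGroups": ["break-glass-group-id"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
]


def privileged_without_phishing_resistant_mfa(directory_roles, registration_details):
    """Global Administrators whose registered methods include no phishing-resistant credential."""
    reg_by_id = {r["id"]: r for r in registration_details}
    findings = []
    for role in directory_roles:
        if role.get("roleTemplateId") != GLOBAL_ADMIN_TEMPLATE:
            continue
        for member in role.get("members", []):
            reg = reg_by_id.get(member["id"], {})      # missing row => nothing registered
            methods = set(reg.get("methodsRegistered", []))
            if not methods & PHISHING_RESISTANT:
                findings.append({"check": "GA-NO-PHISHING-RESISTANT-MFA",
                                 "user": member["userPrincipalName"],
                                 "mfaCapable": reg.get("isMfaCapable", False),
                                 "methods": sorted(methods)})
    return findings


def stale_enabled_accounts(users, now, max_age_days=90):
    """Enabled accounts with no interactive sign-in inside the window (or none recorded at all)."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for u in users:
        if not u.get("accountEnabled"):
            continue                                     # disabled accounts are a different finding
        last = (u.get("signInActivity") or {}).get("lastSignInDateTime")
        last_dt = datetime.fromisoformat(last.replace("Z", "+00:00")) if last else None
        if last_dt is None or last_dt < cutoff:
            findings.append({"check": "STALE-ENABLED-ACCOUNT",
                             "user": u["userPrincipalName"], "lastSignIn": last})
    return findings


def conditional_access_gaps(policies):
    """Is there an enforced, tenant-wide MFA policy, and what weakens it?"""
    findings, tenant_wide_mfa = [], False
    for p in policies:
        users = p.get("conditions", {}).get("users", {})
        apps = p.get("conditions", {}).get("applications", {}).get("includeApplications", [])
        grants = set((p.get("grantControls") or {}).get("builtInControls") or [])
        covers_all = "All" in users.get("includeUsers", []) and "All" in apps
        if p.get("state") == "enabledForReportingButNotEnforced":
            findings.append({"check": "CA-REPORT-ONLY", "policy": p["displayName"]})
        if p.get("state") == "enabled" and covers_all and "mfa" in grants:
            tenant_wide_mfa = True
            excluded = users.get("excludeGroups", []) + users.get("excludeUsers", [])
            if excluded:                                 # exclusions need a documented owner/reason
                findings.append({"check": "CA-MFA-EXCLUSIONS", "policy": p["displayName"],
                                 "excluded": excluded})
    if not tenant_wide_mfa:
        findings.append({"check": "CA-NO-TENANT-WIDE-MFA", "policy": None})
    return findings


def run_audit(roles=DIRECTORY_ROLES, users=USERS, reg=REGISTRATION_DETAILS,
              policies=CA_POLICIES, now=NOW):
    return (privileged_without_phishing_resistant_mfa(roles, reg)
            + stale_enabled_accounts(users, now)
            + conditional_access_gaps(policies))


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

The point of the example is the interpretation step the free tools leave to the client: the break-glass exclusion on the MFA policy is expected and should be documented rather than "fixed", whereas bob holding Global Administrator with only a phone number registered is the finding that matters. Note that every check here is configuration reading; none of them proves the Conditional Access policy is actually enforced, which is the limitation §4 calls out.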
---

## CONFIDENCE

- Market exists: **HIGH** — regulatory and insurance drivers are real and growing
- Technical feasibility: **HIGH** — Graph API provides excellent read-only audit capabilities
- Competitive differentiation possible: **MEDIUM** — requires deliberate positioning above free tools
- Pricing works at $3K–$5K with human analysis: **MEDIUM** — validated by comparable services
- DJ can execute while employed: **LOW-MEDIUM** — depends on employment agreement and available time
- Revenue hits $100K+ in year 1: **LOW** — requires significant sales effort and pipeline

**Overall conviction: 6/10** — Good idea, real market, but execution risk is high and differentiation requires more than scanning.

---

## SO WHAT

**Do this IF:**

- Employment agreement allows it (check FIRST)
- You position above the commodity layer (expert analysis + compliance docs, not just scan results)
- You price at $3,000–$5,000 (not $1,500) to signal expertise
- You use audits as a wedge to sell higher-value consulting and migration work
- You build a content/referral engine (LinkedIn, M365 community, VAR partnerships)

**Don't do this IF:**

- You plan to compete on automation/price alone (free tools win)
- Employment agreement has broad non-compete or IP assignment
- You can't commit 10+ hours/week to sales and delivery

---

## MONEY

- **Startup costs:** ~$2,000–$5,000 (LLC, E&O insurance, branding, basic tooling)
- **Marginal cost per audit:** ~2–4 hours of DJ's time + tool costs (~$50). High margin.
- **Break-even:** 2–3 audits covers startup costs
- **Best case 12-month:** $300K revenue, $250K+ profit (moderate scenario)
- **Worst case 12-month:** $30K revenue, $25K profit (conservative, side hustle)
- **Recommended next step:** Review employment agreement, then build one sample audit report using Maester + custom analysis template on a test tenant. Use that as the sales demo.

---

## RECOMMENDATION

**CONDITIONAL GO** — Proceed to validation phase.

1. **Week 1:** Review employment agreement for restrictions
2. **Week 2:** Build sample audit on personal/test tenant using Maester + custom report template
3. **Week 3:** Show sample to 3–5 contacts in mid-market IT for pricing feedback
4. **Week 4:** Go/no-go decision on launching LLC and first paid client

The idea has legs, but only if DJ executes above the commodity layer. The PeopleSoft angle is a nice niche differentiator for initial clients but not the long-term moat. The long-term moat is "trusted identity security advisor" with recurring monitoring relationships.
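The PeopleSoft HCM + Entra ID angle in §5 comes down to one reconciliation: join the HR system of record to the directory and report every disagreement (leaver still enabled, active worker disabled, account with no HR record, worker with no account, worker on leave still enabled). The following is an added example of that join, not code from the assessment or from any PeopleSoft or Microsoft product. The HR rows are a constructed stand-in for a PeopleSoft job-status extract (column names `emplid`, `status`, `term_date`, `jobcode` are assumed, not PeopleSoft's own), and the directory rows mimic `GET /users?$select=userPrincipalName,accountEnabled,employeeId,jobTitle`; the assumption that `employeeId` carries the HR key only holds if the tenant actually populates it (via Entra Connect or an HR-driven provisioning connector), which is itself a finding to check.

```python
"""Joiner/mover/leaver reconciliation: HR system of record vs. Entra ID (added example).

Both data sets below are constructed. HR column names are assumptions standing in
for a PeopleSoft HCM extract; Entra fields follow the Graph user resource.
"""
from datetime import date

AS_OF = date(2026, 2, 14)   # extract/audit date
GRACE_DAYS = 1              # a leaver's account should be disabled by end of the termination day

# Constructed HR extract: one row per worker. status A=active, T=terminated, L=leave.
HR_EXTRACT = [
    {"emplid": "100001", "name": "Alice Example", "status": "A", "term_date": None, "jobcode": "SEC-ENG"},
    {"emplid": "100002", "name": "Bob Example", "status": "T", "term_date": "2026-01-15", "jobcode": "IT-ADMIN"},
    {"emplid": "100003", "name": "Carol Example", "status": "A", "term_date": None, "jobcode": "HR-ANALYST"},
    {"emplid": "100004", "name": "Dan Example", "status": "L", "term_date": None, "jobcode": "FIN-CLERK"},
    {"emplid": "100005", "name": "Eve Example", "status": "A", "term_date": None, "jobcode": "SEC-ENG"},
]
# Constructed directory export; employeeId is the join key to HR_EXTRACT.emplid.
ENTRA_USERS = [
    {"userPrincipalName": "alice@contoso.example", "accountEnabled": True, "employeeId": "100001", "jobTitle": "Security Engineer"},
    {"userPrincipalName": "bob@contoso.example", "accountEnabled": True, "employeeId": "100002", "jobTitle": "IT Administrator"},
    {"userPrincipalName": "carol@contoso.example", "accountEnabled": False, "employeeId": "100003", "jobTitle": "HR Analyst"},
    {"userPrincipalName": "svc-backup@contoso.example", "accountEnabled": True, "employeeId": None, "jobTitle": None},
    {"userPrincipalName": "dan@contoso.example", "accountEnabled": True, "employeeId": "100004", "jobTitle": "Finance Clerk"},
]


def reconcile(hr_rows, entra_users, as_of=AS_OF, grace_days=GRACE_DAYS):
    """Return one finding per HR/directory disagreement."""
    by_emplid = {r["emplid"]: r for r in hr_rows}
    findings = []
    for u in entra_users:
        emplid = u.get("employeeId")
        hr = by_emplid.get(emplid) if emplid else None
        if hr is None:
            # No HR owner: service account, contractor or orphan. Needs a documented owner either way.
            findings.append({"check": "NO-HR-RECORD", "user": u["userPrincipalName"],
                             "enabled": u["accountEnabled"]})
            continue
        if hr["status"] == "T" and u["accountEnabled"]:
            days = (as_of - date.fromisoformat(hr["term_date"])).days
            if days > grace_days:
                findings.append({"check": "LEAVER-STILL-ENABLED", "user": u["userPrincipalName"],
                                 "emplid": emplid, "days_since_term": days})
        elif hr["status"] == "A" and not u["accountEnabled"]:
            findings.append({"check": "ACTIVE-WORKER-DISABLED", "user": u["userPrincipalName"],
                             "emplid": emplid})
        elif hr["status"] == "L" and u["accountEnabled"]:
            # Policy-dependent: many organisations suspend access during leave.
            findings.append({"check": "ON-LEAVE-ENABLED", "user": u["userPrincipalName"],
                             "emplid": emplid})
    # Joiners: active workers with no directory account at all.
    present = {u.get("employeeId") for u in entra_users}
    for r in hr_rows:
        if r["status"] == "A" and r["emplid"] not in present:
            findings.append({"check": "ACTIVE-WORKER-NO-ACCOUNT", "emplid": r["emplid"],
                             "jobcode": r["jobcode"]})
    return findings


if __name__ == "__main__":
    for finding in reconcile(HR_EXTRACT, ENTRA_USERS):
        print(finding)
```

Run against real extracts, the `LEAVER-STILL-ENABLED` rows with large `days_since_term` values are the evidence a SOC 2 or HIPAA assessor asks for when testing termination controls, and the `NO-HR-RECORD` rows are the list to reconcile against the client's service-account inventory. Role mining (job code versus group membership) is a second join on the same `employeeId` key and is left out here.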