case/workspace
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b33de10902f95648cdae111e794b942d87f60b14
workspace/data/investigations/entraid-audit-service.md

283 lines
16 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Investigation: EntraID & Azure AD Audit-as-a-Service (spark-029)
**Analyst:** ARI
**Date:** 2026-02-14
**Classification:** Business Opportunity Assessment
**Verdict:** CONDITIONAL GO — viable but requires differentiation beyond basic scanning
**Conviction:** 6/10
---
## CONTEXT
DJ is evaluating a productized service: automated EntraID/Azure AD security audits for mid-market companies (5005,000 employees). Client grants read-only tenant access, agent team runs identity security assessment, delivers branded report with risk scores and remediation. Pricing: $1,5003,000 per audit, $500/quarter ongoing.
---
## FINDINGS
### 1. Market Size & TAM
**[MEDIUM CONFIDENCE]**
- Microsoft claims 720M+ Entra ID users across millions of organizations (2025 figures)
- Mid-market segment (5005,000 employees): estimated 80,000120,000 companies in North America use M365/Entra ID
- Most mid-market companies lack dedicated identity security staff — typically 1-3 IT generalists managing M365
- **Addressable market estimate:** If 10% would buy an external audit at $2,000 avg = ~$16M$24M TAM in North America
- **Serviceable market (realistic reach):** 50200 clients in year 1 = $100K$600K revenue opportunity
- The real TAM expansion is ongoing monitoring ($500/quarter × clients = recurring revenue)
### 2. Competition — THIS IS THE KEY RISK
**[HIGH CONFIDENCE]**
**Free/Open-Source Tools (DIRECT THREAT):**
- **Maester.dev** — Open-source Entra ID security testing framework. Built on Pester + Microsoft Graph. Pre-built tests, maps to MITRE ATT&CK, generates interactive HTML reports. Free. Actively maintained. This does 7080% of what the proposed service would do.
- **CISA ScubaGear** — Free US government tool that evaluates M365 tenant configuration against CISA's Secure Configuration Baselines. Visual reports. Actively maintained since 2022.
- **Microsoft Secure Score** — Built into every M365 tenant. Free. Covers identity, data, device, apps.
- **Entra ID Security Config Analyzer (EIDSCA)** — Free, integrated into Maester
**Commercial Competitors:**
- **Varonis** — DatAdvantage for Azure AD. Enterprise pricing ($50K+/year). Not mid-market friendly.
- **CrowdStrike Falcon Identity** — Identity threat detection. Enterprise. $1525/endpoint/year.
- **Semperis** — AD security specialist. Purple Knight (free AD assessment tool). Directory Services Protector (paid).
- **Trellix/CoreSecurity** — Identity governance tools
- **Boutique MSPs/MSSPs** — Many offer "M365 security assessments" as loss-leaders to sell managed services. Pricing: $0$5,000.
- **CIS Benchmarks** — Free configuration benchmarks for Azure AD
**Assessment:** The scanning/reporting layer is heavily commoditized. Free tools exist. The value must come from interpretation, remediation guidance, and ongoing relationship.
### 3. Regulatory Drivers
**[HIGH CONFIDENCE — Strong tailwinds]**
- **SOC 2 Type II** — Requires identity access controls review. Annual audits need evidence of access reviews, MFA enforcement, privileged access management.
- **HIPAA** — Access controls (§164.312(d)) require unique user identification, emergency access, automatic logoff, encryption.
- **NIST 800-53 / NIST CSF** — Identity management controls (IA family) are foundational.
- **Cyber Insurance** — Increasingly requires MFA evidence, privileged access controls, identity security posture documentation. This is the #1 growth driver. Insurers are mandating identity security assessments before binding/renewing policies.
- **PCI DSS 4.0** — Enhanced identity/authentication requirements effective 2025.
- **State Privacy Laws** — CCPA, CPRA, growing state-level requirements driving audit demand.
- **SEC Cybersecurity Rules** — Public companies must disclose material cyber incidents; drives downstream vendor/partner audits.
**Assessment:** Regulatory/insurance pressure is the strongest demand driver. Companies NEED documentation proving their identity posture is sound. Free tools generate reports but don't generate compliance artifacts with professional attestation.
### 4. Technical Feasibility — Microsoft Graph API Read-Only Access
**[HIGH CONFIDENCE]**
With read-only application permissions, you can audit:
**Fully Accessible (Read-Only):**
- ✅ User accounts, guest accounts, disabled accounts, stale accounts
- ✅ Group memberships (security groups, M365 groups, dynamic groups)
- ✅ Directory roles and privileged role assignments (Global Admin, etc.)
- ✅ Conditional Access policies (read all policies, evaluate coverage gaps)
- ✅ Application registrations and service principals (OAuth app sprawl)
- ✅ Authentication methods per user (MFA status, passwordless, FIDO2)
- ✅ Sign-in logs and audit logs (risky sign-ins, impossible travel)
- ✅ Access reviews configuration
- ✅ Named locations, trusted IPs
- ✅ Administrative units
- ✅ License assignments
- ✅ Password policies (tenant-level)
- ✅ Identity Protection risk detections and risky users
**Partially Accessible:**
- ⚠️ PIM (Privileged Identity Management) — read eligible/active assignments, but some PIM features require P2 license on the tenant
- ⚠️ Entitlement Management — access packages readable but complex
- ⚠️ Cross-tenant access settings — readable but interpretation requires context
**Not Accessible / Limitations:**
- ❌ Cannot read actual password hashes or password quality
- ❌ Cannot test Conditional Access enforcement (only read policies, not simulate)
- ❌ Cannot access on-premises AD sync details deeply (hybrid complexity)
- ❌ Cannot read some security defaults without admin consent
- ❌ Mail flow rules, Exchange transport rules (separate Exchange permissions)
- ❌ SharePoint/OneDrive sharing settings (separate permissions)
- ❌ Intune device compliance (separate permissions, but available)
**Required Permissions (Application, Read-Only):**
```
Directory.Read.All
AuditLog.Read.All
Policy.Read.All
IdentityRiskyUser.Read.All
IdentityRiskEvent.Read.All
UserAuthenticationMethod.Read.All
AccessReview.Read.All
EntitlementManagement.Read.All
PrivilegedAccess.Read.AzureAD
Application.Read.All
```
**Assessment:** Technical feasibility is strong. Graph API provides comprehensive read access for a meaningful security audit. The key limitation is that you're reading configuration, not testing enforcement — but that's true of most audit approaches.
### 5. DJ's Moat — EntraID + PeopleSoft HCM Expertise
**[MEDIUM CONFIDENCE]**
- **EntraID expertise alone:** Common among M365 admins. Not a moat. Thousands of people can run Maester or ScubaGear.
- **PeopleSoft HCM + EntraID combo:** Genuinely rare. PeopleSoft HCM is a legacy Oracle product used by ~3,0005,000 organizations globally (mostly large enterprises, government, higher ed). People who understand both identity lifecycle (HCM → provisioning → EntraID) are scarce.
- **Where the combo creates value:**
- Joiner/mover/leaver lifecycle audits — do accounts get disabled when people leave PeopleSoft?
- Role mining — do EntraID group memberships align with HR job codes?
- Orphaned account detection — PeopleSoft terminations vs. active EntraID accounts
- Compliance evidence — proving HR-driven access governance
- **How rare?** Estimated <500 people in the US have deep expertise in both PeopleSoft HCM identity processes AND modern EntraID security. Most PeopleSoft admins don't touch identity. Most identity engineers don't know PeopleSoft.
- **Limitation:** The overlap market (companies using BOTH PeopleSoft HCM and EntraID) is shrinking as companies migrate off PeopleSoft to Workday/SuccessFactors.
**Assessment:** The moat exists but is narrow and declining. It's a niche differentiator for ~2,0003,000 potential clients, not a broad market advantage. Use it for initial credibility and case studies, don't build the whole business on it.
### 6. Pricing Validation
**[MEDIUM CONFIDENCE]**
| Service | Price Range | Notes |
|---------|-------------|-------|
| MSP "free" M365 assessment | $0 | Loss leader to sell managed services |
| Boutique security assessment | $2,000$10,000 | One-time, includes remediation consulting |
| Varonis/enterprise tools | $50,000+/year | Enterprise only |
| Penetration test (identity-focused) | $10,000$30,000 | Much broader scope |
| Virtual CISO (ongoing) | $3,000$10,000/month | Includes identity + everything else |
| Compliance audit prep | $5,000$15,000 | SOC2/HIPAA readiness |
**$1,500$3,000 for an automated audit:** This is the danger zone. It's:
- Too expensive for what a free tool (Maester) can do with a $150/hr consultant running it
- Too cheap to signal "premium expert assessment"
- Competing with MSPs who give it away free to win managed service contracts
**Recommended pricing pivot:**
- **Lead magnet:** Free automated scan (Maester-based) generates leads
- **Paid tier:** $3,000$5,000 "Expert Identity Security Assessment" with human analysis, prioritized remediation roadmap, 1-hour walkthrough call, and compliance-ready documentation
- **Ongoing:** $1,000$2,000/quarter monitoring with alerting and quarterly review call
### 7. Employment Agreement Risk
**[MEDIUM CONFIDENCE]**
- **Non-compete clauses:** Common in enterprise IT. Typically restrict working for direct competitors, NOT starting a side consulting practice in a different market segment. However, if DJ's employer is an MSP or consulting firm, conflict risk is higher.
- **Moonlighting restrictions:** ~4050% of large employers have moonlighting policies. Many require disclosure but don't prohibit. Key risk: if the side work uses skills/knowledge from the day job.
- **IP assignment clauses:** Many employment agreements assign ALL work-related IP to the employer, even if created on personal time. If DJ builds audit tooling using knowledge from his employer's EntraID environment, this is a gray area.
- **Client solicitation:** If any audit clients overlap with DJ's employer's clients, this is high-risk.
- **Mitigation:**
1. Read employment agreement carefully (specifically: non-compete, moonlighting, IP assignment, non-solicitation)
2. Never use employer's systems, data, or client lists
3. Operate under an LLC
4. Consider disclosing to employer if agreement requires it
5. Target different market segment than employer serves
### 8. Revenue Projections
**Conservative (solo, nights/weekends, slow start):**
| Metric | 6 Months | 12 Months |
|--------|----------|-----------|
| Audits/month | 1 | 2 |
| Avg price | $2,500 | $3,000 |
| Monitoring clients | 0 | 3 |
| Monthly revenue | $2,500 | $7,500 |
| **Annual run rate** | **$30,000** | **$90,000** |
**Moderate (part-time dedicated, some marketing):**
| Metric | 6 Months | 12 Months |
|--------|----------|-----------|
| Audits/month | 3 | 5 |
| Avg price | $3,500 | $4,000 |
| Monitoring clients | 3 | 10 |
| Monthly revenue | $12,000 | $25,000 |
| **Annual run rate** | **$144,000** | **$300,000** |
**Aggressive (full-time, strong referral network, content marketing):**
| Metric | 6 Months | 12 Months |
|--------|----------|-----------|
| Audits/month | 8 | 15 |
| Avg price | $4,000 | $5,000 |
| Monitoring clients | 10 | 30 |
| Monthly revenue | $37,000 | $90,000 |
| **Annual run rate** | **$444,000** | **$1,080,000** |
**Key assumption:** Moderate and aggressive require quitting the day job or hiring. Conservative is the only scenario compatible with full-time employment.
### 9. Synergies with Other Ideas
- **spark-002 (Consulting):** Direct synergy. Audit service is a productized entry point to broader consulting. Audit find problems sell remediation consulting at $200300/hr. This is the classic "land and expand" model.
- **spark-012 (Migration Assessments):** Strong synergy. Companies doing identity audits often discover they need to migrate from legacy AD to pure Entra ID, or from PeopleSoft to modern HR. Assessment migration project ($50K$200K).
- **Combined play:** Position as "Identity Lifecycle Specialist" audit remediate migrate monitor. Full lifecycle captures 10x the revenue of audit alone.
### 10. Key Risks & Mitigations
| Risk | Severity | Mitigation |
|------|----------|------------|
| Free tools commoditize scanning | HIGH | Differentiate on interpretation, compliance docs, human expertise |
| MSPs give away assessments free | HIGH | Target companies without MSPs, or companies unhappy with MSP |
| Employment agreement conflict | MEDIUM | Legal review, LLC, separate market segment |
| Client acquisition cost | MEDIUM | Content marketing, LinkedIn, referral partnerships with M365 VARs |
| Liability/E&O insurance | MEDIUM | Professional liability insurance ($1,000$3,000/year) |
| PeopleSoft market shrinking | LOW | Don't over-index on PeopleSoft angle |
---
## ANALYSIS
This is a **viable but crowded** opportunity. The core scanning/reporting layer is commoditized by free tools (Maester, ScubaGear, Microsoft Secure Score). However, there are three genuine value layers above the commodity:
1. **Expert interpretation** Free tools generate findings. Mid-market companies can't interpret them. "You have 47 findings which 5 actually matter for your business?" That's worth $3,000$5,000.
2. **Compliance documentation** SOC2 auditors, cyber insurance underwriters, and HIPAA assessors want professional-grade documentation, not a Maester HTML report. Branded, formatted, attestation-quality deliverables are the product.
3. **Ongoing relationship** Quarterly monitoring with human review creates sticky recurring revenue and positions for upsell to remediation/migration projects.
The danger is positioning this as "we run a scanner and give you the output." That's a race to zero. The positioning must be "identity security expertise delivered as a service, backed by automated scanning."
---
## CONFIDENCE
- Market exists: **HIGH** regulatory and insurance drivers are real and growing
- Technical feasibility: **HIGH** Graph API provides excellent read-only audit capabilities
- Competitive differentiation possible: **MEDIUM** requires deliberate positioning above free tools
- Pricing works at $3K$5K with human analysis: **MEDIUM** validated by comparable services
- DJ can execute while employed: **LOW-MEDIUM** depends on employment agreement and available time
- Revenue hits $100K+ in year 1: **LOW** requires significant sales effort and pipeline
**Overall conviction: 6/10** Good idea, real market, but execution risk is high and differentiation requires more than scanning.
---
## SO WHAT
**Do this IF:**
- Employment agreement allows it (check FIRST)
- You position above the commodity layer (expert analysis + compliance docs, not just scan results)
- You price at $3,000$5,000 (not $1,500) to signal expertise
- You use audits as a wedge to sell higher-value consulting and migration work
- You build a content/referral engine (LinkedIn, M365 community, VAR partnerships)
**Don't do this IF:**
- You plan to compete on automation/price alone (free tools win)
- Employment agreement has broad non-compete or IP assignment
- You can't commit 10+ hours/week to sales and delivery
---
## MONEY
- **Startup costs:** ~$2,000$5,000 (LLC, E&O insurance, branding, basic tooling)
- **Marginal cost per audit:** ~24 hours of DJ's time + tool costs (~$50). High margin.
- **Break-even:** 23 audits covers startup costs
- **Best case 12-month:** $300K revenue, $250K+ profit (moderate scenario)
- **Worst case 12-month:** $30K revenue, $25K profit (conservative, side hustle)
- **Recommended next step:** Review employment agreement, then build one sample audit report using Maester + custom analysis template on a test tenant. Use that as the sales demo.
---
## RECOMMENDATION
**CONDITIONAL GO** Proceed to validation phase.
1. **Week 1:** Review employment agreement for restrictions
2. **Week 2:** Build sample audit on personal/test tenant using Maester + custom report template
3. **Week 3:** Show sample to 35 contacts in mid-market IT for pricing feedback
4. **Week 4:** Go/no-go decision on launching LLC and first paid client
The idea has legs, but only if DJ executes above the commodity layer. The PeopleSoft angle is a nice niche differentiator for initial clients but not the long-term moat. The long-term moat is "trusted identity security advisor" with recurring monitoring relationships.
Reference in New Issue View Git Blame Copy Permalink