A practical guide to identity, authentication, and access that keeps the business running—securely

Imagine your organization as a building. IAM (Identity and access management) is the name badge that says who you are, the key that lets you in, the rooms you’re allowed to enter, and the routines that keep everything organized. Simply put: make sure the right people have the right access at the right time.
Work today happens across applications, shared files, and data systems. If access is too loose, sensitive information can leak; if it’s too strict or slow, work grinds to a halt. IAM balances this—securely, simply, and consistently—so daily operations flow without unnecessary risk.
There are many principles and concepts behind IAM, but the most important ones to understand at a general level are the following.
Identity is the core: who you are in the digital space—name, role, department, and other attributes that describe you in the organization’s systems.
Example: Maria is a project manager in the sales department. Her digital profile includes her email address, job title, department, employee ID, and the teams she belongs to. This is the “who” the system recognizes as Maria.
For systems to know that it is actually Maria trying to use them, we need authentication: proof that she is who she claims to be. Typically, this is a password combined with an additional step such as a one-time code or a security key (MFA).
Example: When Maria logs in, she enters her password and confirms the sign-in using Microsoft Authenticator on her phone or a FIDO2 security key. Without that extra step, she is denied access—even if the password is correct.
Once her identity is verified, authorization comes into play: the rules that determine what she is allowed to do—what applications she can open, which files she can view, and what actions she can perform based on her role.
Example: Maria can open the CRM system and read “Sales Report Q4” in SharePoint, but she cannot access the HR folder with payroll data. In Azure, she may be able to view project resources (Reader) but not change firewall rules (which require Contributor or Owner). Authorization ensures she has access to the right things—and only those things.
Above this sits governance, which ensures access remains correct over time through clear approval processes, regular reviews, and cleanup when roles change or people leave.
Example: When Maria changes roles from project manager to sales manager, a “mover” process is triggered that automatically removes old access and grants new access after approval. Quarterly access reviews are conducted where managers confirm that access is still needed. When an employee leaves (“leaver”), access is removed the same day and shared keys are rotated. Temporary access is granted with an expiration (just-in-time), and sensitive access requires explicit approval.
Together, this ensures that the right person has the right access at the right time—securely, traceably, and aligned with the organization’s goals.
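To make the four concepts concrete, here is an added Python example (not code from the original article) that models Maria's case: her identity is a set of attributes, authentication requires both the password and the MFA step, and authorization is a lookup of her roles against a permission table. The role names, resource names and the "Reader" versus "Contributor" split are constructed for illustration and do not correspond to any real tenant's configuration.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed example data (not from any real tenant). Permissions are written
# as "resource:action"; the Azure-style Reader versus Contributor split is
# modelled as read-only versus read+write on the project resource group.
ROLE_PERMISSIONS = {
    "project_manager": {
        "crm:read", "crm:write",
        "sharepoint/sales-report-q4:read",
        "azure/project-rg:read",            # Reader: view resources only
    },
    "azure_contributor": {
        "azure/project-rg:read",
        "azure/project-rg:write",           # Contributor: may change firewall rules
    },
    "hr": {"sharepoint/hr-payroll:read"},
}


@dataclass(frozen=True)
class Identity:
    """Who the user is: the attributes the directory holds about them."""
    name: str
    employee_id: str
    department: str
    roles: frozenset


@dataclass(frozen=True)
class Session:
    """Outcome of one sign-in attempt, one flag per factor."""
    identity: Identity
    password_ok: bool
    mfa_ok: bool


def authenticate(identity: Identity, password_ok: bool, mfa_ok: bool) -> Session:
    """Record both factor results; the decision itself is made in is_authenticated()."""
    return Session(identity, password_ok, mfa_ok)


def is_authenticated(session: Session) -> bool:
    """Both factors must succeed; a correct password alone is not enough."""
    return session.password_ok and session.mfa_ok


def decide(session: Session, resource: str, action: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Authentication is checked before any role lookup."""
    if not is_authenticated(session):
        return False, "authentication incomplete (password and MFA both required)"
    needed = f"{resource}:{action}"
    for role in sorted(session.identity.roles):
        if needed in ROLE_PERMISSIONS.get(role, set()):
            return True, f"granted by role '{role}'"
    return False, f"no role of {session.identity.name} grants {needed}"


# Constructed identity for the walkthrough.
MARIA = Identity("Maria", "E-1042", "sales", frozenset({"project_manager"}))

if __name__ == "__main__":
    weak = authenticate(MARIA, password_ok=True, mfa_ok=False)
    strong = authenticate(MARIA, password_ok=True, mfa_ok=True)
    for sess, res, act in [
        (weak, "crm", "read"),
        (strong, "crm", "read"),
        (strong, "sharepoint/sales-report-q4", "read"),
        (strong, "sharepoint/hr-payroll", "read"),
        (strong, "azure/project-rg", "read"),
        (strong, "azure/project-rg", "write"),
    ]:
        print(f"{res}:{act} mfa={sess.mfa_ok} -> {decide(sess, res, act)}")
```

The ordering inside `decide` is the point: a request that has not passed both factors never reaches the permission table, so a correct password with a missing MFA confirmation is refused before any role is consulted.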
Joiner–Mover–Leaver describes the lifecycle of people in an organization and how access should follow them in a secure and orderly way. When someone starts (Joiner), they should have the tools they need from day one—not a week later. The identity is created, access is granted based on role, and everything is ready so they can be productive on their first day.
When they change roles (Mover), access changes along with responsibility: old permissions are removed and new ones are added. This prevents access from accumulating over time and creating risk. And when they leave (Leaver), access is removed immediately. No orphaned accounts, no keys left behind, and data remains protected.
Together, this provides a holistic, predictable, and secure approach to identity and access that supports business objectives.
Example (Joiner): Sofia starts as a project coordinator. On the same day, her user account is created, she is assigned the correct license, automatically added to the project’s groups and channels, given access to the project’s SharePoint site and CRM, and her laptop is configured with a standard security profile and MFA. She can work immediately without waiting for manual approvals.
Example (Mover): Amir moves from customer service to finance. Access to the customer service system and shared folders is removed, and new access to ERP systems, financial reports, and the finance team is granted. Temporary access to sensitive data is provided only when needed and with time limits. Amir gets exactly the access his new role requires—no more, no less.
Example (Leaver): Lina has her last working day. Her account is disabled when employment ends, active sessions and tokens are revoked, shared keys are rotated, and her work laptop is remotely wiped. Email is archived according to policy, and necessary content is transferred to the team. No “ghost accounts” or leftover access remain.
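The three lifecycle events above can be expressed as state transitions on an account. The following Python example is added here and is not code from the original article; the role baselines, system names, user names and the reference time `T0` are constructed, and the `Directory` class is a toy store standing in for whatever directory or HR-driven provisioning the organization actually uses. It shows the two properties the text insists on: a mover replaces rather than accumulates access, and a leaver ends up with no enabled account, no sessions and no effective access. Temporary grants carry an expiry and an approver, so just-in-time access also disappears on its own.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set

# Constructed role baseline: the minimum set of systems each role needs.
ROLE_ACCESS = {
    "project_coordinator": {"sharepoint/project-site", "crm", "teams/project-channel"},
    "customer_service": {"cs-system", "share/cs-folder"},
    "finance": {"erp", "share/finance-reports", "teams/finance"},
}

T0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)   # constructed reference time


@dataclass
class Account:
    user: str
    role: Optional[str]
    enabled: bool = True
    mfa_enabled: bool = True
    access: Set[str] = field(default_factory=set)               # standing, role-derived
    temporary: Dict[str, datetime] = field(default_factory=dict)  # resource -> expiry
    sessions: Set[str] = field(default_factory=set)             # active session/token ids


class Directory:
    """Toy identity store that applies the Joiner/Mover/Leaver rules."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def joiner(self, user: str, role: str) -> Account:
        # Day one: an account with MFA on and exactly the role's baseline access.
        acct = Account(user, role, access=set(ROLE_ACCESS[role]))
        self.accounts[user] = acct
        return acct

    def mover(self, user: str, new_role: str) -> Account:
        # Replace, never accumulate: old role access and any temporary grants go.
        acct = self.accounts[user]
        acct.role = new_role
        acct.access = set(ROLE_ACCESS[new_role])
        acct.temporary.clear()
        return acct

    def grant_temporary(self, user: str, resource: str, hours: int,
                        now: datetime, approved_by: str) -> None:
        # Just-in-time access: needs an explicit approver and always expires.
        if not approved_by:
            raise ValueError("temporary access to sensitive data needs an approver")
        self.accounts[user].temporary[resource] = now + timedelta(hours=hours)

    def leaver(self, user: str) -> Account:
        # Same day: disable, revoke sessions, drop standing and temporary access.
        acct = self.accounts[user]
        acct.enabled = False
        acct.sessions.clear()
        acct.access.clear()
        acct.temporary.clear()
        return acct

    def effective_access(self, user: str, now: datetime) -> Set[str]:
        # What the user can actually reach right now: nothing if disabled,
        # otherwise standing access plus unexpired temporary grants.
        acct = self.accounts[user]
        if not acct.enabled:
            return set()
        live_temp = {r for r, exp in acct.temporary.items() if exp > now}
        return acct.access | live_temp


def scenario() -> dict:
    """Run Amir's mover path and Lina's leaver path; return what an auditor would check."""
    d = Directory()
    d.joiner("amir", "customer_service")
    d.joiner("lina", "project_coordinator")
    d.accounts["lina"].sessions.add("sess-lina-1")
    d.mover("amir", "finance")
    d.grant_temporary("amir", "share/payroll-export", hours=4, now=T0, approved_by="cfo")
    d.leaver("lina")
    return {
        "amir_standing": d.accounts["amir"].access,
        "amir_now": d.effective_access("amir", T0),
        "amir_next_day": d.effective_access("amir", T0 + timedelta(days=1)),
        "lina_enabled": d.accounts["lina"].enabled,
        "lina_sessions": d.accounts["lina"].sessions,
        "lina_access": d.effective_access("lina", T0),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Note that `mover` rebuilds the access set from the new role's baseline instead of adding to the existing one; that single design choice is what prevents the access creep the text warns about.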
As with many things, IAM can drift over time: weak governance creates exceptions, inflexible designs break when the organization changes, best practices are forgotten, and everyday security awareness slips. Organizations that anchor IAM in a few core principles—clear roles, least privilege, MFA by default, lifecycle automation, and regular access reviews—avoid these pitfalls and build a robust, scalable access model:
Start by mapping the landscape: who works in the organization, which applications exist, and where sensitive data resides. Without visibility, access management becomes a guessing game.
Example: Create an inventory of systems and classify data: “Payroll and HR” as sensitive, “Sales reports” as confidential, and “Marketing materials” as internal.
Define a set of common roles and link each role to the minimum necessary access. This makes onboarding fast and accurate and prevents “access creep” over time.
Example: Start with 5–7 core roles (Sales, HR, Finance, Projects, IT Operations). Document which applications, folders, and permissions each role should have—and should not have.
Make MFA the default and tie access changes to HR events (Joiner, Mover, Leaver). Access follows the lifecycle, not chance.
Example: When a new employee is registered (Joiner), an account is created with MFA enabled and role-based access assigned. When roles change (Mover), old permissions are removed and new ones added. When someone leaves (Leaver), the account is disabled, active sessions are revoked, and access is removed the same day.
Plan regular reviews and log important activity, especially around sensitive data. This provides evidence for audits and alerts for unusual behavior.
Example: Schedule quarterly access reviews and set up automated alerts when someone downloads large volumes of sensitive documents or attempts to access data they should not see. Retain audit logs that can be reviewed when needed.
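The last two steps (roles tied to minimum access, and reviews plus alerting on sensitive data) can be checked mechanically. The Python below is an added example, not code from the original article: `review_access` compares each user's actual grants with the role baseline and reports what exceeds it (to remove) and what is missing (to add), and `detect` runs two simple rules over audit log lines, one for bulk downloads of classified documents and one for denied attempts on sensitive data. The classification table, role baseline, user names, log line format and the threshold of ten downloads are all constructed for illustration; a real deployment would use its own SIEM's log schema and tune the threshold to observed behaviour.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Set

# Constructed classification and role baseline (not from any real organization).
CLASSIFICATION = {
    "hr-payroll": "sensitive",
    "sales-reports": "confidential",
    "marketing": "internal",
}
ROLE_BASELINE = {
    "sales": {"crm", "sales-reports"},
    "hr": {"hr-payroll"},
    "marketing": {"marketing"},
}


def review_access(role_of: Dict[str, str],
                  grants: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Quarterly review: per user, grants beyond the role baseline and grants missing from it."""
    findings = {}
    for user, role in role_of.items():
        baseline = ROLE_BASELINE[role]
        actual = grants.get(user, set())
        excess, missing = actual - baseline, baseline - actual
        if excess or missing:
            findings[user] = {"excess": excess, "missing": missing}
    return findings


# Constructed log format: "<timestamp> user=<u> action=<a> resource=<r> result=<ok|denied>".
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                    r"resource=(?P<res>\S+) result=(?P<result>\S+)$")


def parse(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(resource: str) -> str:
    # The first path segment names the data set; unknown sets are flagged as such.
    return CLASSIFICATION.get(resource.split("/")[0], "unknown")


def detect(lines: List[str], bulk_threshold: int = 10) -> List[str]:
    """Emit one alert per rule match: bulk classified downloads, denied access to sensitive data."""
    downloads: Counter = Counter()
    alerts: List[str] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                      # malformed line: skip, never crash the pipeline
        level = classify(ev["res"])
        if ev["result"] == "denied" and level == "sensitive":
            alerts.append(f"{ev['user']} denied access to sensitive data {ev['res']} at {ev['ts']}")
        if (ev["action"] == "download" and ev["result"] == "success"
                and level in ("sensitive", "confidential")):
            downloads[ev["user"]] += 1
            if downloads[ev["user"]] == bulk_threshold:   # fire once, at the threshold
                alerts.append(f"{ev['user']} downloaded {bulk_threshold} classified documents (bulk download)")
    return alerts


# Constructed sample log: ten report downloads by maria, one denied payroll read,
# and an internal-only download that should not alert.
SAMPLE_LOG = [
    f"2025-01-06T09:{i:02d}:00Z user=maria action=download resource=sales-reports/q4-{i}.xlsx result=success"
    for i in range(10)
] + [
    "2025-01-06T09:12:00Z user=maria action=read resource=hr-payroll/jan.xlsx result=denied",
    "2025-01-06T09:13:00Z user=jonas action=download resource=marketing/brochure.pdf result=success",
    "this line is garbage and must be ignored",
]

if __name__ == "__main__":
    print(review_access({"maria": "sales", "tom": "hr"},
                        {"maria": {"crm", "sales-reports", "hr-payroll"}, "tom": {"hr-payroll"}}))
    for alert in detect(SAMPLE_LOG):
        print("ALERT:", alert)
```

The review output is exactly what a manager needs to sign off on: the "excess" set is the cleanup list, and an empty result for a user means their access still matches their role.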
IAM is not about locking doors and throwing away the keys; it’s about giving people exactly what they need—no more, no less. With clear roles, strong authentication, and consistent routines, you reduce risk, speed up onboarding, and keep work moving.