In this module
IAM0.5 The Northgate Engineering Scenario
IAM0.1 through IAM0.4 audited your own tenant — governance attribute gaps, lifecycle stage coverage, permission creep, non-human identity inventory. This section introduces Northgate Engineering, the fictional organization you'll use as a worked example throughout the course. NE's governance gaps mirror the patterns you found in your own tenant. The difference is that NE has named personas, documented infrastructure, and specific findings you'll fix module by module.
How the NE scenario works in this course
Every module in this course follows a dual-track pattern. You work in your own tenant first — running the queries, examining the output, making the design decisions for your environment. Then you see the same problem through Northgate Engineering's lens — a worked example with specific numbers, named personas, and documented findings that illustrate the governance decision in a concrete organizational context.
NE appears in blockquotes throughout every section. When you see the "> At Northgate Engineering:" label, that's the worked example. Your own tenant is the primary learning environment. NE is the reference case — a consistent scenario you can compare against, with governance gaps that map directly to the module that fixes them.
This section establishes the NE environment, the personas you'll encounter, the identity composition, and the eight governance gaps the course resolves.
Estimated time: 25 minutes.
Northgate Engineering — the organization
Northgate Engineering is an 810-employee engineering firm headquartered in Bristol, UK, with satellite offices in Manchester, Edinburgh, and a project site in Rotterdam. The company designs and manufactures industrial control systems for water treatment, power distribution, and manufacturing automation. NE's clients include UK water utilities, European energy companies, and municipal infrastructure operators.
NE runs Microsoft 365 E5 with Entra ID, Exchange Online, SharePoint Online, Teams, Defender for Endpoint, Defender for Office 365, Defender for Cloud Apps, and Microsoft Sentinel. The E5 license includes Entra ID P2, which provides Identity Protection, Conditional Access with risk-based policies, and basic PIM. NE does not currently have the Entra ID Governance add-on — lifecycle workflows, entitlement management, and access reviews require it, and Phil Greaves hasn't secured the budget.
NE has a hybrid environment. On-premises Active Directory syncs to Entra ID through Entra Connect. The HR system (a standalone application with no API) doesn't integrate with Entra ID. All user provisioning is manual — Phil Greaves creates accounts through the Entra admin center based on email requests from HR.
Figure IAM0.5 — Northgate Engineering's identity infrastructure. Manual provisioning from a disconnected HR system, hybrid AD sync, 810 members with significant attribute gaps, 347 app registrations with zero governance, and security controls deployed without identity lifecycle automation.
The personas
Six personas appear throughout the course. Each represents a role in NE's identity governance landscape — or the absence of one.
Rachel Okafor — CISO. Rachel joined NE 18 months ago from a financial services firm with a mature IAM program. She knows what governance looks like and knows NE doesn't have it. She's the executive sponsor for the IAM program — she secured the budget conversation with the board and now needs the program built. Rachel appears in decision-point scenarios where the governance recommendation meets organizational reality — budget constraints, political resistance, competing priorities.
Phil Greaves — IT Director. Phil has managed NE's M365 environment for four years. He creates every account manually, manages group memberships through the admin center, and handles password resets. Phil is competent at administration and has never been asked to build governance. He's the person who knows where everything is configured but can't explain why it's configured that way. Phil represents the admin-to-governance transition — technically capable, not yet thinking in lifecycle terms.
Tom Ashworth — L1 SOC Analyst. Tom manages NE's SOC operations and supervises Priya Sharma. He runs the annual group access review and approves all 96 memberships for his 12 team members in 47 seconds. Tom isn't negligent — he's overwhelmed. He doesn't know what half the groups grant access to, and the review interface doesn't tell him. Tom represents the reviewer problem — access reviews that produce compliance evidence without governance value.
Priya Sharma — L1 SOC Analyst. Priya transferred from the finance team to SOC 14 months ago. She still holds membership in SG-Finance-Readers, SG-Project-Alpha, and Team-Office-Migration-2023. Her current manager Tom doesn't know about her pre-transfer access. Priya is the mover problem personified — the identity that changes roles and keeps old access because no lifecycle mechanism triggers reassignment.
Marcus Webb — Security Architect. Marcus designed NE's Conditional Access policies and Defender configuration. He thinks in security controls, not identity lifecycle. Marcus can explain why each CA policy exists but can't tell you whether the service principal excluded from MFA still needs the exclusion. Marcus represents the security-without-governance gap — controls configured without the lifecycle that maintains them.
Elena Petrova — GRC Analyst. Elena handles audit responses and compliance evidence. She produces the access review completion reports, the role assignment exports, and the group membership snapshots that auditors request. Elena knows the evidence satisfies the checklist. She also knows the evidence doesn't prove the controls work — the review completed but the deny rate was 0.6%, and the membership snapshot shows access but not justification. Elena represents the compliance-without-governance problem.
Without documented personas, the governance program is built without naming who does what. When the access review design asks "who should review finance group membership?", nobody can answer because nobody mapped the organizational structure to the governance roles. The personas aren't decoration. They're the cast of characters who interact with every governance mechanism you build. A lifecycle workflow fires and sends a welcome email: to whom, from whom, approved by whom? An access review routes to the manager: which manager, for which population? The personas answer these questions with specific names, roles, and governance responsibilities.
NE's identity composition
The numbers you've seen in IAM0.1 through IAM0.4 are NE's numbers. If you built the lab environment in IAM0.6, verify the NE personas are in place:
Entra Admin Center
Identity → Users → All users → search for "Okafor"
Rachel Okafor should appear with department "Security" and job title "CISO." Search for "Taylor" — Mark Taylor should appear with blank department and job title. The contrast between these two accounts illustrates the governance attribute gap at the individual level. Rachel has the attributes lifecycle workflows need. Mark doesn't.
Confirm the NE lab numbers match the scenario:
$nePersonas = Get-MgUser -All | Where-Object {
    $_.DisplayName -match "Okafor|Ashworth|Sharma|Webb|Petrova|Greaves|Whitfield|Blackwood|Chen|Okonkwo|Taylor|Kowalski|Hughes|Al-Rashid|Morrison"
}
$neGroups = Get-MgGroup -All | Where-Object { $_.DisplayName -match "^(SG-|Team-)" }
$neApps = Get-MgApplication -All | Where-Object { $_.DisplayName -like "NE-*" }
$neGuests = Get-MgUser -All | Where-Object { $_.UserType -eq "Guest" }
Write-Host "NE Lab Verification:"
Write-Host "  Personas: $($nePersonas.Count) / 15"
Write-Host "  Groups:   $($neGroups.Count) / 13"
Write-Host "  Apps:     $($neApps.Count) / 7"
Write-Host "  Guests:   $($neGuests.Count) / 5"

If any count is short, return to IAM0.6 and re-run the relevant setup section. The full NE numbers for a production-scale scenario are:
Human identities. 810 member accounts. 23 guest accounts (14 stale or never signed in). 14 disabled accounts (11 still holding group memberships). Governance attribute gaps: 80% missing employeeHireDate, 25% missing manager, 23% missing department. Average group membership for 3+ year employees: 14.8 groups. 31 active accounts with no sign-in for 90+ days.
Group infrastructure. 214 groups. 67 ownerless (31%). 89 without descriptions (42%). 12 dynamic groups (6%). The remaining 202 groups depend on manual membership management. No naming convention. No lifecycle policy. No group attestation process.
Non-human identities. 347 app registrations. 89 with credentials — 31 expired, 7 expiring within 30 days. 1,247 service principals (891 Microsoft first-party, 198 organizational, 158 third-party). Zero credential rotation policy. Zero permission reviews. Zero lifecycle governance. The Data Migration Tool app holds 12 application permissions including tenant-wide read/write — created by a contractor who left 8 months ago.
Security controls. 14 Conditional Access policies. MFA enforced via push notification (not phishing-resistant). Sentinel deployed. Defender XDR active. No access reviews. No entitlement management. No lifecycle workflows. PIM available (E5 includes it) but not configured beyond default settings.
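The "Human identities" figures above are NE's. The function below is an added example, not part of the course page or its IAM0.6 lab scripts, that computes the same figures for whatever tenant you are signed in to: attribute gaps (employeeHireDate, manager, department), stale or never-signed-in guests, disabled accounts still holding group memberships, and enabled members with no sign-in for 90+ days. It assumes the Microsoft.Graph PowerShell module, an Entra ID P1/P2 licence (signInActivity is a premium property), and consent to the three scopes it requests. The function name Get-IdentityComposition and its helpers are our own.

```powershell
# Added example (not from the course): compute the "Human identities" composition
# metrics for the signed-in tenant. Function and helper names are assumptions of this
# example; the Graph cmdlets and properties are the standard Microsoft.Graph ones.
Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All", "AuditLog.Read.All"

function Get-IdentityComposition {
    param([int]$StaleDays = 90)

    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # Percentage rounded to a whole number, guarding against an empty tenant
    function Get-Pct([int]$Part, [int]$Whole) {
        if ($Whole -eq 0) { return 0 }
        return [math]::Round(100 * $Part / $Whole)
    }
    # A null lastSignInDateTime means the account has never signed in interactively
    function Test-Stale($User) {
        $last = $User.SignInActivity.LastSignInDateTime
        return (-not $last) -or ($last -lt $cutoff)
    }

    # signInActivity is only returned when selected explicitly
    $users = Get-MgUser -All -Property @(
        "id", "displayName", "userType", "accountEnabled",
        "department", "employeeHireDate", "signInActivity"
    )
    $members  = @($users | Where-Object { $_.UserType -eq "Member" })
    $guests   = @($users | Where-Object { $_.UserType -eq "Guest" })
    $disabled = @($users | Where-Object { -not $_.AccountEnabled })

    # Governance attribute gaps: the attributes lifecycle workflows key on
    $noHireDate = @($members | Where-Object { -not $_.EmployeeHireDate }).Count
    $noDept     = @($members | Where-Object { [string]::IsNullOrWhiteSpace($_.Department) }).Count

    # manager is a navigation property, so it is resolved per user (one call each);
    # a missing manager returns 404, which SilentlyContinue turns into $null
    $noManager = 0
    foreach ($u in $members) {
        if (-not (Get-MgUserManager -UserId $u.Id -ErrorAction SilentlyContinue)) { $noManager++ }
    }

    # Leaver cleanup gap: disabled accounts that still hold group memberships
    $disabledWithGroups = 0
    foreach ($u in $disabled) {
        $groups = @(Get-MgUserMemberOf -UserId $u.Id -All -ErrorAction SilentlyContinue |
            Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group' })
        if ($groups.Count -gt 0) { $disabledWithGroups++ }
    }

    $staleGuests = @($guests  | Where-Object { Test-Stale $_ }).Count
    $staleActive = @($members | Where-Object { $_.AccountEnabled -and (Test-Stale $_) }).Count

    [pscustomobject]@{
        Members                    = $members.Count
        Guests                     = $guests.Count
        GuestsStaleOrNeverSignedIn = $staleGuests
        Disabled                   = $disabled.Count
        DisabledHoldingGroups      = $disabledWithGroups
        PctMissingHireDate         = Get-Pct $noHireDate $members.Count
        PctMissingManager          = Get-Pct $noManager $members.Count
        PctMissingDepartment       = Get-Pct $noDept $members.Count
        ActiveNoSignIn90d          = $staleActive
    }
}

Get-IdentityComposition | Format-List
```

Two caveats when reading the output. The function treats any member with no interactive sign-in as stale, so accounts that only authenticate non-interactively (check SignInActivity.LastNonInteractiveSignInDateTime) will be over-counted; decide deliberately whether those count as "active" in your baseline. And the per-user manager lookups are fine at NE's 810 members but slow in a large tenant; there, resolve managers in bulk with Get-MgUser's -ExpandProperty manager instead of one call per user.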
Eight governance gaps mapped to modules
NE's governance problems aren't random. They map directly to the modules that solve them. This mapping is your roadmap — it shows what you'll build, in what order, and why each module exists.
Gap 1 — No identity lifecycle automation. Accounts created manually. No joiner workflow (no pre-hire tasks, no day-one automation). No mover detection (role changes don't trigger access reassignment). No leaver automation (accounts disabled manually, group memberships not cleaned up). → Module 2: HR-Driven Provisioning and Lifecycle Workflows.
Gap 2 — Group sprawl without governance. 214 groups, 67 ownerless, 89 undescribed, only 12 dynamic. Groups created for projects that ended, never cleaned up. No naming convention. No lifecycle policy. No ownership enforcement. → Module 3: Group Architecture and Role-Based Access.
Gap 3 — No self-service access model. All access granted by Phil through the admin center. No request workflow, no approval chain, no time-bound access, no automatic expiry. Users email IT and wait. → Module 4: Entitlement Management.
Gap 4 — Rubber-stamp access reviews. One annual review with 0.6% deny rate. Reviewers lack context — don't know what groups grant, don't see usage data, don't have time to investigate 400 items. → Module 5: Access Reviews and Certification.
Gap 5 — No application access governance. 347 app registrations with no consent policy, no permission reviews, no OAuth grant analysis. Users consent to third-party apps without admin review. 158 third-party service principals with unknown permission scopes. → Module 6: Application Access Governance.
Gap 6 — Unconfigured privileged access governance. PIM available but using default settings. 7 identities with multiple directory roles. Phil has Global Administrator as a permanent assignment, not an eligible role. No activation workflow, no review cadence, no emergency access procedures. → Module 7: Privileged Access Governance.
Gap 7 — Zero non-human identity governance. 347 app registrations with no inventory, no classification, no credential policy, no permission right-sizing, no lifecycle governance. 31 expired credentials. 12 apps with tenant-wide high-risk permissions. A departed contractor's migration tool with Directory.ReadWrite.All. → Modules 9–11: Service Principals, Workload Identity, AI Agent Governance.
Gap 8 — No governance metrics or compliance evidence. Rachel can't answer "how do you know access is governed?" Elena produces review completion reports that show the process ran, not that it worked. No stale identity monitoring. No permission creep detection. No credential health dashboards. No compliance evidence mapped to ISO 27001 or SOC 2. → Modules 12–13: Monitoring and Detection, Compliance Evidence.
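Gap 7's findings (expired and soon-to-expire credentials, apps holding tenant-wide permissions such as Directory.ReadWrite.All) can be reproduced for any tenant with the function below. It is an added example, not a course or lab script: it assumes the Microsoft.Graph module and the Application.Read.All scope, and the $highRisk list is our own selection of tenant-wide application permissions, not a list from the course or from Microsoft. The function name Get-AppRegistrationRisk is ours.

```powershell
# Added example (not from the course): credential health and effective Microsoft Graph
# application permissions for every app registration, the data behind Gap 7.
# Function name and the $highRisk list are assumptions of this example.
Connect-MgGraph -Scopes "Application.Read.All"

function Get-AppRegistrationRisk {
    param([int]$ExpiryWindowDays = 30)

    $now = Get-Date
    # Graph's own service principal carries the appRoles table that maps permission
    # GUIDs (e.g. for Directory.ReadWrite.All) back to their names
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'" |
        Select-Object -First 1
    $roleNames = @{}
    foreach ($role in $graphSp.AppRoles) { $roleNames["$($role.Id)".ToLower()] = $role.Value }

    # Our own list of tenant-wide application permissions worth flagging (assumption)
    $highRisk = @(
        "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
        "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
        "User.ReadWrite.All", "Group.ReadWrite.All", "Mail.ReadWrite", "Files.ReadWrite.All"
    )

    foreach ($app in Get-MgApplication -All) {
        # Client secrets and certificates both count as credentials
        $creds    = @($app.PasswordCredentials) + @($app.KeyCredentials)
        $expired  = @($creds | Where-Object { $_.EndDateTime -and $_.EndDateTime -lt $now }).Count
        $expiring = @($creds | Where-Object {
            $_.EndDateTime -and $_.EndDateTime -ge $now -and
            $_.EndDateTime -lt $now.AddDays($ExpiryWindowDays) }).Count

        # Granted (consented) application permissions live on the service principal's
        # appRoleAssignments; the application object's requiredResourceAccess only
        # records what the app requested, which may be more or less than what was granted
        $granted = @()
        $sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'" | Select-Object -First 1
        if ($sp) {
            $granted = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
                Where-Object { "$($_.ResourceId)" -eq "$($graphSp.Id)" } |
                ForEach-Object { $roleNames["$($_.AppRoleId)".ToLower()] } |
                Where-Object { $_ })
        }

        [pscustomobject]@{
            DisplayName   = $app.DisplayName
            AppId         = $app.AppId
            Credentials   = $creds.Count
            Expired       = $expired
            ExpiringSoon  = $expiring
            GraphAppPerms = $granted.Count
            HighRiskPerms = ($granted | Where-Object { $highRisk -contains $_ }) -join ", "
        }
    }
}

$report = @(Get-AppRegistrationRisk)

# Summary in the same shape as the NE "Non-human identities" numbers
[pscustomobject]@{
    AppRegistrations  = $report.Count
    WithCredentials   = @($report | Where-Object { $_.Credentials -gt 0 }).Count
    WithExpiredCreds  = @($report | Where-Object { $_.Expired -gt 0 }).Count
    ExpiringIn30d     = @($report | Where-Object { $_.ExpiringSoon -gt 0 }).Count
    WithHighRiskPerms = @($report | Where-Object { $_.HighRiskPerms }).Count
} | Format-List

# The apps that need an owner conversation first
$report | Where-Object { $_.HighRiskPerms } | Sort-Object DisplayName |
    Format-Table DisplayName, Credentials, Expired, HighRiskPerms -AutoSize
```

The design choice that matters is reading appRoleAssignments on the service principal rather than requiredResourceAccess on the application: a finding like the Data Migration Tool's tenant-wide read/write is about what was actually consented, and the two can differ. An app with no service principal in the tenant (never consented) shows zero granted permissions even if its manifest requests many.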
Each gap has a module. Each module produces governance artifacts — ADRs, governance cadence documents, risk register entries, compliance evidence. By Module 14, NE has a complete IAM program. Your own tenant follows the same trajectory.
Verify the gaps in your lab
If you've built the NE lab environment from IAM0.6, confirm the governance gaps are present. These gaps are deliberate — the lab was designed to reproduce them so you have real findings to work with across the course.
Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All",
    "Application.Read.All", "RoleManagement.Read.Directory",
    "AccessReview.Read.All", "LifecycleWorkflows.Read.All",
    "EntitlementManagement.Read.All"

Write-Host "=== NE GOVERNANCE GAP VERIFICATION ==="

# Gap 1: No lifecycle automation
# An empty result is the gap; the catch branch also fires when the Governance
# add-on licence or the LifecycleWorkflows.Read.All scope is missing, so the
# error message is shown to tell the two apart
try {
    $workflows = @(Get-MgIdentityGovernanceLifecycleWorkflow -ErrorAction Stop)
    if ($workflows.Count -eq 0) {
        Write-Host "Gap 1 (Lifecycle): CONFIRMED — no lifecycle workflows"
    } else {
        Write-Host "Gap 1 (Lifecycle): $($workflows.Count) workflows configured"
    }
} catch {
    Write-Host "Gap 1 (Lifecycle): CONFIRMED — no lifecycle workflows ($($_.Exception.Message))"
}

# Gap 2: Group sprawl
$groups = Get-MgGroup -All -Property id, displayName, description
$ownerless = 0
foreach ($g in $groups) {
    if (@(Get-MgGroupOwner -GroupId $g.Id -ErrorAction SilentlyContinue).Count -eq 0) {
        $ownerless++
    }
}
$noDesc = @($groups | Where-Object { -not $_.Description }).Count
Write-Host "Gap 2 (Groups): $($groups.Count) groups, $ownerless ownerless, $noDesc undescribed"

# Gap 3: No entitlement management
# Every tenant has the service-default "General" catalog, so only user-managed
# catalogs count as evidence that entitlement management is in use
try {
    $catalogs = @(Get-MgEntitlementManagementCatalog -ErrorAction Stop |
        Where-Object { $_.CatalogType -ne "serviceDefault" })
    if ($catalogs.Count -eq 0) {
        Write-Host "Gap 3 (Entitlement): CONFIRMED — no catalogs configured"
    } else {
        Write-Host "Gap 3 (Entitlement): $($catalogs.Count) catalogs"
    }
} catch {
    Write-Host "Gap 3 (Entitlement): CONFIRMED — no catalogs configured ($($_.Exception.Message))"
}

# Gap 4: No access reviews
$reviews = @(Get-MgIdentityGovernanceAccessReviewDefinition -All -ErrorAction SilentlyContinue)
Write-Host "Gap 4 (Reviews): $(if ($reviews.Count -gt 0) { "$($reviews.Count) reviews" } else { "CONFIRMED — no reviews" })"

# Gap 5: App registration governance
$apps = Get-MgApplication -All
Write-Host "Gap 5 (App governance): $($apps.Count) app registrations, zero consent policy"

# Gap 6: Privileged access
$philRoles = Get-MgUser -Filter "displayName eq 'Phil Greaves'" | ForEach-Object {
    @(Get-MgUserMemberOf -UserId $_.Id -All |
        Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.directoryRole' }).Count
}
Write-Host "Gap 6 (Privileged): Phil Greaves holds $philRoles directory roles (permanent)"

# Gap 7: Non-human identity governance
$withCreds = @($apps | Where-Object { $_.PasswordCredentials.Count -gt 0 -or $_.KeyCredentials.Count -gt 0 }).Count
Write-Host "Gap 7 (Non-human): $withCreds apps with credentials, zero governance"

# Gap 8: No monitoring
Write-Host "Gap 8 (Monitoring): No KQL rules, no dashboards, no alerting"

Write-Host "`n=== All 8 governance gaps confirmed ==="

Entra Admin Center — Visual Gap Confirmation
Identity Governance → Lifecycle workflows — should be empty (Gap 1)
Identity Governance → Entitlement management → Catalogs — should show only the default catalog (Gap 3)
Identity Governance → Access reviews → Definitions — should be empty (Gap 4)
Identity → Roles & admins → Admin units — should be empty or show only the test AU from IAM1.5 (Gap 6 context)
Each empty page is a confirmed governance gap. Each gap maps to the module that closes it. The course is the remediation plan.
How NE appears in the course
NE blockquotes appear after the reader runs a query or makes a design decision in their own tenant. The pattern is always the same: you do it first in your environment, then the NE worked example shows how the same problem manifests with specific personas, specific numbers, and specific organizational context.
NE is not a substitute for your own tenant work. It's a reference implementation — a consistent scenario that illustrates the governance decision with enough detail to ground the abstract in the specific. When Module 5 teaches access review design, you design your review program first. Then the NE blockquote shows Rachel's review design for NE's 214 groups, with specific scope decisions, reviewer assignments, and cadence choices driven by the findings from earlier modules.
The eight gaps above are your checklist. As you complete each module, the corresponding gap closes. By Module 14, you'll have built the same governance program for your own tenant that the NE worked examples illustrate.
Your governance maturity baseline
The eight gaps map to a four-level governance maturity model. Score your own organization (or the NE scenario) against each level. This baseline becomes the Module 14 comparison — you'll run the same assessment after completing the capstone and measure the maturity gain.
Level 0 — Administered. Identities are created and managed. No governance mechanisms exist. Access is granted manually and never reviewed. Stale accounts persist. Group memberships accumulate. Non-human identities are ungoverned. This is where NE starts — and where most organizations are.
Level 1 — Reactive governance. Basic mechanisms exist but respond to problems rather than preventing them. Access reviews run but produce rubber-stamp approvals. PIM is deployed with default settings. Some groups have owners. No lifecycle automation. Evidence is produced for auditors but doesn't reflect actual governance effectiveness.
Level 2 — Structured governance. Lifecycle workflows automate joiner/mover/leaver processes. Access reviews run with meaningful deny rates (5–15%) because reviewers have context and usage data. Entitlement management provides self-service access with approval and time-bound expiry. Groups follow a naming convention with enforced ownership. Non-human identity credentials are monitored. Delegation boundaries exist through AUs.
Level 3 — Adaptive governance. Governance mechanisms adjust based on risk signals. Identity Protection risk scores influence access decisions in real time. AI-assisted access review recommendations reduce reviewer burden and improve decision quality. Governance metrics feed back into design — review completion rates, lifecycle workflow coverage, credential health scores drive continuous improvement. Compliance evidence is generated automatically. The governance program is self-monitoring.
Score each gap against the levels:
Write-Host "=== GOVERNANCE MATURITY SELF-ASSESSMENT ==="
Write-Host ""
Write-Host "Rate each gap 0-3 based on your current state:"
Write-Host ""
$gaps = @(
    "Gap 1: Identity lifecycle automation",
    "Gap 2: Group governance",
    "Gap 3: Self-service access model",
    "Gap 4: Access review effectiveness",
    "Gap 5: Application access governance",
    "Gap 6: Privileged access governance",
    "Gap 7: Non-human identity governance",
    "Gap 8: Governance metrics and evidence"
)
# NE scores (fill in your own)
$neScores = @(0, 0, 0, 0, 0, 0, 0, 0)   # NE starts at Level 0 across the board
for ($i = 0; $i -lt $gaps.Count; $i++) {
    Write-Host "  $($gaps[$i]): Level $($neScores[$i])"
}
$avg = [math]::Round(($neScores | Measure-Object -Average).Average, 1)
Write-Host ""
Write-Host "  COMPOSITE MATURITY: Level $avg"
Write-Host "  TARGET (Module 14): Level 2.0+"

=== GOVERNANCE MATURITY SELF-ASSESSMENT ===

Rate each gap 0-3 based on your current state:

  Gap 1: Identity lifecycle automation: Level 0
  Gap 2: Group governance: Level 0
  Gap 3: Self-service access model: Level 0
  Gap 4: Access review effectiveness: Level 0
  Gap 5: Application access governance: Level 0
  Gap 6: Privileged access governance: Level 0
  Gap 7: Non-human identity governance: Level 0
  Gap 8: Governance metrics and evidence: Level 0

  COMPOSITE MATURITY: Level 0
  TARGET (Module 14): Level 2.0+

NE starts at Level 0 across every gap. Your organization might score higher in some areas — perhaps you already have access reviews (Level 1 for Gap 4) or PIM configured (Level 1 for Gap 6). Record your baseline. The course takes every gap to at least Level 2, with the Monitoring and Compliance modules (12–13) pushing Gaps 4, 6, and 8 toward Level 3.
> At Northgate Engineering: Elena Petrova runs the maturity assessment and gets straight zeros. Rachel Okafor isn't surprised — she hired Elena specifically to build the governance program. The zeros aren't a failure. They're the starting position. Every IAM program starts somewhere. NE's advantage is that Rachel knows what governance looks like (from her previous role in financial services) and has the executive authority to build it. The maturity assessment quantifies the starting point. The course provides the build plan. Module 14 measures the outcome.
You're reading the free modules of Identity and Access Management in Microsoft 365
The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts.