In a small business, identity is the control that quietly sits underneath everything else.
If the wrong person can still sign in, if admin access is broader than it needs to be, or if old accounts stay active longer than they should, then good intentions elsewhere do not go very far.
Device standards help. Patching helps. Malware controls help. But weak sign-in control can still make the rest of the baseline easier to bypass.
That is why identity should usually be the first thing you review in a Cyber Essentials-style baseline.
What “identity as the control plane” means
In plain English, it means this: your sign-in system decides who can get to what, from where, using which device, and with what level of privilege.
If that decision point is weak, the rest of the environment becomes harder to defend.
For SMEs using Microsoft 365, identity is often the front door to email, files, admin portals, devices, SaaS apps and user lifecycle changes. That makes it the place where a lot of avoidable risk either gets stopped early or slips through.
Why identity failure undermines other controls
A business can have decent devices and still have poor access control.
For example:
a former employee account is still live
an everyday user has standing admin rights
an admin account is shared informally
MFA exists, but not for the riskiest accounts
sign-in methods vary by habit rather than policy
When those gaps exist, other controls become easier to work around. A well-built laptop does not solve the problem if the wrong account can authenticate to cloud services anyway.
The first five things to review in an identity baseline
1. MFA coverage
Start with a simple question: who can sign in with only a password, and should they be able to?
For most SMEs, the priority is MFA coverage for every user, with stronger methods required for admins and other sensitive roles.
2. Admin role list
You should be able to produce a current list of privileged accounts and explain why each one still needs that access.
Too many SMEs discover that privileged access has grown by convenience rather than by design: roles were granted to get a job done and never taken away.
3. Stale and dormant accounts
Accounts that are no longer needed should not linger because nobody owns the cleanup.
Monthly review of stale users and prompt action on leavers is one of the simplest ways to reduce unnecessary exposure.
4. Sign-in method policy
Different users do not always need the same sign-in experience. But they do need a defined policy.
That means deciding:
who requires stronger MFA
whether privileged accounts have stricter controls
how recovery works
what exceptions are allowed, if any
5. Joiner, mover, leaver discipline
Identity control is not only about preventing compromise. It is also about keeping access aligned to reality.
A baseline becomes more defensible when onboarding, role changes and offboarding follow clear rules instead of informal tickets.
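The five checks above are easier to keep up monthly when they run over an exported user list rather than being done by eye. The script below is an added example, not code from the original article or from Microsoft; it works over a constructed sample inventory whose field names (upn, enabled, roles, mfa_methods, last_sign_in, leaver_date), role names, MFA method names and the 90-day staleness threshold are all assumptions for illustration, chosen to resemble what an Entra ID user export and HR leaver data would carry. It produces the admin role list (item 2) and flags password-only sign-in, weak MFA on privileged accounts, generic shared admin identities, stale accounts and leavers still enabled (items 1, 3, 4 and 5).

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed sample inventory. The field names are this example's own
# assumption, loosely mirroring an Entra ID / Microsoft 365 user export
# joined with HR leaver data. They are not a real export schema.
@dataclass
class User:
    upn: str
    enabled: bool
    roles: List[str] = field(default_factory=list)        # directory roles held
    mfa_methods: List[str] = field(default_factory=list)  # registered MFA methods
    last_sign_in: Optional[date] = None                   # last interactive sign-in
    leaver_date: Optional[date] = None                    # set by HR when someone leaves

# Assumed policy values: which roles count as privileged, which MFA methods
# count as strong, which account names suggest a shared identity, and how
# long without a sign-in makes an account stale.
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator",
                    "User Administrator", "Security Administrator"}
STRONG_MFA = {"authenticator", "fido2", "windows_hello"}
GENERIC_ADMIN_NAMES = {"admin", "administrator", "itadmin", "sysadmin"}
STALE_DAYS = 90

Finding = Tuple[str, str, str]  # (upn, issue, severity)


def is_privileged(user: User) -> bool:
    return bool(set(user.roles) & PRIVILEGED_ROLES)


def admin_role_list(users: List[User]) -> List[Tuple[str, List[str]]]:
    """Item 2: the current list of enabled privileged accounts and their roles."""
    return [(u.upn, sorted(u.roles)) for u in users if u.enabled and is_privileged(u)]


def review_identity(users: List[User], today: date) -> List[Finding]:
    """Items 1, 3, 4 and 5: flag password-only sign-in, weak MFA on admins,
    generic admin identities, stale accounts and leavers still enabled."""
    findings: List[Finding] = []
    for u in users:
        if not u.enabled:
            continue  # a disabled account cannot authenticate; nothing to flag
        privileged = is_privileged(u)
        methods = set(u.mfa_methods)
        if not methods:
            findings.append((u.upn, "password-only sign-in (no MFA registered)",
                             "high" if privileged else "medium"))
        elif privileged and not methods & STRONG_MFA:
            findings.append((u.upn, "privileged account relies on weak MFA method", "high"))
        if privileged and u.upn.split("@")[0].lower() in GENERIC_ADMIN_NAMES:
            findings.append((u.upn, "generic admin identity (likely shared, not tied to a person)",
                             "medium"))
        if u.leaver_date is not None and u.leaver_date <= today:
            findings.append((u.upn, "leaver account still enabled", "high"))
        if u.last_sign_in is None or (today - u.last_sign_in).days > STALE_DAYS:
            findings.append((u.upn, f"no sign-in in the last {STALE_DAYS} days", "medium"))
    # Highest severity first, then by account, so the review starts with what matters.
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f[2]], f[0]))


TODAY = date(2024, 6, 1)  # constructed review date
SAMPLE_USERS = [  # constructed accounts; example.com is a placeholder domain
    User("alice@example.com", True, ["Global Administrator"], ["fido2"],
         TODAY - timedelta(days=2)),
    User("admin@example.com", True, ["Global Administrator", "Exchange Administrator"],
         ["sms"], TODAY - timedelta(days=1)),
    User("bob@example.com", True, [], [], TODAY - timedelta(days=5)),
    User("carol@example.com", True, [], ["authenticator"], TODAY - timedelta(days=120)),
    User("dave@example.com", True, [], ["authenticator"], TODAY - timedelta(days=3),
         leaver_date=TODAY - timedelta(days=10)),
    User("erin@example.com", False, [], [], None),
]

if __name__ == "__main__":
    print("Privileged accounts:")
    for upn, roles in admin_role_list(SAMPLE_USERS):
        print(f"  {upn}: {', '.join(roles)}")
    print("Findings:")
    for upn, issue, severity in review_identity(SAMPLE_USERS, TODAY):
        print(f"  [{severity}] {upn}: {issue}")
```

On the sample data the only account with no findings is the named administrator using a phishing-resistant method; the generic admin account is flagged twice (weak MFA and a name that nobody personally owns), which is the "shared administrator identity" gap the article describes. The severity ordering is a design choice so that a monthly review can stop reading once the high items are handled.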
Common SME gaps
The most common gaps are not especially technical.
They are usually:
shared administrator identities
old accounts not disabled promptly
weak or inconsistent MFA methods
unclear approval for elevated access
no recurring access review cycle
These are exactly the kinds of issues that create access drift.
The business outcome
Review identity first and the rest of the baseline becomes easier to operate.
Onboarding becomes cleaner. Offboarding becomes less risky. Admin rights become more defensible. Security questions become easier to answer because there is less ambiguity about who has access and why.
That is the real point. Identity is not the first control because it is fashionable. It is the first control because if sign-in is weak, everything downstream is harder to trust.