
    What is IAM?

    SSO, MFA, and user provisioning explained for non-technical teams. Updated for the April 2026 Cyber Essentials MFA mandate.

    Okta · Entra ID · Google Workspace · Passkeys

    99.9%: Attacks Blocked by MFA
    4-8 Weeks: Typical Rollout
    April 2026: MFA Mandatory (CE)
    Day 1: New Hire Access

    The short version

    Identity and Access Management (IAM) controls who can log into what at your company. It covers authentication (verifying identity), authorisation (granting permissions), and provisioning (automating the account lifecycle).

    If your company uses cloud apps like Google Workspace, Slack, or Salesforce, IAM connects them to a single login and a single set of rules. Without it, each app has its own password, its own admin, and its own idea of who should have access.

    Authentication

    Proving who you are. SSO, MFA, passkeys, and biometrics.

    Authorisation

    Controlling what you can access. Roles, permissions, and conditional access.

    Provisioning

    Automating account creation, updates, and removal across all apps.

    What SSO actually does

    Single Sign-On lets your employees log in once and access all their apps without having to remember separate passwords. Any time you click "Sign in with Google" or "Sign in with Microsoft," that is SSO.

    It reduces the number of passwords people manage, gives IT a single place to control access, and means you can revoke access to every app at once when someone leaves. No more hunting through 30 different admin panels.

    The SSO tax

    Some vendors charge 2-5x more just to enable SSO. It is called the SSO tax. Check sso.tax for a full list of offenders.

    Volobyte helps you negotiate licensing and stop overpaying for features that should be standard.

    See our SaaS licensing service →

    SSO platforms compared

    Okta

    Platform-agnostic. Best for mixed tool environments.

    From £5/user/mo

    Entra ID

    Best for Microsoft-heavy stacks. Included with M365 E3+.

    Included with M365

    Google Workspace

    Works if your company already runs on Google.

    Included with Workspace

    What MFA actually does

    Multi-Factor Authentication adds a second step after your password. A code from an app, a push notification, or a biometric check. MFA exists because passwords get stolen. People reuse them, they get phished, and they appear in data breaches.

    According to Microsoft, MFA blocks over 99.9% of account compromise attacks. Modern MFA does not have to be annoying. Okta FastPass uses biometrics on your device. Passkeys are replacing passwords entirely in some setups.

    Not sure how your present configuration compares?

    Our free IT audit checks your identity and access setup in under 10 minutes.

    Take the free audit →

    What provisioning means

    Provisioning automates the account lifecycle across your apps. When someone joins, their accounts are created everywhere at once. When they change roles, their permissions are adjusted. When they leave, access is removed instantly.

    Without it, someone manually creates accounts in each app, assigns permissions, and remembers to revoke everything on the last day. This takes time, creates mistakes, and leaves orphaned accounts that auditors will flag.
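    The joiners-movers-leavers logic described above, as an added illustration that is not Volobyte's tooling or code from this page: it treats the HR roster as the source of truth, compares it against each app's user list, and reports what to create, update or revoke, flagging accounts nobody in HR owns as orphans. The roster, app snapshots and role-to-app mapping are constructed sample data.

```python
from dataclasses import dataclass

# Constructed HR roster (source of truth): email -> (role, still employed)
HR_ROSTER = {
    "ana@example.com": ("engineering", True),
    "ben@example.com": ("sales", True),
    "cara@example.com": ("finance", False),   # left last week
}

# Constructed snapshot of accounts in each app: app -> {email: role}
APP_ACCOUNTS = {
    "slack": {"ana@example.com": "engineering", "cara@example.com": "finance"},
    "crm": {"ben@example.com": "engineering", "dan@example.com": "sales"},
}

# Hypothetical entitlement model: which roles get which apps
ROLE_APPS = {
    "engineering": {"slack"},
    "sales": {"slack", "crm"},
    "finance": {"slack"},
}

@dataclass(frozen=True)
class Action:
    app: str
    email: str
    kind: str        # "create", "update", "revoke" or "orphan"
    detail: str = ""

def reconcile(hr=HR_ROSTER, apps=APP_ACCOUNTS, role_apps=ROLE_APPS):
    """Return the provisioning actions needed to bring apps in line with HR."""
    actions = []
    for app, accounts in apps.items():
        for email, app_role in accounts.items():
            if email not in hr:
                # No HR record owns this account: an orphan auditors would flag
                actions.append(Action(app, email, "orphan"))
                continue
            role, active = hr[email]
            if not active or app not in role_apps[role]:
                actions.append(Action(app, email, "revoke", "leaver" if not active else "mover"))
            elif app_role != role:
                actions.append(Action(app, email, "update", f"{app_role}->{role}"))
    # Joiners and movers entitled to an app but missing an account in it
    for email, (role, active) in hr.items():
        if not active:
            continue
        for app in sorted(role_apps[role]):
            if email not in apps.get(app, {}):
                actions.append(Action(app, email, "create"))
    return sorted(actions, key=lambda a: (a.kind, a.app, a.email))
```

    Run on the sample data it yields one create (ben in Slack), one orphan (dan in the CRM), one leaver revoke (cara in Slack) and one role update (ben in the CRM).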

    It is not just for big companies

    IAM sounds like something for 500-person companies with a security team. It is not. Every company with cloud apps has an identity problem. The difference is scale.

    A well-configured setup requires little day-to-day management. The key is starting right and progressing as you grow.

    Progressive identity roadmap

    01

    Password Manager

    1Password or Bitwarden. Shared vaults, distinct passwords, basic MFA. Works for teams of 2 to 20.

    2-20 people

    02

    SSO

    One login for all apps. Google Workspace or Microsoft 365 as your identity provider. No more separate passwords per app.

    5+ people

    03

    SSO + MFA + Device Trust

    Conditional access, phishing-resistant MFA, Platform SSO. Sign into your Mac or PC once, and every app is already authenticated. No extra logins.

    20+ people

    04

    Full IAM

    Automated provisioning, access reviews, role-based permissions, joiners-movers-leavers workflows. For companies scaling past 50 or with compliance requirements.

    50+ people

    With Platform SSO on macOS, you sign into your device once with your company credentials. Safari, native apps, and any SAML or OIDC app get automatic SSO tokens. No extra prompts.

    Volobyte guides you through each stage. We do not sell you what you do not need. Start right, start small, scale when it matters.

    Talk to us about where to start →

    Compliance is not just for companies that need it

    Compliance models exist because they describe what security actually looks like. Build towards them, and you are secure by default, whether or not you ever do the audit. You do not need to be audit-ready on day one. But if your identity setup follows these principles from the start, you will not need to retrofit controls later.

    UK Deadline

    Cyber Essentials 2026

    From April 2026, Cyber Essentials v3.3 makes MFA an auto-fail criterion. If MFA is available on a cloud service you use and you have not enabled it, you fail certification automatically. Critical patches must be applied within 14 days.

    Deploy MFA and SSO now, and you will not scramble when the deadline arrives.

    See how Volobyte deploys MFA and SSO →

    US Standard

    SOC 2 Type II

    SOC 2 is the standard US clients and investors ask for. It requires logical access controls, MFA for production systems, least privilege, audit logging, and user access reviews. IAM gives you most of these controls out of the box.

    Even if you never pursue the audit, building towards SOC 2 means your access controls remain defensible, documented, and ready for due diligence.

    Talk to us about compliance readiness →

    That is the difference between building right and bolting on security after the fact. We provide controls and evidence to support audits and questionnaires. Certification decisions sit with your auditor.

    When do you need IAM?

    There is no minimum size. A 5-person startup with Google Workspace already has the basics. Here are the signs you need to formalise it:

    • You are adding cloud apps faster than you can track who has access to what.
    • Onboarding or offboarding people more than once a month.
    • A security incident or near-miss involving account access.
    • A client, investor, or partner has asked about SOC 2, ISO 27001, or Cyber Essentials and you are not sure where you stand.
    • An auditor has asked about access controls, and you did not have a clear answer.
    • Your IT team spends time resetting passwords or chasing access requests.

    If none of these applies, a shared password manager like 1Password can bridge the gap for smaller teams.

    What a typical implementation looks like

    A standard IAM rollout takes 4 to 8 weeks. It starts with an audit of your current apps and access patterns. Then the identity provider is configured, SSO is connected app by app, MFA is rolled out, and provisioning is automated where possible.

    The goal is incremental change with minimal interruption. Most employees notice nothing except fewer password prompts. See our IAM case study for a 450-person rollout completed in three weeks.

    Need help with IAM?

    Book a free 20-minute call. We will tell you what you need, what you do not need, and what it costs.

    IAM & Access Management FAQs

    What do we need to provide before starting?

    Three things: admin access to your identity provider and key apps, a decision owner (IT lead or similar) for approvals, and a list of your core applications with any compliance deadlines. We handle the rest.

    How long does a typical IAM rollout take?

    Most implementations take 4 to 8 weeks depending on the number of applications and complexity. We start with your most critical apps and expand from there.

    Do we need to replace our existing identity provider?

    Usually not. We work with what you have: Okta, Entra ID (Azure AD), Google Workspace, or others. If a migration makes sense, we will tell you why.

    What happens when someone leaves the company?

    With proper lifecycle automation, access is revoked automatically when HR updates their system. No manual chasing, no orphaned accounts.

    Will this help us pass security audits?

    Yes. We deliver the controls and evidence documentation that auditors look for: access policies, admin registers, JML runbooks, and architecture diagrams.

    Can you integrate with our HR system?

    In most cases, yes. We connect identity provisioning to your HR system so joiners, movers, and leavers are handled automatically. If your current HR system does not support integrations, we can deploy HiBob for you. It is built for modern identity workflows and we have done multiple rollouts.

    How do I know which pricing model is right for me?

    We work it out with you. Discovery is always included, so we scope your needs before quoting. If you have clear requirements, fixed project pricing works best. For complex or fast-changing environments, we recommend project plus managed. We will tell you which fits after a scoping call.

    Will this disrupt our employees during rollout?

    No. We deploy incrementally, app by app, with clear comms before each change. Most users notice nothing except fewer password prompts.

    We have legacy apps that do not support SSO. What then?

    We audit everything first. Apps that support SAML or OIDC get proper SSO. Apps that do not get password vaulting through 1Password, our recommended partner, or controlled workarounds. Nothing gets left behind or swept under the rug.

    Does MFA slow people down?

    Absolutely not. Okta FastPass is biometric and on-device. You do not even pull your phone out. Passkeys and device trust mean users authenticate once and stay signed in across apps. We design for minimal friction, not security theatre.

    What does an IAM consulting engagement involve?

    Our IAM consulting starts with discovery: mapping your applications, current authentication flows, and compliance requirements. We then design the target architecture, implement SSO and MFA across your apps, build automation for joiners/movers/leavers, and document everything for audit readiness. Most projects are 4-8 weeks.

    Do you provide Okta consulting and implementation services?

    Yes. We are Okta specialists and have deployed Okta Workforce Identity across dozens of organisations. This includes SSO integration, MFA rollout, lifecycle automation, and advanced features like Okta FastPass and device trust. We also work with Microsoft Entra ID and Google Workspace for organisations on those platforms.
