Advancing IAM Maturity for a Mid-Sized U.S. City

Client Context

A U.S. city government with approximately 2,000 employees engaged Lockstock to modernize its identity and access management (IAM) program. The city was under growing compliance scrutiny while managing the unique constraints of public sector governance, including budget limitations, public accountability, and the need for uninterrupted municipal services.

Client Challenge

The city’s IAM program was in an emerging stage of maturity. Conditional Access policies had been deployed in part but lacked comprehensive coverage. Service accounts, privileged users, and high-value targets remained vulnerable, while break-glass accounts and token-based exceptions created additional risk. Resistance to mobile authenticator apps further complicated rollout.

At the same time, compliance pressures from auditors and regulators required stronger evidence of security controls. Leadership recognized the need to modernize IAM without disrupting the essential services relied upon by residents.

Lockstock Approach

Lockstock designed and executed a phased Conditional Access rollout using Microsoft Entra ID. The engagement was grounded in Microsoft security benchmarks crosswalked to NIST SP 800-53 so that each policy could be traced to a control the city's auditors already recognized. The work included:

  • Framework alignment to ensure Conditional Access policies satisfied both Microsoft and regulatory expectations.

  • Phased rollout strategy covering core user groups, administrators, service accounts, and high-risk employees in a controlled sequence.

  • Control hardening for break-glass accounts, privileged administrators, and opt-out token users.

  • Monitoring enablement through templated KQL queries for risky sign-ins, service account usage, and automated alerts.

  • Knowledge transfer with training for IT leadership to run queries, test service accounts, and sustain monitoring practices.

The structured program balanced immediate improvement in identity security with sustainable governance.
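To show what the templated monitoring in the approach above amounts to in practice, the following KQL queries are added here as an illustration; they are not Lockstock's own templates or the city's deployed rules. They assume Entra ID sign-in logs are exported through diagnostic settings to a Log Analytics workspace (the SigninLogs and AADServicePrincipalSignInLogs tables), and the break-glass account names are placeholders to be replaced with the tenant's own. Each of the three queries runs on its own.

```kql
// Query 1: risky interactive sign-ins that Conditional Access did not cover.
// RiskLevelDuringSignIn comes from Identity Protection; ConditionalAccessStatus
// is "notApplied" when no policy matched, which is exactly the coverage gap a
// phased rollout is meant to close. Single-factor sign-ins are flagged too.
let lookback = 24h;
SigninLogs
| where TimeGenerated > ago(lookback)
| where RiskLevelDuringSignIn in ("medium", "high")
| where ConditionalAccessStatus == "notApplied"
    or AuthenticationRequirement == "singleFactorAuthentication"
| summarize
    SignIns = count(),
    Failures = countif(ResultType != "0"),
    Apps = make_set(AppDisplayName, 10),
    SourceIPs = make_set(IPAddress, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by UserPrincipalName, RiskLevelDuringSignIn, RiskState
| order by SignIns desc

// Query 2: any use of a break-glass account. These accounts are excluded from
// Conditional Access by design, so the compensating control is that every
// sign-in, successful or not, raises an alert. The UPNs below are placeholders.
let breakGlass = dynamic(["bg-admin-01@city.example", "bg-admin-02@city.example"]);
SigninLogs
| where TimeGenerated > ago(1h)
| where UserPrincipalName in~ (breakGlass)
| project TimeGenerated, UserPrincipalName, IPAddress, Location,
    AppDisplayName, ResultType, ResultDescription, ConditionalAccessStatus

// Query 3: service principal sign-ins from source IPs not seen in the prior
// 30 days. Service accounts have no MFA prompt to fall back on, so a new
// source address is the signal worth paging on.
let baseline = 30d;
let recent = 1d;
let knownSources = AADServicePrincipalSignInLogs
    | where TimeGenerated between (ago(baseline) .. ago(recent))
    | where ResultType == "0"
    | summarize by ServicePrincipalId, IPAddress;
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(recent)
| join kind=leftanti knownSources on ServicePrincipalId, IPAddress
| summarize
    NewSourceSignIns = count(),
    NewIPs = make_set(IPAddress, 10),
    Resources = make_set(ResourceDisplayName, 10)
    by ServicePrincipalName, ServicePrincipalId
| order by NewSourceSignIns desc
```

Queries 2 and 3 become automated alerts by saving each as a scheduled rule (a Microsoft Sentinel analytics rule or a Log Analytics alert rule) that fires when the result count is greater than zero. Query 1 is better reviewed as a daily report during a phased rollout, since its purpose is to find the users and applications that the next phase should bring under policy.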

Results and Impact

The project delivered measurable improvements in the city’s identity security.

  • Reduction in risky sign-ins and faster incident response enabled by templated monitoring.

  • Increased MFA adoption that covered high-risk users and exceptions.

  • Improved leadership confidence in IAM maturity, reinforced by transparent monitoring and reporting.

  • Reduced disruption to essential city services during rollout.

The city is now positioned for complete Conditional Access implementation and ongoing compliance confidence.

Strategic Positioning

This engagement highlights Lockstock's differentiated value for public sector organizations.

  • Public sector expertise, aligning IAM improvements with compliance requirements while ensuring continuity of services.

  • Zero Trust leadership, using Conditional Access as a foundation for a broader Zero Trust roadmap that includes privileged access management, continuous monitoring, phishing-resistant MFA, and passwordless authentication.

  • Repeatable methodology, applying a phased rollout model that can be templated across cities, states, and other government entities.

With Lockstock's advisory support, the city is positioned to expand IAM maturity into a full Zero Trust architecture, adding continuous access evaluation alongside the phishing-resistant MFA and passwordless authentication already on the roadmap. These advancements will further reduce identity risk while maintaining usability for employees and resilience against evolving threats.
