Legal & Professional Services

Identity Security for Law Firms & Accountancies

Client confidentiality, matter privilege, and SRA Cybersecurity Guidance all depend on knowing who has access to what. IdentityFirst finds the gaps before your regulator does.

The Problem

High staff turnover, external collaborators, and legacy infrastructure create identity sprawl that regulators are increasingly scrutinising.

Client Matter Access Is Critical

A single misplaced group membership can expose privileged legal advice across matters. Departed associates and trainees retain access long after leaving — often because leaver processes are manual, inconsistent, and unmonitored. The result is a sprawling set of active accounts with no current business justification.

SRA Is Watching

SRA Cybersecurity Guidance (updated 2023) explicitly requires law firms to implement access controls, conduct regular access reviews, and evidence remediation. Firms that cannot demonstrate this face regulatory action. Guidance inspections increasingly focus on whether firms can produce records of who had access, when, and what was done about it.

Counsel and Barristers Use External Accounts

Guest identities, external counsel, and third-party e-disclosure platforms accumulate in Active Directory and cloud environments without proper lifecycle governance. Matter-specific access granted during litigation is rarely removed when matters close — leaving external parties with ongoing access to sensitive SharePoint libraries and collaboration spaces.

Regulatory Obligations

What the Regulators Require

Four overlapping frameworks govern identity and access management for UK law firms and accountancy practices. IdentityFirst produces evidence for all of them.

SRA Cybersecurity Guidance (2023)

  • Access control implementation and periodic access review evidence
  • Privileged account management and restriction of administrative rights
  • Documented leaver process for departing staff and contractors

SRA Code of Conduct

  • Client confidentiality: evidence that only authorised staff access client matter systems
  • Demonstrable controls preventing unauthorised access to matter information
  • Audit trail for access decisions and remediation actions

ICAEW Technology & Cyber Guidance

  • Access management controls across cloud and on-premises systems
  • IT risk management framework requirements for regulated accounting firms
  • Evidence of regular identity and access reviews for partner sign-off

UK GDPR / DPA 2018

  • Demonstrable access controls for client personal data under Article 5(1)(f)
  • Data subject rights compliance: access logs evidencing who can reach personal data
  • ICO audit readiness: access review records and remediation evidence

Example Findings

What IdentityFirst Finds in Legal Environments

These are representative findings from law firm and accountancy assessments — the kind of risk that is invisible to manual review and immediately relevant to SRA and ICAEW obligations.

Critical

Departed Associate Accounts Active

12 former associates still enabled in Active Directory, 6 with active membership in matter management and DMS security groups. Departure dates confirmed against HR records — accounts were not disabled as part of the leaver process.

SRA Leaver Process Gap — access to client matter systems retained by former staff.

High

Partner Accounts Without MFA for Remote Access

4 equity partners using legacy authentication for VPN connectivity, bypassing Conditional Access policy. These accounts have the broadest access across matter management, finance systems, and document libraries — with no second factor enforced remotely.

High Risk — privileged accounts reachable via password-only authentication from any network.

High

Shared Paralegal Accounts

svc_precedent_mgmt used by multiple fee earners across two practice groups. No individual accountability for document access or changes. Password shared informally and changed infrequently. SRA Cybersecurity Guidance requires individual, attributable accounts.

Compliance Gap — SRA requirement for individual access accountability cannot be met with shared credentials.

Critical

External Counsel Guest Accounts Never Expired

23 Entra ID guest accounts provisioned for external counsel during previous matters. 17 inactive for 180+ days. 4 retain active SharePoint access to closed matter libraries. No lifecycle governance applied to guest accounts at matter close.

Critical — former external parties retain read access to closed client matter document libraries.

Medium

Document Management System Service Account Kerberoastable

iManage/NetDocuments integration SPN registered with RC4 encryption. Password age: 3 years. Any domain-joined workstation can request and extract a TGS ticket for this account and crack it offline — with no domain event triggered.

Technical Risk — DMS service account credential extractable; access to all matter document stores if cracked.


How It Works

How IdentityFirst Assesses a Law Firm

Read-only throughout. No access to client documents. No changes to matter permissions. Results in 24–48 hours.

1. Read-Only Connector Setup

A read-only domain service account and Entra ID read permissions are configured. No Domain Admin rights are required. No agents are installed. No changes are made to Active Directory, group policy, or matter permissions.

2. Identity Enumeration

All user accounts, group memberships, service accounts, SPNs, and guest identities are enumerated in full — including stale accounts, leaver accounts not yet disabled, and external guest accounts from previous matters.

3. Cross-Platform Correlation

Active Directory findings are correlated with Entra ID guest accounts and Okta where connected — surfacing external identities with active access to SharePoint, Teams, and collaboration platforms used for client matters.

4. SRA-Ready Evidence Pack

A prioritised findings report is produced within 24–48 hours, including a leaver process audit, privileged account inventory, external identity review, and compliance evidence formatted for SRA and ICAEW inspection.
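As an added illustration (not IdentityFirst's own code), the checks behind the example findings above and the enumeration-and-correlation steps, run over constructed exports. Record shapes, field names and the 180-day and one-year thresholds are this example's assumptions; the page states only that thresholds are configurable.

```python
from datetime import date

# Constructed sample exports (not real firm data), shaped like the read-only
# enumeration step's output: AD users, an HR leavers list, Entra ID guests and
# SPN-bearing service accounts. Field names are this example's own assumption.
AD_USERS = [
    {"sam": "j.doe", "enabled": True, "groups": ["DMS_Matters", "Fee_Earners"]},
    {"sam": "a.smith", "enabled": True, "groups": ["Finance"]},
    {"sam": "b.jones", "enabled": False, "groups": ["DMS_Matters"]},
]
HR_LEAVERS = {"j.doe": date(2024, 1, 31), "b.jones": date(2022, 12, 31)}
GUESTS = [
    {"upn": "counsel_chambers.example#EXT#", "last_signin": date(2023, 9, 1),
     "sites": ["Matter-1042-Closed"]},
    {"upn": "expert_ex.example#EXT#", "last_signin": date(2024, 5, 20),
     "sites": ["Matter-2210"]},
]
SPN_ACCOUNTS = [
    {"sam": "svc_dms_integration", "enc_types": {"RC4"}, "pwd_last_set": date(2021, 4, 1)},
    {"sam": "svc_okta_sync", "enc_types": {"AES256"}, "pwd_last_set": date(2024, 2, 1)},
]
AS_OF = date(2024, 6, 1)  # constructed assessment date

def leaver_gaps(ad_users, hr_leavers, as_of):
    """Leaver audit: accounts still enabled after their HR departure date,
    with the group memberships that still grant them matter-system access."""
    return [(u["sam"], (as_of - hr_leavers[u["sam"]]).days, u["groups"])
            for u in ad_users
            if u["enabled"] and u["sam"] in hr_leavers and hr_leavers[u["sam"]] < as_of]

def stale_guests(guests, as_of, threshold_days=180):
    """External identity review: guests inactive past the threshold, with the
    SharePoint sites they can still reach, regardless of matter status."""
    return [(g["upn"], (as_of - g["last_signin"]).days, g["sites"])
            for g in guests if (as_of - g["last_signin"]).days >= threshold_days]

def weak_spn_accounts(spn_accounts, as_of, max_pwd_age_days=365):
    """Service accounts whose SPN tickets would be issued with RC4 only and
    whose password is older than policy: the exposure in the DMS finding."""
    return [(a["sam"], (as_of - a["pwd_last_set"]).days) for a in spn_accounts
            if a["enc_types"] == {"RC4"} and (as_of - a["pwd_last_set"]).days > max_pwd_age_days]

def evidence_pack(as_of):
    """Correlate the three checks into one prioritised findings structure."""
    return {
        "critical": {"leavers": leaver_gaps(AD_USERS, HR_LEAVERS, as_of),
                     "stale_guests": stale_guests(GUESTS, as_of)},
        "medium": {"weak_spns": weak_spn_accounts(SPN_ACCOUNTS, as_of)},
    }
```

Remediation for each entry (disable the account, remove the guest, rotate the password and enable AES on the SPN account) is what the evidence log then tracks to resolution.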

What IdentityFirst does not access

IdentityFirst reads identity metadata only: account names, group memberships, last logon timestamps, and SPN registrations. It does not connect to document management systems, matter management platforms, email, or any system containing client data. No client documents, legal advice, financial records, or privileged communications are accessed at any point.

FAQ

Straight answers to the questions we hear most often from regulated professional services firms.

Does IdentityFirst access client documents or matter files?

No. IdentityFirst uses read-only connectors to identity systems only — Active Directory, Entra ID, and Okta. It does not connect to document management systems (iManage, NetDocuments, SharePoint document libraries), matter management platforms (Clio, Aderant, Elite), or any system containing client data.

Only identity metadata is read: account names, group memberships, last logon timestamps, and SPN registrations. No document content, matter records, client communications, or privileged legal advice is accessed at any point.

How does IdentityFirst help demonstrate SRA compliance?

IdentityFirst produces documented evidence of access control reviews, stale account identification, and privileged access management — formatted for SRA inspection. The output includes:

  • Timestamped leaver process audit — accounts active after departure date, with group memberships listed
  • Privileged account inventory — all accounts with elevated rights, MFA status, and last logon
  • External identity review — guest accounts, their access scope, and inactivity periods
  • Remediation evidence log — findings, recommended actions, and resolution tracking

Can IdentityFirst assess external counsel and third-party access?

Yes. The Entra ID guest account review identifies all external identities provisioned in your tenant — including external counsel, barristers' clerks, e-disclosure vendors, expert witnesses, and any other third party granted access during matters.

For each guest account, IdentityFirst reports: last sign-in date, current group memberships, SharePoint site access, and Teams membership. Accounts inactive for configurable thresholds (typically 90 or 180 days) are flagged for review regardless of matter status.

How long does an assessment take for a law firm?

Initial Active Directory findings are available within 24 hours of connector setup. The full report — including external identity review and SRA evidence pack — is delivered within 48 hours.

Connector setup typically takes less than an hour and requires only a read-only domain service account. No agents are installed, no infrastructure changes are made, and no matter systems are touched.

Is client matter data ever processed?

No. IdentityFirst reads identity metadata only — account names, group memberships, last logon timestamps, and SPN registrations. No document content, matter records, client communications, financial records, or privileged legal advice is accessed or processed at any point during the assessment.

The assessment scope is limited to identity and access management infrastructure: Active Directory objects, Entra ID identities and guest accounts, and Okta user records where connected.

Explore a sample IdentityMRI assessment report, or book a live session to see how IdentityFirst maps your identity estate and produces SRA-ready access control evidence — in 48 hours, read-only.


Read-only  •  No matter data accessed  •  SRA evidence pack included  •  UK-hosted & ICO registered