Local Government

Identity Risk in Local Government Runs Deep. It’s Time You Saw It.

Councils face decades of accumulated identity risk — legacy Active Directory domains, contractor churn, shared service accounts, and a compliance landscape that now demands demonstrable control evidence.

The Identity Problem

Why Local Government Has an Identity Problem

UK councils carry one of the most complex identity estates in the public sector — built up over decades, subject to constant workforce change, and increasingly scrutinised by NCSC, PSN, and the ICO.

Decades of Legacy AD Accumulation

Many councils operate Active Directory domains that predate modern identity governance practices. Stale accounts from staff who left years ago, service accounts with unknown owners, and Kerberos configurations from Windows Server 2003 migrations persist undetected and ungoverned.

Contractor Churn and Shared Services

Councils rely heavily on agency staff, contractors, and shared service arrangements. Each brings identity governance risk: accounts created for temporary workers that are never disabled, shared passwords for service desk tools, and cross-organisation access that outlasts the contract.

Compliance Obligations Are Converging

NCSC CAF, PSN Code of Connection, Cyber Essentials Plus grant conditions, and UK GDPR all converge on the same requirement: demonstrable, evidenced identity controls. Manual spreadsheet reviews no longer satisfy assessors, and the ICO is increasingly active on data breach enforcement involving former employee access.

Regulatory Mapping

Regulatory Obligations IdentityFirst Addresses

Each assessment maps findings directly to the specific frameworks and obligations that council IT leads, DPOs, and PSN assessors will reference.

NCSC Cyber Assessment Framework (CAF)

Objective B2: Identity & Access Control. CNI-adjacent councils must demonstrate identity governance as part of CAF assessment. All admin accounts must be individually identified, MFA enforced, and access reviews evidenced. IdentityFirst supports evidence for each B2 sub-objective with named, timestamped findings.

  • B2.a: Individual admin account identification and enumeration
  • B2.b: MFA coverage gap analysis across privileged accounts
  • B2.c: Access review evidence and stale account documentation

Cyber Essentials Plus

Mandatory under many DLUHC/UKSPF grant conditions and PSN requirements. Access control (Requirement 4) failures on privileged accounts and MFA gaps are the leading cause of council CE+ failures. IdentityFirst identifies every Requirement 4 breach before the assessor does, with remediation evidence to address them.

  • Req. 4: Named admin account enumeration and shared account detection
  • MFA gap identification on all internet-facing privileged accounts
  • Privilege scope review — access limited to role requirements

PSN Code of Connection (CoCo)

Access to the Public Services Network requires demonstrable identity controls: no shared accounts, individual accountability, and leavers disabled within agreed SLA. PSN health checks regularly fail on stale Active Directory accounts. IdentityFirst surfaces every PSN CoCo identity gap before your annual health check.

  • Shared account detection and individual accountability audit
  • Leaver account SLA evidence — days-since-departure per account
  • Stale AD account enumeration with last-logon timestamps

UK GDPR / Data Protection Act 2018

Councils hold highly sensitive citizen data — benefits, social care, planning, and council tax records. ICO enforcement for data breaches caused by former employee account access is increasing. IdentityFirst provides the Article 5(1)(f) integrity and confidentiality evidence councils need to demonstrate access controls on sensitive data systems.

  • Former employee access residue — Article 5(1)(f) evidence
  • Data minimisation audit: access scope vs. role requirements
  • ICO-ready breach risk documentation and remediation evidence
Example Findings

What IdentityFirst Finds in Local Government Environments

Representative findings from a council identity assessment — the kind of accumulated risk that is invisible to manual review and routine to automated assessment.

Critical: Former Housing Benefits Officer Account

j.thornton@southfields-council.gov.uk

Account active 94 days post-resignation. Member of Housing_Benefits_Approvers group. Access to citizen financial records and Universal Credit case data retained. GDPR Article 5(1)(f) — integrity and confidentiality obligation breached.

Blast Radius: Critical — live access to citizen benefit records and payment authorisation workflow with no active user.

Critical: Kerberoastable Revenues Service Account

svc_revenues_portal — SPN: HTTP/revenues.southfields.local

RC4-HMAC encryption. Password last set 2018. Domain account with access to council tax database and benefit payment authorisation workflow. TGS ticket extractable from any domain-joined workstation and crackable offline with no domain security event generated.

Blast Radius: Critical — council tax and benefit payment systems accessible via offline credential attack against this service account.

High: Shared Planning Portal Admin Account

planning-admin (shared password known to 5 staff)

No individual accountability. PSN CoCo Section 4.3 violation. CE+ Requirement 4 breach — admin accounts must be individually named. Audit log attribution impossible: actions cannot be traced to a specific individual.

Compliance Gap: PSN CoCo, CE+ Requirement 4 — no individual accountability for planning portal administrative actions.

High: Councillor Account with IT Admin Rights

cllr.m.whitfield — Domain Admins via group nesting

Elected member account is an effective member of the Domain Admins group through nested group membership. Councillor accounts should have no privileged IT access. CAF B2.a gap — admin accounts must be individually identified and justified. The privilege was not intentionally assigned.

Blast Radius: High — elected member account has effective domain administrator rights across the council IT estate.

Medium: Legacy Domain Trust to Waste Management Provider

Unconstrained forest trust — waste-mgmt.local

Unconstrained forest trust to waste-mgmt.local (third-party provider). Not reviewed in 3 years. Allows Kerberos ticket delegation across the trust boundary. No current contract reference found. Original commercial relationship may have ended.

Risk: Unconstrained trust allows Kerberos TGT delegation across forest boundary to an uncontrolled third-party domain.
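An added audit example, not IdentityFirst's own code: a read-only PowerShell pass over the finding types above (stale enabled accounts with days since last logon, SPN-bearing accounts that still negotiate RC4 on an old password, effective Domain Admins resolved through nesting, and trusts that permit TGT delegation), using only the RSAT ActiveDirectory module. The 90-day and 365-day thresholds are assumptions, and the encryption-type reading of an unset attribute is labelled as one in the comments.

```powershell
# Added example, not IdentityFirst's own code. Read-only audit of the finding types
# above using the RSAT ActiveDirectory module; run as a plain domain user with read rights.
Import-Module ActiveDirectory

$StaleDays  = 90    # assumption: leaver / stale-account threshold
$PwdAgeDays = 365   # assumption: service-account password age threshold
$Now        = Get-Date

# 1. Enabled accounts with no logon inside the threshold (former staff and contractors).
#    LastLogonDate is replicated lastLogonTimestamp (up to 14 days behind), so the day count is a lower bound.
$Stale = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, MemberOf |
    Where-Object { $_.LastLogonDate -and ($Now - $_.LastLogonDate).TotalDays -gt $StaleDays } |
    Select-Object SamAccountName,
        @{ n = 'DaysSinceLogon'; e = { [int]($Now - $_.LastLogonDate).TotalDays } },
        @{ n = 'GroupCount';     e = { @($_.MemberOf).Count } }

# 2. SPN-bearing user accounts whose msDS-SupportedEncryptionTypes has no AES bit set
#    (0x8 = AES128, 0x10 = AES256) and whose password is older than the threshold.
#    Unset/0 is treated as RC4-negotiable here (assumption; the KDC default varies by patch level).
$WeakSpn = Get-ADUser -Filter { ServicePrincipalName -like '*' -and Enabled -eq $true } `
               -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes' |
    Where-Object {
        $enc = 0
        if ($_.'msDS-SupportedEncryptionTypes') { $enc = [int]$_.'msDS-SupportedEncryptionTypes' }
        (($enc -band 0x18) -eq 0) -and $_.PasswordLastSet -and
            (($Now - $_.PasswordLastSet).TotalDays -gt $PwdAgeDays)
    } |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'SPN'; e = { $_.ServicePrincipalName -join ';' } }

# 3. Effective Domain Admins resolved through nested groups, so an account that reaches
#    the group indirectly (the councillor finding) is listed beside direct members.
$EffectiveDA = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object SamAccountName, DistinguishedName

# 4. Trusts that still allow TGT delegation across the boundary (unconstrained delegation).
$RiskyTrusts = Get-ADTrust -Filter * |
    Where-Object { $_.TGTDelegation -eq $true } |
    Select-Object Name, Direction, ForestTransitive, TGTDelegation, SIDFilteringForestAware

# Emit one timestamped evidence object so it can sit in a CAF B2 / PSN CoCo evidence pack.
[pscustomobject]@{
    GeneratedAt           = $Now.ToString('o')
    StaleEnabledAccounts  = @($Stale)
    Rc4ServiceAccounts    = @($WeakSpn)
    EffectiveDomainAdmins = @($EffectiveDA)
    TgtDelegatingTrusts   = @($RiskyTrusts)
} | ConvertTo-Json -Depth 4
```

Each list is a review queue, not a verdict: a stale account may be a legitimate long-leave user, and a legacy SPN account may need an AES-only enrolment and password rotation rather than deletion.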

View a complete IdentityMRI sample report →

What IdentityFirst Does NOT Access

IdentityFirst uses read-only connectors to identity stores only. At no point during the assessment does IdentityFirst access, read, query, or process any of the following council systems or data:

  • Citizen records or personal data
  • Benefits and Universal Credit systems
  • Housing management systems
  • Planning applications or case files
  • Council tax records or payment data
  • Social care or safeguarding systems

Read-only identity store connectors only: Active Directory, Entra ID, PAM tools. No agents installed. No production changes required. Full connector list available on request.

How It Works

From Connector to CAF Evidence in 48 Hours

A four-stage pipeline that requires no agents, no production changes, and no access to any citizen-facing system.

1. Connect

Read-only LDAP and API connectors attach to Active Directory, Entra ID, and PAM tools using a read-only service account. No agents installed. No citizen systems touched. No domain administrator credentials required.

2. Assess

IdentityMRI™ enumerates every identity, group membership, privilege assignment, and delegation scope across your council estate. 14+ connectors supported. 40+ risk checks applied. Nothing sampled.

3. Prioritise

Each finding is scored by blast radius and mapped to the specific CAF objective, PSN CoCo requirement, CE+ Requirement 4 sub-control, or UK GDPR article it evidences or breaches. First findings available within 24 hours.

4. Evidence

Board-ready PDF and assessor-ready evidence pack delivered within 48 hours. Named findings, timestamps, CAF B2 mapping, PSN CoCo gap analysis, and remediation playbooks structured for council governance boards and external assessors.

FAQ

Local Government — Common Questions

Straight answers to the questions council IT leads, DPOs, and security teams ask most often.

Does IdentityFirst require access to citizen data or council systems?

No. IdentityFirst uses read-only LDAP and API connectors to Active Directory and cloud identity systems only. It does not access, read, or process citizen records, benefits data, housing management systems, planning applications, council tax records, or social care data at any point during the assessment. The assessment is confined entirely to identity and access management infrastructure.

How does IdentityFirst support PSN Code of Connection compliance?

IdentityFirst provides documented evidence for PSN CoCo identity requirements including enumeration of stale and departed accounts, detection of shared accounts without individual attribution, leavers process gap analysis with days-since-departure per account, and individual accountability audit trails. Output is structured to evidence PSN health check requirements around account lifecycle, unique individual authentication, and access control governance.

PSN health checks regularly fail on stale Active Directory accounts from former employees and contractors. IdentityFirst surfaces every such account before the assessor visit, with sufficient detail to evidence remediation actions taken.

Can the report evidence CAF B2 identity and access controls?

Yes. IdentityFirst maps findings directly to NCSC CAF Objective B2 sub-objectives: B2.a (individual identification of all administrative accounts), B2.b (MFA enforcement on admin and remote access accounts), and B2.c (access reviews and leaver process evidence). Each finding includes the specific CAF objective it evidences or breaches.

The resulting evidence pack is designed to satisfy CAF assessor questions about identity governance: which admin accounts exist, who holds them, how they are governed, whether MFA is enforced, and when access was last reviewed. IdentityFirst supports evidence for CAF B2 — it does not perform the CAF assessment itself, which remains the role of an accredited CAF assessor.

Is IdentityFirst suitable for councils using Microsoft 365 GovCloud or SCCM?

Yes. IdentityFirst includes connectors for both Entra ID (Microsoft 365) and on-premises Active Directory, covering the hybrid environments common across UK local government. The Entra ID connector works across commercial and GovCloud tenancies. The Active Directory connector covers all domain-joined assets including those managed via SCCM, without requiring access to the SCCM infrastructure itself.

Councils operating shared service arrangements across multiple AD domains or federated Entra ID tenancies can assess the full estate in a single run, with cross-domain identity correlation surfacing accounts that span multiple environments.

What does Cyber Essentials Plus require for identity controls that IdentityFirst addresses?

Cyber Essentials Plus Requirement 4 (User Access Control) requires that administrative accounts are individually named, MFA is enforced on all internet-facing services, and access is limited to what is necessary for the role. These are the most common CE+ failure points for councils.

IdentityFirst enumerates every Requirement 4 breach before the assessor visit: shared admin accounts, MFA gaps on privileged accounts, excessive privilege assignments beyond role requirements, and stale accounts that should have been removed. Findings are mapped directly to CE+ Requirement 4 sub-controls, providing the remediation evidence needed to address failures prior to assessment.

Ready to Evidence Your CAF B2 Controls?

Book a live demo to see how IdentityFirst maps your council’s identity estate against CAF, PSN, and CE+ obligations — or explore a sample report now.


Read-only  •  No agents  •  Findings in 24 hours  •  UK-hosted & ICO registered