The challenge
750 staff, zero automated identity controls, and a CQC audit approaching
The organisation managed identity and access for approximately 750 healthcare staff (clinicians, nurses, ward administrators, IT personnel, and compliance teams) entirely through manual, ticket-based processes. HR emailed IT to request account creation for new hires, role changes were applied inconsistently, and leaver accounts were rarely disabled promptly.
In a regulated healthcare environment, this created direct exposure. Former employees retained active credentials with access to patient records. Clinical staff accumulated permissions across multiple departments as they moved roles. There was no audit trail, no authoritative source of identity, and no mechanism for time-bound privilege escalation. As a CQC inspection approached, the fragmented identity estate posed significant compliance and reputational risk.
3 to 7 day provisioning delays: new joiners waited days for access and were unable to work from day one.
Leaver accounts left active: 38% of leavers retained active credentials beyond their exit date.
Excessive cross-department access: 62% of users held app entitlements beyond their department's scope.
No PIM or privileged access controls: admin roles were permanently assigned, with no time limits, no approvals, and no audit logs.
Workday disconnected from Entra ID: HR data and identity systems were siloed, so every change required manual re-entry.
CQC & IG audit approaching: access logs were incomplete and access controls were entirely undocumented.
Our findings
What the access audit revealed
Before designing the solution, garrisonOne conducted a full identity and access audit across all departments. We mapped every user account, application entitlement, privileged role assignment, and inactive account against the organisation's HR records in Workday.
3 to 7 days: average provisioning time for new joiners
38%: leaver accounts not disabled within 24 hrs of exit
62%: users with app access beyond department scope
0: departments using PIM for privileged role activation
Mover events were the most underserved scenario. Department transfers and ward rotations were processed without revoking old access, so users accumulated permissions across every role they had ever held, creating toxic privilege combinations over time. The organisation had no department-to-application mapping maintained in any system, meaning all app assignments were applied ad hoc with no consistency.
What we did
A phased JML automation deployment
Scoped to minimise disruption to clinical operations, with phased delivery and no system downtime.
Phase 1: Identity & Access Audit
Full inventory of all 750+ user accounts, application entitlements, shared credentials, and inactive accounts. Mapped every user to their Workday record and identified orphaned accounts, excess access, and privileged role exposure.
Phase 2: Workday → Entra ID Provisioning Connector
Configured real-time automated sync between Workday and Microsoft Entra ID. All identity attributes (name, department, job title, cost centre, manager) flow automatically. New hires trigger account creation; exits trigger immediate disablement and revocation.
Phase 3: Department Access Matrix & App Assignment
Built a structured mapping of 14 clinical and administrative departments to their approved application entitlements, covering EHR, clinical imaging, PACS, HR portal, compliance tools, and M365 apps. Entitlements are applied automatically on join and recalculated on every mover event.
Phase 4: PIM Role Framework for Privileged Access
Deployed Microsoft Entra Privileged Identity Management across all elevated roles. All privileged access is now just-in-time, time-bound, and approval-gated. Permanent admin role assignments were eliminated entirely. Activation requests log to a full audit trail.
Phase 5: Mover Workflow & Leaver Automation
Department and role changes in Workday trigger an automated access recalculation in Entra ID: old entitlements are revoked and new ones are granted within one provisioning cycle. Terminations disable the account immediately, revoke all app access, and notify the line manager automatically.
Phase 6: Access Reviews & Governance Documentation
Configured quarterly automated access certifications via Entra ID Governance, with manager-driven approvals and auto-revocation on non-response. Delivered full access control policy documentation, audit log procedures, and role ownership records ready for CQC and IG review.
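The mover recalculation and leaver disablement described in Phases 3 and 5, as an added illustration that is not the engagement's or Microsoft's code: the department matrix, account records and the "nurse" user are constructed in memory, and the real Workday events and Entra ID provisioning calls are replaced by plain set operations. The `legacy_mover` function models the pre-engagement behaviour that let users accumulate access across roles.

```python
# Added illustration of JML access recalculation logic (not the engagement's code).
# Workday events and Entra ID calls are replaced with in-memory data and set operations.
from dataclasses import dataclass, field

# Constructed department-to-application matrix (the real one covered 14 departments).
ACCESS_MATRIX = {
    "Radiology": {"EHR", "PACS", "ClinicalImaging", "M365"},
    "Ward A": {"EHR", "M365"},
    "Compliance": {"ComplianceTools", "HRPortal", "M365"},
}

@dataclass
class Account:
    upn: str                 # constructed user principal name
    department: str
    enabled: bool = True
    entitlements: set = field(default_factory=set)

def legacy_mover(acct: Account, new_department: str) -> None:
    """Pre-engagement behaviour: grant the new role's apps but never revoke the old ones.
    This is how users accumulated access across every role they had ever held."""
    acct.entitlements |= ACCESS_MATRIX.get(new_department, set())
    acct.department = new_department

def reconcile_mover(acct: Account, new_department: str) -> tuple[set, set]:
    """Phase 5 mover handling: recalculate access against the matrix on a department change.
    Returns (revoked, granted) so the provisioning cycle can apply and log both sets."""
    desired = ACCESS_MATRIX.get(new_department, set())
    revoked = acct.entitlements - desired   # stale access from prior roles
    granted = desired - acct.entitlements
    acct.entitlements = set(desired)
    acct.department = new_department
    return revoked, granted

def process_leaver(acct: Account) -> set:
    """Leaver handling: disable the account and revoke every entitlement in one step."""
    revoked = set(acct.entitlements)
    acct.entitlements.clear()
    acct.enabled = False
    return revoked

def excess_entitlements(acct: Account) -> set:
    """Phase 1 audit check: entitlements outside the user's current department scope."""
    return acct.entitlements - ACCESS_MATRIX.get(acct.department, set())

if __name__ == "__main__":
    nurse = Account("nurse@example.org", "Radiology", entitlements=set(ACCESS_MATRIX["Radiology"]))
    legacy_mover(nurse, "Ward A")          # old behaviour leaves PACS and imaging in place
    print(excess_entitlements(nurse), reconcile_mover(nurse, "Ward A"))
```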
Key deliverables
- Real-time Workday → Entra ID provisioning connector, with Workday as the single source of truth for all identity attributes
- Department-to-application access matrix covering 14 departments and all approved clinical and administrative systems
- PIM just-in-time privileged access framework with approval workflows, time limits, and full audit logging
- Automated leaver workflow: exit in Workday triggers immediate account disable, access revocation, and manager notification
- Automated mover handling: department or role change triggers access recalculation within one provisioning cycle
- Quarterly access certifications via Entra ID Governance with manager-driven approvals and auto-revocation
- Full access control policy, role ownership documentation, and audit log procedures for CQC and IG review
Outcomes
Results that went beyond the audit
The organisation entered its CQC and IG audit cycle with documented, automated controls in place for the first time. The engagement delivered measurable operational, security, and compliance improvements across every JML scenario.
Clean CQC & IG audit, no identity findings: access controls fully documented and automated, the first clean identity audit in three years.
<15 min joiner provisioning (down from 3 to 7 days): new staff have full role-appropriate access before they walk through the door.
100% of leaver accounts closed same day: exit in Workday triggers immediate revocation, with no manual steps and no delays.
~90% reduction in excess entitlements: the first quarterly access certification eliminated nearly all out-of-scope app assignments.
Zero standing privileged roles remaining: all elevated access is now just-in-time and time-bound via PIM, with no permanent admins.
12 to 15 hrs of weekly IT time reclaimed: provisioning is fully automated, so IT capacity has been redirected to security monitoring and infrastructure.
"We went from chasing IT tickets for three days to having a new nurse fully set up before they walked through the door. The difference for our clinical teams has been immediate and tangible."
IT Manager, Healthcare Organisation