Control attributes: Organisational, Preventive, Protect

A.5.16 Identity Management

M365 Admin Path: Microsoft Entra admin centre > Users > All users

Evidence Source: Microsoft Entra ID

What is this control?

ISO 27001 control A.5.16 Identity Management ensures unique identification of individuals and systems and enables proper identity lifecycle management through Joiner, Mover and Leaver processes. The control requires that all identities, both human and non-human, are created, modified and revoked through formal, auditable processes. Microsoft Entra ID serves as the sole authoritative identity provider, with the UserPrincipalName (UPN) as the unique identifier, which is never re-issued after termination.

How to implement in Microsoft 365

Implement A.5.16 by provisioning all personnel with a single, unique identity in Microsoft Entra ID, using the UserPrincipalName as the identifier. Deploy an automated New Employee Microsoft Form and Power Automate workflow for identity creation. Create accounts in a disabled state initially, assign baseline security groups, and require acceptance of the organisational induction upon first sign-in.

Enable accounts only on the official employee start date. For role changes as part of the Mover process, conduct mandatory review of group memberships and adjust permissions to align with least privilege. For terminations as part of the Leaver process, disable accounts in a timely manner per A.5.11.
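The Joiner, Mover and Leaver steps above, as an added worked example using the Microsoft Graph PowerShell SDK (this is illustrative code written for this page, not the organisation's Power Automate workflow). The tenant domain `contoso.example`, the baseline group id, the leaver-register CSV path and the function names are assumptions; the Graph cmdlets (`New-MgUser`, `Update-MgUser`, `New-MgGroupMember`, `Get-MgUserMemberOf`, `Revoke-MgUserSignInSession`) are real.

```powershell
# Added example (not from the original page): Joiner / Mover / Leaver helpers for
# Microsoft Entra ID via the Microsoft Graph PowerShell SDK.
# Assumed placeholders to replace for a real tenant: the domain, the baseline
# security group id, and the leaver register CSV (columns UserPrincipalName,TerminationDate).
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions
Import-Module Microsoft.Graph.Groups

$TenantDomain       = 'contoso.example'                        # placeholder
$BaselineGroupId    = '00000000-0000-0000-0000-000000000000'   # placeholder group id
$LeaverRegisterPath = '.\leaver-register.csv'                  # placeholder path

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All' -NoWelcome

function New-JoinerAccount {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$EmployeeId
    )
    $mailNick = "$GivenName.$Surname".ToLowerInvariant()
    $upn      = "$mailNick@$TenantDomain"

    # A.5.16: a UPN is never re-issued. Refuse any candidate that appears in the leaver register.
    if (Test-Path $LeaverRegisterPath) {
        $retired = Import-Csv $LeaverRegisterPath | Where-Object { $_.UserPrincipalName -ieq $upn }
        if ($retired) { throw "UPN $upn was used by a former employee and must not be re-issued." }
    }

    # Random initial password; the user must change it at first sign-in.
    $initialPassword = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })

    # Created DISABLED. It is enabled only by Enable-JoinerAccount on the start date.
    $user = New-MgUser -DisplayName "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -UserPrincipalName $upn -MailNickname $mailNick -EmployeeId $EmployeeId -AccountEnabled:$false `
        -PasswordProfile @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $true }

    # Baseline security group only; role-specific access is granted separately and reviewed on moves.
    New-MgGroupMember -GroupId $BaselineGroupId -DirectoryObjectId $user.Id
    return $user
}

function Enable-JoinerAccount {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][datetime]$StartDate
    )
    # Guard: the account is enabled on the official start date, never before it.
    if ((Get-Date).Date -lt $StartDate.Date) {
        throw "Start date $($StartDate.ToString('yyyy-MM-dd')) has not been reached; account stays disabled."
    }
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$true
}

function Get-MoverMembershipReview {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Mover: list every group the user holds so the approver can remove anything the new role does not need.
    Get-MgUserMemberOf -UserId $UserPrincipalName -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
        Select-Object Id, @{ n = 'DisplayName'; e = { $_.AdditionalProperties['displayName'] } }
}

function Disable-LeaverAccount {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [datetime]$TerminationDate = (Get-Date)
    )
    # Leaver: disable the account, revoke refresh tokens so live sessions end, and retire the UPN.
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        TerminationDate   = $TerminationDate.ToString('yyyy-MM-dd')
    } | Export-Csv -Path $LeaverRegisterPath -Append -NoTypeInformation
}

# Usage (constructed values):
# $u = New-JoinerAccount -GivenName 'Alex' -Surname 'Rivera' -EmployeeId 'E10042'
# Enable-JoinerAccount -UserPrincipalName $u.UserPrincipalName -StartDate '2025-07-01'
# Get-MoverMembershipReview -UserPrincipalName $u.UserPrincipalName
# Disable-LeaverAccount -UserPrincipalName $u.UserPrincipalName
```

The retired-UPN check in `New-JoinerAccount` is what makes the "never re-issued" property enforceable rather than aspirational: appending every leaver to the register and consulting it at creation time closes the loop between the Leaver and Joiner processes.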

What an auditor looks for

Auditors will verify the user inventory showing all personnel have unique UPNs with no duplicates. They will confirm no UPNs have been reused after employee termination. Auditors will check that Service Principals and Managed Identities are documented and inventoried separately.

They will verify the New Employee Microsoft Form and Power Automate workflow is configured with audit logging. Auditors will review evidence of the Mover process reviewing group memberships for role changes. They will verify the Leaver process disables accounts within the defined timeframe.
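An added evidence-gathering script for the auditor checks listed above (illustrative code written for this page, not a Microsoft or organisational artefact). It uses the Microsoft Graph PowerShell SDK read-only; the leaver register is a constructed sample with the placeholder domain `contoso.example`, and the output file names are assumptions.

```powershell
# Added example (not from the original page): collects A.5.16 audit evidence from
# Microsoft Entra ID with the Microsoft Graph PowerShell SDK (read-only scopes).
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Applications

Connect-MgGraph -Scopes 'User.Read.All', 'Application.Read.All' -NoWelcome

# Constructed sample leaver register (in practice exported from HR or the Leaver workflow).
$leaverRegister = @'
UserPrincipalName,TerminationDate
jane.doe@contoso.example,2024-03-31
sam.lee@contoso.example,2024-11-15
'@ | ConvertFrom-Csv

# 1. Human identity inventory with the fields an auditor samples.
$users = @(Get-MgUser -All -Property Id,UserPrincipalName,DisplayName,AccountEnabled,CreatedDateTime,EmployeeId,UserType |
    Select-Object Id, UserPrincipalName, DisplayName, AccountEnabled, CreatedDateTime, EmployeeId, UserType)
$users | Export-Csv -Path '.\evidence-A5.16-users.csv' -NoTypeInformation   # assumed file name

# 2. Uniqueness. Entra ID enforces one UPN per object, so the finding that matters is one
#    PERSON holding two accounts: group by EmployeeId (ignoring blanks) and report duplicates.
$duplicatePeople = @($users | Where-Object { $_.EmployeeId } |
    Group-Object EmployeeId | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { [pscustomobject]@{ EmployeeId = $_.Name; UPNs = ($_.Group.UserPrincipalName -join '; ') } })

# 3. No re-issue. A live account whose UPN matches a retired one and was created after the
#    termination date is a re-issued identity.
$reissued = @(foreach ($leaver in $leaverRegister) {
    $match = $users | Where-Object { $_.UserPrincipalName -ieq $leaver.UserPrincipalName }
    if ($match -and ([datetime]$match.CreatedDateTime) -gt ([datetime]$leaver.TerminationDate)) {
        [pscustomobject]@{
            UserPrincipalName = $match.UserPrincipalName
            TerminationDate   = $leaver.TerminationDate
            RecreatedOn       = $match.CreatedDateTime
        }
    }
})

# 4. Non-human identities inventoried separately. ServicePrincipalType distinguishes
#    Application (app registrations / enterprise apps), ManagedIdentity, Legacy and SocialIdp.
$servicePrincipals = @(Get-MgServicePrincipal -All -Property Id,DisplayName,AppId,ServicePrincipalType,AccountEnabled |
    Select-Object Id, DisplayName, AppId, ServicePrincipalType, AccountEnabled)
$servicePrincipals | Export-Csv -Path '.\evidence-A5.16-service-principals.csv' -NoTypeInformation

# Summary that ties back to the exported CSVs; non-zero duplicate or re-issue counts are findings.
[pscustomobject]@{
    TotalUsers             = $users.Count
    DisabledUsers          = @($users | Where-Object { -not $_.AccountEnabled }).Count
    PeopleWithMultipleUPNs = $duplicatePeople.Count
    ReissuedUPNs           = $reissued.Count
    ServicePrincipals      = @($servicePrincipals | Where-Object { $_.ServicePrincipalType -eq 'Application' }).Count
    ManagedIdentities      = @($servicePrincipals | Where-Object { $_.ServicePrincipalType -eq 'ManagedIdentity' }).Count
} | Format-List

$duplicatePeople | Format-Table -AutoSize
$reissued        | Format-Table -AutoSize
```

Run it from a Global Reader or similar read-only role and keep the two CSVs with the summary as the evidence set; the Power Automate run history and the Entra audit log cover the workflow-logging and Leaver-timeframe checks, which this script does not replace.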

M365 capabilities that implement this control

Entra ID CIS Hardening (Identity) | Foundation
CIS M365 v6.0.1 Entra ID hardening: guest access, consent, group creation, app registration, PIM approval, device join

Workload Identity Governance | Endpoint
Discover, remediate and govern non-human identities, including service principals, managed identities and workload identity federation

Joiner Entitlement Packages | Info Gov
Identity Governance lifecycle workflows for new starters

Leaver Entitlement Packages | Info Gov
Identity Governance lifecycle workflows for leavers

AI Agent Identity & Governance | Info Gov
Entra Agent ID registration, agent lifecycle policies with a human sponsor requirement, Conditional Access for AI workloads