
Identity-Centric Security Design for Healthcare

By Andreas Krisby, 2026-05-29

Background

I built this project to explore how identity and access management could be designed for a small healthcare environment handling sensitive information.

The goal was to better understand how technologies such as Microsoft Entra ID, Conditional Access, FIDO2, RBAC and Managed Identities can work together as part of a modern security design.

Rather than focusing primarily on network-based security, I wanted to explore what happens when identity becomes the primary security boundary.

The Challenge

Healthcare environments often contain different types of users with different access requirements.

For this project, I wanted to explore questions such as:

  • How should access be managed for different roles?
  • How can external consultants be given access securely?
  • How can access be removed when it is no longer needed?
  • How can security be improved without creating unnecessary complexity?

What I Built

I created a small Azure-based environment centered around Microsoft Entra ID.

The environment included:

  • Microsoft Entra ID
  • Azure Web App
  • Azure Blob Storage
  • FIDO2 passwordless authentication
  • Conditional Access
  • Security Groups
  • Role-Based Access Control (RBAC)
  • Managed Identities

The project was inspired by common challenges found in healthcare environments, where multiple user types need different levels of access to sensitive information.

Identity and Access Model

Access was granted to security groups through role assignments rather than to individual users, so giving someone a role, or taking it away, is a group-membership change instead of an edit to permissions on the resource itself.

Different user types were simulated, including:

  • Healthcare assistants
  • Nurses
  • Physicians
  • Laboratory personnel
  • External consultants

The goal was to explore how role-based access control can simplify administration while reducing unnecessary privileges.
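As an added example, which is not the project's own code, the PowerShell script below shows what that group-based model looks like in Azure terms: one security group per user type, built-in Storage data-plane roles assigned to those groups at container scope, and a system-assigned Managed Identity for the web app so it reads blobs without any stored key or connection string. The resource, group and container names, the role-to-group mapping and the pre-existing web app are all assumptions; it needs the Az PowerShell module and a signed-in account able to create resources, Entra groups and role assignments.

```powershell
# Added example, not the project's own code. Every name below is an assumption.
# Requires: Az PowerShell module, Connect-AzAccount as an account that can create
# resources, Entra security groups and role assignments.

$rg         = "rg-clinic-demo"     # assumed resource group
$location   = "swedencentral"      # assumed region
$storage    = "stclinicdemo001"    # assumed storage account name (must be globally unique)
$webApp     = "app-clinic-portal"  # assumed name of an existing Azure Web App in $rg
$containers = @("clinical-records", "lab-results")

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Anonymous blob access and shared-key auth are both disabled, so the only way to
# reach the data is an Entra ID identity that holds a data-plane role.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $storage -Location $location `
        -SkuName Standard_LRS -Kind StorageV2 -MinimumTlsVersion TLS1_2 `
        -AllowBlobPublicAccess $false -AllowSharedKeyAccess $false

# Containers are created through the management plane, which works even though
# shared-key access is off and the caller holds no data-plane role yet.
foreach ($c in $containers) {
    New-AzRmStorageContainer -ResourceGroupName $rg -StorageAccountName $storage -Name $c | Out-Null
}

# One security group per user type. Roles are assigned to these groups only.
$groupNames = @("sg-clinic-assistants", "sg-clinic-nurses", "sg-clinic-physicians",
                "sg-clinic-lab", "sg-clinic-consultants")
$groups = @{}
foreach ($g in $groupNames) {
    $groups[$g] = New-AzADGroup -DisplayName $g -MailNickname $g -SecurityEnabled
}

# Assumed role-to-container mapping. Scoping each assignment to a single
# container keeps a group from seeing the rest of the account.
$assignments = @(
    @{ Group = "sg-clinic-physicians";  Role = "Storage Blob Data Contributor"; Container = "clinical-records" }
    @{ Group = "sg-clinic-nurses";      Role = "Storage Blob Data Reader";      Container = "clinical-records" }
    @{ Group = "sg-clinic-assistants";  Role = "Storage Blob Data Reader";      Container = "clinical-records" }
    @{ Group = "sg-clinic-lab";         Role = "Storage Blob Data Contributor"; Container = "lab-results" }
    @{ Group = "sg-clinic-physicians";  Role = "Storage Blob Data Reader";      Container = "lab-results" }
    @{ Group = "sg-clinic-consultants"; Role = "Storage Blob Data Reader";      Container = "lab-results" }
)

function New-RoleAssignmentWithRetry {
    # A principal created seconds ago may not have replicated yet, so the first
    # role assignment attempt can fail with a "principal not found" error.
    param([string]$ObjectId, [string]$Role, [string]$Scope)
    for ($i = 0; $i -lt 6; $i++) {
        try {
            return New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $Role -Scope $Scope -ErrorAction Stop
        } catch {
            if ($i -eq 5) { throw }
            Start-Sleep -Seconds 10
        }
    }
}

foreach ($a in $assignments) {
    $scope = "$($sa.Id)/blobServices/default/containers/$($a.Container)"
    New-RoleAssignmentWithRetry -ObjectId $groups[$a.Group].Id -Role $a.Role -Scope $scope | Out-Null
}

# The web app gets a system-assigned Managed Identity and a read-only data-plane
# role on the one container it serves. No secret is stored in app settings.
$app = Set-AzWebApp -ResourceGroupName $rg -Name $webApp -AssignIdentity $true
New-RoleAssignmentWithRetry -ObjectId $app.Identity.PrincipalId -Role "Storage Blob Data Reader" `
    -Scope "$($sa.Id)/blobServices/default/containers/clinical-records" | Out-Null

# Check: nothing on this account or its containers should be assigned to a user directly.
$scopes = @($sa.Id) + ($containers | ForEach-Object { "$($sa.Id)/blobServices/default/containers/$_" })
foreach ($s in $scopes) {
    Get-AzRoleAssignment -Scope $s |
        Where-Object { $_.Scope -eq $s -and $_.ObjectType -eq "User" } |
        ForEach-Object { Write-Warning "Direct user assignment: $($_.SignInName) -> $($_.RoleDefinitionName) at $($_.Scope)" }
}
```

Removing a consultant's access at the end of an engagement is then a single group-membership removal; the role assignments themselves never change.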

Security Controls

To improve security, I implemented controls such as:

  • FIDO2 authentication
  • Conditional Access policies
  • Multi-factor authentication
  • Group-based RBAC
  • Managed Identities
  • Logging and auditing

The focus was on applying common security principles in a practical way rather than building a highly complex environment.
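FIDO2 and Conditional Access only work together if the rollout order is right: users must be able to register a key before a policy demands one. As an added example that is not the project's own code, the Microsoft Graph PowerShell script below does that in stages: enable the FIDO2 method for the clinical groups, create a Conditional Access policy requiring the built-in phishing-resistant MFA authentication strength in report-only mode, read the sign-in log to see who would have been blocked, and enforce only after the policy has gathered a week of clean report-only data. The group names, the policy name and the break-glass group are assumptions; it needs the Microsoft.Graph module and an account holding the permissions requested in the script.

```powershell
# Added example, not the project's own code. Group names, the policy name and the
# break-glass group are assumptions. Requires the Microsoft.Graph PowerShell module.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.ReadWrite.AuthenticationMethod",
                        "Policy.Read.All", "Group.Read.All", "AuditLog.Read.All" | Out-Null

# Assumed groups from the access model. Consultants are included on purpose.
$groupNames = @("sg-clinic-assistants", "sg-clinic-nurses", "sg-clinic-physicians",
                "sg-clinic-lab", "sg-clinic-consultants")
$targets = foreach ($n in $groupNames) { Get-MgGroup -Filter "displayName eq '$n'" }
if (@($targets).Count -ne $groupNames.Count) { throw "One or more target groups are missing" }

# Emergency-access accounts are excluded so a bad policy cannot lock every
# administrator out of the tenant. Assumed group name.
$breakGlass = Get-MgGroup -Filter "displayName eq 'sg-break-glass'"
if (-not $breakGlass) { throw "Create the break-glass group before enforcing MFA policies" }

# Stage 1: allow the target groups to register FIDO2 keys. Attestation
# enforcement rejects keys that cannot prove their make and model.
$fido2 = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true
    isAttestationEnforced            = $true
    includeTargets = @($targets | ForEach-Object {
        @{ targetType = "group"; id = $_.Id; isRegistrationRequired = $false }
    })
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2" -BodyParameter $fido2

# Stage 2: the built-in "Phishing-resistant MFA" strength, which FIDO2 satisfies
# and SMS or push-notification MFA does not. Looked up by name, not hard-coded.
$strength = Get-MgPolicyAuthenticationStrengthPolicy -Filter "displayName eq 'Phishing-resistant MFA'"
if (-not $strength) { throw "Built-in phishing-resistant authentication strength not found" }

# Stage 3: create the policy in report-only mode if it does not exist yet.
# Every sign-in is evaluated and the outcome logged, but nothing is enforced.
$policyName = "CA-Clinical-PhishingResistantMFA"
$policy = Get-MgIdentityConditionalAccessPolicy -All | Where-Object DisplayName -eq $policyName
if (-not $policy) {
    $policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName = $policyName
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users          = @{ includeGroups = @($targets.Id); excludeGroups = @($breakGlass.Id) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; authenticationStrength = @{ id = $strength.Id } }
    }
    Write-Host "Created '$policyName' in report-only mode. Rerun after a week to evaluate and enforce."
    return
}

# Stage 4: who would have been blocked? A reportOnlyFailure on this policy means
# that sign-in used something weaker than a FIDO2 credential.
function Get-ReportOnlyFailures {
    param([string]$PolicyId, [int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
        Where-Object {
            $_.AppliedConditionalAccessPolicies |
                Where-Object { $_.Id -eq $PolicyId -and $_.Result -eq "reportOnlyFailure" }
        } |
        Select-Object UserPrincipalName, AppDisplayName, CreatedDateTime -Unique
}
$wouldFail = @(Get-ReportOnlyFailures -PolicyId $policy.Id -Days 7)
$wouldFail | Format-Table

# Stage 5: enforce only after at least a week in report-only mode with no failures.
$daysInReportOnly = ((Get-Date).ToUniversalTime() - $policy.CreatedDateTime).TotalDays
if ($policy.State -eq "enabledForReportingButNotEnforced" -and $daysInReportOnly -ge 7 -and $wouldFail.Count -eq 0) {
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -State "enabled"
    Write-Host "'$policyName' is now enforced."
} else {
    Write-Host "Not enforcing yet: $($wouldFail.Count) report-only failures in the last 7 days, $([int]$daysInReportOnly) days of data."
}
```

The script is meant to be run twice: the first run creates the policy and stops, the second (a week or more later) reads the report-only results and flips the state. Listing "FIDO2 authentication" and "Multi-factor authentication" as separate controls, as above, is consistent with this: the authentication strength is the MFA requirement, and FIDO2 is the method that satisfies it.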

What I Learned

This project helped me better understand how different identity and security technologies fit together.

Some of the areas I explored included:

  • Identity lifecycle management
  • Access governance
  • Role-based access control
  • External user management
  • Conditional Access
  • Managed Identities
  • Identity-first security design

It also reinforced how important identity has become in modern security architectures.

Reflection

The most valuable part of this project was moving beyond individual technologies and thinking more about the bigger picture.

Instead of focusing on a single feature or product, I had to think about how identities, access, governance and security controls work together as part of a complete system.

The project gave me a better understanding of the trade-offs between usability, administration and security, especially in environments handling sensitive information.