IT & Access Control
1. Identity First
We use Entra ID (Azure AD) as our central identity provider.
- Username: firstname.lastname@thetechdeputies.com
- MFA: Mandatory for all accounts. No exceptions.
- SSO: Wherever possible, third-party apps (HubSpot, Zoom) must use "Sign in with Microsoft", so that access to them ends as soon as the Entra ID account is disabled.
2. Device Management (Intune)
- BYOD (Bring Your Own Device): Permitted, but must enroll in "Company Portal" to access data.
- Encryption: BitLocker (Windows) / FileVault (Mac) must be enabled.
- Updates: OS updates forced within 7 days of release.
3. Access Levels (RBAC)
We assign access based on Roles, not individuals.
| Role | M365 License | SharePoint Access | HubSpot Role | Thinkific Role | Zapier Role |
|---|---|---|---|---|---|
| Founder/Admin | Business Premium | Global Admin (All) | Super Admin | Site Owner | Owner |
| Operations Lead | Business Premium | Edit (All) | Super Admin | Site Admin | Admin |
| Sales Rep | Business Standard | Read (Marketing), Edit (Sales) | Sales User | View Only | None |
| Fulfillment Agent | Business Standard | Edit (Projects), Read (SOPs) | Service User | Course Creator | None |
| Contractor | Basic / Guest | Edit (Assigned Folder Only) | Restricted | None | None |
Note: Zapier access is restricted to Admin/Ops Lead only.
4. Onboarding Workflow (IT)
Trigger: "Signed Offer Letter" from System 08.
- Create User: In M365 Admin Center.
- Assign Groups: Add to All Staff and the Department Team group.
- License: Assign the M365 license the Access Levels table specifies for the role (Business Premium or Business Standard).
- Hardware: Order laptop (if applicable) or send BYOD instructions.
- Welcome Email: Send temporary password and "Day 1 Login Guide" to personal email. The temporary password must be set to force a change at first sign-in so it is single-use.
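The onboarding steps above as one script, added here as an example and not part of the original page, using the Microsoft Graph PowerShell SDK (Microsoft.Graph modules). The group names ("All Staff" and "<Role> Team"), the sample names and the role-to-SKU mapping are assumptions modelled on the Access Levels table; the SKU part numbers are Microsoft's (SPB is Business Premium, O365_BUSINESS_PREMIUM is Business Standard).

```powershell
# Added example (not the page's own tooling): onboard a new hire in Entra ID / M365.
# Needs the Microsoft.Graph modules. Group names and role-to-SKU mapping are assumptions.
param(
    [Parameter(Mandatory)][string]$FirstName,
    [Parameter(Mandatory)][string]$LastName,
    [Parameter(Mandatory)][ValidateSet('Founder/Admin','Operations Lead','Sales Rep','Fulfillment Agent')]
    [string]$Role,
    [string]$UsageLocation = 'US'   # Entra requires a usage location before any license can be assigned
)
$ErrorActionPreference = 'Stop'
Connect-MgGraph -NoWelcome -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All', 'Organization.Read.All'

# Role -> license, mirroring the Access Levels table (assumed mapping)
$skuByRole = @{
    'Founder/Admin'     = 'SPB'                     # Microsoft 365 Business Premium
    'Operations Lead'   = 'SPB'
    'Sales Rep'         = 'O365_BUSINESS_PREMIUM'   # Microsoft 365 Business Standard (legacy SKU name)
    'Fulfillment Agent' = 'O365_BUSINESS_PREMIUM'
}
$upn = ('{0}.{1}@thetechdeputies.com' -f $FirstName, $LastName).ToLower()

# Temporary password from a CSPRNG; ForceChangePasswordNextSignIn makes it single-use.
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)

# --- Create User ---
$user = New-MgUser -AccountEnabled -UserPrincipalName $upn `
    -DisplayName "$FirstName $LastName" -GivenName $FirstName -Surname $LastName `
    -MailNickname ("$FirstName$LastName".ToLower()) -JobTitle $Role -UsageLocation $UsageLocation `
    -PasswordProfile @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }

# --- Assign Groups: All Staff plus the role's team group (assumed naming) ---
foreach ($name in @('All Staff', "$Role Team")) {
    $escaped = $name.Replace("'", "''")            # OData string-literal escaping
    $group = Get-MgGroup -Filter "displayName eq '$escaped'"
    if (-not $group) { throw "Group '$name' not found; create it before onboarding." }
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
}

# --- License: the role's SKU, after checking a seat is actually free ---
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $skuByRole[$Role]
if (-not $sku) { throw "Tenant has no subscription for SKU $($skuByRole[$Role])" }
if (($sku.PrepaidUnits.Enabled - $sku.ConsumedUnits) -lt 1) { throw "No free $($sku.SkuPartNumber) seats" }
Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null

# --- Welcome Email: hand-off for the "Day 1 Login Guide" mail to the personal address ---
[pscustomobject]@{ UserPrincipalName = $upn; TemporaryPassword = $tempPassword; Role = $Role }
```

Run it as `.\New-Hire.ps1 -FirstName Jane -LastName Doe -Role 'Sales Rep'` (sample values). The seat check matters in a small tenant: `Set-MgUserLicense` fails when no units are free, and the user would otherwise be left created but unlicensed and unable to open a mailbox.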
5. Offboarding Workflow (IT)
Trigger: "Termination Notice" from System 08.
- Immediate: Reset Password. Revoke Sessions. Revoking sessions invalidates refresh tokens and browser sessions, but access tokens already issued stay valid until they expire (about an hour by default), so treat that window as still exposed.
- Access: Block sign-in. Remove from Groups.
- Data: Convert mailbox to "Shared Mailbox" (delegate to Manager). A shared mailbox under 50 GB needs no license, but remove the license only after the conversion has completed; removing it first puts the mailbox on the deletion path.
- Device: Initiate "Remote Wipe" of company data from Intune: a Retire (selective wipe of company data only) for BYOD devices, a full Wipe for company-owned devices.
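The offboarding checklist above as one script, added here as an example and not part of the original page, using the Microsoft Graph PowerShell SDK for identity, groups and Intune and the ExchangeOnlineManagement module for the mailbox. The UPNs are constructed sample values; the group loop and device loop are generic and also handle the two cases the checklist glosses over: groups that Graph cannot edit (Exchange distribution lists and mail-enabled security groups) and the BYOD versus company-owned distinction for the wipe.

```powershell
# Added example (not the page's own tooling): offboard a user in Entra ID / M365 / Intune.
# Needs the Microsoft.Graph and ExchangeOnlineManagement modules. $Upn/$ManagerUpn are sample inputs.
param(
    [Parameter(Mandatory)][string]$Upn,          # e.g. jane.doe@thetechdeputies.com (sample)
    [Parameter(Mandatory)][string]$ManagerUpn    # receives Full Access to the converted mailbox
)
$ErrorActionPreference = 'Stop'
Connect-MgGraph -NoWelcome -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All',
    'DeviceManagementManagedDevices.Read.All', 'DeviceManagementManagedDevices.PrivilegedOperations.All'
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, AccountEnabled

# --- Immediate: block sign-in, scramble the password, revoke sessions (one call, then one) ---
# The new password is random and never recorded; ForceChange makes it useless even if seen.
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
Update-MgUser -UserId $user.Id -AccountEnabled:$false -PasswordProfile @{
    Password                      = [Convert]::ToBase64String($bytes)
    ForceChangePasswordNextSignIn = $true
}
# Invalidates refresh tokens and session cookies. Access tokens already issued stay valid
# until they expire (about an hour by default); that window is still exposed.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# --- Access: remove from groups ---
# memberOf also returns directory roles and administrative units; keep only groups.
Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
    ForEach-Object {
        $id = $_.Id
        $g  = $_.AdditionalProperties
        if ($g['groupTypes'] -contains 'DynamicMembership') { return }   # rule-driven; disabling the account is enough
        if ($g['mailEnabled'] -and -not ($g['groupTypes'] -contains 'Unified')) {
            # Distribution lists and mail-enabled security groups are owned by Exchange, not Graph
            Remove-DistributionGroupMember -Identity $id -Member $user.Id `
                -BypassSecurityGroupManagerCheck -Confirm:$false
        } else {
            Remove-MgGroupMemberByRef -GroupId $id -DirectoryObjectId $user.Id
        }
        Write-Host "Removed from group: $($g['displayName'])"
    }

# --- Data: convert the mailbox to shared and delegate it to the manager ---
# A shared mailbox under 50 GB needs no license, but remove the license only after the
# conversion has completed; removing it first puts the mailbox on the deletion path.
Set-Mailbox -Identity $Upn -Type Shared
Set-Mailbox -Identity $Upn -HiddenFromAddressListsEnabled $true
Add-MailboxPermission -Identity $Upn -User $ManagerUpn -AccessRights FullAccess -AutoMapping $true | Out-Null

# --- Device: remove company data from every Intune-managed device of this user ---
Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$Upn'" -All | ForEach-Object {
    if ($_.ManagedDeviceOwnerType -eq 'company') {
        Clear-MgDeviceManagementManagedDevice -ManagedDeviceId $_.Id           # full wipe
    } else {
        Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $_.Id    # BYOD: retire = company data only
    }
    Write-Host "Wipe/retire issued: $($_.DeviceName) ($($_.ManagedDeviceOwnerType))"
}
```

The order is deliberate: disable and revoke first, because the group and mailbox steps take minutes and the account must already be unusable while they run. The script leaves the license in place; remove it with `Set-MgUserLicense -RemoveLicenses` only once `Get-Mailbox` reports `RecipientTypeDetails` of `SharedMailbox`.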
Related Documents: