Hybrid identity security for government access: what changed here?

TL;DR: A US state agency modernised workforce and citizen access with RSA and Microsoft integration to support passwordless sign-in, hybrid identity management, BYOD protection, and secure proofing for onboarding and recovery, according to RSA Security. The underlying lesson is that convenience, fraud resistance, and hybrid interoperability now have to be governed together, not treated as separate IAM projects.

NHIMG editorial — based on content published by RSA Security: State government agency enhances security of workforce and citizen access with RSA and Microsoft integration

By the numbers:

• Only 5.7% of organisations have full visibility into their service accounts.
• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.

Questions worth separating out

Q: How should government teams govern passwordless access across hybrid environments?

A: Government teams should govern passwordless access as a full identity assurance journey, not just a stronger login method.

Q: Why do onboarding and recovery flows matter so much in public-sector IAM?

A: Onboarding and recovery determine whether the person requesting access is truly entitled to it.

Q: What breaks when hybrid IAM is managed as separate cloud and legacy projects?

A: Policy consistency breaks first.

Practitioner guidance

• Map recovery flows as high-risk trust events Review enrollment, password reset, and account recovery steps separately from everyday authentication.
• Align passwordless to device trust and fallback governance Document which devices, contexts, and recovery methods are allowed to complete passwordless access.
• Unify hybrid policy decisions across legacy and cloud systems Identify where Microsoft-centric identity policies diverge from controls enforced in on-premises or legacy applications.

What's in the full article

RSA Security's full article covers the operational detail this post intentionally leaves for the source:

• The specific RSA ID Plus, Risk AI, Mobile Lock, and ID Proofing implementation choices used in the agency environment.
• The integration details for Microsoft Entra ID and how the hybrid identity stack was configured for different user populations.
• The deployment and professional services elements that reduced implementation complexity and shortened time-to-value.
• The customer outcome statements that describe how the agency balanced usability, compliance, and operational disruption.

👉 Read RSA Security's article on government hybrid identity modernization with Microsoft integration →

Hybrid identity security for government access: what changed here?

Explore further

View Full Forum →  |  NHI Foundation Course →