Identity Architecture

I architect complex identity change without losing operational control.

I design identity architecture programs for business-critical transitions: tenant-to-tenant migrations, M&A integration, IAM modernization, privileged access governance, and hybrid Active Directory transformation. The goal is always the same: secure continuity, predictable execution, and measurable reduction of access risk.

  • Tenant-to-Tenant Programs
  • M&A and Carve-Out Identity
  • Hybrid Directory Transformation
  • Operational Hardening

Special focus

Programs where identity is business-critical, not just technical.

Migrations, mergers, separation scenarios, hybrid estates, and governance hardening need clear architecture decisions and disciplined execution.

My contribution spans strategy, execution governance, and post-go-live operational stabilization, with a specific focus on IAM, PIM, Active Directory, and privileged identity in on-premise and hybrid contexts.

  • Identity strategy with delivery depth
  • Strong Microsoft ecosystem specialization
  • Focus on risk, continuity, and governance

  • 15+ years of experience
  • 80+ enterprise projects
  • 13+ F100 clients

Technology stack

Technologies and tools

The complete Microsoft ecosystem, with in-depth expertise on every component of the identity chain.

  • Active Directory
  • Azure AD / Entra ID
  • AAD Connect
  • Defender for Identity
  • Azure PIM / PAM
  • ADFS
  • Conditional Access
  • Microsoft Intune
  • Microsoft Sentinel
  • PowerShell
  • Microsoft Graph
  • Exchange Hybrid

Approach

My approach

Each engagement follows a structured process that ensures technical quality, decision transparency, and measurable outcomes.

Case Studies

Selected transformation scenarios

Real-world identity work where architecture decisions directly affect business continuity.

Active Directory M&A Migration: multi-tenant consolidation with zero downtime

Perceived downtime: 0

Context

HVAC multinational with two acquired entities and heterogeneous identity estates: separate on-premise Active Directory domains (one still on Windows Server 2003), distinct Microsoft 365 tenants, and hybrid/cloud-only workloads.

Challenge

Deliver a tenant-to-tenant (T2T) migration and AD consolidation with no disruption to user access. Complexity drivers: Windows Server 2003 uplift, hybrid identity coexistence, and tightly coordinated cutover windows.

Outcome

Phased execution completed with AD consolidation, legacy uplift, and full migration of users, groups, permissions, and servers across cloud and on-prem environments. Result: zero perceived downtime and 100% migration completion with lower post-M&A identity complexity.

Active Directory Disaster Recovery: BCDR plan for critical identity infrastructure

Full recovery time: < 2h

Context

Large Italian steel multinational (5,000+ users) relying on Active Directory for authentication, DNS, GPO, and application access across more than 10 global sites.

Challenge

No formal Business Continuity and Disaster Recovery (BCDR) plan for Active Directory or Entra ID, with direct exposure to ransomware, domain corruption, and human error. Recovery procedures and RTO targets were not validated.

Outcome

Implemented an Active Directory Disaster Recovery model on Quest On-Demand Recovery with isolated cloud backup and tested orchestration across manual and automated steps. Results: RTO below 2 hours and 100% recovery coverage for authentication, DNS, and GPO services.

Privileged Access Management on Active Directory

Privileged accounts reduced: 85%

Context

Italian chemical industry group with an on-premise Active Directory infrastructure that had evolved over many years. An independent security assessment identified high-risk gaps in privileged access governance.

Challenge

More than 50 Domain Admin accounts were present, with fewer than 10 mapped to active and justified owners; some accounts had expired credentials and no recent logon. Risk profile included uncontrolled privilege escalation and weak auditability.

Outcome

Implemented a Privileged Identity Management (PIM) operating model on Microsoft Entra ID with recurring Access Reviews, removal of unjustified standing privileges, and approved just-in-time (JIT) access windows. Privileged accounts were reduced by 85%.
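As an added illustration (not code from this page or its author), the kind of PowerShell check such an assessment starts from: enumerate Domain Admins recursively and flag members with no mapped owner, expired credentials, or no recent logon, which are exactly the findings described above. It assumes the RSAT ActiveDirectory module, approximates "owner" with the AD Manager attribute and staleness with a 90-day window; both choices are hypothetical stand-ins for whatever the governance process defines.

```powershell
# Added example: inventory of Domain Admins with the risk flags from the assessment.
# Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-DomainAdminRiskReport {
    [CmdletBinding()]
    param(
        [string]$Group = 'Domain Admins',
        [int]$StaleDays = 90   # assumed threshold for "no recent logon"
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # -Recursive expands nested groups; keep only user objects (not groups/computers)
    $members = Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName `
            -Properties LastLogonDate, PasswordExpired, PasswordLastSet, Enabled, Manager

        # LastLogonDate derives from lastLogonTimestamp, which replicates with up to
        # ~14 days of lag: good enough for staleness screening, not for forensics.
        $noRecentLogon = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $cutoff)
        $hasOwner      = [bool]$u.Manager   # assumption: Manager attribute = justified owner

        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            LastLogonDate   = $u.LastLogonDate
            PasswordExpired = $u.PasswordExpired
            PasswordLastSet = $u.PasswordLastSet
            HasOwner        = $hasOwner
            NoRecentLogon   = $noRecentLogon
            # Any one flag makes the account a candidate for removal or for conversion
            # to a JIT-eligible assignment instead of standing membership.
            Flagged         = $noRecentLogon -or $u.PasswordExpired -or (-not $hasOwner) -or (-not $u.Enabled)
        }
    }
}

# Summary in the shape of the assessment metrics: total members, members with a
# mapped owner, and the flagged set to take into the access review.
$report  = Get-DomainAdminRiskReport -StaleDays 90
$total   = ($report | Measure-Object).Count
$owned   = ($report | Where-Object HasOwner | Measure-Object).Count
$flagged = $report | Where-Object Flagged
"{0} members of Domain Admins, {1} with a mapped owner, {2} flagged for review" -f $total, $owned, ($flagged | Measure-Object).Count
$flagged | Sort-Object LastLogonDate | Format-Table SamAccountName, Enabled, LastLogonDate, PasswordExpired, HasOwner -AutoSize
```

Run it before and after each access-review cycle so the reduction in standing Domain Admin membership is measured rather than assumed.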