Modernising identity and access governance at Allica Bank


Allica Bank is a UK challenger bank focused on serving established small and medium-sized businesses. Their strategy centres on combining modern digital banking capabilities with personalised service for growing companies. To support this vision, Allica has invested heavily in scalable technology platforms and internal automation. As the organisation grows, efficient identity and access management becomes critical — employees need the right systems and permissions from day one, and access must be removed immediately when staff leave. Reliable Joiner, Mover, Leaver (JML) processes and consistent access governance across all systems are therefore central to maintaining both operational efficiency and regulatory compliance.

The opportunity

esynergy engaged with Allica through the CTO, Ravneet Shah. esynergy was already working with the bank on automation related to identity processes. During this engagement, a clear opportunity to strengthen the identity landscape came into focus. A change in the bank's HR platform, delivered as a SaaS solution, had shifted the integration between the HR system and SailPoint, the identity governance tool previously used by Allica. This created an opening to review how identity management processes were running, including how user accounts were activated and deactivated and how group memberships were maintained. With the original SailPoint integration outside the vendor's standard support, Allica had a chance to step back and reassess the architecture rather than extend the existing setup.


The timing aligned well with wider strategic factors. Allica was approaching the end of its SailPoint contract and had room to get more value from its identity tooling. Microsoft had also recently released new Entra ID governance capabilities that offered a strong alternative to third-party tooling. Together these factors created an opportunity to rethink the identity architecture and shape something better suited to Allica's current and future needs.


A further opportunity sat alongside the JML work. Allica operated a number of disconnected applications, systems with no direct API integration and no Entra ID connection, where access was managed through manual processes. Bringing these into a consistent governance model would close gaps around access drift, entitlement enforcement and audit, and complement the JML automation.


Allica's immediate priority was to put reliable identity automation in place. The broader opportunity was to build a unified access governance model covering all applications, connected and disconnected, under a single operating framework.

What we did

The engagement began with investigation and stabilisation. The team first identified the root cause of the JML failures: a schema change introduced by the HR platform update had broken the integration used by SailPoint, causing several identity attributes and provisioning workflows to behave incorrectly. esynergy worked with Allica to prioritise the most urgent breakages, focusing immediate remediation on preventing incorrect account activation or deactivation and controlling access risks.

Once the environment was stabilised, the team designed a simplified architecture based entirely on Microsoft Entra ID governance capabilities. Instead of relying on SailPoint as an intermediary layer, identity lifecycle management was moved directly into the Microsoft ecosystem.

The technical implementation included several components. The HR platform was integrated directly with Entra ID to automate the creation of user accounts when new employees joined the organisation. Automated workflows were implemented to disable accounts immediately upon employee termination. Birthright group membership was introduced so that employees automatically received the baseline access required for their role. Additional automation handled specialised roles, ensuring that appropriate permissions were granted based on job function. When an employee changed roles, their specialised group memberships were replaced automatically to reflect the new position.

With JML processes restored and improved, the team then turned to the disconnected application problem. For these systems — where no API integration exists and access changes had relied entirely on manual effort — esynergy designed and built a Disconnected Application Access Management (DAAM) solution.

DAAM works by defining expected access centrally, using SharePoint to hold role-based access definitions and target system lists. A Logic Apps reconciliation engine compares the expected users for each system against the actual users extracted from those systems. Where discrepancies are found — users with access they should not have, or users missing access they require — the system automatically creates tickets in Jira and routes them to the appropriate teams for execution. The result is a consistent, auditable remediation workflow that removes the dependence on ad hoc manual reviews.
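The reconciliation step described above can be sketched as follows. This is an added example, not esynergy's or Allica's code: the data shapes, system names, team names, the `iam-triage` fallback and the rule that inactive accounts are expected nowhere are all assumptions, and plain dictionaries stand in for the SharePoint definitions, the per-system extracts and the Jira tickets.

```python
from collections import defaultdict

# Constructed sample data; every name and field here is an assumption for illustration.
ROLE_DEFINITIONS = {            # role -> disconnected systems that role is entitled to
    "payments-analyst": ["swift-portal", "card-console"],
    "credit-officer": ["bureau-portal"],
}
ROLE_ASSIGNMENTS = [            # (user, role, account still active?)
    ("alice@example.com", "payments-analyst", True),
    ("bob@example.com", "credit-officer", True),
    ("carol@example.com", "payments-analyst", False),   # leaver
]
ACTUAL_USERS = {                # per-system user extract, as exported from each system
    "swift-portal": ["Alice@Example.com ", "carol@example.com"],
    "card-console": ["dave@example.com"],
    "bureau-portal": ["bob@example.com"],
}
OWNING_TEAM = {"swift-portal": "payments-ops", "card-console": "payments-ops",
               "bureau-portal": "credit-ops"}

def normalise(user):
    """Extracts rarely agree on case or whitespace; compare on a canonical form."""
    return user.strip().lower()

def expected_access(definitions, assignments):
    """Expand role definitions into the set of users expected on each system."""
    expected = defaultdict(set)
    for user, role, active in assignments:
        if not active:          # assumption: leavers are expected nowhere
            continue
        for system in definitions.get(role, []):
            expected[system].add(normalise(user))
    return expected

def reconcile(definitions, assignments, actual, teams):
    """Return one ticket per discrepancy, in a deterministic order."""
    expected = expected_access(definitions, assignments)
    tickets = []
    for system in sorted(set(expected) | set(actual)):
        want = expected.get(system, set())
        have = {normalise(u) for u in actual.get(system, [])}
        # Excess access is revoked, missing access is granted.
        for action, users in (("revoke", have - want), ("grant", want - have)):
            for user in sorted(users):
                tickets.append({"system": system, "user": user, "action": action,
                                "team": teams.get(system, "iam-triage")})
    return tickets
```

Normalising identifiers before the comparison keeps a casing or whitespace mismatch in an extract from producing a paired revoke and grant ticket for the same person.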

Critically, the DAAM platform also mirrors those SharePoint-held role assignments into Entra ID groups. Disconnected applications therefore expose their access state through Entra in the same form as natively integrated systems. Downstream governance platforms — including Allica’s RiskSmart — can consume app role assignments for disconnected applications exactly as they would for connected ones, without bespoke connectors or manual workarounds.

Together, the two approaches create a complete identity governance model: preventative controls via HR-driven provisioning for connected systems, and detective and corrective controls via DAAM for disconnected ones. Progress across both workstreams was tracked through weekly steering sessions with Allica Bank's stakeholders.

“At first the brief looked like a straightforward integration repair. Once we stepped back and looked at the wider identity landscape, it became clear there was a simpler and more sustainable solution. By moving the Joiner, Mover, Leaver processes directly into Microsoft Entra ID governance — and extending that governance model to disconnected systems — Allica ended up with stronger, more comprehensive automation than they had before.”

Grant Ongers, Security practice lead, esynergy

Delivery of meaningful value

The engagement delivered both immediate operational improvements and long-term strategic value.

Most visibly, Allica regained stable identity lifecycle automation. JML processes now operate with a higher level of automation than the bank previously had — with account creation, role changes, and terminations all handled reliably and without manual intervention.

Compliance and governance also improved across the board. Microsoft licence assignments are now automatically aligned with employee roles. For disconnected systems, the DAAM reconciliation engine provides continuous evidence of access review — identifying anomalies and enforcing consistent remediation — which directly supports regulatory and internal audit requirements.

A further consequence is that disconnected applications now sit inside the same governance fabric as their connected counterparts. Because their role assignments are mirrored into Entra ID groups, platforms like RiskSmart treat every application identically — whether natively integrated with Entra or not. Allica gains a single, consistent view of entitlements across the entire estate, with no carve-outs in access reviews and no separate evidence trails for disconnected systems.

The architecture simplification delivered measurable cost benefits. By replacing SailPoint with native Entra ID governance functionality, Allica removed the associated licensing costs and reduced the number of systems the IT team must manage. Fewer systems means less operational overhead and greater organisational resilience — removing a third-party dependency reduces the risk of outages affecting employee access.

Beyond the technology itself, the engagement strengthened Allica’s internal capabilities. esynergy worked closely with the bank’s IAM team through a structured knowledge transfer programme, ensuring the team could continue evolving the automation independently as the organisation grows.

“Reliable identity lifecycle management is essential for a bank growing at our pace. The esynergy team helped us move beyond fixing a broken integration and instead rethink how the whole process should work. The result is a more resilient identity platform, stronger automation across both connected and disconnected systems, and a solution our internal teams can continue to evolve.”

Ravneet Shah, CTO, Allica Bank