Access Control Checklist
Quarterly access control review for IT operations and MSP teams. Covers identity lifecycle, privileged access, authentication enforcement, policy maintenance, and incident response — anchored to Entra ID / Active Directory and SSO-managed SaaS.
User Account Lifecycle
- Sync the IdP with the HR system of record
Reconcile Entra ID / Okta against Workday, BambooHR, or whichever HRIS is canonical. Flag mismatches: active in IdP but terminated in HR (offboarding gap), active in HR but no IdP account (provisioning gap). SCIM provisioning should make this small but rarely makes it zero.
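The reconciliation described above, as an added example that is not part of the original checklist: it matches a constructed IdP export against a constructed HRIS export (employee ID first, e-mail as fallback) and reports offboarding gaps, provisioning gaps, and IdP accounts with no HR owner. Field names and the sample records are assumptions, not any vendor's export format.

```python
"""Reconcile an IdP user export against the HRIS worker export to find lifecycle gaps."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class IdpUser:
    employee_id: str   # empty string when the IdP object carries no HR id
    upn: str
    enabled: bool


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    email: str
    status: str                 # "active" or "terminated"
    term_date: Optional[date]   # None for active workers


# Constructed sample data; in practice these come from the Entra ID / Okta
# user export and the Workday / BambooHR worker export.
IDP_USERS = [
    IdpUser("E100", "alice@corp.example", True),
    IdpUser("E101", "bob@corp.example", True),       # terminated in HR: offboarding gap
    IdpUser("E102", "carol@corp.example", False),    # terminated and already disabled: fine
    IdpUser("", "svc-backup@corp.example", True),    # no HR owner at all: needs an owner on file
]
HR_RECORDS = [
    HrRecord("E100", "Alice@Corp.example", "active", None),   # case differs: matched by id
    HrRecord("E101", "bob@corp.example", "terminated", date(2024, 3, 1)),
    HrRecord("E102", "carol@corp.example", "terminated", date(2024, 2, 1)),
    HrRecord("E103", "dave@corp.example", "active", None),    # no IdP account: provisioning gap
]


def reconcile(idp, hr, today=date(2024, 4, 1)):
    """Return findings keyed by type: offboarding_gap, provisioning_gap, unmatched_idp."""
    by_id = {u.employee_id: u for u in idp if u.employee_id}
    by_upn = {u.upn.lower(): u for u in idp}
    findings = {"offboarding_gap": [], "provisioning_gap": [], "unmatched_idp": []}
    matched = set()
    for rec in hr:
        user = by_id.get(rec.employee_id) or by_upn.get(rec.email.lower())
        if user is None:
            if rec.status == "active":
                findings["provisioning_gap"].append(rec.employee_id)
            continue
        matched.add(user.upn.lower())
        # A future-dated termination is not yet a gap; an enabled account past it is.
        gone = rec.status == "terminated" and (rec.term_date is None or rec.term_date <= today)
        if gone and user.enabled:
            findings["offboarding_gap"].append(user.upn)
    findings["unmatched_idp"] = sorted(u.upn for u in idp if u.upn.lower() not in matched)
    return findings
```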
- Enforce password policy and block legacy auth
Confirm the Entra ID password policy aligns with NIST SP 800-63B (favour length over rotation cadence). Verify the Conditional Access policy blocking IMAP, POP, SMTP basic-auth, and ActiveSync legacy auth is still in report-only or enabled mode, keeping in mind that report-only only logs what would have been blocked and only enabled mode actually blocks — attackers password-spray the legacy endpoints to bypass MFA entirely.
- Review pending account provisioning requests
Pull open new-hire and access-change tickets from ServiceNow / Halo PSA / Autotask. Confirm each request has a manager approval attached and lists the role / department for RBAC group assignment. Reject requests that say 'same as Bob' — clone-from-user grants are how access creep happens.
- Disable departing users on the scheduled date
For each departure on the HR list: disable (don't delete) the Entra ID account, revoke all active sessions, remove MFA registrations, and convert the mailbox to shared per the offboarding runbook. License revocation comes after mailbox conversion — flipping the order strands data.
Privileged Access and Permissions
- Document RBAC roles per critical system
For each Tier 0 and business-critical system (AD, Entra ID, M365, finance ERP, code repo, backup console), capture the role-to-group mapping in IT Glue or Hudu. Note any standing privilege that should be migrated to JIT elevation in the next quarter.
- Audit Domain Admin and Tier 0 membership
Pull current membership of Domain Admins, Enterprise Admins, Schema Admins, Global Administrators, and their equivalents in Entra ID. Each member needs a justification on file. Help-desk technicians sitting in Domain Admins is the classic finding — pass-the-hash from one help-desk laptop equals full domain compromise.
- Rotate service account credentials
Rotate non-managed service account passwords through CyberArk / Delinea / Keeper. For accounts running scheduled tasks or services, coordinate with the application owner — rotating without a restart plan breaks downstream services. Convert legacy service accounts to gMSAs where the OS supports it.
- Validate just-in-time elevation through PAM
Spot-check recent JIT elevation requests in Entra PIM, BeyondTrust, or CyberArk. Each elevation should have a ticket reference and an approver other than the requester. Sessions auto-expire — confirm none have been extended past the role's max activation window.
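The three spot-checks above (ticket reference, approver other than the requester, no activation beyond the role's maximum window) as an added example that is not part of the original checklist or of any PAM product. The ticket-id pattern, the role limits, and the sample elevation records are constructed assumptions; take the real values from your PIM role settings and ticketing system.

```python
"""Spot-check JIT elevation records against the three controls in the checklist item."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

TICKET_RE = re.compile(r"^(INC|CHG|RITM)\d{6,}$")   # constructed ticket-id format

# Role -> maximum activation window. Constructed values; read yours from PIM role settings.
MAX_ACTIVATION = {
    "Global Administrator": timedelta(hours=2),
    "Domain Admins": timedelta(hours=4),
}


@dataclass(frozen=True)
class Elevation:
    request_id: str
    role: str
    requester: str
    approver: str
    ticket: str
    start: datetime
    end: datetime      # actual expiry, including any extensions


def check_elevation(e):
    """Return the list of control failures for one record (empty list means it passes)."""
    failures = []
    if not TICKET_RE.match(e.ticket):
        failures.append("missing or malformed ticket reference")
    if not e.approver or e.approver.lower() == e.requester.lower():
        failures.append("self-approved or unapproved")
    limit = MAX_ACTIVATION.get(e.role)
    if limit is None:
        failures.append("role has no documented max activation window")
    elif e.end - e.start > limit:
        failures.append(f"active {e.end - e.start} exceeds max {limit}")
    return failures


def review(elevations):
    """Map request_id -> failures, listing only records that fail at least one check."""
    return {e.request_id: f for e in elevations if (f := check_elevation(e))}


# Constructed sample records: R1 is clean, R2 fails every check.
SAMPLE = [
    Elevation("R1", "Global Administrator", "alice", "bob", "CHG0012345",
              datetime(2024, 4, 1, 9, 0), datetime(2024, 4, 1, 10, 30)),
    Elevation("R2", "Domain Admins", "carol", "carol", "same as last time",
              datetime(2024, 4, 2, 8, 0), datetime(2024, 4, 2, 18, 0)),
]
```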
Authentication and MFA
- Enforce MFA via Conditional Access policies
Confirm the baseline Conditional Access policy requires phishing-resistant MFA (FIDO2, Windows Hello for Business, or number-matching Authenticator) for all users. SMS and voice are no longer acceptable for admin roles per CISA guidance. Document any exclusion groups and the business reason.
- Configure session timeouts and revoke stale sessions
Verify sign-in frequency policies for admin roles (typically 4-8 hours) and standard users (1-30 days). Revoke long-lived refresh tokens for any user flagged as risky in Entra ID Identity Protection. For shared workstations, enforce screen-lock GPO at 10 minutes idle.
- Patch IdP agents and MFA endpoints
Check Okta Verify, Duo Authentication Proxy, ADFS connectors, and Entra Connect for available updates. IdP infrastructure is a SEV1 target — Lapsus$ and Scattered Spider both pivot through MFA-fatigue and IdP misconfig. Apply security updates within the standard change window, not the next quarter.
- Test the break-glass account quarterly
Keep two break-glass Global Admin accounts excluded from Conditional Access, with credentials in a sealed envelope (or split across a vault and a physical safe). Sign in from an admin workstation, confirm the account works, rotate the password, and re-seal. If the break-glass account fails, document the gap before the next IdP outage tests it for you.
Policy and Documentation
- Update the access control policy document
Reflect any changes from the last quarter: new SaaS apps under SSO, deprecated systems, updated approval chains, new client tiers (for MSP teams). Map controls to SOC 2 CC6 and NIST SP 800-53 AC family if the org carries those attestations.
- Train staff on access control procedures
Push the quarterly KnowBe4 / Hoxhunt module on phishing and credential hygiene. Track completion through the LMS — repeat clickers from the prior simulation get manager-notified targeted remediation, not a generic re-send.
- Enforce ZTNA controls for remote access
Confirm remote access flows through the ZTNA gateway (Cloudflare Access, Zscaler ZPA, Twingate, Tailscale) with per-app authorization, not full-tunnel VPN with implicit network trust. For any legacy site-to-site VPN still in use, document the migration target.
Access Review and Incident Response
- Run the quarterly user access review
Send each manager their team's current entitlements via Entra Access Reviews or the equivalent IGA workflow. Pay attention to high-risk groups: file-share ACLs that contain Domain Users, shared mailbox delegations, and SaaS app admin roles. Flag orphan accounts (no manager, no recent sign-in) for remediation.
- Remediate orphan accounts and stale entitlements
For each finding from the access review: disable orphan accounts, remove the user from over-privileged groups, and document the change ticket. Coordinate with the application owner before removing access from active users — silent removal during business hours is the fastest way to escalate to a P1.
- Investigate access control incidents this quarter
Review the SIEM (Sentinel, Splunk, Sumo) for impossible-travel alerts, MFA-fatigue patterns, and privileged-group changes outside the change window. Pull the corresponding tickets — every alert should have a closure note with root cause, not a 'closed-no-action' status.
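Two of the detections named above, run over constructed events, as an added example that is not part of the original checklist or any SIEM's rule language: an MFA-fatigue pattern (repeated denied prompts for one user inside a sliding window) and a privileged-group addition outside the change window. The event schema, thresholds, and change-window hours are assumptions; map them to your sign-in and audit log fields.

```python
"""MFA-fatigue and out-of-window privileged-group-change detections over constructed events."""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Global Administrator"}
# Constructed change window (18:00-22:00); timestamps below are naive and in the same zone.
WINDOW_START, WINDOW_END = time(18, 0), time(22, 0)


def mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Users with >= threshold denied MFA prompts inside any sliding window of `window`."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "mfa_denied":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop prompts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ev["user"])
    return flagged


def out_of_window_group_changes(events):
    """Privileged group additions outside the change window, as (actor, group) tuples."""
    hits = []
    for ev in events:
        if ev["event"] == "group_member_added" and ev["group"] in PRIVILEGED:
            if not (WINDOW_START <= ev["ts"].time() <= WINDOW_END):
                hits.append((ev["actor"], ev["group"]))
    return hits


# Constructed sample: alice gets six push denials in six minutes at 03:00 (fatigue pattern),
# bob gets one denial per hour (normal noise), and two Domain Admins additions occur,
# one at 03:07 outside the window and one at 19:00 inside it.
T0 = datetime(2024, 4, 2, 3, 0)
SAMPLE = [{"ts": T0 + timedelta(minutes=i), "user": "alice", "event": "mfa_denied"} for i in range(6)]
SAMPLE += [{"ts": T0 + timedelta(hours=i), "user": "bob", "event": "mfa_denied"} for i in range(6)]
SAMPLE += [
    {"ts": datetime(2024, 4, 2, 3, 7), "event": "group_member_added",
     "actor": "helpdesk1", "group": "Domain Admins"},
    {"ts": datetime(2024, 4, 2, 19, 0), "event": "group_member_added",
     "actor": "admin1", "group": "Domain Admins"},
]
```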
- Apply corrective actions from incident findings
For each incident, file a corrective action: tighter Conditional Access scope, additional alerting rule, runbook update, or targeted user training. Owners and due dates land in the GRC tool (Vanta, Drata) so SOC 2 auditors can trace finding → remediation.
- Update the IR runbook with lessons learned
Capture playbook updates in IT Glue / Hudu / Confluence: new detection logic, escalation contacts, vendor support PINs, and revised RACI. The runbook gets exercised in the next tabletop — if it isn't updated here, the tabletop tests last quarter's reality.