Access Control Checklist
User Account Lifecycle
Reconcile Entra ID / Okta against Workday, BambooHR, or whichever HRIS is canonical. Flag mismatches: active in IdP but terminated in HR (offboarding gap), active in HR but no IdP account (provisioning gap). SCIM provisioning should make this small but rarely makes it zero.
Confirm the Entra ID password policy aligns with NIST SP 800-63B (length over rotation cadence). Verify the Conditional Access policy blocking IMAP, POP, SMTP basic-auth, and ActiveSync legacy auth is still enabled, or at minimum in report-only mode while its impact is assessed; report-only only logs what would have been blocked and is not a control on its own — attackers password-spray the legacy endpoints to bypass MFA entirely.
Pull open new-hire and access-change tickets from ServiceNow / Halo PSA / Autotask. Confirm each request has a manager approval attached and lists the role / department for RBAC group assignment. Reject requests that say 'same as Bob' — clone-from-user grants are how access creep happens.
For each departure on the HR list: disable (don't delete) the Entra ID account, revoke all active sessions, remove MFA registrations, and convert the mailbox to shared per the offboarding runbook. License revocation comes after mailbox conversion — flipping the order strands data.
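The HRIS-versus-IdP reconciliation described above, as an added example that is not part of the original checklist: both inputs are constructed rows shaped like a CSV export, the HRIS is treated as canonical for employment status, and the field names (employee_id, mail, status, account_enabled) and the join strategy (SCIM-populated employee id first, case-folded mail address as fallback) are assumptions.

```python
"""Reconcile an IdP account export against the HRIS export.

Added example; constructed data. The HRIS is canonical for who is employed,
the IdP is canonical for whether an account is enabled. Three gap classes:
  offboarding_gap  - terminated in HR, account still enabled in the IdP
  provisioning_gap - active in HR, no account in the IdP at all
  unowned          - enabled IdP account with no HR record behind it
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    mail: str
    status: str  # "active" or "terminated" (assumed vocabulary)


@dataclass(frozen=True)
class IdpAccount:
    employee_id: Optional[str]  # set by SCIM; often missing on hand-created accounts
    upn: str
    account_enabled: bool


# Constructed sample exports (not real people or tenants)
HRIS = [
    HrRecord("1001", "Alice.Ng@example.com", "active"),
    HrRecord("1002", "bob.ortiz@example.com", "terminated"),
    HrRecord("1003", "carol.tan@example.com", "active"),
    HrRecord("1004", "dave.ruiz@example.com", "terminated"),
]
IDP = [
    IdpAccount("1001", "alice.ng@example.com", True),
    IdpAccount("1002", "bob.ortiz@example.com", True),  # terminated but still enabled
    IdpAccount(None, "dave.ruiz@example.com", False),   # terminated and disabled: correct
    IdpAccount(None, "svc-backup@example.com", True),   # nobody in HR owns this account
]


def reconcile(hris, idp):
    """Return the three gap lists, each sorted, keyed by employee id or UPN."""
    by_id = {a.employee_id: a for a in idp if a.employee_id}
    by_mail = {a.upn.lower(): a for a in idp}
    matched_upns = set()
    offboarding, provisioning = [], []

    for person in hris:
        # Prefer the SCIM-written employee id; fall back to the mail address
        # so that case differences between systems do not produce false gaps.
        account = by_id.get(person.employee_id) or by_mail.get(person.mail.lower())
        if account is not None:
            matched_upns.add(account.upn.lower())
        if person.status == "terminated":
            if account is not None and account.account_enabled:
                offboarding.append(person.employee_id)
        elif person.status == "active":
            if account is None:
                provisioning.append(person.employee_id)

    unowned = [a.upn for a in idp if a.account_enabled and a.upn.lower() not in matched_upns]
    return {
        "offboarding_gap": sorted(offboarding),
        "provisioning_gap": sorted(provisioning),
        "unowned": sorted(unowned),
    }


if __name__ == "__main__":
    for gap, ids in reconcile(HRIS, IDP).items():
        print(f"{gap}: {ids}")
```

Accounts in the "unowned" list are not necessarily wrong (service accounts legitimately have no HR record), but each one should map to a named owner in the documentation system, which is the same standard the privileged-access section applies to group membership.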
Privileged Access and Permissions
For each Tier 0 and business-critical system (AD, Entra ID, M365, finance ERP, code repo, backup console), capture the role-to-group mapping in IT Glue or Hudu. Note any standing privilege that should be migrated to JIT elevation in the next quarter.
Pull current membership of Domain Admins, Enterprise Admins, Schema Admins, Global Administrators, and equivalents in Entra ID. Each member needs a justification on file. Help-desk technicians sitting in Domain Admins are the classic finding: with that membership, pass-the-hash from one compromised help-desk laptop means full domain compromise.
Rotate non-managed service account passwords through CyberArk / Delinea / Keeper. For accounts running scheduled tasks or services, coordinate with the application owner — rotating without a restart plan breaks downstream services. Convert legacy service accounts to gMSAs where the OS supports it.
Spot-check recent JIT elevation requests in Entra PIM, BeyondTrust, or CyberArk. Each elevation should have a ticket reference and an approver other than the requester. Sessions auto-expire — confirm none have been extended past the role's max activation window.
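The two checks above (a justification on file for every standing privileged member, and ticket, independent approver and activation length for each JIT elevation), as an added example that is not part of the original checklist. The membership export, justification register and PIM-style activation records are constructed, and the field names and per-role maximum activation windows are assumptions to replace with the tenant's own PIM settings.

```python
"""Audit standing privileged membership and JIT elevation records.

Added example with constructed inputs. Two functions:
  unjustified_members - privileged group members with no justification on file
  audit_elevations    - elevations missing a ticket, self-approved, or active
                        longer than the role's maximum activation window
"""
from datetime import datetime, timedelta

# Constructed membership export for Tier 0 groups/roles
PRIVILEGED_MEMBERS = {
    "Domain Admins": ["da-alice", "helpdesk-sam"],
    "Global Administrator": ["ga-alice", "breakglass-01", "breakglass-02"],
}

# Constructed justification register: member -> reference on file
JUSTIFICATIONS = {
    "da-alice": "CHG-0041",
    "ga-alice": "CHG-0041",
    "breakglass-01": "break-glass runbook",
    "breakglass-02": "break-glass runbook",
}

# Assumed per-role maximum activation windows (take these from PIM role settings)
MAX_ACTIVATION = {
    "Global Administrator": timedelta(hours=4),
    "Exchange Administrator": timedelta(hours=8),
}

# Constructed PIM-style activation records
ELEVATIONS = [
    {"id": "E1", "role": "Global Administrator", "requester": "alice", "approver": "bob",
     "ticket": "INC1001", "start": "2024-05-01T09:00:00+00:00", "end": "2024-05-01T12:00:00+00:00"},
    {"id": "E2", "role": "Global Administrator", "requester": "carol", "approver": "carol",
     "ticket": "INC1002", "start": "2024-05-01T09:00:00+00:00", "end": "2024-05-01T11:00:00+00:00"},
    {"id": "E3", "role": "Exchange Administrator", "requester": "dave", "approver": "erin",
     "ticket": "", "start": "2024-05-01T09:00:00+00:00", "end": "2024-05-01T10:00:00+00:00"},
    {"id": "E4", "role": "Global Administrator", "requester": "frank", "approver": "gina",
     "ticket": "INC1004", "start": "2024-05-01T09:00:00+00:00", "end": "2024-05-01T15:00:00+00:00"},
    {"id": "E5", "role": "Billing Administrator", "requester": "hana", "approver": "ivan",
     "ticket": "INC1005", "start": "2024-05-01T09:00:00+00:00", "end": "2024-05-01T10:00:00+00:00"},
]


def unjustified_members(members, justifications):
    """Every member of a privileged group needs a justification on file."""
    return sorted(
        f"{group}:{member}"
        for group, names in members.items()
        for member in names
        if member not in justifications
    )


def audit_elevations(elevations, max_activation):
    """Map elevation id -> list of problems; elevations with no problems are omitted."""
    findings = {}
    for e in elevations:
        problems = []
        if not e["ticket"].strip():
            problems.append("no ticket reference")
        if e["approver"] == e["requester"]:
            problems.append("self-approved")
        active = datetime.fromisoformat(e["end"]) - datetime.fromisoformat(e["start"])
        limit = max_activation.get(e["role"])
        if limit is None:
            # A role with no configured window cannot be checked; surface it rather than skip it.
            problems.append("no max activation window defined for role")
        elif active > limit:
            problems.append(f"active {active} exceeds max {limit}")
        if problems:
            findings[e["id"]] = problems
    return findings


if __name__ == "__main__":
    print("standing members without justification:", unjustified_members(PRIVILEGED_MEMBERS, JUSTIFICATIONS))
    for eid, problems in audit_elevations(ELEVATIONS, MAX_ACTIVATION).items():
        print(eid, "->", "; ".join(problems))
```

An elevation whose recorded end time exceeds the role's window is the signal for a session that was extended past its max activation; the record itself does not say whether the extension was approved, so the ticket reference is what the reviewer follows up on.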
Authentication and MFA
Confirm the baseline Conditional Access policy requires phishing-resistant MFA (FIDO2, Windows Hello for Business, or number-matching Authenticator) for all users. SMS and voice are no longer acceptable for admin roles per CISA guidance. Document any exclusion groups and the business reason.
Verify sign-in frequency policies for admin roles (typically 4-8 hours) and standard users (1-30 days). Revoke long-lived refresh tokens for any user flagged as risky in Entra ID Identity Protection. For shared workstations, enforce screen-lock GPO at 10 minutes idle.
Check Okta Verify, Duo Authentication Proxy, ADFS connectors, and Entra Connect for available updates. IdP infrastructure is a SEV1 target — Lapsus$ and Scattered Spider both pivot through MFA-fatigue and IdP misconfig. Apply security updates within the standard change window, not the next quarter.
Confirm the two break-glass Global Admin accounts are excluded from Conditional Access and that their credentials are held in a sealed envelope (or split across a vault and a physical safe). Sign in from an admin workstation, confirm the account works, rotate the password, re-seal. If the break-glass account fails, document the gap before the next IdP outage tests it for you.
Policy and Documentation
Update the access control policy and supporting documentation to reflect any changes from the last quarter: new SaaS apps under SSO, deprecated systems, updated approval chains, new client tiers (for MSP teams). Map controls to SOC 2 CC6 and NIST SP 800-53 AC family if the org carries those attestations.
Push the quarterly KnowBe4 / Hoxhunt module on phishing and credential hygiene. Track completion through the LMS — repeat clickers from the prior simulation get manager-notified targeted remediation, not a generic re-send.
Confirm remote access flows through the ZTNA gateway (Cloudflare Access, Zscaler ZPA, Twingate, Tailscale) with per-app authorization, not full-tunnel VPN with implicit network trust. For any legacy site-to-site VPN still in use, document the migration target.
Access Review and Incident Response
Send each manager their team's current entitlements via Entra Access Reviews or the equivalent IGA workflow. Pay attention to high-risk groups: file-share ACLs that contain Domain Users, shared mailbox delegations, and SaaS app admin roles. Flag orphan accounts (no manager, no recent sign-in) for remediation.
For each finding from the access review: disable orphan accounts, remove the user from over-privileged groups, and document the change ticket. Coordinate with the application owner before removing access from active users — silent removal during business hours is the fastest way to escalate to a P1.
Review the SIEM (Sentinel, Splunk, Sumo) for impossible-travel alerts, MFA-fatigue patterns, and privileged-group changes outside the change window. Pull the corresponding tickets — every alert should have a closure note with root cause, not a 'closed-no-action' status.
For each incident, file a corrective action: tighter Conditional Access scope, additional alerting rule, runbook update, or targeted user training. Owners and due dates land in the GRC tool (Vanta, Drata) so SOC 2 auditors can trace finding → remediation.
Capture playbook updates in IT Glue / Hudu / Confluence: new detection logic, escalation contacts, vendor support PINs, and revised RACI. The runbook gets exercised in the next tabletop — if it isn't updated here, the tabletop tests last quarter's reality.
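The three SIEM checks named in the incident-response item (impossible travel, MFA-fatigue patterns, privileged-group changes outside the change window), as an added example that is not part of the original checklist. The sign-in and audit rows imitate the fields an Entra sign-in export carries but are constructed; the thresholds (900 km/h, five denied or ignored prompts in ten minutes, an 18:00 to 22:00 UTC change window) are assumptions to tune against the tenant's real baseline.

```python
"""Identity detections over constructed sign-in and audit events.

Added example. Each function returns its findings so the output can be
checked; none of the thresholds are vendor defaults.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in rows: user, ISO time, approximate location, MFA outcome
SIGN_INS = [
    # alice: London at 08:00, New York at 08:40 -> impossible travel
    {"user": "alice", "time": "2024-05-01T08:00:00+00:00", "lat": 51.51, "lon": -0.13, "mfa": "approved"},
    {"user": "alice", "time": "2024-05-01T08:40:00+00:00", "lat": 40.71, "lon": -74.01, "mfa": "approved"},
    # carol: London, then Paris three hours later -> plausible
    {"user": "carol", "time": "2024-05-01T09:00:00+00:00", "lat": 51.51, "lon": -0.13, "mfa": "approved"},
    {"user": "carol", "time": "2024-05-01T12:00:00+00:00", "lat": 48.86, "lon": 2.35, "mfa": "approved"},
]
# bob: five push prompts denied within eight minutes -> fatigue pattern
SIGN_INS += [
    {"user": "bob", "time": f"2024-05-01T22:{m:02d}:00+00:00", "lat": 52.52, "lon": 13.40, "mfa": "denied"}
    for m in (10, 12, 13, 15, 18)
]
# dave: two denied prompts -> below threshold
SIGN_INS += [
    {"user": "dave", "time": f"2024-05-01T14:{m:02d}:00+00:00", "lat": 52.52, "lon": 13.40, "mfa": "denied"}
    for m in (0, 5)
]

# Constructed audit rows for privileged-group membership changes
PRIV_CHANGES = [
    {"id": "AUD-1", "group": "Domain Admins", "actor": "helpdesk-sam", "time": "2024-05-01T03:15:00+00:00"},
    {"id": "AUD-2", "group": "Global Administrator", "actor": "ga-alice", "time": "2024-05-01T19:30:00+00:00"},
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def _by_user(events):
    grouped = defaultdict(list)
    for e in events:
        grouped[e["user"]].append(e)
    for rows in grouped.values():
        rows.sort(key=lambda e: _t(e["time"]))
    return grouped


def impossible_travel(events, max_kmh=900.0):
    """(user, earlier time, later time, km/h) for consecutive sign-ins faster than max_kmh."""
    findings = []
    for user, rows in _by_user(events).items():
        for a, b in zip(rows, rows[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            hours = (_t(b["time"]) - _t(a["time"])).total_seconds() / 3600
            if hours == 0:
                speed = math.inf if km > 0 else 0.0  # same instant, different place
            else:
                speed = km / hours
            if speed > max_kmh:
                findings.append((user, a["time"], b["time"], round(speed)))
    return findings


def mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` denied/ignored prompts inside any `window`."""
    flagged = []
    for user, rows in _by_user(events).items():
        times = [_t(e["time"]) for e in rows if e["mfa"] in ("denied", "ignored")]
        start = 0
        for end in range(len(times)):  # sliding window over sorted prompt times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)


def out_of_window_changes(changes, start_hour=18, end_hour=22):
    """Audit ids for privileged-group changes made outside the UTC change window."""
    return [c["id"] for c in changes if not (start_hour <= _t(c["time"]).hour < end_hour)]


if __name__ == "__main__":
    print("impossible travel:", impossible_travel(SIGN_INS))
    print("mfa fatigue:", mfa_fatigue(SIGN_INS))
    print("out-of-window changes:", out_of_window_changes(PRIV_CHANGES))
```

Each finding these functions return is the thing that needs a ticket with a closure note: the impossible-travel pair, the user whose prompts were denied in a burst, and the audit id of the off-hours group change are the root-cause references the closure note should carry rather than "closed, no action".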
