Access Control Checklist
Quarterly access control review for IT operations and MSP teams. Covers identity lifecycle, privileged access, authentication enforcement, policy maintenance, and incident response — anchored to Entra ID / Active Directory and SSO-manage...
User Account Lifecycle
- Sync the IdP with the HR system of record
Reconcile Entra ID / Okta against Workday, BambooHR, or whichever HRIS is canonical. Flag mismatches: active in IdP but terminated in HR (offboarding gap), active in HR but no IdP account (provisioning gap). SCIM provisioning should make this small but rarely makes it zero.
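An added example (not part of this checklist) of the reconciliation step: two constructed exports, one from the IdP and one from the HRIS, are compared after UPN/email normalisation and the two gap classes named above are reported. Field names are assumptions about the export format.

```python
# Added example: IdP vs HRIS reconciliation on constructed sample exports.
# Field names ("upn", "enabled", "email", "status") are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Gaps:
    offboarding: frozenset   # active in IdP, terminated or absent in HR
    provisioning: frozenset  # active in HR, no enabled IdP account


def _norm(addr: str) -> str:
    """Match on a case-folded, whitespace-trimmed UPN/email."""
    return addr.strip().lower()


def reconcile(idp_users, hr_users) -> Gaps:
    """Set-difference the enabled IdP population against active HR staff."""
    idp_active = {_norm(u["upn"]) for u in idp_users if u["enabled"]}
    hr_active = {_norm(u["email"]) for u in hr_users if u["status"] == "active"}
    return Gaps(
        offboarding=frozenset(idp_active - hr_active),
        provisioning=frozenset(hr_active - idp_active),
    )


# Constructed sample exports.
IDP_EXPORT = [
    {"upn": "alice@example.com", "enabled": True},
    {"upn": "Bob@Example.com", "enabled": True},      # case differs from HR
    {"upn": "carol@example.com", "enabled": False},   # already disabled
    {"upn": "ghost@example.com", "enabled": True},    # left last month
]
HR_EXPORT = [
    {"email": "alice@example.com", "status": "active"},
    {"email": "bob@example.com", "status": "active"},
    {"email": "carol@example.com", "status": "terminated"},
    {"email": "ghost@example.com", "status": "terminated"},
    {"email": "dan@example.com", "status": "active"},   # started this week
]

if __name__ == "__main__":
    gaps = reconcile(IDP_EXPORT, HR_EXPORT)
    print("offboarding gap:", sorted(gaps.offboarding))
    print("provisioning gap:", sorted(gaps.provisioning))
```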
- Enforce password policy and block legacy auth
Confirm the Entra ID password policy aligns with NIST SP 800-63B (length over rotation cadence). Verify the Conditional Access policy blocking IMAP, POP, SMTP basic-auth, and ActiveSync legacy auth is still in report-only or enabled mode — attackers password-spray the legacy endpoints to bypass MFA entirely.
- Review pending account provisioning requests
Pull open new-hire and access-change tickets from ServiceNow / Halo PSA / Autotask. Confirm each request has a manager approval attached and lists the role / department for RBAC group assignment. Reject requests that say 'same as Bob' — clone-from-user grants are how access creep happens.
- Disable departing users on the scheduled date
For each departure on the HR list: disable (don't delete) the Entra ID account, revoke all active sessions, remove MFA registrations, and convert the mailbox to shared per the offboarding runbook. License revocation comes after mailbox conversion — flipping the order strands data.
Privileged Access and Permissions
- Document RBAC roles per critical system
For each Tier 0 and business-critical system (AD, Entra ID, M365, finance ERP, code repo, backup console), capture the role-to-group mapping in IT Glue or Hudu. Note any standing privilege that should be migrated to JIT elevation in the next quarter.
- Audit Domain Admin and Tier 0 membership
Pull current membership of Domain Admins, Enterprise Admins, Schema Admins, Global Administrators, and equivalents in Entra ID. Each member needs a justification on file. Helpdesk technicians in Domain Admins is the classic finding — pass-the-hash from one help-desk laptop = full domain compromise.
- Rotate service account credentials
Rotate non-managed service account passwords through CyberArk / Delinea / Keeper. For accounts running scheduled tasks or services, coordinate with the application owner — rotating without a restart plan breaks downstream services. Convert legacy service accounts to gMSAs where the OS supports it.
- Validate just-in-time elevation through PAM
Spot-check recent JIT elevation requests in Entra PIM, BeyondTrust, or CyberArk. Each elevation should have a ticket reference and an approver other than the requester. Sessions auto-expire — confirm none have been extended past the role's max activation window.
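An added example (not from this checklist or any PAM vendor) that applies the three spot-check conditions above to an exported list of JIT elevation records: ticket reference present, approver distinct from requester, and activation no longer than the role's maximum. The record fields, the per-role limits and the sample records are constructed assumptions.

```python
# Added example: validate exported JIT elevation records.
# Field names, role limits and sample data are assumptions.
from datetime import datetime, timedelta

ROLE_MAX_ACTIVATION = {             # assumed per-role policy, in hours
    "Global Administrator": 4,
    "Exchange Administrator": 8,
}


def check_elevation(rec: dict) -> list:
    """Return the findings for one elevation record (empty list = clean)."""
    findings = []
    if not rec.get("ticket"):
        findings.append("no ticket reference")
    if rec.get("approver") in (None, "", rec["requester"]):
        findings.append("self-approved or unapproved")
    active = datetime.fromisoformat(rec["end"]) - datetime.fromisoformat(rec["start"])
    limit = timedelta(hours=ROLE_MAX_ACTIVATION[rec["role"]])
    if active > limit:
        findings.append(f"active {active} exceeds role max {limit}")
    return findings


def audit(records) -> dict:
    """Map elevation id -> findings, keeping only records with issues."""
    return {r["id"]: f for r in records if (f := check_elevation(r))}


# Constructed sample export.
ELEVATIONS = [
    {"id": "e1", "role": "Global Administrator", "requester": "alice",
     "approver": "bob", "ticket": "CHG-1001",
     "start": "2024-05-06T09:00:00", "end": "2024-05-06T12:30:00"},
    {"id": "e2", "role": "Global Administrator", "requester": "carol",
     "approver": "carol", "ticket": "CHG-1002",            # self-approved
     "start": "2024-05-06T10:00:00", "end": "2024-05-06T13:00:00"},
    {"id": "e3", "role": "Exchange Administrator", "requester": "dan",
     "approver": "bob", "ticket": "",                      # no ticket, 10 h
     "start": "2024-05-07T08:00:00", "end": "2024-05-07T18:00:00"},
]

if __name__ == "__main__":
    for eid, issues in audit(ELEVATIONS).items():
        print(eid, "->", "; ".join(issues))
```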
Authentication and MFA
- Enforce MFA via Conditional Access policies
Confirm the baseline Conditional Access policy requires phishing-resistant MFA (FIDO2, Windows Hello for Business, or number-matching Authenticator) for all users. SMS and voice are no longer acceptable for admin roles per CISA guidance. Document any exclusion groups and the business reason.
- Configure session timeouts and revoke stale sessions
Verify sign-in frequency policies for admin roles (typically 4-8 hours) and standard users (1-30 days). Revoke long-lived refresh tokens for any user flagged as risky in Entra ID Identity Protection. For shared workstations, enforce screen-lock GPO at 10 minutes idle.
- Patch IdP agents and MFA endpoints
Check Okta Verify, Duo Authentication Proxy, ADFS connectors, and Entra Connect for available updates. IdP infrastructure is a SEV1 target — Lapsus$ and Scattered Spider both pivot through MFA-fatigue and IdP misconfig. Apply security updates within the standard change window, not the next quarter.
- Test the break-glass account quarterly
Keep two break-glass Global Admin accounts excluded from Conditional Access, with credentials in a sealed envelope (or split across a vault and a physical safe). Sign in from an admin workstation, confirm the account works, rotate the password, re-seal. If the break-glass account fails, document the gap before the next IdP outage tests it for you.
Policy and Documentation
- Update the access control policy document
Reflect any changes from the last quarter: new SaaS apps under SSO, deprecated systems, updated approval chains, new client tiers (for MSP teams). Map controls to SOC 2 CC6 and NIST SP 800-53 AC family if the org carries those attestations.
- Train staff on access control procedures
Push the quarterly KnowBe4 / Hoxhunt module on phishing and credential hygiene. Track completion through the LMS — repeat clickers from the prior simulation get manager-notified targeted remediation, not a generic re-send.
- Enforce ZTNA controls for remote access
Confirm remote access flows through the ZTNA gateway (Cloudflare Access, Zscaler ZPA, Twingate, Tailscale) with per-app authorization, not full-tunnel VPN with implicit network trust. For any legacy site-to-site VPN still in use, document the migration target.
Access Review and Incident Response
- Run the quarterly user access review
Send each manager their team's current entitlements via Entra Access Reviews or the equivalent IGA workflow. Pay attention to high-risk groups: file-share ACLs that contain Domain Users, shared mailbox delegations, and SaaS app admin roles. Flag orphan accounts (no manager, no recent sign-in) for remediation.
- Remediate orphan accounts and stale entitlements
For each finding from the access review: disable orphan accounts, remove the user from over-privileged groups, and document the change ticket. Coordinate with the application owner before removing access from active users — silent removal during business hours is the fastest way to escalate to a P1.
- Investigate access control incidents this quarter
Review the SIEM (Sentinel, Splunk, Sumo) for impossible-travel alerts, MFA-fatigue patterns, and privileged-group changes outside the change window. Pull the corresponding tickets — every alert should have a closure note with root cause, not a 'closed-no-action' status.
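An added example (not from this checklist or any SIEM vendor) of two of the checks named above, run over constructed sample events: a sliding-window count of denied or timed-out MFA pushes per user (the MFA-fatigue pattern) and Tier 0 group changes made outside the approved change window. The event shape, thresholds and change window are assumptions; real Sentinel/Splunk schemas differ.

```python
# Added example: MFA-fatigue and off-window privileged-change detection.
# Event fields, thresholds and the change window are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

TIER0_GROUPS = {"Domain Admins", "Global Administrators"}
CHANGE_WINDOW = (22, 2)   # assumed approved window: 22:00 to 02:00 local


def mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Users with >= threshold denied/timed-out pushes inside one window."""
    per_user = defaultdict(list)
    for e in events:
        if e["type"] == "mfa_push" and e["result"] in ("denied", "timeout"):
            per_user[e["user"]].append(datetime.fromisoformat(e["time"]))
    hits = set()
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):   # sliding window
            if times[i + threshold - 1] - times[i] <= window:
                hits.add(user)
                break
    return hits


def in_change_window(t: datetime) -> bool:
    start, end = CHANGE_WINDOW
    if start < end:
        return start <= t.hour < end
    return t.hour >= start or t.hour < end          # window wraps midnight


def priv_changes_outside_window(events):
    """Tier 0 membership changes whose timestamp is outside the window."""
    return [e for e in events
            if e["type"] == "group_change" and e["group"] in TIER0_GROUPS
            and not in_change_window(datetime.fromisoformat(e["time"]))]


# Constructed sample events: six pushes in seven minutes for alice,
# two spread-out pushes for bob, one daytime and one in-window change.
EVENTS = (
    [{"type": "mfa_push", "user": "alice", "result": "denied",
      "time": f"2024-05-06T03:{m:02d}:00"} for m in (1, 2, 3, 4, 5, 7)]
    + [{"type": "mfa_push", "user": "bob", "result": "denied",
        "time": f"2024-05-06T09:{m:02d}:00"} for m in (0, 30)]
    + [{"type": "group_change", "user": "svc-deploy", "group": "Domain Admins",
        "time": "2024-05-06T14:12:00"},
       {"type": "group_change", "user": "admin-bob", "group": "Domain Admins",
        "time": "2024-05-06T23:10:00"}]
)

if __name__ == "__main__":
    print("MFA-fatigue candidates:", sorted(mfa_fatigue(EVENTS)))
    print("off-window Tier 0 changes:", priv_changes_outside_window(EVENTS))
```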
- Apply corrective actions from incident findings
For each incident, file a corrective action: tighter Conditional Access scope, additional alerting rule, runbook update, or targeted user training. Owners and due dates land in the GRC tool (Vanta, Drata) so SOC 2 auditors can trace finding → remediation.
- Update the IR runbook with lessons learned
Capture playbook updates in IT Glue / Hudu / Confluence: new detection logic, escalation contacts, vendor support PINs, and revised RACI. The runbook gets exercised in the next tabletop — if it isn't updated here, the tabletop tests last quarter's reality.