Security Audit Checklist
Quarterly security audit a sysadmin or MSP runs across identity, network, data, software, and incident response domains. Captures findings, drives remediation tickets, and produces sign-off evidence for SOC 2, HIPAA, or internal ITGC review.
Access Control and Identity Hygiene
- Pull the Entra ID and AD account inventory
Export the full account list from Entra ID (Get-MgUser) and on-prem AD (Get-ADUser). Reconcile against the HR system of record — orphan accounts almost always live in the gap between IT and HR exports.
- Review Tier 0 and privileged group membership
Audit Domain Admins, Enterprise Admins, Global Admins, and any custom privileged role groups. Standing membership should be near-zero — privileged access belongs in PAM (CyberArk, Delinea) with JIT elevation, not as a permanent group assignment.
- Confirm MFA enforcement and block legacy auth
Verify the conditional access policy blocks IMAP, POP, SMTP AUTH, and other legacy protocols org-wide. MFA on the front door is meaningless if attackers can password-spray a basic-auth endpoint that bypasses it.
- Disable accounts inactive over 90 days
Pull last-sign-in data from Entra ID sign-in logs and AD lastLogonTimestamp. Disable (do not delete) so the audit trail is preserved. Flag service accounts separately — they may show no interactive sign-in but still be in active use.
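The two identity steps above (reconcile the directory export against HR, then flag accounts with no sign-in in 90 days while treating service accounts separately) reduce to a small reconciliation script. The following is an added example, not code from the checklist or from any vendor: the account rows and the HR list are constructed sample data, and the `service` flag is assumed to come from whatever naming convention or attribute the organization uses to mark service accounts.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample exports, not real directory data. In practice the IT side
# comes from Get-MgUser / Get-ADUser and the HR side from the system of record.
IT_ACCOUNTS = [
    {"upn": "alice@example.test", "enabled": True, "last_sign_in": "2024-05-28T09:12:00Z", "service": False},
    {"upn": "bob@example.test", "enabled": True, "last_sign_in": "2024-01-03T17:40:00Z", "service": False},
    {"upn": "carol@example.test", "enabled": True, "last_sign_in": "2024-05-30T08:00:00Z", "service": False},
    {"upn": "svc-backup@example.test", "enabled": True, "last_sign_in": None, "service": True},
    {"upn": "dave@example.test", "enabled": False, "last_sign_in": "2023-11-10T12:00:00Z", "service": False},
]
HR_ACTIVE = {"alice@example.test", "bob@example.test", "dave@example.test"}

AUDIT_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)
INACTIVITY_DAYS = 90


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z; None stays None (never signed in)."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_orphans(it_accounts, hr_active):
    """Enabled human accounts with no active HR record.

    Service accounts are excluded here because they legitimately have no HR
    owner; they are handled by find_inactive() instead.
    """
    return sorted(
        a["upn"] for a in it_accounts
        if a["enabled"] and not a["service"] and a["upn"] not in hr_active
    )


def find_inactive(it_accounts, audit_date=AUDIT_DATE, days=INACTIVITY_DAYS):
    """Enabled accounts with no sign-in inside the window.

    Human accounts go to the disable list; service accounts go to a manual
    review list, because a missing interactive sign-in does not mean unused.
    """
    cutoff = audit_date - timedelta(days=days)
    disable, review = [], []
    for a in it_accounts:
        if not a["enabled"]:
            continue  # already disabled; leave it in place for the audit trail
        last = parse_ts(a["last_sign_in"])
        if last is not None and last >= cutoff:
            continue  # active inside the window
        (review if a["service"] else disable).append(a["upn"])
    return sorted(disable), sorted(review)


def build_actions(it_accounts=IT_ACCOUNTS, hr_active=HR_ACTIVE, audit_date=AUDIT_DATE):
    """Produce (upn, action) pairs ready to become remediation tickets."""
    actions = []
    for upn in find_orphans(it_accounts, hr_active):
        actions.append((upn, "orphan: no active HR record; confirm with HR, then disable"))
    disable, review = find_inactive(it_accounts, audit_date)
    for upn in disable:
        actions.append((upn, f"no sign-in in {INACTIVITY_DAYS} days; disable, do not delete"))
    for upn in review:
        actions.append((upn, "service account with no interactive sign-in; verify usage with its owner"))
    return actions


if __name__ == "__main__":
    for upn, action in build_actions():
        print(f"{upn}: {action}")
```

With the sample data, `carol` is the orphan (enabled, recent sign-in, no HR record), `bob` is the disable candidate, and `svc-backup` lands on the review list rather than the disable list. The already-disabled `dave` is left alone, which is what "disable, do not delete" implies for the audit trail.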
- Audit sign-in logs for impossible travel
Pull the last 30 days of risky sign-ins from Entra ID Identity Protection or your SIEM. Investigate impossible-travel, anonymous IP, and unfamiliar-location alerts. Confirm any auto-remediated accounts were verified with the user, not silently restored.
Network Security
- Review firewall rule base for stale entries
Pull the rule base from Fortinet, Palo Alto, or Meraki and sort by hit count. Any rule with zero hits over 90 days is a remediation candidate — most are leftovers from departed vendors or one-off troubleshooting that never got cleaned up.
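The stale-rule review above is easy to get wrong in two ways: a rule created last week with zero hits is not stale yet, and a cumulative hit counter says nothing about when the hits happened. The script below is an added example, not vendor code or part of the checklist; the rule rows are constructed, and the field names (`created`, `hits`, `last_hit`) are assumptions about what the Fortinet, Palo Alto, or Meraki export provides.

```python
from datetime import date, timedelta

# Constructed rule-base export, not a real firewall dump. Each row carries what
# the audit needs: creation date, cumulative hit counter, and last-hit date.
RULES = [
    {"name": "allow-vpn-users", "action": "allow", "created": date(2023, 1, 15), "hits": 12000, "last_hit": date(2024, 5, 31)},
    {"name": "tmp-vendor-acme-rdp", "action": "allow", "created": date(2023, 8, 1), "hits": 0, "last_hit": None},
    {"name": "new-sftp-partner", "action": "allow", "created": date(2024, 5, 20), "hits": 0, "last_hit": None},
    {"name": "legacy-smtp-relay", "action": "allow", "created": date(2022, 3, 10), "hits": 340, "last_hit": date(2023, 12, 1)},
    {"name": "dr-site-replication", "action": "allow", "created": date(2022, 6, 1), "hits": 0, "last_hit": None},
]
AUDIT_DATE = date(2024, 6, 1)
WINDOW_DAYS = 90


def stale_rules(rules, audit_date=AUDIT_DATE, window_days=WINDOW_DAYS):
    """Return (name, reason) for rules with no hits inside the window, lowest
    hit count first.

    Two checks keep the list honest:
      * a rule younger than the window is skipped; zero hits on a week-old rule
        says nothing yet.
      * last_hit decides, not the cumulative counter: legacy-smtp-relay has 340
        hits but none inside the window, so it is still a candidate.
    The output is a review list. A zero-hit rule can be intentional (a DR or
    standby path); such rules need an exception record, not silent removal.
    """
    cutoff = audit_date - timedelta(days=window_days)
    out = []
    for r in rules:
        if r["created"] > cutoff:
            continue  # too new to judge
        if r["last_hit"] is not None and r["last_hit"] >= cutoff:
            continue  # matched traffic inside the window
        if r["last_hit"] is None:
            reason = "never matched traffic since creation"
        else:
            reason = f"last hit {r['last_hit'].isoformat()}, more than {window_days} days ago"
        out.append((r["hits"], r["name"], reason))
    out.sort()
    return [(name, reason) for _, name, reason in out]


if __name__ == "__main__":
    for name, reason in stale_rules(RULES):
        print(f"{name}: {reason}")
```

On the sample data the week-old `new-sftp-partner` is correctly left out, while `legacy-smtp-relay` is flagged despite its 340 lifetime hits.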
- Verify network device firmware versions
Walk switches, routers, APs, and firewalls against the vendor's current recommended release (not necessarily latest — vendor advisories often flag a specific stable train). Document any device deferred for an upcoming maintenance window.
- Audit VPN and ZTNA configurations
Confirm split-tunnel exclusions don't expose internal subnets to home networks, and that legacy full-tunnel VPN users are migrated to ZTNA per-app authorization. Revoke certificates for departed users; orphan VPN certs are a recurring offboarding gap.
- Scan external interfaces for open ports
Run an external Nmap or Tenable scan against all public IPs. Any open port that isn't tied to a documented service is a finding. RDP and SMB exposed to the internet are immediate P1 escalations regardless of audit cadence.
- Close unused ports and file an exception record
Submit a standard change to close each unjustified port. For any port that must remain open, file an exception in the GRC tool with a named owner, business justification, and review date. No-justification + no-exception = remediate now.
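The two steps above (scan, then classify each open port as documented, excepted, or a finding, with RDP and SMB as automatic P1s) can be checked mechanically against the GRC exception register. The following is an added example, not part of the checklist or any vendor tool: the scan text is constructed in Nmap's grepable (`-oG`) layout using RFC 5737 documentation addresses, and the documented-service set and exception register are assumed to be exported from the CMDB and GRC tool in the shape shown.

```python
from datetime import date

# Constructed Nmap grepable (-oG) output, not a real scan. Port entries follow
# -oG's layout: port/state/proto/owner/service/rpc/version/
SCAN_OUTPUT = """\
# constructed sample, not real scan output
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 203.0.113.11 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (999)
Host: 203.0.113.12 ()\tPorts: 25/open/tcp//smtp///, 8080/open/tcp//http-proxy///, 8443/filtered/tcp//https-alt///\tIgnored State: closed (997)
"""

# Constructed: (ip, port) pairs tied to a documented service in the CMDB.
DOCUMENTED = {("203.0.113.10", 443), ("203.0.113.12", 25)}
# Constructed: GRC exception records with a named owner, justification, and review date.
EXCEPTIONS = {
    ("203.0.113.10", 22): {"owner": "infra-team", "justification": "SFTP drop for partner", "review_date": date(2024, 12, 31)},
    ("203.0.113.12", 8080): {"owner": "app-team", "justification": "legacy proxy", "review_date": date(2024, 3, 1)},
}
# The checklist names RDP and SMB as immediate P1 escalations regardless of records.
P1_PORTS = {3389: "RDP", 445: "SMB"}
AUDIT_DATE = date(2024, 6, 1)


def parse_grepable(text):
    """Return {ip: [(port, proto, service), ...]} for open ports only."""
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and trailer
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
                if state == "open":
                    open_ports.setdefault(host, []).append((port, proto, service))
    return open_ports


def audit_exposure(text, documented, exceptions, audit_date=AUDIT_DATE):
    """Classify each open port: P1, finding, or nothing (documented / valid exception)."""
    findings = []
    for host, ports in sorted(parse_grepable(text).items()):
        for port, proto, service in ports:
            key = (host, port)
            if port in P1_PORTS:
                findings.append((host, port, service, "P1",
                                 f"{P1_PORTS[port]} exposed to the internet; escalate immediately"))
            elif key in documented:
                continue
            elif key in exceptions:
                exc = exceptions[key]
                if exc["review_date"] < audit_date:  # an expired exception is no exception
                    findings.append((host, port, service, "finding",
                                     f"exception expired {exc['review_date'].isoformat()} "
                                     f"(owner {exc['owner']}); renew or submit change to close"))
            else:
                findings.append((host, port, service, "finding",
                                 "open port with no documented service or exception; submit change to close"))
    return findings


if __name__ == "__main__":
    for host, port, service, severity, action in audit_exposure(SCAN_OUTPUT, DOCUMENTED, EXCEPTIONS):
        print(f"[{severity}] {host}:{port} ({service}): {action}")
```

The expired exception on port 8080 is reported as a finding rather than silently accepted, which is the "no-justification + no-exception = remediate now" rule applied to exceptions that have lapsed; the filtered 8443 is ignored because only `open` states count.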
Data Protection and Backup
- Verify encryption at rest on file shares
Confirm BitLocker on Windows file servers, LUKS or native encryption on Linux, and storage-level encryption on the SAN/NAS. Validate that recovery keys are escrowed (Entra ID for BitLocker, vault for LUKS) — a key you can't recover is encryption that fails the auditor.
- Run a backup restore drill
Pick a representative VM and a representative file share and restore both into an isolated environment from Veeam, Datto, or Rubrik. Time the restore against the documented RTO. A green backup dashboard means nothing if the restore fails — this is the only step that proves the backup is usable.
- Open a P1 ticket with the backup vendor
A failed restore drill is a P1. Page the on-call engineer, open a vendor ticket, and trigger the BCP communication path to leadership. Do not close this audit until the underlying cause is identified and a follow-up restore succeeds.
- Confirm the immutable offsite copy exists
Validate the 3-2-1 setup end to end: 3 copies, 2 media types, 1 immutable offsite (object lock, write-once tape, or separate cloud account with no production credentials). Ransomware-resilient backup is only ransomware-resilient if production cannot write or delete the offsite copy.
- Audit access to PHI and PII shares
Pull NTFS / share permissions on regulated data shares and reconcile against the role matrix. Watch for Domain Users, Authenticated Users, or Everyone in the ACL — these are the recurring HIPAA and PCI findings that auditors flag in 30 seconds.
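The ACL reconciliation described above is mostly a set comparison: every ACE on a regulated share is either a broad principal (always a finding), an approved role from the matrix, or something unexplained. The script below is an added example and not part of the checklist; the ACE rows are a constructed flattening of what a Get-Acl or icacls dump contains, and the role matrix is assumed to be maintained alongside the share inventory.

```python
# Constructed permission export (one row per ACE: share path, identity, rights).
# Not real data; a real run feeds this from Get-Acl or icacls output.
ACL_EXPORT = [
    (r"\\fs01\data\PHI", r"CORP\PHI-Clinicians", "Modify"),
    (r"\\fs01\data\PHI", r"CORP\PHI-Admins", "FullControl"),
    (r"\\fs01\data\PHI", r"BUILTIN\Administrators", "FullControl"),
    (r"\\fs01\data\PHI", r"NT AUTHORITY\Authenticated Users", "ReadAndExecute"),
    (r"\\fs01\data\Payroll", r"CORP\Domain Users", "ReadAndExecute"),
    (r"\\fs01\data\Payroll", r"CORP\Payroll-Staff", "Modify"),
    (r"\\fs01\data\Payroll", r"CORP\Marketing", "Modify"),
]

# Constructed role matrix: principals approved on each regulated share.
ROLE_MATRIX = {
    r"\\fs01\data\PHI": {r"CORP\PHI-Clinicians", r"CORP\PHI-Admins",
                         r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM"},
    r"\\fs01\data\Payroll": {r"CORP\Payroll-Staff", r"BUILTIN\Administrators",
                             r"NT AUTHORITY\SYSTEM"},
}

# The groups the checklist calls out, plus BUILTIN\Users which behaves the same way.
BROAD_PRINCIPALS = {"everyone", "authenticated users", "domain users", "users"}


def principal_name(identity):
    """Strip the domain prefix and case so 'CORP\\Domain Users' compares as 'domain users'."""
    return identity.rsplit("\\", 1)[-1].lower()


def audit_share_acls(acl_export, role_matrix):
    """Return (path, identity, rights, severity, action) for every ACE that fails review.

    Broad principals are checked first so they are flagged even if someone has
    added them to the role matrix; everything else must match the matrix exactly.
    """
    findings = []
    for path, identity, rights in acl_export:
        approved = {i.lower() for i in role_matrix.get(path, set())}
        if principal_name(identity) in BROAD_PRINCIPALS:
            findings.append((path, identity, rights, "high",
                             "broad principal on regulated share; remove and re-grant via a role group"))
        elif identity.lower() not in approved:
            findings.append((path, identity, rights, "medium",
                             "principal not in role matrix; confirm with data owner or remove"))
    return findings


if __name__ == "__main__":
    for path, identity, rights, severity, action in audit_share_acls(ACL_EXPORT, ROLE_MATRIX):
        print(f"[{severity}] {path} {identity} ({rights}): {action}")
```

Note that a share with no entry in the role matrix at all would have every ACE reported as unexplained; that is deliberate, since an unregistered regulated share is itself a finding.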
Software and Vulnerability Management
- Review patch compliance across deployment rings
Pull patch status from Intune, SCCM, or Automox by ring (test, pilot, prod). Confirm the latest Patch Tuesday cycle has fully reached prod within the documented SLA. Devices stuck behind by 60+ days usually have a broken agent — open a remediation ticket per device, not in bulk.
- Inventory installed software per endpoint
Pull the software inventory from the RMM (NinjaOne, Datto RMM) or Intune. Compare against the approved-software list. Unauthorized installs are usually shadow-IT productivity tools, but occasionally the find is a rogue RMM agent or trojanized installer — investigate anything unfamiliar before assuming it's benign.
- Remove unauthorized software and update SAM
Push uninstall via the RMM or Intune. For licensed software found outside the SAM tool, decide: license and document, or remove. License true-ups discovered during audit are cheaper than during a Microsoft or Adobe audit.
- Run an authenticated vulnerability scan
Run Tenable, Qualys, or Rapid7 with credentials — unauthenticated scans miss the local vulnerabilities that matter. Attach the report so the remediation triage step has the source-of-truth findings to work from.
- Triage and assign CVE remediation tickets
Sort scan findings by CVSS and known-exploited status (CISA KEV catalog). Open tickets with named owners and SLA-aligned due dates: Critical/KEV inside 7 days, High inside 30, Medium inside 90. Attach the scan evidence to each ticket.
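The triage rule above (KEV or Critical inside 7 days, High inside 30, Medium inside 90, one named owner per ticket) is worth encoding so every audit cycle produces the same tickets for the same scan. The script below is an added example, not the checklist's or any scanner's code: the findings, the KEV membership, and the host-to-owner map are constructed, and the CVE ids are `CVE-2099-xxxx` placeholders rather than real vulnerabilities.

```python
from datetime import date, timedelta

# Constructed scan export and KEV membership. CVE ids are placeholders, not real
# vulnerabilities; a real run reads the scanner export and the CISA KEV catalog.
SCAN_DATE = date(2024, 6, 3)
FINDINGS = [
    {"host": "web01", "cve": "CVE-2099-0001", "cvss": 7.5},
    {"host": "web02", "cve": "CVE-2099-0001", "cvss": 7.5},
    {"host": "db01", "cve": "CVE-2099-0002", "cvss": 9.8},
    {"host": "db01", "cve": "CVE-2099-0003", "cvss": 5.3},
    {"host": "fs01", "cve": "CVE-2099-0004", "cvss": 8.1},
    {"host": "fs01", "cve": "CVE-2099-0005", "cvss": 3.1},
]
KEV = {"CVE-2099-0001"}  # constructed: which placeholder CVEs count as known-exploited
HOST_OWNER = {"web01": "web-team", "web02": "web-team", "db01": "dba-team", "fs01": "infra-team"}

# SLA from the checklist. Low has no SLA there, so it is tracked without a due date.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


def classify(cvss, in_kev):
    """KEV membership overrides the score: an actively exploited 7.5 is handled as critical."""
    if in_kev or cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def build_tickets(findings, kev, host_owner, scan_date=SCAN_DATE):
    """One ticket per (CVE, owner) so each ticket has a single named owner.

    Hosts with the same owner and CVE are aggregated onto one ticket; the same
    CVE across two owners yields two tickets, each with its own due date.
    Tickets come back in work order: critical first, KEV ahead of non-KEV,
    then by CVSS descending.
    """
    tickets = {}
    for f in findings:
        owner = host_owner[f["host"]]
        in_kev = f["cve"] in kev
        severity = classify(f["cvss"], in_kev)
        key = (f["cve"], owner)
        ticket = tickets.setdefault(key, {
            "cve": f["cve"], "owner": owner, "severity": severity, "kev": in_kev,
            "cvss": f["cvss"], "hosts": [],
            "due": scan_date + timedelta(days=SLA_DAYS[severity]) if severity in SLA_DAYS else None,
        })
        ticket["hosts"].append(f["host"])
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(tickets.values(),
                  key=lambda t: (order[t["severity"]], not t["kev"], -t["cvss"], t["cve"]))


if __name__ == "__main__":
    for t in build_tickets(FINDINGS, KEV, HOST_OWNER):
        due = t["due"].isoformat() if t["due"] else "no SLA"
        print(f"{t['cve']} [{t['severity']}{', KEV' if t['kev'] else ''}] "
              f"owner={t['owner']} hosts={','.join(t['hosts'])} due={due}")
```

With the sample scan, the 7.5 KEV entry is the first ticket and is due before the 9.8 non-KEV one only by sort position (both get the 7-day SLA); the point is that KEV status, not the score, is what pulls a High up to the Critical SLA.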
Incident Response Readiness
- Review the incident response runbook
Walk the runbook against current reality: phone numbers, on-call rotation, vendor contacts, cyber insurance hotline, legal counsel. The most common IR gap is a contact list that hasn't been updated since the last person rotated off the team.
- Run a tabletop exercise with the IR team
Pick a realistic scenario — ransomware via a compromised vendor account, BEC of the CFO, ESXi-targeted ransomware. Walk the runbook with the actual IR team, including someone playing legal and someone playing comms. Document gaps and assign owners.
- Verify SIEM log retention and coverage
Confirm Sentinel, Splunk, or your SIEM is ingesting from every domain controller, EDR console, firewall, and identity provider. Check retention against the compliance floor (commonly 90 days hot, 12 months cold for SOC 2; 6 years for HIPAA). Missing log sources are the most painful gap to discover during an actual incident.
- Document audit findings and sign off
Compile findings into the GRC system or shared report. Director of IT or CISO signs off. Open follow-up tickets for any remediation that didn't complete inside the audit window with named owners and due dates.