Identity and Access Management Assessment
Use this to review identity lifecycle, MFA, access governance, least privilege, and access review practices.
IT Operations & Cybersecurity Encyclopedia
Entra ID user lifecycle operations control how employees, contractors, vendors, shared accounts, and privileged users are created, changed, licensed, monitored, and removed. A disciplined joiner-mover-leaver process reduces account sprawl, stale access, license waste, audit gaps, and security risk.
Why it matters
A user account is often the first control point for Microsoft 365, Entra ID, SaaS applications, VPN access, device management, email, Teams, SharePoint, and administrative portals. If onboarding, role changes, and offboarding are inconsistent, users accumulate access they no longer need and former workers may remain active longer than the business realizes.
A practical Entra ID lifecycle process connects HR events, manager approvals, group membership, application assignment, license handling, privileged role control, Conditional Access, sign-in monitoring, audit logs, and help desk tickets. The goal is not only to create and delete accounts, but to prove that access is appropriate throughout the entire user lifecycle.
Practical rule: every identity lifecycle workflow should answer five questions: who requested the change, who approved it, what access changed, when it was completed, and what evidence proves the account is in the correct final state.
Review scope
Create accounts from approved HR or manager requests, assign licenses and groups by role, require MFA, and validate first sign-in readiness.
When users change departments, locations, or responsibilities, remove old access before adding new access and document manager approval.
Disable sign-in, revoke sessions, remove groups, handle mailbox and OneDrive retention, recover licenses, and confirm no privileged access remains.
Apply expiration, sponsorship, access reviews, MFA requirements, and application limits for non-employee identities.
Review administrator assignments, eligible roles, emergency accounts, role activation records, and separation of duties.
Use audit logs, sign-in logs, access-review results, group reports, and license reports to prove lifecycle controls are working.
Review matrix
| Area | What to verify | Questions to answer | Evidence |
|---|---|---|---|
| New employee onboarding | Create the account, assign the correct role-based groups and licenses, require MFA, and validate first-day access. | Was the request approved and was access limited to the user’s role? | Onboarding ticket, group assignment report, license record, MFA status. |
| Role or department change | Remove old group memberships, application roles, mailbox permissions, and privileged assignments before adding new access. | Which previous access is no longer justified after the move? | Mover ticket, before/after group export, manager approval, access review note. |
| Termination and offboarding | Disable sign-in, revoke sessions, reset credentials if needed, remove groups, recover licenses, and apply retention steps. | Can the former user still sign in, access data, or hold privileged rights? | Disable timestamp, revoke-session evidence, license removal, group removal. |
| Guest and contractor review | Validate sponsor, expiration, MFA, application access, and continued business need. | Which external users still need access and who owns them? | Guest report, sponsor list, access review results, expiration settings. |
| Privileged identity control | Review global admins, role admins, exchange/sharepoint admins, eligible roles, and emergency accounts. | Which privileged assignments are permanent, unused, or excessive? | Role export, PIM records where used, access-review approval, emergency account check. |
| Audit and monitoring | Review audit logs, sign-in logs, risky sign-ins, failed sign-ins, and administrative changes. | Can IT prove what changed and who performed the action? | Audit log export, sign-in log samples, alert records, investigation notes. |
Step-by-step review
Export active, disabled, guest, contractor, shared, privileged, break-glass, and stale accounts. Confirm ownership and business purpose.
Map departments and job functions to groups, applications, Teams, SharePoint sites, mailbox permissions, licenses, and security controls.
Use approved requests, naming standards, group-based licensing, MFA registration, authentication methods, and first-day validation.
Before adding new access, remove access from the prior role. Validate mailbox, Teams, SharePoint, SaaS, VPN, and administrative changes.
Disable sign-in, revoke sessions, remove groups and roles, convert or preserve mailbox data, recover licenses, and document the final state.
Run recurring access reviews, license reviews, stale-account cleanup, privileged-role review, and audit-log checks with documented owners.
Common risks
Mover workflows often grant new access while old department, mailbox, application, or privileged access remains.
Former employees, vendors, or contractors may keep active sessions, licenses, group access, or shared data access longer than intended.
External users without sponsors, expiration, or review cadence can become long-term unmanaged access paths.
Unused Microsoft 365 licenses, orphaned service plans, and disabled accounts with licenses create avoidable cost.
Administrator roles can accumulate through projects, emergencies, and old assignments unless reviewed and documented.
Without tickets, approvals, audit logs, and before/after exports, IT cannot prove lifecycle controls during audit or incident review.
Related support
IT Perfection can help standardize Microsoft 365 and Entra ID user lifecycle operations, including onboarding, offboarding, group cleanup, license review, MFA enforcement, and help desk runbooks. Start with Microsoft 365 support when the priority is implementation and operational improvement.
When identity lifecycle risk affects cybersecurity, audit readiness, cyber insurance, or executive oversight, OC Security Audit cybersecurity assessment tools can support broader security review and planning.
Created by Ali Hassani, CISO
Ali Hassani brings 25+ years of hands-on experience across IT operations, cybersecurity, Microsoft infrastructure, network security, compliance readiness, cloud services, healthcare IT, MSP services, and business technology leadership.
This guide is for initial education and planning. It does not replace a professional cybersecurity audit, compliance assessment, penetration test, legal review, vendor engineering review, or Microsoft professional services engagement.
Ali Hassani, CISO, brings 25+ years of Microsoft infrastructure, cybersecurity, compliance, managed IT, and identity operations experience to help organizations turn user lifecycle work into a controlled business process.
Related validation tools
After reviewing this IT Perfection guide, administrators can use these OC Security Audit resources to validate the same control areas from a security, audit-readiness, or risk-review perspective.
Use this to review identity lifecycle, MFA, access governance, least privilege, and access review practices.
These tools are for initial guidance only and do not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal/compliance review.
FAQ
It is the lifecycle workflow for onboarding new users, changing access when roles change, and removing access when users leave the organization.
Disable sign-in, revoke sessions, remove groups and roles, recover licenses, handle mailbox and OneDrive retention, document exceptions, and verify that privileged access is removed.
Review privileged roles frequently, high-risk applications regularly, and general group or guest access on a recurring schedule based on business risk, compliance needs, and staffing changes.
Keep request tickets, manager approvals, group and license exports, role assignment reports, audit logs, sign-in logs, offboarding timestamps, access review results, and exception approvals.
After reviewing joiner, mover, leaver workflows, group membership, MFA, role assignment, and access review evidence, administrators can use these OC Security Audit resources to validate the same identity lifecycle controls covered in this guide. These tools are for initial guidance only and do not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal/compliance review. These tools are for initial guidance only and do not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal/compliance review.
Use this to evaluate identity lifecycle, MFA, access review, least privilege, and governance for Entra users.
Use this to focus on privileged Entra roles, administrator lifecycle, emergency access, and monitoring controls.
Use this when lifecycle findings require stronger Entra ID hardening, conditional access, role governance, or implementation work.
These resources help administrators make Entra lifecycle operations auditable, measurable, and aligned with least privilege.
We use necessary cookies and limited analytics and advertising-measurement cookies. Select Accept to allow optional cookies or Deny to continue with necessary cookies only. No name or email is required. You may close this website at any time.