Access Control and Authentication Audit
Access Control and Authentication Audit

Photo by RDNE Stock project on Pexels
Access control is the gatekeeper of your business data. Every user account, every shared password, and every permission setting is a potential entry point for attackers. This lesson walks you through auditing who has access to what — and whether that access is properly secured.
Why Access Control Matters
According to Verizon's Data Breach Investigations Report, over 80% of breaches involve stolen or weak credentials. If you cannot answer "Who has access to our systems and data?" with confidence, you have a significant security gap.
Audit Checklist: User Accounts
Review every system where users log in: email, cloud services, local servers, applications, and network devices.
- List all active user accounts across all systems
- Identify and disable accounts for departed employees or contractors
- Check for shared accounts used by multiple people — eliminate these where possible
- Verify each user has the minimum permissions needed for their role (principle of least privilege)
- Review admin accounts — limit to 2-3 trusted individuals maximum
- Check for orphaned accounts — accounts created for temporary purposes that were never removed
Audit Checklist: Password Policies
Passwords are your first line of defense. Verify the following:
- Minimum length of 12 characters enforced
- Complexity requirements active (uppercase, lowercase, numbers, symbols)
- Password expiration policy in place (every 90-180 days)
- Account lockout after 5 failed attempts
- No passwords stored in plain text files, spreadsheets, or sticky notes
Multi-Factor Authentication (MFA) Verification
MFA should be mandatory on every system that supports it. Check each platform:
- Email — Microsoft 365, Google Workspace, and any other email provider
- Cloud services — AWS, Azure, Google Cloud, Dropbox, etc.
- Financial systems — Banking portals, accounting software, payment processors
- Remote access — VPN, Remote Desktop, team collaboration tools
- Social media accounts — Company LinkedIn, Facebook, Twitter/X
Use authenticator apps (Microsoft Authenticator, Google Authenticator, Authy) rather than SMS codes where possible. SMS-based MFA is vulnerable to SIM-swapping attacks.
Step-by-Step Access Review Process
- Inventory all systems — List every platform requiring login
- Export user lists — Pull active user reports from each system
- Cross-reference with HR — Match accounts to current employees
- Review permissions — Check for excessive or unnecessary access
- Test MFA — Attempt login without MFA to confirm it is enforced
- Audit admin logs — Review who has changed access in the last 90 days
- Document everything — Record findings, actions taken, and follow-up needed
Free Tools for Access Auditing
- Microsoft 365 Admin Center — Built-in user and access reports
- Google Workspace Admin Console — User audit and security reports
- Bitwarden — Free password manager for teams (up to 2 users free)
- Have I Been Pwned — Check if email accounts appear in known breaches
- KnowBe4 Free Tools — Free password strength tester and exposure check
Key Takeaways
- Review and prune user accounts regularly — departed employees should lose access within 24 hours
- Enforce MFA on every system that supports it
- Follow the principle of least privilege — give users only the access they need
- Use a password manager to eliminate shared and weak passwords
- Document your access review at least quarterly for compliance evidence
Access Control and Authentication Audit

Photo by RDNE Stock project on Pexels
Access control is the gatekeeper of your business data. Every user account, every shared password, and every permission setting is a potential entry point for attackers. This lesson walks you through auditing who has access to what — and whether that access is properly secured.
Why Access Control Matters
According to Verizon's Data Breach Investigations Report, over 80% of breaches involve stolen or weak credentials. If you cannot answer "Who has access to our systems and data?" with confidence, you have a significant security gap.
Audit Checklist: User Accounts
Review every system where users log in: email, cloud services, local servers, applications, and network devices.
- List all active user accounts across all systems
- Identify and disable accounts for departed employees or contractors
- Check for shared accounts used by multiple people — eliminate these where possible
- Verify each user has the minimum permissions needed for their role (principle of least privilege)
- Review admin accounts — limit to 2-3 trusted individuals maximum
- Check for orphaned accounts — accounts created for temporary purposes that were never removed
Audit Checklist: Password Policies
Passwords are your first line of defense. Verify the following:
- Minimum length of 12 characters enforced
- Complexity requirements active (uppercase, lowercase, numbers, symbols)
- Password expiration policy in place (every 90-180 days)
- Account lockout after 5 failed attempts
- No passwords stored in plain text files, spreadsheets, or sticky notes
Multi-Factor Authentication (MFA) Verification
MFA should be mandatory on every system that supports it. Check each platform:
- Email — Microsoft 365, Google Workspace, and any other email provider
- Cloud services — AWS, Azure, Google Cloud, Dropbox, etc.
- Financial systems — Banking portals, accounting software, payment processors
- Remote access — VPN, Remote Desktop, team collaboration tools
- Social media accounts — Company LinkedIn, Facebook, Twitter/X
Use authenticator apps (Microsoft Authenticator, Google Authenticator, Authy) rather than SMS codes where possible. SMS-based MFA is vulnerable to SIM-swapping attacks.
Step-by-Step Access Review Process
- Inventory all systems — List every platform requiring login
- Export user lists — Pull active user reports from each system
- Cross-reference with HR — Match accounts to current employees
- Review permissions — Check for excessive or unnecessary access
- Test MFA — Attempt login without MFA to confirm it is enforced
- Audit admin logs — Review who has changed access in the last 90 days
- Document everything — Record findings, actions taken, and follow-up needed
Free Tools for Access Auditing
- Microsoft 365 Admin Center — Built-in user and access reports
- Google Workspace Admin Console — User audit and security reports
- Bitwarden — Free password manager for teams (up to 2 users free)
- Have I Been Pwned — Check if email accounts appear in known breaches
- KnowBe4 Free Tools — Free password strength tester and exposure check
Key Takeaways
- Review and prune user accounts regularly — departed employees should lose access within 24 hours
- Enforce MFA on every system that supports it
- Follow the principle of least privilege — give users only the access they need
- Use a password manager to eliminate shared and weak passwords
- Document your access review at least quarterly for compliance evidence
There are no comments for now.