Quarterly Access Reviews in 20 Minutes: A Small-Team Playbook
16 Oct 2025
Permission creep is real: people change roles, vendors get added “just for a week,” and test accounts linger. A lightweight quarterly review keeps access lean, reduces audit headaches, and prevents avoidable incidents — without new tools or jargon.
✅ What You’ll Achieve (in ~20 minutes)
- Remove unused accounts and over-broad roles
- Confirm MFA is on for every active user
- Close out vendor/app access no longer needed
- Produce a simple record that satisfies client/insurer audits
🗂️ Prep (5 minutes)
Where to check:
- Identity & email: Google Workspace or Microsoft 365
- Key apps: storage (Drive/SharePoint), finance, CRM, helpdesk, source control
- Vendors: any third-party with logins or API keys
What to export:
- Active users list (with last sign-in if available)
- Admins/owners per app
- MFA status per user (if visible)
Tip: Save exports to an “Access Review YYYY-Q#” folder so you can compare quarter to quarter.
🪜 The 5-Step Review
1) Match people to access (Who still needs what?)
- Cross-check your active staff/contractor list against each app’s user list.
- Suspend anyone who’s left (don’t delete yet; preserve data).
- Remove guest/vendor accounts no longer needed.
If you recently had a departure, run our offboarding checklist to avoid missed steps. See Related Post below.
2) Right-size roles (Default to least privilege)
- Reduce Admin/Owner roles that aren’t essential.
- Swap “full access” shares for folder/project-specific access.
- Confirm finance, HR, and client-data areas are restricted.
3) Check MFA coverage (Everyone, every app)
- Turn on MFA for accounts missing it.
- Rotate backup codes for shared mailboxes or emergency access.
- For app-specific tokens, note any that don’t support MFA and limit their scope.
4) Clean up old keys & shares
- Rotate stale API keys and disable test tokens.
- Remove public or “anyone with the link” sharing.
- Archive old vendor SSO/OAuth connections.
5) Record the outcome (Your audit receipt)
Log the date, who reviewed, the systems checked, changes made, and any follow-ups. A one-page note (or spreadsheet) is enough.
📝 Copy-Paste Log Template
- Review date: YYYY-MM-DD
- Reviewed by: Name/Role
- Systems: Workspace/M365, Storage, CRM, Finance, Helpdesk, Code, Other
- Actions taken: (e.g., “Suspended 1 leaver, removed 2 vendor logins, reduced 3 admin roles, enabled MFA for 2 users, rotated 1 API key.”)
- Open items: (owner + due date)
🧪 Quick Spot-Checks That Catch Most Issues
- Admin count: keep to the smallest practical number
- Last sign-in: suspend accounts with 60–90 days of inactivity (confirm with the manager first)
- Shared mailboxes: restrict who can send-as; rotate credentials; enable MFA on owners
- Client folders: verify only the current project team has access
- Finance apps: confirm vendor accounts and bookkeepers still required
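Steps 1–3 of the review and the spot-checks above boil down to one reconciliation: compare an app's user export against your current staff roster and flag who is not on it, who has not signed in for a while, who holds an elevated role, and who lacks MFA. The script below is an added example, not part of the original post and not an official tool from any vendor. The CSV columns (email, role, last_sign_in, mfa), the staff roster and the sample export are constructed to resemble a typical Workspace/M365 or SaaS export; rename the columns to match what your apps actually export, and point it at your saved “Access Review YYYY-Q#” files. It also emits the one-line record from step 5 so the findings double as your audit receipt.

```python
"""Reconcile one app's user export against the current staff roster.

Added example for the 5-step review and the spot-checks; not code from the
original post. Column names and all sample data below are constructed.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample: everyone who currently works here (staff + contractors).
STAFF_ROSTER = {"ana@example.com", "ben@example.com", "cy@example.com"}

# Constructed sample export from one app (say, the CRM).
APP_EXPORT = """email,role,last_sign_in,mfa
ana@example.com,Admin,2025-10-10,yes
ben@example.com,Member,2025-06-01,yes
cy@example.com,Admin,2025-10-12,no
dee@example.com,Member,2025-09-30,yes
vendor-support@partner.example,Owner,2025-03-15,no
"""

REVIEW_DATE = date(2025, 10, 16)   # date of this review
INACTIVE_DAYS = 90                 # upper end of the post's 60–90 day threshold
ELEVATED_ROLES = {"Admin", "Owner"}


def parse_export(text):
    """Parse a CSV export into a list of dicts with normalised fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "email": row["email"].strip().lower(),
            "role": row["role"].strip(),
            "last_sign_in": datetime.strptime(row["last_sign_in"].strip(), "%Y-%m-%d").date(),
            "mfa": row["mfa"].strip().lower() == "yes",
        })
    return rows


def review(rows, roster, today=REVIEW_DATE, inactive_days=INACTIVE_DAYS):
    """Return findings keyed by the review step they belong to."""
    findings = {
        "not_on_roster": [],   # step 1: leavers / vendors to suspend or remove
        "inactive": [],        # spot-check: last sign-in beyond the threshold
        "elevated": [],        # step 2: Admin/Owner roles to justify or reduce
        "no_mfa": [],          # step 3: MFA missing
    }
    for r in rows:
        if r["email"] not in roster:
            findings["not_on_roster"].append(r["email"])
        if (today - r["last_sign_in"]).days > inactive_days:
            findings["inactive"].append(r["email"])
        if r["role"] in ELEVATED_ROLES:
            findings["elevated"].append(r["email"])
        if not r["mfa"]:
            findings["no_mfa"].append(r["email"])
    return findings


def log_entry(system, reviewer, findings, today=REVIEW_DATE):
    """Build the step-5 'audit receipt' for one system."""
    actions = (
        f"flagged {len(findings['not_on_roster'])} account(s) not on roster, "
        f"{len(findings['inactive'])} inactive >{INACTIVE_DAYS}d, "
        f"{len(findings['elevated'])} elevated role(s), "
        f"{len(findings['no_mfa'])} without MFA"
    )
    # Every flagged account becomes an open item until someone closes it out.
    open_items = sorted(set(sum(findings.values(), [])))
    return {
        "review_date": today.isoformat(),
        "reviewed_by": reviewer,
        "system": system,
        "actions": actions,
        "open_items": open_items,
    }


if __name__ == "__main__":
    found = review(parse_export(APP_EXPORT), STAFF_ROSTER)
    for step, emails in found.items():
        print(f"{step}: {emails}")
    print(log_entry("CRM", "Ops Lead", found))
```

Run it once per app export and paste each log entry into your quarterly note. The script only flags; the decisions (suspend, reduce role, enable MFA) stay manual, which is the point of the “confirm with the manager first” advice above. On the sample data it flags the two accounts missing from the roster, the two that have not signed in within 90 days, the three elevated roles, and the two users without MFA.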
🙋 Common Questions
How often is “enough” for small teams?
Quarterly works well. If you’re adding staff/contractors frequently, do a monthly light pass.
Should we delete or suspend leavers?
Suspend first to preserve files and audit trails, then delete when retention obligations are met.
Do we need a fancy tool?
Not to start. Export lists, review, act, log. Later you can automate exports or add alerts.
🎁 Free Resource
Need ready-to-use checklists and quick staff training?
👉 Download the Free Cyber Security Training Kit
Related post:
Running a leaver process soon? Read When Someone Leaves: A Simple Offboarding Security Checklist for Small Teams next.