Key Application & Active Directory Privileged User Access Review Process

Purpose: To ensure only current, authorized users retain privileged access across key platforms and Active Directory, and to offboard any unnecessary or outdated accounts.

1. Preparation

Scope Includes

  • Active Directory (AD)
  • Entra ID
  • Mimecast
  • Egress
  • Varonis
  • BeyondTrust
  • Netskope
  • Vectra
  • HYPR Control Center

Tools Needed

  • Admin/audit access to each platform
  • Access to AD group membership reports
  • Vendor contact list
  • Documentation template (spreadsheet or ticketing system)

Expected Outcome

  • A full review of all the systems and services listed
  • Documented actions logged within the automated ticket

2. Active Directory/Entra ID Review

a. Privileged Groups Audit

Review: 

  • bt-team-xxxx groups
  • bt-admins-xxxx groups
  • bt-az-admins
  • Global Admins
  • Global Readers

Actions

  • Identify and remove disabled accounts.
  • Validate necessity of each privileged account.
  • Document all changes with justification.

b. Third-Party OU Review

Identify all third-party Organizational Units (OUs).

Actions

  • Contact each vendor/stakeholder to confirm current users.
  • Disable and remove access for inactive or unverified users.
  • Record vendor responses and offboarding actions.
  • Move any disabled teams, users or groups to the Left Firm Third Parties OU.

3. Application-Level Admin Access Review

For each platform, follow this checklist:

Mimecast

Review Super Admins and Support accounts.

Remove outdated or unused accounts.

Egress

Audit admin roles and support accounts.

Remove any accounts not tied to current operations.

Varonis

Check admin and service accounts.

Revoke access for inactive or legacy users.

BeyondTrust

Review privileged access groups and session logs.

Remove accounts unused in the last 90 days.

Netskope

Audit admin roles and integration accounts.

Remove vendor/support accounts no longer in use.

Vectra

Review admin and analyst roles.

Revoke access for disabled or non-current users.

HYPR Control Center

Audit:

  • Admin users
  • Third-party access

Remove any off-boarded account registrations.

Actions

  • Validate each account’s necessity.
  • Remove any accounts tied to previous admins or inactive vendors.
  • Document all changes and confirmations.

4. Documentation & Reporting

Log all findings and actions: 

  • User removed
  • Group membership revoked
  • Vendor confirmation received

Include: 

  • Date/time
  • Analyst name
  • Justification

Generate a summary report for management and compliance.