
Privileged access review checklist

A practical checklist for reviewing administrator access and reducing privilege risk.

Administrators hold the keys

Privileged accounts — domain admins, global admins, root accounts, database administrators — are the highest-value targets for attackers. Compromising a single privileged account can give an attacker complete control of the environment. Governing privileged access is not optional; it is the most impactful security control you can implement.

Just-in-time access

Shift away from standing admin privileges. Administrators should request elevation for a specific time window to perform a specific task, then have that access automatically revoked. This dramatically reduces the window of exposure if credentials are compromised.

In Microsoft environments, use Privileged Identity Management (PIM). In AWS, use IAM Access Analyzer and session policies. The principle is the same everywhere: nobody should have persistent administrative access.

MFA on everything privileged

There should be zero exceptions for MFA on administrative accounts. None. Not for service accounts (use managed identities instead), not for break-glass accounts (store the MFA device securely), not for "temporary" access that has been temporary for eighteen months.

Regular auditing

Review all global admins, domain admins, and highly privileged service accounts monthly. Not quarterly — monthly. Privileged access creep is one of the most common findings in security assessments because organisations review access too infrequently.

  • List all accounts with administrative privileges across identity, cloud, and infrastructure
  • Verify each account has a documented business justification
  • Verify each account has MFA enforced
  • Remove or downgrade any account that no longer requires elevated access
  • Document the review with timestamps and reviewer names for audit evidence
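The monthly review above can be run against an exported inventory rather than by hand. The script below is an added example, not part of this checklist or any vendor tool: it assumes a normalised inventory with hypothetical field names (name, source, role, MFA state, justification, last sign-in, standing vs. eligible assignment), flags each account against the five checklist items, and produces the timestamped reviewer record the last item asks for. The 90-day threshold for "no longer requires elevated access" is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
STALE_DAYS = 90  # assumed threshold for "no longer requires elevated access"

@dataclass
class PrivilegedAccount:
    name: str
    source: str                   # identity system, e.g. "entra", "ad", "aws"
    role: str
    mfa_enforced: bool
    justification: str            # ticket or owner reference; empty if undocumented
    last_sign_in: Optional[datetime]
    standing: bool                # True = persistent assignment, False = eligible/JIT only

def review_account(acct: PrivilegedAccount, now: datetime) -> list:
    """Return the checklist items this account fails (empty list = passes)."""
    issues = []
    if not acct.mfa_enforced:
        issues.append("no MFA")
    if not acct.justification.strip():
        issues.append("no documented business justification")
    if acct.last_sign_in is None or now - acct.last_sign_in > timedelta(days=STALE_DAYS):
        issues.append(f"unused for more than {STALE_DAYS} days: remove or downgrade")
    if acct.standing:
        issues.append("standing assignment: move to just-in-time elevation")
    return issues

def run_review(accounts, now: datetime, reviewer: str) -> dict:
    """Findings for every account, plus the timestamped record kept as audit evidence."""
    findings = {}
    for acct in accounts:
        issues = review_account(acct, now)
        if issues:
            findings[acct.name] = issues
    return {"reviewed_at": now.isoformat(), "reviewer": reviewer,
            "accounts_reviewed": len(accounts), "findings": findings}

# Constructed sample inventory (not real accounts), shaped like a normalised export.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    PrivilegedAccount("ga-jane", "entra", "Global Administrator", True, "CHG-1042", NOW - timedelta(days=3), False),
    PrivilegedAccount("svc-backup", "ad", "Domain Admins", False, "", NOW - timedelta(days=200), True),
    PrivilegedAccount("aws-root", "aws", "root", False, "Account owner", NOW - timedelta(days=10), True),
]

if __name__ == "__main__":
    for name, issues in run_review(SAMPLE, NOW, "security-team")["findings"].items():
        print(f"{name}: {'; '.join(issues)}")
```

Accounts that pass every item are absent from the findings but still counted in the evidence record, so the output doubles as the documentation the checklist requires.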

Break-glass procedures

Maintain emergency access accounts that bypass normal controls, but protect them rigorously. Store credentials in a physical safe or hardware security module. Monitor these accounts for any sign-in — any use of a break-glass account should trigger an immediate alert and investigation. Test break-glass access quarterly to ensure it works when needed.

Need help applying this?

Turn the guide into an action plan.

Tenodex can assess your current state, prioritise the practical work and help implement the operating model.
