SMEs often assume identity reviews require specialist skills or expensive tools. In reality, a meaningful review can be completed in 30 minutes using a simple, structured approach.
Start by listing all active user accounts across your core systems. Look for dormant accounts—any user who hasn't logged in for 60–90 days. These are high-risk and should be disabled immediately. Next, review admin roles. Every admin should have a clear, current justification. Temporary access should be revoked.
Then check MFA enforcement. It must be enabled everywhere, not just on "important" systems. Attackers target the weakest link, not the strongest. Finally, document any exceptions you discover. A defensible posture requires evidence of decisions, not perfection.
This simple review won't solve every problem, but it will surface the most common identity risks SMEs face. It also builds the foundation for more advanced governance using AISF.
Why identity reviews matter
Every day your organisation operates without visibility into its identity landscape is a day that accumulated risks go undetected. A dormant account sits unused. An admin role that should have been removed after a project remains active. A contractor who left six months ago still has valid access to your CRM.
These aren't theoretical risks. They're the actual attack surface that adversaries exploit. And they're entirely preventable with regular review.
The 30-minute framework
This framework breaks your identity review into five focused activities. Each takes approximately six minutes. Complete them in order—the output of each stage informs the next.
Stage 1: Inventory your accounts (6 minutes)
Start by answering a simple question: who has access to what?
Gather lists from your core systems:
- Active Directory / Entra ID: All user accounts
- Email system: All mailboxes, including shared mailboxes
- Cloud platforms: AWS IAM, Google Workspace, Azure
- SaaS tools: Your top 5 most important business applications
- VPN and remote access: All accounts with network access
For each system, export a user list. If you can't export, screen capture is acceptable—you're building evidence of your review.
What to look for:
- Accounts you don't recognise
- Accounts with generic names (admin, test, temp)
- Accounts that appear in multiple systems with different attributes
Output: A consolidated list of all identities with access to your critical systems.
Stage 2: Find dormant accounts (6 minutes)
Now examine your consolidated list for accounts that haven't been used recently.
Define "dormant" as no login for 60–90 days. In Active Directory, you can run this query:
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly | Select Name, LastLogonDate, DistinguishedName
In Entra ID, check the "Sign-ins" blade for accounts with no recent activity.
What to look for:
- Dormant user accounts for current employees (why haven't they logged in?)
- Dormant admin accounts (these are high-risk)
- Dormant contractor accounts (these should have been disabled when the engagement ended)
- Dormant service accounts (these should be reviewed for necessity)
Action: Flag every dormant account for immediate review. If you can't verify the account is still needed, disable it.
Output: A list of dormant accounts requiring action.
Stage 3: Review admin roles (6 minutes)
Privileged accounts are your highest-value targets. Review every account with elevated permissions.
For each admin account, ask:
- Is this person still with the organisation?
- Do they still need this level of access?
- Was this access granted for a specific project that has ended?
- Is there documentation of why this access was granted?
Common admin privilege risks:
- Domain/Enterprise Admins: Should be limited to 2-3 individuals for break-glass scenarios
- Global Administrators: Only for identity management; day-to-day admins shouldn't have this
- Application Administrators: Review each app assignment—is it still needed?
- Cloud platform admins: Check for accumulated roles from previous projects
Action: Remove admin access that lacks current justification. Revoke temporary admin access immediately after projects end.
Output: A documented list of admin accounts with justification for each.
Stage 4: Check MFA coverage (6 minutes)
Multi-factor authentication is your most effective defence against credential compromise. But it only works if it's enforced everywhere.
For each of your critical systems, verify:
- Is MFA required for all users?
- What MFA methods are supported? (SMS is weak; authenticator apps are better; FIDO2 is best)
- Are there any exceptions or exclusions?
- Are service accounts protected?
What to look for:
- Systems without MFA enabled
- MFA enforced only for admins (not regular users)
- SMS-based MFA (vulnerable to SIM-swapping)
- Service accounts without MFA (these should use certificate-based authentication or API keys instead)
- Conditional Access policies that exclude certain users or groups
Action: Enable MFA everywhere. Prefer authenticator apps or FIDO2 tokens over SMS. Document any legitimate exceptions.
Output: MFA coverage map showing which systems are protected and which need work.
Stage 5: Document exceptions (6 minutes)
Now document everything you've found.
For each risk you've identified, record:
- The specific finding (e.g., "Dormant account j.smith@company.com, last login 7 months ago")
- The risk it creates (e.g., "Account could be used for unauthorised access if credentials are compromised")
- The action you're taking (e.g., "Disabled account pending manager verification")
- The owner responsible for follow-up
- The target date for resolution
This documentation serves two purposes:
- It creates evidence that you conducted a review and took action
- It gives you a working list for your next review
Output: A documented risk register with findings, actions, and owners.
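As an added example (not code from the article), a small Python script that applies the Stage 1 to Stage 5 checks to the user lists you exported in Stage 1: it consolidates constructed exports from several systems, applies the 90-day dormancy threshold, flags generic names, admin roles without justification and missing MFA, and emits Stage 5 risk-register rows plus an MFA coverage map. The systems, accounts, dates, the review date and the one-week target date are all assumptions made for the example.

```python
from datetime import date, timedelta

# Added example, not from the article; every system, account and date is constructed.
REVIEW_DATE = date(2024, 6, 1)   # assumed date the review is run
DORMANT_DAYS = 90                # the article's upper dormancy threshold
GENERIC_NAMES = {"admin", "test", "temp"}

# Stage 1 output, one row per account per system:
# (system, account, last_login as ISO date or None, is_admin, justification, mfa)
EXPORTS = [
    ("Entra ID", "j.smith",     "2023-11-01", False, "",                   True),
    ("Entra ID", "a.lee",       "2024-05-30", True,  "Identity team lead", True),
    ("AWS IAM",  "temp",        "2024-05-29", True,  "",                   False),
    ("CRM",      "contractor1", "2023-12-15", False, "",                   False),
    ("VPN",      "m.jones",     "2024-05-31", False, "",                   False),
]

def days_idle(last_login, today):
    """Days since the last login, or None if the account has never logged in."""
    return None if last_login is None else (today - date.fromisoformat(last_login)).days

def review(exports, today=REVIEW_DATE):
    """Return (risk-register rows, MFA coverage map {system: fully covered?})."""
    register, coverage = [], {}

    def flag(system, account, finding, risk, action):   # one Stage 5 entry
        register.append({"system": system, "account": account, "finding": finding,
                         "risk": risk, "action": action, "owner": f"{system} owner",
                         "target": (today + timedelta(days=7)).isoformat()})
    for system, account, last_login, is_admin, justification, mfa in exports:
        idle = days_idle(last_login, today)
        coverage[system] = coverage.get(system, True) and mfa  # any gap = not covered
        if account.lower() in GENERIC_NAMES:                                 # Stage 1
            flag(system, account, "generic account name", "no accountable owner",
                 "identify owner or disable")
        if idle is None or idle >= DORMANT_DAYS:                             # Stage 2
            finding = "never logged in" if idle is None else f"dormant for {idle} days"
            flag(system, account, finding, "unused credentials can be abused unnoticed",
                 "disable pending owner verification")
        if is_admin and not justification:                                   # Stage 3
            flag(system, account, "admin role without justification",
                 "excess privilege", "remove admin access")
        if not mfa:                                                          # Stage 4
            flag(system, account, "MFA not enforced", "credential compromise",
                 "enforce MFA (authenticator app or FIDO2)")
    return register, coverage

if __name__ == "__main__":
    for r in review(EXPORTS)[0]:
        print(f"[{r['system']}] {r['account']}: {r['finding']} -> {r['action']}")
```

Replace EXPORTS with rows parsed from your own CSV exports; the two rows for a.lee show what a clean account looks like (recent login, justified admin role, MFA on), so it produces no register entry.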
What to do next
You've completed your first review. Here's what happens now:
Immediate actions (this week)
- Disable all clearly dormant accounts
- Remove admin access that lacks justification
- Enable MFA on systems where it's missing
Short-term actions (this month)
- Verify the status of accounts flagged for review
- Implement MFA on remaining systems
- Create a schedule for your next review (quarterly is minimum; monthly is ideal)
Long-term improvements
- Consider implementing automated identity governance
- Integrate identity reviews into your onboarding/offboarding processes
- Implement continuous monitoring for drift detection
When to use automated tools
A manual 30-minute review is an excellent starting point. But as your organisation grows, manual reviews become unsustainable.
Automated identity governance tools can:
- Continuously monitor all systems for identity changes
- Automatically detect drift from expected states
- Alert you to risks in real time
- Generate audit-ready evidence automatically
If you're conducting manual reviews monthly and still finding significant risks each time, it's worth evaluating automated solutions.
The bigger picture
This 30-minute review won't solve every identity security problem. But it will dramatically reduce your attack surface and build the muscle memory for ongoing governance.
The organisations that avoid breaches aren't the ones with the biggest security budgets. They're the ones that do the basics consistently. A 30-minute identity review every month is one of the highest-return security investments you can make.