
How to Conduct User Access Reviews in Your Organization

LastPass | Published March 18, 2026

User access reviews can feel like a lot to manage, especially if you're doing them for the first time. You're checking who has access to what, making sure those permissions still make sense, and keeping records for your next audit.

The good news is that you don't have to do this all manually. LastPass gives you admin tools and reporting features that handle much of the heavy lifting for credential and password access. In addition, LastPass's Business Max subscription allows you to spot unapproved AI and SaaS applications right from the browser so you can make sure your business is protected on all fronts. 

Quick guide: How to conduct user access reviews in 7 easy steps
  1. Understand what user access reviews cover and what you're looking for.
  2. Connect LastPass to your identity provider so user data syncs automatically.
  3. Pull access reports from the LastPass Admin Console to see who has access to what.
  4. Review the Security Dashboard for red flags like dormant accounts and weak passwords.
  5. Clean up issues directly in LastPass by removing users or adjusting permissions.
  6. Export reports for compliance documentation so you're ready for auditors.
  7. Set up recurring reports and alerts to keep things running smoothly between reviews.
  8. Use LastPass to surface unapproved AI and SaaS apps. After you've cleaned up known access issues, SaaS Monitoring scans for AI and SaaS tools employees are signing into with corporate credentials that never went through an approval process. Use SaaS Protect to set rules or block access to anything that shouldn't be there.


How to run user access reviews for your business

1. Understand what user access reviews cover

A user access review is a check on who can access what in your organization. You look at each user account, confirm the person still needs that access, and verify their permission level matches their current role.

When someone has access they don't need, it creates risk. If their account gets compromised, an attacker can reach systems they shouldn't. And if that person leaves the company on bad terms, they might still be able to get to sensitive data.

For compliance frameworks like SOC 2 and ISO/IEC 27001, auditors expect to see that organizations regularly review user access and maintain clear records of what was reviewed and why changes were made. Similar requirements also appear in SOX, PCI DSS, GDPR, and NIST frameworks, all of which emphasize strong access controls, least privilege, and auditable evidence of enforcement. Regular access reviews aren't just a best practice—they're a foundational control for meeting regulatory and security requirements.

To support these requirements, organizations should define and enforce a formal user access policy. This policy should clearly outline expectations for least-privilege access, user provisioning and deprovisioning (including immediate revocation to prevent orphaned accounts), segregation of duties, and audit logging. Having these standards documented—and consistently applied—makes access reviews more effective and far easier to defend during an audit.

2. Connect LastPass to your identity provider

If you haven't already, connect LastPass to your identity provider. LastPass integrates with Microsoft Entra ID, Google Workspace, Okta, Active Directory, and OneLogin, so your user data syncs automatically.

The AD Connector syncs user profiles in real time, so you're always working with current data when you run your reviews.

This means when someone joins your company or changes roles, their LastPass access updates to match. When someone leaves and you remove them from your directory, their LastPass access goes away too. No more orphaned accounts sitting around.

3. Pull access reports from the LastPass Admin Console

Log in to your LastPass Admin Console and head to the reporting section. From here, you can pull reports showing all your users, their access levels, and recent activity.

This saves you from building spreadsheets manually or chasing down information from different systems. The data is already there, organized and ready to review.

You can filter by team, role, or activity level to focus on the areas that matter most. If you're reviewing a specific department, you can pull just that group instead of sorting through everyone.

4. Review the Security Dashboard for red flags

The LastPass Security Dashboard highlights the issues you should pay attention to. It flags weak passwords, reused credentials, and old passwords that haven't been updated in a while.

Look for dormant accounts that haven't been used in 30, 60, or 90 days. These might belong to former contractors, employees who switched teams, or people who just stopped using a particular tool.

Dark web monitoring alerts you if any credentials have shown up in a third-party breach. If something gets flagged here, you'll want to address it right away.

5. Clean up issues directly in LastPass

Once you've identified problems, you can fix them right in the Admin Console. Remove users who shouldn't have access anymore, adjust permission levels, or revoke access to specific shared folders.

LastPass gives you four role types to work with: users, helpdesk admin, admin, and super admin. Each has different permissions, so you can give people the right level of access for their job without over-provisioning.

With 120 customizable security policies, you can also tighten up rules for things like password strength, multifactor authentication, and sharing permissions.

6. Export reports for compliance documentation

Auditors may want to see records of your access reviews. LastPass lets you export reports that show who had access, what changes were made, and when.

Keep these exports organized by review date so you can find them easily when audit time comes around. A simple folder structure by quarter or year works well.

If you need more advanced reporting, LastPass integrates with SIEM platforms like Splunk and Azure Sentinel. This lets you build custom reports and automate compliance tracking.

7. Set up recurring reports and alerts

Instead of starting fresh every quarter, set up automated reports that run on a schedule. This way, the data is ready when you need it.

You can also configure alerts to notify you when something changes, like a new user being added or someone's permissions getting updated. This helps you catch issues between formal reviews.

The goal is to make access reviews part of your regular routine rather than a scramble every few months.

How to review access for your other business tools

LastPass handles credential and password access, but your organization likely has other systems that need reviewing too, like your CRM, accounting software, or cloud platforms.

For these, you'll need to check access separately. Many of these tools have their own admin consoles and reporting features. The process is similar: pull a list of users, verify they still need access, and clean up anything outdated.

If your identity provider is connected to these systems, provisioning and deprovisioning may already be automated. Check your IdP's admin console to see what's synced and what needs manual review.

This is where LastPass Business Max goes further. SaaS Monitoring automatically discovers every AI and SaaS tool your employees are signing into with corporate credentials — including unapproved apps you may not know exist. Instead of chasing down unmanaged AI and other apps manually, you get visibility into what's actually being used. SaaS Protect then lets you act on that visibility: set usage rules, block unapproved tools, and flag duplicate subscriptions, all from one dashboard.

What should you look for during an access review?

Dormant accounts are a good place to start. These are accounts that haven't been used in 30, 60, or 90 days. They might belong to former contractors, employees who changed roles, or people who switched to a different tool.

Privilege creep is another thing to watch for. This happens when someone collects permissions over time as they move between projects or teams. Someone who moved from engineering to marketing six months ago may still have access to systems they no longer use.

Shared accounts can be tricky because multiple people use the same credentials, which makes it harder to track who did what. If you spot shared accounts, it's worth considering whether each person could have their own login instead.

Unapproved AI and SaaS tools are increasingly part of this picture. Employees often sign up for tools on their own using corporate credentials, which means access is happening outside your visibility entirely. LastPass Business Max's SaaS Monitoring surfaces these apps automatically, so you're not relying on self-reporting to know what's in use.

Beyond that, look for mismatches between job roles and access levels. Does an intern have admin permissions? Does someone in accounting have access to the developer tools? These gaps are easier to catch when you're comparing access against current job functions.

You'll also want to check for accounts with access to sensitive data, like customer records or financial systems. These deserve a closer look to make sure the access is still justified.
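As an added example that is not LastPass's code and not part of the original post, the following Python script runs the checks described in this section, and in steps 3 to 6 above, over a constructed access-report export: it buckets dormant accounts at the 30/60/90-day thresholds, flags roles that exceed a hypothetical per-team cap (the intern-with-admin case), detects privilege creep by comparing each role against a hypothetical snapshot from the previous review, and builds the dated record an auditor would ask for. The CSV column layout, the role ranking, the team caps, the previous-review snapshot and the sample rows are all assumptions made for the example.

```python
"""Triage an exported user-access report for the red flags an access review looks for.

Added example, not LastPass code: it assumes a CSV export with the columns
user, email, role, team, last_login (ISO date). The sample rows, the role
ranking, the per-team role caps and the previous-review snapshot are all
constructed for illustration.
"""
import csv
import io
import json
from datetime import date

# Constructed sample export (assumed column layout, not real LastPass output).
SAMPLE_EXPORT = """\
user,email,role,team,last_login
alice,alice@example.test,admin,engineering,2026-03-10
bob,bob@example.test,user,marketing,2026-01-10
carol,carol@example.test,super admin,finance,2026-02-28
dan,dan@example.test,admin,intern,2026-03-01
erin,erin@example.test,user,contractor,2025-09-15
"""

REVIEW_DATE = date(2026, 3, 18)  # review date assumed for the worked run

# The four role types named in the post, ranked by privilege (assumed order).
ROLE_RANK = {"user": 0, "helpdesk admin": 1, "admin": 2, "super admin": 3}

# Hypothetical policy: the highest role these teams should ever hold.
MAX_ROLE_FOR_TEAM = {"intern": "user", "contractor": "user"}

# Hypothetical snapshot kept from the previous review; a role that climbed
# since then is the signature of privilege creep and needs a manager's sign-off.
PREVIOUS_ROLES = {"alice": "user", "bob": "user", "carol": "super admin",
                  "dan": "user", "erin": "user"}

DORMANCY_THRESHOLDS = (90, 60, 30)  # the 30/60/90-day buckets from the post


def parse_export(text):
    """Parse the CSV export into dicts, converting last_login to a date."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["last_login"] = date.fromisoformat(row["last_login"])
    return rows


def dormant_bucket(last_login, today):
    """Return the largest threshold (90, 60 or 30) the account exceeds, else None."""
    idle_days = (today - last_login).days
    for threshold in DORMANCY_THRESHOLDS:
        if idle_days >= threshold:
            return threshold
    return None


def review(rows, today=REVIEW_DATE, previous_roles=PREVIOUS_ROLES):
    """Produce one finding per red flag: dormancy, role/team mismatch, privilege creep."""
    findings = []
    for row in rows:
        user, role, team = row["user"], row["role"], row["team"]
        bucket = dormant_bucket(row["last_login"], today)
        if bucket is not None:
            findings.append({"user": user, "issue": "dormant",
                             "detail": f"no login for {bucket}+ days",
                             "action": "confirm with manager; remove if no longer needed"})
        cap = MAX_ROLE_FOR_TEAM.get(team)
        if cap is not None and ROLE_RANK[role] > ROLE_RANK[cap]:
            findings.append({"user": user, "issue": "role mismatch",
                             "detail": f"{role} on team {team} (max allowed: {cap})",
                             "action": f"reduce to {cap} unless an exception is documented"})
        previous = previous_roles.get(user)
        if previous is not None and ROLE_RANK[role] > ROLE_RANK[previous]:
            findings.append({"user": user, "issue": "privilege change",
                             "detail": f"{previous} -> {role} since last review",
                             "action": "verify the change matches the current job function"})
    return findings


def audit_record(rows, findings, reviewer, today=REVIEW_DATE):
    """Build the record to keep for auditors: what was reviewed, by whom, and what was found."""
    return {"review_date": today.isoformat(), "reviewer": reviewer,
            "accounts_reviewed": len(rows), "findings": findings}


if __name__ == "__main__":
    users = parse_export(SAMPLE_EXPORT)
    found = review(users)
    # Print the dated record; store one such file per review period.
    print(json.dumps(audit_record(users, found, "it-admin@example.test"), indent=2))
```

Run as a script it prints the review record as JSON, one file per review period being the folder-by-quarter structure the post suggests. Pointing it at a real export means mapping that export's column names onto the ones assumed here; the privilege-creep check only works if the previous review's roles were kept, which is the practical reason step 6's exports matter beyond the audit itself.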

What are common access review mistakes to avoid?

Treating access reviews as a one-time project can cause problems down the road. Access changes constantly as people join, leave, and switch roles, so a regular review schedule helps you keep up.

Sparse documentation can make things harder during audits. Keeping records of what you found and what actions you took gives you something concrete to reference later.

Flagging issues without following through is another easy trap. Building cleanup time into your review process helps make sure the fixes happen while everything is still fresh.

Finally, reviewing in isolation can mean missing context. Looping in department managers or team leads helps you understand whether someone's access still makes sense for their current work.

How LastPass helps you run user access reviews

LastPass makes access reviews easier with built-in admin tools. The Admin Console shows you who has access to what, so you're not pulling data from multiple places and stitching it together yourself.

The Security Dashboard flags weak passwords, reused credentials, and dormant accounts. Dark web monitoring alerts you if any credentials show up in a third-party data breach. These features surface the issues that need attention so you can focus your review time on making decisions, not hunting for problems.

You get 120 customizable security policies and 4 admin role types: users, helpdesk admin, admin, and super admin. This lets you give people the right level of access for their job and delegate reviews to the people who know each area best.

LastPass is SOC 2 Type II, SOC 3, ISO 27001, and ISO 27701 certified, so the platform meets the same compliance standards you're working toward.

Try LastPass Business Max and see how it can simplify your next access review.

FAQs about user access reviews

LastPass is SOC 2 Type II certified, so the platform itself meets strict security standards. For your own compliance, LastPass supports access reviews with detailed reporting, customizable security policies, and automated provisioning through multifactor authentication and identity provider integrations.

Yes. The Admin Console includes detailed security and adoption reporting. You can see user activity, password health scores, and policy compliance across your organization. For more advanced needs, LastPass connects with SIEM platforms like Splunk and Azure Sentinel for custom reporting.

Head to your LastPass Admin Console and open the reporting section. Pull reports showing your users, their access levels, and recent activity. Review the Security Dashboard for red flags like dormant accounts or weak passwords. Make changes directly in the console and export reports for your compliance records.

A common approach is quarterly reviews for high-risk systems and annual reviews for everything else. Your schedule should fit your compliance needs and risk tolerance. With LastPass, you can set up automated reports to run on whatever schedule works for you.

Access reviews are internal check-ups where you verify that current permissions make sense. They're ongoing and proactive. Access audits are usually done by outside parties to confirm you're meeting regulations or standards. Auditors look at your review process and documentation to make sure you're following proper steps.

When people collect access over time or leave the company, their old accounts become weak spots. If those accounts get compromised, attackers can reach more than they should. Regular reviews help you catch unnecessary permissions and tighten things up before they become a problem.