Vendor access control (least privilege + offboarding)
Most small businesses accumulate vendor access over time and never clean it up. The result is “ghost access”—accounts and permissions that stay active long after a project ends.
This guide gives you a simple access model and offboarding checklist you can implement immediately.
If you want help tightening access across Microsoft 365, vendor portals, and endpoints, start with MSP Cybersecurity or request a security audit. To understand how incidents and access mistakes impact operations, use the Downtime Cost Calculator.
We can quickly review your setup and show you what’s working and what needs improvement.
Use the IT Cost Savings Calculator to estimate annual waste from recurring support drag, outages, emergency work, and security cleanup before you pitch the fix internally.
The vendor risk pattern (what goes wrong)
- Shared logins get reused and never rotated
- Vendor accounts keep admin access “just in case”
- Offboarding is informal, so access stays open
- No one owns the quarterly review
Least-privilege roles (what vendors should and shouldn’t have)
The baseline rule: vendors should have their own named account and the minimum role required for the task.
- Do: scoped roles, separate accounts, time-bound access, MFA
- Don’t: shared admin logins, permanent global admin, no audit trail
Time-bound access + approvals
If a vendor only needs access for a migration or project window, make it time-bound. The goal is a default-off posture.
Offboarding checklist
- Disable the vendor user account(s) immediately
- Remove roles and group memberships
- Rotate any shared credentials they touched (better: eliminate them)
- Review mailbox forwarding rules and admin audit logs
- Document what was removed and why
Quarterly access review routine
Once per quarter, list every vendor and what access they have. Remove anything that doesn’t map to an active deliverable.
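The rules above (named account, MFA, time-bound access, no permanent admin, and every grant mapped to an active deliverable) can be turned into a repeatable quarterly check. The script below is an added example, not part of this guide or any specific tool; the vendor inventory and deliverable list are constructed sample data, and the column names are assumptions you would adapt to your own export.

```python
"""Quarterly vendor access review: flag 'ghost access' against the guide's rules."""
from datetime import date

# Roles treated as privileged. A permanent grant of one of these to a vendor
# violates the "no permanent global admin" rule. (Assumed list; adjust to your tenant.)
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator", "Domain Admin"}

# Constructed sample inventory: one entry per vendor account + role grant.
SAMPLE_ACCESS = [
    {"account": "acme-migrate@vendor.example", "shared": False, "mfa": True,
     "role": "Exchange Administrator", "expires": "2024-03-31", "deliverable": "M365 migration"},
    {"account": "payroll-ops@vendor.example", "shared": False, "mfa": True,
     "role": "Accounting Operator", "expires": "2024-12-31", "deliverable": "Payroll support"},
    {"account": "shared-admin@example.com", "shared": True, "mfa": False,
     "role": "Global Administrator", "expires": None, "deliverable": ""},
    {"account": "dns-edit@vendor.example", "shared": False, "mfa": True,
     "role": "DNS Zone Editor", "expires": "2025-01-15", "deliverable": "Website relaunch"},
]
# Constructed list of work still in progress, with each deliverable's end date.
ACTIVE_DELIVERABLES = {"M365 migration": date(2024, 3, 31), "Payroll support": date(2024, 12, 31)}


def review_vendor_access(entries, active_deliverables, today):
    """Return {account: [reasons]} for every grant that should be removed or fixed."""
    findings = {}
    for e in entries:
        reasons = []
        if e["shared"]:
            reasons.append("shared login (no accountability)")
        if not e["mfa"]:
            reasons.append("MFA not enforced")
        if e["expires"] is None:
            # No end date: a privileged role with no expiry is the worst case.
            reasons.append("permanent admin role" if e["role"] in PRIVILEGED_ROLES else "no end date")
        elif date.fromisoformat(e["expires"]) < today:
            reasons.append("access window expired")
        end = active_deliverables.get(e["deliverable"])
        if end is None or end < today:
            # Access that does not map to active work is the definition of ghost access.
            reasons.append("no active deliverable")
        if reasons:
            findings[e["account"]] = reasons
    return findings


if __name__ == "__main__":
    for account, reasons in review_vendor_access(SAMPLE_ACCESS, ACTIVE_DELIVERABLES, date(2024, 6, 30)).items():
        print(f"{account}: {'; '.join(reasons)}")
```

Each flagged account becomes a line item for the offboarding checklist above; an empty result for an account means the grant still maps to active, time-bound, named and MFA-protected work.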
Local help (Clearwater)
If you want hands-on help cleaning up access and implementing a repeatable process, see IT Support in Clearwater.
FAQ
Should vendors use our accounts or their own?
Use their own named account with MFA. Shared accounts kill accountability and make clean offboarding harder.
How do we handle emergency access?
Use time-bound access with approvals and log every use. Emergency access should be rare, documented, and reviewed.
What systems need strict vendor control?
Email/admin platforms, domain/DNS, backups, accounting, remote access tools, and anything that can change payments or identity.