Access Management

Access creep: what it is and how to stop it in Entra ID


6 May 2026 · 6 min read · Daniel Persson

Pull up the access list for someone who's been at your company five years. Take a real look. Half those permissions are from projects that ended in 2023. Sites they joined for one meeting. Shared mailboxes they were added to "just in case."

This is access creep. The slow accumulation of permissions a person picked up over time and never lost. Nobody designed it. Nobody approved most of it on purpose. It just grew.

How it actually happens

Somebody joins a new project. Gets added to a SharePoint site, a Teams group, two shared mailboxes, maybe a license bundle. Project ends. Access stays.

Then they change roles. They get the new permissions for the new role. The old ones stay too, because nobody owns that cleanup.

Then they cover for a colleague on parental leave. Temporary access to a finance group. Colleague comes back. Temporary access is now permanent.

Now multiply that by every employee, every project, every leave cover. Add every "can you give me access real quick" Teams message over four years. That's your access list today.

Why nobody catches it

Manual provisioning is built for adding access, not removing it. When a project ends, there's no Jira ticket that says "remove eight people from this SharePoint site." When someone changes role, the old manager assumes the new manager is cleaning up. The new manager assumes the old one already did.

And honestly, for a while it works fine. Nothing breaks. The user has more access than they need, but they're not malicious, so nothing happens.

Then somebody quits, or clicks a phishing link, or you get audited. Suddenly the access list everyone ignored is the only thing anyone is looking at.

What it actually costs you

Three specific things.

First, audit findings. Any auditor doing a serious sample of user access in Entra ID will find people with permissions they don't need. ISO 27001 calls that a control failure. You get to write a corrective action plan.

Second, breach blast radius. If an account is compromised, the attacker gets everything that user can reach. Picture a finance person. They have access to four old project sites. Two shared mailboxes from a previous role. A Teams group from a vendor onboarding two years ago. That's a much bigger problem than a finance person with finance access.

Third, licenses. People collect Entra ID P1, Intune, and app licenses as they move between roles. A 200-person company can easily be paying for 30 to 50 licenses nobody actually uses.

Cleaning it up without losing a month

Don't try to clean up everything. You'll burn out and quit halfway through.

Pick the riskiest 10 percent and start there. That's usually people who changed roles in the last 24 months. People in privileged groups. Shared mailboxes with more than five members.

Pull the current access list per user. Show it to their manager. Ask one question. "Is any of this still needed?"

Most managers look at the list and say "no, kill half of that."

Do this once a quarter for the high-risk group. Once a year for everyone else. Write down what you removed and why. That's your audit trail.
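The review pack described above, as an added example that is not Adcyma's code or part of the original post. It uses the Microsoft Graph PowerShell SDK and the Exchange Online Management module (assumed installed, read-only directory rights assumed) to pick the same three groups the post names, pull each person's current group, role and shared-mailbox access, and write one CSV per manager with empty "still needed / reason / reviewed on" columns. Entra keeps no job-title history, so the "changed roles in the last 24 months" criterion is read from an assumed HR export (`hr-role-changes.csv`). The script only reads and exports; nothing is removed.

```powershell
# Added example, not Adcyma's code. Builds the quarterly review pack for the
# riskiest group using the Microsoft.Graph and ExchangeOnlineManagement modules
# (assumed installed; the signed-in reviewer needs read-only directory rights).
# It only reads and exports: removal stays a decision the manager records.

Connect-MgGraph -Scopes "User.Read.All","Group.Read.All","Directory.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$today  = Get-Date
$outDir = Join-Path (Get-Location) ("access-review-" + $today.ToString("yyyy-MM-dd"))
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$inScope     = @{}   # UPN -> reasons the user is in the riskiest 10 percent
$delegations = @{}   # UPN -> shared mailboxes the user has FullAccess to

function Add-Reason([string]$upn, [string]$why) {
    if (-not $upn) { return }
    if (-not $inScope.ContainsKey($upn)) { $inScope[$upn] = [System.Collections.Generic.List[string]]::new() }
    $inScope[$upn].Add($why)
}

# Criterion 1: members of any activated directory role count as "privileged groups"
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        if ($m.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user') {
            Add-Reason $m.AdditionalProperties['userPrincipalName'] "Directory role: $($role.DisplayName)"
        }
    }
}

# Criterion 2: shared mailboxes with more than five FullAccess delegates.
# Exchange reports user grants by UPN; grants to groups fail to resolve and are skipped below.
foreach ($mbx in Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    $delegates = @(Get-EXOMailboxPermission -Identity $mbx.Identity |
        Where-Object { $_.User -ne 'NT AUTHORITY\SELF' -and $_.AccessRights -contains 'FullAccess' })
    foreach ($d in $delegates) {
        if (-not $delegations.ContainsKey($d.User)) { $delegations[$d.User] = @() }
        $delegations[$d.User] += $mbx.PrimarySmtpAddress
        if ($delegates.Count -gt 5) {
            Add-Reason $d.User "Shared mailbox with $($delegates.Count) delegates: $($mbx.PrimarySmtpAddress)"
        }
    }
}

# Criterion 3: role changes in the last 24 months. Entra keeps no job-title history,
# so this comes from an assumed HR export with columns UserPrincipalName,RoleChangedOn.
$hrFile = ".\hr-role-changes.csv"
if (Test-Path $hrFile) {
    Import-Csv $hrFile | Where-Object { [datetime]$_.RoleChangedOn -gt $today.AddMonths(-24) } |
        ForEach-Object { Add-Reason $_.UserPrincipalName "Role changed $($_.RoleChangedOn)" }
}

function New-Row($user, $mgr, $why, $kind, $access) {
    [pscustomobject]@{
        User = $user.UserPrincipalName; JobTitle = $user.JobTitle; Manager = $mgr
        WhyInScope = $why; Kind = $kind; Access = $access
        StillNeeded = ''; Reason = ''; ReviewedOn = ''   # the manager fills these in
    }
}

# Pull the current access list for everyone in scope
$rows = foreach ($upn in $inScope.Keys) {
    try { $user = Get-MgUser -UserId $upn -Property Id,DisplayName,UserPrincipalName,JobTitle -ErrorAction Stop }
    catch { Write-Warning "Skipping '$upn': not a resolvable user (group grant or stale entry)"; continue }
    $mgr = ''
    try { $mgr = (Get-MgUserManager -UserId $user.Id -ErrorAction Stop).AdditionalProperties['userPrincipalName'] } catch { }
    $why = $inScope[$upn] -join '; '
    foreach ($obj in Get-MgUserMemberOf -UserId $user.Id -All) {
        $kind = $obj.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
        New-Row $user $mgr $why $kind $obj.AdditionalProperties['displayName']
    }
    foreach ($mb in $delegations[$upn]) { New-Row $user $mgr $why 'sharedMailboxFullAccess' $mb }
}

# One combined file for the audit trail, plus one file per manager to send out
$rows | Export-Csv (Join-Path $outDir "review-pack.csv") -NoTypeInformation -Encoding UTF8
$rows | Group-Object Manager | ForEach-Object {
    $name = if ($_.Name) { $_.Name -replace '[^\w.@-]', '_' } else { 'no-manager' }
    $_.Group | Export-Csv (Join-Path $outDir "$name.csv") -NoTypeInformation -Encoding UTF8
}
"$($inScope.Count) users in scope, $(@($rows).Count) access rows written to $outDir"
```

The combined `review-pack.csv`, once the managers have filled in the last three columns, is the "what you removed and why" record the post asks for. Two limits worth knowing: `Get-MgDirectoryRole` only shows roles that are currently active, so PIM-eligible assignments are not in the privileged set, and the membership list does not include SharePoint site permissions granted outside Entra groups.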

The bit nobody mentions: you also need triggers. Role change. Project end. Leave start. Leave end. Contractor end date. If access doesn't get reviewed at those moments, creep just rebuilds itself.
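The triggers, as an added example that is not Adcyma's code or part of the original post. Entra does not record "role changed" as an event, so this assumed weekly job watches the directory audit log for user updates that touched JobTitle or Department, reads the `employeeLeaveDateTime` attribute as the contractor end date (assumed to be maintained by HR), and takes leave start, leave end and project end from an assumed HR/PMO export (`lifecycle-events.csv`). It appends each new trigger to a review queue; the actual review is the per-user list exercise described above. Audit log retention in Entra is limited (30 days on P1/P2), so the job must run more often than that.

```powershell
# Added example, not Adcyma's code. Turns lifecycle events into a review queue.
# Assumes Microsoft.Graph is installed, the caller holds AuditLog.Read.All and
# User-LifeCycleInfo.Read.All, and HR keeps employeeLeaveDateTime up to date.
# Run at least weekly: Entra's audit log only covers a limited window.

Connect-MgGraph -Scopes "AuditLog.Read.All","User.Read.All","User-LifeCycleInfo.Read.All" -NoWelcome

$lookbackDays = 7     # how far back to look for changes and HR events
$horizonDays  = 14    # how far ahead to look for end dates
$since = (Get-Date).AddDays(-$lookbackDays).ToUniversalTime().ToString("o")

$queue = [System.Collections.Generic.List[object]]::new()
function Add-Trigger($upn, $trigger, $detail) {
    if (-not $upn) { return }
    $queue.Add([pscustomobject]@{ User = $upn; Trigger = $trigger; Detail = $detail; Status = 'open' })
}

# Trigger: role change. Taken from "Update user" audit entries whose modified
# properties include JobTitle or Department (old/new values are JSON-encoded strings).
$watched = 'JobTitle','Department'
$updates = Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Update user' and activityDateTime ge $since"
foreach ($entry in $updates) {
    foreach ($target in $entry.TargetResources) {
        foreach ($p in @($target.ModifiedProperties | Where-Object { $_.DisplayName -in $watched })) {
            Add-Trigger $target.UserPrincipalName 'Role change' "$($p.DisplayName): $($p.OldValue) -> $($p.NewValue)"
        }
    }
}

# Trigger: contractor end date. Read the lifecycle attribute and filter locally.
$cutoff = (Get-Date).AddDays($horizonDays)
foreach ($u in Get-MgUser -All -Property "id,userPrincipalName,employeeLeaveDateTime") {
    if ($u.EmployeeLeaveDateTime -and $u.EmployeeLeaveDateTime -le $cutoff) {
        Add-Trigger $u.UserPrincipalName 'End date' "leaves $($u.EmployeeLeaveDateTime.ToString('yyyy-MM-dd'))"
    }
}

# Triggers the directory cannot see (leave start, leave end, project end): assumed
# HR/PMO export with columns UserPrincipalName,Event,EventDate
$eventsFile = ".\lifecycle-events.csv"
if (Test-Path $eventsFile) {
    Import-Csv $eventsFile | Where-Object { [datetime]$_.EventDate -ge (Get-Date).AddDays(-$lookbackDays) } |
        ForEach-Object { Add-Trigger $_.UserPrincipalName $_.Event $_.EventDate }
}

# Append to the queue without duplicating triggers already recorded
$queueFile = ".\access-review-queue.csv"
$existing = @(if (Test-Path $queueFile) { Import-Csv $queueFile })
$new = @($queue | Where-Object {
    $item = $_
    -not ($existing | Where-Object { $_.User -eq $item.User -and $_.Trigger -eq $item.Trigger -and $_.Detail -eq $item.Detail })
})
$existing + $new | Export-Csv $queueFile -NoTypeInformation -Encoding UTF8
"$($new.Count) new review triggers queued in $queueFile"
```

Each row in `access-review-queue.csv` stays `open` until someone has pulled that user's access list and had the manager answer "is any of this still needed?", then it is marked closed. The queue file is also the evidence that reviews happen at the moments the post lists, not only on the quarterly cycle.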

A quieter way to do this

Full transparency, this is our product, so take it with the appropriate context. Adcyma handles the Entra ID lifecycle triggers and access reviews. No six-month rollout like the enterprise IGA tools want. If you're tired of doing this in spreadsheets, have a look.

