SKILL.md — paste into Microsoft 365 Copilot or Claude
---
name: Starter Leaver Access Review
description: "Maps a user's SharePoint, Teams, group, mailbox, and app access and recommends an onboarding baseline or an audit-safe revocation order."
---
# Starter Leaver Access Review
> **TL;DR:** This skill produces a consolidated access map for a named user across SharePoint, Teams, Microsoft 365 Groups, distribution lists, mailbox delegations, and assigned apps, then recommends the onboarding baseline (starter) or the revocation order (leaver).
## How does the Starter Leaver Access Review skill consolidate a user's access?
This skill produces a single consolidated access map for a named user across SharePoint, Microsoft Teams, Microsoft 365 Groups, security groups, distribution lists, mailbox delegations, and assigned applications and licences. For leavers it recommends an audit-safe revocation order that blocks sign-in first to preserve evidence; for starters it compares against the role baseline and recommends the joining set. It draws on Microsoft Entra identity governance and supports Essential Eight ML2 evidence for Control 5.
## When should you run this skill?
- "Review access for a leaver"
- "Run a starter or leaver access review"
- "Prepare an offboarding access pack"
- "What does this user have access to?"
## How this skill works, step by step
1. Confirm the user (UPN, employee ID) and the direction (Starter or Leaver)
2. Enumerate SharePoint site memberships and permission levels
3. Enumerate Teams memberships and channel ownership
4. Enumerate Microsoft 365 Groups, security groups, and distribution lists
5. Enumerate mailbox delegations (Send As, Send on Behalf, Full Access)
6. Enumerate assigned licences and application access
7. For Leavers: order revocations as sign-in block, licence reclaim, group removal, delegation removal, mailbox conversion, SharePoint membership removal
8. For Starters: compare against the role baseline and recommend the joining set
9. Produce the access map below
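As an added example (not the skill's own code, nor anything from the HybridSP catalogue), the PowerShell below walks steps 2 to 9 for one user with Microsoft Graph PowerShell and Exchange Online PowerShell, building the read-only access map and tagging each row with its position in the leaver revocation order. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that `$Upn` is the leaver's UPN; direct SharePoint site permissions (step 6) are left to SharePoint admin tooling.

```powershell
# Added example, not the skill's own code: read-only access map for one user via Microsoft Graph
# PowerShell and Exchange Online PowerShell, each row tagged with its step in the skill's leaver
# revocation order. Assumes Microsoft.Graph and ExchangeOnlineManagement modules are installed.
param([Parameter(Mandatory)][string]$Upn)
Connect-MgGraph -Scopes 'User.Read.All','Group.Read.All','Directory.Read.All',
    'Application.Read.All','Team.ReadBasic.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false
$user = Get-MgUser -UserId $Upn -Property Id,DisplayName,UserPrincipalName
$rows = @()
function New-Row($Type, $Resource, $Role, $Step) {
    [pscustomobject]@{ ResourceType = $Type; Resource = $Resource
                       'Role / Permission' = $Role; Action = "Revoke (step $Step)" }
}
# Step 1: the account itself; sign-in is blocked before any reclaim so audit evidence survives.
$rows += New-Row 'Account' $user.UserPrincipalName 'Sign-in enabled' 1
# Step 2: licences, listed by SKU part number.
foreach ($lic in Get-MgUserLicenseDetail -UserId $user.Id) {
    $rows += New-Row 'Licence' $lic.SkuPartNumber 'Assigned' 2
}
# Step 3: Microsoft 365 Groups, security groups, distribution lists, Teams and apps.
foreach ($g in Get-MgUserMemberOf -UserId $user.Id -All) {
    $p = $g.AdditionalProperties
    if ($p['@odata.type'] -ne '#microsoft.graph.group') { continue }   # skip directory roles
    $kind = if ($p['groupTypes'] -contains 'Unified') { 'Microsoft 365 Group' }
            elseif ($p['securityEnabled']) { 'Security group' } else { 'Distribution list' }
    $rows += New-Row $kind $p['displayName'] 'Member' 3
}
foreach ($t in Get-MgUserJoinedTeam -UserId $user.Id) { $rows += New-Row 'Team' $t.DisplayName 'Member' 3 }
foreach ($a in Get-MgUserAppRoleAssignment -UserId $user.Id -All) { $rows += New-Row 'Application' $a.ResourceDisplayName 'Assigned' 3 }
# Step 4: delegations the user holds on other mailboxes (Exchange Online, not Graph).
# Walking every mailbox is slow on large tenants; narrow Get-Mailbox with -Filter if needed.
$exoUser = Get-User -Identity $Upn
foreach ($m in Get-Mailbox -ResultSize Unlimited) {
    $full = Get-MailboxPermission -Identity $m.Identity -User $Upn -ErrorAction SilentlyContinue |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited }
    if ($full) { $rows += New-Row 'Mailbox' $m.PrimarySmtpAddress 'Full Access' 4 }
    if ($m.GrantSendOnBehalfTo -contains $exoUser.Identity) {
        $rows += New-Row 'Mailbox' $m.PrimarySmtpAddress 'Send on Behalf' 4
    }
}
foreach ($s in Get-RecipientPermission -Trustee $Upn -AccessRights SendAs) {
    $rows += New-Row 'Mailbox' $s.Identity 'Send As' 4
}
# Step 5: the leaver's own mailbox, converted to shared once delegations are cleared. Direct
# SharePoint permissions (step 6) need SharePoint admin tooling; group-connected sites are above.
$rows += New-Row 'Mailbox' $Upn 'Owner' 5
$rows | Sort-Object Action | Format-Table -AutoSize
"Total resources: $($rows.Count)"
```

The script only reads; every row's Action is a recommendation for the operator, matching the skill's read-only scope.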
## Output format
| Resource Type | Resource | Role / Permission | Action |
Followed by:
- Total resources: N
- Recommended revocation order (Leaver) OR recommended joining set (Starter)
- Estimated licence cost change (AUD)
## Scope and safety
Read-only — recommendations only. This skill does NOT:
- Revoke or grant access (read-only — recommendations only)
- Disable the user account
- Reset passwords or revoke sessions
## Licensing and permissions
### Licences and add-ons
| Capability used | Minimum licence |
| --- | --- |
| Reading Entra ID users, group, role, and app assignments | Microsoft Entra ID P1 |
| Reviewing assigned Microsoft 365 licences and app access | Microsoft 365 subscription with assigned licences |
| Reading mailbox delegations (Full Access, Send As, Send on Behalf) | Exchange Online (Microsoft 365) |
### Least-privilege roles
- Global Reader — read-only visibility across Entra ID, groups, roles, and licences
- Security Reader — read-only access to identity and access posture
- Exchange recipient read access (for example View-Only Recipients) — to enumerate mailbox delegations
### Microsoft Graph permissions (read-only)
- `Directory.Read.All` — reads users, group memberships, security groups, and assigned licences
- `User.Read.All` — reads the target user profile and assignments
- `Group.Read.All` — reads Microsoft 365 Group, security group, and distribution list membership
- `Sites.Read.All` — reads SharePoint site memberships and permission levels
- `Team.ReadBasic.All` — reads Teams membership and channel ownership
- `Application.Read.All` — reads assigned application access and service principals
- `AuditLog.Read.All` — reads sign-in and audit activity to support audit-safe revocation ordering
Mailbox delegations (Full Access, Send As, Send on Behalf) are enumerated via Exchange Online PowerShell rather than Microsoft Graph.
## Sources and compliance
- For leavers, the revocation order is designed to preserve audit evidence (block sign-in first, then reclaim) — pair with the Inactive Licence Recovery Report for spend impact
- Reference: [Revoke user access in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/users/users-revoke-access)
- Supports E8 ML2 evidence for Control 5 (Restrict Administrative Privileges) and the joiner-mover-leaver portion of the ISM personnel security family
- Run as part of the standard onboarding and offboarding checklist
- Output in Australian English
How to use this skill
- Get the file. Download or copy the SKILL.md from the panel above.
- Load it into your host:
  - Microsoft 365 Copilot / Copilot Studio — add it as the instructions of a declarative agent or Copilot Studio agent.
  - Claude (Cowork / Claude Code) — drop the file into your skills folder; it loads as an Agent Skill automatically.
  - Any chat host — paste the file contents as your prompt.
- Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed under Licensing and permissions.
- Provide your tenant scope and run it (a site, a collection, or the whole tenant).
- Review the report and action the risk-ranked recommendations.
This skill is read-only by default — it inspects and reports, and never changes your tenant.
Licensed under CC BY 4.0 by Educ4te . Adapted from the open HybridSP skills catalogue.