---
name: Starter Leaver Access Review
description: "Maps a user's SharePoint, Teams, group, mailbox, and app access and recommends an onboarding baseline or an audit-safe revocation order."
---

# Starter Leaver Access Review

> **TL;DR:** This skill produces a consolidated access map for a named user across SharePoint, Teams, Microsoft 365 Groups, distribution lists, mailbox delegations, and assigned apps, then recommends the onboarding baseline (starter) or the revocation order (leaver).

## How does the Starter Leaver Access Review skill consolidate a user's access?

This skill produces a single consolidated access map for a named user across SharePoint, Microsoft Teams, Microsoft 365 Groups, security groups, distribution lists, mailbox delegations, and assigned applications and licences. For leavers it recommends an audit-safe revocation order that blocks sign-in first so that sign-in and audit evidence is preserved before anything is reclaimed; for starters it compares the user's current access against the role baseline and recommends the joining set. It draws on Microsoft Entra identity governance and supports Essential Eight ML2 evidence for Control 5 (Restrict Administrative Privileges).

## When should you run this skill?

- "Review access for a leaver"
- "Run a starter or leaver access review"
- "Prepare an offboarding access pack"
- "What does this user have access to?"

## How this skill works, step by step

1. Confirm the user (UPN, employee ID) and the direction (Starter or Leaver)
2. Enumerate SharePoint site memberships and permission levels
3. Enumerate Teams memberships and channel ownership
4. Enumerate Microsoft 365 Groups, security groups, and distribution lists
5. Enumerate mailbox delegations (Send As, Send on Behalf, Full Access)
6. Enumerate assigned licences and application access
7. For Leavers: order revocations as sign-in block first, then licence reclaim, group removal, delegation removal, mailbox conversion, and SharePoint membership removal
8. For Starters: compare against the role baseline and recommend the joining set
9. Produce the access map below

## Output format

| Resource Type | Resource | Role / Permission | Action |
| --- | --- | --- | --- |

Followed by:

- Total resources: N
- Recommended revocation order (Leaver) OR recommended joining set (Starter)
- Estimated licence cost change (AUD)

## Scope and safety

Read-only — recommendations only. This skill does NOT:

- Revoke or grant access
- Disable the user account
- Reset passwords or revoke sessions

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Reading Entra ID users, group, role, and app assignments | Microsoft Entra ID P1 |
| Reviewing assigned Microsoft 365 licences and app access | Microsoft 365 subscription with assigned licences |
| Reading mailbox delegations (Full Access, Send As, Send on Behalf) | Exchange Online (Microsoft 365) |

### Least-privilege roles

- Global Reader — read-only visibility across Entra ID, groups, roles, and licences
- Security Reader — read-only access to identity and access posture
- Exchange recipient read access (for example View-Only Recipients) — to enumerate mailbox delegations

### Microsoft Graph permissions (read-only)

- `Directory.Read.All` — reads users, group memberships, security groups, and assigned licences
- `User.Read.All` — reads the target user profile and assignments
- `Group.Read.All` — reads Microsoft 365 Group, security group, and distribution list membership
- `Sites.Read.All` — reads SharePoint site memberships and permission levels
- `Team.ReadBasic.All` — reads Teams membership and channel ownership
- `Application.Read.All` — reads assigned application access and service principals
- `AuditLog.Read.All` — reads sign-in and audit activity to support audit-safe revocation ordering

Mailbox delegations (Full Access, Send As, Send on Behalf) are enumerated via Exchange Online PowerShell rather than Microsoft Graph.
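As an added example (not part of this skill), the script below performs the Exchange Online PowerShell step described above: it enumerates the Full Access, Send As, and Send on Behalf delegations a named user holds on other mailboxes and emits them as rows of the access-map table. It assumes an existing `Connect-ExchangeOnline` session under a recipient read role such as View-Only Recipients; `$Upn` is a placeholder supplied by the caller.

```powershell
# Added example: read-only enumeration of the delegations a user HOLDS on other
# mailboxes, printed in the skill's access-map table format. Makes no changes.
param(
    [Parameter(Mandatory)][string]$Upn,                       # placeholder, e.g. leaver@contoso.example
    [ValidateSet('Starter', 'Leaver')][string]$Direction = 'Leaver'
)

$Action = if ($Direction -eq 'Leaver') { 'Remove delegation' } else { 'Confirm against role baseline' }
$user   = Get-Recipient -Identity $Upn -ErrorAction Stop
$rows   = New-Object System.Collections.Generic.List[object]

function Add-Row([string]$Resource, [string]$Role) {
    $rows.Add([pscustomobject]@{ ResourceType = 'Mailbox'; Resource = $Resource; Role = $Role; Action = $Action })
}

# Full Access: there is no trustee-side lookup, so every mailbox is checked for an
# explicit (non-inherited, non-deny) ACE for this user. Tenant-wide scan; slow on large tenants.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    Get-MailboxPermission -Identity $mbx.Identity -User $Upn -ErrorAction SilentlyContinue |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and $_.AccessRights -contains 'FullAccess' } |
        ForEach-Object { Add-Row $mbx.PrimarySmtpAddress 'Full Access' }
}

# Send As: recipient permissions can be queried by trustee directly.
Get-RecipientPermission -Trustee $Upn -ResultSize Unlimited |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRights -contains 'SendAs' } |
    ForEach-Object { Add-Row $_.Identity 'Send As' }

# Send on Behalf: GrantSendOnBehalfTo is filterable by distinguished name.
# Single quotes in the DN (e.g. O'Brien) are doubled so the filter string stays valid.
$dn = $user.DistinguishedName.Replace("'", "''")
Get-Mailbox -ResultSize Unlimited -Filter "GrantSendOnBehalfTo -eq '$dn'" |
    ForEach-Object { Add-Row $_.PrimarySmtpAddress 'Send on Behalf' }

# Emit the skill's table and the resource total.
'| Resource Type | Resource | Role / Permission | Action |'
'| --- | --- | --- | --- |'
$rows | ForEach-Object { "| $($_.ResourceType) | $($_.Resource) | $($_.Role) | $($_.Action) |" }
"- Total resources: $($rows.Count)"
```

Delegations held by others on the leaver's own mailbox are a separate question (they matter at the mailbox-conversion step) and are read with the same cmdlets against the leaver's mailbox identity.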

## Sources and compliance

- For leavers, the revocation order is designed to preserve audit evidence (block sign-in first, then reclaim) — pair with the Inactive Licence Recovery Report for spend impact
- Reference: [Revoke user access in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/users/users-revoke-access)
- Supports E8 ML2 evidence for Control 5 (Restrict Administrative Privileges) and the joiner-mover-leaver portion of the ISM personnel security family
- Run as part of the standard onboarding and offboarding checklist
- Output in Australian English
