Qutzl Insights

Tutorial

Vendor access offboarding checklist

Contractors and MSPs change. Make sure their VPN, admin, and SaaS access changes with them.

1 min readBy Michael NarehoodSecurity

Advertisement

The project ended. The access did not. That is a common breach story.

1. Inventory where they could authenticate

VPN, RMM, Microsoft 365 guest accounts, firewall admin, hosting panels, password manager shares.

2. Disable in the same change window

Do not leave a vague “we’ll revoke Friday” sitting open for a week of forgotten portals.

3. Rotate shared secrets

Any password a vendor knew should be considered public to that vendor’s alumni.

4. Document what remains

If a vendor still monitors something, write it down. Ambiguity is how dual MSPs step on each other.

Need an access review? Open a ticket.