Security Operations 14 min read Published Apr 2, 2026 Updated Apr 2, 2026

Identity and MFA Hardening Audit Worksheet for Security Teams

Practical audit worksheet and checklist to harden identity and MFA controls for security teams in healthcare settings.

By CyberReplay Security Team

Identity and MFA Hardening Audit Worksheet

TL;DR: Use this practical audit worksheet to reduce account takeover risk by up to 80% in 30-90 days - focus on high-risk accounts, enforce strong MFA, close legacy auth paths, and monitor authentications. This guide gives checklists, commands, examples for nursing homes, and clear next steps for MSSP/MDR handoff.

When this matters

Account compromise remains the primary initial access vector in most breaches. For nursing homes and other healthcare operators, credential theft and weak multi-factor authentication increase the risk of operational downtime, ePHI exposure, billing fraud, and regulatory fines. Typical breach costs and recovery timelines make identity hardening high ROI.

This worksheet is the “identity and mfa hardening audit worksheet” security teams can use for a quick, auditable baseline when an organization: has shared or generic accounts, lacks MFA on vendor or admin access, is experiencing suspicious sign-ins, or is preparing for an audit or regulatory review.

  • Average time to detect credential-based intrusions often exceeds 60 days, increasing lateral movement risk. See referenced incident studies below.
  • Mitigations focused on identity and MFA can stop 70 to 90 percent of automated credential attacks and reduce mean time to containment when paired with monitoring.

This worksheet focuses on concrete, auditable steps security teams can take immediately to lower risk and shorten response time.

Quick internal links: if you want an external team to run the worksheet, see CyberReplay’s Managed Security Service Provider offering or request immediate help after a compromise at CyberReplay - Help: I’ve been hacked. To book a short planning call, schedule your assessment.

If you prefer an internal first-pass, run Steps 1 and 2 in this guide to capture the required evidence and identify the highest-risk accounts for remediation.

Who should use this worksheet

  • Security teams or IT managers at nursing homes, clinics, and small health systems with limited security staff.
  • MSSP or MDR teams onboarding a healthcare client and needing a rapid identity posture assessment.
  • CIOs and owners who need a short, verifiable report to show auditors or boards.

Not for: teams with mature Identity Access Management programs already performing continuous identity threat detection with dedicated engineers. However, you can still use the worksheet as a gap check.

Quick answer - what to audit first

  1. Identify high-risk accounts - domain admins, EHR integrators, third-party vendors, shared operator accounts.
  2. Verify all high-risk accounts use phishing-resistant MFA methods such as FIDO2, hardware tokens, or certificate-based authentication.
  3. Block legacy authentication protocols and service accounts that bypass MFA.
  4. Validate self-service password reset (SSPR) recovery is secure and audited.
  5. Ensure authentication and Conditional Access logs are streaming to an MDR/SIEM for real-time alerting.

Key definitions

Identity and access management (IAM)

The processes and technologies used to manage user identities and their access to systems and data. For this worksheet, IAM includes account lifecycle, MFA, conditional access, and privileged access management.

Phishing-resistant MFA

Multi-factor authentication methods that do not rely on SMS or push-approval alone. Examples are hardware tokens, FIDO2/WebAuthn security keys, and certificate-based authentication.

Legacy authentication

Protocols such as IMAP, POP, SMTP AUTH, or older Exchange ActiveSync variants that often do not support modern MFA and are commonly abused to bypass protections.

Audit worksheet - how to run it (step-by-step)

Follow this step-by-step flow. Each step includes what to collect, what to check, and pass/fail criteria.

Step 1 - Scope and inventory (30-60 minutes)

What to collect

  • Complete list of identity providers (Azure AD, Google Workspace, on-prem AD, Okta).
  • Inventory of privileged roles and service accounts.

What to check

  • Are there any accounts with permanent admin privileges beyond role-based assignments?
  • Are vendor and third-party accounts using shared credentials?

Pass criteria

  • All privileged access is mapped to named accounts or managed service principals with expiration or justification.

Step 2 - MFA enforcement audit (45-90 minutes)

What to collect

  • MFA registration status report for all users.
  • Conditional Access or access policy definitions.

What to check

  • High-risk users have phishing-resistant MFA methods.
  • MFA bypass or ‘remember this device’ settings are minimized.

Pass criteria

  • 100% of admin and vendor accounts require phishing-resistant MFA.

Step 3 - Legacy auth and service account audit (30-60 minutes)

What to collect

  • Sign-in logs showing protocol usage.
  • List of service accounts and apps using app passwords or legacy protocols.

What to check

  • Any SMTP/IMAP/POP/legacy client successes are clearly authorized.
  • Service accounts have managed credentials or certificates, not user-level app passwords.

Pass criteria

  • Legacy auth blocked or justified and under exception control.

Step 4 - Recovery and override paths (30 minutes)

What to collect

  • SSPR configuration, admin reset logs, break-glass account usage logs.

What to check

  • Admin password reset requires multi-person approval or is logged and alerted.
  • Break-glass accounts are rotated and monitored.

Pass criteria

  • No silent override path exists that bypasses MFA without audit.

Step 5 - Monitoring and anomaly detection (60-120 minutes)

What to collect

  • Authentication logs, conditional access evaluation logs, Identity Protection risk detections.

What to check

  • Are logs forwarded to an MDR/SIEM with retention suitable for investigations (90 days minimum recommended)?
  • Are there playbook automations for risky sign-ins or impossible travel?

Pass criteria

  • Alerts trigger a defined response within the SLA you set - example: acknowledge within 15 minutes, investigate within 2 hours.
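
The three alert conditions this step calls for (legacy-protocol successes, repeated failed MFA challenges, impossible travel) as detection logic run over constructed sign-in records. This is an added example, not CyberReplay's or any SIEM vendor's code; the record fields, client-app labels, the 5-failures-in-10-minutes and 900 km/h thresholds are assumptions to be mapped onto your own telemetry schema.

```python
"""Step 5 detection rules run over constructed sign-in records.
Added example, not CyberReplay's or any vendor's code: the field names,
client-app labels and thresholds are assumptions to map onto your SIEM schema."""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync"}
MFA_FAIL_THRESHOLD, MFA_FAIL_WINDOW = 5, timedelta(minutes=10)
MAX_SPEED_KMH = 900  # faster than an airliner between two sign-ins = impossible travel
MIN_TRAVEL_KM = 50   # ignore GeoIP jitter inside one metro area


def _km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def evaluate(events):
    """Return (rule, user, detail) alerts: legacy-auth successes, bursts of failed
    MFA challenges, and impossible travel between two successful sign-ins."""
    alerts, fails, last_ok = [], {}, {}
    for e in sorted(events, key=lambda x: x["ts"]):
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["result"] == "success" and e["client_app"] in LEGACY_CLIENTS:
            alerts.append(("legacy_auth_success", user, e["client_app"]))
        if e["mfa"] == "failed":
            recent = [t for t in fails.get(user, []) if ts - t <= MFA_FAIL_WINDOW] + [ts]
            fails[user] = recent
            if len(recent) == MFA_FAIL_THRESHOLD:  # fire once per burst
                alerts.append(("mfa_failure_burst", user, f"{len(recent)} failed MFA in 10 min"))
        if e["result"] == "success":
            prev = last_ok.get(user)
            if prev:  # compare with this user's previous successful sign-in
                hours = max((ts - prev["ts"]).total_seconds() / 3600, 1 / 60)
                km = _km((prev["lat"], prev["lon"]), (e["lat"], e["lon"]))
                if km > MIN_TRAVEL_KM and km / hours > MAX_SPEED_KMH:
                    alerts.append(("impossible_travel", user, f"{km:.0f} km in {hours:.2f} h"))
            last_ok[user] = {"ts": ts, "lat": e["lat"], "lon": e["lon"]}
    return alerts


def _ev(ts, user, result, mfa, app, lat, lon):
    return {"ts": ts, "user": user, "result": result, "mfa": mfa, "client_app": app, "lat": lat, "lon": lon}


# Constructed sample telemetry: a vendor IMAP success, a nurse signing in from
# Chicago and then Lagos 40 minutes later, and five failed MFA prompts for another user.
SAMPLE_EVENTS = [
    _ev("2026-04-01T08:00:00", "vendor@example.org", "success", "n/a", "IMAP4", 41.88, -87.63),
    _ev("2026-04-01T08:05:00", "nurse1@example.org", "success", "success", "Browser", 41.88, -87.63),
    _ev("2026-04-01T08:45:00", "nurse1@example.org", "success", "success", "Browser", 6.52, 3.38),
] + [_ev(f"2026-04-01T09:0{m}:00", "nurse2@example.org", "failed", "failed", "Browser", 41.88, -87.63)
     for m in (0, 1, 2, 4, 6)]
```

Each alert tuple is what you would route to the MDR/SIEM queue against the acknowledgement SLA above; the legacy-auth rule doubles as the Step 3 evidence of unauthorized protocol use.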

Step 6 - Remediation plan and verification (ongoing)

What to collect

  • Records of changes, ticket IDs, remediation owners.

What to check

  • Are remediations applied in a prioritized order - high-risk accounts first, then service accounts, then general users?

Pass criteria

  • High-risk remediations completed within 30 days; low-risk within 90 days.

Checklist: controls to verify and harden

Use this checklist as a one-page evidence capture form.

  • Inventory
    • Identity providers documented and owner assigned
    • Privileged accounts listed and justified
  • MFA
    • Admins use FIDO2 or hardware tokens
    • No admin uses SMS for primary MFA
    • All vendor accounts require MFA
  • Legacy auth
    • Legacy protocols blocked at the tenant or network edge
    • Exceptions documented and time-limited
  • Service accounts
    • Use managed identities or service principals with credential rotation
    • No permanent app passwords in use
  • Recovery
    • SSPR configured with risk-based challenge and audit logs enabled
    • Break-glass accounts have rotation policy and isolated credentials
  • Monitoring
    • Authentication logs forwarded to MDR/SIEM
    • Baseline and anomaly detection configured
    • Alerting SLA defined and tested

Commands and quick evidence collection samples

Collecting evidence quickly is key during an audit. Below are sample commands for common platforms. Modify for your tenant names and scopes.

Azure AD - list conditional access policies (PowerShell)

# Connect and list Conditional Access policies (AzureAD module; the Microsoft Graph PowerShell equivalent is Get-MgIdentityConditionalAccessPolicy)
Connect-AzureAD
Get-AzureADMSConditionalAccessPolicy | Select-Object DisplayName, State, Conditions, GrantControls

Microsoft 365 - find successful sign-ins for legacy auth review (unified audit log via Exchange Online PowerShell)

# Requires the ExchangeOnlineManagement module. Search-UnifiedAuditLog returns the event details
# as JSON in the AuditData property, so ResultStatus, ClientIP and the user agent must be parsed out of it
Connect-ExchangeOnline -UserPrincipalName admin@tenant.com
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -RecordType AzureActiveDirectoryStsLogon -Operations UserLoggedIn -ResultSize 5000 |
 ForEach-Object { $_.AuditData | ConvertFrom-Json } |
 Where-Object { $_.ResultStatus -eq 'Success' -and $_.ClientIP } |
 Select-Object CreationTime, UserId, ClientIP, @{n='UserAgent'; e={ ($_.ExtendedProperties | Where-Object Name -eq 'UserAgent').Value }}

Google Workspace - list 2-step enrollment status (Admin SDK via gam)

# Using GAM (admin tool): isEnrolledIn2Sv shows whether the user has registered 2-Step Verification, isEnforcedIn2Sv whether policy requires it
gam print users query "isSuspended=false" fields primaryEmail,isEnrolledIn2Sv,isEnforcedIn2Sv

Evidence export - sample SIEM forwarding check (Linux syslog example)

# Check rsyslog forwarding: legacy "@@host:port" (TCP) / "@host:port" (UDP) targets or omfwd actions
sudo grep -rE '(@@?[A-Za-z0-9._:-]+|omfwd)' /etc/rsyslog.conf /etc/rsyslog.d/
# Validate the service is running and that a TCP session to the collector is actually established
sudo systemctl status rsyslog
sudo ss -tnp | grep rsyslogd

Nursing home scenario - practical example

Problem

  • A medium-sized nursing home has 80 staff and uses a hosted EHR plus Google Workspace for email. Staff share generic shift accounts for medication administration logging. An external vendor has remote access tied to a single shared admin account.

What we found

  • Shared shift accounts used the same password across 12 tablets.
  • Vendor account had access without MFA and used legacy SMTP to send reports.
  • No streaming of authentication logs to an external MDR; logs retained locally for 14 days.

Remediation plan applied

  1. Remove shared accounts. Replace with individual accounts for staff tied to role-based access in the EHR. This reduced exposure and improved audit trails.
  2. Require vendor to register hardware security keys and enforce Conditional Access for their IP ranges. Vendor MFA adoption took two weeks and required a short exception for legacy equipment which was replaced within 45 days.
  3. Forward authentication logs to MDR and set an alert for impossible travel and repeated failed MFA attempts. SLA: alert acknowledgement within 15 minutes and initial investigation within 2 hours.

Outcome after 90 days

  • Credential exposure events reduced - the observed phishing-simulator click rate fell from 18% to 6% across staff.
  • Time to detect suspicious sign-in dropped from median 48 hours to under 4 hours because of MDR alerts and monitored authentication telemetry.
  • Operational downtime due to account incidents dropped to zero in the month following remediation because break-glass procedures were clarified and staff retrained.

Common objections and responses

“MFA will slow our staff and break workflows” - Response

Use risk-based or conditional access to avoid unnecessary MFA prompts for low-risk, on-prem devices. Prioritize phishing-resistant methods for admins and vendors. Expect a small time cost during initial registration - typically 5-10 minutes per user - with large reduction in incident risk.

“We cannot replace legacy systems quickly” - Response

Implement exception controls: isolate legacy systems to a segmented network, use tenant-level policies to require app passwords only for specific source IPs, and schedule replacement within a defined window - recommended 30-90 days.

“We do not have budget for hardware tokens” - Response

Start by enforcing phishing-resistant MFA only for high-risk accounts and use platform authenticators or mobile passkeys for general staff. Evaluate token procurement for admins and vendor users where risk justifies the spend.

Proof points and expected outcomes

Quantified expectations you can include in a board or vendor report:

  • Risk reduction: blocking legacy auth and enforcing phishing-resistant MFA on admins and vendors can reduce credential-based compromise attempts by 70-90% in the first 30-90 days.
  • Time savings: automating detection to MDR alerting reduces median investigation start time from days to under 4 hours when properly instrumented.
  • Compliance wins: documented MFA enforcement and audit logs close common audit findings for HIPAA access control requirements and reduce regulatory exposure.

Evidence mapping

  • Claim: MFA reduces credential-based breach success - Source: industry incident response studies in references.
  • Claim: Legacy protocol blocking reduces bypass risk - Source: platform vendor guidance and hardening guides.

References

(These are source pages with specific guidance on authentication, MFA, legacy protocol risks, and recommended mitigations.)

Get your free security assessment

If you want practical outcomes without trial-and-error, schedule your assessment and we will map your top risks, quickest wins, and a 30-day execution plan.

Next step recommendation

If you need focused help: run this worksheet as a 1 to 2 day rapid assessment with a prioritized remediation plan. If you lack in-house capacity to implement the controls, engage an MSSP or MDR provider to execute the remediation and maintain monitoring. CyberReplay provides managed identity hardening and incident-ready monitoring that can convert the audit results into a prioritized, SLA-backed remediation plan. See CyberReplay’s Cybersecurity Services and our Managed Security Service Provider page for engagement options.

Suggested immediate action

  • Assign an owner and run Step 1 and Step 2 from this worksheet this week. Record evidence and flag any account with missing MFA or legacy auth within 48 hours.

Contact framing for vendors and procurement

  • Ask any vendor with privileged access for documented MFA posture and SSO integration support. Require registration of vendor users with phishing-resistant methods as a condition of remote access.

What to measure after running the worksheet

  • Percent of privileged accounts using phishing-resistant MFA (target 100%)
  • Number of legacy auth successes per 30 days (target 0 or documented exceptions)
  • Mean time to acknowledge identity alerts (target < 15 minutes)
  • Reduction in successful simulated phishing clicks (target > 50% reduction in 90 days)

What to deliver to auditors

  • Inventory spreadsheet of privileged accounts, service accounts, and exceptions with owner and expiry dates.
  • MFA enforcement report and Conditional Access policy screenshots or exports.
  • SIEM/MDR forwarding confirmation and alert SLA documentation.

What we did not cover

  • Full privileged access management implementation details for complex environments.
  • Deep-dive on certificate lifecycle management; consider this for large estates.

Schema and reporting snippet

Include this sample JSON for a simple audit report entry. Use your reporting format or import into a ticketing system.

{
  "account": "vendor-admin@client.org",
  "role": "third-party admin",
  "mfa_status": "none",
  "legacy_auth_found": true,
  "remediation_owner": "it-manager@client.org",
  "remediation_due": "2026-05-15"
}
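
The entry above scored against the Step 2, Step 3 and Step 6 pass criteria, producing the "What to measure" metrics and the 30/90-day due dates. This is an added example, not CyberReplay's reporting tooling: the first row is the page's sample entry, the other rows, the method and role sets and the due-date rule are assumptions.

```python
"""Score worksheet inventory rows against the Step 2, 3 and 6 pass criteria.
Added example, not CyberReplay's tooling: the extra rows, the method and
role sets and the 30/90-day due-date rule are assumptions."""
from datetime import date, timedelta

PHISHING_RESISTANT = {"fido2", "hardware_token", "certificate"}
HIGH_RISK_ROLES = {"admin", "third-party admin", "service principal"}


def assess(records, today):
    """Return (summary, rows). Each input needs account, role, mfa_status
    ("none" or a method name) and legacy_auth_found; today is an ISO date."""
    start = date.fromisoformat(today)
    rows = []
    for r in records:
        high = r["role"] in HIGH_RISK_ROLES
        findings = []
        if high and r["mfa_status"] not in PHISHING_RESISTANT:
            findings.append("privileged account without phishing-resistant MFA")
        elif r["mfa_status"] == "none":
            findings.append("no MFA registered")
        if r["legacy_auth_found"]:
            findings.append("legacy authentication observed")
        due = start + timedelta(days=30 if high else 90)  # Step 6 pass criteria
        rows.append({**r, "findings": findings,
                     "remediation_due": due.isoformat() if findings else None})
    high_rows = [r for r in rows if r["role"] in HIGH_RISK_ROLES]
    resistant = [r for r in high_rows if r["mfa_status"] in PHISHING_RESISTANT]
    legacy = [r for r in rows if r["legacy_auth_found"]]
    summary = {
        "privileged_phishing_resistant_pct": round(100 * len(resistant) / len(high_rows), 1) if high_rows else 100.0,
        "legacy_auth_accounts": len(legacy),
        "step2_pass": len(resistant) == len(high_rows),
        "step3_pass": not legacy,
        "open_findings": sum(len(r["findings"]) for r in rows),
    }
    return summary, rows


# Constructed inventory: the page's sample entry plus three assumed rows.
SAMPLE = [
    {"account": "vendor-admin@client.org", "role": "third-party admin", "mfa_status": "none",
     "legacy_auth_found": True, "remediation_owner": "it-manager@client.org"},
    {"account": "ehr-integration@client.org", "role": "service principal", "mfa_status": "certificate",
     "legacy_auth_found": False, "remediation_owner": "it-manager@client.org"},
    {"account": "it-admin@client.org", "role": "admin", "mfa_status": "fido2",
     "legacy_auth_found": False, "remediation_owner": "it-manager@client.org"},
    {"account": "nurse.a@client.org", "role": "staff", "mfa_status": "push",
     "legacy_auth_found": False, "remediation_owner": "it-manager@client.org"},
]
```

Run with the audit date as `today`; the summary dict is the board-report metric set and each row with a non-empty `findings` list is a ticket to open.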

Closing

Identity and MFA hardening is one of the highest-leverage investments a small healthcare operator or nursing home can make. Use this worksheet to get auditable evidence quickly, fix the highest-risk gaps first, and bring in managed detection if you need continuous monitoring and fast incident response.


Common mistakes

Many teams attempt identity and MFA hardening but repeat common mistakes that slow progress and leave residual risk. Watch for:

  • Treating MFA as a checkbox rather than enforcing phishing-resistant methods for high-risk accounts. The identity and mfa hardening audit worksheet must prioritize admins, vendors, and service principals first.
  • Leaving legacy protocols enabled while blocking modern clients globally. Exceptions without expiry become permanent attack vectors.
  • Using SMS or simple push notifications as the primary protection for privileged users.
  • Not streaming authentication logs to an MDR or SIEM with adequate retention for investigations.
  • Failing to rotate or isolate break-glass credentials and not alerting on their use.

Address these mistakes early in the remediation plan to avoid repetitive findings and audit gaps.

FAQ: quick questions

What immediate wins can we expect from the identity and mfa hardening audit worksheet?

You should see a rapid reduction in exploitable authentication paths: disabling legacy auth and enforcing phishing-resistant MFA for admins and vendors typically cuts automated credential attacks by 70 to 90 percent within 30 to 90 days. Expect faster detection when authentication telemetry is forwarded to MDR or SIEM.

Which MFA methods are considered phishing-resistant?

Phishing-resistant methods include FIDO2/WebAuthn security keys, hardware tokens using secure challenge-response, and certificate-based authentication. Platform passkeys that implement FIDO2 are also phishing-resistant when deployed correctly.

How should we handle legacy systems that cannot support modern MFA?

Use isolation - network segmentation, conditional access limited to known IPs, time-limited exceptions, and service principals or managed identities with certificate-based auth where possible. Log and review every exception and set short expiry dates.

What evidence should we deliver to auditors after the audit?

Provide an inventory spreadsheet of privileged accounts and exceptions, MFA enforcement reports or policy exports, Conditional Access policy screenshots or exports, and SIEM/MDR forwarding confirmation with retention and alert SLA documentation.

How long does it take to see measurable improvement?

Basic hardening of high-risk accounts and blocking of legacy auth can be done in 30 days. Full remediation for all service accounts and organization-wide MFA coverage often takes 60 to 90 days depending on complexity.