How to enforce least privilege on all platforms?

TL;DR

Detect and reduce excessive access across platforms

Enforcing least privilege access means identifying which users and roles have more permissions than they actually use, and reducing them. Focus first on unused access, roles with admin-level rights, and permission sets that allow privilege escalation.

With Sola, you can build a security app to surface these insights immediately across platforms like AWS, Microsoft Entra ID, Okta, and others – all without digging through policy files or stitching reports from multiple tools.

How to implement least privilege access

1. Map out existing privileges

Start by listing all users, roles, and service accounts with elevated or administrator permissions. Look at how those permissions are assigned, either directly, through groups, or via policies, and whether they’re actually being used.

For example: in AWS, scan for IAM users and roles with the AdministratorAccess policy attached. In Entra ID, check who is assigned the Global Administrator or Privileged Role Administrator role. In Okta, look for SUPER_ADMIN assignments or users with multiple admin roles.

Sola helps you generate this view automatically with queries across platforms, so you’re not manually combing through each provider’s console.

2. Remove what’s not being used

If a permission hasn’t been used in the past 90 days, it’s likely not needed. Target those first, as it’s low effort and provides immediate reward. Whether it’s an old contractor’s role in Okta or a service account in AWS that hasn’t touched anything in months, cutting unused access is a clean first step.

3. Spot and fix risky over-permissioning

Check for users with an unusually high number of permissions or roles. These accounts often have excessive reach, especially if they span environments (for example, the same user is an admin in Okta and Azure). In addition, flag users who can grant or modify access, as they present a privilege escalation risk.

4. Track changes over time

Even if your current permissions are clean, drift happens. Monitor new role assignments, changes to high-privilege users, and growing permission footprints. Regular reviews help ensure the least privilege model holds.
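The four steps above, run over a constructed inventory of role assignments, as an added example (not Sola's code or output). The record layout, the `can_grant_access` flag, the sample identities and the function names are assumptions; the admin role names and the 90-day threshold come from the text.

```python
from datetime import date

# Admin-level role names taken from the examples in step 1.
ADMIN_ROLES = {
    "aws": {"AdministratorAccess"},
    "entra": {"Global Administrator", "Privileged Role Administrator"},
    "okta": {"SUPER_ADMIN"},
}
UNUSED_AFTER_DAYS = 90  # threshold from step 2

# Constructed sample inventory (not real data), one row per role assignment:
# (identity, platform, role, last_used or None if never used, can_grant_access)
ASSIGNMENTS = [
    ("alice@example.com", "okta", "SUPER_ADMIN", date(2024, 5, 28), True),
    ("alice@example.com", "entra", "Global Administrator", date(2024, 5, 30), True),
    ("bob@example.com", "aws", "AdministratorAccess", date(2023, 11, 2), True),
    ("svc-backup", "aws", "AmazonS3ReadOnlyAccess", None, False),
    ("carol@example.com", "okta", "HELP_DESK_ADMIN", date(2024, 5, 20), False),
]

def review(assignments, today):
    """Steps 1-3: return {identity: sorted findings}; clean identities are omitted."""
    findings, admin_platforms = {}, {}
    for who, platform, role, last_used, can_grant in assignments:
        if role in ADMIN_ROLES.get(platform, set()):  # step 1: admin-level access
            findings.setdefault(who, set()).add(f"admin:{platform}:{role}")
            admin_platforms.setdefault(who, set()).add(platform)
        if last_used is None or (today - last_used).days > UNUSED_AFTER_DAYS:
            findings.setdefault(who, set()).add(f"unused:{platform}:{role}")  # step 2
        if can_grant:  # step 3: can grant or modify access
            findings.setdefault(who, set()).add(f"can-grant-access:{platform}")
    for who, platforms in admin_platforms.items():  # step 3: admin in several platforms
        if len(platforms) > 1:
            tag = "cross-platform-admin:" + ",".join(sorted(platforms))
            findings.setdefault(who, set()).add(tag)
    return {who: sorted(msgs) for who, msgs in findings.items()}

def drift(previous, current):
    """Step 4: findings present in the current review but not the previous one."""
    new = {w: sorted(set(m) - set(previous.get(w, []))) for w, m in current.items()}
    return {w: m for w, m in new.items() if m}

if __name__ == "__main__":
    for who, msgs in review(ASSIGNMENTS, today=date(2024, 6, 1)).items():
        print(who, msgs)
```

Feeding `review` from real exports means mapping each provider's last-used and role-assignment data into the tuple layout first; that mapping is outside this sketch.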

Build your least privilege app with Sola

Sola gives you full visibility into privileged access across platforms. You can build your own app with Sola’s AI assistant, or use the Sola App Gallery to download the multi-platform access control app. Either method helps answer questions such as:

  • Who has admin-level access?
  • Which permissions haven’t been used?
  • Where are the privilege escalation paths?

It’s fast to set up, easy to use, and built to adapt to your tech stack.
