TL;DR: Ad-hoc access requests by email or verbal request are one of the most common sources of access control failures in SMBs - people end up with access they should not have, and there is no record of why it was granted or when it should be removed. This form template creates a simple, consistent process for requesting, approving, and tracking all IT access changes.
Why Access Management Matters
The principle of least privilege - giving users only the access they need for their role, nothing more - is a foundational security control. It limits the blast radius of a compromised account and reduces the risk of accidental or intentional data access.
Most SMBs understand this in principle but fail to implement it consistently because they have no process. Access is granted by email (“hey, can you give me access to X?”), verbal request, or because someone once had access to something and their permissions were never reviewed. Over time, the cumulative effect is an environment where:
- Former staff retain access to systems after they leave (either because no one noticed or because there was no formal process to revoke it)
- Staff have access to data that is not relevant to their role
- There is no audit trail of who approved what access, or when
- Temporary access granted for a specific project becomes permanent by default
A simple access request form - and the process around it - prevents all of these problems.
Form Template: Standard IT Access Request
Copy, customise, and add to your intranet, SharePoint, or HR system.
IT ACCESS REQUEST FORM
Date of request: _______________
Section A: Requester Details
| Field | Response |
|---|---|
| Requester name | |
| Requester role | |
| Requester email | |
| Requester manager |
Section B: Access Required
| Field | Response |
|---|---|
| Person requiring access | |
| Their role/title | |
| Their employment status | Full-time / Part-time / Contractor / Consultant / Vendor |
| Start date (if new) | |
| End date (if temporary) | Ongoing / Date: _______________ |
Access requested:
| System/Application | Access Level Required | Business Justification |
|---|---|---|
| Read / Write / Admin | ||
| Read / Write / Admin | ||
| Read / Write / Admin | ||
| Read / Write / Admin |
Additional details (file shares, SharePoint sites, distribution lists, etc.):
Section C: Type of Access Request
Select all that apply:
- New user account creation
- Access to existing system (user already has account)
- Elevated permissions (admin or privileged access)
- Guest or external access (non-employee)
- Temporary access (specific end date)
- Modification to existing access
- Access removal
Section D: Justification
Why does this person need this access? What business activity requires it?
Is this access temporary? Yes / No
If yes, when should access be removed? _______________
Who is responsible for notifying IT when temporary access should be revoked? _______________
Section E: Manager Approval
I confirm that this access request is appropriate for the person’s role and business need.
| Field | Response |
|---|---|
| Manager name | |
| Manager signature | |
| Date approved |
For elevated/admin access, a second approval is required:
| Field | Response |
|---|---|
| Second approver name | |
| Second approver role | |
| Date approved |
Section F: IT Processing (Completed by IT)
| Action | Date Completed | Completed by |
|---|---|---|
| User account created | ||
| Access granted | ||
| Confirmation sent to requester | ||
| Temporary access end date set in calendar | ||
| Access added to asset register/access log |
Form Template: Privileged/Admin Access Request
Elevated access requests (local admin, application admin, Global Admin, Finance system admin) require additional justification and approval.
PRIVILEGED ACCESS REQUEST FORM
Date: _______________
User Requesting Elevated Access:
Name: _______________ Role: _______________ Manager: _______________
Elevated Access Required:
| System | Current Access | Requested Access | Duration |
|---|---|---|---|
| Ongoing / Temporary until: | |||
Justification:
Describe specifically why this elevated access is required and what tasks it will be used for. Elevated access must be justified by specific operational need.
Have standard access options been considered and found insufficient? Yes / No
If yes, explain why standard access is insufficient:
Security acknowledgement (to be signed by the user):
I understand that elevated access grants capabilities beyond those required for my standard role. I agree to:
- Use elevated access only for the specific purposes stated in this request
- Not share elevated credentials with others
- Report any suspected misuse or compromise of elevated access immediately
- Accept that my use of elevated access may be logged and audited
Signature: _______________ Date: _______________
Approvals (two required for elevated access):
Manager approval: _______________ Date: _______________ IT Lead or Director approval: _______________ Date: _______________
Form Template: Access Removal Request
IT ACCESS REMOVAL REQUEST
Date: _______________
User whose access is being removed:
Name: _______________ Role: _______________ Last working day: _______________ Reason for removal: Resignation / Termination / Role change / Engagement ended / Other: _______________
Access to be removed:
- All Microsoft 365 access (suspend account, revoke sessions)
- All business application access
- Physical access (building key cards, alarm codes)
- Remote access (VPN, RDP)
- Specific systems only (list below):
Data handling:
- Mailbox to be converted to shared mailbox - grant access to: _______________
- OneDrive access to be granted to manager for handover - duration: _______________
- Mailbox / OneDrive to be deleted after: _____ days
- Retain data only - no access granted
Device return:
- Company device to be returned - expected return date: _______________
- Device is personal (BYOD) - selective wipe to be initiated
Requested by:
Name: _______________ Role: _______________ Date: _______________
Completed by IT:
Account suspended: _______________ Sessions revoked: _______________ Application access removed: _______________ Device wiped/returned: _______________
Using the Forms: Process Guidelines
For Requesters
- Submit the access request form a minimum of 2 business days before access is needed (5 business days for new user accounts)
- Ensure manager approval is obtained before submitting to IT
- For temporary access, set a reminder to submit a removal request when the access period ends - do not rely on IT to track this automatically
For Approvers
- Approve only the minimum access necessary for the stated business need
- Do not approve access that will remain permanently active when the need is temporary
- For elevated access: apply extra scrutiny. Elevated access is a significant security risk and should be genuinely necessary.
For IT
- Process access requests within 1 business day (standard) or 4 hours (urgent, with manager escalation)
- Record all access granted in the access log
- Set calendar reminders for all temporary access end dates
- Confirm access removal requests are completed and documented within 4 hours of the user’s last working day
Implementing This in Microsoft 365
If you use Microsoft 365, you can implement this process without a separate tool:
Microsoft Forms: Create a digital version of this form using Microsoft Forms. Responses automatically populate an Excel spreadsheet that becomes your access log.
Power Automate: Build a flow that sends the form to the approver when submitted, records approval in the spreadsheet, and sends a task to IT when approved.
SharePoint: Store the access log on SharePoint so it is accessible to both IT and management.
This creates a complete digital audit trail - request, approval, and completion - with zero additional software cost if you are on Microsoft 365 Business Premium.
See Microsoft 365 Hidden Features Guide for details on Microsoft Forms and Power Automate.
For related resources:
