Disabling and Locking User Accounts Screenshot Guide

Last updated on Sep 25, 2025

1. Purpose of this Guide

This artefact proves your company has the ability to promptly disable or lock user accounts when employees leave, change roles, or when suspicious activity is detected. Cyber compliance requires this because dormant or uncontrolled accounts are golden keys for attackers. Showing you can lock or disable them demonstrates proper account lifecycle management.


2. What You Will Submit

You will need:

  • A screenshot from your user management system showing an account being disabled or locked.

  • The screenshot must clearly show:

    • The account identifier (e.g. email or username).

    • Its status (Disabled, Locked, Inactive).

    • Timestamp or context of the action.


3. How to Collect / Obtain / Generate This Evidence

Microsoft 365 / Azure AD (Entra):

  1. Open Microsoft Entra Admin Center → Users.

  2. Select a user account.

  3. Under Account, show the toggle for Block sign-in = Yes.

  4. Screenshot this view.

Google Workspace (Admin Console):

  1. Log in to Google Admin Console → Directory → Users.

  2. Select a user account.

  3. Click Suspend User.

  4. Screenshot the suspended status.

AWS Console (IAM):

  1. Open IAM → Users.

  2. Select the user account.

  3. Remove or deactivate login credentials (passwords, access keys).

  4. Screenshot the view showing the account marked inactive.

Okta / Identity Providers:

  1. Log into your IdP admin console.

  2. Select a user profile.

  3. Use the Deactivate / Suspend function.

  4. Screenshot the confirmation.

Other SaaS tools (Atlassian, GitHub, GitLab, etc.):

  • Open user management.

  • Select a user and mark them disabled or inactive.

  • Screenshot the result.


4. Evidence Format

  • Accepted file types: PNG, JPG, PDF.

  • Suggested naming format:
    YourCompanyName_DisabledUserAccount_YYYY-MM-DD.png
    Example: AcmeCorp_DisabledUserAccount_2025-07-01.png


5. What “Good” Looks Like

  • Screenshot shows a real account marked disabled/inactive.

  • Status clearly visible (e.g. “Blocked,” “Suspended”).

  • Context shows it’s from an actual system (Microsoft, Google, AWS, etc.).

  • Ideally from a recent action, not years old.

Why it matters: auditors want proof you can shut off access quickly and effectively — a vital safeguard when staff leave or if there’s a breach.


6. Tips

  • If you have no user accounts that were locked, that's fine. You just need to explain to the auditor that there were no accounts that met the criteria to be disabled or locked out.

  • Redact personal details (names, emails) before uploading.

  • Show at least one disabled account — auditors don’t need every single record.

  • Link this with your Account Inventory List to prove lifecycle management is consistent.