Client Credential Management Workflow for MSPs
How to collect, store, rotate, and audit client credentials without creating a security liability. Covers vault selection, access controls, rotation schedules, and offboarding procedures.
Workflow guide · Updated Feb 2026
Contents
- 1. Credentials Are the Highest-Risk Documentation Category
- 2. Collect credentials during onboarding using a structured intake
- 3. Store in a purpose-built vault with access controls
- 4. Define and enforce rotation schedules
- 5. Audit access logs and credential hygiene regularly
- 6. Handle offboarding and staff departures
- 7. Shared credentials are a liability
- 8. Enable MFA on everything you can
- 9. How should MSPs handle client credentials received via email?
- 10. Should MSPs use a separate password manager or the documentation platform's vault?
- 11. What should MSPs do about legacy credentials inherited from a previous provider?
Credentials Are the Highest-Risk Documentation Category
Collect credentials during onboarding using a structured intake
Use a standardized credential intake form during client onboarding. For each system, collect: the credential type (local admin, domain admin, service account, API key), the username or account identifier, the access method (RDP, SSH, web portal, VPN), who needs access and at what level, and the current rotation status. Never accept credentials via email or chat. Use your vault's secure sharing feature or a one-time secret tool. If a client sends credentials in email, rotate them immediately and explain why.
Store in a purpose-built vault with access controls
Credentials belong in a vault with role-based access controls, full audit logging, and encryption at rest. IT Glue, Hudu, and N-able Passportal all provide this functionality as part of their documentation platforms. Configure access so that technicians can only see credentials for clients they're assigned to. Implement "checkout" workflows for high-privilege credentials (domain admin, firewall admin) that log who accessed what and when. Store emergency access credentials in a separate, sealed section that triggers alerts when accessed.
Define and enforce rotation schedules
Not all credentials need the same rotation frequency. High-privilege credentials (domain admin, firewall admin, cloud tenant admin) should rotate quarterly at minimum and immediately after any staff change. Service accounts should rotate annually unless they're tied to a compliance framework that requires more frequent rotation. Standard user credentials follow the client's password policy. Automate rotation where possible. Some vault platforms (notably Passportal) support automated rotation for Active Directory accounts, though most MSP documentation platforms handle credential storage and auditing rather than automated rotation. For credentials that can't be automated, schedule rotation as recurring PSA tickets with assigned owners.
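As an added example (not code from this guide or from any of the named platforms), the rotation rules above expressed as a small scheduler: it works out which credentials are due from a constructed vault export and emits PSA ticket stubs for the ones the vault cannot rotate on its own. The record fields, the 180-day client policy and the placeholder owner address are assumptions.

```python
from datetime import date, timedelta

PRIVILEGED = {"domain_admin", "firewall_admin", "cloud_admin"}
# Intervals from the guide: quarterly for high-privilege, annual for service accounts.
INTERVALS = {**{t: 90 for t in PRIVILEGED}, "service_account": 365}
# Standard user credentials follow each client's own password policy (assumed 180 days here).
CLIENT_POLICY_DAYS = {"acme": 180}

# Constructed vault export; "auto_rotate" marks credentials the vault can rotate itself.
CREDENTIALS = [
    {"id": "acme-dc01-da", "client": "acme", "type": "domain_admin",
     "last_rotated": date(2025, 9, 1), "auto_rotate": True},
    {"id": "acme-fw-admin", "client": "acme", "type": "firewall_admin",
     "last_rotated": date(2025, 12, 15), "auto_rotate": False},
    {"id": "acme-svc-backup", "client": "acme", "type": "service_account",
     "last_rotated": date(2024, 11, 1), "auto_rotate": False},
    {"id": "acme-user-jdoe", "client": "acme", "type": "standard_user",
     "last_rotated": date(2025, 10, 1), "auto_rotate": False},
]

def rotation_interval(cred):
    if cred["type"] == "standard_user":
        return CLIENT_POLICY_DAYS[cred["client"]]
    return INTERVALS[cred["type"]]

def rotation_due(creds, today, staff_change=False):
    """Ids due now: the interval has elapsed, or the credential is high-privilege
    and a staff change just happened (the guide's immediate-rotation trigger)."""
    due = []
    for c in creds:
        deadline = c["last_rotated"] + timedelta(days=rotation_interval(c))
        if today >= deadline or (staff_change and c["type"] in PRIVILEGED):
            due.append(c["id"])
    return due

def rotation_tickets(creds, today, staff_change=False):
    """PSA ticket stubs for due credentials the vault cannot rotate on its own."""
    by_id = {c["id"]: c for c in creds}
    return [
        {"title": f"Rotate {cid} ({by_id[cid]['type']})",
         "client": by_id[cid]["client"],
         "owner": "credential-owner@msp.example"}  # hypothetical placeholder assignee
        for cid in rotation_due(creds, today, staff_change)
        if not by_id[cid]["auto_rotate"]
    ]

if __name__ == "__main__":
    for t in rotation_tickets(CREDENTIALS, date(2026, 2, 1), staff_change=True):
        print(t["title"], "->", t["owner"])
```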
Audit access logs and credential hygiene regularly
Review credential access logs monthly for anomalies: credentials accessed outside of ticket context, bulk credential access, or access by users who are no longer assigned to that client. These patterns may indicate a security concern or a process gap. Quarterly, audit credential completeness: are all client systems represented in the vault? Are there stale credentials that haven't been used or rotated within the defined interval? Are there orphaned credentials for decommissioned systems?
Handle offboarding and staff departures
When a technician leaves the MSP, rotate every credential they had access to. This is non-negotiable. A departing employee who retains access to client credentials is a compliance violation and a security risk. When a client offboards, revoke all MSP access to their systems, rotate any shared credentials, and document the access revocation. Keep an offboarding log that proves when access was removed, in case questions arise later.
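To make the monthly review in "Audit access logs and credential hygiene regularly" and the departure step in this section concrete, here is an added example (not from the page or from any vault vendor) that runs the three anomaly checks over a constructed vault access log and derives the full rotation set for a departing technician. The log format, the ASSIGNMENTS table and the bulk-access thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed vault access log: time, technician, client, credential id, ticket ref ("-" = none).
ACCESS_LOG = """\
2026-01-12T09:02:00 alice acme acme-dc01-da T-1001
2026-01-12T09:05:00 alice acme acme-fw-admin T-1001
2026-01-13T14:10:00 bob beta beta-fw-admin -
2026-01-14T22:01:00 carol acme acme-dc01-da T-1020
2026-01-15T03:00:00 dave beta beta-svc-backup -
2026-01-15T03:00:05 dave beta beta-fw-admin -
2026-01-15T03:00:09 dave beta beta-dc01-da -
2026-01-15T03:00:12 dave beta beta-vpn-admin -
"""
# Current client assignments (assumed); carol was removed from acme before this review.
ASSIGNMENTS = {"alice": {"acme"}, "bob": {"beta"}, "dave": {"beta"}}
BULK_THRESHOLD, BULK_WINDOW = 3, timedelta(minutes=5)

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, user, client, cred, ticket = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "user": user, "client": client,
                     "cred": cred, "ticket": None if ticket == "-" else ticket})
    return rows

def find_anomalies(rows):
    """Flags the three patterns the monthly review looks for: access with no
    ticket context, access by a user no longer assigned to the client, and
    bulk retrieval of several distinct credentials within a short window."""
    findings, by_user = [], defaultdict(list)
    for r in rows:
        if r["ticket"] is None:
            findings.append(("no_ticket", r["user"], r["cred"]))
        if r["client"] not in ASSIGNMENTS.get(r["user"], set()):
            findings.append(("unassigned_user", r["user"], r["cred"]))
        by_user[r["user"]].append(r)
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, e in enumerate(events):
            window = [x for x in events[i:] if x["ts"] - e["ts"] <= BULK_WINDOW]
            if len({x["cred"] for x in window}) >= BULK_THRESHOLD:
                findings.append(("bulk_access", user, len(window)))
                break  # one finding per user is enough for the review queue
    return findings

def offboarding_rotation_set(rows, departed_user):
    """Every credential the departing technician ever retrieved must be rotated."""
    return sorted({r["cred"] for r in rows if r["user"] == departed_user})
```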
Shared credentials are a liability
Generic credentials shared across the team ("the firewall password") cannot be audited individually and cannot be rotated without coordinating with everyone who uses them. Eliminate shared credentials wherever possible. Each technician should have individual accounts for client systems, or at minimum, use a vault that logs which individual checked out the shared credential.
Enable MFA on everything you can
Multi-factor authentication on client systems reduces the blast radius of a compromised credential. Push for MFA on all remote access paths (VPN, RDP gateways, cloud admin portals), all MSP tools (RMM, PSA, documentation platform), and all client admin accounts. The credential itself becomes less valuable when it can't be used without the second factor.
How should MSPs handle client credentials received via email?
Rotate the credential immediately. Then explain to the client why emailed credentials are a security risk (they persist in email archives, can be forwarded, and are visible to anyone with mailbox access). Set up a secure sharing method for future credential exchanges: your vault's share feature, a one-time secret tool, or an encrypted channel.
Should MSPs use a separate password manager or the documentation platform's vault?
Using your documentation platform's built-in vault (IT Glue, Hudu, Passportal) is usually preferable because it keeps credentials linked to client records, devices, and SOPs in one place. A separate password manager (like 1Password or Keeper) adds a disconnected silo that requires manual cross-referencing. The exception is if your documentation platform's vault lacks essential features like audit logging or granular access controls.
What should MSPs do about legacy credentials inherited from a previous provider?
Treat inherited credentials as compromised until proven otherwise. Rotate all admin-level credentials within the first 48 hours of taking over a client. Validate that no unauthorized accounts exist (check Active Directory for unknown admin accounts, check cloud portals for unrecognized global admins). Document everything you find and everything you change.