In the threat modelling methodology I use, I ask teams to capture the authentication and authorization methods that the different parts of their system implement (for those bits in-scope). This ask, as it turns out, has been something that teams have really struggled with. It seems to be a combination of not always having the difference between authn and authz very clear in their minds, and the fact that sometimes the difference is indeed not very clear at all anyway! (IP allow-lists are a good example - authn or authz? Or does it depend?)
In an effort to at least bring some consistency in how the teams I work with capture authn and authz, I created some Examples and some Guidance to help them, which I thought I would share, in case it helps others as well.
If you know of any authn/z guidance, examples or docs that might help others, please do share.