Each user in an IT ecosystem — including both employees and third parties like consultants, trainers, auditors and contractors — needs to be provisioned access to the data and systems they need to do their job. In most cases, these IT resources involve sensitive information and applications such as email, customer databases, and ERP or CRM systems.
Accordingly, when someone leaves the organization, it is essential to promptly deprovision their account, so that neither the former employee nor an adversary who compromises the account can access the organization's IT resources. This article details the steps you need to take to manually deprovision users in Active Directory (AD), Entra ID (formerly Azure AD) and Microsoft 365. Then it explains the benefits of automated deprovisioning and describes a software solution that automates not just deprovisioning but the whole user lifecycle.
How to Deprovision Accounts in AD, Entra ID and Microsoft 365
Deprovisioning Users in Active Directory
Deprovisioning in Active Directory typically involves some or all of the following steps:
- Disable the user’s Active Directory account.
- Remove the user account from all groups.
- Move the account to a designated OU for disabled users.
- Delete the user account.
The most efficient way to accomplish these steps is to use PowerShell. Here are scripts you can use.
Disable an AD User Account
Disable-ADAccount -Identity "sAMAccountName of the user"
Remove a User Account from All Groups
#import the Active Directory module if not already loaded
$module = Get-Module | Where-Object { $_.Name -eq 'ActiveDirectory' }
if ($module -eq $null) {
    Write-Host "Loading Active Directory PowerShell Module"
    Import-Module ActiveDirectory -ErrorAction Stop
}
$employeeSAN = Read-Host "Enter employee login/alias/SamAccountName "
$adServer = "adserver.yourcompany.com"
try {
    # -ErrorAction Stop makes a missing user land in the catch block below
    Get-ADUser -Identity $employeeSAN -Server $adServer -ErrorAction Stop | Out-Null
    # if that did not throw, this person exists, so you can continue
    # Domain Users is the primary group and cannot be removed, so it is filtered out
    $ADgroups = Get-ADPrincipalGroupMembership -Identity $employeeSAN -Server $adServer |
                Where-Object { $_.Name -ne "Domain Users" }
    if ($ADgroups -ne $null) {
        Remove-ADPrincipalGroupMembership -Identity $employeeSAN -MemberOf $ADgroups -Server $adServer -Confirm:$false
    }
} #end try
catch {
    Write-Host "$employeeSAN is not in AD or could not be processed: $($_.Exception.Message)"
}
Move a User Account to a Specific OU
# Move-ADObject identifies the object by distinguished name or GUID, not by sAMAccountName,
# so either pass the user's DN to -Identity or pipe the user object in:
Get-ADUser -Identity "sAMAccountName of the user" | Move-ADObject -TargetPath "distinguishedName of the target OU"
Delete a User Account
Remove-ADUser -Identity "sAMAccountName of the user"
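The four AD steps above are usually run together for one leaver. The script below is an added example (not code from the original article) that chains them with two additions a practitioner wants: a reset to a random password, because disabling an account does not close sessions that already exist or invalidate cached credentials, and a record of the group memberships before they are stripped, since auditors or a rehire will ask for them. The domain controller name, the disabled-users OU and the log path are hypothetical; replace them with your own.

```powershell
# Added example: end-to-end AD deprovisioning of one user (not from the original article).
# Assumptions: the ActiveDirectory module is installed, the account running this has rights
# on the user and its groups, and the OU and server names below (hypothetical) exist.
param(
    [Parameter(Mandatory)] [string]$SamAccountName,
    [string]$DisabledOU = "OU=Disabled Users,DC=corp,DC=example",   # hypothetical DN
    [string]$Server     = "dc01.corp.example",                       # hypothetical DC
    [string]$LogPath    = "C:\Offboarding\$SamAccountName-$(Get-Date -Format yyyyMMdd).txt"
)

Import-Module ActiveDirectory -ErrorAction Stop

# Fail early if the user does not exist; -ErrorAction Stop turns "not found" into a terminating error.
$user = Get-ADUser -Identity $SamAccountName -Server $Server -Properties MemberOf, Description -ErrorAction Stop

# 1. Disable the account and reset the password so cached or shared credentials stop working.
Disable-ADAccount -Identity $user -Server $Server
$randomPassword = ConvertTo-SecureString ([guid]::NewGuid().ToString('N') + 'Aa1!') -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Server $Server -Reset -NewPassword $randomPassword

# 2. Record group memberships, then remove them.
#    Domain Users is the primary group and cannot be removed, hence the filter.
$groups = Get-ADPrincipalGroupMembership -Identity $user -Server $Server |
          Where-Object { $_.Name -ne 'Domain Users' }
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
$groups | Select-Object Name, DistinguishedName | Out-File -FilePath $LogPath
if ($groups) {
    Remove-ADPrincipalGroupMembership -Identity $user -MemberOf $groups -Server $Server -Confirm:$false
}

# 3. Stamp the description with the offboarding date and move the object to the disabled OU.
$stamp = "Disabled {0:yyyy-MM-dd}; was: {1}" -f (Get-Date), $user.Description
Set-ADUser -Identity $user -Server $Server -Description $stamp
Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU -Server $Server

# 4. Verify the result rather than assuming it: disabled, no groups left, sitting in the disabled OU.
$check = Get-ADUser -Identity $SamAccountName -Server $Server -Properties Enabled, MemberOf
[pscustomobject]@{
    SamAccountName  = $check.SamAccountName
    Enabled         = $check.Enabled
    RemainingGroups = @($check.MemberOf).Count
    InDisabledOU    = $check.DistinguishedName -like "*,$DisabledOU"
    GroupLog        = $LogPath
}
```

Save it as, for example, Disable-ADLeaver.ps1 and run `.\Disable-ADLeaver.ps1 -SamAccountName jdoe`. The final object is the check: if Enabled is still true or RemainingGroups is not zero, a step failed and the leaver is not yet deprovisioned. Deletion is deliberately left out; keep the disabled object for your retention period (and enable the AD Recycle Bin before you delete anything), because a deleted account's SID is gone for good and cannot be matched back to old ACLs and audit logs.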
Deprovisioning a User in Entra ID or Microsoft 365
To deprovision a cloud user, take the following steps:
- Deactivate or disable the account.
- Remove the user from all groups.
- Remove all licenses from the account’s properties so that they can be reassigned to another user.
- Delete the account.
Making a User’s Email Available to Another User
To make the email data of a disabled user account available to someone else, such as their manager, you can do either of the following:
- Export the data to a .pst file and import it into another email account.
- Convert the user's mailbox to a shared mailbox and grant another user (such as the manager) Full Access to it. Do the conversion while the account still holds its Exchange license, and keep the disabled user object afterwards; the shared mailbox is anchored to it, and deleting the user deletes the mailbox.
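The cloud steps listed above (disable, remove groups, free licenses, delete) and the shared-mailbox handover can be scripted with the Microsoft Graph PowerShell SDK and the Exchange Online module. The script below is an added example, not code from the original article, and it orders the steps the way the dependencies require: sessions are revoked right after the sign-in block, the mailbox is converted before the license is removed, and the user object is kept whenever a shared mailbox depends on it. The Microsoft.Graph and ExchangeOnlineManagement modules are assumed to be installed; the UPNs are hypothetical.

```powershell
# Added example: Entra ID / Microsoft 365 deprovisioning (not from the original article).
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the
# caller can consent to the Graph scopes below. All user names are hypothetical.
param(
    [Parameter(Mandatory)] [string]$UserPrincipalName,   # e.g. jdoe@contoso.example (hypothetical)
    [string]$ManagerUpn,                                  # who receives the mailbox; optional
    [switch]$DeleteAccount
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','Group.ReadWrite.All','Directory.ReadWrite.All' -NoWelcome
$user = Get-MgUser -UserId $UserPrincipalName -Property Id,DisplayName,OnPremisesSyncEnabled -ErrorAction Stop

# A user synced from on-premises AD must be disabled there; cloud-side changes would be overwritten.
if ($user.OnPremisesSyncEnabled) {
    throw "$UserPrincipalName is synced from on-premises AD; disable it in AD and let sync apply the change."
}

# 1. Block sign-in and revoke refresh tokens. Access tokens already issued stay valid until they
#    expire (about an hour by default), so expect a short window either way.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 2. Hand the mailbox to the manager BEFORE touching licenses: a licensed user mailbox can be
#    converted to a shared mailbox (which then needs no license); an unlicensed one cannot.
if ($ManagerUpn) {
    Connect-ExchangeOnline -ShowBanner:$false
    Set-Mailbox -Identity $UserPrincipalName -Type Shared
    Add-MailboxPermission -Identity $UserPrincipalName -User $ManagerUpn -AccessRights FullAccess `
        -InheritanceType All -AutoMapping $true | Out-Null
    Disconnect-ExchangeOnline -Confirm:$false
}

# 3. Remove group memberships. Dynamic groups cannot be edited this way, so log and continue
#    instead of aborting the whole run on the first failure.
$groups = Get-MgUserMemberOf -UserId $user.Id -All |
          Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
foreach ($g in $groups) {
    try {
        Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id -ErrorAction Stop
    } catch {
        Write-Warning ("Could not remove from group '{0}': {1}" -f $g.AdditionalProperties['displayName'], $_.Exception.Message)
    }
}

# 4. Free the licenses so they can be reassigned.
$skus = @((Get-MgUserLicenseDetail -UserId $user.Id).SkuId)
if ($skus.Count -gt 0) {
    Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $skus | Out-Null
}

# 5. Delete only when nothing depends on the object. A deleted user can be restored for 30 days.
if ($DeleteAccount -and $ManagerUpn) {
    Write-Warning "The shared mailbox is anchored to this user object; skipping deletion."
} elseif ($DeleteAccount) {
    Remove-MgUser -UserId $user.Id
}

# Verify the outcome instead of trusting the script.
$check = Get-MgUser -UserId $user.Id -Property AccountEnabled,AssignedLicenses -ErrorAction SilentlyContinue
[pscustomobject]@{
    User          = $UserPrincipalName
    Exists        = [bool]$check
    SignInBlocked = if ($check) { -not $check.AccountEnabled } else { $true }
    LicensesLeft  = if ($check) { @($check.AssignedLicenses).Count } else { 0 }
    GroupsTried   = @($groups).Count
}
```

Run it as `.\Disable-CloudLeaver.ps1 -UserPrincipalName jdoe@contoso.example -ManagerUpn mgr@contoso.example` and read the warnings: each one is a membership you still have to fix by hand (a dynamic group's rule, or an on-premises group that AD must change). SignInBlocked should be true and LicensesLeft zero before you consider the account deprovisioned.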
Manual vs. automated deprovisioning
Deprovisioning users manually as described above is both time consuming and prone to human error. Indeed, relying on a manual process increases the chances that accounts will not be deprovisioned promptly when a user leaves the organization or, even worse, the task will be completely forgotten or neglected. As a result, orphaned accounts laden with permissions will accumulate in the directory. These accounts can enable the former employees to continue to access your organization’s data and systems, and are ripe for takeover by attackers looking to blend in with normal network activity.
Automated deprovisioning improves security while reducing IT team workload. A deprovisioning solution connects to the HR system and deprovisions selected users based on defined rules. It can perform all the steps in the deprovisioning process, such as disabling accounts and revoking their access to IT resources, in just a few minutes.
Automated Deprovisioning with Netwrix GroupID
Netwrix GroupID automates the process of deprovisioning users. You simply create a synchronize job and schedule it to run at a desired frequency. Let’s suppose you want to automatically disable the user account of anyone who is terminated in your HR database. Here are the settings for the job:
- Data source and destination: Choose the HR database as the source and Active Directory as the destination.
- Object types to deprovision: Netwrix GroupID can deprovision multiple types of Active Directory objects, including users, contacts, mail-enabled users, mailbox-enabled users and mail-enabled contacts.
- Disable subscriptions: You can elect to have the deprovisioning job disable all Office 365 and G Suite subscriptions for mailbox-enabled users.
- Fields for data sync: Specify the fields or object attributes to be updated at the destination when the job runs, such as the user’s department, title or phone number.
- Transformations: A transformation manipulates the source data before it is saved to the destination. For example, you can combine the values of two source fields into one destination field, or assign a string constant to a destination field regardless of the source value, such as updating the Description field with the date the user was terminated.
Creating Multiple Deprovisioning Jobs
With Netwrix GroupID, you can create multiple deprovisioning jobs that automatically run in sequence to deprovision user accounts in various systems. For example, you might create the following three jobs:
- A job that reads a list of terminated users from an HR Excel workbook and disables (or deletes) the corresponding accounts in Active Directory.
- A second job that uses the updated Active Directory records to disable (or delete) the appropriate accounts in your ERP database.
- A third job that uses the updated AD to revoke user privileges at another destination, such as a Novell Directory server or an OpenLDAP directory server.
All changes that a job makes are logged to ensure accountability and facilitate troubleshooting.
Additional Benefits of Netwrix GroupID
Netwrix GroupID is not simply a deprovisioning tool; it is an identity and access management (IAM) solution that helps automate a broad range of user lifecycle management tasks, including:
- User provisioning in Active Directory and other enterprise applications during onboarding
- Easily and accurately reprovisioning users when they change roles within the organization
- Revoking access when a user leaves the organization
- Managing Active Directory groups and group membership
Conclusion
Promptly deprovisioning users who leave the organization is vital to security and compliance. Manual deprovisioning processes are notoriously tedious and highly prone to errors.
Automating the deprovisioning process with a solution like Netwrix GroupID ensures that whenever employees leave, their accounts are disabled and their access is automatically removed from all connected applications. Moreover, Netwrix GroupID helps you properly manage the entire user lifecycle. As a result, organizations can reduce IT workload and costs while slashing the risk of orphaned accounts being used to illicitly access sensitive data and other IT resources.
FAQ
What is user deprovisioning?
User deprovisioning is the process of removing a user account and systematically revoking its access to IT systems, apps and data. It is a crucial step in managing the user lifecycle as required for security and compliance.
User deprovisioning can be done manually, but tools like Netwrix GroupID automate the process, reducing both IT workload and the risk of costly errors.
What is an example of deprovisioning?
An example of deprovisioning is disabling a former employee’s Active Directory user account, removing it from all security groups, and moving it to an OU for disabled users. This process ensures that the user loses access to the organization’s resources.
What is the difference between deprovisioning an account and deleting an account?
Deleting a user account permanently removes it from the directory. The purpose of deprovisioning is to revoke an account’s access to IT resources, so it can involve deleting the account or simply disabling it and removing all its access rights.