Organizations are living entities with people joining, switching departments, changing roles, and leaving. Other contributors to this activity include third-party personnel, such as consultants, trainers, auditors, and contractors. All enjoy varying levels of access to a company’s systems, such as ERP, CRM, and HRM – just to name a few. And when they leave or dissociate with the organization, it’s crucial that their access be revoked in a matter of hours, not days. As a first step towards this goal, their user accounts must be deprovisioned in Active Directory. Remember: securing your organization is about securing access.
What is Deprovisioning?
Deprovisioning is the process of deleting a user and revoking their access to an organization’s applications, data, and resources inside a network. On the other hand, provisioning is about creating users and giving them access to an organization’s systems.
A user’s life cycle management revolves around provisioning and deprovisioning their accounts within an organization. The IT team makes sure that data and resources are accessible only to the users within the company, while preventing it from getting into the hands of outsiders.
Manual vs. Automated Deprovisioning
Manual Deprovisioning
Manual deprovisioning means that IT has to deprovision users manually. On receiving a request from HR to deprovision a user, IT must manually perform several steps, such as disable the user’s directory account, remove all subscriptions and licenses, remove the user from group memberships, and more. And this task sequence has to be performed for every user who leaves the organization.
Automated Deprovisioning
Automated deprovisioning removes this burden off the IT team. A deprovisioning solution connects to the HR system and deprovisions users based on certain business rules. It automatically disables users in the directory, unsubscribes them from services, revokes access to folders and file shares; in short, performs all tasks required for deprovisioning.
How Automated Deprovisioning Secures Organizations
Manual deprovisioning comes with huge security risks. There can be instances where the person responsible for deprovisioning might delay the task or in some cases, may forget it. As a result, old accounts laden with permissions continue to accumulate in the directory, with several ex-employees having active accounts in your company’s domain. In a situation such as this, data breaches by ex-employees should not come as a surprise.
Automated deprovisioning can help prevent these precarious mishaps and eliminate human error, that can prove costly for your organization. Automated deprovisioning removes a user account from Active Directory and revokes all user entitlements. The task takes a few minutes as compared to the lengthy manual process, and it effectively enhances network security.
Deprovisioning User Accounts in AD, Azure AD and MS 365
The stages involved in deprovisioning user accounts in Active Directory, Azure AD, and Microsoft 365 are discussed below.
Steps to Deprovision User Objects in Active Directory
A typical process of deprovisioning in Active Directory involves the following steps:
- Deactivating the user’s Active Directory account.
- Removing the users from the membership of all groups.
- Adding the user to a security group for disabled users, that has no access to the company’s resources.
- Moving the user’s account to a separate OU in Active Directory.
Deprovision a User in Active Directory using PowerShell Cmdlets
PowerShell cmdlets can remove a user from the membership of all AD groups and then disable or delete the user account. The commands are:
Remove a User From All Groups
#import the Active Directory module if not already up and loaded
$module = Get-Module | Where-Object {$_.Name -eq 'ActiveDirectory'}
if ($module -eq $null) {
Write-Host "Loading Active Directory PowerShell Module"
Import-Module ActiveDirectory -ErrorAction SilentlyContinue
}
$employeeSAN = Read-Host "Enter employee login/alias/SamAccountName "
$adServer = "adserver.yourcompany.com"
try{
Get-ADUser -Identity $employeeSAN -Server $adServer
#if that doesn't throw you to the catch this person exists. So you can continue
$ADgroups = Get-ADPrincipalGroupMembership -Identity $employeeSAN | where {$_.Name -ne "Domain Users"}
if ($ADgroups -ne $null){
Remove-ADPrincipalGroupMembership -Identity $employeeSAN -MemberOf $ADgroups -Server $adServer -Confirm:$false
}
}#end try
catch{
Write-Host "$employeeSAN is not in AD"
}
Disable a User
Disable-ADAccount -Identity “sAMAccountName of the user”
Delete a User
Remove-ADUser -Identity "sAMAccountName of the User”
Move the User Accounts to a Specific OU
Move-ADObject -TargetPath "disntinguishedName of the OU where you want to move the disabled account"
Steps to Deprovision User Objects in Azure Active Directory
Azure AD uses an automated solution called Azure AD Provisioning Service to deprovision users. With this service, Azure AD provisions users to SaaS applications or other systems by connecting to user API management endpoints provided by application vendors. The deprovisioning action is immediately triggered when a user leaves the company. This means that the Azure AD Provisioning Service disables or deletes the user and removes their access to all applications and network systems all at once.
To manually deprovision a user in Azure AD:
- Deactivate the account. Set the “Block Sign-in” option to Yes.
- Clear the groups from the Groups tab.
- Remove the associated licenses from the user’s properties.
Steps to Deprovision User Objects in Microsoft 365
To deprovision an Office 365 account:
- Reset the user account’s password to force the user’s sign out and restrict access.
- Block the user’s access to Microsoft services by selecting the “Block the user from signing in” option.
- The licenses assigned to the user must be removed so that they can be reassigned to another user (as licenses are typically limited).
- Delete the account.
To save the user’s data, export the data to a .pst file and import it to another email account. Another way to secure information is by converting that user’s mailbox to a shared mailbox and assigning a different owner to it.
Best Practices for Deprovisioning User Objects in Directory Services
Deprovisioning is indispensable to an organization’s security. Hence, IT administrators must adopt deprovisioning practices that prevent security breaches from happening in the first place. The following are some of the best practices to maintain and deprovision user accounts in directory services:
- Implement the Principle of Least Privilege
- Implement Dotted Line Reporting
- Monitor Users’ Access
- Disable all Accounts of a User
Implement the Principle of Least Privilege
A user should be given as much access as required by their job role, which is a way to limit users’ access to valuable resources in the organization.
During a user’s life cycle, from provisioning to deprovisioning, the principle of least privilege holds significant importance. When a user switches roles, this principle must be kept in mind while readjusting their access and permissions.
User privileges can be effectively managed through:
- Group Security Type: Some IAM tools enable you to assign a security type to a group, based on the criticality of resources the group governs. Security types control access to the group.
- Private groups: only group owners can add or remove members.
- Semi-private groups: users can place join and leave requests that are approved by group owners.
- Public groups: open to all users.
- Query-based Groups: In query-based groups, user attributes, such as role, department, and location, determine their group memberships. Relevant memberships denote relevant access.
Implement Dotted Line Reporting
When a user leaves an organization, it is important to verify that all their access and group memberships are removed. Here dotted line managers can play a vital role. When users have primary and additional managers specified, every manager is responsible for ensuring that their terminated direct reports are disabled, and their access is revoked in applications they own. If a manager is on leave, there is always another manager to take care of terminated direct reports.
For users without managers, a manager suggestion feature can be used to ensure that no user is left without a manager.
Monitor Users’ Access
IT admins must keep a check on the access and entitlements assigned to users to measure the overall security of the organization. To achieve this:
- Administrators can regularly run reports on Active Directory, Exchange, and Microsoft 365 to monitor what resources are available to which set of users, detect disabled user accounts with active permissions, and locate unused orphan accounts.
- Administrators can view and evaluate the effective NTFS permissions assigned to users. Administrators can select files or shared folders to view users that have been granted permissions on them or select a user to view the permissions assigned to it.
Knowing what you have in your directory is the first step to fixing the problem. Getting rid of unnecessary accounts and extra permissions is a proactive way of tackling security threats.
Disable all Accounts of a User
When a user leaves an organization, IT, in collaboration with application owners, must ensure that all accounts of the user, existing in systems and applications across the organization, are disabled or deleted in a timely manner. These systems may include Office 365, HR systems, accounting software, collaboration tools, and more.
Most of the time, the user account is disabled in the directory, but continues to exist in other systems. This can prove risky over time and encourage unauthorized access. Make sure the user account is deprovisioned in all applications to block access to the entire ecosystem.
To manage disabled accounts:
- Generate reports on disabled users in the directory.
- Move these users to an OU for disabled users.
- In query-based groups, add a parameter to the query to remove disabled objects from group memberships.
IAM Tools for Deprovisioning
If an organization’s network infrastructure is huge, manually managing the user life cycle is an exceedingly challenging and labor-intensive job. IAM tools like GroupID can help automate user life cycle processes without the need for human interference. Some examples are:
- Provisioning users in Active Directory and other applications
- Providing the required access to users
- Managing the users’ group memberships in Active Directory
- Revoking access when a user leaves the company
With provisioning tools, administrators can easily provision and deprovision users besides reaping the following benefits:
- Speed up the user life cycle process
- Assign the correct access policies to users
- Track all user actions for audit
- Limit the dangers of external access to the company’s resources
- Beef up security
How GroupID Synchronize Automates Deprovisioning
GroupID Synchronize enables you to sync data from a source to a destination, including files, directory servers, and databases. This positions Synchronize as a great tool to provision, update, and deprovision users in the directory and other applications used at your organization.
To automate deprovisioning, you can create a Synchronize job with preconfigured settings, and schedule it to run at a desired frequency. Settings include:
- Set a Data Source and Destination
- Specify Object Types to Deprovision
- Disable Subscriptions
- Choose the Fields for Data Sync
- Apply Transformation to your Data
Let’s dig into each of them.
- Set A Data Source and Destination: A job syncs user data from a source to a destination. Let us assume your source is an HR database and destination is Active Directory. The flow would be as:
- When a user leaves the organization, HR updates its records.
- When the Synchronize job runs, it synchronizes the directory with the HR system, making sure that all terminated users are disabled or deleted in the directory (based on your configuration preferences).
- Specify Object Types to Deprovision: Synchronize allows for the provisioning and deprovisioning of multiple Active Directory objects, like users, contacts, mail-enabled users, mailbox-enabled users, and mail-enabled contacts.
- Disable Subscriptions: For mailbox-enabled users, the deprovisioning job also unsubscribes them from Office 365 and G Suite services.
- Choose The Fields for Data Sync: Identify the fields or object attributes that must be updated at the destination while deprovisioning users. Include these fields in your Synchronize job.
- Apply Transformation to Your Data: Transformation manipulates the source data before saving it to the destination. For example, you can combine the values of two source fields into one destination field or assign a string constant to a destination field regardless of source restrictions. This enables you to set specific values for user attributes when deprovisioning accounts.
Synchronize Process Flow
You can create multiple deprovisioning jobs in Synchronize that auto run in a sequence to deprovision user accounts in various systems. For example:
- A first job with an HR Excel workbook as source and AD as the destination reads terminated users from the source file and disables (or deletes) their accounts at the destination.
- A second job with AD as the source and an ERP database as the destination reads the disabled (or deleted) users in the source and disables (or deletes) them at the destination.
- A third job may run after that, which takes AD or your ERP database as the source and revokes user privileges at another destination.
When user data is auto synced from a source to a destination as a routine practice, user info remains current across systems and applications, with security, scalability, and process optimization as key benefits.
Summing Up
Automated deprovisioning plays a key role in network security, as it ascertains that whenever employees leave, their accounts are disabled, and their access is automatically removed for all connected applications. Changes are tracked and logged, which builds accountability into the deprovisioning chain. And since automation speeds up the entire process, reduces costs, involves minimal human involvement, and eliminates human error, optimization is guaranteed.
Jonathan Blackwell
View ProfileSince 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.