Nobody puts it on the IT budget line
You won't find "manual provisioning" anywhere in your IT spend. There's no invoice for it. No PO, no SaaS subscription, no consultant retainer.
That's the problem. The cost is real. It just hides in places nobody looks at.
Let me walk through where it actually lives.
The time you don't count
A 200-person company does roughly 15 to 20 access changes a week. New hires, role changes, contractors starting, contractors ending, leave coverage, project access, the occasional "I can't get into SharePoint" Teams ping.
Pessimistic estimate: 15 minutes each, end to end. Find the request, check the manager, make the change in Entra ID, verify, message the user, close the ticket.
That's around five hours a week. Two hundred and fifty hours a year. A month and a half of someone's working time, gone, clicking through admin centers.
And that's the good scenario. The one where you have a process. Most teams don't. They have a Slack thread, a half-finished Confluence page from 2022, and one person who remembers how things are supposed to work.
The license you forgot to remove
Pull the report. How many Entra ID P1 licenses are assigned right now? How many Intune? How many of those users actually used the feature in the last 60 days?
Somewhere between 15% and 25% of mid-market license spend is wasted. It goes to people who left, changed roles, or never needed the license in the first place. On a 200-person company that's easily 30 to 50 licenses. At Microsoft's prices, that's not a rounding error.
The reason is simple. Provisioning is built for adding. Nobody owns the removing. (Orphaned accounts are the same problem in a slightly different costume.)
The breach you didn't have yet
A former employee account still active four months after they left. A contractor whose Azure resource group access nobody disabled. The intern from summer 2024 who somehow still has Teams on her personal phone.
Most of the time, nothing happens. People don't go back into systems they walked away from. They forget the password. They get a new laptop.
But the one time something does happen, it's a real problem. NIS2 wants you to prove that access was revoked. ISO 27001 calls a stale account a control failure. Cyber insurance underwriters now ask the question on the renewal form.
You can argue this is a security risk, not a cost. Until you've actually had to write the incident report. Then it's a cost. (Offboarding is where this hides.)
The audit you'll lose a month to
Auditor asks for a list of all current users and their access. Sounds simple. It's not.
Manual provisioning leaves no audit trail worth the name. You can pull current state from Entra ID. You can't easily prove who approved what, when, or why.
So you build it. Retroactively. From email threads, from old tickets, from memory. Two senior people, two to four weeks. That's the math at most companies the first time it happens. Repeat every year.
(Running a real access review is a different problem, but related.)
What the line item actually looks like
Add it up for a 200-person company. Five hours a week of admin time. Thirty to fifty unused licenses. One audit catch-up project per year. A non-zero offboarding risk you're carrying on the books.
Conservatively, north of 80,000 SEK a year. Before anything actually breaks.
It just doesn't arrive as one invoice. So nobody flags it.
A quieter way
Full transparency, this is our product, so take it with the appropriate context. Adcyma automates the lifecycle triggers and the manual steps. New hire lands in your HR system, access is provisioned. They leave, access is gone. Role changes, permissions follow.
If your IT team is spending a chunk of every week on manual access work, the lifecycle automation is worth a look. Faster to set up than you'd guess.