IGA Glossary

User Deprovisioning

User deprovisioning is the process of revoking a user's access to systems, applications, and data when they leave an organization or no longer need that access. It is the "remove access" side of identity lifecycle management, and it is critical for security and compliance.

What happens during user deprovisioning?

When someone leaves your company -- whether they resign, get laid off, or their contract ends -- a series of steps needs to happen to remove their access. In a Microsoft Entra ID environment, deprovisioning typically includes:

  • Disabling or deleting the Entra ID user account
  • Revoking active sessions and refresh tokens
  • Removing Microsoft 365 license assignments
  • Removing the user from security groups, Teams, and distribution lists
  • Revoking access to connected SaaS applications
  • Converting the user's mailbox to a shared mailbox or forwarding email
  • Transferring ownership of files, OneDrive data, and SharePoint content
  • Disabling any service accounts or API keys associated with the user

Miss any of these steps, and you have a gap. A disabled Entra ID account does not automatically revoke access to every SaaS tool the person used. An active Salesforce account for a former sales rep is a real security and data risk.

Why is deprovisioning harder than provisioning?

Most organizations are better at giving access than taking it away. There are a few reasons for this:

Urgency is asymmetric. When someone starts, there is pressure to get them working immediately. When someone leaves, the urgency to revoke access often does not feel as sharp -- unless it is a termination for cause. That delay is dangerous.

There is no single source of truth. IT may not know about every SaaS application a user signed up for, especially if teams adopt tools independently. Shadow IT makes deprovisioning incomplete by default.

Manual processes break down. The offboarding checklist that works when you have one departure per month falls apart when you have five in the same week. Steps get skipped. Accounts get forgotten.

Data preservation complicates things. You cannot just delete everything. The departing employee's files, emails, and project data may need to be preserved and transferred. This adds complexity to what seems like a simple "disable the account" task.

What are the risks of poor deprovisioning?

The risks are both immediate and long-term:

Security breaches. Orphaned accounts -- active accounts belonging to people who no longer work at the company -- are a well-known attack vector. If a former employee's credentials are compromised (through a data breach at another service where they reused their password, for example), an attacker can walk right in.

Data theft. A departing employee who retains access to company systems after their last day can download customer data, intellectual property, or sensitive business information. This is not hypothetical -- it happens regularly.

Compliance violations. SOC 2, ISO 27001, NIS2, and other frameworks require organizations to demonstrate timely access revocation. If an auditor finds active accounts for people who left months ago, that is a finding that needs to be explained and remediated.

License waste. Every orphaned account with an assigned Microsoft 365 license costs money. E3 licenses are not cheap. Multiply that by dozens of forgotten accounts and it adds up to meaningful waste.

How fast should deprovisioning happen?

The answer depends on the circumstances, but the general rule is: as fast as possible.

Involuntary terminations should trigger immediate deprovisioning -- ideally within minutes. If someone is being let go, their access should be revoked before or during the conversation. This requires coordination between HR and IT, and it is one of the strongest arguments for automated deprovisioning.

Voluntary departures typically allow more time, since the employee has given notice. But "more time" should still mean "on their last day," not "whenever IT gets to it next week." Access should be revoked at end of business on the employee's final day at the latest.

Contractor and vendor access is often the most neglected. Contracts end, projects wrap up, but the guest accounts and application access linger. Setting expiration dates on guest accounts in Entra ID and reviewing external access regularly helps address this.

How does automated deprovisioning work?

Automated deprovisioning follows the same principle as automated provisioning, but in reverse. When the HR system records that an employee's end date has arrived, that event triggers the deprovisioning workflow:

  1. The HR system marks the employee as terminated or sets their end date.
  2. The IGA tool (like Adcyma) detects the change.
  3. A defined workflow executes: the Entra ID account is disabled, sessions are revoked, group memberships are removed, licenses are unassigned, and connected application access is revoked via SCIM or API.
  4. Data preservation steps run: mailbox conversion, OneDrive transfer, etc.
  5. The entire process is logged for audit purposes.

This happens consistently, every time, with no steps skipped. The IT team does not need to remember a 15-item checklist at 5 PM on a Friday.
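The steps in that workflow map onto a small number of Microsoft Graph calls, and their order matters: disabling the account only blocks new sign-ins, so tokens already issued stay valid until they expire, which is why the session revocation follows immediately. The example below is added here and is not Adcyma's code. It builds the "disable immediately" stage as an ordered list of Graph requests from records shaped like the /users/{id}, /users/{id}/memberOf and /users/{id}/licenseDetails responses, runs them through a caller-supplied sender, and returns an audit trail. The sender, the sample user, the group records and the SKU id are all constructed assumptions so the workflow can be exercised offline; in production the sender would wrap an authenticated HTTP client.

```python
"""Disable-stage deprovisioning plan (added example; not Adcyma's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Optional

GRAPH = "https://graph.microsoft.com/v1.0"


@dataclass
class GraphRequest:
    step: str
    method: str
    path: str
    body: Optional[dict] = None


@dataclass
class Plan:
    requests: list = field(default_factory=list)        # Graph calls, in execution order
    manual_followups: list = field(default_factory=list)  # groups Graph cannot edit


def build_disable_stage(user: dict, member_of: list, license_details: list) -> Plan:
    uid = user["id"]
    plan = Plan()
    # 1. Block new sign-ins first. Access tokens already issued survive this...
    plan.requests.append(GraphRequest("disable-account", "PATCH", f"/users/{uid}",
                                      {"accountEnabled": False}))
    # 2. ...so invalidate refresh tokens and sessions straight away.
    plan.requests.append(GraphRequest("revoke-sessions", "POST",
                                      f"/users/{uid}/revokeSignInSessions"))
    # 3. Reclaim every assigned license in one assignLicense call.
    skus = [lic["skuId"] for lic in license_details]
    if skus:
        plan.requests.append(GraphRequest("remove-licenses", "POST",
                                          f"/users/{uid}/assignLicense",
                                          {"addLicenses": [], "removeLicenses": skus}))
    # 4. Remove direct group memberships. Dynamic groups, on-premises synced
    #    groups and Exchange-managed distribution lists / mail-enabled security
    #    groups cannot be edited through Graph, so they go to a manual list.
    for obj in member_of:
        if obj.get("@odata.type") != "#microsoft.graph.group":
            continue  # directory roles and other objects are out of scope here
        types = obj.get("groupTypes") or []
        exchange_managed = bool(obj.get("mailEnabled")) and "Unified" not in types
        if obj.get("onPremisesSyncEnabled") or "DynamicMembership" in types or exchange_managed:
            plan.manual_followups.append(obj["displayName"])
            continue
        plan.requests.append(GraphRequest(f"remove-from-group:{obj['displayName']}", "DELETE",
                                          f"/groups/{obj['id']}/members/{uid}/$ref"))
    return plan


def execute(plan: Plan, send: Callable[[str, str, Optional[dict]], int]) -> list:
    """Run every request without stopping early; log each outcome for audit."""
    audit = []
    for req in plan.requests:
        status = send(req.method, GRAPH + req.path, req.body)
        audit.append({"time": datetime.now(timezone.utc).isoformat(), "step": req.step,
                      "request": f"{req.method} {req.path}",
                      "ok": 200 <= status < 300, "status": status})
    for name in plan.manual_followups:
        audit.append({"time": datetime.now(timezone.utc).isoformat(), "step": f"manual:{name}",
                      "request": None, "ok": False, "status": None})
    return audit


# Constructed sample records (not real tenant data; the SKU id is a placeholder).
SAMPLE_USER = {"id": "11111111-0000-0000-0000-000000000001",
               "userPrincipalName": "former.rep@contoso.example", "accountEnabled": True}
SAMPLE_MEMBER_OF = [
    {"@odata.type": "#microsoft.graph.group", "id": "g-sales", "displayName": "Sales",
     "groupTypes": [], "mailEnabled": False, "securityEnabled": True},
    {"@odata.type": "#microsoft.graph.group", "id": "g-all", "displayName": "All Staff (dynamic)",
     "groupTypes": ["DynamicMembership"], "mailEnabled": False, "securityEnabled": True},
    {"@odata.type": "#microsoft.graph.group", "id": "g-dl", "displayName": "sales-dl",
     "groupTypes": [], "mailEnabled": True, "securityEnabled": False},
    {"@odata.type": "#microsoft.graph.directoryRole", "id": "r-1", "displayName": "Global Reader"},
]
SAMPLE_LICENSES = [{"skuId": "00000000-0000-0000-0000-0000000000e3"}]


def fake_send(method: str, url: str, body: Optional[dict]) -> int:
    """Stand-in sender mirroring the status codes Graph returns for these calls."""
    return 204 if method in ("PATCH", "DELETE") else 200


if __name__ == "__main__":
    for entry in execute(build_disable_stage(SAMPLE_USER, SAMPLE_MEMBER_OF, SAMPLE_LICENSES), fake_send):
        print(entry)
```

The mailbox conversion and OneDrive transfer from step 4 of the workflow are deliberately not in this stage: they are Exchange Online and SharePoint operations that run after sign-in is blocked, and the later deletion (and the 30-day soft-delete window) is a separate stage gated on retention rules.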

What is the difference between disabling and deleting an account?

In Entra ID, you have two options when deprovisioning a user:

Disabling (blocking sign-in) keeps the account in Entra ID but prevents the user from logging in. This is usually the right first step. It preserves the account data and allows for data transfer before permanent removal. Entra ID also has a "soft delete" state where deleted users can be restored within 30 days.

Deleting permanently removes the account (after the 30-day soft-delete window). This should happen only after all data has been preserved, licenses reclaimed, and any compliance retention requirements are met.

Most organizations follow a staged approach: disable immediately, transfer data within a defined window, then delete after a retention period.

Building a reliable deprovisioning process

If your current offboarding process relies on someone remembering to send IT a ticket, it is time to formalize it:

  1. Make HR the trigger. The deprovisioning process should start when HR records the departure, not when a manager sends an email two days after the person left.
  2. Automate the critical steps. Account disabling, session revocation, and license removal should happen automatically. These are the highest-risk items and should not depend on manual action.
  3. Define data retention rules. Decide in advance how long to keep email, files, and other data for departed employees. Document this so it is consistent.
  4. Include SaaS applications. Your deprovisioning process needs to cover more than just Entra ID. Map all the applications your organization uses and include them in the workflow.
  5. Audit regularly. Run periodic reports comparing your HR system's list of active employees against active Entra ID accounts. Any mismatches are orphaned accounts that need attention.
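Step 5 is the control that catches whatever the workflow missed, and it is simple enough to script. The example below is added here and is not Adcyma's code. It reconciles an HR roster against enabled Entra ID member accounts and reports two kinds of mismatch: orphaned accounts (HR says the person is terminated, or their end date has passed) and unmatched accounts (enabled, but with no HR record at all, which is where forgotten service and contractor accounts tend to hide). Both inputs are constructed samples: the HR rows mimic a CSV export and the directory rows mimic the Graph response to GET /users with $filter=accountEnabled eq true and $select=userPrincipalName,employeeId,userType,accountEnabled. Matching on employeeId assumes the joiner process populates that attribute.

```python
"""Orphaned-account report (added example; not Adcyma's code)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    upn: str
    kind: str    # "orphaned" (HR says gone) or "unmatched" (no HR record at all)
    detail: str


def reconcile(hr_rows: list, entra_users: list, today: date) -> list:
    """Return one Finding per enabled member account that HR does not vouch for."""
    hr_by_id = {row["employeeId"]: row for row in hr_rows}
    findings = []
    for user in entra_users:
        # Only enabled member accounts are in scope; guests are reviewed separately.
        if not user.get("accountEnabled") or user.get("userType") != "Member":
            continue
        upn = user["userPrincipalName"]
        record = hr_by_id.get(user.get("employeeId") or "")
        if record is None:
            findings.append(Finding(upn, "unmatched",
                                    "enabled account with no HR record; confirm owner or disable"))
            continue
        end = date.fromisoformat(record["endDate"]) if record.get("endDate") else None
        gone = record["status"] == "terminated" or (end is not None and end < today)
        if gone:
            overdue = f", {(today - end).days} days past end date" if end else ""
            findings.append(Finding(upn, "orphaned", f"HR status '{record['status']}'{overdue}"))
    return findings


def by_kind(findings: list) -> dict:
    """Group finding UPNs by kind, preserving directory order."""
    out = {"orphaned": [], "unmatched": []}
    for f in findings:
        out[f.kind].append(f.upn)
    return out


# Constructed sample data (not real people or tenants).
HR_ROWS = [
    {"employeeId": "E100", "status": "active", "endDate": None},
    {"employeeId": "E101", "status": "terminated", "endDate": "2024-03-01"},
    {"employeeId": "E102", "status": "active", "endDate": "2024-05-31"},  # end date passed, status not yet updated
    {"employeeId": "E103", "status": "active", "endDate": None},
]
ENTRA_USERS = [
    {"userPrincipalName": "ann@contoso.example", "employeeId": "E100", "userType": "Member", "accountEnabled": True},
    {"userPrincipalName": "bob@contoso.example", "employeeId": "E101", "userType": "Member", "accountEnabled": True},
    {"userPrincipalName": "cat@contoso.example", "employeeId": "E102", "userType": "Member", "accountEnabled": True},
    {"userPrincipalName": "dan@contoso.example", "employeeId": "E103", "userType": "Member", "accountEnabled": False},
    {"userPrincipalName": "svc-backup@contoso.example", "employeeId": None, "userType": "Member", "accountEnabled": True},
    {"userPrincipalName": "vendor_partner.example#EXT#@contoso.example", "employeeId": None,
     "userType": "Guest", "accountEnabled": True},
]
REPORT_DATE = date(2024, 6, 15)

if __name__ == "__main__":
    for finding in reconcile(HR_ROWS, ENTRA_USERS, REPORT_DATE):
        print(f"{finding.kind:9} {finding.upn}: {finding.detail}")
```

Run on a schedule, the orphaned list is the metric an auditor will ask about (time between end date and disablement), and the unmatched list is the input to the application and service-account inventory from step 4.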

Adcyma automates deprovisioning for organizations using Entra ID. When an employee's end date arrives in the connected HR system, Adcyma executes the defined offboarding workflow automatically -- disabling the account, revoking access, and logging every action for compliance.
