What does user provisioning involve?
When a new employee starts at your company, they need accounts and access to do their job. User provisioning is the process of setting all of that up. In a Microsoft Entra ID environment, this typically means creating a user account in Entra ID, assigning the right Microsoft 365 licenses, adding the user to the correct security groups and Teams, granting access to business applications (Salesforce, Jira, Slack, etc.), setting up email and distribution group memberships, and configuring department-specific resources like SharePoint sites or shared drives.
For a single new hire, this might take an IT administrator 30 to 60 minutes if done manually. Multiply that by every new hire throughout the year, add the inevitable mistakes and follow-up tickets, and provisioning becomes a significant time sink.
Manual provisioning vs. automated provisioning
Manual provisioning is how most small and mid-sized companies start. A manager sends an email or IT ticket saying "we have a new hire starting Monday." IT creates the accounts, looks up what the last person in that role had access to, tries to replicate it, and hopes they did not miss anything.
The problems are predictable. It is slow — new hires often wait hours or days for full access. It is inconsistent — two people with the same job title end up with different access depending on who set up their accounts. It is error-prone — permissions get missed or over-granted. And there is no audit trail. If someone asks why a user has access to a particular system, the answer is often "because the person before them had it."
Automated provisioning uses rules and workflows to create accounts and assign access based on defined criteria. When a new hire is entered into the HR system with a specific department, title, and location, the provisioning system reads that data and automatically creates the Entra ID account, assigns the correct licenses, adds the user to the right groups, and grants application access.
The difference is significant. What used to take IT an hour of manual work per new hire happens in minutes with zero manual intervention. The new employee has everything they need from the moment they log in on day one.
How does automated provisioning work with Entra ID?
There are a few approaches to automating user provisioning in a Microsoft environment.
HR-driven provisioning connects your HR system (like Personio, HiBob, or SAP SuccessFactors) to Entra ID. When the HR team adds a new employee in the HR system, that data flows to Entra ID and triggers account creation. This is the gold standard because it uses HR as the authoritative source for identity data.
Rule-based group assignment uses Entra ID dynamic groups or an IGA tool to automatically assign group memberships based on user attributes. When a user's department is set to "Engineering," they are automatically added to all the groups that engineering team members need.
SCIM provisioning (System for Cross-domain Identity Management) is a standard protocol that Entra ID uses to automatically create, update, and deactivate user accounts in connected SaaS applications. If your Salesforce instance is connected to Entra ID via SCIM, creating a user in Entra ID can automatically create their Salesforce account too.
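The SCIM lifecycle described above, as an added sketch that is not taken from this page or from any vendor: it maps an HR record to a SCIM 2.0 core User and chooses the request (create, update, or deactivate) that brings the application account in line with HR. The HR field names, the sample record and the resource id are constructed for illustration; the schema URNs and PatchOp shape follow RFC 7643 and RFC 7644.

```python
# Schema URNs from the SCIM 2.0 RFCs (7643 core schema, 7644 protocol).
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SYNCED = ("userName", "title", "active")  # attributes kept in step with HR


def to_scim_user(hr):
    """Map an HR record (constructed field names) to a SCIM core User."""
    return {
        "schemas": [USER_SCHEMA],
        "externalId": hr["employee_id"],
        "userName": hr["email"],
        "name": {"givenName": hr["first_name"], "familyName": hr["last_name"]},
        "title": hr["title"],
        "active": hr["status"] == "active",
    }


def plan_request(hr, existing):
    """Return the SCIM request that aligns the app account with HR, or None.

    `existing` is the app's current SCIM resource for this person, or None.
    """
    desired = to_scim_user(hr)
    if existing is None:
        if not desired["active"]:
            return None  # never create an account for someone already inactive
        return {"method": "POST", "path": "/Users", "body": desired}
    ops = [{"op": "replace", "path": attr, "value": desired[attr]}
           for attr in SYNCED if existing.get(attr) != desired[attr]]
    if not ops:
        return None  # already in sync, nothing to send
    return {"method": "PATCH", "path": "/Users/" + existing["id"],
            "body": {"schemas": [PATCH_SCHEMA], "Operations": ops}}


# Constructed sample data: one HR record and the matching app-side resource.
HR_RECORD = {"employee_id": "E1001", "email": "ana@example.com",
             "first_name": "Ana", "last_name": "Berg",
             "title": "Account Executive", "status": "active"}
APP_USER = dict(to_scim_user(HR_RECORD), id="2819c223")

if __name__ == "__main__":
    print(plan_request(HR_RECORD, None))                                 # joiner
    print(plan_request(dict(HR_RECORD, status="terminated"), APP_USER))  # leaver
```

Deactivation is sent as a PATCH that sets `active` to false rather than a DELETE, so the application account and its history remain available for audit.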
Adcyma connects to Entra ID and your HR system to automate the full provisioning workflow. You define what access each role should have, and Adcyma handles account creation, group assignments, license allocation, and application access — all triggered by HR data changes.
What is the real cost of slow provisioning?
The cost of manual provisioning is not just IT time.
If a new hire cannot access their tools on day one, they sit idle. At an average loaded cost of 400-600 SEK per hour, even a half-day delay adds up. Starting a new job and not being able to log into anything is also a poor first impression — it signals to the new hire that the company is disorganized.
When provisioning is manual, IT becomes a bottleneck for every new hire, role change, and project team setup. And when IT is rushed to set up a new hire, shortcuts happen: over-granting access is faster than carefully scoping permissions, and that creates risk that compounds over time.
What about provisioning for role changes?
Provisioning is not just a day-one activity. When someone changes roles — moving from sales to customer success, or getting promoted from individual contributor to manager — their access needs change too.
This "mover" scenario is often handled worse than initial provisioning. The employee gets their new access added, but their old access is rarely removed. Over months and years, people accumulate permissions from every role they have held. This is called privilege creep, and it is a real security and compliance concern.
Good provisioning practices handle role changes just like new hires: based on the new role definition, old access is removed and new access is granted. This is one of the core benefits of connecting provisioning to HR data and role-based access control — when the role changes in the HR system, the access updates automatically in both directions.
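One way to compute the "both directions" update for a mover, as an added example that is not code from this page or any product: it compares a user's actual group memberships with the profile of their new role and separates what to add, what to remove, and what to send to an access review. The role names, group names and the sample user are constructed; treating groups outside every profile as review items rather than auto-removing them is an assumption of this sketch.

```python
# Constructed role profiles: HR role -> groups that role is entitled to.
ROLE_PROFILES = {
    "sales": {"grp-all-staff", "grp-sales", "app-salesforce"},
    "customer-success": {"grp-all-staff", "grp-cs", "app-salesforce", "app-jira"},
}
# Groups the automation owns: anything that appears in at least one profile.
MANAGED = set().union(*ROLE_PROFILES.values())


def reconcile(new_role, current_groups):
    """Compare a user's actual groups with the profile of their current role.

    Returns a dict with:
      add    - profile groups the user lacks
      remove - role-managed groups the new role does not justify
      review - groups outside every profile (manual grants); reported for an
               access review rather than removed automatically
    """
    if new_role not in ROLE_PROFILES:
        # Fail closed: an unmapped role must not silently keep old access.
        raise ValueError("no role profile defined for %r" % new_role)
    desired = ROLE_PROFILES[new_role]
    current = set(current_groups)
    extra = current - desired
    return {"add": sorted(desired - current),
            "remove": sorted(extra & MANAGED),
            "review": sorted(extra - MANAGED)}


# Constructed mover: was in sales, HR now says customer-success.
MOVER_GROUPS = ["grp-all-staff", "grp-sales", "app-salesforce", "grp-finance-reports"]

if __name__ == "__main__":
    print(reconcile("customer-success", MOVER_GROUPS))
```

Running the same comparison across all users on a schedule surfaces privilege creep that predates the automation, since any non-empty `remove` or `review` list is access the current role does not explain.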
How to improve your provisioning process
If you are still provisioning manually, start by documenting your current process. Map out exactly what happens when someone joins, where the request comes from, what accounts get created, and how long it takes. Define standard role profiles — for each job function, list the access that role needs. Connect your HR system so that HR is the authoritative source and the trigger for provisioning. Automate incrementally, starting with Entra ID account creation and group assignment before expanding to application provisioning. And measure the results by tracking time-to-productivity for new hires and the number of provisioning-related IT tickets.