Active Directory Best Practice
Active Directory and Microsoft 365 Account Provisioning and User Lifecycle Management: Hidden Costs and Recommendations
At its core, user provisioning is a process that makes sure that user accounts are created, given the most appropriate level of permissions and managed moving forward across an enterprise.
Keep in mind, however, that these days most Microsoft environments, in particular, are hybrid, meaning that they have both on-premises Active Directory components and Azure AD, plus Microsoft 365 and more. Because of that, the cloud-based Azure AD provision process is about so much more than just account creation and deletion. It’s about the entire lifecycle of a user account from top to bottom, not just the initial cycle.
Whenever you hire a new employee, for example, obviously they’ll need to be able to access your business’ internal network and its various SaaS applications to do their job. User provisioning not only makes sure that they have an account to call their own, but that all information flowing into and out of that account is protected at all times.
The Problem With Manual User or Group Provisioning
Once you begin the user provisioning process in your own environment, you’ll immediately run into the number one pain point for most people: it’s incredibly expensive.
In fact, it’s estimated that the process can cost anywhere between $15 and $60 per user – and keep in mind, that’s just for the creation of the account. When you also add in all of the additional costs associated with updating or deprovisioning the account, those numbers climb even higher. Once the context of the entire user lifecycle is considered, those costs could double – or, in some cases, triple – on a per-user basis.
Scripting Can Be an Answer, But It’s Not the Only One
In an effort to speed things up and to avoid the cost issue outlined above, some organizations turn to PowerShell scripts as a first attempt at automating things as much as possible. The key thing to keep in mind is that PowerShell scripts are more often than not written by full-time IT professionals, NOT professional developers. This means that the code is usually not subject to any form of rigorous testing before going into production.
What this means is that if the script-writer goes on some type of extended leave or leaves the organization entirely, any issues with the scripts cannot be easily fixed. This is especially true with organizations of 1000+ employees. If something goes wrong and a script breaks, user accounts might suddenly lose access to SaaS apps or another critical user object. Some group assignments may no longer have access to resources, while others do. Even the process needed to create update files becomes an uphill battle. It will all quickly prove to be a nightmare – and one without an easy solution that provisions users in the way you need.
In addition to being generally unstable and prone to errors, Microsoft user provisioning scripts also create issues in terms of security. Because they cannot be delegated easily, running one requires escalated privileges. If you wanted to be able to connect to Office to manage users, for just one example, that would require privilege escalation that may not be in your environment’s best interest.
Writing and maintaining scripts is also inherently complex, as it requires advanced knowledge of platforms, schema, the mappings section, data types and even metadata formats. This means that you will need to pay for senior-level resources to maintain this, further increasing costs at a time when you’re no doubt looking to save as much as possible. The way a script is used to manage users will also likely vary depending on who wrote it.
In the end, PowerShell scripts are great for internal proofs of concept, but true automation by way of a user management API for the source system is the best long-term solution.
User and App Provisioning Best Practices
In order to make sure that the Azure AD provisioning service is automatically creating the right user attributes as efficiently as possible and that you’re doing things in a cost-effective manner, there are a few key best practices you’ll want to rely on.
Chief among them is the idea that you should be automating the deprovisioning process as much as possible, leaving the arduous task of cleaning up obsolete accounts to software built for this express purpose. Get a list from your human resources department of everyone who has left the company over the last few months. Then, lock those accounts down and get rid of any data you don’t need any longer.
Not only does this help protect you from situations where those former employees attempt to log back in and steal proprietary information, but in many industries it’s also necessary for compliance purposes as well.
Likewise, you’ll want to automate user provisioning itself, ideally from human resources/ERP/SIS data. This is true even if you’re working with a text file. Unfortunately, working with any type of authoritative data may present a challenge. If something is incomplete or otherwise slow to update, this could delay the process longer than you’d like, so be sure to plan accordingly with your IT staff or with any vendor partners you’re working with.
Finally, be sure to automate entitlement assignments whenever you have the opportunity to do so. This involves not only automatically assigning mailboxes, but also group memberships and any default entitlement configurations you’re working with.
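The three practices above (deprovisioning leavers from HR data, provisioning joiners from the same authoritative feed, and assigning entitlements automatically) can be expressed as a single reconciliation job. The script below is an added example for illustration; it is not Cayosoft's code and does not come from the original article. It assumes a constructed HR CSV layout (EmployeeID, GivenName, Surname, Department, Title, Status), that each account stores its HR id in the employeeID attribute, that one security group per department named Dept-<Department> already exists, and placeholder OU and UPN-suffix values; all of these are assumptions, not anything the article specifies.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example (not Cayosoft's code): reconcile on-premises AD with an HR CSV feed.
  Constructed assumptions: the feed has columns EmployeeID,GivenName,Surname,
  Department,Title,Status (Status = Active | Terminated); each AD user carries the
  HR id in the employeeID attribute; one group per department named "Dept-<Dept>"
  exists; the OUs below exist. Run with -WhatIf first to preview every change.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $HrFeedPath,
    [string] $UsersOu    = 'OU=Users,OU=Corp,DC=example,DC=com',            # hypothetical
    [string] $DisabledOu = 'OU=Disabled Users,OU=Corp,DC=example,DC=com',   # hypothetical
    [string] $UpnSuffix  = 'example.com'                                    # hypothetical
)

Import-Module ActiveDirectory

$hr = Import-Csv -Path $HrFeedPath
if (-not $hr) { throw 'HR feed is empty; refusing to reconcile against nothing.' }
$required = 'EmployeeID', 'GivenName', 'Surname', 'Department', 'Title', 'Status'
$missing = $required | Where-Object { $_ -notin $hr[0].PSObject.Properties.Name }
if ($missing) { throw "HR feed is missing column(s): $($missing -join ', ')" }

function New-InitialPassword {
    # 24 bytes from the OS CSPRNG, Base64-encoded; never written to disk or console.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

foreach ($row in $hr) {
    # Match on the HR id, not the name: names change, the id does not.
    $user = Get-ADUser -Filter "employeeID -eq '$($row.EmployeeID)'" -Properties employeeID, memberOf, Department
    $deptGroup = "Dept-$($row.Department)"

    switch ($row.Status) {
        'Active' {
            if (-not $user) {
                # Joiner: deterministic logon name, made unique if already taken.
                $base = ('{0}{1}' -f $row.GivenName.Substring(0, 1), $row.Surname).ToLower()
                $sam = $base; $i = 1
                while (Get-ADUser -Filter "sAMAccountName -eq '$sam'") { $sam = "$base$i"; $i++ }
                if ($PSCmdlet.ShouldProcess($sam, 'Create user')) {
                    New-ADUser -Name "$($row.GivenName) $($row.Surname)" -SamAccountName $sam `
                        -UserPrincipalName "$sam@$UpnSuffix" -GivenName $row.GivenName `
                        -Surname $row.Surname -EmployeeID $row.EmployeeID `
                        -Department $row.Department -Title $row.Title -Path $UsersOu `
                        -AccountPassword (New-InitialPassword) -ChangePasswordAtLogon $true `
                        -Enabled $false   # enabled by the onboarding step after the password hand-over
                    Add-ADGroupMember -Identity $deptGroup -Members $sam
                }
            }
            else {
                # Mover: department changed in HR, so swap the department entitlement group.
                if ($user.Department -and $user.Department -ne $row.Department) {
                    if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Move to $deptGroup")) {
                        Remove-ADGroupMember -Identity "Dept-$($user.Department)" -Members $user -Confirm:$false
                        Set-ADUser -Identity $user -Department $row.Department -Title $row.Title
                    }
                }
                # Idempotent: only add the membership when it is not already present.
                $groupDn = (Get-ADGroup -Identity $deptGroup).DistinguishedName
                if ($user.memberOf -notcontains $groupDn) {
                    Add-ADGroupMember -Identity $deptGroup -Members $user
                }
            }
        }
        'Terminated' {
            if ($user -and $user.Enabled) {
                if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Deprovision leaver')) {
                    Disable-ADAccount -Identity $user
                    # Strip every group (memberOf excludes the primary group) so no entitlement survives.
                    foreach ($g in $user.memberOf) { Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false }
                    Set-ADUser -Identity $user -Description "Disabled $(Get-Date -Format 'yyyy-MM-dd') per HR feed"
                    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu
                }
            }
        }
        default { Write-Warning "Unknown Status '$($row.Status)' for EmployeeID $($row.EmployeeID)" }
    }
}

# Orphans: enabled AD accounts that HR no longer knows about. Report only; a human decides.
$hrIds = $hr.EmployeeID
Get-ADUser -Filter { Enabled -eq $true } -SearchBase $UsersOu -Properties employeeID |
    Where-Object { -not $_.employeeID -or $_.employeeID -notin $hrIds } |
    ForEach-Object { Write-Warning "Not in HR feed: $($_.SamAccountName) (employeeID='$($_.employeeID)')" }
```

Run it as `.\Reconcile-HrFeed.ps1 -HrFeedPath .\hr-export.csv -WhatIf` first; every create, move and disable goes through ShouldProcess, so the dry run lists each intended change without touching the directory. Two design points matter for the security outcome: accounts are matched on employeeID rather than on a name, so a renamed or duplicate-named user cannot be silently attached to the wrong HR record, and accounts that HR has stopped reporting are only warned about, never deleted, because an incomplete feed (the delay the article warns about) would otherwise turn into an outage. Disabling the on-premises account blocks new sign-ins once Azure AD Connect synchronises the change, but it does not invalidate tokens already issued to the user's existing sessions; a hybrid leaver process therefore also needs a cloud-side session revocation step (for example Revoke-MgUserSignInSession from the Microsoft Graph module), which this on-premises example deliberately leaves out.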
Provided that you keep all of these best practices in mind, you’ll dramatically streamline the Active Directory and Microsoft 365 account provisioning process in a way that makes sure A) everyone has access to the assets they need, while B) dramatically reducing your risk surface from a security and compliance perspective as well. Plus, thanks to automation, this will help generate the most important benefit of all: freeing up as much time as possible on the part of your IT employees so that they can focus on those matters that truly need them.
A Better Solution: Automate User Provisioning and Deprovisioning with Cayosoft Administrator
Cayosoft can help you strengthen compliance and improve IT efficiency while getting new users to work faster with automated user account provisioning that eliminates costly help desk tickets and mistakes from complex account creation procedures. Cayosoft Administrator’s rule-based automation streamlines user provisioning: it can be configured to use information from virtually any HR/ERP/SIS system, completely provisions user accounts and assigns the resources required for the user to perform their job. To learn more, visit the Cayosoft automated account provisioning page, which explains more on hybrid user lifecycle management.