Are You Still Manually Provisioning New Users in Hybrid Active Directory/Office 365?

Microsoft estimates that 70% of organizations will run a hybrid environment of AD/Office 365 for at least some period of time.  

Many of these hybrid organizations will move to hybrid mode with the thought that they will manually provision new users. 

In hybrid environments, this strategy deserves a second look because onboarding accounts is more than twice as complex as on-premises alone. Provisioning will likely touch on-premises AD, Exchange, Azure AD, and Office 365.

And user management is more than just creating users in these environments. There are changes to the accounts of existing users as well as the termination/departure of employees, contractors, interns, etc.

For example, an organization of 1,000 people with 10% turnover will deal with 100 new users, 100 departing users, and all the changes to the other 900 employees which then have to propagate into multiple environments. The additional IT Management burden can reduce some of the operational benefits of moving to Office 365 in the first place.   

Provisioning costs to the organization can be quantified. If one takes the average salary of an IT Administrator and estimates the time devoted to the manual provisioning of a single user, it can cost as much as $60 per user. In contrast, automated user provisioning is estimated to cost only a fraction of that, likely $1 or less.

User management also has implications in the form of Office 365 license management. New employees will likely need access to certain Office 365 capabilities right away. But organizations don’t want to turn on features that employees are not using, and as employees leave, their licenses can be recycled to new employees.

As Brien Posey, noted IT expert and 17-time MS MVP, summarized at a recent presentation to our hybrid customers, “Active Directory Management is one of the biggest issues organizations run into in the hybrid transition. A simple password change by a user in Office 365 creates a host of synchronization and write-back decisions for IT. It opens up new security risks as the permission levels are different with Office 365. And there are dozens of these traps and no single flavor of hybrid implementation; they are all unique.”

New Security Gaps and Compliance Risks for Hybrid Organizations 

As Bob Bobel, CEO of Cayosoft, also points out, while executives may be focused on the security and compliance implications of data residing in the cloud, hybrid environments and user management can create new security gaps and compliance risks that IT must address.

Says Bobel, “It is critical to have a tight deprovisioning process for employees that leave in an Office 365 environment. You want to avoid becoming the next high-profile data breach. Embarrassing information can leave the organization because an employee left or was terminated and there was a delay in IT closing off access.”

In addition, IT organizations with hybrid environments improve their compliance posture by defining and reporting on access levels, maintaining proof of control, and automating HR processes where possible. 

PowerShell Scripts, A Step Towards True Automation, But Problematic 

Some organizations turn to PowerShell scripts as a first try at automation.

PowerShell scripts are problematic in our experience for many reasons. These scripts tend to be buggy and prone to crashing. They are most often written by full-time IT professionals, not professional developers, so the code is often not subject to rigorous testing before going into production. Inevitably the script-writer goes on extended leave or leaves the organization and a problem crops up that cannot be easily fixed.

Especially for organizations larger than 1,000 employees, we find PowerShell scripts are a good internal proof of concept, but true automation is the direction to go.

Automation – An Alternative to PowerShell Scripts and Manually Provisioning 

Automatically creating, updating, and terminating users from HR, ERP, or SIS data directly cuts out time-consuming delays and the mistakes that result from manual, error-prone operations.

Solutions to automatically provision new users can be affordable, quick to deploy initially, and can be supported by existing staff.

We examine the full life-cycle of the user in a hybrid environment and how to automate their management in a new webinar, now available on demand.  

Click here to access an on demand version of our new webinar, Mastering Hybrid Active Directory/Office 365 User Provisioning