
Deprovisioning in Office 365: Your Security Depends on It


dkpurp cloud

You can hardly find a company that doesn’t treat provisioning procedures seriously.

Usually there are lots of steps and protocols to get a new employee going. For Office 365, that includes creating accounts in Active Directory, adding new accounts to all connected systems, putting all the personal data in, assigning licenses, etc.

Although most (if not all) companies treat provisioning very seriously, they often pay no attention to deprovisioning, i.e. the procedures executed when employees leave. This can be a very big mistake: handling deactivated accounts properly is as important as setting them up in the first place, and sometimes more so.

How Does Deprovisioning Work?

Basically, deprovisioning is just provisioning in reverse. An employee starts with no account, no access rights, no credentials, no licenses assigned, etc. Once they are hired, all of that is granted. So when they leave, everything has to return to the initial state: no access, no licenses, no credentials.

This can’t be achieved just by deleting accounts (although sometimes that is an option). Usually companies have policies to keep deprovisioned accounts active for at least some fixed time. This makes it easy to restore information if required.

Deprovisioning has to cover all systems that the user had access to, including Office 365. So all the procedures have to be documented in as much detail as possible, and automating this process might be a very good idea. And if at any point a new system is added to the everyday workflow, it should also be added to the list of deprovisioning procedures.
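The end state described above (no access, no licenses, no credentials, on every system) can be checked automatically. The script below is an added example, not part of the original article: it audits one former employee against per-system account exports and also flags systems that were never put on the checklist. The system names, field names, the 90-day retention period and the sample rows are all constructed assumptions.

```python
from datetime import date

# Constructed sample data; every system, user and field name is hypothetical.
CHECKLIST = {"active_directory", "office365", "vpn"}  # systems the procedure covers
RETENTION_DAYS = 90                                   # assumed retention policy
ACCOUNTS = [  # one row per account, as exported from each system
    {"user": "jdoe", "system": "active_directory", "enabled": False,
     "licenses": [], "active_credentials": 0},
    {"user": "jdoe", "system": "office365", "enabled": False,
     "licenses": ["E3"], "active_credentials": 1},
    {"user": "jdoe", "system": "crm", "enabled": True,
     "licenses": [], "active_credentials": 1},
]


def audit_leaver(user, left_on, today, accounts=ACCOUNTS,
                 checklist=CHECKLIST, retention_days=RETENTION_DAYS):
    """Return (system, finding) pairs for one former employee."""
    findings, seen = [], set()
    past_retention = (today - left_on).days > retention_days
    for acct in (a for a in accounts if a["user"] == user):
        system = acct["system"]
        seen.add(system)
        if system not in checklist:
            findings.append((system, "system missing from deprovisioning checklist"))
        if acct["enabled"]:
            findings.append((system, "account can still sign in"))
        if acct["licenses"]:
            findings.append((system, "licenses still assigned: "
                             + ", ".join(acct["licenses"])))
        if acct["active_credentials"]:
            findings.append((system, "credentials or sessions still valid"))
        if past_retention:
            findings.append((system, "retention period over, review for deletion"))
    # Checklist systems with no exported row cannot be confirmed either way.
    for system in sorted(checklist - seen):
        findings.append((system, "no account record, verify manually"))
    return findings


if __name__ == "__main__":
    for system, finding in audit_leaver("jdoe", date(2024, 1, 10), date(2024, 2, 1)):
        print(f"{system}: {finding}")
```

An empty result means the leaver is back at the initial state on every system the checklist covers.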

Why is Deprovisioning Important?

If you are still wondering why deprovisioning is so important and why you should even bother, there is a very good answer: neglecting it is a major security risk.

Terminated employees leave for a reason, so any access they used to have to any system has to be terminated as soon as they leave. You can’t know their intentions, so any information from the environment that isn’t available to the public shouldn’t be available to those who no longer work for the company.

Real-Life Deprovisioning Example

Remember the massive Sony Pictures Entertainment hack back in 2014? The one where a huge amount of personal and company-related data (documents, passwords, home addresses, salaries, social security numbers, etc.) was leaked to the web and caused losses of millions and millions of dollars. The media has linked it to North Korean hackers because of the movie The Interview that was in production at that time. However, the story turned out to be much less poetic.

Cybersecurity experts say that most probably the hack was an “inside job,” caused by a dissatisfied employee who left Sony but wasn’t deprovisioned properly. That meant that he had access to the data that he no longer should’ve been able to reach. And we all know the consequences.

What Should You Do?

Unfortunately, things like that happen every day. They might be less serious than in Sony’s case, but can still be very unpleasant for a company of any size.

So next time an employee leaves your company, make sure that deprovisioning procedures are done properly. This can save you a lot of time, a lot of effort and, possibly, your job.

If you haven’t done it yet, carefully document the steps, create a checklist, and make sure that everybody involved in deprovisioning knows about it and follows it. Automate as much as you can. This will allow you to eliminate human errors and save the IT staff precious time.

If you do everything correctly, your environment will be safe and clean and you will have one less thing to worry about.
