The 5 Risks of Manual User Provisioning

If yours is like many companies, you’re still using manual processes to add new employees to applications and remove departing ones during onboarding and offboarding. Using information in a combination of checklists, spreadsheets, and databases, you have to work in multiple directories, applications, and/or other identity systems to give new employees or contractors access to apps. And then you have to do the same when those workers leave your company.

User provisioning and deprovisioning is a necessary step in onboarding and offboarding. But it’s often a time sink—especially for organizations with high turnover. And it costs more than just time and money. Manually managing users creates significant risk to your company.

Here are five risks associated with managing users manually.

1. Hampering employee productivity

Once hired, new employees build their impression of their new company based on the onboarding experience. When onboarding goes badly, it makes a bad impression, which can lead to turnover. The Society for Human Resource Management (SHRM) reports that employee turnover can be as high as 50 percent in the first eighteen months.

That’s why modern organizations work to make employees feel welcome and productive from day one. Giving them access to the apps they need has to happen quickly so your new employees can get up and running. It’s one way they know that the company they just joined really is technically adept.

And the job doesn’t stop with new employees. Companies are constantly adding applications, and users’ roles and responsibilities constantly change, causing them to need different applications. Keeping users productive means being able to quickly grant them appropriate access to applications, whenever they need them.

2. Cumbersome and costly compliance efforts

Many organizations have to comply with federal or industry regulations, such as HIPAA (Health Insurance Portability and Accountability Act) or the Sarbanes-Oxley Act (SOX). They require that organizations have documented, internal controls and processes that adequately manage who has access to different types of information. These regulations also require that departing employees be deprovisioned in a timely fashion so former employees can’t access systems.

If you’re managing users manually, you either have very labor-intensive and error-prone processes for controlling and documenting who has access to what – or you have none at all. And do you really know when people’s access to applications is granted or revoked? Or when their privilege levels change?

Without automated user provisioning and deprovisioning, you may not only face very high costs for producing audit documentation; you may not be able to pass the audit at all. Automated user provisioning and deprovisioning solves this problem by maintaining a detailed record of which applications users have access to and their privilege levels within them. And when users leave the organization, their access is effectively revoked.

3. Difficulty deploying cloud apps on a global scale

If you’re a global organization with a highly distributed Active Directory infrastructure with many forests and domains, deploying cloud applications can be a challenge when you don’t have a consolidated view of all your users.

By connecting all your on-prem Active Directory instances with a centralized cloud directory, you have a single integration point for cloud applications, such as Office 365, G Suite, or Salesforce. This enables you to automatically provision new users from across the world in a timely and consistent manner. It also makes enabling single sign-on (SSO) afterwards equally easy.

4. Overpaying on licenses

Another nightmare for those using manual methods is deprovisioning users in a timely fashion to avoid overpaying on application licenses. Most cloud applications charge an annual fee per active user. If you forget to remove inactive users from any of those applications, you might have to purchase an upgrade in the middle of the subscription term when you in fact could just remove the old users and give the seats to the new users. With automated user deprovisioning, you will always have the maximum headroom in your cloud to allow for new users and hence optimize your investment.

5. Ghost accounts

Which brings us to perhaps the greatest risk: unauthorized access to accounts belonging to former employees or contractors, either by those individuals themselves or by hackers who have obtained their credentials. Few companies have the right processes in place to ensure that cloud accounts are effectively removed when people leave the company.

Automated user provisioning can sync automatically with Active Directory and/or with HR systems like Workday. When an employee is marked as no longer active, the change is automatically detected and the user deprovisioned from all their cloud accounts. This effectively prevents unauthorized access from those users.
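The reconciliation described above can be sketched as a check that compares an HR export against per-application account exports and flags accounts that are still enabled for people who have left or are unknown to HR. This is an added example, not code from the original article or from any vendor product; the field names, application names and sample records are constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample data: an HR export and per-application account exports.
HR_ROSTER = [
    {"email": "ana@example.com", "status": "active", "terminated": None},
    {"email": "bo@example.com", "status": "terminated", "terminated": date(2024, 1, 15)},
    {"email": "cy@example.com", "status": "terminated", "terminated": date(2024, 3, 1)},
]
APP_ACCOUNTS = [
    {"app": "crm", "email": "ana@example.com", "enabled": True},
    {"app": "crm", "email": "Bo@Example.com", "enabled": True},    # ghost
    {"app": "mail", "email": "bo@example.com", "enabled": False},  # already disabled
    {"app": "mail", "email": "cy@example.com", "enabled": True},   # ghost
    {"app": "mail", "email": "temp-contractor@example.com", "enabled": True},  # orphan
]


def find_ghost_accounts(hr_roster, app_accounts, as_of):
    """Return enabled accounts whose owner is terminated or unknown to HR."""
    hr_by_email = {r["email"].strip().lower(): r for r in hr_roster}
    findings = []
    for acct in app_accounts:
        if not acct["enabled"]:
            continue  # skip accounts that were already disabled
        key = acct["email"].strip().lower()  # apps often differ in letter case
        person = hr_by_email.get(key)
        if person is None:
            findings.append({"app": acct["app"], "email": key,
                             "reason": "no_hr_record", "days_exposed": None})
        elif person["status"] != "active":
            left = person["terminated"]
            days = (as_of - left).days if left else None
            findings.append({"app": acct["app"], "email": key,
                             "reason": "terminated", "days_exposed": days})
    return findings


def reclaimable_seats(findings):
    """Count flagged accounts per app (license seats that could be freed)."""
    return dict(Counter(f["app"] for f in findings))


if __name__ == "__main__":
    results = find_ghost_accounts(HR_ROSTER, APP_ACCOUNTS, date(2024, 3, 31))
    for finding in results:
        print(finding)
    print(reclaimable_seats(results))
```

The per-app seat count ties the same findings back to the licensing cost discussed in risk 4, and the `days_exposed` figure is the kind of evidence an auditor asks for under risk 2.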


Most organizations that manually manage users either hit a breaking point or are blissfully unaware of the risk. By leveraging automated provisioning and deprovisioning, organizations can save large amounts of money by reducing manual processes at the same time as closing a gaping security hole in their cloud IT footprint.

About the Author

Alicia Townsend

For almost 40 years, Alicia Townsend has been working with technology as both a consultant and a trainer. She has a passion for empowering others to use technology to make their lives easier. As Director of Content and Documentation at OneLogin, Ms. Townsend works with technical writers, trainers and content marketing writers to inspire and empower everyone to take advantage of what OneLogin’s platform has to offer them.
