Provisioning and Deprovisioning

Identity and access management (IAM) involves managing access to your organization's apps, services, and devices. Two crucial parts of IAM are provisioning and deprovisioning (sometimes referred to as onboarding and offboarding), which in the simplest terms are the processes to give and revoke access.

What are provisioning and deprovisioning?

Explaining these terms using just the word “access” is a little simplistic, so we’ve expanded on the topic and provided some examples.


Provisioning ensures user accounts are given proper access across an organization’s applications and systems simultaneously. Provisioning workflows might involve account creations and deletions, updates, and changes in access.


Deprovisioning is provisioning in reverse, where access is withdrawn across an organization’s applications and systems simultaneously. Deprovisioning can be limited in certain situations, but always includes removing access or deleting user accounts, depending on the circumstances.

Examples of provisioning and deprovisioning

Common triggers for the provisioning workflow might be a new hire or the promotion or transfer of a current employee. The new hire will not have access to any of the organization’s resources; the current employee may have incorrect or no access to the resources necessary for their new role. The provisioning workflow will give these employees the access they need.

The deprovisioning workflow is triggered when an employee resigns, is terminated, or assumes a new role. In the latter case, the employee may no longer need access to certain services and applications and will lose access while being provisioned for their new role. However, deprovisioning is especially important if an employee leaves the organization altogether.

Security issues with provisioning and deprovisioning

Before the adoption of cloud storage and computing, provisioning and deprovisioning was often an afterthought. The user was provisioned for their new role at the time of hire, their access modified as necessary while employed, and they were deprovisioned when they left.

Most organizations kept their sensitive data behind their firewalls. With little access from the outside, there wasn’t a pressing need to worry about closely managing access beyond specific instances where work extended beyond the firewall. Most access occurred within the organization, controlled by the IT department.

That’s no longer the case. Many organizations depend on cloud-based services. The workforce is increasingly working from places—and devices—that aren’t within the walled garden of their organization’s internal network.

Networks that weren’t built for external access are suddenly being accessed regularly by BYOD devices and from locations the company had no control over. This creates a struggle as companies scramble to deploy appropriate security measures. Our laissez-faire attitude on provisioning and deprovisioning is coming back to haunt us.

Previous research has shown that four out of five departing employees take sensitive company information with them, and 83% of respondents to a survey admitted accessing accounts from their previous employer. One out of every five organizations has been a victim of a hack by an ex-employee. Those aren’t small numbers.

Better access management with Beyond Identity

Modern cyber threats require organizations to take IAM seriously, especially their provisioning and deprovisioning workflows. Our current interconnected workforce opens many new avenues for cybercriminals to exploit.

Beyond Identity is a great solution to help automate your IAM processes and ensure you’re not leaving the door open to attack through poor provisioning and deprovisioning practices. Here’s how we can help.

Automatic provisioning with SCIM

System for Cross-domain Identity Management (SCIM) is an open-source standard for automated user provisioning. With SCIM, you can automatically sync users from your mastered directory to Beyond Identity’s directory for easy user lifecycle management. Numerous services and applications, including Azure, ZScaler, Dropbox, and others support SCIM. This makes deprovisioning simple, with no manual lift needed from IT teams.

If needed, IT and security teams can log into the admin portal and quickly remove users and devices and their access to cloud-based applications is immediately revoked.

User self-enrollment

With Beyond Identity, we’ve empowered users to enroll themselves, taking the pressure to provision users manually off of IT departments. Organizations can choose between an email invite or directly through their SSO platform. These processes automatically provision users with the correct access.

User self-service and recovery

IAM requires support and Beyond Identity’s platform allows your workforce to add, manage, and remove their credentials from their own devices. If they lose a device or purchase a new one, they can handle those issues without needing to call the help desk.

Most importantly, it’s passwordless

Beyond Identity not only revolutionizes your IAM strategy, it removes the single biggest threat to your organization—the password. Our platform uses secure cryptographic credentials that are tied to the user and to the device.

This provides certainty of identity that no other traditional, password-based authentication platform can provide. That, along with features that allow the user to self-enroll, will solve your provisioning and deprovisioning issues and eliminate the risk of password-based attacks. Get a free demo to see for yourself.

Stop detecting threats. Start preventing them.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.