User Deprovisioning

The systematic removal of a user's access rights, accounts, and permissions when they leave or change roles. Effective deprovisioning ensures no orphaned accounts remain and that departing employees cannot access company systems post-departure.

Why Deprovisioning Fails

Deprovisioning is what happens when someone leaves: every door they had access to gets locked. Email suspended, Slack access revoked, SaaS licenses freed, device locked or wiped, VPN credentials invalidated.

When it goes wrong, the consequences are concrete. We found that 83% of ex-employees retain access to company systems after departure, and 91% still have access to company files. That's usually not a policy failure. It's a process failure. Manual offboarding is slow, fragmented across systems, and prone to gaps. Someone processes the HRIS offboarding, closes the email account, and misses the AWS console access. Or the Salesforce login. Or the shared admin credentials that were never formally tracked.

Automated deprovisioning closes those gaps by connecting the offboarding event in the HRIS to every system simultaneously.

What Deprovisioning Covers

Complete deprovisioning has several layers.

  • Identity: disable or delete the SSO account, which cascades access revocation to every connected application.
  • Device: remote lock or wipe company hardware, revoke MDM certificates.
  • SaaS: deprovision application accounts that aren't connected to SSO, reclaim licenses, revoke API tokens.
  • Network: invalidate VPN credentials, remove from access groups.
  • Data: transfer file and email ownership to the manager, archive or close accounts per policy.

The Orphaned Account Problem

Accounts that remain active after an employee departs are orphaned accounts. They represent dormant attack surface. A former employee who retains valid credentials can still access systems, whether by accident or by design. Attackers who obtain the credentials of a departed user can enter systems that aren't actively monitored, because the account appears inactive and no one expects it to log in. Orphaned accounts also hold licenses that could be reallocated.

Graceful vs. Immediate Deprovisioning

Not all departures are identical. Planned departures allow a transition period: the employee retains read access to files while ownership transfers, with full revocation on the last day. Involuntary terminations require immediate revocation. Automated deprovisioning systems handle both workflows without IT manually adjusting the process for each case; the HR classification determines which path fires.
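The layered checklist above and the planned/involuntary split can be wired together in a small workflow. The following is an added example, not code from the original page: it models an HRIS offboarding event fanning out to each layer, lets the HR classification choose the path, and finishes with a reconciliation pass that flags orphaned accounts. All system names, users and files are constructed in-memory stand-ins for real connectors.

```python
from dataclasses import dataclass
from datetime import date

# Constructed stand-ins for the systems an offboarding fans out to; real
# SSO/MDM/SaaS/VPN connectors would replace these dicts. "dave" holds SaaS
# accounts but has no HRIS record, i.e. an orphaned account.
SSO = {"alice": "active", "bob": "active"}
SAAS = {"salesforce": {"alice", "bob", "dave"}, "aws": {"alice", "dave"}}
VPN = {"alice", "bob"}
DEVICES = {"alice": "LAPTOP-1", "bob": "LAPTOP-2"}
FILE_OWNER = {"q3-report.xlsx": "alice", "roadmap.doc": "bob"}

@dataclass
class Offboarding:
    user: str
    manager: str
    termination: str   # "planned" or "involuntary", as classified in the HRIS
    last_day: date

def revoke_all(user: str) -> list[str]:
    """Immediate revocation across every layer; returns an audit trail."""
    actions = []
    if SSO.get(user) == "active":
        SSO[user] = "disabled"; actions.append(f"sso:disabled:{user}")
    for app, members in SAAS.items():       # apps outside SSO need their own step
        if user in members:
            members.discard(user); actions.append(f"{app}:deprovisioned:{user}")
    if user in VPN:
        VPN.discard(user); actions.append(f"vpn:revoked:{user}")
    if user in DEVICES:
        actions.append(f"mdm:locked:{DEVICES.pop(user)}")
    return actions

def transfer_ownership(user: str, manager: str) -> list[str]:
    """Data layer: hand the leaver's files to their manager."""
    moved = [f for f, owner in FILE_OWNER.items() if owner == user]
    for f in moved:
        FILE_OWNER[f] = manager
    return [f"files:transferred:{f}->{manager}" for f in moved]

def process(ev: Offboarding, today: date) -> list[str]:
    """HR classification picks the path: involuntary -> everything now;
    planned -> transfer data first, full revocation on the last day."""
    actions = transfer_ownership(ev.user, ev.manager)
    if ev.termination == "involuntary" or today >= ev.last_day:
        return actions + revoke_all(ev.user)
    return actions + [f"sso:read-only-until:{ev.last_day}:{ev.user}"]

def find_orphans(hris_active: set[str]) -> dict[str, set[str]]:
    """Accounts in any system with no active HRIS owner: orphaned accounts."""
    active_sso = {u for u, state in SSO.items() if state == "active"}
    systems = {"sso": active_sso, "vpn": VPN, "mdm": set(DEVICES), **SAAS}
    return {name: set(m) - hris_active for name, m in systems.items() if set(m) - hris_active}
```

Running `find_orphans` on a schedule, against the HRIS active roster, is the check that catches the AWS-console or Salesforce login that a manual offboarding missed.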
