User provisioning and de-provisioning are critical identity and access management (IAM) processes that control the creation, modification, and removal of user accounts and their associated privileges. For the Security+ SY0-701 exam, this topic falls under Security Operations (Objective 4.6) and tests your understanding of the identity lifecycle and the risks of incomplete de-provisioning. Mastering this concept is essential for preventing unauthorized access and ensuring compliance with least privilege principles.
Jump to a section
Imagine a large corporate headquarters with thousands of employees. The facility uses a centralized badge system to manage physical access. When a new employee is hired, HR enters their details into the system, creates a badge with their photo and access level, and activates it. The employee can then enter the building, their office, and authorized areas. When the employee leaves the company, HR must immediately deactivate the badge and collect it. If deactivation is delayed, the former employee can still enter the building, potentially stealing equipment or data. This is exactly how user provisioning and de-provisioning works in IT. Provisioning creates user accounts with appropriate permissions based on role. De-provisioning removes access when no longer needed. The key mechanism is the identity lifecycle: create, manage, and delete. If de-provisioning is not automated and timely, accounts remain active, becoming a prime target for attackers. Just as a lost badge can be used by an unauthorized person, an orphaned account can be exploited for lateral movement or data exfiltration. The analogy highlights that the process must be tied to authoritative sources (HR) and executed promptly to minimize risk.
What is User Provisioning and De-provisioning?
User provisioning is the process of creating, maintaining, and managing user identities and their access rights within an organization's IT systems. De-provisioning is the reverse: revoking access and removing accounts when they are no longer needed, such as when an employee leaves or changes roles. These processes are foundational to identity and access management (IAM) and are critical for enforcing the principle of least privilege.
The threat addressed is unauthorized access through orphaned accounts—accounts that remain active after a user's departure. Attackers often target these accounts because they may have elevated privileges and are less likely to be monitored. In the 2021 SolarWinds attack, attackers exploited orphaned accounts to maintain persistence. Proper de-provisioning eliminates this attack vector.
How Provisioning Works Mechanically
Provisioning typically follows a workflow triggered by an authoritative source, such as an HR system. When a new employee is hired, HR enters their details (name, role, department). The provisioning system then:
Creates a user account in the directory service (e.g., Active Directory, LDAP).
Assigns group memberships based on role (e.g., 'Domain Users', 'Finance Department').
Grants access to applications (e.g., email, ERP, CRM) via automated scripts or identity federation.
Enables the account and sets initial password policies.
In a typical Windows environment, the process might use PowerShell cmdlets like:
New-ADUser -Name "John Doe" -SamAccountName "jdoe" -UserPrincipalName "jdoe@company.com" -Enabled $true -AccountPassword (ConvertTo-SecureString "TempPass123!" -AsPlainText -Force)
Add-ADGroupMember -Identity "Finance" -Members "jdoe"For cloud environments, Azure AD or AWS IAM roles are used. Provisioning can be automated via SCIM (System for Cross-domain Identity Management, RFC 7644), which standardizes user schema and REST API endpoints.
How De-provisioning Works Mechanically
De-provisioning is triggered by HR events: termination, resignation, or role change. The process should be immediate and automated to minimize the window of exposure. Steps include:
Disable the account (prevent login) rather than delete immediately—this preserves audit trails.
Revoke all session tokens and active sessions.
Remove group memberships and direct permissions.
Transfer ownership of files and mailboxes to a manager.
After a retention period (e.g., 30 days), delete the account.
In Active Directory, disabling an account is done with:
Disable-ADAccount -Identity "jdoe"In Azure AD, you can block sign-in:
Set-AzureADUser -ObjectId "jdoe@company.com" -AccountEnabled $falseKey Components and Standards
Identity Lifecycle Management (ILM): The end-to-end process from creation to deletion.
Authoritative Source: The system of record (e.g., HR database) that triggers provisioning/de-provisioning.
Role-Based Access Control (RBAC): Assigns permissions based on roles, simplifying provisioning.
SCIM: RFC 7644 for automating user management in cloud apps.
Just-in-Time (JIT) Provisioning: Grants temporary elevated privileges only when needed.
How Attackers Exploit Poor De-provisioning
Attackers look for orphaned accounts—accounts that remain active after a user leaves. They may discover them through: - Password spraying: Trying common passwords against known usernames. - Dumpster diving: Finding old credentials in public breach databases. - Insider threat: A departing employee retains access intentionally.
Once accessed, the attacker can use the account to move laterally, exfiltrate data, or escalate privileges. For example, if a terminated sysadmin's account is not disabled, an attacker who obtains the password can gain domain admin rights.
Defensive Deployment
Defenders implement automated de-provisioning workflows integrated with HR systems. Key practices include: - Immediate account disablement upon termination. - Regular audits of active accounts against HR records. - User access reviews every 90 days. - Separation of duties: The HR team initiates, IT executes.
Tools like Microsoft Identity Manager, Okta, or SailPoint automate these processes. On Linux, you might use:
# Lock a user account
passwd -l username
# Remove the user
userdel -r usernameReal Command/Tool Examples
Windows Active Directory:
# Create user
New-ADUser -Name "Jane Smith" -GivenName Jane -Surname Smith -SamAccountName jsmith -UserPrincipalName jsmith@domain.com -Path "OU=Users,DC=domain,DC=com" -AccountPassword (Read-Host -AsSecureString "Initial Password") -Enabled $true
# Disable user
Disable-ADAccount -Identity jsmith
# Delete user after retention
Remove-ADUser -Identity jsmith -Confirm:$falseLinux/Unix:
# Add user
useradd -m -G developers jdoe
passwd jdoe
# Lock account
usermod -L jdoe
# Delete user and home directory
userdel -r jdoeCloud (AWS IAM):
# Create user
aws iam create-user --user-name jdoe
aws iam attach-user-policy --user-name jdoe --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
# Disable access keys
aws iam update-access-key --access-key-id AKIAIOSFODNN7EXAMPLE --status Inactive --user-name jdoe
# Delete user
aws iam delete-user --user-name jdoeCommon Pitfalls
Delayed de-provisioning: Manual processes take days, leaving accounts exposed.
Partial de-provisioning: Only disabling the account in one system but not others (e.g., email, VPN).
Failure to revoke tokens: Even if the account is disabled, active session tokens or API keys may still work.
Account retention: Keeping accounts indefinitely for 'historical purposes' without proper controls.
Exam Focus
SY0-701 tests the concept of the identity lifecycle and the importance of timely de-provisioning. Be prepared to identify scenarios where an attacker exploits an orphaned account. Know that SCIM is the standard for automating provisioning in cloud apps. Understand that RBAC simplifies provisioning by assigning permissions based on roles, not individuals.
1. Initiation from Authoritative Source
The process begins when an authoritative source, typically the HR system, triggers an event such as new hire, termination, or role change. This event is sent to the identity management system via an automated feed (e.g., API, CSV export). For example, when an employee is terminated, HR updates the status in the HRIS (Human Resource Information System). The identity management system polls the HRIS or receives a webhook notification. This step is critical because it ensures that provisioning/de-provisioning is based on accurate, up-to-date information. Without an authoritative source, IT may rely on manual requests, which are error-prone and slow. The exam may test that the HR system is the authoritative source, not the manager's email or a help desk ticket.
2. Account Modification in Directory Service
The identity management system updates the user object in the central directory (e.g., Active Directory, Azure AD, LDAP). For provisioning, this means creating a new account with attributes like username, email, and group memberships. For de-provisioning, the account is disabled (not deleted) to preserve audit trails. The directory service logs the change, which can be reviewed in event logs (e.g., Windows Event ID 4720 for user creation, 4725 for disable). Tools like PowerShell or SCIM commands execute the change. The exam may ask about the importance of disabling vs. deleting: disabling allows recovery and audit, while deletion loses the SID and may break permissions.
3. Propagation to Connected Systems
After the directory is updated, the identity management system propagates changes to all connected applications and services. For provisioning, this includes creating accounts in email, VPN, CRM, ERP, and other SaaS apps. For de-provisioning, it revokes access by disabling accounts or removing group memberships. This propagation can be done via SCIM, custom connectors, or manual scripts. A common failure is when an application is not integrated, leaving an orphaned account. The exam may present a scenario where a terminated employee still has access to a specific application because it was not connected to the provisioning system.
4. Revocation of Active Sessions and Tokens
Even after the account is disabled, active sessions and tokens may remain valid until they expire. To fully de-provision, the system must invalidate all current sessions, refresh tokens, and API keys. This can be done by resetting the password, revoking tokens via the identity provider, or forcing a logout (e.g., using `Revoke-AzureADUserAllRefreshToken` in Azure AD). In a scenario, an attacker could use a stolen session cookie even after account disablement if tokens are not revoked. The exam may test that token revocation is a separate step from account disablement.
5. Data Handover and Retention
For departing employees, data such as emails, files, and documents must be transferred to a manager or archived. This step ensures business continuity and compliance with legal holds. The identity management system can trigger a script to forward emails, change file ownership, and export OneDrive/SharePoint data. After a retention period (e.g., 30-90 days), the account can be deleted. The exam may test that data retention policies must be followed before deletion. A common mistake is deleting the account immediately, losing critical data. Proper de-provisioning includes a grace period for data recovery.
6. Audit and Verification
The final step is to verify that de-provisioning was successful. This involves reviewing logs, running reports, and conducting periodic user access reviews. Tools like Microsoft 365 Admin Center or third-party IGA (Identity Governance and Administration) solutions can generate reports of active users vs. HR records. The exam may ask about the importance of auditing to detect orphaned accounts. A common trap is assuming that de-provisioning is complete after disabling the account, but without verification, an overlooked service may still grant access.
Scenario 1: Orphaned Admin Account Leads to Data Breach
A large financial institution terminated a senior database administrator (DBA) but failed to disable his account in the legacy CRM system. The CRM was not connected to the central provisioning system. Six months later, an attacker obtained the DBA's password from a prior data breach and used it to log into the CRM, which still had full administrative privileges. The attacker exported customer records containing PII. The SOC detected unusual data transfer via DLP alerts, but the response was delayed because the account appeared legitimate. The correct response would have been to immediately disable the account and revoke all sessions upon termination. The mistake was relying on manual de-provisioning for the CRM. A common error is assuming that disabling the account in Active Directory automatically propagates to all systems—this is false unless integrations exist.
Scenario 2: Contractor Access Persists After Project Ends
A technology firm hired a contractor for a six-month project. The contractor was given access to the development environment, source code repositories, and a VPN. When the project ended, the manager forgot to notify IT. The contractor's accounts remained active. Two months later, the contractor's VPN credentials were used to access the network from an unrecognized IP. The SOC received an alert for anomalous VPN login (geolocation mismatch). Upon investigation, they found the contractor's account was still enabled. The correct response was to disable the account, terminate the VPN session, and review access logs for any data exfiltration. The mistake was not having an automated de-provisioning trigger linked to the contract end date in the HR system. A common error is assuming that contractors are handled the same as employees—they often have different offboarding procedures.
Scenario 3: Role Change Without Permission Cleanup
An employee was promoted from sales to marketing. The provisioning system added new group memberships for marketing but did not remove the old sales groups. The employee retained access to the sales CRM, which contained sensitive client data. This violates least privilege. The SOC discovered this during a quarterly user access review when comparing group memberships to job roles. The correct response was to remove the sales group membership and audit the employee's activity in the sales CRM. The mistake was assuming that role changes only require adding permissions, not removing old ones. A common error is to focus only on provisioning and neglect de-provisioning for role changes.
Exactly What SY0-701 Tests
Objective 4.6 focuses on the identity lifecycle: provisioning and de-provisioning. The exam expects you to:
Understand that provisioning creates accounts and assigns permissions based on role (RBAC).
Recognize that de-provisioning must be timely and automated to prevent orphaned accounts.
Know that the HR system is the authoritative source for identity events.
Identify that SCIM (System for Cross-domain Identity Management) is the standard for automating user provisioning in cloud applications.
Understand that disabling an account is preferred over deletion initially to preserve audit trails.
Realize that de-provisioning includes revoking tokens and sessions, not just disabling the account.
Common Wrong Answers and Why
"Delete the account immediately upon termination." — This is wrong because immediate deletion loses audit trails and may break file ownership. Disable first, then delete after retention period.
"Provisioning is only for new employees." — Wrong; provisioning also applies to role changes and contractors.
"De-provisioning is the same as revocation." — Wrong; de-provisioning is broader, including account disablement, token revocation, and data handover.
"The manager should manually request de-provisioning." — Wrong; it should be automated from HR to avoid delays.
Specific Terms and Acronyms
SCIM (System for Cross-domain Identity Management) — RFC 7644, standard for provisioning in cloud.
RBAC (Role-Based Access Control) — assigns permissions based on role.
ILM (Identity Lifecycle Management) — the overall process.
JIT (Just-in-Time) provisioning — temporary privilege escalation.
Orphaned account — an account that remains active after a user leaves.
Trick Questions
Scenario: An employee is terminated, and the account is disabled. The attacker still uses a stolen token to access a cloud app. What was missed? Answer: Token revocation.
Scenario: A contractor's account is deleted immediately. What is the risk? Answer: Loss of audit trail and inability to recover data.
Scenario: A user is promoted, and new permissions are added. What security issue arises? Answer: Permission creep—old permissions not removed.
Decision Rule for Scenario Questions
On scenario questions, ask: "Is the identity lifecycle complete?" If the scenario involves termination, look for missing steps: disable account? revoke tokens? remove group memberships? data transfer? If the scenario involves role change, look for removal of old permissions. Always choose the answer that emphasizes automation and authoritative source (HR).
User provisioning creates accounts and assigns permissions based on role (RBAC).
De-provisioning must be automated and triggered by HR events to prevent orphaned accounts.
Disable accounts first, then delete after a retention period to preserve audit trails.
Token revocation is a separate step from account disablement; both are needed.
SCIM (RFC 7644) is the standard for automating provisioning in cloud applications.
Least privilege requires removing old permissions during role changes (permission creep).
Orphaned accounts are a common attack vector; regular audits help detect them.
These come up on the exam all the time. Here's how to tell them apart.
Provisioning
Creates user accounts and assigns permissions
Triggered by hire or role change
Adds group memberships
Enables access to systems
Often automated via SCIM
De-provisioning
Removes user accounts and revokes permissions
Triggered by termination or role change
Removes group memberships
Disables access to systems
Should be automated and immediate
Mistake
De-provisioning only means deleting the account.
Correct
De-provisioning is a multi-step process: disable account, revoke tokens, remove group memberships, transfer data, and after retention, delete. Immediate deletion is not recommended.
Mistake
Provisioning only applies to new employees.
Correct
Provisioning also applies to role changes, contractors, and temporary workers. Any change in access rights is part of provisioning.
Mistake
Disabling an account is sufficient to prevent access.
Correct
Disabling prevents new logins, but active sessions and tokens may still be valid. Token revocation is required to fully terminate access.
Mistake
Manually de-provisioning is acceptable if it's done quickly.
Correct
Manual processes are error-prone and slow. Automated de-provisioning triggered by HR events is necessary to minimize the window of exposure.
Mistake
Orphaned accounts are not a real threat if passwords are complex.
Correct
Attackers can obtain passwords through phishing, data breaches, or password spraying. Orphaned accounts are a prime target because they are often unmonitored.
Provisioning is the process of creating user accounts and granting access rights, typically when a new employee is hired or changes roles. De-provisioning is the reverse: revoking access and removing accounts when they are no longer needed, such as when an employee leaves. Both are part of the identity lifecycle. For the exam, remember that provisioning adds access, de-provisioning removes it, and both should be automated from an authoritative source like HR. A common scenario question will test whether you know to disable before deleting and to revoke tokens.
Disabling an account preserves the security identifier (SID) and audit trail. If you delete immediately, you lose the ability to trace past actions, and file ownership may break. A retention period (e.g., 30 days) allows for data recovery and investigation. After that, the account can be safely deleted. On the exam, if a question asks about the first step in de-provisioning, the correct answer is usually 'disable the account' not 'delete'.
SCIM (System for Cross-domain Identity Management) is an open standard (RFC 7644) for automating the exchange of user identity information between systems. It defines a REST API and a schema for creating, updating, and deleting users. SCIM is commonly used to provision users in cloud applications (e.g., Office 365, Salesforce). For the exam, know that SCIM automates provisioning and de-provisioning in cloud environments, reducing manual effort and errors.
An orphaned account is a user account that remains active after the user has left the organization or no longer needs access. It is dangerous because it may have elevated privileges and is often unmonitored, making it a prime target for attackers. Attackers can use orphaned accounts to move laterally, exfiltrate data, or escalate privileges. The exam may present a scenario where an attacker exploits an orphaned account; the correct response is to disable it and investigate.
RBAC simplifies provisioning by assigning permissions to roles rather than individuals. When a user is provisioned, they are assigned to one or more roles, and they inherit the permissions of those roles. This makes it easy to grant consistent access based on job function. When a user changes roles, you only need to update their role memberships. For the exam, understand that RBAC supports the principle of least privilege by ensuring users have only the permissions needed for their role.
De-provisioning is the broader process of removing a user's access across all systems, including disabling the account, revoking tokens, and transferring data. Revocation specifically refers to invalidating authentication tokens or sessions. De-provisioning includes revocation but also covers account disablement and data handover. On the exam, a question might ask: 'After disabling the account, what additional step is needed?' The answer is token revocation.
Just-in-time (JIT) provisioning is a security practice where users are granted elevated privileges only for the duration needed to perform a specific task. Instead of having permanent administrative rights, users request temporary access, which is automatically granted and then revoked. This reduces the risk of standing privileges being abused. For the exam, JIT is a control to enforce least privilege and is often implemented with tools like Azure AD Privileged Identity Management (PIM).
You've just covered User Provisioning and De-provisioning — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?