Hybrid offboarding in Entra ID and Active Directory
Hybrid offboarding removes a user account from both the on-premises Active Directory and Entra ID. The process ensures that all access rights are revoked locally and in the cloud to minimize security risks.
The hybrid approach is particularly relevant for companies that use a combination of on-premise infrastructures and cloud services. In such environments, it is not sufficient to simply disable or delete users in one environment. Consistent measures must be taken in both environments.
With the IDM-Portal, it is possible to individually map and configure the complete offboarding process for companies. User management plays a central role here, as it provides the basis for smooth processing. The whole process can be presented to the end user in such a simple way that they do not need any IT knowledge. They do not need to know what is technically going on in the background and can concentrate solely on the offboarding task itself.
Process of hybrid offboarding
The hybrid offboarding process typically begins by deactivating or removing the user account in the on-premises Active Directory.
Synchronization tools such as Entra ID Connect replicate this action in Entra ID and deactivate or delete the corresponding cloud account.
However, administrators should not rely on this, but should implement a process that ensures that a user account that is no longer needed is disabled both in AD and in Entra ID. A check is therefore necessary in most cases.
There are several steps to consider:
- Deactivating the account in AD: The user account is deactivated in the local Active Directory. This immediately stops access to local resources.
- Synchronization with Entra ID: The deactivation is transferred to Entra ID via Entra ID Connect, which disables the user’s cloud account accordingly. Please also read our tech blog about Entra ID Connect.
- Withdrawal of access rights: In both systems, all access rights, group memberships and permissions must be checked and removed.
- Deletion of the account: After a specified retention period, the account can be completely deleted to free up storage space and resources.
- Auditing and documentation: All offboarding steps should be documented and audited to meet compliance requirements.
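The check demanded in the step list above can be scripted. The following PowerShell function is an added example, not code from the original article or from FirstAttribute: it reads one account from both directories and reports everything that is still in place after offboarding (enabled flag, group memberships, licenses, and a sync lag between the last AD change and the last Entra ID Connect sync). It assumes the RSAT ActiveDirectory module, the Microsoft.Graph PowerShell SDK and an existing Connect-MgGraph session with User.Read.All and Group.Read.All; the sample UPN is a placeholder.

```powershell
# Added example (not from the original article or FirstAttribute): verify an
# offboarded account on BOTH sides of a hybrid setup and list leftovers.
# Assumes RSAT ActiveDirectory, Microsoft.Graph SDK and a Connect-MgGraph
# session with User.Read.All and Group.Read.All.
Import-Module ActiveDirectory

function Test-HybridOffboarding {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $findings = [System.Collections.Generic.List[string]]::new()
    $safeUpn  = $UserPrincipalName -replace "'", "''"   # escape quotes for the filters

    # --- On-premises AD ---
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$safeUpn'" `
        -Properties Enabled, MemberOf, Modified
    if (-not $adUser) {
        $findings.Add('AD: no account found')
    } else {
        if ($adUser.Enabled) { $findings.Add('AD: account is still ENABLED') }
        if ($adUser.MemberOf.Count -gt 0) {
            $names = $adUser.MemberOf | ForEach-Object { (($_ -split ',')[0]) -replace '^CN=' }
            $findings.Add("AD: still member of $($names.Count) group(s): $($names -join ', ')")
        }
    }

    # --- Entra ID (Microsoft Graph) ---
    $mgUser = Get-MgUser -Filter "userPrincipalName eq '$safeUpn'" `
        -Property Id, AccountEnabled, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime, AssignedLicenses
    if (-not $mgUser) {
        $findings.Add('Entra ID: no account found (already deleted or never synced)')
    } else {
        if ($mgUser.AccountEnabled) { $findings.Add('Entra ID: account is still ENABLED') }
        if ($mgUser.AssignedLicenses.Count -gt 0) {
            $findings.Add("Entra ID: $($mgUser.AssignedLicenses.Count) license(s) still assigned")
        }
        $memberships = Get-MgUserMemberOf -UserId $mgUser.Id -All
        if ($memberships.Count -gt 0) {
            $findings.Add("Entra ID: still has $($memberships.Count) group/role membership(s)")
        }
        # Sync lag: a synced object whose last sync is older than the last AD
        # change means Entra ID Connect has not yet replicated the deactivation.
        if ($adUser -and $mgUser.OnPremisesSyncEnabled -and
            $mgUser.OnPremisesLastSyncDateTime -lt $adUser.Modified.ToUniversalTime()) {
            $findings.Add("Entra ID: last sync $($mgUser.OnPremisesLastSyncDateTime) is older than AD change $($adUser.Modified)")
        }
    }

    [pscustomobject]@{
        User     = $UserPrincipalName
        Complete = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage: run once right after the AD deactivation and again after the next sync cycle.
Test-HybridOffboarding -UserPrincipalName 'jdoe@example.com' | Format-List   # placeholder UPN
```

Run the check twice: immediately after the AD change (expect the sync-lag finding) and after the next Entra ID Connect cycle (expect `Complete = True`). A persistent sync-lag finding points at the synchronization issues discussed later in this post rather than at a missed step.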
Differences between AD and Entra ID when offboarding
There are some differences to be aware of in the offboarding process. We have listed some of them in the following table.

| Feature | Active Directory (AD) | Entra ID |
| --- | --- | --- |
| Location of data | On-premises | Cloud-based |
| Account deactivation | Deactivating the user account stops access to local resources. | Deactivating the synchronized account stops access to cloud resources. |
| Account deletion | Deleting the account in AD deletes local resources such as profiles and files. | Deleting the synchronized account removes the account from the cloud, but some data may remain in backup systems. |
| Access rights | Access rights are managed at the file and network level. | Management of access rights is done at the application level, often in conjunction with conditional access policies. |
| Group memberships | AD groups manage local network and file access rights. | Entra ID groups manage access rights to cloud resources and applications. |
| Automation | Typically less automated; often requiring manual processes. | Higher level of automation through built-in tools and scripting capabilities in the cloud. |
| Auditing and compliance | AD offers basic auditing capabilities; external tools are required for advanced analysis. | Entra ID offers extensive built-in auditing and reporting capabilities, particularly for cloud compliance. |
| Tool availability | Traditional tools such as PowerShell and GPOs dominate. | Modern cloud-based tools and APIs are available. |
Offboarding in AD
Deactivating or deleting user accounts
A typical offboarding process in Active Directory consists of several steps that are performed in ADUC (the Active Directory Users and Computers console). Due to the complexity of this process, it is recommended that the task be performed by trained administrators. The first step is to disable the user account in a timely manner to prevent the user from continuing to access the network. To do this, the ‘Account is disabled’ option is set on the account. It is also important to reset the password of the user account.
Next, all of the user’s permissions and group memberships are reviewed and removed, including removal of the user from all AD groups of which they were a member. In addition, there are various processes for securing personal data of the user as well as securing the mailbox and important emails.
After administrators have ensured that all relevant data has been archived and transferred, the user account is permanently deleted to save storage space and clean up the AD database. Some companies first disable the account for a period of time before permanently deleting it to allow for potential subsequent queries or access to archived data.
It is recommended that you audit the offboarding process to increase traceability and to verify compliance with the defined standards and rules.
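The AD steps just described (disable, reset the password, strip group memberships, keep the object for a retention period, then delete) can be turned into one repeatable function so that nothing depends on remembering ADUC clicks. The script below is an added example, not code from the original article or from FirstAttribute. It assumes the RSAT ActiveDirectory module; the retention OU `OU=Offboarded,DC=example,DC=com`, the log path and the sample account name are placeholders.

```powershell
# Added example (not from the original article or FirstAttribute): the AD
# side of offboarding as a scripted, logged procedure. Assumes the RSAT
# ActiveDirectory module. OU, log path and account name are placeholders.
Import-Module ActiveDirectory

function Invoke-AdOffboarding {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$RetentionOU = 'OU=Offboarded,DC=example,DC=com',   # placeholder
        [string]$LogPath     = "$env:TEMP\offboarding.log"          # placeholder
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, DistinguishedName
    $log  = { param($msg) "$(Get-Date -Format s) $SamAccountName $msg" | Tee-Object -FilePath $LogPath -Append }

    # 1. Disable the account: new interactive, Kerberos and NTLM logons stop here.
    Disable-ADAccount -Identity $user
    & $log 'account disabled'

    # 2. Reset the password to a random value so that saved or shared credentials
    #    are useless even if the account is later re-enabled by mistake.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPw
    & $log 'password reset to random value'

    # 3. Remove every group membership. The primary group (Domain Users) is not
    #    listed in memberOf and stays; everything else, admin groups included, goes.
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        & $log "removed from $groupDn"
    }

    # 4. Stamp the date for the retention job and park the object in the retention OU.
    Set-ADUser -Identity $user -Description "Offboarded $(Get-Date -Format yyyy-MM-dd)"
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $RetentionOU
    & $log "moved to $RetentionOU"
}

# Retention job: delete accounts that have been parked longer than the retention period.
# The date is read from the Description stamp, so later edits to the object do not reset it.
function Remove-ExpiredOffboardedAccounts {
    param(
        [string]$RetentionOU   = 'OU=Offboarded,DC=example,DC=com',  # placeholder
        [int]   $RetentionDays = 90
    )
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    Get-ADUser -SearchBase $RetentionOU -Filter 'Enabled -eq $false' -Properties Description |
        Where-Object { $_.Description -match 'Offboarded (\d{4}-\d{2}-\d{2})' -and
                       [datetime]$Matches[1] -lt $cutoff } |
        ForEach-Object { Remove-ADUser -Identity $_ -Confirm:$false }
}

# Usage (placeholder account):
# Invoke-AdOffboarding -SamAccountName 'jdoe'
# Remove-ExpiredOffboardedAccounts -RetentionDays 90
```

The log file written by `Invoke-AdOffboarding` is the audit trail the section above asks for: every step is time-stamped, so a later review can show for each account which groups were removed and when the object entered retention. Data archiving (profiles, mailbox) is deliberately left out of the function because it is site-specific; run it before the retention job deletes the object.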
Weak points in offboarding in Active Directory
Various weaknesses can arise when offboarding users in Active Directory.
One of these weaknesses is that group memberships are not completely removed. This can result in a disabled or deleted account continuing to have permissions, especially in security-relevant groups. This risk can be avoided by thoroughly reviewing and removing all of the user’s group memberships. Ideally, this should be done using automated scripts to ensure that no membership is overlooked.
Solutions such as the FirstWare IDM-Portal help here, as the offboarding process can be automated. Scripts ensure that administrators do not forget anything and that each offboarding process is always carried out correctly and completely.
Another weakness is the risk of orphaned user accounts, which remain active after an employee has left. These accounts pose a significant security risk as they could be misused by unauthorized individuals. To avoid this risk, regular reviews of inactive user accounts should be carried out. Automated tools can help identify inactive accounts so that administrators can deactivate or delete them in a timely manner.
Another risk arises from the unsecured management of user data. If user accounts are not properly secured after offboarding, missing backups of personal files or emails can lead to data loss or compliance violations. Therefore, it is crucial to fully back up all relevant data and archive it securely before deleting a user account.
An often-overlooked vulnerability is remaining delegated rights or administrative privileges granted to a user account. If these rights persist after offboarding, they could be misused by other users or systems. It is therefore necessary to review and remove all delegated rights as part of the offboarding process. If necessary, this should be done using specialized access rights monitoring tools.
Finally, poor documentation and tracking of the offboarding process can lead to important steps being overlooked. All offboarding steps should therefore be documented in detail and regularly audited to ensure that the process has been completed fully and in accordance with company guidelines.
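The weaknesses listed above (leftover group memberships, orphaned accounts, lingering admin privileges and delegated rights) can each be caught by a scheduled query. The functions below are an added example, not code from the original article or from FirstAttribute. They assume the RSAT ActiveDirectory module; the list of privileged groups is a starting point and not a complete inventory of a given domain's sensitive groups, and the sample account name is a placeholder.

```powershell
# Added example (not from the original article or FirstAttribute): periodic
# checks for the AD offboarding weaknesses described above. Assumes the RSAT
# ActiveDirectory module; the privileged-group list is only a starting point.
Import-Module ActiveDirectory

# Orphaned accounts: still enabled, but no logon for $Days days.
function Get-InactiveEnabledUsers {
    param([int]$Days = 90)
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $Days) -UsersOnly |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName
}

# Leftover memberships: disabled accounts that are still in privileged groups.
function Get-DisabledPrivilegedMembers {
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                'Administrators', 'Account Operators', 'Backup Operators'))
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties Enabled } |
            Where-Object { -not $_.Enabled } |
            Select-Object @{n = 'Group'; e = { $g }}, SamAccountName, DistinguishedName
    }
}

# Lingering privilege marker: adminCount=1 is set by AdminSDHolder on members of
# protected groups and is not cleared automatically when they are removed.
function Get-DisabledUsersWithAdminCount {
    Get-ADUser -Filter 'Enabled -eq $false -and adminCount -eq 1' -Properties adminCount, MemberOf |
        Select-Object SamAccountName, @{n = 'RemainingGroups'; e = { $_.MemberOf.Count }}
}

# Delegated rights: ACEs on OUs that name the user directly rather than via a group.
function Get-DelegatedAcesForUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $domain = (Get-ADDomain).NetBIOSName
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        (Get-Acl -Path ("AD:\" + $ou.DistinguishedName)).Access |
            Where-Object { $_.IdentityReference.Value -eq "$domain\$SamAccountName" } |
            Select-Object @{n = 'OU'; e = { $ou.DistinguishedName }},
                          ActiveDirectoryRights, AccessControlType, IsInherited
    }
}

# Usage (run on a schedule and keep the output with the offboarding audit records):
# Get-InactiveEnabledUsers -Days 90
# Get-DisabledPrivilegedMembers
# Get-DisabledUsersWithAdminCount
# Get-DelegatedAcesForUser -SamAccountName 'jdoe'   # placeholder account
```

Any non-empty result from the first three functions is an offboarding that was not completed. `Get-DelegatedAcesForUser` only finds rights granted to the account itself; rights inherited through a group disappear with the group membership, which is why step 3 of the AD procedure removes all memberships.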
Offboarding in Entra ID
Deactivating or deleting user accounts
The technical offboarding process in Entra ID involves a series of steps that ensure administrators can safely and completely deactivate or delete a user account.
First, the relevant IT department deactivates the user account in Entra ID, which immediately stops access to all associated cloud services. This is often done by blocking sign-in and removing the registered multi-factor authentication (MFA) methods.
All associated licenses and group memberships are then removed to ensure that the user no longer has access to company resources. After that, companies archive or delete the account completely in accordance with their policies.
The process ends with a comprehensive audit. This ensures that all steps have been carried out correctly and that no authorizations remain that could pose a security risk. These steps can be supported by automation functions in Entra ID. This makes the process more efficient and less prone to errors.
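The Entra ID steps above (block sign-in, remove MFA methods, remove licenses and group memberships) map directly onto Microsoft Graph calls. The function below is an added example, not code from the original article or from FirstAttribute. It assumes the Microsoft.Graph PowerShell SDK and a Connect-MgGraph session with User.ReadWrite.All, Group.ReadWrite.All and UserAuthenticationMethod.ReadWrite.All (the exact scope set is an assumption; adjust it to your tenant), and the sample UPN is a placeholder. For synced accounts the sign-in block is left to AD, because Entra ID Connect would overwrite a cloud-side change on the next sync.

```powershell
# Added example (not from the original article or FirstAttribute): the Entra ID
# side of offboarding via Microsoft Graph. Assumes the Microsoft.Graph SDK and a
# Connect-MgGraph session with the scopes named in the text above.
function Invoke-EntraOffboarding {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $u = Get-MgUser -UserId $UserPrincipalName `
        -Property Id, AccountEnabled, AssignedLicenses, OnPremisesSyncEnabled

    # 1. Block sign-in. For a synced account the flag is mastered in AD, so only
    #    cloud-only accounts are disabled here.
    if (-not $u.OnPremisesSyncEnabled) {
        Update-MgUser -UserId $u.Id -AccountEnabled:$false
    }

    # 2. Revoke refresh tokens so sessions already signed in on phones and
    #    laptops stop working instead of living on until their token expires.
    Revoke-MgUserSignInSession -UserId $u.Id | Out-Null

    # 3. Remove registered MFA methods (phone and Authenticator app) so they
    #    cannot be reused if the account is ever re-enabled.
    Get-MgUserAuthenticationPhoneMethod -UserId $u.Id | ForEach-Object {
        Remove-MgUserAuthenticationPhoneMethod -UserId $u.Id -PhoneAuthenticationMethodId $_.Id
    }
    Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $u.Id | ForEach-Object {
        Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $u.Id `
            -MicrosoftAuthenticatorAuthenticationMethodId $_.Id
    }

    # 4. Remove all licenses (archive the mailbox first if retention requires it).
    if ($u.AssignedLicenses.Count -gt 0) {
        Set-MgUserLicense -UserId $u.Id -AddLicenses @() -RemoveLicenses @($u.AssignedLicenses.SkuId) | Out-Null
    }

    # 5. Remove cloud-only group memberships. Groups synced from AD are handled
    #    on the AD side; dynamic groups reject direct removal and are skipped.
    Get-MgUserMemberOf -UserId $u.Id -All |
        Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group' -and
                       -not $_.AdditionalProperties.onPremisesSyncEnabled } |
        ForEach-Object {
            Remove-MgGroupMemberByRef -GroupId $_.Id -DirectoryObjectId $u.Id -ErrorAction Continue
        }

    # Return the post-state so the caller can record it in the audit log.
    Get-MgUser -UserId $u.Id -Property Id, UserPrincipalName, AccountEnabled, AssignedLicenses |
        Select-Object UserPrincipalName, AccountEnabled, @{n = 'Licenses'; e = { $_.AssignedLicenses.Count }}
}

# Usage (placeholder UPN):
# Invoke-EntraOffboarding -UserPrincipalName 'jdoe@example.com'
```

Step 2 matters even when the account is already disabled in AD: the AD change only blocks new authentications, while tokens already issued to Microsoft 365 clients remain valid until they are revoked or expire.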
Weaknesses in offboarding in Entra ID
There are specific vulnerabilities associated with offboarding in Entra ID that differ from those in AD and pose additional risks to organizations.
One of the main vulnerabilities is the potential persistence of cloud-based access rights and app permissions. While deactivating a user account in AD usually immediately removes access to local resources, linked applications or services in Entra ID can continue to grant access rights. This happens if these permissions are not explicitly removed. Administrators often overlook OAuth-based access (delegated consent grants to applications), which can remain in place even after a user account has been deactivated.
Another risk is the insufficient control over delegated administrative permissions in the cloud. Unlike in AD, it can be difficult in Entra ID to keep track of all the permissions and roles assigned to a user account, especially in complex hybrid environments. As a result, former employees could continue to have indirect access to sensitive resources.
In addition, synchronization issues can occur between Entra ID and on-premises AD domains, especially when using Pass-Through Authentication (PTA). These issues prevent changes in AD from being correctly reflected in Entra ID, resulting in outdated or inconsistent user information and permissions.
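The two Entra-specific weaknesses above, persistent OAuth consent grants and hard-to-track roles and delegated permissions, are not covered by disabling the account or removing group memberships; they have to be enumerated separately. The functions below are an added example, not code from the original article or from FirstAttribute. They assume the Microsoft.Graph PowerShell SDK and a Connect-MgGraph session with Directory.Read.All for the report and DelegatedPermissionGrant.ReadWrite.All plus AppRoleAssignment.ReadWrite.All for the revocation (scope names as documented for Microsoft Graph; the exact set you need is an assumption to verify in your tenant). The sample UPN is a placeholder, and PIM-eligible role assignments are not included.

```powershell
# Added example (not from the original article or FirstAttribute): list and
# revoke residual Entra ID access that survives account deactivation.
# Assumes the Microsoft.Graph SDK and a Connect-MgGraph session.
function Get-EntraResidualAccess {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $u = Get-MgUser -UserId $UserPrincipalName -Property Id

    # Delegated OAuth2 consent grants: apps the user consented to. Tokens
    # obtained through these grants keep working until the grant is removed.
    $grants = Get-MgUserOauth2PermissionGrant -UserId $u.Id -All | ForEach-Object {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId -Property DisplayName
        [pscustomobject]@{ App = $sp.DisplayName; Scope = $_.Scope; GrantId = $_.Id }
    }

    # App role assignments: enterprise applications the user was assigned to.
    $appRoles = Get-MgUserAppRoleAssignment -UserId $u.Id -All |
        Select-Object ResourceDisplayName, AppRoleId, Id

    # Directory roles (Global Administrator, User Administrator, ...).
    $roles = Get-MgUserMemberOf -UserId $u.Id -All |
        Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties.displayName }

    # Objects the user owns (app registrations, service principals, groups):
    # ownership is not removed by disabling the account and needs a new owner.
    $owned = Get-MgUserOwnedObject -UserId $u.Id -All | ForEach-Object {
        "$($_.AdditionalProperties.'@odata.type') $($_.AdditionalProperties.displayName)"
    }

    [pscustomobject]@{
        User           = $UserPrincipalName
        OAuth2Grants   = @($grants)
        AppRoles       = @($appRoles)
        DirectoryRoles = @($roles)
        OwnedObjects   = @($owned)
    }
}

# Revoke the grants and assignments found above. Directory roles and ownership
# are reported only: roles should go through your privileged-access process and
# an application cannot be left without an owner.
function Revoke-EntraResidualAccess {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $u      = Get-MgUser -UserId $UserPrincipalName -Property Id
    $report = Get-EntraResidualAccess -UserPrincipalName $UserPrincipalName
    foreach ($g in $report.OAuth2Grants) {
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.GrantId
    }
    foreach ($a in $report.AppRoles) {
        Remove-MgUserAppRoleAssignment -UserId $u.Id -AppRoleAssignmentId $a.Id
    }
    $report   # return the pre-revocation report for the audit record
}

# Usage (placeholder UPN):
# Get-EntraResidualAccess -UserPrincipalName 'jdoe@example.com' | Format-List
# Revoke-EntraResidualAccess -UserPrincipalName 'jdoe@example.com'
```

Keep the report returned by `Get-EntraResidualAccess` with the offboarding record: a non-empty `DirectoryRoles` or `OwnedObjects` list is exactly the "indirect access" the section above warns about and needs a named person to take over the role or the application.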
Offboarding in third-party systems
Offboarding in third-party systems is just as necessary as in Active Directory or Entra ID. Many organizations use a variety of applications and platforms that fall outside their primary identity management systems. These third-party systems, such as
- SaaS applications,
- CRM systems or
- collaboration platforms,
often manage their own user accounts and access rights. If a user leaves the company, their access rights in these systems may remain in place if offboarding is not carried out properly. This poses a significant security risk as a former employee could continue to have access to sensitive company data. In addition, user accounts that are not deactivated incur unnecessary license costs.
To avoid such risks, it is essential that offboarding processes are also consistently and completely implemented in all third-party systems used. Automated identity and access management solutions such as the IDM-Portal can help to centrally control the offboarding process. They ensure that user accounts and authorizations are comprehensively removed from all relevant systems at the same time.
Security risks of incomplete offboarding
Incomplete or unperformed offboarding in a hybrid environment that includes both Active Directory and Microsoft Entra ID poses significant risks to an organization’s security and operations.
Unauthorized access to corporate resources
One of the biggest risks is that former employees can continue to access company resources without authorization. If administrators do not completely deactivate or delete user accounts, the accounts still retain access rights to files, applications and systems. This can be particularly dangerous if the person has malicious intentions or if the login information falls into the wrong hands. In hybrid environments where AD and Entra ID are integrated, such vulnerabilities could affect not only the local network but also cloud-based services and applications, significantly increasing the risk.
Synchronization risks
Hybrid identities, managed in both on-premises AD domains and in the cloud, bring additional challenges. Synchronization issues between the two systems prevent changes in AD from being correctly reflected in Entra ID and vice versa. This could result in outdated permissions remaining in place, potentially allowing unauthorized access.
PTA server as a target for AD and Entra ID access
Attackers who gain administrative privileges on a local Pass-Through Authentication (PTA) server could gain access to various AD domains and thus gain access to all user accounts in the connected Entra ID tenant without knowing the actual credentials. This underscores the need to strictly manage hybrid identities and to continuously monitor and update security practices.
Compliance risks due to incomplete offboarding
Another risk relates to compliance. Many regulations and standards require that access to systems and data be promptly and completely revoked for employees who have left the company. Incomplete offboarding can therefore lead to serious legal and regulatory consequences, including fines and reputational damage. In hybrid environments, where identity and access management must be carried out across different platforms, the complexity of this requirement increases significantly.
Best Practice offboarding in a hybrid IT environment with IDM-Portal
FirstAttribute’s IDM-Portal addresses all the offboarding issues we’ve described in this post.
It is an ideal solution for offboarding users, especially in hybrid environments. The IDM-Portal manages permissions in an automated manner with approval and timing functions, consistently removing all of a user’s access rights during offboarding.
First of all, the tool provides a central interface for AD and Entra ID, which makes it possible to carry out user and group administration centrally.
In addition, it offers comprehensive automation of processes in all connected directories. The integration of third-party systems enables offboarding to take place simultaneously not only in AD and Entra ID, but also in all other integrated systems, such as CRM or HR applications. This prevents user accounts from remaining active in these systems without being noticed, creating security vulnerabilities.
There is also the option of time-controlled offboarding. This allows users to execute processes exactly when they are needed. This reduces the workload on administrators and ensures significantly more security.
Another advantage of the IDM-Portal is the delegation of user administration. IT administrators and even non-IT employees can efficiently carry out offboarding processes, speeding up the process and reducing the likelihood of human error. In addition, the organization-specific configuration of the interface adapts offboarding to the specific requirements of the company and ensures adherence to compliance guidelines.
Companies that work with partners and external employees should never perform offboarding manually. The dangers are enormous, and the risk of overlooking rights and accounts when an employee leaves increases significantly.
Summary
Controlling and automating user management through a central portal is a practical approach to ensuring that onboarding and offboarding are carried out in accordance with company policy. Especially in hybrid environments where multiple directories are in use, it is advisable to use a central offboarding management tool instead of doing it manually in each system.
The use of such tools reduces the risk of human error through automated and scheduled processes. Another advantage is the cost savings, as offboarding is not only more reliable but also faster, reducing the workload on IT staff, who can devote their time to other tasks.
More about FirstWare IDM-Portal
FirstAttribute’s FirstWare IDM-Portal is an integrated identity and access management (IAM) solution that enables automated user and authorization management, whether on-premises or in the cloud.
This portal integrates all facets of identity and access management and provides centralized access to identity and directory services.