
Deprovisioning

Deprovisioning is the single most critical security event in the identity lifecycle. While onboarding is about productivity, deprovisioning is about risk mitigation. It is the coordinated, automated, and absolute removal of access rights and digital artifacts across every application and system in the enterprise. A failed deprovisioning event leaves “Orphaned Accounts”—active identities with no owner—which are the primary targets for lateral movement and industrial espionage.


Access Revocation
Core Mission
Absolute Zero Trust. Ensuring that the moment an individual's relationship with the organization ends, their ability to authenticate or access any data is terminated within seconds, across the entire fleet.
Like a Universal Off-Switch: Imagine a building with a thousand light switches. When the shift ends, instead of walking to every room and manually flipping every switch, you hit a single "Master Breaker" at the front door. Deprovisioning is that Master Breaker—one signal from the HR system that ripples through the entire digital building, turning off every light, locking every door, and disabling every keycard simultaneously.
Termination / Insider Threat / Compliance

The speed and method of deprovisioning depend on the nature of the departure and the criticality of the systems involved.

| Strategy  | Mechanism                   | Trigger                              | Strategic Goal            |
|-----------|-----------------------------|--------------------------------------|---------------------------|
| Emergency | Scripted API “Kill-All”.    | Security incident / Instant termination. | Stop damage immediately.  |
| Scheduled | Automated JML queue.        | End of business day / Resignation.   | Orderly transition.       |
| Graceful  | Scheduled permission decay. | Contractor end-date / Retirement.    | Knowledge transfer.       |
| Detective | “Zombie account” scanners.  | Inactivity / Failed login.           | Cleanup of missed access. |
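As an added example (not code from the page), a small Python sketch of the "Detective" row: a zombie-account scanner that reconciles a directory export against the HR roster, flagging enabled accounts with no owner, a terminated owner, or no sign-in inside the inactivity window, plus a lookup that maps departure triggers to the strategy rows above. The roster, the accounts, the 90-day limit and the trigger names are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data (assumption, not from the page):
# HR roster: user -> (employment status, termination date or None)
HR_ROSTER = {
    "alice": ("active", None),
    "bob": ("terminated", datetime(2024, 3, 1)),
    "carol": ("active", None),
}

@dataclass
class Account:
    user: str
    enabled: bool
    last_login: Optional[datetime]
    failed_logins_30d: int

# Directory export with a few deliberately suspicious entries (constructed).
DIRECTORY = [
    Account("alice", True, datetime(2024, 5, 28), 0),   # healthy
    Account("bob", True, datetime(2024, 2, 20), 0),     # HR says terminated, still enabled
    Account("carol", True, datetime(2023, 11, 1), 3),   # employed, but dormant with failed logins
    Account("svc-legacy", True, None, 12),              # no HR owner, never logged in
]

INACTIVITY_LIMIT = timedelta(days=90)   # assumed policy threshold
NOW = datetime(2024, 6, 1)              # fixed "today" for the constructed scan

def choose_strategy(trigger: str) -> str:
    """Map a departure trigger to the strategy row of the table (trigger names assumed)."""
    table = {
        "security_incident": "emergency",
        "instant_termination": "emergency",
        "end_of_day": "scheduled",
        "resignation": "scheduled",
        "contractor_end_date": "graceful",
        "retirement": "graceful",
    }
    return table.get(trigger, "scheduled")

def scan_zombie_accounts(directory, roster, now, inactivity_limit=INACTIVITY_LIMIT):
    """Detective control: return {user: [reasons]} for enabled accounts that should be gone."""
    findings = {}
    for acct in directory:
        if not acct.enabled:
            continue                      # already locked; nothing to clean up
        reasons = []
        hr = roster.get(acct.user)
        if hr is None:
            reasons.append("orphaned: no HR owner")
        elif hr[0] == "terminated":
            reasons.append(f"owner terminated on {hr[1].date()} but account still enabled")
        dormant = acct.last_login is None or now - acct.last_login > inactivity_limit
        if dormant:
            reasons.append(f"inactive beyond {inactivity_limit.days} days")
        if dormant and acct.failed_logins_30d > 0:
            reasons.append("failed logins against dormant account")
        if reasons:
            findings[acct.user] = reasons
    return findings

def run_scan():
    """Run the scanner over the constructed directory at the fixed date."""
    return scan_zombie_accounts(DIRECTORY, HR_ROSTER, NOW)

if __name__ == "__main__":
    for user, reasons in run_scan().items():
        print(user, "->", "; ".join(reasons))
```

The HR roster is treated as the source of truth: an account that the roster does not know about is an orphan regardless of how recently it was used, which is the case a pure inactivity scan misses.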

Secure offboarding is an orchestrated series of events designed to prevent data exfiltration and ensure auditability.

1. Lock (Authentication): The primary identity in the directory (Entra ID, Okta, etc.) is disabled. All active browser sessions and refresh tokens are revoked across the SSO ecosystem.

2. Revoke (Authorization): Downstream provisioning signals (SCIM, API) are sent to SaaS and internal apps to disable or delete local accounts and strip granular permissions.

3. Reclaim & Audit: Software licenses are reclaimed for the pool. A final "Termination Report" is generated, providing evidentiary proof of 100% access removal for compliance.
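The three steps above as one orchestrated run, added here as an illustration rather than code from the page or any product: in-memory stand-ins for the directory, the SSO session store, SCIM-connected apps and a license pool, with the termination report built from a final verification pass over those systems rather than from each step's own success flag, so that a failed downstream push (simulated by an unreachable app) shows up as residual access instead of a false "100% removed". All class names, the sample user "bob", the app names and the session ids are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# In-memory stand-ins for the systems involved (constructed; not real directory or SCIM APIs).

@dataclass
class Directory:
    users: dict                      # user -> {"enabled": bool}

@dataclass
class SsoSessions:
    sessions: dict                   # user -> list of session / refresh-token ids

@dataclass
class ScimApp:
    name: str
    accounts: dict                   # user -> {"active": bool, "entitlements": set}
    reachable: bool = True           # flip to False to simulate a failed downstream push

    def patch_active(self, user, active):
        """SCIM-style PATCH of 'active'; also strips entitlements. Returns False if no account."""
        if not self.reachable:
            raise ConnectionError(f"{self.name}: SCIM endpoint unreachable")
        if user not in self.accounts:
            return False
        self.accounts[user]["active"] = active
        self.accounts[user]["entitlements"].clear()
        return True

@dataclass
class LicensePool:
    assigned: dict                   # app name -> set of users holding a license

    def reclaim(self, app, user):
        users = self.assigned.get(app, set())
        if user in users:
            users.remove(user)
            return True
        return False

def verify_no_access(user, directory, sso, apps, licenses):
    """Audit pass behind the termination report: list anything still granting access."""
    residual = []
    if directory.users.get(user, {}).get("enabled"):
        residual.append("directory:enabled")
    if sso.sessions.get(user):
        residual.append("sso:sessions")
    for app in apps:
        acct = app.accounts.get(user)
        if acct and (acct["active"] or acct["entitlements"]):
            residual.append(f"{app.name}:active")
    for app_name, users in licenses.assigned.items():
        if user in users:
            residual.append(f"license:{app_name}")
    return residual

def deprovision(user, directory, sso, apps, licenses, now):
    report = {"user": user, "timestamp": now.isoformat(), "steps": []}
    # Step 1, Lock: disable the primary identity and revoke every session and refresh token.
    directory.users[user]["enabled"] = False
    revoked = sso.sessions.pop(user, [])
    report["steps"].append({"step": "lock", "sessions_revoked": len(revoked)})
    # Step 2, Revoke: push deactivation to every downstream app; record failures, do not stop.
    results = {}
    for app in apps:
        try:
            results[app.name] = "deactivated" if app.patch_active(user, False) else "no_account"
        except ConnectionError as exc:
            results[app.name] = f"error: {exc}"
    report["steps"].append({"step": "revoke", "apps": results})
    # Step 3, Reclaim & Audit: return licenses only where the app confirmed the account is gone,
    # then verify against the systems themselves rather than trusting the steps' own flags.
    reclaimed = [a.name for a in apps
                 if not results[a.name].startswith("error") and licenses.reclaim(a.name, user)]
    report["steps"].append({"step": "reclaim", "licenses_reclaimed": reclaimed})
    report["residual_access"] = verify_no_access(user, directory, sso, apps, licenses)
    report["complete"] = not report["residual_access"]
    return report

def run_example(wiki_reachable=False):
    """Constructed scenario: user 'bob' with two sessions, three apps and two licenses."""
    directory = Directory({"bob": {"enabled": True}})
    sso = SsoSessions({"bob": ["sess-1", "refresh-7"]})
    apps = [
        ScimApp("crm", {"bob": {"active": True, "entitlements": {"admin"}}}),
        ScimApp("wiki", {"bob": {"active": True, "entitlements": set()}}, reachable=wiki_reachable),
        ScimApp("payroll", {}),      # bob never had an account here
    ]
    licenses = LicensePool({"crm": {"bob", "alice"}, "wiki": {"bob"}})
    return deprovision("bob", directory, sso, apps, licenses,
                       datetime(2024, 6, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    import json
    print(json.dumps(run_example(), indent=2))
```

Two choices matter here: the revoke loop never aborts on the first failing app, because the remaining apps still need their signal, and the report's "complete" flag comes only from the verification pass, so an orchestrator bug or an unreachable connector cannot produce a clean report by accident.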


Master the patterns for absolute access revocation and orphan account prevention.