I've discovered over 30 active accounts belonging to employees who left the company 3 to 6 months ago. We're a company of about 300 people, using over 20 different business applications—mainly SaaS platforms like Salesforce and Okta, along with some legacy on-premises systems. The issue we're facing is that our HR system doesn't communicate with IT. Usually, we only find out someone has left when their manager mentions it or during our quarterly reviews, which means accounts can stay active for months without us knowing.
We've tried several methods, including:
- Monthly termination reports from HR, but they are often 2-3 weeks outdated.
- Quarterly reviews with app owners, though they often don't respond until we follow up.
- Checking login activity reports from our major SaaS applications, but 40% of our apps lack sufficient reporting features.
Our recent SOC 2 audit highlighted this as a significant issue, as the auditors expect proof of timely deprovisioning, and we currently can't provide it. For anyone who's managed to solve this problem without investing in a full IGA system, what strategies or solutions worked for you? Is there a reasonable approach between being stuck in "manual hell" and purchasing an expensive, full-scale tool?
5 Answers
It's really important to hold the HR team accountable. If they're not communicating employee statuses, it's crucial to address that. You might even consider putting methods in place to ensure better communication about hires and departures.
You already have a capabilities-rich tool that might help—look into Okta. You could integrate it with your HR system, and if there's no ready-made integration, consider creating a scheduled task using APIs. Also, try to connect as many of your SaaS applications to Okta as possible; it can streamline the management of orphan accounts.
As an international company ourselves, we found a workaround by giving the HR department access to Azure AD, allowing them to disable accounts as soon as they know someone has left. This could be something to consider for your setup.
You've pointed out the biggest issue: the lack of communication between HR and IT. Establishing a clear onboarding and offboarding notification process would really help. When people give notice, HR should notify IT right away. If you have an HRIS system, it likely can send out notifications for hiring and terminations. Once that's set up, you can focus on automating the account expirations and streamlining those tasks.
Using PowerShell might be a good approach! It can help automate some of the processes and tackle the reporting that you’re missing out on with your current systems.
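As an added, worked example of what the "scheduled task using APIs" and the reporting gap in the answers above could look like in practice (this is not code from anyone in this thread, and it is written in Python rather than PowerShell because the work is plain REST and CSV handling): the script reconciles an HR termination export against an Okta-style user list, flags accounts that are still ACTIVE past a deprovisioning grace period, and separately flags active accounts with no recent login as a fallback signal for the weeks when the HR report is late. The HR CSV, the Okta user records, the "as of" date, `GRACE_DAYS`, `STALE_DAYS`, and the `fetch_okta_active_users` placeholders (`org_url`, `api_token`) are all assumptions or constructed sample data; the Okta field names (`id`, `status`, `profile.email`, `lastLogin`) and the `SSWS` token header are those of the Okta Users API.

```python
"""Reconcile an HR termination export against Okta users and report
accounts that should already have been deactivated.

Added example, not code from the original thread. Assumptions:
  * HR can export a CSV with an employee email and termination date.
  * Users come from Okta's GET /api/v1/users (id, status, profile.email,
    lastLogin are real fields of that API); the demo data below is constructed.
"""
import csv
import io
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

GRACE_DAYS = 1    # deprovisioning SLA: account must be off within a day of termination
STALE_DAYS = 45   # ACTIVE account with no login for this long is reviewed regardless of HR data

# Constructed HR export (what a termination report might contain)
HR_TERMINATIONS_CSV = """email,termination_date
alice@example.com,2024-03-01
bob@example.com,2024-05-20
carol@example.com,2024-06-10
"""

# Constructed Okta user records, shaped like /api/v1/users responses
OKTA_USERS = [
    {"id": "00u1", "status": "ACTIVE", "profile": {"email": "alice@example.com"},
     "lastLogin": "2024-02-28T09:00:00.000Z"},
    {"id": "00u2", "status": "DEPROVISIONED", "profile": {"email": "bob@example.com"},
     "lastLogin": "2024-05-19T09:00:00.000Z"},
    {"id": "00u3", "status": "ACTIVE", "profile": {"email": "carol@example.com"},
     "lastLogin": "2024-06-11T09:00:00.000Z"},
    {"id": "00u4", "status": "ACTIVE", "profile": {"email": "dave@example.com"},
     "lastLogin": "2024-01-15T09:00:00.000Z"},
    {"id": "00u5", "status": "ACTIVE", "profile": {"email": "erin@example.com"},
     "lastLogin": None},
]

# Constructed "today" so the run is reproducible; a real job uses datetime.now(timezone.utc)
AS_OF = datetime(2024, 6, 15, tzinfo=timezone.utc)


def parse_hr_terminations(csv_text):
    """Return {email: termination_date} from the HR export, emails normalised to lower case."""
    out = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.strptime(row["termination_date"].strip(), "%Y-%m-%d")
        out[row["email"].strip().lower()] = when.replace(tzinfo=timezone.utc)
    return out


def parse_okta_time(value):
    """Okta timestamps look like 2024-02-28T09:00:00.000Z; None means never logged in."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def find_orphans(hr_terminations, users, as_of=AS_OF):
    """Accounts still ACTIVE more than GRACE_DAYS after HR's termination date."""
    orphans = []
    for u in users:
        email = u["profile"]["email"].lower()
        term = hr_terminations.get(email)
        if term is None or u["status"] != "ACTIVE":
            continue
        overdue = (as_of - term).days - GRACE_DAYS
        if overdue > 0:
            orphans.append({"id": u["id"], "email": email, "days_overdue": overdue})
    return sorted(orphans, key=lambda o: -o["days_overdue"])


def find_stale(users, as_of=AS_OF):
    """ACTIVE accounts with no login in STALE_DAYS (or never): a leaver signal when HR data is late."""
    stale = []
    for u in users:
        if u["status"] != "ACTIVE":
            continue
        last = parse_okta_time(u.get("lastLogin"))
        if last is None or (as_of - last).days > STALE_DAYS:
            stale.append({"id": u["id"], "email": u["profile"]["email"].lower(),
                          "last_login": u.get("lastLogin")})
    return stale


def fetch_okta_active_users(org_url, api_token):
    """Live fetch (not called in the offline demo). org_url / api_token are operator-supplied
    placeholders. Returns the first page only; follow the Link: rel="next" header for more."""
    query = urllib.parse.urlencode({"filter": 'status eq "ACTIVE"', "limit": 200})
    req = urllib.request.Request(
        f"{org_url}/api/v1/users?{query}",
        headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def build_report(csv_text=HR_TERMINATIONS_CSV, users=OKTA_USERS, as_of=AS_OF):
    """Dated, machine-readable output suitable as evidence of a deprovisioning check."""
    hr = parse_hr_terminations(csv_text)
    return {"as_of": as_of.isoformat(), "orphans": find_orphans(hr, users, as_of),
            "stale": find_stale(users, as_of)}


if __name__ == "__main__":
    print(json.dumps(build_report(), indent=2))
```

Run on a schedule (daily rather than quarterly), keep each JSON report, and the retained reports become the "proof of timely deprovisioning" an auditor asks for; the stale-login list covers the applications that do feed Okta, while apps without reporting still need a manual owner review.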