After more than two decades working across helpdesk, systems administration, and network engineering roles, one problem has never gone away: user account management. Whether it’s a new starter needing access on day one or a departing employee who must be locked out immediately, manual processes always introduce risk.
In smaller environments, manually creating and disabling accounts might seem manageable. But once you introduce hybrid Active Directory, Microsoft 365 licensing, remote workers, and compliance requirements, manual provisioning quickly becomes a liability.
I’ve personally dealt with:
- New starters missing critical group access on their first day
- Ex-employees retaining VPN access for weeks
- Inconsistent licensing causing unnecessary Microsoft 365 spend
- Auditors asking for proof of timely deprovisioning — with none available
PowerShell automation solves these problems by making user lifecycle management repeatable, auditable, and secure.
This guide walks through how to automate user provisioning and deprovisioning using PowerShell in on-prem Active Directory and Azure AD, based on real-world practices that actually scale.
Why Automate User Provisioning and Deprovisioning?
Manual user management introduces several common risks:
- Typos in usernames, email addresses, or UPNs
- Forgotten group memberships
- Inconsistent OU placement
- Delayed account disablement
- Licenses left assigned to former staff
From a security and operational standpoint, automation delivers:
- Standardised account creation
- Consistent group and role assignment
- Immediate access removal during offboarding
- Improved auditability
- Reduced workload for service desks
Automation isn’t about removing admin control — it’s about removing human error.
Prerequisites and Environment Setup
Before automating anything, ensure your environment is correctly prepared.
Required PowerShell Versions
- Windows PowerShell 5.1 (still common on servers)
- PowerShell 7+ (recommended for newer Graph modules)
Required Modules
- ActiveDirectory (on-prem AD)
- Microsoft.Graph (Azure AD / Entra ID)
Note: The older AzureAD module is deprecated. Microsoft Graph is its replacement and should be used in all new scripts.
Permissions Required
- Domain permissions to create and modify users
- Azure AD / Entra permissions such as:
  - User Administrator
  - License Administrator (or equivalent)
- Hybrid environments require Azure AD Connect configured and healthy
Automating User Provisioning (Onboarding)
Step 1: Creating a User in Active Directory
In most hybrid environments, on-prem AD remains the source of authority. That’s where provisioning should start.
```powershell
Import-Module ActiveDirectory

# Demonstration only: see the tip below about not hard-coding passwords
$SecurePassword = ConvertTo-SecureString "TempPassword123!" -AsPlainText -Force

New-ADUser `
    -Name "Jane Doe" `
    -GivenName "Jane" `
    -Surname "Doe" `
    -SamAccountName "jdoe" `
    -UserPrincipalName "jdoe@domain.com" `
    -AccountPassword $SecurePassword `
    -Enabled $true `
    -Path "OU=Users,DC=domain,DC=com" `
    -ChangePasswordAtLogon $true
```
Real-World Tip
In production, I never hard-code passwords. Use:
- A random password generator
- Or delegate password setting to a secure onboarding workflow
Hard-coded passwords are acceptable only for demonstration purposes.
Step 2: Assigning Security and Access Groups
Group membership defines what a user can actually do. Automating this ensures consistency across teams.
```powershell
$Groups = @(
    "Sales Team",
    "VPN Access",
    "M365-Base-License"
)

foreach ($Group in $Groups) {
    Add-ADGroupMember -Identity $Group -Members "jdoe"
}
```
Why This Matters
I’ve seen environments where two employees with the same job title had completely different access because one was provisioned manually and the other wasn’t. Automation eliminates that inconsistency.
Step 3: Syncing to Azure AD (Hybrid Environments)
Azure AD Connect handles synchronisation, but you can trigger it manually when required.
```powershell
# Run on the Azure AD Connect server (ADSync module)
Start-ADSyncSyncCycle -PolicyType Delta
```
This ensures the account appears in Azure AD within minutes instead of waiting for the next scheduled sync.
Step 4: Assigning Microsoft 365 Licenses with Microsoft Graph
Licensing is where costs often spiral out of control without automation.
```powershell
# User.ReadWrite.All assigns licenses; Organization.Read.All is needed to read the tenant's SKUs
Connect-MgGraph -Scopes "User.ReadWrite.All", "Organization.Read.All"

$user = Get-MgUser -UserId "jdoe@domain.com"
$sku  = Get-MgSubscribedSku | Where-Object {
    $_.SkuPartNumber -eq "ENTERPRISEPACK"   # Office 365 E3
}

# Assignment fails unless the user already has a UsageLocation set
Set-MgUserLicense `
    -UserId $user.Id `
    -AddLicenses @{SkuId = $sku.SkuId} `
    -RemoveLicenses @()
```
Real-World Insight
Automated licensing:
- Prevents over-licensing
- Ensures users are productive on day one
- Makes finance teams very happy
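The four onboarding steps combined into one function, as an added example that is not part of the original article: it generates a random temporary password instead of hard-coding one, derives the SamAccountName and UPN from the name, refuses to overwrite an existing account, and logs what it did. The OU path, domain suffix, group names and log path are assumptions.

```powershell
# Added example (not from the original article). Assumed: OU path, domain
# suffix, group names and log path; the rest is standard ActiveDirectory usage.
Import-Module ActiveDirectory

function New-TempPassword {
    param([int]$Length = 16)
    # 64 characters (ambiguous l/I/O/0/1 removed) so a byte mod 64 has no bias.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $chars[$_ % 64] })
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
    $pw
}

function New-AutomatedUser {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string[]]$Groups,
        [string]$OU      = 'OU=Users,DC=domain,DC=com',          # assumed
        [string]$Domain  = 'domain.com',                        # assumed
        [string]$LogPath = 'C:\ProvisioningLogs\onboard.log'    # assumed
    )
    # First initial + surname, lower-case, alphanumeric, capped at the 20-char
    # sAMAccountName limit; refuse to continue if it is already taken.
    $base = (($GivenName.Substring(0, 1) + $Surname).ToLower()) -replace '[^a-z0-9]', ''
    $sam  = $base.Substring(0, [Math]::Min(20, $base.Length))
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        throw "SamAccountName '$sam' already exists; not creating a duplicate."
    }
    $plain  = New-TempPassword
    $params = @{
        Name = "$GivenName $Surname"; GivenName = $GivenName; Surname = $Surname
        SamAccountName = $sam; UserPrincipalName = "$sam@$Domain"; Path = $OU
        AccountPassword = (ConvertTo-SecureString $plain -AsPlainText -Force)
        Enabled = $true; ChangePasswordAtLogon = $true
    }
    New-ADUser @params
    foreach ($g in $Groups) { Add-ADGroupMember -Identity $g -Members $sam }
    # Log the action, never the password; the temp password is returned once so
    # the calling workflow can hand it to the starter over a secure channel.
    "$(Get-Date -Format o) CREATED $sam groups=$($Groups -join ',')" | Add-Content $LogPath
    [pscustomobject]@{ SamAccountName = $sam; UPN = "$sam@$Domain"; TempPassword = $plain }
}

New-AutomatedUser -GivenName 'Jane' -Surname 'Doe' -Groups 'Sales Team', 'VPN Access', 'M365-Base-License'
```

The parameters map directly onto columns of an HR-supplied CSV, so the same function serves bulk onboarding via Import-Csv.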
Automating User Deprovisioning (Offboarding)
Offboarding is where security failures are most expensive.
Step 1: Disable the Active Directory Account Immediately
```powershell
Disable-ADAccount -Identity "jdoe"
```
Disabling first prevents access even if later steps fail.
Step 2: Remove Group Memberships
```powershell
Get-ADUser "jdoe" -Properties MemberOf |
    Select-Object -ExpandProperty MemberOf |
    ForEach-Object {
        Remove-ADGroupMember -Identity $_ -Members "jdoe" -Confirm:$false
    }
```
This ensures no residual access remains.
Step 3: Move the Account to a Leavers OU
```powershell
Move-ADObject `
    -Identity "CN=Jane Doe,OU=Users,DC=domain,DC=com" `
    -TargetPath "OU=Leavers,DC=domain,DC=com"
```
Keeping disabled users in a dedicated OU simplifies:
- Audits
- Reporting
- Cleanup tasks
Step 4: Revoke Azure AD Sessions and Remove Licenses
```powershell
Revoke-MgUserSignInSession -UserId "jdoe@domain.com"

# Remove every license the user holds, not just one known SKU
$user   = Get-MgUser -UserId "jdoe@domain.com"
$skuIds = (Get-MgUserLicenseDetail -UserId $user.Id).SkuId
if ($skuIds) {
    Set-MgUserLicense `
        -UserId $user.Id `
        -AddLicenses @() `
        -RemoveLicenses $skuIds
}
```
This immediately invalidates the user's refresh tokens and session cookies, cutting off access across:
- Microsoft 365
- Teams
- Outlook
- OneDrive
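The four offboarding steps as one function, an added example that is not from the original article: it disables first, records the group list for the audit trail before removing it, stamps the account with the ticket reference, moves it by its actual DN, then revokes cloud sessions and strips every assigned license. The Leavers OU, log path, ticket format and an existing Connect-MgGraph session with User.ReadWrite.All are assumptions.

```powershell
# Added example (not from the original article). Assumed: Leavers OU path, log
# path, ticket format, and an existing Connect-MgGraph session with User.ReadWrite.All.
Import-Module ActiveDirectory

function Disable-LeaverAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Ticket,
        [string]$LeaversOU = 'OU=Leavers,DC=domain,DC=com',      # assumed
        [string]$LogPath   = 'C:\ProvisioningLogs\offboard.log'  # assumed
    )
    $log  = { param($m) "$(Get-Date -Format o) [$Ticket] $SamAccountName $m" | Add-Content $LogPath }
    $user = Get-ADUser $SamAccountName -Properties MemberOf

    # 1. Disable first: everything after this is cleanup, and a failure further
    #    down must never leave the account usable.
    Disable-ADAccount -Identity $user
    & $log 'DISABLED'

    # 2. Snapshot memberships before stripping them so the audit trail shows
    #    exactly what was removed (and a rehire can be restored from the log).
    $groups = @($user.MemberOf)
    & $log "GROUPS_REMOVED=$($groups -join ';')"
    foreach ($g in $groups) { Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false }

    # 3. Stamp the reason and move. Use the object's DN rather than building
    #    "CN=<display name>,OU=..." by hand, which breaks on renamed users.
    Set-ADUser -Identity $user -Description "Leaver $Ticket $(Get-Date -Format yyyy-MM-dd)"
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $LeaversOU
    & $log 'MOVED_TO_LEAVERS'

    # 4. Cloud side. AD Connect will sync the disable later; do not wait for it.
    #    Revoke refresh tokens, then remove every license the user currently holds.
    try {
        $upn = $user.UserPrincipalName
        Revoke-MgUserSignInSession -UserId $upn | Out-Null
        $skuIds = @((Get-MgUserLicenseDetail -UserId $upn).SkuId)
        if ($skuIds.Count -gt 0) {
            Set-MgUserLicense -UserId $upn -AddLicenses @() -RemoveLicenses $skuIds | Out-Null
        }
        & $log "SESSIONS_REVOKED LICENSES_REMOVED=$($skuIds.Count)"
    } catch {
        # On-prem access is already cut; record the cloud failure for follow-up.
        & $log "GRAPH_FAILED $($_.Exception.Message)"
        throw
    }
}

Disable-LeaverAccount -SamAccountName 'jdoe' -Ticket 'INC-0001'
```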
Optional Enhancements That Work in the Real World
Over the years, these additions have proven invaluable:
CSV-Driven Automation
Bulk onboarding and offboarding using HR-provided files.
Logging and Reporting
- Write actions to a log file
- Email success/failure reports to IT ops
Service Desk Integration
Trigger scripts via:
- ServiceNow
- Power Automate
- Freshservice
Data Preservation
Automate:
- OneDrive retention
- Mailbox conversion to shared
- Manager access delegation
Scheduled Tasks
Run nightly checks to:
- Identify stale accounts
- Remove unused licenses
- Flag policy violations
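The nightly check described above, as an added example that is not from the original article: it reports (without changing anything) enabled AD accounts with no logon inside the threshold and disabled cloud accounts that still hold licenses, and writes the findings to a dated CSV. The report directory, the 90-day threshold and an existing Connect-MgGraph session with User.Read.All are assumptions.

```powershell
# Added example (not from the original article). Assumed: report directory,
# 90-day stale threshold, and an existing Connect-MgGraph session with User.Read.All.
Import-Module ActiveDirectory

function Get-LifecycleFindings {
    param(
        [int]$StaleDays    = 90,
        [string]$ReportDir = 'C:\ProvisioningLogs\reports'   # assumed
    )
    # Enabled users with no logon inside the threshold. -AccountInactive reads
    # lastLogonTimestamp, which replicates domain-wide but can lag by up to 14 days.
    $stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($StaleDays)) -UsersOnly |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'StaleEnabledAccount'; Identity = $_.SamAccountName
                               Detail = "LastLogon=$($_.LastLogonDate)" }
        }

    # Disabled Entra accounts still holding licenses: wasted spend, and a
    # mistaken re-enable would restore mailbox and file access instantly.
    $licensed = Get-MgUser -Filter 'accountEnabled eq false' -All `
                    -Property Id, UserPrincipalName, AssignedLicenses |
        Where-Object { $_.AssignedLicenses.Count -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'DisabledButLicensed'; Identity = $_.UserPrincipalName
                               Detail = "Skus=$($_.AssignedLicenses.SkuId -join ',')" }
        }

    $findings = @($stale) + @($licensed)
    $report   = Join-Path $ReportDir ('lifecycle-{0:yyyyMMdd}.csv' -f (Get-Date))
    $findings | Export-Csv -Path $report -NoTypeInformation
    $findings   # returned so a wrapper can email or ticket them
}

Get-LifecycleFindings | Format-Table -AutoSize
```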
Security Best Practices for Automation
Automation done poorly creates new attack surfaces. Follow these rules:
- Use service accounts with least privilege
- Store secrets securely (not in scripts)
- Enable MFA on all admin identities
- Monitor PowerShell and Azure AD audit logs
- Regularly review automation permissions
Final Thoughts: Automation Is a Force Multiplier
PowerShell-driven user provisioning and deprovisioning isn’t just about speed — it’s about control, consistency, and security.
In every environment I’ve worked in, automation:
- Reduced onboarding issues
- Closed security gaps
- Improved audit outcomes
- Freed IT teams to focus on strategic work
Whether you’re managing a small hybrid environment or a large enterprise tenant, user lifecycle automation is no longer optional — it’s foundational to modern IT operations.
If you’re still handling onboarding and offboarding manually, PowerShell is the most practical place to start.

Figure: Automated user provisioning and deprovisioning workflow in a hybrid Active Directory and Azure AD environment.
This diagram illustrates how HR or service desk triggers initiate user onboarding and offboarding, ensuring consistent access control, license management, and audit logging.

From my early days on the helpdesk through roles as a service desk manager, systems administrator, and network engineer, I’ve spent more than 25 years in the IT world. As I transition into cyber security, my goal is to make tech a little less confusing by sharing what I’ve learned and helping others wherever I can.
