{"id":46965,"date":"2025-01-06T08:00:42","date_gmt":"2025-01-06T07:00:42","guid":{"rendered":"https:\/\/www.firstware.com\/?p=46965"},"modified":"2025-01-06T09:51:52","modified_gmt":"2025-01-06T08:51:52","slug":"hybrid-offboarding-in-entra-id-and-active-directory","status":"publish","type":"post","link":"https:\/\/www.firstware.com\/en\/blog\/hybrid-offboarding-in-entra-id-and-active-directory\/","title":{"rendered":"Hybrid offboarding in Entra ID and Active Directory"},"content":{"rendered":"<p class=\"absatz\">Hybrid offboarding removes a user account from both the on-premises Active Directory and Entra ID. The <strong>process ensures that all access rights are revoked locally and in the cloud<\/strong> to minimise security risks.<\/p>\n<p class=\"absatz\">The <strong>hybrid approach<\/strong> is particularly relevant for companies that use a <strong>combination of on-premises infrastructure and cloud services<\/strong>. In such environments, it is not sufficient to disable or delete a user in only one of them. <strong>Consistent measures must be taken in both environments.<\/strong><\/p>\n<p>With the IDM-Portal, it is possible to individually map and configure the <strong>complete offboarding process for companies<\/strong>. <strong><a href=\"https:\/\/firstware.com\/en\/identity-management\/user-management\/\">User management<\/a><\/strong> plays a central role here, as it provides the basis for smooth processing. The whole process can be presented to the end user in such a simple way that they do not need any IT knowledge. 
They do not need to know what is technically going on in the background and can concentrate solely on the business side of the offboarding process.<\/p>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_82_2 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Index<\/p>\n<span class=\"ez-toc-title-toggle\"><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/www.firstware.com\/en\/blog\/hybrid-offboarding-in-entra-id-and-active-directory\/#Process-of-hybrid-offboarding\" >Process of hybrid offboarding<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.firstware.com\/en\/blog\/hybrid-offboarding-in-entra-id-and-active-directory\/#Differences-between-AD-and-Entra-ID-when-offboarding\" >Differences between AD and Entra ID when offboarding<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.firstware.com\/en\/blog\/hybrid-offboarding-in-entra-id-and-active-directory\/#Offboarding-in-AD\" >Offboarding in AD<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.firstware.com\/en\/blog\/hybrid-offboarding-in-entra-id-and-active-directory\/#Deactivating-or-deleting-user-accounts\" >Deactivating or deleting user accounts<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/www.firstware.com\/en\/blog\/hybrid-offboarding-in-entra-id-and-active-directory\/#Weak-points-in-offboarding-in-Active-Directory\" >Weak points in offboarding in Active Directory<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-6\" 
href=\"https:\/\/www.firstware.com\/en\/blog\/hybrid-offboarding-in-entra-id-and-active-directory\/#Offboarding-in-Entra-ID\" >Offboarding in Entra ID<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/www.firstware.com\/en\/blog\/hybrid-offboarding-in-entra-id-and-active-directory\/#Deactivating-or-deleting-user-accounts-2\" >Deactivating or deleting user accounts<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/www.firstware.com\/en\/blog\/hybrid-offboarding-in-entra-id-and-active-directory\/#Weaknesses-in-offboarding-in-Entra-ID\" >Weaknesses in offboarding in Entra ID<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/www.firstware.com\/en\/blog\/hybrid-offboarding-in-entra-id-and-active-directory\/#Offboarding-in-third-party-systems\" >Offboarding in third-party systems<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/www.firstware.com\/en\/blog\/hybrid-offboarding-in-entra-id-and-active-directory\/#Security-risks-of-incomplete-offboarding\" >Security risks of incomplete offboarding<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/www.firstware.com\/en\/blog\/hybrid-offboarding-in-entra-id-and-active-directory\/#Best-Practice-offboarding-in-a-hybrid-IT-environment-with-IDM-Portal\" >Best Practice offboarding in a hybrid IT environment with IDM-Portal<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/www.firstware.com\/en\/blog\/hybrid-offboarding-in-entra-id-and-active-directory\/#Summary\" >Summary<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-13\" 
href=\"https:\/\/www.firstware.com\/en\/blog\/hybrid-offboarding-in-entra-id-and-active-directory\/#More-about-FirstWare-IDM-Portal\" >More about FirstWare IDM-Portal<\/a><\/li><\/ul><\/nav><\/div>\n\n<h2><span class=\"ez-toc-section\" id=\"Process-of-hybrid-offboarding\"><\/span>Process of hybrid offboarding<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The <strong>hybrid offboarding process<\/strong> typically begins by disabling or removing the user account in the on-premises Active Directory, because for synchronized users AD is the source of authority.<\/p>\n<p>Synchronization tools such as Microsoft Entra Connect or Entra Cloud Sync replicate this action to Entra ID: a disabled AD account is synchronized as a blocked cloud account, and a deleted AD account soft-deletes the cloud account, which remains restorable for 30 days. Note that this happens only with the next synchronization cycle (every 30 minutes by default with Entra Connect), not at the moment the change is made in AD.\u00a0<\/p>\n<p><img decoding=\"async\" class=\"imgshadow aligncenter wp-image-46970 size-large\" title=\"Synchronization of AD with Entra ID via Entra Connect\" src=\"https:\/\/firstware.com\/wp-content\/uploads\/2025\/01\/guest-entra-id-06-en-1024x804.png\" alt=\"Synchronization of AD with Entra ID via Entra Connect\" width=\"1024\" height=\"804\" srcset=\"https:\/\/www.firstware.com\/wp-content\/uploads\/2025\/01\/guest-entra-id-06-en-1024x804.png 1024w, https:\/\/www.firstware.com\/wp-content\/uploads\/2025\/01\/guest-entra-id-06-en-300x235.png 300w, https:\/\/www.firstware.com\/wp-content\/uploads\/2025\/01\/guest-entra-id-06-en-768x603.png 768w, https:\/\/www.firstware.com\/wp-content\/uploads\/2025\/01\/guest-entra-id-06-en.png 1096w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p>However, administrators should not rely on synchronization alone, but should implement a process that ensures that a user account that is no longer needed is disabled both in AD and in Entra ID. A check in both directories is therefore necessary in most cases.<\/p>\n<p>There are several steps to consider:<\/p>\n<ol>\n<li><strong>Disabling the account in AD<\/strong>: The user account is disabled in the local Active Directory and its password is reset. This blocks new logons to local resources; sessions that are already open and service tickets that have already been issued remain usable until they expire or are terminated.<\/li>\n<li><strong>Synchronization with Entra ID<\/strong>: The disabled state is transferred to Entra ID via Entra Connect, which blocks sign-in for the user&#8217;s cloud account. Access tokens issued before the block remain valid until they expire unless sessions are revoked explicitly. Please also read our tech blog about <a href=\"https:\/\/activedirectoryfaq.com\/2024\/11\/entra-connect-v2-vs-entra-cloud-sync\/\" target=\"_blank\" rel=\"noopener\">Entra Connect<\/a>.<\/li>\n<li><strong>Withdrawal of access rights<\/strong>: In both systems, all access rights, group memberships, licenses and application permissions must be checked and removed. Memberships of synchronized groups can only be changed in AD; cloud-only groups, licenses and app consents must be removed in Entra ID.<\/li>\n<li><strong>Deletion of the account<\/strong>: After a specified retention period, the account can be deleted completely. Before that, data that is still needed (mailbox, files, home directory) must be archived or transferred.<\/li>\n<li><strong>Auditing and documentation<\/strong>: All offboarding steps should be documented and audited to meet compliance requirements.<\/li>\n<\/ol>\n<h2><span class=\"ez-toc-section\" id=\"Differences-between-AD-and-Entra-ID-when-offboarding\"><\/span>Differences between AD and Entra ID when offboarding<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>There are some differences to be aware of in the offboarding process. 
We have listed some of them in the following table.<\/p>\n<table>\n<thead>\n<tr>\n<td>\n<p><strong>Feature<\/strong><\/p>\n<\/td>\n<td>\n<p><strong>Active Directory (AD)<\/strong><\/p>\n<\/td>\n<td>\n<p><strong>Entra ID<\/strong><\/p>\n<\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>\n<p><strong>Location of data<\/strong><\/p>\n<\/td>\n<td>\n<p>On-premises<\/p>\n<\/td>\n<td>\n<p>Cloud-based<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p><strong>Account deactivation<\/strong><\/p>\n<\/td>\n<td>\n<p>Disabling the user account blocks new logons to local resources; sessions that are already open and service tickets that have already been issued remain usable until they expire.<\/p>\n<\/td>\n<td>\n<p>The disabled state is synchronized and blocks new sign-ins to cloud resources; access tokens that have already been issued remain valid until they expire (unless the service supports continuous access evaluation), and refresh tokens and sessions should be revoked explicitly.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p><strong>Account deletion<\/strong><\/p>\n<\/td>\n<td>\n<p>Deleting the account removes the directory object (restorable from the AD Recycle Bin if it is enabled). Profiles, home directories and ACL entries that reference the account&#8217;s SID are not removed and have to be cleaned up separately.<\/p>\n<\/td>\n<td>\n<p>Deleting the synchronized account in AD soft-deletes the cloud account, which can be restored for 30 days. Mailbox and OneDrive content follow their own retention settings and may remain longer.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p><strong>Access rights<\/strong><\/p>\n<\/td>\n<td>\n<p>Access rights are managed at the file and network level (NTFS and share ACLs, GPOs).<\/p>\n<\/td>\n<td>\n<p>Access rights are managed at the application level (app roles, OAuth consents, licenses), often in conjunction with Conditional Access policies.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p><strong>Group memberships<\/strong><\/p>\n<\/td>\n<td>\n<p>AD groups manage local network and file access rights.<\/p>\n<\/td>\n<td>\n<p>Entra ID groups manage access rights to cloud resources and applications; memberships of groups synchronized from AD can only be changed in AD.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p><strong>Automation<\/strong><\/p>\n<\/td>\n<td>\n<p>PowerShell scripting is available, but there is no built-in workflow; processes are often manual.<\/p>\n<\/td>\n<td>\n<p>Higher level of automation through built-in tools (e.g. lifecycle workflows, access reviews) and the Microsoft Graph API.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p><strong>Auditing and compliance<\/strong><\/p>\n<\/td>\n<td>\n<p>AD offers basic auditing via the Security event log of the domain controllers; external tools are required for advanced analysis.<\/p>\n<\/td>\n<td>\n<p>Entra ID offers extensive built-in audit and sign-in logs and reporting capabilities, particularly for cloud compliance.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p><strong>Tool availability<\/strong><\/p>\n<\/td>\n<td>\n<p>Traditional tools such as PowerShell, ADUC and GPOs dominate.<\/p>\n<\/td>\n<td>\n<p>Modern cloud-based tools and APIs (Entra admin center, Microsoft Graph) are available.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><span class=\"ez-toc-section\" id=\"Offboarding-in-AD\"><\/span>Offboarding in AD<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"Deactivating-or-deleting-user-accounts\"><\/span>Deactivating or deleting user accounts<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>A typical offboarding process in Active Directory consists of several steps that are performed in the ADUC console (Active Directory Users and Computers) or with the ActiveDirectory PowerShell module. Due to the complexity of this process, it is recommended that the task be performed by trained administrators. The first step is to disable the user account promptly to prevent the user from continuing to access the network; technically this sets the ACCOUNTDISABLE flag in the userAccountControl attribute. It is also important to reset the password of the user account, so that the credentials cannot be used if the account is ever re-enabled by mistake. Note that disabling blocks new logons only: sessions that are already open and service tickets that have already been issued remain usable until they expire.<\/p>\n<p>Next, all of the user&#8217;s permissions and group memberships are reviewed and removed, including removal of the user from all AD groups of which they were a member. Direct ACL entries on file shares and delegated rights in AD (for example on OUs) should be checked as well, as they are not tied to group membership. In addition, there are various processes for securing the user&#8217;s personal data as well as securing the mailbox and important emails.<\/p>\n<p>After administrators have ensured that all relevant data has been archived and transferred, the user account is permanently deleted to clean up the AD database. With the AD Recycle Bin enabled, the object can still be restored within the deleted-object lifetime. 
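The AD steps just described, the hybrid process from the beginning of the post and the cloud-side cleanup covered in the Entra ID section below, as one added PowerShell example. This is not code from the original post or from the IDM-Portal. It assumes the RSAT ActiveDirectory module and the Microsoft Graph PowerShell SDK, WinRM access to an Entra Connect server called SYNC01 and an OU named 'Disabled Users'; these names, the Graph scopes and the function name Invoke-HybridOffboarding are assumptions made for this illustration.

```powershell
# Added example: the AD offboarding steps, the sync hand-off and the Entra ID cleanup that
# synchronization does not perform. Not code from the original post or from the IDM-Portal.
# Assumptions: RSAT ActiveDirectory module, Microsoft.Graph PowerShell SDK, WinRM access to the
# Entra Connect server; server name, OU and Graph scopes below are placeholders for this example.
#Requires -Modules ActiveDirectory, Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Groups, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns

function Invoke-HybridOffboarding {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $DisabledOu = 'OU=Disabled Users,DC=corp,DC=example',  # assumed OU
        [string] $SyncServer = 'SYNC01'                                  # assumed Entra Connect host
    )
    $audit = [System.Collections.Generic.List[string]]::new()
    function Log([string] $Message) { $audit.Add("$(Get-Date -Format o) $SamAccountName $Message") }

    # ---- 1. Active Directory: disable, reset password, strip groups, park the object ----
    $user = Get-ADUser -Identity $SamAccountName -Properties userPrincipalName, primaryGroupID
    Disable-ADAccount -Identity $user
    # A disabled account can be re-enabled by mistake; an unknown random password makes
    # cached or shared credentials worthless even then.
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPw
    Log 'disabled, password reset'

    # Remove every group except the primary group (normally Domain Users, RID 513), which AD
    # refuses to remove directly. Each removal is logged so the audit trail shows what was held.
    foreach ($g in Get-ADPrincipalGroupMembership -Identity $user) {
        if ($g.SID.Value -match "-$($user.primaryGroupID)$") { continue }
        Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
        Log "removed from AD group $($g.DistinguishedName)"
    }
    Set-ADUser -Identity $user -Description "Offboarded $(Get-Date -Format u)"
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu
    Log "moved to $DisabledOu"

    # ---- 2. Do not wait for the 30-minute scheduler: run a delta sync on the Connect server ----
    Invoke-Command -ComputerName $SyncServer -ScriptBlock {
        Import-Module ADSync
        Start-ADSyncSyncCycle -PolicyType Delta
    } | Out-Null
    Log "delta sync triggered on $SyncServer"

    # ---- 3. Entra ID: everything the sync leaves behind ----
    $scopes = @('User.ReadWrite.All', 'Group.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All',
                'AppRoleAssignment.ReadWrite.All', 'Directory.ReadWrite.All')
    Connect-MgGraph -Scopes $scopes -NoWelcome
    $mg = Get-MgUser -UserId $user.UserPrincipalName -Property Id, AccountEnabled

    # Blocking sign-in only stops new token requests. Refresh tokens and browser sessions that
    # already exist keep working until revoked; access tokens then run out on their own (about 1 h).
    Revoke-MgUserSignInSession -UserId $mg.Id | Out-Null
    Log 'cloud sessions revoked'

    # OAuth2 delegated consents and app role assignments survive both the disable and the sync.
    foreach ($grant in Get-MgUserOauth2PermissionGrant -UserId $mg.Id -All) {
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id
        Log "removed OAuth2 grant for client $($grant.ClientId), scope '$($grant.Scope)'"
    }
    foreach ($ra in Get-MgUserAppRoleAssignment -UserId $mg.Id -All) {
        Remove-MgUserAppRoleAssignment -UserId $mg.Id -AppRoleAssignmentId $ra.Id
        Log "removed app role assignment on $($ra.ResourceDisplayName)"
    }

    # Cloud-only groups cannot be cleaned up from AD. Synced groups (onPremisesSyncEnabled) were
    # handled in step 1; Graph would reject a membership change on them anyway.
    foreach ($grp in Get-MgUserMemberOf -UserId $mg.Id -All) {
        $p = $grp.AdditionalProperties
        if ($p['@odata.type'] -ne '#microsoft.graph.group' -or $p['onPremisesSyncEnabled']) { continue }
        Remove-MgGroupMemberByRef -GroupId $grp.Id -DirectoryObjectId $mg.Id
        Log "removed from cloud group $($p['displayName'])"
    }

    # Directly assigned licenses; group-based licenses drop off with the group removals above.
    $skus = @(Get-MgUserLicenseDetail -UserId $mg.Id | Select-Object -ExpandProperty SkuId)
    if ($skus.Count -gt 0) {
        Set-MgUserLicense -UserId $mg.Id -AddLicenses @() -RemoveLicenses $skus | Out-Null
        Log "removed licenses $($skus -join ', ')"
    }

    # Step 4 (deletion) happens after the retention period: Remove-ADUser on the parked object;
    # the cloud account is then soft-deleted and restorable for 30 days.
    return $audit
}

# Usage: Invoke-HybridOffboarding -SamAccountName 'jdoe' | Tee-Object -FilePath .\offboarding-jdoe.log
```

Run it once per leaver and keep the returned audit list with the ticket; it is the record that the auditing step of the process asks for. The delta sync trigger is what brings the cloud side close to the "immediately" of the AD disable; without it the cloud account stays usable until the next scheduled cycle, and even then tokens that were already issued survive until Revoke-MgUserSignInSession has run.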
Some companies first disable the account for a period of time before permanently deleting it to allow for potential subsequent queries or access to archived data.<\/p>\n<p>It is recommended that you audit the offboarding process to increase traceability and to verify compliance with the defined standards and rules.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Weak-points-in-offboarding-in-Active-Directory\"><\/span>Weak points in offboarding in Active Directory<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Various weaknesses can arise when <strong>offboarding users in Active Directory<\/strong>.<\/p>\n<p>One of these weaknesses is that <strong>group memberships are not completely removed<\/strong>. This can result in a disabled or deleted account continuing to have permissions, especially in security-relevant groups. This risk can be avoided by thoroughly reviewing and removing all of the user&#8217;s group memberships. Ideally, this should be done using automated scripts to ensure that no membership is overlooked.<\/p>\n<p>Solutions such as the <a href=\"https:\/\/firstware.com\/en\/\">FirstWare IDM-Portal<\/a> help here, as the offboarding process can be automated. Scripts ensure that administrators do not forget anything and that each offboarding process is always carried out correctly and completely.<\/p>\n<p><img decoding=\"async\" class=\"imgshadow aligncenter wp-image-46978 size-full\" title=\"Delete user in IDM-Portal\" src=\"https:\/\/firstware.com\/wp-content\/uploads\/2025\/01\/Delete-user-in-IDM-Portal.gif\" alt=\"Delete user in IDM-Portal\" width=\"832\" height=\"546\" \/><\/p>\n<p><a href=\"#Best Practice offboarding in a hybrid IT environment with IDM-Portal\"><button class=\"ButtonBeratung aligncenter\">Go directly to best practice with the IDM-Portal<\/button><\/a><\/p>\n<p>Another weakness is the <strong>risk of orphaned user accounts<\/strong>, which remain active after an employee has left. 
These accounts pose a significant security risk as they could be misused by unauthorized individuals. To avoid this risk, regular reviews of inactive user accounts should be carried out. Automated tools can help identify inactive accounts so that administrators can deactivate or delete them in a timely manner.<\/p>\n<p>Another risk arises from the <strong>unsecured management of user data<\/strong>. If user accounts are not properly secured after offboarding, missing backups of personal files or emails can lead to data loss or compliance violations. Therefore, it is crucial to fully back up all relevant data and archive it securely before deleting a user account.<\/p>\n<p>An often-overlooked vulnerability is <strong>remaining delegated rights or administrative privileges<\/strong> granted to a user account. If these rights persist after offboarding, they could be misused by other users or systems. It is therefore necessary to review and remove all delegated rights as part of the offboarding process. If necessary, this should be done using specialized access rights monitoring tools.<\/p>\n<p>Finally, <strong>poor documentation<\/strong> and tracking of the offboarding process can lead to important steps being overlooked. 
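An added check for the orphaned-account and leftover-privilege weaknesses described in this section (example code, not from the original post or the IDM-Portal): it lists enabled AD accounts without a logon in the last 90 days, disabled AD accounts that still sit in privileged groups or carry adminCount=1, and enabled Entra ID users without a recent sign-in. It assumes the RSAT ActiveDirectory module, a Microsoft Graph PowerShell session holding User.Read.All and AuditLog.Read.All, and an Entra ID P1 or P2 license for sign-in activity data; the function name Get-OffboardingGaps and the 90-day threshold are assumptions.

```powershell
# Added example, not code from the post or the IDM-Portal. Assumes RSAT ActiveDirectory and
# Microsoft.Graph (Connect-MgGraph already run with User.Read.All and AuditLog.Read.All).
#Requires -Modules ActiveDirectory, Microsoft.Graph.Users

function Get-OffboardingGaps {
    param([int] $InactiveDays = 90)   # threshold is an assumption; align it with the leaver policy
    $cutoff   = (Get-Date).AddDays(-$InactiveDays)
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Source, $Account, $Issue) {
        $findings.Add([pscustomobject]@{ Source = $Source; Account = $Account; Issue = $Issue })
    }

    # 1. Enabled AD accounts nobody has used: a leaver whose offboarding never happened looks like this.
    Search-ADAccount -AccountInactive -DateTime $cutoff -UsersOnly |
        Where-Object Enabled |
        ForEach-Object { Add-Finding 'AD' $_.SamAccountName "enabled, no logon since $($cutoff.ToShortDateString())" }

    # 2. Disabled AD accounts that still carry privilege. Disabling does not remove group
    #    memberships, and a re-enabled or re-used account inherits them unchanged.
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators', 'Schema Admins'
    foreach ($groupName in $privileged) {
        Get-ADGroupMember -Identity $groupName -Recursive |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { Get-ADUser -Identity $_.DistinguishedName } |
            Where-Object { -not $_.Enabled } |
            ForEach-Object { Add-Finding 'AD' $_.SamAccountName "disabled but member of $groupName" }
    }
    # adminCount=1 marks accounts that are (or were) protected by AdminSDHolder; the flag is not
    # cleared automatically, so it is a reliable pointer to past privilege worth reviewing.
    Get-ADUser -Filter 'adminCount -eq 1 -and Enabled -eq $false' |
        ForEach-Object { Add-Finding 'AD' $_.SamAccountName 'disabled but adminCount=1 (former privileged account)' }

    # 3. Entra ID: enabled users (cloud-only or synced) with no sign-in in the period.
    Get-MgUser -All -Filter 'accountEnabled eq true' -Property Id, UserPrincipalName, SignInActivity |
        ForEach-Object {
            $last = $_.SignInActivity.LastSignInDateTime
            if (-not $last -or $last -lt $cutoff) {
                Add-Finding 'Entra ID' $_.UserPrincipalName "enabled, last sign-in: $(if ($last) { $last } else { 'never' })"
            }
        }
    return $findings
}

# Usage: Get-OffboardingGaps -InactiveDays 60 | Sort-Object Source, Account | Format-Table -AutoSize
```

The AD part needs only domain-user read rights; the Entra part needs the sign-in activity attribute, which is empty for tenants without a P1/P2 license and for users who last signed in before the activity data was first collected, so "never" in the output means "no recorded sign-in" and is a reason to look, not proof of inactivity.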
All offboarding steps should therefore be documented in detail and regularly audited to ensure that the process has been completed fully and in accordance with company guidelines.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Offboarding-in-Entra-ID\"><\/span>Offboarding in Entra ID<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"Deactivating-or-deleting-user-accounts-2\"><\/span>Deactivating or deleting user accounts<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The technical offboarding process in <strong>Entra ID<\/strong> involves a series of steps that ensure administrators can safely and completely deactivate or delete a user account.<\/p>\n<p>First, <strong>the relevant IT department blocks sign-in for the user account in Entra ID<\/strong>, which prevents new sign-ins to all associated cloud services. For a synchronized account this setting is inherited from the disabled AD account and cannot be changed independently in the cloud. Blocking sign-in alone does not invalidate tokens that have already been issued, so active sessions should be revoked explicitly; registered multi-factor authentication (MFA) methods and devices are removed as part of the cleanup, not as the means of disabling the account.<\/p>\n<div id=\"attachment_40864\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" aria-describedby=\"caption-attachment-40864\" class=\"wp-image-40864 size-large\" title=\"Authenticating legacy apps in Entra ID\" src=\"https:\/\/firstware.com\/wp-content\/uploads\/2021\/11\/azure-ad-hybrid-01-1024x360.jpg\" alt=\"Authenticating legacy apps in Entra ID\" width=\"1024\" height=\"360\" srcset=\"https:\/\/www.firstware.com\/wp-content\/uploads\/2021\/11\/azure-ad-hybrid-01-1024x360.jpg 1024w, https:\/\/www.firstware.com\/wp-content\/uploads\/2021\/11\/azure-ad-hybrid-01-300x105.jpg 300w, https:\/\/www.firstware.com\/wp-content\/uploads\/2021\/11\/azure-ad-hybrid-01-768x270.jpg 768w, https:\/\/www.firstware.com\/wp-content\/uploads\/2021\/11\/azure-ad-hybrid-01.jpg 1176w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><p id=\"caption-attachment-40864\" class=\"wp-caption-text\">Microsoft also offers comprehensive options for authenticating legacy apps in Entra ID (Screenshot: Microsoft)<\/p><\/div>\n<p><strong>All associated licenses, cloud-only group memberships, app role assignments and OAuth consent grants are then removed<\/strong> to ensure that the user no longer has access to company resources; memberships in synchronized groups are removed in AD and reach Entra ID with the next sync. After that, companies archive or delete the account completely in accordance with their policies.<\/p>\n<p>The process ends with a <strong>comprehensive audit<\/strong>. This ensures that all steps have been carried out correctly and that no authorizations remain that could pose a security risk. These steps can be supported by automation functions in Entra ID, which makes the process more efficient and less prone to errors.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Weaknesses-in-offboarding-in-Entra-ID\"><\/span>Weaknesses in offboarding in Entra ID<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>There are specific weaknesses associated with <strong>offboarding in Entra ID<\/strong> that differ from those in AD and pose additional risks to organizations.<\/p>\n<p>One of the main weaknesses is the <strong>potential persistence of cloud-based access rights and app permissions<\/strong>. While disabling a user account in AD blocks new logons to local resources, delegated permissions (OAuth consent grants) and app role assignments in Entra ID are not touched by disabling the account or by synchronization and continue to exist. Administrators often overlook this OAuth-based access, which remains in place until it is explicitly removed, together with the refresh tokens the consenting applications may still hold.<\/p>\n<p>Another risk is <strong>insufficient control over delegated administrative permissions<\/strong> in the cloud. Unlike in AD, where delegation is visible in the ACLs of the OUs, roles in Entra ID can be assigned directly, through role-assignable groups or as eligible assignments, which makes it difficult to keep track of all the permissions and roles held by a user account, especially in complex hybrid environments. As a result, former employees could continue to have indirect access to sensitive resources.<\/p>\n<p>In addition, <strong>synchronization issues<\/strong> can occur between Entra ID and on-premises AD domains, for example when the sync scheduler is stopped or an object is stuck in a sync error; with Pass-Through Authentication (PTA) the on-premises agents are additionally part of the sign-in path. 
Such issues can prevent changes in AD from being reflected correctly in Entra ID, resulting in outdated or inconsistent user information and permissions.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Offboarding-in-third-party-systems\"><\/span>Offboarding in third-party systems<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Offboarding in third-party systems is just as necessary as in Active Directory or Entra ID. <strong>Many organizations use a variety of applications and platforms that fall outside their primary identity management systems.<\/strong> Third-party systems such as<\/p>\n<ul>\n<li>SaaS applications,<\/li>\n<li>CRM systems or<\/li>\n<li>collaboration platforms<\/li>\n<\/ul>\n<p>often manage their own user accounts and access rights. If a user leaves the company, their access in these systems remains in place unless offboarding is carried out there as well; single sign-on via Entra ID only closes the front door if the application has no local accounts, API keys or tokens of its own. This poses a significant security risk, as a former employee could continue to have access to sensitive company data. In addition, user accounts that are not deactivated incur unnecessary license costs.<\/p>\n<p>To avoid such risks, it is essential that offboarding processes are also consistently and completely implemented in all third-party systems used. Automated identity and access management solutions such as the IDM-Portal can help to centrally control the offboarding process. 
They ensure that user accounts and authorizations are comprehensively removed from all relevant systems at the same time.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Security-risks-of-incomplete-offboarding\"><\/span>Security risks of incomplete offboarding<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Incomplete or unperformed offboarding in a hybrid environment that includes both Active Directory and Microsoft Entra ID poses significant risks to an organization&#8217;s security and operations.<\/p>\n<p><strong>Unauthorized access to corporate resources<\/strong><\/p>\n<p>One of the biggest risks is that former employees can continue to access company resources without authorization. If administrators do not completely deactivate or delete user accounts, the accounts still retain access rights to files, applications and systems. This is particularly dangerous if the person has malicious intentions or if the login information falls into the wrong hands. In hybrid environments where AD and Entra ID are integrated, such a gap affects not only the local network but also cloud-based services and applications, significantly increasing the risk.<\/p>\n<p><strong>Synchronization risks<\/strong><\/p>\n<p>Hybrid identities, managed in both on-premises AD domains and in the cloud, bring additional challenges. Synchronization issues between the two systems can prevent changes in AD from being correctly reflected in Entra ID and vice versa. This can result in outdated permissions remaining in place, potentially allowing unauthorized access.<\/p>\n<p><strong>PTA server as a target for AD and Entra ID access<\/strong><\/p>\n<p>With Pass-Through Authentication, the password entered at the cloud sign-in page is validated by an agent on an on-premises server against the AD domain. Attackers who gain administrative privileges on such a server can tamper with this agent and thereby accept any password for, or harvest the credentials of, every user in the connected Entra ID tenant who signs in through PTA, without knowing the actual credentials. 
This underscores the need to strictly manage hybrid identities and to continuously monitor and update security practices.<\/p>\n<p><strong>Compliance risks due to incomplete offboarding<\/strong><\/p>\n<p>Another risk relates to compliance. Many regulations and standards require that access to systems and data be promptly and completely revoked for employees who have left the company. Incomplete offboarding can therefore lead to serious legal and regulatory consequences, including fines and reputational damage. In hybrid environments, where identity and access management must be carried out across different platforms, the complexity of this requirement increases significantly.<\/p>\n<h2 id=\"Best Practice offboarding in a hybrid IT environment with IDM-Portal\"><span class=\"ez-toc-section\" id=\"Best-Practice-offboarding-in-a-hybrid-IT-environment-with-IDM-Portal\"><\/span>Best Practice offboarding in a hybrid IT environment with IDM-Portal<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>FirstAttribute&#8217;s <a href=\"https:\/\/firstware.com\/en\/\">IDM-Portal<\/a> addresses all the offboarding issues we&#8217;ve described in this post.<\/p>\n<p>It is an<strong> ideal solution for offboarding users, especially in hybrid environments<\/strong>. 
The IDM-Portal <strong>manages permissions in an automated manner with approval and timing functions<\/strong>, <strong>consistently removing all of a user&#8217;s access rights during offboarding.<\/strong><\/p>\n<p><img decoding=\"async\" class=\"imgshadow aligncenter wp-image-46998 size-large\" title=\"FirstWare IDM-Portal - A centralized user interface\" src=\"https:\/\/firstware.com\/wp-content\/uploads\/2025\/01\/IDM-Portal-user-view-1024x485.png\" alt=\"FirstWare IDM-Portal - A centralized user interface\" width=\"1024\" height=\"485\" srcset=\"https:\/\/www.firstware.com\/wp-content\/uploads\/2025\/01\/IDM-Portal-user-view-1024x485.png 1024w, https:\/\/www.firstware.com\/wp-content\/uploads\/2025\/01\/IDM-Portal-user-view-300x142.png 300w, https:\/\/www.firstware.com\/wp-content\/uploads\/2025\/01\/IDM-Portal-user-view-768x364.png 768w, https:\/\/www.firstware.com\/wp-content\/uploads\/2025\/01\/IDM-Portal-user-view-1536x727.png 1536w, https:\/\/www.firstware.com\/wp-content\/uploads\/2025\/01\/IDM-Portal-user-view.png 1772w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p>First of all, the tool provides <strong>a central interface for AD and Entra ID<\/strong>, which makes it possible to carry out user and group administration centrally.<\/p>\n<p>In addition, it offers comprehensive <strong>automation of processes in all connected directories<\/strong>. The integration of third-party systems enables offboarding to take place simultaneously not only in AD and Entra ID, but also in all other integrated systems, such as CRM or HR applications. This prevents user accounts from remaining active in these systems unnoticed and creating security vulnerabilities.<\/p>\n<p>There is also the option of <strong>time-controlled offboarding<\/strong>. This allows processes to be executed exactly when they are needed, for example at the end of the employee&#8217;s last working day. 
This reduces the workload on administrators and ensures significantly more security.<\/p>\n<p><img decoding=\"async\" class=\"imgshadow aligncenter wp-image-46992 size-full\" title=\"Hybrid offboarding: plan for changes in the IDM-Portal\" src=\"https:\/\/firstware.com\/wp-content\/uploads\/2025\/01\/Schedule-changes-offboarding-IDM-Portal.png\" alt=\"Hybrid offboarding: plan for changes in the IDM-Portal\" width=\"924\" height=\"235\" srcset=\"https:\/\/www.firstware.com\/wp-content\/uploads\/2025\/01\/Schedule-changes-offboarding-IDM-Portal.png 924w, https:\/\/www.firstware.com\/wp-content\/uploads\/2025\/01\/Schedule-changes-offboarding-IDM-Portal-300x76.png 300w, https:\/\/www.firstware.com\/wp-content\/uploads\/2025\/01\/Schedule-changes-offboarding-IDM-Portal-768x195.png 768w\" sizes=\"(max-width: 924px) 100vw, 924px\" \/><\/p>\n<p>Another advantage of the IDM-Portal is the <strong>delegation of user administration<\/strong>. IT administrators and even non-IT employees can efficiently carry out offboarding processes, speeding up the process and reducing the likelihood of human error. In addition, the organization-specific configuration of the interface adapts offboarding to the specific requirements of the company and ensures adherence to compliance guidelines.<\/p>\n<p>Companies that work with partners and external employees should not perform offboarding manually. The risk of overlooking rights and accounts when someone leaves grows with every additional directory and application that has to be handled by hand.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Summary\"><\/span>Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Controlling and automating user management through a central portal is a practical approach to ensuring that onboarding and offboarding are carried out in accordance with company policy. 
Especially in hybrid environments where multiple directories are in use, it is advisable to use a central offboarding management tool instead of doing it manually in each system.<\/p>\n<p>The use of such tools reduces the risk of human error through automated and scheduled processes. Another advantage is the cost savings, as offboarding is not only more reliable but also faster, reducing the workload on IT staff, who can devote their time to other tasks.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"More-about-FirstWare-IDM-Portal\"><\/span>More about FirstWare IDM-Portal<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><img decoding=\"async\" class=\"alignleft wp-image-36704\" title=\"IDM-Portal Hybrid IAM solution\" src=\"https:\/\/firstware.com\/wp-content\/uploads\/2021\/08\/IDM-Portal-Hybrid-IAM-Loesung-1.png\" alt=\"IDM-Portal Hybrid IAM solution\" width=\"238\" height=\"199\" srcset=\"https:\/\/www.firstware.com\/wp-content\/uploads\/2021\/08\/IDM-Portal-Hybrid-IAM-Loesung-1.png 453w, https:\/\/www.firstware.com\/wp-content\/uploads\/2021\/08\/IDM-Portal-Hybrid-IAM-Loesung-1-300x250.png 300w\" sizes=\"(max-width: 238px) 100vw, 238px\" \/>FirstAttribute&#8217;s <a href=\"https:\/\/firstware.com\/en\/\">FirstWare IDM-Portal<\/a> is an integrated identity and access management (IAM) solution that enables automated user and authorization management, whether on-premises or in the cloud.<\/p>\n<p>This portal integrates all facets of identity and access management and provides centralized access to identity and directory services.<\/p>\n<p><a href=\"https:\/\/firstware.com\/en\/contact\/\" target=\"_blank\" rel=\"noopener\"><button class=\"ButtonBeratung aligncenter\">Contact us now<\/button><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hybrid offboarding removes a user account from both the on-premises Active Directory and Entra ID. 
The process ensures that all [&hellip;]<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","categories":[],"tags":[1989,1990],"class_list":["post-46965","post","type-post","status-publish","format-standard","hentry","tag-hybrid-offboarding","tag-offboarding"],"yoast_head_json":{"title":"Hybrid offboarding in Entra ID and Active Directory - FirstWare IDM-Portal","description":"Hybrid offboarding removes access rights locally and in Entra when a user is deleted. Our IAM-solution IDM-Portal handles the entire process.","canonical":"https:\/\/www.firstware.com\/en\/blog\/hybrid-offboarding-in-entra-id-and-active-directory\/","author":"Sophia Tunui","twitter_misc":{"Written by":"Sophia Tunui","Est. reading time":"15 minutes"}}}