Automatic deprovisioning: prevent former employees and externals from retaining access

Mike Fraanje


When someone leaves the organisation, whether it's an employee, consultant, supplier, or intern, you expect access to be properly terminated. However, in practice, this is where the greatest security risks often arise. Accounts accidentally remain active, externals are not in the HR system, and guest users in Microsoft 365 are rarely checked.

The result: former employees and suppliers who unintentionally continue to have access to systems, documents, and business-critical data. This issue makes automatic deprovisioning an essential part of modern Identity & Access Management (IAM).

In this blog, you'll read how automatic deprovisioning works, why organisations often forget accounts – especially external ones – and how a platform like Joinly helps to fully automate and secure this process.


What is automatic deprovisioning?

Automatic deprovisioning is the process where digital access is automatically revoked as soon as an employee or external party no longer has a role within the organisation. It is not just about disabling accounts, but also about removing authorisations, roles, licences, group memberships, and access to applications and cloud environments.

Where this used to be manual work, modern IAM software like Joinly ensures that offboarding is consistent, secure, and fully automated.

Why offboarding often goes wrong

Many organisations have reasonably good onboarding processes. But offboarding – correctly closing accounts – is almost always vulnerable. This is due to:

1. Fragmented responsibility

HR, IT, security, managers, and supplier management all play a role. If one link forgets something, access remains active.

2. Externals are not in the HR system

The biggest blind spot. Consultants, freelancers, construction partners, suppliers, implementation parties… They often receive extensive access, but no one registers their 'departure' date.

3. No central overview

Without a central IAM platform, it is impossible to see who has access to which systems.

4. Human errors

Manual offboarding via tickets, emails, or Excel lists works fine until it doesn't.

A forgotten account can lead to data leaks, compliance issues, unnecessary licence costs, and reputational damage.

The forgotten risk: access of suppliers and external accounts

External accounts often pose the greatest danger. They have access because they work on projects, oversee implementations, or manage systems. But once the partnership ends, that access is not always revoked.

This happens because:

  • There is no official offboarding for externals.

  • Project managers forget to report it.

  • Access is granted through separate tools rather than via IT.

  • Guest accounts in Microsoft 365 remain and never expire.

  • External identities in Entra ID are not cleaned up.

These accounts sometimes hold admin rights, or have access to datasets and environments that are vulnerable to misuse.

An automatic solution is not a luxury but a necessity.
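A reconciliation check for the forgotten accounts described above, as an added example (not from the original post and not Joinly's code): it compares a directory export against the authoritative source records and flags enabled accounts that have no source record or whose end date has passed. All field names, IDs and dates are constructed for illustration.

```python
from datetime import date

# Constructed sample data: authoritative sources (HR plus an externals register).
SOURCE_RECORDS = [
    {"id": "e1001", "source": "hr", "end_date": None},               # open-ended
    {"id": "e1002", "source": "hr", "end_date": date(2024, 5, 31)},
    {"id": "x2001", "source": "externals", "end_date": date(2024, 3, 15)},
    {"id": "x2001", "source": "externals", "end_date": date(2024, 9, 30)},  # extension
]

# Constructed directory export: what actually exists in the identity store.
DIRECTORY = [
    {"id": "e1001", "type": "member", "enabled": True},
    {"id": "e1002", "type": "member", "enabled": True},
    {"id": "x2001", "type": "guest", "enabled": True},
    {"id": "x2002", "type": "guest", "enabled": True},   # nobody registered this guest
    {"id": "x2003", "type": "guest", "enabled": False},  # unregistered, already disabled
]


def effective_end_dates(records):
    """Return the governing end date per identity (None = open-ended).

    A later end date, such as a contract extension, supersedes an earlier one.
    """
    ends = {}
    for rec in records:
        current = ends.get(rec["id"], date.min)
        new = rec["end_date"]
        ends[rec["id"]] = None if (current is None or new is None) else max(current, new)
    return ends


def audit(directory, records, today):
    """List (account id, reason) for enabled accounts that should not be active."""
    ends = effective_end_dates(records)
    findings = []
    for acct in directory:
        if not acct["enabled"]:
            continue  # already deprovisioned
        if acct["id"] not in ends:
            findings.append((acct["id"], "no-source-record"))
        elif ends[acct["id"]] is not None and ends[acct["id"]] < today:
            findings.append((acct["id"], "end-date-passed"))
    return findings


if __name__ == "__main__":
    for account_id, reason in audit(DIRECTORY, SOURCE_RECORDS, date(2024, 6, 10)):
        print(account_id, reason)
```

The `no-source-record` finding is the blind spot for externals: the account exists, but no system holds an end date that could ever trigger its removal.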

How Joinly manages automatic deprovisioning

Joinly is designed to automate the entire identity lifecycle management process. One principle is central: the source determines, Joinly executes.

1. HR, procurement, or project registration is the trigger

  • For employees, the trigger comes from the HR system (AFAS, YouServe, Personio, Deel, etc.).

  • For externals, the trigger comes from the HR system or otherwise the supplier system, contract management, project registration, or a Joinly external portal.

Once an end date is registered, Joinly automatically schedules the offboarding.

2. A fully automated offboarding occurs on the last working day

Joinly revokes all access, for instance:

  • Disable AD / Entra ID accounts

  • Remove application roles

  • Block guest accounts in Microsoft 365

  • Terminate cloud access (SaaS apps, CRM, HR tools)

  • Revoke VPN and network access

  • Release licences

  • Remove group memberships

  • Block shared mailboxes and Teams access

Everything happens automatically. No manual work, no risks.

3. Complete audit trail for compliance

Joinly logs every step: what was closed when, by which system, and which rights have expired. This is ideal for organisations working with:

  • ISO 27001

  • NEN 7510

  • SOC 2

  • GDPR requirements

  • Internal audits

Scenarios that often go wrong – and how Joinly solves them

Automatic deprovisioning means Joinly also recognises exceptions that are often encountered in practice.

Contract extension

If HR or procurement enters a new end date, Joinly automatically stops the offboarding process.

Collaboration ends immediately

In urgent situations, access can be withdrawn within seconds.

External comes back temporarily

Joinly can safely reactivate the old account with the correct roles.

Employee changes role

Not only offboarding, but also role changes (mutations) are processed automatically.

Why automatic deprovisioning has a direct business case

The benefits of automatic deprovisioning are not only security-oriented. Organisations also see tangible gains such as:

  • Reduced licence costs through automatic redistribution

  • Reduced management burden for IT

  • Fewer risks by eliminating forgotten accounts

  • Faster audits thanks to complete logging

  • Better compliance with GDPR and ISO 27001

Joinly makes IAM scalable, manageable, and reliable.

Automatic deprovisioning belongs to a modern digital organisation

At a time when organisations use dozens to hundreds of cloud applications, manual offboarding is simply not realistic. Employees come and go, externals work for shorter periods on average, and suppliers receive more access than ever.

With Joinly, you ensure that:

  • no one retains unnecessary access

  • every identity is properly closed

  • both internal and external access are fully controlled

  • you meet security and compliance requirements

It is not only safer but also more efficient and cost-effective.
