The Identity Lifecycle Is Your Real Attack Surface

Most breaches do not start with a firewall. They start with a forgotten account. Too often we neglect to acknowledge that identities are the heartbeat of the user, and that a user can be exploited even after they are no longer with the organization. The same can also be said about those who still remain. As an organization, it is absolutely crucial that you recognize these phases and take the necessary precautions to prevent them from being used against you.

The Joiner

Welcome to the organization! We understand that you need tools and roles to do your job. Here: take Global Administrator, admin access to your Entra Connect server, and the keys to your on-premises Exchange server. While we're at it, we will not govern this at all and give you free rein.

Can you identify the issues in this statement? If so, you'll also know that, more often than not, this is exactly what happens in the wild. Not having a proper onboarding process introduces over-permissioning and gives way to a whole slew of problems.

The Mover

Congratulations on your promotion! Need access to the Domain Controller? Sure! Full ride to the HR application with SIN numbers? Yup!

Here's another doozy of an issue. In fact, this is the most dangerous phase in the identity lifecycle: old privileges remain and new ones get added to the mix, making a concoction of roles with no management.

The Leaver

Thank you for all of your hard work, but unfortunately, due to workforce adjustments, your services are no longer required at our organization. Please return your laptop via mail or in person and collect your things. Oh, don't worry about your account though: you can still log in.

The final boss: the leaver. Although most organizations think they handle this well, more and more of them fall behind. This, in turn, leaves users (some possibly disgruntled) with the keys to the castle and very little oversight. Another major risk. Combine this with burnt bridges, and you have a potential administrative nightmare.

Commonalities Between Each?

Each of these phases shares a few common failures that boil down to brass tacks:

  • Excessive Permissions: Users are given the keys, leaving the whole kingdom vulnerable.

  • Stale Roles: The user may have a new role, but the permissions stay the same.

  • Lack of Oversight: No reviews, no processes, no lifecycle; plenty of problems.

How Attackers Benefit

Attackers can exploit the joiner, mover and leaver phases in many different ways. Access that is granted "just in case", no ownership of identity cleanup, a disconnect between HR and IT, and collaborators with infinite access are just some of the vectors an attacker can use. These failures persist for a variety of reasons:

  • Identity is seen as a part of the job description, not a system or role in itself.

  • Governance is seen as red tape that slows down agile teams.

  • Tools are aplenty, but processes are bone dry.

  • Leadership does not understand or underestimates the identity risks that are in their environment.

What Can Fix It?

There are a variety of ways to help alleviate these issues. Primarily, the core principle of least privilege applies here and should be treated as more than just a configuration: it is a process ingrained in the onboarding, upgrading, and offboarding of a user. Access should also be time-bound, have a purpose, and be reviewable. Where possible, automation is better than documentation (document the automations too), because an automated action can be traced back to the exact time it happened. Here are some tools that can help:

  • Lifecycle Workflows: Automate the predictable. New hires, department changes, leaves of absence, and terminations all follow patterns. Lifecycle Workflows lets you build those patterns into the identity fabric itself. Instead of relying on someone to remember to remove access, the system does it — consistently, traceably, and without emotion or fatigue.

  • Access Reviews: This is where oversight becomes real. Access Reviews force the business to validate who still needs what. No more “set it and forget it.” No more permissions that outlive their purpose. When done well, reviews become a natural part of the organization’s rhythm, not a quarterly panic.

  • Entitlement Management: Access Packages give structure to chaos. Instead of ad‑hoc permissions granted through emails, tickets, or hallway conversations, you define curated bundles of access with clear owners, expiration dates, and approval flows. It’s governance without friction — and without the guesswork.

  • Privileged Identity Management (PIM): Permanent admin access is a liability. PIM turns privilege into something earned, time‑bound, and auditable. Admins elevate only when needed, and only for as long as required. This single shift dramatically reduces the blast radius of compromised accounts.

  • Workload Identity Governance: The forgotten frontier. Service principals, managed identities, and automation accounts often have more privilege than humans — and far less oversight. Bringing these identities into the lifecycle is non‑negotiable. Attackers know this. It’s time defenders did too.

A Practical Roadmap

If you want to make real progress, start small but start deliberately.

1. Map Your Identity Flows: Document how people and workloads enter, move through, and exit your environment. Employees, contractors, vendors, service principals, and automation accounts all have lifecycles. Until you understand those flows end‑to‑end, you’re governing shadows.

2. Identify High‑Risk Gaps: Once the map exists, the weak points become obvious. Orphaned accounts, excessive roles, unreviewed access, and unmanaged service principals are the low‑hanging vulnerabilities attackers love. These are the cracks in the perimeter that don’t require a single exploit — just patience.

3. Automate the Predictable: Use Lifecycle Workflows to handle the events you know will happen: onboarding, department changes, leaves of absence, terminations. For everything else — the unpredictable, the messy, the human — Access Reviews keep your environment honest. Automation handles consistency; reviews handle reality.

4. Reduce Standing Privilege: Move administrators into PIM and eliminate permanent access wherever possible. Standing privilege is an attacker’s dream. Just‑in‑time elevation turns it into a controlled, time‑bound exception instead of a constant liability.

5. Measure What Matters: Track time‑to‑deprovision, access review completion rates, and privilege reduction over time. Identity security isn’t abstract — it’s measurable. And the things you measure are the things that improve.
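As an added example (not part of the original post), here is what steps 1, 2 and 5 look like when you actually reconcile the HR system of record against a directory export: it flags leavers who can still log in, accounts with no HR owner, movers who kept groups from their old department, and computes time‑to‑deprovision. The HR records, directory rows, example.test UPNs and the department‑to‑group entitlement map are all constructed for illustration.

```python
from datetime import date

HR = {  # constructed sample: the HR system of record (who should have access today)
    "bob":   {"status": "terminated", "dept": "it",      "term_date": date(2024, 3, 1)},
    "carol": {"status": "active",     "dept": "hr",      "term_date": None},  # moved from finance
    "erin":  {"status": "terminated", "dept": "finance", "term_date": date(2024, 2, 1)},
}

DIRECTORY = [  # constructed sample: directory export (what access actually exists right now)
    {"upn": "bob@example.test",   "enabled": True,  "disabled_on": None, "groups": ["global-admins"]},
    {"upn": "carol@example.test", "enabled": True,  "disabled_on": None, "groups": ["fin-approvers", "hr-readers"]},
    {"upn": "dave@example.test",  "enabled": True,  "disabled_on": None, "groups": ["sql-admins"]},
    {"upn": "erin@example.test",  "enabled": False, "disabled_on": date(2024, 2, 5), "groups": []},
]

# Hypothetical entitlement map: which groups a department is allowed to hold.
GROUPS_FOR_DEPT = {"finance": {"fin-approvers"}, "hr": {"hr-readers"}, "it": {"global-admins"}}

def _hr_key(upn):
    return upn.split("@")[0]  # assumes the UPN prefix is the HR employee key

def leavers_still_enabled(hr, directory):
    """Leaver gap: HR says terminated, but the directory still lets them log in."""
    return sorted(a["upn"] for a in directory
                  if a["enabled"] and hr.get(_hr_key(a["upn"]), {}).get("status") == "terminated")

def orphaned_accounts(hr, directory):
    """Enabled accounts with no HR record at all: nobody owns them."""
    return sorted(a["upn"] for a in directory if a["enabled"] and _hr_key(a["upn"]) not in hr)

def stale_groups(hr, directory, groups_for_dept):
    """Mover gap: active users holding groups their current department is not entitled to."""
    stale = {}
    for a in directory:
        rec = hr.get(_hr_key(a["upn"]))
        if not rec or rec["status"] != "active":
            continue
        extra = sorted(set(a["groups"]) - groups_for_dept.get(rec["dept"], set()))
        if extra:
            stale[a["upn"]] = extra
    return stale

def time_to_deprovision_days(hr, directory):
    """Metric: days from HR termination to account disablement; None means still open."""
    out = {}
    for a in directory:
        rec = hr.get(_hr_key(a["upn"]))
        if rec and rec["status"] == "terminated":
            out[a["upn"]] = (a["disabled_on"] - rec["term_date"]).days if a["disabled_on"] else None
    return out
```

Run the four functions on a scheduled basis and the `None` entries in the deprovision metric are your open leaver tickets, which is exactly the number that should trend to zero once Lifecycle Workflows handles terminations.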

Closing Thoughts

Most organizations still treat identity as paperwork. A form to fill out. A ticket to close. A checkbox on someone’s first day.

But identity is not paperwork — it’s your perimeter.

Attackers don’t need to break in when they can simply log in. Your lifecycle determines whether they can.

If you govern it, you shrink your attack surface. If you ignore it, you expand it — one joiner, mover, and leaver at a time.

Until next week, folks!
