Managing user accounts manually across both on-prem Active Directory and Azure AD can be time-consuming, error-prone, and inefficient—especially in environments with high employee turnover or remote workforces.
Enter PowerShell automation, the IT admin’s best friend. With the right scripts, you can automate user onboarding (provisioning) and secure offboarding (deprovisioning) workflows in both AD and Azure AD, ensuring consistency, speed, and improved security posture.
Why Automate User Lifecycle Management?
Manual processes are risky:
- Typos can lead to misconfigured accounts
- Missed group assignments reduce productivity
- Forgotten deprovisioning becomes a security vulnerability
Automating user provisioning/deprovisioning ensures:
- Standardised account setups
- Timely group and license assignment
- Prompt account disablement and cleanup
- Consistent logging for compliance and auditing
Pre-requisites
To automate both AD and Azure AD tasks, you’ll need:
- Windows PowerShell 5.1+ or PowerShell Core
- Installed modules:
  - ActiveDirectory (for on-prem AD tasks)
  - AzureAD and/or Microsoft.Graph (for Azure AD tasks; the AzureAD module is deprecated, so prefer Microsoft.Graph for new scripts, which is what the examples below use)
- Sufficient permissions in both environments
Automating User Provisioning
Step 1: Create a New User in Active Directory
Import-Module ActiveDirectory
# Demo only: a hard-coded initial password is shown for brevity. In production, generate it
# at run time or read it from a secret store (see Security Tips below).
New-ADUser -Name "Jane Doe" `
-GivenName "Jane" `
-Surname "Doe" `
-SamAccountName "jdoe" `
-UserPrincipalName "jdoe@domain.com" `
-AccountPassword (ConvertTo-SecureString "TempPassword123!" -AsPlainText -Force) `
-ChangePasswordAtLogon $true `
-Enabled $true `
-Path "OU=Users,DC=domain,DC=com"
Step 2: Add User to Security Groups
Add-ADGroupMember -Identity "Sales Team" -Members "jdoe"
Add-ADGroupMember -Identity "VPN Access" -Members "jdoe"
Step 3: Sync to Azure AD (if Hybrid)
This is typically handled on a schedule by Azure AD Connect, but you can trigger a delta sync yourself from the Azure AD Connect server (the ADSync module is installed there):
Start-ADSyncSyncCycle -PolicyType Delta
Step 4: Assign Licenses in Azure AD
Using Microsoft Graph:
Connect-MgGraph -Scopes "User.ReadWrite.All"
$user = Get-MgUser -UserId "jdoe@domain.com"
# Graph refuses to assign a license until the user has a UsageLocation (ISO country code)
Update-MgUser -UserId $user.Id -UsageLocation "GB"
$sku = Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -eq "ENTERPRISEPACK" }
Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{SkuId = $sku.SkuId}) -RemoveLicenses @()
Automating Deprovisioning (Offboarding)
Step 1: Disable the User in Active Directory
Disable-ADAccount -Identity "jdoe"
Step 2: Remove Group Memberships
Get-ADUser -Identity "jdoe" -Properties MemberOf |
Select-Object -ExpandProperty MemberOf |
ForEach-Object { Remove-ADGroupMember -Identity $_ -Members "jdoe" -Confirm:$false }
Step 3: Move to a “Leavers” OU for Archiving
Move-ADObject -Identity "CN=Jane Doe,OU=Users,DC=domain,DC=com" `
-TargetPath "OU=Leavers,DC=domain,DC=com"
Step 4: Revoke Azure AD Sessions and Licenses
# Revoke sign-ins (needs an active Graph session, e.g. Connect-MgGraph -Scopes "User.ReadWrite.All")
Revoke-MgUserSignInSession -UserId "jdoe@domain.com"
# Remove licenses. $sku from the provisioning script is not defined here, so look up
# every license the user currently holds rather than assuming a single known SKU.
$user = Get-MgUser -UserId "jdoe@domain.com"
$skuIds = @((Get-MgUserLicenseDetail -UserId $user.Id).SkuId)
Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $skuIds
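The four offboarding steps above can be wrapped into a single function that runs them in order, writes a log line per step, and records group memberships before removing them. This is an added example, not code from the original article; it assumes the ActiveDirectory and Microsoft.Graph modules are loaded, that Connect-MgGraph has already been run with User.ReadWrite.All, and the OU and log paths are placeholders.

```powershell
# Added example, not code from the original article. Assumes the ActiveDirectory
# and Microsoft.Graph modules are loaded and Connect-MgGraph has already been run
# with User.ReadWrite.All. The OU and log paths are placeholder assumptions.
function Invoke-UserOffboarding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$LeaversOU = "OU=Leavers,DC=domain,DC=com",
        [string]$LogPath   = "C:\Logs\offboarding.log"
    )
    function Write-Log([string]$Message) {
        $line = "{0} [{1}] {2}" -f (Get-Date -Format s), $SamAccountName, $Message
        Add-Content -Path $LogPath -Value $line
        Write-Verbose $line
    }
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, UserPrincipalName
    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, "Offboard")) { return }

    # 1. Disable the account and replace its password with random bytes, so the old
    #    credential is useless even if the account is later re-enabled by mistake.
    Disable-ADAccount -Identity $user
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $random = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $random
    Write-Log "Account disabled and password reset"

    # 2. Log the memberships before removing them, so access can be audited or restored.
    Write-Log ("Removing groups: " + ($user.MemberOf -join '; '))
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }

    # 3. Stamp the object with the offboarding date and move it to the Leavers OU.
    Set-ADUser -Identity $user -Description ("Offboarded " + (Get-Date -Format d))
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $LeaversOU
    Write-Log "Moved to $LeaversOU"

    # 4. Cloud side: revoke sessions first, then strip every license the user holds.
    try {
        $mgUser = Get-MgUser -UserId $user.UserPrincipalName
        Revoke-MgUserSignInSession -UserId $mgUser.Id | Out-Null
        $skuIds = @((Get-MgUserLicenseDetail -UserId $mgUser.Id).SkuId)
        if ($skuIds.Count -gt 0) {
            Set-MgUserLicense -UserId $mgUser.Id -AddLicenses @() -RemoveLicenses $skuIds | Out-Null
        }
        Write-Log "Sessions revoked; removed $($skuIds.Count) license(s)"
    } catch {
        Write-Log "Azure AD step failed: $($_.Exception.Message)"
    }
}
```

Run it with -WhatIf first to see what would be changed for a given account. Note that revoking sign-in sessions invalidates refresh tokens and browser sessions, but access tokens already issued remain valid until they expire, so the on-prem disable and the cloud revoke should run together rather than hours apart.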
Optional Enhancements
- CSV-driven automation: Loop through a file of new or terminated users
- Logging and email alerts: Send success/failure notifications
- Self-service triggers: Tie into service desk tools like ServiceNow or Power Automate
- Backup user data: Automate OneDrive or mailbox backup before deletion
- Scheduled Tasks: Run scripts at set intervals for hands-off automation
Security Tips
- Use secure password handling: Avoid plaintext passwords in scripts
- Run automation from a service account with least privilege
- Audit logs regularly to monitor success/failures
- Enable MFA on all administrative interfaces
- Integrate with conditional access policies for offboarded users
Conclusion
PowerShell provides a powerful, scriptable way to automate every phase of user account management—from new hire onboarding to secure exit handling. With automation in place, IT departments can reduce human error, respond faster to access requests, and free up time for more strategic tasks. Whether you’re managing a hybrid AD/Azure AD environment or fully cloud-based users, automating provisioning and deprovisioning is a must-have in modern IT operations.
