Explore access control management during employee transfer and termination


In terms of access control, employee transfers and terminations need to be timely and consistently orchestrated to prevent unauthorized access after their transition. Employees transferring to another team may only need a subset of the eligibilities they currently hold or no eligibilities at all. Terminated employees must have their access disabled in a timely manner after they officially end their employment. Microsoft has well-established procedures and automated workflows to help conduct consistent and accurate transitions for employees and their access.

Transfers

The employee transfer process starts when the employee's manager submits a request to HR. Requests are logged in the HR information system (HRIS), and Global Talent Acquisition is prompted to provide an offer letter to the employee for their new role. Once the letter is accepted, HR completes the transfer request in the HRIS, which triggers IDM to set an expiration date on all of the employee's active eligibilities. If the employee requires any of the same permissions in their new role, they must submit a request for each one and get approval from their new manager. Any eligibility that is not re-requested and approved expires on that date and is revoked. If the employee's new role has specific security implications, their system access and security group memberships are reevaluated immediately to reflect the new role.

Terminations

Terminations need to be handled with care, especially in cases of involuntary termination. For this reason, Microsoft uses clearly defined policies and procedures to revoke physical and logical access at exactly the right moment to help prevent potential insider-related risks.

When an employee provides notice that they're leaving Microsoft, their manager enters the termination date into the HRIS. At the end of the day on the employee's termination date, the HRIS marks the employee as terminated, automatically triggering IDM to disable all service team accounts and revoke all eligibilities and lockbox roles.

Involuntary terminations work similarly: the employee's manager enters the termination date into the HRIS, prompting IDM to remove the employee's access on the specified date. Additionally, urgent requests can be made to disable an employee's account and revoke their eligibilities immediately if they pose a threat to Microsoft or our customers.
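The transfer and termination workflows described above, modeled as an added example that is not Microsoft's IDM or HRIS code: HR completion of a transfer stamps an expiry on every eligibility, only the new manager's approval clears it, a daily sweep revokes what has expired, and termination (end of day, or immediate when urgent) disables the account and revokes all eligibilities and lockbox roles. The 30-day window, the manager aliases and the eligibility names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

TRANSFER_EXPIRY_DAYS = 30  # assumed length of the expiration window; the page gives no number

@dataclass
class Employee:
    manager: str
    eligibilities: dict = field(default_factory=dict)  # name -> expiry date; None = no expiry
    lockbox_roles: set = field(default_factory=set)
    account_enabled: bool = True

def hris_transfer_completed(emp, new_manager, today):
    """HR completes the transfer: IDM puts an expiration date on every active eligibility."""
    emp.manager = new_manager
    for name in emp.eligibilities:
        emp.eligibilities[name] = today + timedelta(days=TRANSFER_EXPIRY_DAYS)

def request_eligibility(emp, name, approver, approved):
    """Re-request for the new role; only the new manager's approval clears the expiry."""
    if name not in emp.eligibilities: raise KeyError(name)
    if approver == emp.manager and approved:
        emp.eligibilities[name] = None
    return emp.eligibilities[name] is None

def idm_daily_sweep(emp, today):
    """Runs after end of day: revoke every eligibility whose expiration date has arrived."""
    expired = sorted(n for n, exp in emp.eligibilities.items() if exp and exp <= today)
    for name in expired:
        del emp.eligibilities[name]
    return expired

def hris_termination(emp, termination_date, today, urgent=False):
    """End of day on the termination date (or at once if urgent): disable and revoke all."""
    if not urgent and today < termination_date:
        return False
    emp.account_enabled = False
    emp.eligibilities.clear()
    emp.lockbox_roles.clear()
    return True

def run_lifecycle():
    # Constructed scenario: transfer with one eligibility re-approved, then termination.
    emp = Employee("mgr-a", {"prod-read": None, "deploy": None}, {"lockbox-approver"})
    t0 = date(2024, 1, 10)
    hris_transfer_completed(emp, "mgr-b", t0)
    old_mgr = request_eligibility(emp, "prod-read", "mgr-a", True)  # old manager: no effect
    new_mgr = request_eligibility(emp, "prod-read", "mgr-b", True)
    revoked = idm_daily_sweep(emp, t0 + timedelta(days=TRANSFER_EXPIRY_DAYS))
    kept = dict(emp.eligibilities)
    done = hris_termination(emp, date(2024, 3, 1), today=date(2024, 3, 1))
    return old_mgr, new_mgr, revoked, kept, done, emp.account_enabled, emp.lockbox_roles
```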