Auto provisioning is the process of automating the creation, maintenance, and removal of user identities in software applications based on business rules.
It can help increase productivity, security, and compliance, and reduce costs by avoiding manual or custom provisioning methods.
Instead of creating user accounts and setting account attributes in multiple systems, with auto provisioning you create an account in the source system (sometimes called the authoritative source), and business rules propagate the account to other systems, assigning the user the appropriate permissions based on their group membership in the source system.
When a user is modified in the source system, the appropriate attribute and permission changes are propagated to the target system(s).
When a user is deleted, perhaps because they have left your organization, their accounts and access are removed from all associated systems.
Auto provisioning in Microsoft Teams
The concept of auto provisioning in Microsoft Teams sounds great on paper. But is it really something you want to introduce into your business?
In this blog post, I’m going to evaluate whether auto provisioning is the right option for your business, specifically if you’re using Microsoft Teams.
Why bother with Teams auto provisioning in the first place?
Think about all the minor changes you make to a user during the course of a year. People join your company; people leave; people change roles and departments. All these changes add up. For most medium or large companies there are tens of thousands, perhaps even hundreds of thousands of changes, every year.
When a user is set up in Teams, they need to be assigned the correct policies. Policies control what a specific user is allowed to do within Teams. Policies can be assigned to individuals or groups of users.
There are lots of policies that can be assigned, divided into five core Microsoft Teams policy groups:
- Policy package: Policy packages are designed around a user role and include predefined policies and policy settings that support the collaboration and communication activities that are typical for that role. Some examples of policy packages might include a “Frontline worker” package, a “Healthcare (Clinical worker)” package, or a “Knowledge worker (Business Voice)” package.
- Meeting policy: Meeting policies cover general meeting settings, audio and video settings, content sharing features, and the participant and guest experience. Some examples of meeting settings that can be set as defaults include automatic meeting recordings for certain types of meetings, restricting chat and attendee camera and audio, or using the Q&A feature for presentation-style meetings.
- Voice and calling policy: Voice and calling policies control the calling features in Microsoft Teams such as emergency calling, caller ID, and routing.
- App policy: App policies control the apps that are available to users in Microsoft Teams. For example, an app setup policy can allow you to enable users to upload custom apps, install apps on behalf of your users, and pin apps to the Teams app bar.
- Messaging policy: Messaging policies control the messaging features in Microsoft Teams such as chat and channel messages.
Beyond regular employee updates, major projects like migrating users from one system to another or the onboarding and off-boarding of interns each work term can increase the number of manual changes that need to be processed.
Auto provisioning offers the opportunity to streamline your business processes and reduce or eliminate common problems associated with manual provisioning in Teams.
Common problems with manual provisioning in Microsoft Teams
Manual provisioning in Microsoft Teams works; it is what many organizations do. However, manual provisioning for Teams can often cause problems:
Problem 1: It is time-consuming
An administrator must update a user’s account when someone joins, leaves, or changes roles within your organization.
This requires someone (perhaps the HR department) to notify an administrator of all changes on a timely basis, and then an administrator to log in to the Teams Admin Center (TAC), navigate to the appropriate screens, and enter the required information.
Unfortunately, not all policies can be assigned through the TAC. This means configuring users may require both TAC access and PowerShell scripting. The PowerShell module for Teams is a set of cmdlets that can help manage Teams administrative workload.
However, as PowerShell evolves, changes sometimes break previously functional scripts, requiring debugging time.
The additional time associated with manual Teams provisioning may translate into more staff cost for your organization. At a minimum, manual provisioning ties up senior IT resources, preventing them from working on higher-value projects.
Problem 2: It is subject to errors and inconsistencies
Beyond being time-consuming, provisioning hundreds of users is boring. This repetitive, boring work often leads to inconsistencies and errors. Our minds don’t remain switched on if they’re not being challenged or pleased.
Even using PowerShell scripts requires transcribing or cutting and pasting data from one list into another, typically from one spreadsheet to another.
While vastly better than doing each update manually, this process still involves manual steps that are subject to error. The difference with scripted updates is that if you make an error, this error typically has larger ramifications, as it impacts many users.
Scripting can improve consistency; but, depending on how often batches of users are updated, different script templates may be used, or PowerShell cmdlets may have been updated, potentially resulting in differing assigned permissions within Teams.
However it is introduced, inconsistent policy assignment in Teams impacts user experience, with one user inexplicably unable to access Teams features a colleague can access. This increases the complexity of providing end user support, creates general confusion, can diminish trust in and adoption of Teams, and decreases user satisfaction.
Problem 3: It opens security vulnerabilities
Manual provisioning often requires more IT staff to have elevated administrative access within the TAC. This can lead to security issues through intentional or unintentional actions.
And while the TAC logs many operations, not all operations are logged, and the compliance logging capabilities within Office 365 and Teams may require additional licensing (Purview).
Also, the delays inherent in a manual de-provisioning process often leave accounts and permissions active for a period after a user has left the organization or changed roles. This opens potential security backdoors.
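The propagation described at the top of this post (source system, group-based rules, removal on departure) and the stale-access gap described above both come down to one reconciliation step. The sketch below is an added example, not code from this post or from Microsoft; the group names, meeting-policy names, accounts, and the first-match precedence rule are assumptions made for illustration.

```python
# Added example: reconcile target accounts against the source; all data is constructed.
# Business rules: source group -> target policies. First match wins (assumed precedence).
RULES = [
    ("clinical-staff", {"package": "Healthcare (Clinical worker)", "meeting": "RecordingOff"}),
    ("frontline", {"package": "Frontline worker", "meeting": "Restricted"}),
]
DEFAULT = {"package": None, "meeting": "Global"}

def desired_policies(groups):
    """Policies the business rules give a user with these group memberships."""
    for group, policies in RULES:
        if group in groups:
            return dict(policies)
    return dict(DEFAULT)

def reconcile(source, target):
    """Return the actions that bring target accounts in line with the source."""
    actions = []
    # Removals first: access that outlives the user is the security-relevant drift.
    for user in sorted(target):
        if user not in source or not source[user]["active"]:
            actions.append(("deprovision", user, None))
    for user in sorted(source):
        if not source[user]["active"]:
            continue
        want = desired_policies(source[user]["groups"])
        if user not in target:
            actions.append(("provision", user, want))
            continue
        drift = {k: v for k, v in want.items() if target[user].get(k) != v}
        if drift:
            actions.append(("update", user, drift))
    return actions

SOURCE = {  # constructed source-system records
    "alice": {"active": True, "groups": {"clinical-staff"}},
    "bob": {"active": True, "groups": {"frontline"}},
    "carol": {"active": False, "groups": {"frontline"}},  # has left the organization
    "dan": {"active": True, "groups": set()},  # new joiner, no group yet
}
TARGET = {  # constructed target-system state
    "alice": dict(RULES[0][1]),  # already correct
    "bob": {"package": "Frontline worker", "meeting": "Global"},  # drifted
    "carol": dict(RULES[1][1]),  # stale access
    "erin": dict(DEFAULT),  # account unknown to the source
}

if __name__ == "__main__":
    print(*reconcile(SOURCE, TARGET), sep="\n")
```

Run on a schedule, the same comparison doubles as an audit: any `deprovision` or `update` action it emits is access that no longer matches the source of record.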
The disadvantage of auto provisioning in Microsoft Teams
Okay, so if auto provisioning is solving all these problems, there must be a catch, right?
If you’re a small business, say under 200 users, then investing time into automation might be counterproductive.
Automation also requires an initial investment of time to set up and test. If you are busy every day “fighting fires” then you will not be able to find the time needed to research, plan, implement, and test an auto provisioning solution.
Setting up auto provisioning can also require additional licenses (Microsoft or third-party) and may require outside expertise.
Auto provisioning for many organizations will provide a positive return on investment; but if you have no dollars to invest (i.e., no budget), then you will need to stick with the status quo and forgo future returns.
The bottom line on auto provisioning
When properly implemented, auto provisioning for Microsoft Teams means a faster, more consistent, more secure process that will improve the overall end-user Teams experience.
Provided your organization has over ~200 users and is willing to invest some time and budget in the short term to deliver significantly better future results, auto provisioning becomes an easy decision.