(De-)provisioning
User accounts are set up and group memberships are assigned. In addition, accounts for other applications, and access to them, must be created, whether for Exchange, SharePoint Online, Office 365 or the countless other cloud applications provided via Azure Active Directory (AAD).
This issue becomes more critical during deprovisioning. For example, new authorisations might be issued to provide cover for people on annual leave. Without tools, it is not easy to keep track of these authorisations and withdraw them at the appropriate time. Situations become completely uncontrollable when employees leave the company.
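One way to check for the deprovisioning gaps described above, as an added example that is not part of the original text: it reconciles exports from both directories and flags accounts that are disabled on-premises but still active in the cloud, cloud accounts with no on-premises counterpart, and temporary cover authorisations that are past their end date but still assigned. The export layout, field names and all sample records are constructed assumptions.

```python
from datetime import date

# Constructed sample exports; the field names are assumptions, not a real export schema.
AD_USERS = [
    {"upn": "a.meyer@example.com", "enabled": True},
    {"upn": "b.klein@example.com", "enabled": False},  # left the company
    {"upn": "c.wolf@example.com", "enabled": True},
]
AAD_USERS = [
    {"upn": "a.meyer@example.com", "enabled": True},
    {"upn": "b.klein@example.com", "enabled": True},   # still active in the cloud
    {"upn": "c.wolf@example.com", "enabled": True},
    {"upn": "d.old@example.com", "enabled": True},     # no on-premises counterpart
]
# Temporary authorisations, e.g. cover for a colleague on annual leave (constructed).
TEMP_GRANTS = [
    {"upn": "a.meyer@example.com", "group": "Finance-Approvers", "expires": date(2024, 3, 15)},
    {"upn": "c.wolf@example.com", "group": "HR-Records", "expires": date(2024, 6, 30)},
]
# Current (upn, group) memberships as exported from the directory (constructed).
MEMBERSHIPS = {
    ("a.meyer@example.com", "Finance-Approvers"),
    ("c.wolf@example.com", "HR-Records"),
}


def find_deprovisioning_gaps(ad_users, aad_users, temp_grants, memberships, today):
    """Return review findings as a sorted list of (kind, upn, detail) tuples."""
    ad_state = {u["upn"].lower(): u["enabled"] for u in ad_users}
    findings = []
    for user in aad_users:
        upn = user["upn"].lower()
        if not user["enabled"]:
            continue  # already blocked in the cloud, nothing to withdraw
        if upn not in ad_state:
            # May be a legitimate cloud-only account; flagged for review.
            findings.append(("cloud_only_account", upn, "no on-premises account"))
        elif not ad_state[upn]:
            findings.append(("disabled_on_prem_active_in_cloud", upn, "disabled in AD"))
    for grant in temp_grants:
        key = (grant["upn"].lower(), grant["group"])
        # A grant is overdue only if it has expired and is still assigned.
        if grant["expires"] < today and key in memberships:
            findings.append(("expired_grant_still_assigned", key[0], grant["group"]))
    return sorted(findings)


if __name__ == "__main__":
    gaps = find_deprovisioning_gaps(AD_USERS, AAD_USERS, TEMP_GRANTS, MEMBERSHIPS, date(2024, 4, 1))
    for finding in gaps:
        print(*finding, sep=" | ")
```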
Inconsistencies
If user administration relies on manual processes, administrators must pay close attention to intricacies and processes, particularly in a hybrid setup combining Microsoft's Active Directory (AD) and Azure Active Directory (AAD).
Careless mistakes often happen, particularly in the case of urgent enquiries. For example, the group memberships required for a particular function in the company could be assigned incorrectly in AD and AAD.
Processes such as those for obtaining approval for authorisations from the officer responsible for the business area in question are not complied with. There can be no guarantee that the same procedure will be followed for recurring tasks.
Synchronisation
The two systems each have their own user administration, and administrators must work with different user interfaces.
Errors are also likely to arise during the complex process of ensuring that user information is consistent. Errors in user administration on the local side often have a direct impact on the cloud. The native tools in Active Directory (ADUC) do not offer the functionality required to ensure data integrity or compliance with administrative policies.
These three factors make hybrid user management a risky endeavour if additional tools are not brought into play. As a result, companies should consider making their user administration "watertight". Similarly, it is essential to restrict administrators to their area of responsibility to avoid errors and ensure compliance.