Provisioning & Automation

Automate AD User Provisioning and Deprovisioning in a Hybrid Environment

May 5, 2026
8 min read

Right now, getting a new employee fully set up requires three separate teams to each complete their piece in sequence. The Administrative Officer submits the request and updates SAP. The Service Center manually creates the AD account. The Messaging team assigns the Office 365 license and sets up the mailbox. Somewhere in between, a daily sync script pushes certain SAP fields to AD, and AD Connect syncs to Azure every 30 minutes.

Every handoff is a place the process can stall. And that's before you get to the smaller requests — a manager who just needs to add someone to a project group, a CEO who wants to update a group description — that still flow through the same IT queue as a full account creation.

If you're trying to automate AD user provisioning and deprovisioning across a hybrid environment while pushing routine decisions back to the people who actually own them, you need more than a better script. You need a different architecture.

Why Multi-Team Manual Provisioning Keeps Breaking

The tools people suggest in this conversation — Adaxes, GroupID by Imanami, Okta — each solve part of the problem. Adaxes handles on-prem delegation well but gets complicated in hybrid setups. GroupID's bidirectional sync engine is solid for attribute management and group automation in AD. Okta is the right call for SSO and SCIM-supported apps but doesn't reach into on-prem AD or SAP natively without additional configuration.

The pattern is the same across all of them: each tool covers a layer, and you're left stitching the layers together manually or with scripts.

The daily SAP-to-AD sync script is a good example of what that looks like in practice. It works until SAP changes a field, or the script server has a maintenance window, or someone adds a new attribute that wasn't in the original spec. At that point, someone's account is incomplete or the sync is silently wrong, and the Service Center team has to manually reconcile it. The automation exists, but it's brittle and centrally owned by IT.

The self-service problem compounds this. When a manager needs to add one person to a project group, the request goes into the same IT queue as a full onboarding. There's no way to delegate that action safely without either giving the manager direct AD access — which most organizations aren't comfortable with — or keeping it in the queue. Both options are wrong.

How to Automate SAP to Active Directory User Sync Without a Script

The architectural fix is replacing the script layer with a maintained integration between SAP and your identity platform. Zluri connects to SAP as a source of truth using either native integration or its SDK connector, depending on your SAP configuration. When a new worker record is created in SAP with the relevant attributes — department, title, start date — Zluri detects it and uses that event as the trigger for everything downstream.

No daily batch sync. No script to maintain. No gap between when SAP is updated and when the AD account exists.

Zluri's LDAP Agent connects directly to your on-prem Active Directory to handle account creation, group assignment, and OU mapping. The same platform connects natively to Azure AD and Microsoft 365 via API. In a hybrid environment, both directories are addressed in the same playbook run — the on-prem account is created, the Azure AD record is provisioned, and the M365 license is assigned, all as steps in a single automated workflow triggered by the SAP event.

This replaces what currently requires three teams operating in sequence with a single automated chain that runs in minutes, not hours or days.

Self-Service Active Directory Group Management for Managers

The second half of the problem — getting routine decisions out of the IT queue — requires a delegation model that doesn't require giving managers direct directory access.

Zluri's self-service App Catalog and access request module handles this. Employees can browse approved applications and groups and submit a request directly from the Zluri portal or with a /accessrequest Slack command. The request routes automatically to whoever you designate as the owner for that group or application — the department head, the project lead, the manager — rather than landing in an IT queue.

The approver gets a notification in Slack or email. They approve or deny directly from that notification. When they approve, Zluri's provisioning playbook executes the change — adds or removes the user from the specified Azure AD or on-prem AD group — without an IT admin touching anything.

For something as simple as updating a group description or adding one person to a project group, this means the action takes minutes instead of days, and IT is not involved at all. The change is logged, the approver is on record, and the audit trail is clean.
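The request flow described above, as an added example that is not Zluri's code or any vendor's: a request routes to the group's designated owner, the owner decides from the notification, and only the playbook's service identity ever writes to the directory. The owners, the directory contents and the rule that privileged groups are never offered for self-service are constructed assumptions for this example.

```python
"""Delegated group-membership requests: owner approval, playbook execution, audit log.

Added illustration, not Zluri's or any vendor's code. Group owners, directory
contents and the privileged-group denylist are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed: designated owner per group. Requests route here, not to an IT queue.
GROUP_OWNERS = {
    "proj-apollo": "dana.lead",
    "finance-readers": "sam.head",
    "Domain Admins": "it.security",
}
# Assumption of this example: privileged groups are excluded from self-service.
SELF_SERVICE_DENYLIST = {"Domain Admins"}

# Constructed directory state (group -> members). Only execute_request() writes
# here; requesters and approvers never hold directory write access.
DIRECTORY = {
    "proj-apollo": {"dana.lead"},
    "finance-readers": {"sam.head", "kim.analyst"},
    "Domain Admins": {"it.security"},
}
AUDIT_LOG: list = []


@dataclass
class AccessRequest:
    requester: str
    subject: str              # user whose membership changes
    group: str
    action: str               # "add" or "remove"
    approver: Optional[str] = None
    decision: Optional[str] = None
    executed: bool = False


def is_self_service_eligible(group: str) -> bool:
    return group in GROUP_OWNERS and group not in SELF_SERVICE_DENYLIST


def submit_request(requester: str, subject: str, group: str, action: str) -> AccessRequest:
    """Validate the request and route it to the group's designated owner."""
    if action not in ("add", "remove"):
        raise ValueError("action must be 'add' or 'remove'")
    if not is_self_service_eligible(group):
        raise PermissionError(f"{group} is not available through self-service")
    req = AccessRequest(requester, subject, group, action, approver=GROUP_OWNERS[group])
    _audit("submitted", req, actor=requester)
    return req


def decide(req: AccessRequest, actor: str, approve: bool) -> AccessRequest:
    """Record the owner's decision from the notification. Only the designated
    owner may decide, and nobody may approve a change to their own access."""
    if req.decision is not None:
        raise RuntimeError("request already decided")
    if actor != req.approver:
        raise PermissionError(f"{actor} is not the owner of {req.group}")
    if approve and actor == req.subject:
        raise PermissionError("owners may not approve changes to their own access")
    req.decision = "approved" if approve else "denied"
    _audit(req.decision, req, actor=actor)
    if approve:
        execute_request(req)
    return req


def execute_request(req: AccessRequest) -> None:
    """Playbook step: the single code path that touches the directory."""
    if req.decision != "approved" or req.executed:
        return
    members = DIRECTORY[req.group]
    if req.action == "add":
        members.add(req.subject)
    else:
        members.discard(req.subject)
    req.executed = True
    _audit("executed", req, actor="playbook-service-account")


def _audit(event: str, req: AccessRequest, actor: str) -> None:
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": event, "actor": actor, "requester": req.requester,
        "subject": req.subject, "group": req.group, "action": req.action,
    })


def members_of(group: str) -> set:
    return set(DIRECTORY[group])


def audit_events(group: str) -> list:
    return [e["event"] for e in AUDIT_LOG if e["group"] == group]


if __name__ == "__main__":
    r = submit_request("kim.analyst", "kim.analyst", "proj-apollo", "add")
    decide(r, "dana.lead", approve=True)
    print(sorted(members_of("proj-apollo")))
    print(audit_events("proj-apollo"))
```

The point of the split between `decide` and `execute_request` is that the approver is on record without ever holding a directory credential: every change carries the requester, the approving owner and the executing service account in the same audit trail.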

Azure AD Provisioning Automation Across the Full Lifecycle

Provisioning is only half of the lifecycle problem. The deprovisioning side — removing a user from all the right places when they leave — is where most multi-team processes fall apart.

When an employee departs and their SAP record is updated, Zluri detects that change and triggers an offboarding playbook. The playbook revokes access across every connected application, removes the user from AD and Azure AD groups, reclaims the M365 license, and disables the account. Every step is logged.

For applications that don't have a direct API integration, the playbook generates a Manual Task assigned to the relevant owner with a tracked deadline. Nothing completes silently and nothing gets missed because it wasn't on someone's checklist.
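The single event-driven chain described in the SAP-to-AD section above and the offboarding playbook described here, as one added example that is not Zluri's code or any vendor's: one HR event drives joiner, mover or leaver steps against the on-prem directory, the cloud directory, the license pool and any application that has no API integration. Every step is idempotent, so a retried event adds no duplicate work. The field names, OU mapping, department entitlements and application names are constructed assumptions; a real run would call LDAP and the cloud directory API instead of mutating these dicts.

```python
"""Joiner / mover / leaver playbook driven by a source-of-truth event.

Added illustration, not Zluri's or any vendor's code. OU mapping, department
entitlements, app names and the dict-backed directories are assumptions.
"""
from dataclasses import dataclass, field

ONPREM: dict = {}          # sAMAccountName -> {"ou", "enabled", "groups"}
CLOUD: dict = {}           # UPN -> {"licensed", "groups"}
MANUAL_TASKS: list = []    # apps with no API integration get a tracked task
NO_API_APPS = {"legacy-erp-plugin"}
OU_BY_DEPARTMENT = {
    "Finance": "OU=Finance,DC=example,DC=local",
    "Engineering": "OU=Eng,DC=example,DC=local",
}
DEPARTMENT_GROUPS = {"Finance": {"finance-readers"}, "Engineering": {"eng-all"}}


@dataclass
class HrEvent:
    kind: str               # "hire", "change" or "terminate"
    worker_id: str
    sam: str
    upn: str
    department: str
    apps: set = field(default_factory=set)


def run_playbook(ev: HrEvent) -> list:
    """Run every step for one event and return the ordered step log.
    Each step is idempotent, so a retried or duplicate event adds no work."""
    handlers = {"hire": joiner, "change": mover, "terminate": leaver}
    if ev.kind not in handlers:
        raise ValueError(f"unknown event kind {ev.kind!r}")
    return handlers[ev.kind](ev)


def joiner(ev: HrEvent) -> list:
    steps = []
    ou = OU_BY_DEPARTMENT[ev.department]
    if ev.sam not in ONPREM:
        ONPREM[ev.sam] = {"ou": ou, "enabled": True, "groups": set()}
        steps.append(f"onprem:create {ev.sam} in {ou}")
    if ev.upn not in CLOUD:
        CLOUD[ev.upn] = {"licensed": False, "groups": set()}
        steps.append(f"cloud:provision {ev.upn}")
    if not CLOUD[ev.upn]["licensed"]:
        CLOUD[ev.upn]["licensed"] = True
        steps.append(f"cloud:assign-license {ev.upn}")
    return steps + _sync_groups(ev)


def mover(ev: HrEvent) -> list:
    if ev.sam not in ONPREM or ev.upn not in CLOUD:   # unknown worker: treat as a join
        return joiner(ev)
    steps = []
    ou = OU_BY_DEPARTMENT[ev.department]
    if ONPREM[ev.sam]["ou"] != ou:
        ONPREM[ev.sam]["ou"] = ou
        steps.append(f"onprem:move {ev.sam} to {ou}")
    return steps + _sync_groups(ev)


def leaver(ev: HrEvent) -> list:
    steps = []
    for name, store, key in (("onprem", ONPREM, ev.sam), ("cloud", CLOUD, ev.upn)):
        rec = store.get(key)
        if not rec:
            continue
        for g in sorted(rec["groups"]):
            steps.append(f"{name}:remove {key} from {g}")
        rec["groups"].clear()
    if ev.upn in CLOUD and CLOUD[ev.upn]["licensed"]:
        CLOUD[ev.upn]["licensed"] = False
        steps.append(f"cloud:reclaim-license {ev.upn}")
    if ev.sam in ONPREM and ONPREM[ev.sam]["enabled"]:
        ONPREM[ev.sam]["enabled"] = False
        steps.append(f"onprem:disable {ev.sam}")
    for app in sorted(ev.apps & NO_API_APPS):
        task = {"app": app, "user": ev.upn, "owner": f"owner-of-{app}",
                "due_days": 3, "status": "open"}
        if task not in MANUAL_TASKS:          # re-runs do not duplicate tasks
            MANUAL_TASKS.append(task)
            steps.append(f"manual-task:create revoke {app} for {ev.upn}")
    return steps


def _sync_groups(ev: HrEvent) -> list:
    """Make membership in both directories match the department's entitlement set."""
    steps = []
    wanted = DEPARTMENT_GROUPS[ev.department]
    for name, store, key in (("onprem", ONPREM, ev.sam), ("cloud", CLOUD, ev.upn)):
        current = store[key]["groups"]
        for g in sorted(wanted - current):
            steps.append(f"{name}:add {key} to {g}")
        for g in sorted(current - wanted):
            steps.append(f"{name}:remove {key} from {g}")
        store[key]["groups"] = set(wanted)
    return steps
```

The step log is what a practitioner would check after a run: a second delivery of the same event returns an empty log, a department change emits only the move and the group delta, and a termination for a user on an API-less application opens a tracked task rather than completing silently.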

Access certification campaigns add a third layer: on a schedule you define, managers are prompted to review their team members' access to specific groups and applications. A manager who sees that someone no longer needs access to a project group clicks Revoke, and Zluri executes the removal. This shifts the burden of deciding who belongs in a group from IT to the people who actually know.
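The certification campaign described above, as an added example that is not Zluri's code or any vendor's: each manager receives a review queue covering their reports' entitlements, a Revoke decision is executed when the campaign closes, and anything left unreviewed is escalated rather than silently treated as approved. The org chart, the entitlement snapshot and the escalation rule are constructed assumptions for this example.

```python
"""Access certification campaign: managers certify or revoke their reports' access.

Added illustration, not Zluri's or any vendor's code. The org chart, the
entitlement snapshot and the escalation of unreviewed items are assumptions.
"""
from dataclasses import dataclass

MANAGER_OF = {"kim.analyst": "sam.head", "lee.dev": "dana.lead", "pat.dev": "dana.lead"}
# Constructed entitlement snapshot: user -> set of (kind, name)
ENTITLEMENTS = {
    "kim.analyst": {("group", "finance-readers"), ("group", "proj-apollo")},
    "lee.dev": {("group", "eng-all"), ("app", "ci-admin")},
    "pat.dev": {("group", "eng-all")},
}


@dataclass
class ReviewItem:
    user: str
    kind: str
    name: str
    reviewer: str
    decision: str = "pending"   # pending | keep | revoke


def open_campaign() -> dict:
    """Build one review queue per manager covering every entitlement they own."""
    queue: dict = {}
    for user, ents in ENTITLEMENTS.items():
        mgr = MANAGER_OF.get(user)
        if mgr is None:
            raise ValueError(f"{user} has no manager; access cannot be certified")
        for kind, name in sorted(ents):
            queue.setdefault(mgr, []).append(ReviewItem(user, kind, name, mgr))
    return queue


def record_decision(item: ReviewItem, actor: str, decision: str) -> ReviewItem:
    """Only the assigned reviewer may decide, and only keep or revoke are valid."""
    if actor != item.reviewer:
        raise PermissionError(f"{actor} is not the reviewer for {item.user}")
    if decision not in ("keep", "revoke"):
        raise ValueError("decision must be 'keep' or 'revoke'")
    item.decision = decision
    return item


def close_campaign(queue: dict) -> dict:
    """Execute every revoke; escalate pending items instead of treating them as kept."""
    revoked, escalated = [], []
    for items in queue.values():
        for it in items:
            if it.decision == "revoke":
                ENTITLEMENTS[it.user].discard((it.kind, it.name))
                revoked.append((it.user, it.kind, it.name))
            elif it.decision == "pending":
                escalated.append((it.reviewer, it.user, it.kind, it.name))
    return {"revoked": revoked, "escalated": escalated}


if __name__ == "__main__":
    q = open_campaign()
    item = next(i for i in q["sam.head"] if i.name == "proj-apollo")
    record_decision(item, "sam.head", "revoke")
    print(close_campaign(q))
```

The escalation list is the part worth watching: a campaign that closes with reviewers who never responded should surface those items to someone, because an unreviewed entitlement that quietly stays in place is exactly the access accumulation the campaign exists to catch.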

A Note on SAP and Hybrid Setup

Zluri has native connectors for Azure AD and Microsoft 365. For on-prem Active Directory, the lightweight LDAP Agent handles discovery, syncing, and write-back without requiring changes to your existing AD infrastructure. SAP connectivity runs through Zluri's Integration SDK if a pre-built connector isn't available for your specific SAP configuration. Scope the SAP integration as an initial setup task — once it's configured, the source-of-truth trigger runs automatically and the daily sync script becomes redundant.

Frequently Asked Questions

How do you automate user provisioning in a hybrid Active Directory and Azure AD environment?

An IGA platform with connectors to both on-prem AD and Azure AD can trigger account creation, group assignment, and license allocation from a single HR or ERP source-of-truth event. Zluri uses an LDAP Agent for on-prem AD and native API integration for Azure AD and M365, so both directories are addressed in the same automated playbook run.

How do you replace a daily SAP-to-AD sync script with a managed integration?

Zluri connects to SAP as a source of truth and detects new or changed worker records without a batch sync job. When a record is created or updated, Zluri triggers downstream provisioning automatically. This eliminates the script maintenance burden and closes the gap between SAP updates and account availability.

How do you delegate AD group management to managers without giving them directory access?

A self-service request model lets managers approve or deny group membership changes through Slack or email without direct AD access. Zluri routes requests to the designated group owner, who approves from a notification, and the platform executes the change automatically with a full audit log.

What is the difference between provisioning and access certification in IGA?

Provisioning creates and manages access as part of the joiner/mover/leaver lifecycle. Access certification is a periodic review process where managers confirm that existing access is still appropriate. Both are necessary for compliance: provisioning ensures people get the right access at the right time, and certification ensures that access doesn't accumulate beyond what's needed.

See How Zluri Connects to Your SAP, On-Prem AD, and Azure AD Environment

See how Zluri connects to your SAP, on-prem AD, and Azure AD environment and maps to your current provisioning workflow — book a walkthrough specific to your hybrid setup, not a generic product overview.