Case Study Managed Services Automation

We automated employee onboarding and offboarding for 4,500 users across 3 continents — without building custom software

An MSP managing infrastructure for pharma, publishing, and education clients was running lifecycle management on manual tickets. Deboarded users had live account access for 24–48 hours after their last day. Here's the system that fixed it.

Christopher Wakare
April 2026
US-based client · Anonymised

From the deployment

Managed services provider — 4,500 users across 3 continents — 7 enterprise clients (pharma, publishing, education) — MS Graph + Power Platform

Before

3 full-time staff managing employee lifecycle manually across all 7 clients. Offboarding ran as a 6pm rush — triggered by hand, frequently delayed, with access staying live hours after departure. Overtime. Compliance exposure. Every time.

After

Fully scheduled and automated across all 6 client environments. Offboarding triggers within minutes of the scheduled time. 1 person part-time handles genuine exceptions. No overtime. No missed steps.

3 full-time → 1 part-time. Compliance exposure from delayed offboarding eliminated across 4,500 users.

The problem was not technical. It was operational.

A managed services provider running infrastructure for clients across the US, Asia-Pacific, and Europe — pharma companies, publishers, education institutions — was managing the full employee lifecycle for a combined headcount of 4,500 users.

Every time a client hired someone, the MSP's tech team had to:

  • Receive a ticket from the client's HR team
  • Manually create the user account in Azure AD
  • Allocate the appropriate Microsoft 365 license based on role
  • Add the user to the correct Azure AD groups and Microsoft Teams channels
  • Coordinate with the client's internal HR team for the onboarding process
  • Notify the reporting officer
  • Follow up across all these threads to confirm completion

And then do the entire reverse when someone left.

The tech team was not understaffed. The process was structurally broken. Every onboarding was a multi-ticket, multi-department coordination task that landed on Day 1 — when pressure to have everything ready was highest and the window to fix mistakes was smallest.

The compliance problem

Offboarding was worse than onboarding. When an employee left, licenses weren't deallocated immediately. Deboarded users had live Microsoft 365 access for 24–48 hours after their last day. In regulated industries like pharma, that's not a process inefficiency — it's a compliance exposure.

HR teams were not relieved by any of this. They were the ones tracking whether every step had been completed, chasing ticket status across departments, and managing the experience of a new hire whose laptop wasn't ready or whose reporting officer hadn't been notified. Multiple tickets, multiple departments, manual follow-up — every single hire.

What we built: an MS Graph + Power Platform lifecycle automation

The solution has two parts: a scheduling interface and an automated execution layer.

Part 1 — scheduling via a low-code portal

Client HR teams now submit onboarding and offboarding requests through a low-code portal form — typically 7 to 14 days in advance of the effective date. The form captures employee details, role, department, reporting officer, user group (which determines license tier), and the start or exit date.

The ticket queue is gone. The MSP's tech team is not in the loop for routine cases.

Part 2 — automated execution on the scheduled date

Onboarding workflow — triggers automatically on start date

  1. User account created in Azure AD: MS Graph API provisions the account with correct attributes and group memberships
  2. License allocated by user group: Role and department determine the license tier — no manual SKU selection required
  3. Added to Microsoft Teams groups: User lands in the right channels on Day 1, without any manual additions
  4. Reporting officer notified: Automated notification with new hire details and access confirmation
  5. HR confirmed: Completion confirmation sent — no follow-up tickets required

Offboarding workflow — triggers on exact exit date

  1. Licenses deallocated on schedule: MS Graph removes M365 license assignments at the time specified — not when someone closes a ticket
  2. Removed from Azure AD groups and Teams: Account access revoked across all groups simultaneously
  3. Deactivated account: Account deactivated in Azure AD
  4. Stakeholders notified: HR and reporting officer receive offboarding confirmation automatically

The tech stack is Microsoft Graph API for identity and license operations, Power Automate for workflow orchestration, and a low-code portal built on Power Platform for the front-end form. No custom software. No new systems for clients to learn.
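
The Graph operations behind offboarding steps 1 to 3, written out as Microsoft Graph JSON batch payloads. This is an added example, not code from the deployment described here; it assumes the steps map to the `assignLicense`, group member `$ref` and user update endpoints, and every identifier in it is a constructed placeholder.

```python
# Added illustration: builds Graph $batch payloads only; nothing is sent.
GRAPH_BATCH_LIMIT = 20  # Graph JSON batching accepts at most 20 requests per call

def offboarding_steps(user_id, sku_ids, group_ids):
    """Ordered Graph requests in the same sequence as the offboarding workflow."""
    steps = [{  # 1. remove M365 license assignments
        "method": "POST",
        "url": f"/users/{user_id}/assignLicense",
        "body": {"addLicenses": [], "removeLicenses": list(sku_ids)},
    }]
    for gid in group_ids:  # 2. remove the user from each group
        steps.append({"method": "DELETE",
                      "url": f"/groups/{gid}/members/{user_id}/$ref"})
    steps.append({  # 3. deactivate the account
        "method": "PATCH",
        "url": f"/users/{user_id}",
        "body": {"accountEnabled": False},
    })
    return steps

def to_batches(steps, limit=GRAPH_BATCH_LIMIT):
    """Split steps into $batch bodies; dependsOn keeps order inside each batch.

    Batches must be POSTed to /v1.0/$batch one after another, in list order.
    """
    batches = []
    for start in range(0, len(steps), limit):
        requests = []
        for offset, step in enumerate(steps[start:start + limit]):
            req = {"id": str(offset + 1), **step}
            if "body" in step:
                req["headers"] = {"Content-Type": "application/json"}
            if offset > 0:
                req["dependsOn"] = [str(offset)]  # run after the previous request
            requests.append(req)
        batches.append({"requests": requests})
    return batches

# Constructed sample identifiers (placeholders, not from any real tenant).
SAMPLE_USER = "11111111-1111-1111-1111-111111111111"
SAMPLE_SKUS = ["22222222-2222-2222-2222-222222222222"]
SAMPLE_GROUPS = [f"33333333-3333-3333-3333-{n:012d}" for n in range(25)]

if __name__ == "__main__":
    import json
    plan = to_batches(offboarding_steps(SAMPLE_USER, SAMPLE_SKUS, SAMPLE_GROUPS))
    print(len(plan), "batches;", json.dumps(plan[-1]["requests"][-1]))
```

If one request fails, Graph returns 424 (Failed Dependency) for the requests chained after it, so whatever runs the batch has to check every response and alert when the final `accountEnabled` update did not complete.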

The deeper move was connecting disconnected systems — HR's intake form, Azure AD, M365 licensing, mailbox provisioning, and the audit log — into a single orchestrated flow. The portal is the visible surface; the orchestration layer underneath is what removes the manual coordination.

What changed: provisioning latency, license reclamation, audit trail

  • Days → Hours: Time to full provisioning, from ticket raise to completion
  • Zero: Manual follow-up required for standard onboarding and offboarding
  • On-time: License deallocation at exact exit date — no more open access windows

For the tech team: Routine onboarding and offboarding no longer occupies their day. Exceptions — edge cases, role changes mid-process, custom configurations — are the only things that require human attention.

For HR teams: They submit once, in advance, and receive a confirmation when it's done. The overhead of tracking whether the laptop was provisioned, whether the reporting officer was notified, whether the license was active — gone.

For new hires: Day 1 infrastructure is ready. Not later that week.

For compliance: License deallocation happens at the scheduled time. Orphaned accounts and open access windows after offboarding are no longer a risk. This matters most in the pharma segment, where the MSP's clients operate under regulatory environments where access control is an audit point.
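
One way to verify that the access window really is closed is to compare the scheduled exit times against a snapshot of the directory. The check below is an added example, not part of the deployment described here: `exitAt` is a hypothetical portal field, the user records are constructed, and only the property names (`accountEnabled`, `assignedLicenses`, `signInActivity`) come from the Graph user resource.

```python
from datetime import datetime, timedelta, timezone

def parse_ts(value):
    """Parse a Graph-style UTC timestamp such as 2026-03-31T18:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_offboarding(schedule, users, now, grace=timedelta(minutes=15)):
    """Return (upn, finding, delta) for leavers whose access outlived the exit time."""
    by_upn = {u["userPrincipalName"].lower(): u for u in users}
    findings = []
    for entry in schedule:
        exit_at = parse_ts(entry["exitAt"])
        upn = entry["userPrincipalName"].lower()
        user = by_upn.get(upn)
        if user is None or now < exit_at + grace:
            continue  # object already gone, or offboarding not yet due
        if user.get("accountEnabled"):
            findings.append((upn, "account_enabled", now - exit_at))
        if user.get("assignedLicenses"):
            findings.append((upn, "license_assigned", now - exit_at))
        last = (user.get("signInActivity") or {}).get("lastSignInDateTime")
        if last and parse_ts(last) > exit_at:
            findings.append((upn, "sign_in_after_exit", parse_ts(last) - exit_at))
    return findings

# Constructed sample data: one missed leaver, one clean leaver, one future exit.
SCHEDULE = [
    {"userPrincipalName": "a.leaver@example.com", "exitAt": "2026-03-31T18:00:00Z"},
    {"userPrincipalName": "b.leaver@example.com", "exitAt": "2026-03-31T18:00:00Z"},
    {"userPrincipalName": "c.future@example.com", "exitAt": "2026-04-30T18:00:00Z"},
]
USERS = [
    {"userPrincipalName": "A.Leaver@example.com", "accountEnabled": True,
     "assignedLicenses": [{"skuId": "22222222-2222-2222-2222-222222222222"}],
     "signInActivity": {"lastSignInDateTime": "2026-04-01T09:12:00Z"}},
    {"userPrincipalName": "b.leaver@example.com", "accountEnabled": False,
     "assignedLicenses": [],
     "signInActivity": {"lastSignInDateTime": "2026-03-30T08:00:00Z"}},
    {"userPrincipalName": "c.future@example.com", "accountEnabled": True,
     "assignedLicenses": [{"skuId": "22222222-2222-2222-2222-222222222222"}]},
]
NOW = datetime(2026, 4, 1, 18, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for upn, finding, delta in audit_offboarding(SCHEDULE, USERS, NOW):
        print(f"{upn}: {finding} ({delta} past exit)")
```

Run on a schedule against each client tenant, a non-empty result is the signal that an offboarding ran late or partially.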

What's next: replacing Power Automate with Python

The current implementation uses Power Automate for workflow orchestration. Phase 2, currently being scoped, replaces Power Automate with a Python-based automation framework — keeping the same MS Graph integrations, the same portal experience, and the same functional outcomes, but removing the per-user Power Automate licensing cost entirely.

For an MSP managing 4,500 users across multiple client environments, that licensing delta is significant. The same automation capability at lower per-client cost changes what the MSP can offer and at what margin as managed headcount grows. It also removes dependency on a licensed platform for a workflow that, once built, doesn't need it.

We'll publish a follow-up piece when Phase 2 is scoped and live.

A note on applicability

This was built for an MSP, but the underlying problem — manual, multi-department, Day 1-dependent onboarding with compliance exposure at offboarding — exists in most mid-market operations teams running on Microsoft infrastructure. The architecture is not MSP-specific. If your onboarding still runs on ticket queues, the same approach applies.
