Picture this: a new hire shows up on their first day, but the PC is not set up, there is no mailbox, and the folders they need are locked. Or worse — an employee who left six months ago still has an active account and can log into corporate email. These two pictures are two sides of the same problem: an unmanaged employee IT lifecycle — the joiner, mover, and leaver process. ONYX builds this on top of centralized identity so that every step is controlled and auditable.
The problem: scattered accounts, access left open
When accounts live in separate applications instead of one central system, control is lost. An employee's email is in one place, their file-server access in another, their VPN account somewhere else entirely. The result:
- A new hire cannot start work on day one and waits for IT.
- When someone changes role, old access is never revoked — they keep "carrying" accumulated permissions.
- Closing every login for a departing employee gets forgotten, because no one fully knows what was opened where.
That last point is not just an HR matter — it is a direct security risk. An active account belonging to a former employee is a potential breach channel.
The fix: centralized identity
With Active Directory and Microsoft 365, all of an employee's access — PC login, email, files, applications — is managed from a single account. This turns the three stages of the lifecycle into a controlled process.
Joiner — the new hire
The account is created once, added to the right groups, and all access opens automatically. On day one the employee logs into their PC with their own account and finds email, folders, and applications ready. ONYX typically sets up standard templates so that the exact permissions each new role needs are defined in advance.
Mover — a change of role
When an employee moves to a different department or role, their group membership changes: old permissions come off, new ones go on. In a central system this is a single operation — there is no need to "fix" individual applications one by one.
Leaver — departure
When one account is disabled, all of that employee's access closes at the same moment: PC, email, files, VPN. Because it is managed from one point, the risk of "forgetting some login" disappears. This is the foundation of offboarding security.
Lifecycle security rules
ONYX applies these principles at its clients:
Single source
All accounts are managed from central identity, not scattered local logins.
Least privilege
Each employee gets access only to the resources their job needs, nothing extra.
Same-day closure
The account is disabled on the day of departure — any delay is a security gap.
Auditable process
Every grant and revocation is recorded: who received or lost which access, and when.
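An added example, not ONYX's own tooling: a Python audit that applies the leaver, mover, and least-privilege rules above to a directory export and an HR roster. The roster, the directory export, the role templates, and every account and group name are constructed sample data; a real check would read an export from Active Directory or Microsoft 365.

```python
from datetime import date

# Constructed role templates: the groups each role is meant to have (hypothetical names).
ROLE_TEMPLATES = {
    "accountant": {"All-Staff", "Finance-Share", "VPN-Users"},
    "sales": {"All-Staff", "CRM-Users"},
}

# Constructed HR roster: role and departure date (None = still employed).
HR_ROSTER = {
    "a.mammadov": {"role": "accountant", "left_on": None},
    "l.aliyeva": {"role": "sales", "left_on": None},  # moved from finance to sales
    "r.huseynov": {"role": "sales", "left_on": date(2024, 3, 1)},
}

# Constructed directory export: account state and group membership.
DIRECTORY = {
    "a.mammadov": {"enabled": True, "groups": {"All-Staff", "Finance-Share", "VPN-Users"}},
    "l.aliyeva": {"enabled": True, "groups": {"All-Staff", "CRM-Users", "Finance-Share"}},
    "r.huseynov": {"enabled": True, "groups": {"All-Staff", "CRM-Users"}},
    "svc.scanner": {"enabled": True, "groups": {"All-Staff"}},
}

def audit_lifecycle(roster, directory, templates, today):
    """Return a sorted list of (account, finding, detail) tuples."""
    findings = []
    for account, entry in directory.items():
        if not entry["enabled"]:
            continue  # a disabled account grants no access
        person = roster.get(account)
        if person is None:
            # Enabled account with no HR record: nobody owns its lifecycle.
            findings.append((account, "orphan", "no HR record"))
            continue
        left_on = person["left_on"]
        if left_on is not None and left_on <= today:
            # Leaver rule: the account must be disabled on the day of departure.
            days = (today - left_on).days
            findings.append((account, "leaver-enabled", f"{days} days overdue"))
            continue
        # Mover / least-privilege rule: groups beyond the role template.
        extra = entry["groups"] - templates.get(person["role"], set())
        if extra:
            findings.append((account, "excess-groups", ",".join(sorted(extra))))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_lifecycle(HR_ROSTER, DIRECTORY, ROLE_TEMPLATES, date(2024, 9, 1)):
        print(finding)
```

Run on a schedule, a check like this catches the two failure cases the article opens with: the former employee whose account is still enabled, and the mover who kept a previous role's groups.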
How ONYX sets this up
This is ONYX's real work, not theoretical advice:
- For MobilGroup, ONYX deployed a domain (Active Directory) and mail for 120 users across 5 branches — all accounts managed centrally.
- For Aselsan Azerbaijan, an Active Directory plus file and mail server was set up — a single, centralized identity.
In both cases the outcome is the same: accounts are managed from one place, a new hire starts quickly, and a departing employee's access is closed. Microsoft 365 and Active Directory deployment is part of ONYX's managed IT services; for broader infrastructure work, see our business solutions.
Take control of your employee accounts
Let us turn onboarding and offboarding into a process managed through centralized identity. Get in touch and we will assess your current setup.