Microsoft employee transfer and termination
Microsoft, like every other organization, handles employee transfers and terminations as part of its normal business operations. When an employee changes positions or leaves the company, it is essential to revoke, in a timely manner, either all of their access privileges and eligibilities or those that are no longer necessary for their new role. To facilitate efficient access changes and revocations, Microsoft uses standardized procedures and automated processes to coordinate the Human Resources Information System (HRIS) with the Identity Management (IDM) system. Automated orchestration between these two systems is essential to maintaining operational consistency, preventing privilege creep, and reducing risks related to insider threats.
Microsoft online services are designed to operate without standing administrative access to production environments, instead using a Just-In-Time (JIT), Just-Enough-Access (JEA) model to provide engineers with the temporary role-based access needed to support their service.
To learn more about how Microsoft implements this access system, see Identity and access management.
Transfer and reassignment
Employee transfers are initiated through a transfer transaction request by the employee's manager. The manager creates a requisition and engages with Global Talent Acquisition for the offer letter process. Once the employee accepts the offer for the new role, HR services completes the transfer in the HR core tools, triggering IDM to set an expiration date for all the employee's eligibilities. The employee must submit a request and receive approval from their new manager to retain their eligibilities. Failure to submit a request or receive manager approval results in the revocation of the transferred employee's eligibilities. For transfers that include specific security implications, system accesses and security group memberships are reevaluated immediately to reflect their new role.
Termination
Microsoft uses clearly defined policies and procedures to promptly revoke physical and logical access to Microsoft systems and resources when an employee is terminated. When an employee gives their notice, the employee's manager enters the termination date into the HRIS. Following the employee's last working day, the HRIS marks the employee as terminated and shares the information with IDM, which removes all service team accounts and eligibilities automatically.
For involuntary terminations, HR works with the employee's manager to follow the appropriate steps to terminate and offboard the employee. Similar to a voluntary termination, the termination information is entered into the HRIS along with any necessary steps such as effective date coordination, access removal, and any other steps related to transitioning out of the role.