The modern enterprise identity landscape relies on a delicate synchronization between Human Resources Information Systems (HRIS) and technical directories. While the industry standard is the “Joiner, Mover, Leaver” (JML) framework, an increasingly dangerous edge case is emerging: the Rescinded Hire.
This situation arises when a future start date is entered into an HR system such as Workday or SAP SuccessFactors, automatically triggering the creation of user accounts and hardware provisioning. If the individual never joins, due to a no-show or withdrawn offer, the expected employment event never materializes.
Instead of formally terminating the record, organizations often delete or retract it, creating a “vanishing act.” The result is a set of active, unmanaged “ghost accounts” in the directory, digital identities with no actual employee attached.
The Mechanics of HRIS “Vanishing Acts”
The challenge is primarily architectural. In a standard termination, the HR system sends a clear “Leaver” event that downstream systems recognize and act upon.
In a rescinded hire, however, the process is often reversed as though it never happened. Because no formal termination signal is sent, downstream identity platforms may misinterpret the absence of data, leaving provisioned accounts active and creating orphaned access.
Technical Definitions and Downstream Impacts
| HR Action | Workday Definition | SuccessFactors Context | Downstream Provisioning Impact |
|---|---|---|---|
| Rescind | Reverses a completed process, restoring data to its prior state. | Cancels a hire after “Manage Pending Hires” is complete. | Record disappears from API results; leads to orphaned accounts. |
| Cancel | Stops an in-progress process before it is finalized. | Used for declining job offers via “Mass Offer Approval”. | Usually prevents account creation if the trigger hasn’t fired. |
| Terminate | Ends an active work relationship with an effective date. | Standard “Leaver” process for active employees. | Triggers a definitive deprovisioning signal (e.g., accountEnabled = False). |
| Correct | Modifies attributes without reversing the process. | Adjusts hire dates or job attributes in Employee Central. | Updates attributes but typically keeps the account active. |
In Workday, a “Rescind” is a powerful action that can restore a worker’s profile to a null state. If an Identity Governance (IGA) tool is only looking for status changes (like “Active” to “Terminated”), it will miss the deletion because the record simply ceases to exist in the “Active Worker” reports.
Microsoft Entra ID: The Danger of SkipOutOfScopeDeletions
The Microsoft Entra ID provisioning service is often the first downstream recipient of HR data. How it handles missing records is governed by the SkipOutOfScopeDeletions property.
| Setting Value | Technical Behavior | Impact on Rescinded Hires |
|---|---|---|
| False (Default) | Accounts that go out of scope are disabled or soft-deleted. | Designed to catch rescinded hires and disable their Entra ID accounts. |
| True | Accounts that go out of scope are ignored and remain enabled. | Leaves rescinded hires as orphaned, active accounts indefinitely. |
Many organizations set this to “True” to prevent accidental mass deletions during HR maintenance. However, this creates a permanent backdoor for every rescinded hire. If HR deletes a record, Entra ID notes the user is gone, but the “True” flag forces it to skip the deactivation.
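As an added illustration (not code from the original article or from Microsoft), the following Python models the two signal paths described above: a Terminate keeps the worker in the HR feed and maps to accountEnabled = False through attribute mapping regardless of the flag, whereas a Rescind removes the record entirely, so the account can only be caught as an out-of-scope deletion, which SkipOutOfScopeDeletions = True suppresses. The feed snapshots and worker IDs are constructed.

```python
# Constructed HR feed snapshots: worker id -> status as the provisioning
# connector sees it. A terminated worker stays in the feed with status
# "Terminated" (Terminate action); a rescinded worker simply vanishes
# from the feed (Rescind action), as the table above describes.
PREVIOUS_FEED = {"W100": "Active", "W200": "Active", "W300": "Active"}
CURRENT_FEED = {"W100": "Active", "W200": "Terminated"}  # W300 was rescinded


def provisioning_decisions(previous, current, skip_out_of_scope_deletions):
    """Return {worker_id: accountEnabled} after one provisioning cycle.

    A record still present in the feed is in scope, so its attribute
    mapping decides the state (Terminated -> disabled). A record that has
    disappeared is an out-of-scope event: disabled by default, but left
    untouched when SkipOutOfScopeDeletions is True.
    """
    decisions = {}
    for worker_id in previous:
        if worker_id in current:
            decisions[worker_id] = current[worker_id] != "Terminated"
        elif skip_out_of_scope_deletions:
            decisions[worker_id] = True   # out of scope, but deletion skipped
        else:
            decisions[worker_id] = False  # default: out-of-scope account disabled
    return decisions


def orphaned_accounts(previous, current, skip_out_of_scope_deletions):
    """Workers with no HR record whose account is still enabled (ghost accounts)."""
    decisions = provisioning_decisions(previous, current, skip_out_of_scope_deletions)
    return sorted(w for w, enabled in decisions.items()
                  if enabled and w not in current)


if __name__ == "__main__":
    for flag in (False, True):
        print(f"SkipOutOfScopeDeletions={flag}: orphans =",
              orphaned_accounts(PREVIOUS_FEED, CURRENT_FEED, flag))
```

With the flag set to True, W200 (terminated) is still disabled because its record carries an explicit status, while W300 (rescinded) stays enabled with no HR record behind it.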
Managing the Lifecycle with Orchestration
To close this gap, organizations must transition from simple batch-syncing to comprehensive identity orchestration. ManageEngine’s IAM suite provides several mechanisms to catch rescinded hires before they become persistent vulnerabilities.
Automated HR-Driven Provisioning and De-provisioning
ManageEngine ADManager Plus integrates directly with HRMS platforms like Workday, SuccessFactors, and BambooHR. By using “Automation Policies,” IT teams can define a sequence of tasks that follow the JML lifecycle. For example, if an HRIS record is deleted or modified to a “rescinded” state, ADManager Plus can automatically identify the discrepancy and execute a de-provisioning policy that disables the AD account, revokes Microsoft 365 licenses, and deletes Exchange mailboxes simultaneously.
Workflow and Approval Layers
To prevent “ghost” accounts, organizations can implement a “Business Workflow” in ADManager Plus. This adds a manual review layer to the automated provisioning process. If a pre-hire’s status is in question, a technician can pause the final activation of the account until the candidate’s physical appearance is confirmed, effectively blocking access for rescinded hires at the doorstep.
Strategic Hardening:
Managing rescinded hires becomes more critical as Microsoft implements new security enforcements through 2026. These changes affect how all identity platforms, including ManageEngine, interact with hybrid environments.
- SyncJacking Protection: Microsoft will block account takeover attempts via “hard match abuse” in Entra Connect. For organizations managing rescinded hires in hybrid setups, this prevents malicious actors from “reclaiming” an orphaned cloud account by remapping it to a new, unauthorized on-premises identifier.
- MFA Enforcement: Mandatory MFA for the Azure portal will begin. While this reduces the risk of an orphaned account being used for administrative theft, it does not prevent lateral movement within the corporate network if “birthright” permissions (VPN or Slack) remain active.
- Legacy Auth Deprecation: Throughout 2026, legacy protocols like POP3 and SMTP AUTH will be permanently blocked. This helps ensure that orphaned accounts cannot be accessed via less secure, non-modern authentication methods.
Security Risks: Ghost Accounts and Lateral Movement
Orphaned pre-hire accounts are a high-value target for threat actors because they are unmanned. There is no legitimate user to notice suspicious password resets or unusual login locations.
- Lateral Movement: An attacker can compromise a low-level account and move laterally to an orphaned account with “birthright” permissions (VPN access, Slack, or MDM enrollment).
- Compliance Failures: Regulatory frameworks like NIST 800-53 (AC-2) and GDPR require the deactivation of unnecessary accounts. Auditors specifically look for active identities with no matching HR record as a sign of broken governance.
The Physical Gap: Bricking Ghost Hardware
The rescinded hire problem extends into IT Asset Management (ITAM). Hardware is often shipped weeks before a start date. When a hire is rescinded, organizations must recover assets from individuals who have no contractual ties (like a final paycheck) to leverage.
Best Practices for Asset Recovery:
- MDM Integration: Use the identity status to trigger a remote wipe or “Activation Lock” via Intune or Jamf, rendering the device a “brick”.
- Pre-Shipped Return Kits: Include a prepaid, branded return box in the initial equipment shipment.
- Automated Escalation: Use a schedule of notifications that transitions from “onboarding help” to “legal escalation” if equipment is not returned within a set window.
Operational Checklist for IT Leaders
To close the rescinded hire gap, architectural leaders should adopt an Event-Driven Architecture (EDA) model. Rather than waiting for nightly batch syncs, the HR “Rescind” event should emit a real-time signal that triggers a “Kill Switch” across all systems.
- Configure for Explicit Deletion: Set SkipOutOfScopeDeletions = False in Entra ID.
- Enable Advanced Aggregation: Use “Aggregate Rescinded Hires” in your IGA tool (e.g., SailPoint).
- Implement Time-Based Triggers: Use Entra Lifecycle Workflows to monitor for “ghosting” (accounts with X days of zero activity).
- Enforce RBAC Tiering: Defer high-privilege access until after the first successful login.
- Automate MDM Locking: Link hardware status directly to the identity lifecycle to automate device remediation.
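An added Python sketch of the time-based trigger and RBAC tiering checks from the list above (example code, not ManageEngine’s product logic or Microsoft’s Lifecycle Workflows): it flags enabled accounts whose hire date passed X days ago with no sign-in, accounts whose HR record has vanished, and pre-hires already holding privileged group membership before their first login. The account records, group names and the 7-day window are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass
class Account:
    upn: str
    hire_date: date
    enabled: bool
    last_sign_in: Optional[date]   # None: the account has never signed in
    in_hr_feed: bool               # still present in the current HRIS export
    groups: list = field(default_factory=list)

GHOST_WINDOW_DAYS = 7                                 # the "X days" of zero activity
PRIVILEGED_GROUPS = {"VPN-Users", "Tier0-Admins"}     # constructed group names

def classify(acct, today, window_days=GHOST_WINDOW_DAYS):
    """Place one account in a lifecycle state for the kill-switch decision."""
    if not acct.enabled:
        return "already-disabled"
    if not acct.in_hr_feed:
        return "rescinded-orphan"       # HR record vanished without a Leaver event
    if acct.last_sign_in is not None:
        return "joined"                 # first successful login has happened
    if today < acct.hire_date:
        return "pre-hire-pending"       # start date not reached yet
    if today - acct.hire_date >= timedelta(days=window_days):
        return "ghosted"                # start date passed, zero activity
    return "grace-period"

def policy_violations(accounts, today):
    """Return {upn: action} for accounts the kill switch or RBAC tiering should act on."""
    actions = {}
    for a in accounts:
        state = classify(a, today)
        if state in ("rescinded-orphan", "ghosted"):
            actions[a.upn] = f"disable:{state}"
        elif state in ("pre-hire-pending", "grace-period") and set(a.groups) & PRIVILEGED_GROUPS:
            actions[a.upn] = "defer-privileged-access"   # no privilege before first login
    return actions

# Constructed sample directory as of a fixed evaluation date
TODAY = date(2026, 3, 1)
SAMPLE = [
    Account("a.new@example.com", date(2026, 2, 10), True, None, True),
    Account("b.gone@example.com", date(2026, 2, 20), True, None, False),
    Account("c.soon@example.com", date(2026, 3, 9), True, None, True, ["VPN-Users"]),
    Account("d.here@example.com", date(2026, 2, 23), True, date(2026, 2, 23), True),
    Account("e.wait@example.com", date(2026, 2, 27), True, None, True),
]
```

Running `policy_violations(SAMPLE, TODAY)` yields a disable action for the ghosted and rescinded accounts and a deferral for the pre-hire that was granted VPN access early; the account still inside its grace window is left alone.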
Effective identity governance requires accounting for the reality that the “Joiner” process does not always end in an active employee. By bridging the gap between HR reversals and IT deprovisioning, enterprises can maintain a true Zero Trust posture.
Frequently Asked Questions (FAQs)
1. What is a “Rescinded Hire” in identity architecture?
A rescinded hire occurs when a future-dated employee record triggers account and asset provisioning, but the individual never joins. Instead of a formal termination, the HR record is often reversed or deleted, leaving active “ghost accounts” ripe for attackers.
2. Why is a rescinded hire different from a normal termination?
A standard termination sends a clear “Leaver” signal to identity systems. A rescind action often removes or reverses the record entirely, meaning no termination event is transmitted, causing downstream systems to miss deprovisioning triggers.
3. What are the downstream impacts of a rescind action?
When a record disappears from HR reports or APIs, identity platforms may leave accounts enabled. This creates orphaned access in Entra ID, Active Directory, SaaS platforms, and even VPN systems.
4. What security risks do ghost accounts introduce?
Ghost accounts are high-value targets because they are unmanned and often retain birthright permissions such as VPN, Slack, or MDM enrollment, which attackers can exploit for lateral movement or privilege escalation without detection.
5. Are there compliance implications?
Yes. Frameworks such as NIST 800-53 (AC-2) require the deactivation of unnecessary accounts, and active identities with no matching HR record are treated as red flags during audits.