Case Studies

Deep dives into real IAM and security projects I've worked on

IAM ServiceNow

Streamlining Access Management for Financial Services Company

Fixing broken provisioning workflows and reducing ticket backlog

  • 2,000+ Users
  • 40% Fewer Tickets
  • 3 Weeks Down to 2 Days

The Problem

When I joined the IAM team, our access provisioning process was a mess. New hires would wait 2-3 weeks for their accounts because everything went through manual tickets. The ServiceNow workflows weren't connected properly to Active Directory, so IT had to manually create accounts in multiple systems. Managers were constantly pinging us asking why their new employees couldn't access anything.

We had about 200-300 access requests sitting in the queue at any given time, and half of them had errors or missing information. Nobody wanted to touch the old workflows because they were held together with duct tape.

What I Did

First thing was mapping out what was actually broken. Turned out the ServiceNow integration with AD was using an outdated API that kept timing out. I rebuilt the connection using REST APIs and added proper error handling.

Then I redesigned the request form to catch common mistakes before submission - stuff like wrong email format or missing department codes. Added automated approvals for standard roles instead of routing everything through managers.

The biggest win was setting up role templates in One Identity. Instead of IT manually granting 15 different permissions for a "Sales Rep", they just assign the Sales Rep role and it provisions everything automatically.

What Changed

  • New hire provisioning went from 3 weeks to 2 days average
  • Access request tickets dropped by about 40% because the form catches errors upfront
  • IT team stopped getting angry emails from managers
  • We can actually handle onboarding spikes now without everything breaking
  • Offboarding got faster too - when someone leaves, all their access gets revoked automatically instead of lingering for months

Tech Stack

ServiceNow, One Identity Manager, Active Directory, Azure AD, PowerShell

Auth0 Security

Implementing MFA for Remote Workforce

Adding multi-factor authentication without pissing off 1,500 users

  • 1,500 Users
  • 95% Adoption Rate
  • 2 Months Rollout Time

Why We Did This

After a phishing incident where someone's credentials got stolen and used to access internal systems, management finally agreed we needed MFA. Problem was, our authentication was a custom-built mess from 2015 that nobody really understood anymore.

We were already planning to move to Auth0 anyway, so this became the perfect excuse to actually do it. Had to convince everyone that yes, it's worth paying for a proper solution instead of trying to bolt MFA onto our existing spaghetti code.

How We Rolled It Out

Started with IT and security teams as guinea pigs. They found a bunch of issues - authenticator app QR codes not working on older phones, SMS delivery being slow in some countries, that kind of thing. Fixed most of it before going wider.

Rolled out to everyone else in waves. Sales team first (they travel a lot and use public WiFi), then engineering, then everyone else. Made it optional for the first month so people could get used to it, then made it mandatory.

The key was making the enrollment process dead simple. One email with a link, scan QR code, done. If it takes more than 2 minutes, people won't do it.

What Actually Happened

  • Got 95% of people enrolled within 3 weeks (the other 5% needed hand-holding)
  • Support tickets for "I can't log in" actually went down because people stopped forgetting passwords
  • Blocked a few suspicious login attempts from weird locations that would've succeeded before
  • Some complaints about the extra step, but most people got used to it
  • Had to set up a few hardware tokens for people who refused to use their personal phones

Lessons Learned

SMS backup codes are clutch - saved us when people lost their phones or switched devices. Also learned to exclude service accounts from MFA requirements after breaking a few automated jobs. And testing on actual mobile devices (not just desktop) is critical because that's how most people enroll.
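The service-account lesson above, as an added example that is not the author's or Auth0's code: an Auth0 post-login Action that challenges every human login for MFA but exempts accounts flagged as service accounts, and only when they arrive through a client they are expected to use. The app_metadata fields service_account and allowed_clients are an assumed convention, not Auth0 defaults.

```javascript
// Added example (not the author's or Auth0's code). Assumed convention:
// service accounts carry app_metadata.service_account === true and
// app_metadata.allowed_clients, an array of Auth0 client IDs.

function decideMfa(event) {
  const meta = (event.user && event.user.app_metadata) || {};
  const clientId = event.client ? event.client.client_id : undefined;

  // Default for every human login: challenge for MFA.
  if (meta.service_account !== true) {
    return { action: 'mfa' };
  }

  // A flagged service account skips MFA only when it arrives through one
  // of its allow-listed clients; any other path is refused, so a leaked
  // service credential cannot simply be used interactively without MFA.
  const allowed = Array.isArray(meta.allowed_clients) ? meta.allowed_clients : [];
  if (clientId && allowed.includes(clientId)) {
    return { action: 'skip', reason: 'service account via allowed client' };
  }
  return { action: 'deny', reason: 'service account used from an unexpected client' };
}

// Auth0 post-login Action entry point.
async function onExecutePostLogin(event, api) {
  const decision = decideMfa(event);
  if (decision.action === 'mfa') {
    // 'any' accepts whichever factor the user enrolled (TOTP app or SMS);
    // allowRememberBrowser: false means the challenge happens on every login.
    api.multifactor.enable('any', { allowRememberBrowser: false });
  } else if (decision.action === 'deny') {
    api.access.deny(decision.reason);
  }
  // 'skip': no challenge; the login still appears in the tenant logs.
}

// Guard keeps the file runnable outside the Auth0 Actions runtime.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

Automated jobs that use a flagged account from an unexpected client are denied rather than silently let through, which shows up in the Auth0 tenant logs as a failed login to investigate.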

Tech Stack

Auth0, TOTP (Authenticator Apps), SMS Backup, OAuth 2.0