Security Groups in SharePoint What happens when someone leaves?

SharePoint 2013 doesn’t have dynamic security groups. It is based on the AD groups already in the organization. The users cannot be created in SharePoint only existing users in the organization can be added. The same happens in Office 365, you need to add the user for the entire organization either as a guest (free account), contact or organizational user.

This is from the Office 365 main menu and not internally to SharePoint

The users are added in this screen according to the different groups:

Now, the users can be added into specific groups or sites in SharePoint or any other Office 365 application. If a user deleted from here, and no longer exist as a user in the organization, he will disappear from the sites and groups preventing be ghost users in a SharePoint site. (At least according to what I have seen, I am sure there are some exceptions perhaps someone can comment?)

So What happens on premise? SharePoint 2013? Someone leaves the organization and than what?

Back in Share Point 2010 and before the so called “Ghost users” were very common phenomena especially when cutting the sites permissions from the main site which was easily done but extremely hard to govern.

There are 3rd party tools, based usually on Power-Shell commands that creates the dynamic groups ability in SharePoint. Those solutions are sometimes necessary when the organizational AD is poorly managed, the 2 teams (SharePoint and Active Directory) don’t have the best internal communication between them or the governance policy was defined separately. In smaller organizations, sometimes a delete Power-Shell function is used when someone leaves brutally deleting all the permissions by site collection. Not dynamic or efficient but works and leaves no tails of orphaned users. Remove-SPUser . Same can be applied for adding one.

The other way is to use the AZUE AD dynamic groups, which is very efficient for hybrid SP solutions (partially in the cloud and partially on premise). You still need to manage the users in AD and the groups.