IT support insights
Strategy · 10 April 2026 · 7 min read

Joiner-leaver for retail: built for churn, not for a 9-to-5 head office

Retail hires and lets go faster than almost any other sector. Identity processes designed for a head office break the moment they meet a Black Friday hiring surge.

Retail HR systems are built around volume and speed. A big retailer can hire a thousand seasonal staff in six weeks and let them go again four weeks later. Most identity processes, by contrast, are built around a measured professional services rhythm, where a joiner gets a welcome email, a calendar invite to an induction, and a laptop ordered three weeks in advance.

The mismatch shows up as ex-employees with active accounts months after they left, shared logins on the shop floor because nobody had time to provision properly, and access that lingers until somebody notices.

The risk profile is unusual

Retail joiner-leaver isn't risky in the same way that a finance hire is risky. The individual access rights are usually narrow: EPOS, scheduling, maybe Teams for a manager. The risk is volume. Multiply a small per-account risk by ten thousand accounts and a six-month average over-retention, and the exposure adds up.

More importantly, the seasonal pattern means a high proportion of active accounts at any moment belong to people who are not currently engaged with the business. That's the population most likely to fall for a phishing email targeted at their old employer, and most likely not to notice if their credentials are stolen.

What breaks first

Manual leaver tickets. Every retailer has had the conversation: HR is supposed to raise a leaver ticket with IT, who disables the account. In practice, the ticket lags by days or weeks because HR is dealing with the next intake. The leaver account stays live for far longer than anyone admits.

Shared accounts at the till. When provisioning can't keep up with hiring, stores improvise. A generic 'till1' login gets shared. Five years later, nobody knows who has the password, and the audit log is meaningless because every action attributes to a shared identity.

What to automate first

The leaver flow. Every retailer's biggest exposure is yesterday's seasonal hire still able to sign in to systems they no longer have a reason to touch. Hook Entra ID into the HR system so a leaver is disabled in minutes, not weeks. The integration is usually called HR-driven provisioning, and Microsoft, Workday, SAP SuccessFactors, BambooHR and HiBob all support it directly.

Pair it with a quarterly review of accounts that haven't signed in for 30 days. Anything that hasn't been touched in a month is either a duplicate, a leaver, or a forgotten service account. None of those should be active.
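A review of that kind, as an added example that is not from the article: Python over constructed Entra ID user records in the shape Microsoft Graph returns for `/users` with `signInActivity`, joined to a constructed HR export. The record values, the `example.invalid` UPNs and the HR export layout are assumptions. It also applies the 24-hour leaver measure from "What good looks like" below and keeps a new hire who has not signed in yet out of the stale list.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape Graph returns for
# GET /users?$select=userPrincipalName,employeeId,accountEnabled,createdDateTime,signInActivity
ENTRA_USERS = [
    {"userPrincipalName": "j.smith@example.invalid", "employeeId": "E1001", "accountEnabled": True,
     "createdDateTime": "2025-10-20T09:00:00Z", "signInActivity": {"lastSignInDateTime": "2026-04-09T08:12:00Z"}},
    # Seasonal hire HR marked as left in January; account never disabled.
    {"userPrincipalName": "a.patel@example.invalid", "employeeId": "E1002", "accountEnabled": True,
     "createdDateTime": "2025-11-03T09:00:00Z", "signInActivity": {"lastSignInDateTime": "2026-01-04T17:40:00Z"}},
    # Brand-new hire who has not signed in yet: must not be reported as stale.
    {"userPrincipalName": "c.lee@example.invalid", "employeeId": "E1003", "accountEnabled": True,
     "createdDateTime": "2026-04-06T09:00:00Z"},
    # No HR record, months idle: the 'till1' style shared or service account.
    {"userPrincipalName": "till1@example.invalid", "employeeId": None, "accountEnabled": True,
     "createdDateTime": "2021-02-01T09:00:00Z", "signInActivity": {"lastSignInDateTime": "2025-12-30T06:00:00Z"}},
    # Leaver that was disabled correctly: nothing to report.
    {"userPrincipalName": "m.khan@example.invalid", "employeeId": "E1004", "accountEnabled": False,
     "createdDateTime": "2025-11-03T09:00:00Z", "signInActivity": {"lastSignInDateTime": "2026-01-03T12:00:00Z"}},
]
# Constructed HR export (assumed layout): employeeId -> (status, leaving date or None).
HR_ROSTER = {"E1001": ("active", None), "E1002": ("left", "2026-01-05"),
             "E1003": ("active", None), "E1004": ("left", "2026-01-04")}

def _parse(ts):
    """Graph timestamps are UTC ISO-8601; fractional seconds are dropped."""
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

REVIEW_TIME = _parse("2026-04-10T12:00:00Z")  # constructed review date

def review_accounts(users, roster, now=REVIEW_TIME, stale_days=30, leaver_grace_hours=24):
    """Map UPN -> reasons for every enabled account that should not be enabled.
    'leaver': HR says left more than leaver_grace_hours ago; 'stale': no sign-in
    for stale_days (never-signed-in accounts are measured from creation instead);
    'unmatched': enabled but no HR record, i.e. a duplicate or service account."""
    findings = {}
    for u in users:
        if not u["accountEnabled"]:
            continue  # already in the desired end state
        reasons = []
        hr = roster.get(u.get("employeeId") or "")
        if hr is None:
            reasons.append("unmatched")
        elif hr[0] == "left" and now - _parse(hr[1] + "T00:00:00Z") > timedelta(hours=leaver_grace_hours):
            reasons.append("leaver")
        last = (u.get("signInActivity") or {}).get("lastSignInDateTime")
        if now - _parse(last or u["createdDateTime"]) > timedelta(days=stale_days):
            reasons.append("stale")
        if reasons:
            findings[u["userPrincipalName"]] = reasons
    return findings
```

Each UPN in the result is an account to disable or, for the unmatched ones, to trace to an owner before the next quarterly review.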

Provisioning that keeps up with hiring

The other half of the problem is the joiner flow. A seasonal hire who can't sign in on day one is a wasted shift. HR-driven provisioning solves the leaver side and also the joiner side: when HR creates the record, Entra ID creates the account, assigns the right group memberships, and applies the right licences automatically.

Combine that with a structured group model and conditional access, and a new starter has the right access from the first minute without anyone in IT touching it.

Getting rid of shared accounts

Shared till accounts are a habit that's hard to break, but modern EPOS systems all support per-user PINs over a shared device login. The device signs in once; staff identify themselves with a PIN, a card or a fingerprint per transaction.

That gives you the audit trail you actually need without slowing the till down. It also means that when a seasonal hire leaves, their PIN is revoked without affecting anyone else.

The MFA conversation

Multi-factor authentication is harder in retail than in professional services because the staff don't all have company phones. The workable pattern is to require MFA only for the systems that need it (head office, manager tools, anything internet-facing), use shared devices with strong physical controls for the till, and use FIDO2 keys or Windows Hello for users who do need MFA but don't have a phone.

Trying to mandate phone-based MFA for every seasonal hire is a fight you lose. Designing around the population you actually have is a fight you win.

What good looks like

A retail identity setup that's working has near-zero leavers still active after 24 hours, no shared logins at the till, MFA on every head office and manager account, and a clean quarterly review of inactive accounts. The IT team isn't manually processing tickets; the HR system is doing the work.

Once that's in place, the rest of the security posture gets dramatically easier, because the population of active accounts is finally smaller than the headcount on paper.

The audit trail

A well-run retail identity setup also produces a useful audit trail. Every joiner, every leaver, every access change is logged, attributed and reviewable. When a discrepancy or incident comes up - missing stock, an unusual transaction, an HR investigation - the data is there to answer the question quickly.

Without that trail, the conversation defaults to 'we think it was that person' and the resolution gets slow and uncomfortable. With it, the answer takes minutes and the trust in the wider system stays intact.
