Can someone please give some details on what the AD user creation through the workflow does? We're only in PROD in a highly confidential user data info. as well as SharePoint is external facing. So I cannot risk doing some testing in PROD AD and PROD SharePoint before knowing all the risks/security areas.
Does the action create the user in a disabled state or enabled account? what about the access, does it automatically grants the access to all areas or the permissions/groups would be a different thing?
I'm not super aware of how AD works general, so the more details the better..
The Create AD User will create an entry in Active Directory and it will be active immediately. It also optionally autogenerates a password for the user. It will not add them to any groups or assign different permissions. There are other actions that you can use to add the newly created person to groups (e.g. Add user to AD Group, set item permissions).
There's more info in the help documentation.
For testing purposes you could create a new Organizational Unit (OU) for testing. Then make sure that no Group policies (GPO) or other automation are active on the new OU.
I have used this approach on several projects in the past.
End result: We will keep the newly created users in the test OU (new OU) that has no permissions, then manually someone will go in there and place it in the correct OU based on position/department/status. There is too many rules to think of to just to place the user in the correct OU and also trying to mitigate any security concerns for now.
we set an Expiry date (past date) on the account that is created. This way the user account is active but expired. This was needed in our case, as we provision different access based on that account. The user, even if they want to connect will not be able to connect as its an expired account.
Once we have set all in place, we set the account back to 'Not Expire'.
Also, we create the users in a New OU as Fredrik Andersen have mentioned.
Many ways, what works out best for your scenario should be considered.