Deployment scenarios are guidance on how to combine and test Microsoft Security products and services. You can discover how capabilities work together to improve productivity, strengthen security, and more easily meet compliance and regulatory requirements.
The following products and services appear in this guide:
- Microsoft Entra ID Governance
- Lifecycle workflows
- Microsoft Entra
- Microsoft Entra ID
- Microsoft Entra Connect
- Microsoft Entra Cloud Sync
- Azure Logic Apps
- Microsoft Graph
Use this scenario to help determine the need for Microsoft Entra ID Governance to create and grant access for your organization. Learn how you can provision your users effectively, securely, and consistently with employee lifecycle automation.
Timelines
Timelines show approximate delivery stage duration and are based on scenario complexity. Times are estimations and vary depending on the environment.
- HR provisioning - 3 hours
- Software-as-a-Service (SaaS) app provisioning - 1 hour
- Lifecycle workflows - 3 hours
Employee lifecycle automation
To streamline employee identity management, organizations are adopting modern solutions and automation. With identity management systems and technologies, IT staff can overcome limited manual procedures and instead enhance efficiency.
Microsoft Entra ID Governance
With the Microsoft Entra ID Governance solution, organizations improve productivity, strengthen security, and meet compliance and regulatory requirements. Use Microsoft Entra ID Governance to ensure the right people have the right access to the right resources at the right time. Learn more about Microsoft Entra ID Governance use cases and documentation.
Learn more about Microsoft Entra ID.
HR-driven provisioning
HR-driven provisioning creates digital identities from records in a human resources (HR) system, which becomes the source of authority. The HR record is the starting point for the provisioning processes that follow.
Learn more in the video about HR-driven provisioning with Microsoft Entra ID.
Cloud HR to Microsoft Entra ID
Users are created in Microsoft Entra ID and in other SaaS apps that support user provisioning. When employee records are updated in cloud HR, the user account is updated in Microsoft Entra ID and in the supported SaaS apps.
Deploy Workday to Microsoft Entra ID
- Select cloud HR provisioning connector apps.
- Design provisioning topology.
- Configure integration system user in Workday.
- Enable Workday provisioning connector.
- Start Workday and Microsoft Entra ID attribute mapping.
- (Optional) Configure Workday writeback in Microsoft Entra ID.
- Enable and launch provisioning.
Learn more in the video about HR-driven user provisioning with Workday.
Deploy SuccessFactors to Microsoft Entra ID
- Select cloud HR provisioning connector apps.
- Design provisioning topology.
- Create API user account in SuccessFactors.
- Create API permissions in SuccessFactors.
- Add SuccessFactors inbound connector app.
- Configure SuccessFactors attribute mappings.
- (Optional) Configure attribute writeback from Microsoft Entra ID to SAP SuccessFactors.
- Enable and launch provisioning.
Learn more in the video about HR-driven user provisioning with SuccessFactors.
Cloud HR to Active Directory
Use the following video to learn about API-driven inbound provisioning for on-premises Active Directory.
Deploy Workday to Active Directory
- Select cloud HR provisioning connector apps.
- Design provisioning topology.
- Configure integration system user in Workday.
- Add the Workday provisioning connector app for Active Directory; it requires the Microsoft Entra provisioning agent.
- Install and configure on-premises agents.
- Configure connectivity to Workday and Active Directory.
- Configure attribute mappings.
- Enable and launch user provisioning.
Deploy SuccessFactors to Active Directory
- Select cloud HR provisioning connector apps.
- Design provisioning topology.
- Create the API user account and API permissions in SuccessFactors.
- Add the SuccessFactors inbound provisioning app for Active Directory; it requires the Microsoft Entra provisioning agent.
- Install on-premises agents.
- Configure app connectivity to AD.
- Configure attribute mappings.
- Enable and launch user provisioning.
API-driven provisioning
Identity data in Microsoft Entra ID is kept in sync with workforce data managed in systems of record: an HR app, a payroll app, a spreadsheet, SQL tables in a database on-premises, or in the cloud. With application programming interface (API)-driven inbound provisioning, the Microsoft Entra provisioning service supports integration with systems of record.
Learn more:
- FAQ: API-driven inbound provisioning
- Grant access to the inbound provisioning API
- Learn to test provisioning API with Graph Explorer
API-driven provisioning scenarios
Typical users of API-driven provisioning are IT teams that import data extracts with automation, independent software vendors (ISVs) that integrate their products with Microsoft Entra ID, and system integrators that build connectors to systems of record. It is commonly used for sources such as flat files, CSV files, and SQL staging tables, and it can be driven from automation tools such as PowerShell scripts, Azure Logic Apps, and any workflow engine that can make HTTP calls.
Configure API-driven provisioning
You can learn to configure API-driven inbound provisioning.
Comparison: Inbound provisioning /bulkUpload API and Microsoft Graph Users API
Note the differences between the provisioning /bulkUpload API and the Microsoft Graph Users API endpoint. They differ in payload format (the /bulkUpload API accepts a SCIM bulk request; the Users API accepts a Graph user object), in operation result (the /bulkUpload API returns 202 Accepted and the provisioning service processes the records asynchronously, whereas the Users API applies the change synchronously), and in administrator control (records sent to /bulkUpload pass through the provisioning app's attribute mappings and scoping filters, so IT administrators retain control over what lands in the directory).
In an FAQ, learn how the new inbound provisioning API differs from Graph Users API.
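The payload-format difference above is easiest to see with a concrete request. The following is an added example in Python (not Microsoft's code and not code from this page) that turns a constructed HR extract into the SCIM bulk request the /bulkUpload API expects and prepares the Graph call. The service principal ID, job ID and token are placeholders; the endpoint path, `application/scim+json` content type and `SynchronizationData-User.Upload` permission follow the Microsoft Entra API-driven inbound provisioning documentation, while the per-request chunk size is a parameter you should align with the currently documented limit.

```python
"""Build SCIM bulk requests for the Microsoft Entra inbound provisioning
/bulkUpload API from an HR extract, and prepare the Graph request.

Added example, not Microsoft's code. SAMPLE_CSV is constructed data."""
import csv
import io
import json
import uuid

GRAPH = "https://graph.microsoft.com/v1.0"
SCIM_BULK = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed HR extract: the kind of flat file an IT team imports.
SAMPLE_CSV = """\
WorkerID,FirstName,LastName,Email,Department,ManagerID,Status
1001,Alice,Lee,alice.lee@contoso.com,Sales,2001,Active
1002,Bob,Chen,bob.chen@contoso.com,Marketing,2001,Terminated
"""


def hr_row_to_scim_user(row):
    """Map one HR record to a SCIM User resource. externalId carries the HR
    worker ID: the provisioning app's matching rule uses it to decide whether
    the record creates a new Microsoft Entra user or updates an existing one."""
    return {
        "schemas": [SCIM_USER, SCIM_ENTERPRISE],
        "externalId": row["WorkerID"],
        "userName": row["Email"],
        # Terminated workers arrive as active=false, which the mapping turns
        # into a disabled account rather than a missing one.
        "active": row["Status"].strip().lower() == "active",
        "name": {"givenName": row["FirstName"], "familyName": row["LastName"]},
        "emails": [{"primary": True, "type": "work", "value": row["Email"]}],
        SCIM_ENTERPRISE: {
            "employeeNumber": row["WorkerID"],
            "department": row["Department"],
            "manager": {"value": row["ManagerID"]},
        },
    }


def build_bulk_requests(csv_text, chunk_size=50):
    """Split an HR extract into SCIM BulkRequest payloads of at most
    chunk_size operations each (assumed limit; confirm against the docs).
    Every operation is a POST to /Users: create-versus-update is decided by
    the provisioning service, not by the HTTP method."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    payloads = []
    for start in range(0, len(rows), chunk_size):
        ops = [
            {
                "method": "POST",
                # bulkId correlates each result in the provisioning logs to a record.
                "bulkId": str(uuid.uuid4()),
                "path": "/Users",
                "data": hr_row_to_scim_user(r),
            }
            for r in rows[start:start + chunk_size]
        ]
        payloads.append({"schemas": [SCIM_BULK], "Operations": ops, "failOnErrors": None})
    return payloads


def prepare_bulk_upload(service_principal_id, job_id, payload, access_token):
    """Return (method, url, headers, body) for the /bulkUpload call.
    The token must carry SynchronizationData-User.Upload; the service
    answers 202 Accepted and processes the payload asynchronously."""
    url = (f"{GRAPH}/servicePrincipals/{service_principal_id}"
           f"/synchronization/jobs/{job_id}/bulkUpload")
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/scim+json",
    }
    return "POST", url, headers, json.dumps(payload)


if __name__ == "__main__":
    # Placeholder identifiers; a real run would send each prepared request with an HTTP client.
    for p in build_bulk_requests(SAMPLE_CSV):
        method, url, headers, body = prepare_bulk_upload("<sp-id>", "<job-id>", p, "<token>")
        print(method, url, len(body), "bytes")
```

Because the call returns 202 Accepted, success of the HTTP request says nothing about whether a record was provisioned; check the provisioning logs (keyed by the bulkId values above) for the outcome of each operation.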
Deploy API-driven inbound provisioning
- Create an API-driven provisioning app.
- For Active Directory, configure API-driven inbound provisioning app. For Microsoft Entra ID, configure API-driven inbound provisioning app.
- Grant access to inbound provisioning API
- Customize user provisioning attribute mappings
- Sync custom attributes
To learn more, see the following Quickstart guides about API-driven inbound provisioning with:
Outbound app provisioning
You can provision to Software-as-a-Service (SaaS) apps that expose an endpoint for the System for Cross-Domain Identity Management (SCIM) protocol.
Discover more about SCIM synchronization with Microsoft Entra ID.
Configure provisioning with a SCIM endpoint
SCIM 2.0 (RFC 7643 and RFC 7644) standardizes the user and group schema and a REST API built around two endpoints, /Users and /Groups. The Microsoft Entra provisioning service acts as the SCIM client: it queries the endpoint to find existing users, creates them, patches attributes (including setting a user inactive when access ends), and deletes them.
See the tutorial on developing and planning provisioning for a SCIM endpoint in Microsoft Entra ID.
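To show what an app on the receiving end of those two endpoints has to handle, here is an added example in Python of a minimal SCIM 2.0 /Users and /Groups request handler. It is not code from this page or from Microsoft, and it is not a web server: requests are dispatched to `handle()` directly, with an in-memory store, so the provisioning service's sequence (lookup by filter, create, patch, delete) can be exercised offline. It assumes the bearer-token check has already been done by the caller, supports only the `attribute eq "value"` filter form that the provisioning service uses for matching, and handles top-level attribute patches plus group member add and remove. Operation names are compared case-insensitively and boolean values are accepted as strings, because a client that sends `"Replace"` or `"False"` where the RFC says `replace` and `false` is a common source of SCIM interoperability failures.

```python
"""Minimal SCIM 2.0 /Users and /Groups handler (added example, in-memory,
no HTTP server). Assumes authentication happened before handle() is called."""
import re
import uuid
from urllib.parse import parse_qs, urlsplit

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
# Only the form the provisioning service uses to match users: attr eq "value"
FILTER_RE = re.compile(r'^(\w+)\s+eq\s+"([^"]*)"$', re.IGNORECASE)
MEMBER_RE = re.compile(r'^members\[value\s+eq\s+"([^"]*)"\]$', re.IGNORECASE)


def _error(status, detail):
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


def _as_bool(v):
    # Boolean attributes may arrive as the strings "True"/"False".
    return v if isinstance(v, bool) else str(v).lower() == "true"


class ScimStore:
    def __init__(self):
        self.resources = {"Users": {}, "Groups": {}}

    def handle(self, method, path, body=None):
        """Dispatch one request; path is e.g. '/Users?filter=userName eq "a"'.
        Returns (http_status, response_body)."""
        parts = urlsplit(path)
        segs = [s for s in parts.path.split("/") if s]
        if not segs or segs[0] not in self.resources:
            return _error(404, "unknown resource type")
        kind, rid = segs[0], (segs[1] if len(segs) > 1 else None)
        table = self.resources[kind]
        if method == "GET" and rid is None:
            return self._list(table, parse_qs(parts.query).get("filter", [None])[0])
        if method == "GET":
            return (200, table[rid]) if rid in table else _error(404, "not found")
        if method == "POST":
            return self._create(kind, table, body)
        if method == "PATCH":
            return self._patch(table, rid, body)
        if method == "DELETE":
            return (204, None) if table.pop(rid, None) is not None else _error(404, "not found")
        return _error(405, "method not supported")

    def _list(self, table, flt):
        if flt is None:
            found = list(table.values())
        else:
            m = FILTER_RE.match(flt.strip())
            if not m:
                return _error(400, "unsupported filter")
            attr, val = m.group(1), m.group(2)
            # userName is a case-insensitive identifier in SCIM: fold both sides.
            found = [r for r in table.values() if str(r.get(attr, "")).lower() == val.lower()]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(found), "startIndex": 1,
                     "itemsPerPage": len(found), "Resources": found}

    def _create(self, kind, table, body):
        key = "userName" if kind == "Users" else "displayName"
        if not body or key not in body:
            return _error(400, f"{key} is required")
        # The client expects 409 on a duplicate, not a silent second copy.
        if any(str(r[key]).lower() == str(body[key]).lower() for r in table.values()):
            return _error(409, f"{key} already exists")
        res = dict(body)
        res["id"] = str(uuid.uuid4())
        res.setdefault("schemas", [USER_SCHEMA if kind == "Users" else GROUP_SCHEMA])
        if kind == "Users":
            res["active"] = _as_bool(res.get("active", True))
        table[res["id"]] = res
        return 201, res

    def _patch(self, table, rid, body):
        res = table.get(rid)
        if res is None:
            return _error(404, "not found")
        for op in (body or {}).get("Operations", []):
            name = str(op.get("op", "")).lower()
            path, value = op.get("path"), op.get("value")
            member_rm = MEMBER_RE.match(path) if isinstance(path, str) else None
            if name in ("replace", "add") and path == "members":
                members = res.setdefault("members", [])
                present = {m["value"] for m in members}
                members.extend(m for m in value if m["value"] not in present)
            elif name == "remove" and member_rm:
                res["members"] = [m for m in res.get("members", []) if m["value"] != member_rm.group(1)]
            elif name in ("replace", "add") and path:
                # Disabling a user arrives here as path "active", value false.
                res[path] = _as_bool(value) if path == "active" else value
            elif name in ("replace", "add") and isinstance(value, dict):
                res.update(value)  # path-less operation carries attributes in value
            else:
                return _error(400, f"unsupported operation {op}")
        return 200, res
```

The lookup-by-filter before create matters for security as well as correctness: a 409 on a duplicate `userName` (compared case-insensitively) prevents the provisioning service from creating a second identity that shadows an existing one when an HR record's email changes only in letter case.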
Deploy SaaS sample-app provisioning
The Microsoft Entra ID application gallery displays available apps for user provisioning. Select up to four apps for your environment, or choose from these popular apps to enable automatic user provisioning:
(Optional) Provision to on-premises apps
On-premises app provisioning covers users and groups defined in the cloud, and custom schema extensions can be mapped to app-specific properties.
To learn more, go to app provisioning samples for SCIM-enabled apps.
Lifecycle workflows
Lifecycle workflows are an identity governance feature that manages Microsoft Entra users by automating Joiner, Mover, and Leaver events for employees. Use the feature to schedule tasks to run before, during, or after an event; workflows can also run on demand. With built-in tasks, you can generate temporary credentials, send emails, update user attributes and group memberships, and remove licenses.
Learn more in the overview of lifecycle workflow APIs.
Joiner
A Joiner is an individual who needs access. When you onboard new employees, use templates and workflows to make processes more efficient and faster.
Mover
A Mover is an individual moving between boundaries in an organization, for instance, the employee goes from a role in Sales to one in Marketing. The movement might require more, or different, access, and authorization.
Leaver
A Leaver no longer needs access, for example a terminated or retiring employee. Effective Leaver workflows reduce the risk of unauthorized data access after termination. Handle the Leaver's personal information in compliance with regulations and policies. Use customizable workflow templates for timely, reliable, and graceful removal of resource access.
Remove application access
The Microsoft Entra ID provisioning service keeps source and target systems in sync. When a user's access must end, deprovision the account in one of the following ways:
- Unassign the user from one or more applications.
- Delete the account from Microsoft Entra ID.
- Set the user's accountEnabled property to false.
Note
When a user is soft-deleted in Microsoft Entra ID, the provisioning service disables the user in the target application (sets it inactive) if the application supports that, rather than deleting it; the account in the target is deleted only after a hard delete.
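The three options above are not exclusive, and the order in which a Leaver workflow applies them matters: disable first so no new sign-in succeeds, revoke refresh tokens so existing sessions cannot renew, then remove application assignments (which lets the provisioning service deprovision the SaaS side), and delete the account only last and optionally, because a disabled account can be re-enabled while a deleted one is restorable only from deleted items for a limited window. The following is an added example in Python (not code from this page or from Microsoft) of that sequence against Microsoft Graph v1.0. The Graph operations used (`PATCH /users/{id}` with `accountEnabled`, `POST /users/{id}/revokeSignInSessions`, `GET` and `DELETE` on `/users/{id}/appRoleAssignments`, `DELETE /users/{id}`) are documented endpoints; the `send` callable and the `FakeGraph` stand-in are assumptions of this example so the sequence runs offline, and a real caller would pass an authenticated HTTP client.

```python
"""Ordered Leaver deprovisioning through Microsoft Graph v1.0.
Added example; `send` is an assumed injection point, FakeGraph is a
constructed stand-in for an authenticated client."""
GRAPH = "https://graph.microsoft.com/v1.0"


def deprovision_leaver(send, user_id, delete_account=False):
    """send(method, url, body) -> (status_code, parsed_json_or_None).
    Stops at the first unexpected status, so a partial run is visible.
    Returns the ordered list of (method, path) that were executed."""
    done = []

    def call(method, path, body=None, ok=(200, 204)):
        status, data = send(method, f"{GRAPH}{path}", body)
        if status not in ok:
            raise RuntimeError(f"{method} {path} returned {status}")
        done.append((method, path))
        return data

    # 1. Block new sign-ins first; nothing below matters while the account is enabled.
    call("PATCH", f"/users/{user_id}", {"accountEnabled": False}, ok=(204,))
    # 2. Invalidate refresh tokens so sessions already signed in cannot renew.
    call("POST", f"/users/{user_id}/revokeSignInSessions", ok=(200,))
    # 3. Unassign every application; the provisioning service then deprovisions
    #    the user in each SaaS target according to that app's mapping.
    assignments = call("GET", f"/users/{user_id}/appRoleAssignments", ok=(200,))
    for a in assignments.get("value", []):
        call("DELETE", f"/users/{user_id}/appRoleAssignments/{a['id']}", ok=(204,))
    # 4. Optionally soft-delete the account itself, last.
    if delete_account:
        call("DELETE", f"/users/{user_id}", ok=(204,))
    return done


class FakeGraph:
    """Constructed stand-in for an authenticated Graph client: records every
    request and answers with the status codes the real endpoints return."""

    def __init__(self, assignment_ids):
        self.assignment_ids = list(assignment_ids)
        self.log = []

    def __call__(self, method, url, body):
        self.log.append((method, url, body))
        if method == "GET" and url.endswith("/appRoleAssignments"):
            return 200, {"value": [{"id": i} for i in self.assignment_ids]}
        if method == "POST" and url.endswith("/revokeSignInSessions"):
            return 200, {"value": True}
        return 204, None


if __name__ == "__main__":
    client = FakeGraph(["assignment-1", "assignment-2"])
    for step in deprovision_leaver(client, "leaver-user-id", delete_account=True):
        print(*step)
```

Access tokens already issued stay valid until they expire even after `revokeSignInSessions`, so the disable step, not the revoke step, is what you should consider the cut-off time for audit purposes.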
Lifecycle workflows custom extensions
Use custom extensions to create workflows using tools like Azure Logic Apps. For workflows, you can enable custom task extensions to call out to external systems. For example, a Joiner workflow with a custom task extension assigns a Microsoft Teams number. Or, when a user becomes a Leaver, a separate workflow grants access to an email account for their manager. You can learn to trigger Logic Apps based on custom task extensions.
Note
To create a logic app resource for hosting, select Consumption. A consumption logic app has one workflow that runs in multitenant Azure Logic Apps.
To learn more, see the App Service Environment overview and Azure Logic Apps documentation.
Deploy lifecycle workflows
- Synchronize attributes
- Prepare user accounts
- Automate prehire tasks for employees
- Automate onboarding new employees
- Automate post-onboarding
- Real-time employee change
- Real-time employee termination
- Employee group membership changes
- Employee job profile change
- Automate preoffboarding
- Automate offboarding
- Automate post-offboarding
- Trigger Logic Apps with custom extensions
Supported tasks and workflows
The table lists supported tasks and workflows by Joiner, Mover, and Leaver status.