Microsoft Entra ID Governance deployment guide for employee lifecycle automation

Deployment scenarios are guidance on how to combine and test Microsoft Security products and services. You can discover how capabilities work together to improve productivity, strengthen security, and more easily meet compliance and regulatory requirements.

The following products and services appear in this guide:

Use this scenario to help determine the need for Microsoft Entra ID Governance to create and grant access for your organization. Learn how you can provision your users effectively, securely, and consistently with employee lifecycle automation.

Timelines

Timelines show approximate delivery stage duration and are based on scenario complexity. Times are estimations and vary depending on the environment.

  1. HR provisioning - 3 hours
  2. Software-as-a-Service (SaaS) app provisioning - 1 hour
  3. Lifecycle workflows - 3 hours

Employee lifecycle automation

To streamline employee identity management, organizations are adopting modern solutions and automation. With identity management systems and technologies, IT staff can overcome limited manual procedures and instead enhance efficiency.

Microsoft Entra ID Governance

With the Microsoft Entra ID Governance solution, organizations improve productivity, strengthen security, and meet compliance and regulatory requirements. Use Microsoft Entra ID Governance to ensure the right people have the right access to the right resources at the right time. Learn more about Microsoft Entra ID Governance use cases and documentation.

Learn more about Microsoft Entra ID.

HR-driven provisioning

HR-driven provisioning creates digital identities based on a human resources (HR) system, which becomes the source of authority. This is the starting point for numerous provisioning processes.

Learn more in the video about HR-driven provisioning with Microsoft Entra ID.

Cloud HR to Microsoft Entra ID

Users are created in Microsoft Entra ID and in other SaaS apps that support user provisioning. When employee records are updated in cloud HR, the user account is updated in Microsoft Entra ID and in the supporting SaaS apps.

Deploy Workday to Microsoft Entra ID

  1. Select cloud HR provisioning connector apps.
  2. Design provisioning topology.
  3. Configure integration system user in Workday.
  4. Enable Workday provisioning connector.
  5. Start Workday and Microsoft Entra ID attribute mapping.
  6. (Optional) Configure Workday writeback in Azure AD.
  7. Enable and launch provisioning.

Learn more in the video about HR-driven user provisioning with Workday.

Deploy SuccessFactors to Microsoft Entra ID

  1. Select cloud HR provisioning connector apps.
  2. Design provisioning topology.
  3. Create API user account in SuccessFactors.
  4. Create API permissions in SuccessFactors.
  5. Add SuccessFactors inbound connector app.
  6. Configure SuccessFactors attribute mappings.
  7. (Optional) Configure attribute write-back from Entra ID to SAP SuccessFactors.
  8. Enable and launch provisioning.

Learn more in the video about HR-driven user provisioning with SuccessFactors.

Cloud HR to Active Directory

Use the following video to learn about API-driven inbound provisioning for on-premises Active Directory.

Deploy Workday to Active Directory

  1. Select cloud HR provisioning connector apps.
  2. Design provisioning topology.
  3. Configure integration system user in Workday.
  4. Provisioning connector app and Provisioning Agent.
  5. Install and configure on-premises agents.
  6. Configure connectivity to Workday and Active Directory.
  7. Configure attribute mappings.
  8. Enable and launch user provisioning.

Deploy SuccessFactors to Active Directory

  1. Select cloud HR provisioning connector apps.
  2. Design provisioning topology.
  3. Configure integration system user in Workday.
  4. SuccessFactors inbound provisioning app and agent.
  5. Install on-premises agents.
  6. Configure app connectivity to AD.
  7. Configure attribute mappings.
  8. Enable and launch user provisioning.

API-driven provisioning

Identity data in Microsoft Entra ID is kept in sync with workforce data managed in systems of record: an HR app, a payroll app, a spreadsheet, or SQL tables in a database on-premises or in the cloud. With application programming interface (API)-driven inbound provisioning, the Microsoft Entra provisioning service supports integration with these systems of record.

Learn more:

API-driven provisioning scenarios

IT teams import data extracts with automation. Independent software vendors (ISVs) integrate with Microsoft Entra ID. System integrators build connectors to systems of record. This process is commonly used for sources like flat files, CSV files, and SQL staging tables. It integrates with automation tools such as PowerShell scripts, Azure Logic Apps, and workflows that use HTTP calls.

Configure API-driven provisioning

You can learn to configure API-driven inbound provisioning.

Comparison: Inbound provisioning /bulkUpload API and Microsoft Graph Users API

Note the differences between the provisioning /bulkUpload API and the Microsoft Graph Users API endpoint: the payload format, the operation result, and the control that IT administrators retain over the provisioning process.

In an FAQ, learn how the new inbound provisioning API differs from Graph Users API.
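As an added example (not Microsoft's code), the following builds the SCIM BulkRequest payload that the inbound provisioning /bulkUpload API expects from a CSV extract of the kind described above; the CSV column names and worker rows are constructed here, and the call that sends the body is left out.

```python
"""Build the SCIM BulkRequest body that the Microsoft Entra inbound provisioning
/bulkUpload API accepts, from a CSV extract. Added example, not Microsoft's code;
the column names and worker rows below are constructed."""
import csv
import io

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
BULK_REQUEST = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
REQUIRED = ("WorkerID", "FirstName", "LastName", "Email", "Status")

# Constructed sample HR extract, the flat-file style system of record.
SAMPLE_CSV = """WorkerID,FirstName,LastName,Email,Department,ManagerID,Status
1001,Alice,Lee,alice.lee@contoso.example,Sales,2000,Active
1002,Bob,Ng,bob.ng@contoso.example,Marketing,2000,Terminated
"""


def row_to_scim_user(row: dict) -> dict:
    """Map one HR row to a SCIM core user plus the enterprise extension."""
    missing = [c for c in REQUIRED if not row.get(c)]
    if missing:
        raise ValueError(f"worker {row.get('WorkerID')!r} missing {missing}")
    return {
        "schemas": [SCIM_USER, SCIM_ENTERPRISE],
        "externalId": row["WorkerID"],        # key that ties back to HR
        "userName": row["Email"],
        "active": row["Status"] == "Active",  # terminated workers arrive disabled
        "name": {"givenName": row["FirstName"], "familyName": row["LastName"]},
        "emails": [{"primary": True, "type": "work", "value": row["Email"]}],
        SCIM_ENTERPRISE: {
            "employeeNumber": row["WorkerID"],
            "department": row["Department"],
            "manager": {"value": row["ManagerID"]},
        },
    }


def build_bulk_request(csv_text: str) -> dict:
    """One POST /Users operation per worker. The request is sent as
    Content-Type application/scim+json to the provisioning job's bulkUpload
    URL; the job's matching attribute turns repeats into updates, not duplicates."""
    rows = csv.DictReader(io.StringIO(csv_text))
    ops = [{"method": "POST", "bulkId": f"op{i}", "path": "/Users",
            "data": row_to_scim_user(row)} for i, row in enumerate(rows, 1)]
    return {"schemas": [BULK_REQUEST], "Operations": ops}
```

A row missing a required column raises before anything is uploaded, so a malformed extract fails as a whole rather than provisioning partial identities.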

Deploy API-driven inbound provisioning

  1. Create an API-driven provisioning app.
  2. For Active Directory, configure API-driven inbound provisioning app. For Microsoft Entra ID, configure API-driven inbound provisioning app.
  3. Grant access to the inbound provisioning API.
  4. Customize user provisioning attribute mappings.
  5. Sync custom attributes.

To learn more, see the following Quickstart guides about API-driven inbound provisioning with:

Outbound app provisioning

You can provision to Software-as-a-Service (SaaS) apps, using a System for Cross-Domain Identity Management (SCIM).

Discover more about SCIM synchronization with Microsoft Entra ID.

Configure provisioning with a SCIM endpoint

SCIM 2.0 is a standard that defines two endpoints, /Users and /Groups.

See more details in the tutorial: Develop and plan provisioning for a SCIM endpoint in Microsoft Entra ID.
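As an added example (not Microsoft's sample code), the following is a minimal in-memory model of the /Users endpoint described above, covering the calls the Microsoft Entra provisioning service makes: the filter lookup that precedes a create, the create itself, and the PATCH of active to false that is the soft delete the service sends when a user is unassigned or disabled (the deprovisioning case covered later in this guide). The HTTP layer is omitted; the class name and all user data are assumptions.

```python
"""Minimal in-memory SCIM 2.0 /Users endpoint covering the calls the Microsoft
Entra provisioning service makes: lookup by filter, create, deactivate.
Added example, not Microsoft's sample code; HTTP plumbing is left out."""
import re
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
FILTER_RE = re.compile(r'^(userName|externalId)\s+eq\s+"([^"]*)"$')


class ScimUsers:
    def __init__(self):
        self.users = {}  # id -> SCIM resource

    def get(self, filter_expr: str) -> dict:
        """GET /Users?filter=userName eq "x": the match step run before create."""
        m = FILTER_RE.match(filter_expr)
        if not m:
            raise ValueError("unsupported filter: " + filter_expr)  # 400 Bad Request
        attr, value = m.groups()
        found = [u for u in self.users.values() if u.get(attr) == value]
        return {"schemas": [LIST_RESPONSE], "totalResults": len(found), "Resources": found}

    def post(self, body: dict) -> dict:
        """POST /Users: create; a duplicate userName is a 409, not a second account."""
        if SCIM_USER not in body.get("schemas", []) or not body.get("userName"):
            raise ValueError("schemas and userName are required")  # 400
        if self.get(f'userName eq "{body["userName"]}"')["totalResults"]:
            raise KeyError("userName already exists")  # 409 Conflict
        user = dict(body, id=str(uuid.uuid4()), active=body.get("active", True))
        self.users[user["id"]] = user
        return user

    def patch(self, user_id: str, body: dict) -> dict:
        """PATCH /Users/{id}. Setting active=false is the soft delete the service
        sends when a user is unassigned or disabled; the record is kept."""
        user = self.users[user_id]  # missing id -> KeyError, 404 in HTTP terms
        if PATCH_OP not in body.get("schemas", []):
            raise ValueError("PatchOp schema required")
        for op in body["Operations"]:
            if op["op"].lower() != "replace":
                raise ValueError("only replace is handled here")
            # Accept both {"path": "active", "value": false} and {"value": {"active": false}}.
            value = {op["path"]: op["value"]} if op.get("path") else op["value"]
            user.update(value)
        return user
```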

Deploy SaaS sample-app provisioning

The Microsoft Entra ID application gallery displays available apps for user provisioning. Select up to four apps for your environment, or choose from these popular apps to enable automatic user provisioning:

(Optional) Provision to on-premises apps

Users and schema defined in the cloud support provisioning of custom schema extensions to app-specific properties.

To learn more, go to app provisioning samples for SCIM-enabled apps.

Lifecycle workflows

Lifecycle workflows are an identity governance feature to manage Microsoft Entra users by automating Joiner, Mover, and Leaver events for employees. Use the feature to schedule tasks for before, during, or after an event. Workflows can also run on demand. With built-in tasks, you can generate temporary credentials, send emails, update user attributes and memberships, and remove licenses.

Learn more in the overview of lifecycle workflow APIs.

Joiner

A Joiner is an individual who needs access. When you onboard new employees, use templates and workflows to make processes more efficient and faster.

Mover

A Mover is an individual moving between boundaries in an organization, for instance, an employee who goes from a role in Sales to one in Marketing. The move might require more, or different, access and authorization.

Leaver

The Leaver no longer needs access, such as terminated or retiring employees. Effective Leaver workflows reduce the risk of unauthorized data access after termination. Handle Leaver personal information in compliance with regulations and policies. Use customizable workflow templates for timely, reliable, and graceful resource-access removal.

Remove application access

The Microsoft Entra ID provisioning service keeps source and target systems in sync. Deprovision an account when user access must end.

  1. Unassign the user from one or more applications.

  2. Delete the account from Microsoft Entra ID.

  3. Set the AccountEnabled property to False.

    Note

    If an application supports the process, you can soft-delete users by default.

Lifecycle workflows custom extensions

Use custom extensions to create workflows using tools like Azure Logic Apps. For workflows, you can enable custom task extensions to call out to external systems. For example, a Joiner workflow with a custom task extension assigns a Microsoft Teams number. Or, when a user becomes a Leaver, a separate workflow grants access to an email account for their manager. You can learn to trigger Logic Apps based on custom task extensions.

Note

To create a logic app resource for hosting, select Consumption. A consumption logic app has one workflow that runs in multitenant Azure Logic Apps.

To learn more, see the App Service Environment overview and Azure Logic Apps documentation.

Deploy lifecycle workflows

  1. Synchronize attributes
  2. Prepare user accounts
  3. Automate prehire tasks for employees
  4. Automate onboarding new employees
  5. Automate post-onboarding
  6. Real-time employee change
  7. Real-time employee termination
  8. Employee group membership changes
  9. Employee job profile change
  10. Automate preoffboarding
  11. Automate offboarding
  12. Automate post-offboarding
  13. Trigger Logic Apps with custom extensions

Supported tasks and workflows

The table lists tasks and workflows by Joiner, Mover, or Leaver category.

Category               | Tasks and workflows
-----------------------|--------------------------------------------------------------------------------
Joiner                 | Send welcome email to new-hire
Joiner                 | Send onboarding reminder email
Joiner                 | Generate temporary access pass (TAP) and send it by email to the new-hire's manager
Mover                  | Send notification email to manager about a user move
Joiner, Mover          | Request user access package assignment
Joiner, Mover, Leaver  | Add user to groups
Joiner, Mover, Leaver  | Add user to teams
Joiner, Leaver         | Enable user account
Joiner, Mover, Leaver  | Run a custom task extension
Leaver                 | Disable user account
Joiner, Mover, Leaver  | Remove user from groups
Leaver                 | Remove user from all groups
Leaver                 | Remove user from teams
Leaver                 | Remove user from all teams
Leaver, Mover          | Remove user access package assignments
Leaver                 | Remove all user access package assignments
Leaver                 | Cancel all pending user access package assignment requests
Leaver                 | Remove all user license assignments
Leaver                 | Delete user
Leaver                 | Send email to user's manager before last day
Leaver                 | Send email to user's manager on last day
Leaver                 | Send email to user's manager after last day

Next steps