This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Lifecycle Workflows help your organization to manage Microsoft Entra users by increasing automation. With Lifecycle Workflows, you can:
Lifecycle Workflows are a Microsoft Entra ID Governance capability. The other capabilities are entitlement management, access reviews,Privileged Identity Management (PIM), and terms of use. Together, they help you address these questions:
Planning your Lifecycle Workflow deployment is essential to make sure you achieve your desired governance strategy for users in your organization.
For more information on deployment plans, see Microsoft Entra deployment plans.
Using this feature requires Microsoft Entra ID Governance or Microsoft Entra Suite licenses. To find the right license for your requirements, see Microsoft Entra ID Governance licensing fundamentals.
Consider your organizational needs to determine the strategy for deploying Lifecycle Workflows in your environment.
When technology projects fail, they typically do so because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, ensure that you're engaging the right stakeholders and that project roles are clear.
For Lifecycle Workflows, you'll likely include representatives from the following teams within your organization:
IT administration manages your IT infrastructure and administers your cloud investments and software as a service (SaaS) apps. This team:
Security Owner ensures that the plan meets the security requirements of your organization. This team:
Compliance manager ensures that the organization follows internal policy and complies with regulations. This team:
HR Representative - Assists with attribute mapping and population in HR provisioning scenarios. This team:
Development teams build and maintain applications for your organization. This team:
Communication is critical to the success of any new business process. Proactively communicate to users how and when their experience will change. Tell them how to gain support if they experience issues.
Lifecycle Workflows support shifting responsibility of manual processes to business owners. Establish clear process and understanding of each team’s responsibilities. Decoupling these processes from the IT department drives more accuracy and automation. This shift is a cultural change in the resource owner's accountability and responsibility. Proactively communicate this change and ensure resource owners are trained and able to use the insights to make good decisions.
This section introduces Lifecycle Workflow concepts you should know before you plan your deployment.
The following information is important information about your organization and the technologies that need to be in place before deploying Lifecycle Workflows. Ensure that you can answer yes to each of the items before attempting to deploy Lifecycle Workflows.
| Item | Description | Documentation |
|---|---|---|
| Inbound Provisioning | You have a process to create user accounts for employees in Microsoft Entra such as HR inbound from Workday or SuccessFactors, or MIM. Alternatively you have a process to create user accounts in Active Directory and those accounts are provisioned to Microsoft Entra ID. |
Workday to Active Directory Workday to Microsoft Entra ID SuccessFactors to Active Directory SuccessFactors to Microsoft Entra ID Microsoft Entra Connect Microsoft Entra Connect cloud sync API-driven inbound provisioning (Public preview) |
| Attribute synchronization | The accounts in Microsoft Entra ID have the employeeHireDate and employeeLeaveDateTime attributes populated. The values might be populated when the accounts are created from an HR system or synchronized from AD using Microsoft Entra Connect or cloud sync. You have extra attributes that are used to determine the scope such as department, populated or the ability to populate, with data. | How to synchronize attributes for Lifecycle Workflows |
Before you begin planning a Lifecycle Workflow deployment, you should become familiar with the parts of workflow and the terminology around Lifecycle Workflows.
The Understanding Lifecycle Workflows document uses the portal to explain the parts of a workflow. The Developer API reference Lifecycle Workflows document uses a Graph example to explain the parts of a workflow.
You can use this document to become familiar with the parts of workflow before deploying them.
The following table provides information that you need to be aware of as you create and deploy Lifecycle workflows.
| Item | Description |
|---|---|
| Workflows | 50 workflow limit per tenant |
| Number of custom tasks | limit of 25 per workflow |
| Value range for offsetInDays | Between -180 and 180 days |
| Workflow execution schedule | Default every 3 hours - can be set to run anywhere from 1 to 24 hours |
| Custom task extensions | Limit of 100 |
| On-demand user limit | You can run an on-demand workflow against a maximum of 10 users |
| Extensibility callback timeout limit | Min 3 minutes - Maximum 5 hours |
The following is additional information you should be aware of.
The following table provides a quick checklist of steps you can use when designing and planning your workflows.
| Step | Description |
|---|---|
| Determine your scenario | Determine what scenario you're addressing with a workflow |
| Determine the execution conditions | Determine who and when the workflow runs |
| Review the tasks | Review and add additional tasks to the workflow |
| Create your workflow | Create your workflow after planning and design. |
| Plan a pilot | Plan to pilot, run, and test your workflow. |
Before building a Lifecycle Workflow in the portal, you should determine which scenario or scenarios you wish to deploy. You can use the following table to see a current list of the available scenarios. These are based on the templates that are available in the portal and list the task associated with each one.
| Scenario | Predefined Tasks |
|---|---|
| Onboard prehire employee | Generate TAP and Send Email |
| Onboard new hire employee | Enable User Account Send Welcome Email Add User To Groups |
| Real-time employee termination | Remove user from all groups Remove user from all Teams Delete User Account |
| Pre-Offboarding of an employee | Remove user from selected groups Remove user from selected Teams |
| Offboard an employee | Disable User Account Remove user from all groups Remove user from all Teams |
| Post-Offboarding of an employee | Remove all licenses for user Remove user from all Teams Delete User Account |
| Real-time employee change | Run a Custom Task Extension |
| Employee group membership changes | Remove access package assignment for user Remove user from selected Teams Send email to notify manager of user move |
| Employee job profile change | Send email to notify manager of user move Remove user from selected groups Remove user from selected Teams Request user access package assignment |
Employee group membership changes
For more information on the built-in templates, see Lifecycle Workflow templates.
Now that you've determined your scenarios, you need to look at what users in your organization the scenarios apply to.
An Execution condition is the part of a workflow that defines the scope of who and the trigger of when a workflow will be performed.
The scope determines who the workflow runs against. This is defined by a rule that will filter users based on a condition. For example, the rule, "rule": "(department eq 'sales')" runs the task only on users who are members of the sales department.
The trigger determines when the workflow runs. This can either be, on-demand, which is immediate, or run on a schedule. Most of the predefined templates in the portal are based to run on a schedule when their trigger is met.
The scope of a workflow uses attributes under the rule section. You can add the following extra conditionals to further refine who the tasks are applied to.
You can also choose from the numerous user attributes as well.
However before selecting an attribute to use in your execution condition, you need to ensure that the attribute is either populated with data or that you can begin populating it with the required data.
Not all of these attributes are populated by default so you should verify with your HR administrator or IT administrators when using HR inbound cloud only provisioning, Microsoft Entra Connect, or cloud sync.
The following is some important information regarding time zones that you should be aware of when designing workflows.
For more information, see How to synchronize attributes for Lifecycle Workflows.
Now that we've determined the scenario and the who and when, you should consider whether the predefined tasks are sufficient or are you going to need extra tasks. The following table has a list of the predefined tasks that are currently in the portal. Use this table to determine if you want to add more tasks.
| Task | Description | Relevant Scenarios |
|---|---|---|
| Add user to groups | Add user to selected groups | Joiner - Leaver - Mover |
| Add user to selected teams | Add user to Teams | Joiner - Leaver - Mover |
| Assign licenses to users | Assign licenses to user | Joiner - Mover |
| Delete User Account | Delete user account in Microsoft Entra ID | Leaver |
| Disable User Account | Disable user account in the directory | Joiner - Leaver |
| Enable User Account | Enable user account in the directory | Joiner - Leaver |
| Generate TAP and Send Email | Generate Temporary Access Pass and send via email to user's manager | Joiner |
| Remove all licenses of user | Remove all licenses assigned to the user | Leaver |
| Remove user from all groups | Remove user from all Microsoft Entra group memberships | Leaver |
| Remove user from all Teams | Remove user from all Teams memberships | Leaver |
| Remove user from selected groups | Remove user from membership of selected Microsoft Entra groups | Joiner - Leaver - Mover |
| Remove user from selected Teams | Remove user from membership of selected Teams | Joiner - Leaver - Mover |
| Run a Custom Task Extension | Run a Custom Task Extension to callout to an external system | Joiner - Leaver - Mover |
| Send email after user's last day | Send offboarding email to user's manager after the last day of work | Leaver |
| Send email before user's last day | Send offboarding email to user's manager before the last day of work | Leaver |
| Send email on user's last day | Send offboarding email to user's manager on the last day of work | Leaver |
| Send Welcome Email | Send welcome email to new hire | Joiner |
| Send onboarding reminder email | Send onboarding reminder email to user’s manager | Joiner |
| Request user access package assignment | Request user assignment to selected access packages | Joiner - Mover |
| Remove access package assignment for user | Remove user assignment from selected access packages | Leaver - Mover |
| Remove all access package assignments for user | Remove all access packages assigned to the user | Leaver |
| Remove selected license assignments from user | Remove select license assignment from user | Leaver - Mover |
| Cancel all pending access package assignment requests for users | Cancel all pending access package assignment requests for users | Leaver |
For more information on tasks, see Lifecycle Workflow tasks.
If you're using a group or team task, the workflow needs you to specify the group or groups. In the following screenshot, you see the yellow triangle on the task indicating that it's missing information.
By selecting the task, you're presented with a navigation bar to add or remove groups. Select the "x groups selected" link to add groups.
Lifecycle Workflows allow you to create workflows that can be triggered based on joiner, mover, or leaver scenarios. While Lifecycle Workflows provide several built-in tasks to automate common scenarios throughout the lifecycle of users, eventually you could reach the limits of these built-in tasks. With the extensibility feature, you're able to utilize the concept of custom task extensions to call-out to external systems as part of a Lifecycle Workflow.
The scenarios for how a custom task extension interacts with Lifecycle Workflows can be one of three ways:
Now that you have design and planned your workflow, you can create it in the portal. For detailed information on creating a workflow, see Create a Lifecycle workflow.
We encourage customers to initially pilot Lifecycle Workflows with a small group of users or a single test user. Piloting can help you adjust processes and communications as needed. It can help you increase users' and reviewers' ability to meet security and compliance requirements.
In your pilot, we recommend that you:
For more information, see Best practices for a pilot..
Once you've created a workflow, you should test it by running the workflow on-demand.
Using the on-demand feature allows you to test and evaluate whether the Lifecycle Workflow is working as intended.
Once you have completed testing, you can either rework the Lifecycle Workflow or get ready for a broader distribution.
You can also get more information from the audit logs. These logs can be accessed in the portal under Microsoft Entra ID/monitoring. For more information, see Audit logs in Microsoft Entra ID and Lifecycle workflow history.
| Stage | Description |
|---|---|
| Determine the scenario | A prehire workflow that sends email to new manager. |
| Determine the execution conditions | The workflow runs on new employees in the sales department, two (2) days before the employeeHireDate. |
| Review the tasks. | We use the predefined tasks in the workflow. No extra tasks are added. |
| Create the workflow in the portal | Use the predefined template for new hire in the portal. |
| Enable and test the workflow | Use the on-demand feature to test the workflow on one user. |
| Review the test results | Review the test results and ensure the Lifecycle Workflow is working as intended. |
| Roll out the workflow to a broader audience | Communicate with stakeholders, letting them know that is going live and that HR will no longer need to send an email to the hiring manager. |
Learn about the following related technologies:
Training
Learning path
Solution Architect: Design Microsoft Power Platform solutions - Training
Learn how a solution architect designs solutions.
Certification
Microsoft Certified: Power Automate RPA Developer Associate - Certifications
Demonstrate how to improve and automate workflows with Microsoft Power Automate RPA developer.
Documentation
What are lifecycle workflows? - Microsoft Entra ID Governance
Get an overview of the lifecycle workflow feature of Microsoft Entra ID.
Understanding lifecycle workflows - Microsoft Entra ID Governance
Describes an overview of Lifecycle workflows and the various parts.
Create a lifecycle workflow - Microsoft Entra ID - Microsoft Entra ID Governance
This article guides you in creating a lifecycle workflow.