Automate onboarding & offboarding tasks with Microsoft Entra

Mechanics Team
9 min read · Jul 11, 2023


Identity Lifecycle Management

When users enter or leave your organization, automate manual steps to onboard and offboard with Microsoft Entra. For onboarding, manage user identities, grant permissions to access necessary information, and provide users with what they need to be productive, such as computer hardware. As people leave the organization, deprovisioning is critical to maintain security and compliance. Lifecycle Workflows in Microsoft Entra ID Governance can help with pre-built templates for common tasks.

Microsoft Entra is a complete identity management platform with everything you knew about Azure Active Directory, along with new capabilities. Identity lifecycle management automation removes many of the manual steps of everyday identity management tasks. With Lifecycle Workflows, users experience more consistency for better job satisfaction and reduced risk. It works with HR systems, like Workday and SuccessFactors, as part of the onboarding and offboarding workflow.

Jeremy Chapman, Director of Microsoft 365, walks through Identity Lifecycle Management automation in Microsoft Entra.

Decrease risk, increase consistency & job satisfaction.

Use Microsoft Entra Lifecycle Workflows — with HR systems like Workday and SuccessFactors — for onboarding and offboarding users with repeatable automation. Watch here.

Automate onboarding tasks with built-in workflow templates.

Get new users into the directory service, provision licenses, send welcome emails, provide access to intranet resources, and trigger computer hardware orders. Check it out.

Revoke Access & Reduce Risk.

Run real-time separation instantly and on demand with offboarding workflows, powered by the task-sequence automation of Identity Lifecycle Management in Microsoft Entra. See it here.


QUICK LINKS:

00:00 — Introduction

01:28 — Automate employee onboarding

04:19 — Automate employee offboarding

05:41 — Workflow history

06:58 — Built-in change tracking for version history

08:30 — Wrap up

Link References:

For more on lifecycle workflows, check out https://aka.ms/ILMDocs

Try it out at https://entra.microsoft.com

Unfamiliar with Microsoft Mechanics?

As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.


Video Transcript:

-Did you know that you can automate most of the manual steps to onboard and offboard users as they enter or leave your organization using Microsoft Entra? How you manage user identities in IT, along with just enough permissions for users to access necessary information, as well as any additional steps needed to provide users with what they need, like hardware, to be productive is critical to how effectively people can get up and running. Conversely, as people leave the organization, deprovisioning is just as critical to maintain security and compliance. That’s where Lifecycle Workflows and Microsoft Entra ID Governance can help with its prebuilt templates for common tasks. Now, if you’re not familiar with Microsoft Entra, it’s a complete identity management platform with everything you knew about Azure Active Directory, along with a number of new capabilities.

-Identity lifecycle management automation removes many of the manual steps for your everyday identity management tasks while helping you to improve your overall security posture. And it means users don’t need to spend days or weeks hunting down information, requesting access to important documents or getting a work-provided computer ordered and set up. Instead, with Lifecycle Workflows, not only do you save time, but users experience more consistency, which means better job satisfaction and reduced risk. And it also works with your HR systems, like Workday and SuccessFactors and others, as part of the onboarding and offboarding workflow. So let’s look at how Lifecycle Workflows automate common tasks starting with user onboarding.

-So here’s an example with new users already added to an HR system, Workday. Now we can see that there are three users who have already been created, and they’ve also been added to Microsoft Entra ID, formerly known as Azure AD. Now from the Entra portal, you can see Lisa Taylor’s profile and all the attributes were automatically mapped from Workday, including her hire date. So she is in the directory service but doesn’t yet have access to what she needs to get her job done. So let’s take care of that. In Lifecycle Workflows, I can easily create a custom workflow to run before an employee’s start date using one of the prebuilt workflow templates. Now these automatically detect users that match the conditions set in the workflow so you can save time. Now I’ll choose the pre-hire template, and I’ll give it a name, and I can already see that it’s set to run seven days before the employee’s hire date. The correct department is already set. So I’ll just set the state attribute for Washington state as an additional scope to tailor things further.

-Next, I’ll head over to review tasks, and this one is built in to generate a temporary access pass or TAP and send an email with the information Lisa needs to get started. Now this is important because Lisa might only have an offer letter from her hiring manager but won’t know how to access work resources. So now I’m going to add a few custom tasks to add her to the right groups for access to information. And beyond information access, we can also use the automation to do things like trigger ordering computer hardware and peripherals. And for that, I’ll choose a custom task extension to integrate with an external system that we use to purchase hardware. For the first group’s task, I’ll click in, search for marketing. There it is, add the group and then hit select and save. And with the security principle of least privilege, she only has access that’s needed for her to get her job done and nothing more.

-Next, I’ll configure the second task, which will order the new hardware using our external system. In this case, we want to create a ServiceNow ticket to trigger this. So I’ll just select my custom extension for ServiceNow hardware procurement. There it is, and hit save. And now I can review all of my parameters. Based on our schedule, the workflow will automatically run every hour, and matching our conditions, only apply to new marketing hires who are set to start in the next seven days in Washington state. Now I just need to hit create to confirm, and the workflow is enabled. So that’s an example of the pre-hire onboarding steps Microsoft Entra can automate to save time while giving users just enough access. Now let’s switch gears to another common scenario, employee offboarding and making sure that access to information and resources can be revoked automatically, quickly and consistently to reduce risk. Now using the built-in leaver templates, I’ve already set up real-time separation and post-offboarding workflows based on my company’s policies.

-Now I’ll show you a case where an employee is leaving to join a competitor. For that, I’m going to use the real-time separation on-demand workflow, which can run instantly in cases where access revocation timing is critical. Now this workflow will disable an account, removing it also from all Microsoft Teams. I’ll choose our user, Vance, and select, which will then kick off the workflow to run on demand, and then access has been revoked. Now beyond this case, for all other leaver scenarios, you can establish automated policies to enforce complete access revocation. For example, you might have a policy in place for managers to complete an offboarding checklist within 30 days for anyone leaving the organization.

-Lifecycle Workflows can also help when managers don’t complete offboarding checklists in time and also serve as a failsafe to take the additional steps for cleaning up access: removing group memberships and license assignments, sending an email to the manager and HR team, and finally, per policy, deleting those accounts. Additionally, as an employee goes through the offboarding process, your company policy or sometimes a regulatory requirement may stipulate that each task has been completed and that you have a full audit log of activities. So with Lifecycle Workflows, you can see a complete history for each employee, and within the workflow history, you can monitor the progress of workflows, like the one that we just kicked off for real-time separation with Vance. Because these might be multitask workflows running over a longer period of time, you can also drill in to see the status of individual tasks.

-So here, I’ll check the workflow history to view the details of previous workflow runs, including the status for our tasks. In fact, the workflow history is a great way to see a summary of either onboarding or offboarding runs as employees enter or leave your organization, and then troubleshoot the errors that you might find in the process. Here, we’re looking at the history for onboarding new hires, and you’ll see that there’s an issue with two of our runs. So I’ll drill into the first one to find out more. In the Users tab, I can see that one of the tasks has failed, which has left three remaining subsequent tasks unprocessed.

-Now moving into the Tasks tab from the workflow run, it looks like the welcome email has failed due to a missing or invalid email address. Lifecycle Workflows also have built-in change tracking with versioning to see changes made as people iterate on their workflows, for example, by adding or removing tasks. So here’s a list of eight workflows in our organization, and you can see which ones run on a schedule and which ones are enabled. In the right column, you’ll also see the number of versions that have been iterated on until now for each workflow. And it looks like this one for onboarding new hires has been revised quite a bit. Now when I drill into it, you’ll see the complete version history for the workflow.

-And if I look into the most recent version, I can see who created and modified the latest workflow, when it was created, and all the workflow details to make sure that there aren’t any issues that need to be corrected. Often, onboarding workflows will increase their number of tasks over time as you automate more and more of those manual processes. Version 10, in this case, has fewer tasks than before, with just three tasks: one to enable the account, then add it to Teams, and send a welcome email. If I’m familiar with this workflow, I can compare that with the previous version. In fact, I’m going to close out version 10, and then I’m going to look at version 7 to see its details. And you’ll see there are two more tasks: run a custom extension, remember, that’s our hardware procurement process from before, and generate a temporary access pass so that new hires have a way to sign into their work resources. Now I can use this information then to go back to my team and figure out why the change was made and potentially add those missing tasks back into our new hire workflow.

-So now you’ve seen how identity lifecycle management automation in Microsoft Entra can automate a lot of the manual tasks and steps for onboarding and offboarding users and how it supports troubleshooting and change management with automated tasks. To learn more, check out aka.ms/ILMDocs, and you can try it out today at entra.microsoft.com. Keep checking back to Microsoft Mechanics for the latest in tech updates. Hit subscribe, and thank you for watching.
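The pre-hire workflow built in the transcript (seven days before the hire date, scoped to Marketing hires in Washington, with a TAP-plus-email task, a group-membership task and a custom ServiceNow extension task) recreated with the Microsoft Graph PowerShell SDK, as an added example that is not the page's or Microsoft's own code. The group id, the extension id, the 'WA' state value and the task-name wildcard patterns are assumptions; the task catalog is queried so no task-definition GUIDs are hard-coded.

```powershell
# Added example, not code from the Microsoft Mechanics page or from Microsoft.
# Assumes Microsoft.Graph.Identity.Governance is installed and the signed-in admin
# holds LifecycleWorkflows.ReadWrite.All. Group id, extension id and the 'WA'
# state value are placeholders; the display-name patterns are assumed to match
# the task names shown in the Entra task catalog.
Connect-MgGraph -Scopes 'LifecycleWorkflows.ReadWrite.All'

$marketingGroupId = '00000000-0000-0000-0000-000000000000'  # placeholder: Marketing group
$procurementExtId = '11111111-1111-1111-1111-111111111111'  # placeholder: ServiceNow extension

# Resolve built-in task definition ids by name instead of hard-coding GUIDs;
# fail loudly if a pattern matches zero or several definitions.
$defs = Get-MgIdentityGovernanceLifecycleWorkflowTaskDefinition -All
function Get-TaskDefId([string]$Pattern) {
    $match = @($defs | Where-Object { $_.DisplayName -like $Pattern })
    if ($match.Count -ne 1) { throw "Expected exactly one task definition matching '$Pattern'" }
    return $match[0].Id
}

$params = @{
    displayName         = 'Pre-hire onboarding - Marketing (WA)'
    description         = 'TAP + welcome mail, group access, hardware ticket, 7 days before hire'
    category            = 'joiner'
    isEnabled           = $true
    isSchedulingEnabled = $true   # run on the tenant schedule, not only on demand
    executionConditions = @{
        '@odata.type' = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions'
        scope   = @{
            '@odata.type' = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet'
            rule          = "(department eq 'Marketing') and (state eq 'WA')"   # 'WA' assumed
        }
        trigger = @{
            '@odata.type'      = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger'
            timeBasedAttribute = 'employeeHireDate'
            offsetInDays       = -7   # negative offset: run before the hire date
        }
    }
    tasks = @(
        @{ displayName = 'Generate TAP and send welcome email'; isEnabled = $true; continueOnError = $false
           taskDefinitionId = (Get-TaskDefId '*TAP*Email*')
           arguments = @(@{ name = 'tapLifetimeMinutes'; value = '60' }, @{ name = 'tapIsUsableOnce'; value = 'true' }) }
        @{ displayName = 'Add to Marketing group'; isEnabled = $true; continueOnError = $false
           taskDefinitionId = (Get-TaskDefId '*Add User To*Groups*')
           arguments = @(@{ name = 'groupID'; value = $marketingGroupId }) }
        @{ displayName = 'Order hardware via ServiceNow'; isEnabled = $true; continueOnError = $true
           taskDefinitionId = (Get-TaskDefId '*Custom Task Extension*')
           arguments = @(@{ name = 'customTaskExtensionID'; value = $procurementExtId }) }
    )
}

$wf = New-MgIdentityGovernanceLifecycleWorkflow -BodyParameter $params
"Created workflow '$($wf.DisplayName)' with id $($wf.Id)"
```

The single-use, one-hour TAP keeps the initial credential short-lived, and scoping the rule to department plus state mirrors the least-privilege intent of the demo: only users matching both attributes are ever processed.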

