As announced on June 7, 2023, Microsoft Entra ID Governance is now generally available, including one of our newest capabilities: Lifecycle Workflows (LCW). I'm thrilled to share more about the rich set of capabilities in LCW, including enhancements and improvements we’ve made since public preview.
User identity lifecycle is a critical part of an organization’s security posture, and when managed correctly, it can have a positive impact on user productivity for Joiners, Movers, and Leavers (JML). The ongoing digital transformation is accelerating the need for good identity lifecycle management. However, IT and security teams face enormous challenges managing the complex, time-consuming, and error-prone manual processes necessary to execute the required onboarding and offboarding tasks for hundreds of employees at once. This is an ever-present and complex issue IT admins continue to face with digital transformation across security, governance, and compliance. Taking a closer look at the identity lifecycle challenges we can see that:
At Ignite 2022, we announced the public preview of Lifecycle Workflows, which adds automated, enterprise-grade user lifecycle management capabilities for organizations to modernize their identity lifecycle management and help IT admins address these challenges. Since then, hundreds of organizations across the globe have tried the feature and provided feedback. We’ve updated LCW to help IT pros save even more time, reduce errors, and avoid costly delays using a simple, intuitive experience. Now they can automate and streamline repetitive joiner, mover, and leaver tasks to help new employees and those with role changes to be productive immediately. They can also ensure access is removed as soon as employees leave the organization.
Let’s explore how LCW helps IT Pros automate repetitive tasks in the user lifecycle management process, saving time, reducing risks, and allowing employees to be productive faster.
Normally, onboarding new employees requires the manual generation of several tickets for IT to process and a set of disconnected steps that IT must complete. Often, the result is that the new employee is missing required access to apps, Microsoft Teams group memberships, initial sign-in credentials, and so on. Processing the service tickets, and potentially tracking down erroneous or missing steps, takes significant time and effort for IT admins, while also negatively impacting user productivity.
As the IT admin, you are responsible for managing this process. Using Lifecycle Workflows, you can create a custom workflow in just a few steps that, based on the employee start date, enables the user account, sends a welcome e-mail to the new employee, adds the employee to the marketing group, and creates a ServiceNow ticket using our built-in Logic Apps extensibility.
Let’s look at how to make this happen!
Step 1: Configure a custom workflow using an out-of-the-box workflow template that fits your scenario.
The Woodgrove admin, Lisa, goes to Entra Identity Governance -> Lifecycle Workflows and clicks on Create workflow to choose a built-in workflow template that fits her scenario. In this case, she chooses the Onboard new hire employee workflow template for this Joiner scenario.
From the Basics tab, Lisa customizes the workflow name and sees the trigger event details are already configured to trigger based on the employeeHireDate attribute. With the new Lifecycle Workflows enhancements, if desired, she could have chosen to trigger based on the user creation date instead. Trigger event details can now be customized for up to 180 days, but for this new hire onboarding scenario, the template value is configured to run on the new hire’s first day of work, so no additional changes are needed.
Lisa can optionally customize the workflow further by scoping the workflow to target a subset of users in the Configure Scope tab using the collection of supported Azure Active Directory (Azure AD) user properties, including OnPremises extension attributes and directory extension attributes. This allows Lisa to configure different workflows for users located in the US and Europe, if needed.
Step 2: Customize the tasks to run for the new employee on Day 1.
Because each of the workflow templates has pre-defined tasks for its scenario, no additional tasks are required. Admins can choose to further customize the workflow by adding tasks from the collection of built-in tasks for the appropriate scenario. Admins can also leverage the built-in custom task extension task, which enables extensibility to perform additional actions in Logic Apps, Microsoft’s low-code automation solution.
With the new Lifecycle Workflows enhancements, you can now make access package assignment requests and create customized emails with your own branding, including company logo and domain, custom subject, body, and language, as well as add additional recipients on CC.
To check off all the items on Woodgrove's new employee checklist, Lisa adds a task to create a ServiceNow ticket to request a laptop delivery, leveraging an existing Logic App.
Lisa can now customize the welcome email to be sent with the Woodgrove company logo, add a link to the Woodgrove new employee portal, and CC employee onboarding team members for awareness so employees know the email came from Woodgrove.
Lisa clicks on the Review + Create tab to review all the changes, then clicks the Enable Schedule checkbox and clicks Create to save the workflow. The workflow will automatically run based on the tenant schedule and only for the users that were auto-detected to meet the execution conditions.
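The portal steps above produce a workflow definition that can also be created through Microsoft Graph. The following is an added example, not Microsoft's sample code and not part of the original post: it builds the request body for a joiner workflow with the same shape Lisa configured (trigger on `employeeHireDate` with a day offset, a scope rule over user properties, and enable-account, welcome-email and add-to-group tasks), and rejects offsets outside the 180-day limit the post mentions. Assumptions are labelled in the code: the Graph beta endpoint and the `taskDefinitionId` values are as I recall them from the Microsoft Graph Lifecycle Workflows documentation and should be confirmed against `GET /identityGovernance/lifecycleWorkflows/taskDefinitions` in your tenant; the group ID and task argument names are placeholders to verify the same way.

```python
"""Build a Microsoft Graph request body for a Lifecycle Workflows joiner workflow.

Added example (not Microsoft's code). Nothing is sent to the network: the
function returns the JSON body so it can be reviewed before being POSTed.
"""
import json

# ASSUMPTION: Graph beta endpoint for Lifecycle Workflows, as documented by Microsoft.
GRAPH_WORKFLOWS_URL = (
    "https://graph.microsoft.com/beta/identityGovernance/lifecycleWorkflows/workflows"
)

# Trigger offsets are limited to 180 days either side of the trigger date (per the post).
MAX_OFFSET_DAYS = 180

# Attributes the time-based trigger can key on; the post mentions hire date and creation date.
TRIGGER_ATTRIBUTES = {"employeeHireDate", "createdDateTime"}

# ASSUMPTION: built-in task definition IDs as listed in the Graph docs; verify them with
# GET /identityGovernance/lifecycleWorkflows/taskDefinitions before relying on them.
TASK_DEFINITIONS = {
    "enable_user_account": "6fc52c9d-398b-4305-9763-15f42c1676fc",
    "send_welcome_email": "70b29d51-b59a-4773-9280-8841dfd3f2ea",
    "add_user_to_groups": "22085229-5809-45e8-97fd-270d28d66910",
}


def build_scope_rule(department=None, country=None):
    """Return the OData-style scope rule used by ruleBasedSubjectSet.

    Each property becomes a parenthesised clause; clauses are AND-ed so that a
    workflow can be limited to, e.g., Marketing users in the US. Values are
    quoted and embedded single quotes are doubled per OData string rules.
    """
    clauses = []
    for prop, value in (("department", department), ("country", country)):
        if value is not None:
            clauses.append(f"({prop} eq '{value.replace(chr(39), chr(39) * 2)}')")
    if not clauses:
        raise ValueError("scope rule needs at least one user property")
    return " and ".join(clauses)


def build_joiner_workflow(display_name, offset_days=0, trigger_attribute="employeeHireDate",
                          department=None, country=None, group_id=None,
                          email_subject="Welcome to the team", email_locale="en-us"):
    """Return the JSON-serialisable body for creating a joiner workflow."""
    if not -MAX_OFFSET_DAYS <= offset_days <= MAX_OFFSET_DAYS:
        raise ValueError(f"offsetInDays must be within +/-{MAX_OFFSET_DAYS}, got {offset_days}")
    if trigger_attribute not in TRIGGER_ATTRIBUTES:
        raise ValueError(f"unsupported trigger attribute {trigger_attribute!r}")

    tasks = [
        {"taskDefinitionId": TASK_DEFINITIONS["enable_user_account"],
         "displayName": "Enable user account", "isEnabled": True,
         "continueOnError": False, "arguments": []},
        {"taskDefinitionId": TASK_DEFINITIONS["send_welcome_email"],
         "displayName": "Send welcome email", "isEnabled": True,
         "continueOnError": True,
         # ASSUMPTION: argument names for the branded-email options described in the post.
         "arguments": [{"name": "customSubject", "value": email_subject},
                       {"name": "locale", "value": email_locale}]},
    ]
    if group_id is not None:
        tasks.append({"taskDefinitionId": TASK_DEFINITIONS["add_user_to_groups"],
                      "displayName": "Add user to group", "isEnabled": True,
                      "continueOnError": True,
                      # ASSUMPTION: argument name used by the add-to-groups task.
                      "arguments": [{"name": "groupID", "value": group_id}]})

    return {
        "category": "joiner",
        "displayName": display_name,
        "description": "Onboard new hire employee (built from the template shape)",
        "isEnabled": True,
        "isSchedulingEnabled": True,  # the 'Enable Schedule' checkbox in the portal
        "executionConditions": {
            "@odata.type": "#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions",
            "scope": {
                "@odata.type": "#microsoft.graph.identityGovernance.ruleBasedSubjectSet",
                "rule": build_scope_rule(department, country),
            },
            "trigger": {
                "@odata.type": "#microsoft.graph.identityGovernance.timeBasedAttributeTrigger",
                "timeBasedAttribute": trigger_attribute,
                "offsetInDays": offset_days,
            },
        },
        "tasks": tasks,
    }


if __name__ == "__main__":
    # Constructed placeholder group ID; replace with the Marketing group's object ID.
    body = build_joiner_workflow("Onboard marketing new hires", department="Marketing",
                                 country="US", group_id="00000000-0000-0000-0000-000000000001")
    print(f"POST {GRAPH_WORKFLOWS_URL}")
    print(json.dumps(body, indent=2))
```

The body is what the portal submits on your behalf; reviewing it as code makes the scope rule and the offset explicit, which is where misconfigured workflows (a scope that silently matches nobody, or an offset with the wrong sign) usually hide.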
Step 3: Monitor the workflow status
Every action taken by Lifecycle Workflows, including creation, updates, and processing events, is stored in the audit log reports. Additionally, Lifecycle Workflows provides the Workflow History feature, a more granular reporting view that lets you quickly see what ran for whom and whether it was successful. Lisa can navigate to the Workflow History of the selected workflow to check the processing status of a workflow across the user, run, and task views for troubleshooting and compliance purposes.
Another important identity lifecycle scenario is employee offboarding. There can be many different reasons why an employee needs to be offboarded e.g., retirement, separation, or leaving to join a competitor. Regardless of the offboarding reason, it’s important for IT admins to ensure these accounts are no longer active and all resource access is removed from the former employee in a timely manner to reduce security risks.
Whether the offboarding process is planned weeks in advance, needs to happen in real time, or is part of access cleanup after the employee leaves, Lifecycle Workflows provides flexible options to automate the process with built-in leaver workflow templates for processing the separation in the timeframe that fits your needs.
Vance, an IT admin for Tailspinonline, is responsible for managing the offboarding processes. Using built-in leaver templates in Lifecycle Workflows, he can save time by pre-configuring pre-offboarding, real-time separation, and post-offboarding workflows, based on his company's policies. In this case, Vance needs to quickly offboard an employee who is leaving for a competitor, so he will immediately block the employee’s access by disabling the user account and remove them from all Azure AD groups and Microsoft Teams.
Let’s look at how to make this happen!
Step 1: Configure a custom workflow using an out-of-the-box workflow template that fits your scenario.
Vance goes to Entra Identity Governance -> Lifecycle Workflows and clicks on Create workflow to choose a built-in workflow template that fits the scenario. In this case, he chooses the Real-time employee termination workflow template for this Leaver scenario.
From the Basics tab, Vance customizes the workflow name and sees the trigger event details are already configured to trigger on demand, so no changes are needed. This template offers IT admins like Vance the flexibility of running the workflow immediately for the users they select, or configuring it now and running it later.
For other offboarding scenarios, he can choose from other pre-defined workflow templates to trigger based on the employeeLeaveDateTime attribute, populated from HR systems and treated with sensitivity.
Step 2: Customize the tasks to run for the employee in real time.
Because each of the workflow templates has pre-defined tasks for its scenario, no additional tasks are required. However, admins can choose to customize the list of tasks to fit their needs. In this case, Vance sees that the template already has pre-defined tasks to remove the user from all groups and Teams and to delete the user account. Per company policy, the account will be deleted later as part of the post-offboarding process, so he can quickly remove the delete user account task. Then, he adds a task to disable the user account to ensure the employee is blocked from signing in.
This template offers IT admins like Vance the flexibility of selecting users now and running the workflow immediately, or creating it now and selecting users to run it later. From the Select users tab, Vance selects the user and clicks on the Review + Create tab to review all the changes, then clicks Create to save the workflow. The workflow will immediately start processing the users that Vance selected.
Step 3: Monitor the workflow status.
Vance can now navigate to the Workflow History of the selected workflow to monitor the progress and see that the separation is already being processed. He can optionally choose to drill in further on the status of the individual tasks to check for issues.
By using the real-time leaver template, Vance automated the offboarding process so that access is removed upon an employee’s departure, reviewed the history of the workflow so that he can ensure that each task in the offboarding process was completed successfully, and helped the organization safeguard its critical data.
With the new Lifecycle Workflows enhancements, we’ve made updates and improvements for more granular workflow execution auditing, and at any time, you can navigate to Lifecycle Workflows Audit Logs or Entra Identity Governance Audit Logs and check the workflow execution info and other workflow management activities.
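Workflow History and the audit logs are only useful for a leaver scenario if someone actually checks that the disable-account task completed for every selected user. The following is an added example, not part of the original post and not Microsoft's code: it takes the per-user processing results of a workflow run (in the shape returned by Graph's `userProcessingResults` collection, as I recall it from the documentation; the field names are an assumption to verify against your tenant) and flags any user whose sign-in-blocking task did not complete, so an incomplete offboarding surfaces immediately instead of being discovered later. The result data is constructed for the example.

```python
"""Summarise a Lifecycle Workflows run and flag incomplete offboardings.

Added example (not Microsoft's code). In practice the input would come from
GET /identityGovernance/lifecycleWorkflows/workflows/{id}/runs/{runId}/userProcessingResults
(an assumption about the endpoint shape); here it is a constructed sample.
"""

# Processing status values exposed by Lifecycle Workflows (ASSUMPTION: as documented by Graph).
TERMINAL_OK = {"completed"}
TERMINAL_BAD = {"failed", "completedWithErrors", "canceled"}

# Constructed sample: one run of a real-time leaver workflow for three users.
SAMPLE_RESULTS = [
    {"subject": {"id": "u1", "userPrincipalName": "alice@tailspinonline.example"},
     "processingStatus": "completed", "totalTasksCount": 2, "failedTasksCount": 0,
     "taskProcessingResults": [
         {"task": {"displayName": "Disable user account"}, "processingStatus": "completed",
          "failureReason": None},
         {"task": {"displayName": "Remove user from all groups and Teams"},
          "processingStatus": "completed", "failureReason": None}]},
    {"subject": {"id": "u2", "userPrincipalName": "bob@tailspinonline.example"},
     "processingStatus": "completedWithErrors", "totalTasksCount": 2, "failedTasksCount": 1,
     "taskProcessingResults": [
         {"task": {"displayName": "Disable user account"}, "processingStatus": "failed",
          "failureReason": "Insufficient privileges to complete the operation."},
         {"task": {"displayName": "Remove user from all groups and Teams"},
          "processingStatus": "completed", "failureReason": None}]},
    {"subject": {"id": "u3", "userPrincipalName": "carol@tailspinonline.example"},
     "processingStatus": "inProgress", "totalTasksCount": 2, "failedTasksCount": 0,
     "taskProcessingResults": [
         {"task": {"displayName": "Disable user account"}, "processingStatus": "queued",
          "failureReason": None}]},
]


def summarize_run(results):
    """Return counts by processing status plus every failed task with its reason."""
    by_status = {}
    failures = []
    for user in results:
        by_status[user["processingStatus"]] = by_status.get(user["processingStatus"], 0) + 1
        for task in user.get("taskProcessingResults", []):
            if task["processingStatus"] in TERMINAL_BAD:
                failures.append({
                    "user": user["subject"]["userPrincipalName"],
                    "task": task["task"]["displayName"],
                    "reason": task.get("failureReason"),
                })
    return {"by_status": by_status, "failures": failures}


def users_not_blocked(results, blocking_task="Disable user account"):
    """List users for whom the sign-in-blocking task has not completed.

    A user counts as still not blocked when the task is missing, still
    queued/in progress, or ended in a failed state; only a completed task
    clears them. This is the check an admin wants before closing the ticket.
    """
    pending = []
    for user in results:
        task_status = None
        for task in user.get("taskProcessingResults", []):
            if task["task"]["displayName"] == blocking_task:
                task_status = task["processingStatus"]
        if task_status not in TERMINAL_OK:
            pending.append((user["subject"]["userPrincipalName"], task_status))
    return pending


if __name__ == "__main__":
    summary = summarize_run(SAMPLE_RESULTS)
    print("users by status:", summary["by_status"])
    for f in summary["failures"]:
        print(f"FAILED  {f['user']:40} {f['task']}: {f['reason']}")
    for upn, status in users_not_blocked(SAMPLE_RESULTS):
        print(f"NOT BLOCKED  {upn:40} disable task status = {status}")
```

The distinction between `summarize_run` and `users_not_blocked` is deliberate: the first reports what the run did, the second answers the security question ("can this person still sign in?"), and a user still in progress is treated as not yet blocked rather than as success.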
We got some great feedback from customers and partners like you during the previews:
“With Lifecycle workflows, Microsoft’s Entra platform adds a so far missing core Identity Governance component, to solve client’s requirement around automated JML (Joiner, Mover and Leaver) use cases. This will be a significant step forward to use Entra as the central Identity system within a client’s estate.”
- Erik Siebler (IAM Lead, DXC)
"We were able to see the product vision of Lifecycle workflow and how this could help us to move our current Join, Move, Leave workflows from our current legacy IAM platform to Cloud native IAM solution. We already have moved a few of our workflows to Lifecycle Workflows for onboarding of our store and back office employees that include O365 licenses, SMS and Email notification to managers."
- Maqsood Ali Bhatti (IAM Lead, Elkjøp Nordic AS)
"With Lifecycle Workflows we finally can support the business of ourselves and our customers with an automated joiner and leaver process. This powerful and amazing feature helps us and our customers stay in control of the lifecycle of accounts in Azure AD and makes sure accounts are provisioned and deprovisioned automatically."
- Pim Jacobs (Principal Consultant, InSpark)
"Every customer is struggling with identity next management, we use logic apps, we use automation for hybrid workers and it's really cool that Lifecycle Workflows integrates perfectly with many different Azure services, and that's the very positive thing that you're already familiar with them even if you haven't used them before. And at every customer there is a massive mess with user accounts and with Lifecycle Workflows you can easily start building your identity workflows since there's definitely a lot less steps than ordering a third party identity and access management solution. This feature can be very important for us in the future."
- Nicola Alig (IAM Lead, BaseVision)
We’re excited about the new capabilities and we'd love for you to try them out! Current Microsoft Entra ID Premium customers have two ways to use the new capabilities:
Joseph Dadzie
Partner Director of Product Management
LinkedIn: @joedadzie
Twitter: @joe_dadzie
Learn more about Microsoft Entra: