An organization's JML (Joiners/Movers/Leavers) process has a major impact on its security and efficiency. When a new employee joins the organization or an existing employee changes job role, they cannot start their job until they have access to the relevant services and tools, so any delay is a waste of resources. When someone leaves the company, their access permissions to data and services should be revoked and their accounts should be disabled; if not, it creates a security risk. It is therefore important to make sure organizations have robust, practical JML processes in place. A process with many manual tasks and dependencies on individual people may not deliver the expected results.
Microsoft Entra lifecycle workflows allow an organization to automate the JML process and reduce human errors and people dependencies. A workflow is built upon two pillars: tasks and execution conditions.
Task – A list of actions that run automatically when a workflow is “triggered”
Execution conditions – Define the trigger scope of a workflow (the impacted users, what executes the workflow, and when)
There are many benefits of using lifecycle workflows, such as:
- Reduce or remove the manual tasks of the JML process.
- Centralize identity lifecycle task and process management. In one portal we can create and manage all workflows.
- Measure the success of workflows, or identify issues in them, using workflow history and audit logs.
- Use pre-built templates that cover the most common identity management tasks.
- Integrate workflows with Logic Apps to address more complex scenarios.
In this article, I am going to demonstrate how we can create a “joiner” workflow based on a pre-built template. This includes:
1. Create lifecycle workflow using the “Onboard pre-hire employee” pre-built template to automate onboarding tasks of new employees before their first day.
2. Create a new user in Azure AD
3. Assign Manager to user
4. Validate the completed workflow tasks
Before we start, we need to make sure the following prerequisites are in place:
1. Azure AD Premium P2 Licences
2. Global Administrator Account
3. Users with an employeeHireDate attribute value – This attribute value is used as the trigger condition for the workflow. At the moment this value cannot be set through the portal UI and can only be updated using MS Graph. In this blog post, I will show how to set up a new user with this attribute. Also, note that the workflow will not trigger when the employee hire date value is prior to the workflow creation date.
4. Office 365 Licences – If the workflow includes tasks that send email notifications to users, make sure the recipients have a valid mailbox in place before the workflow executes.
Once we have the above prerequisites in place, we can go ahead with the configuration tasks.
Create a lifecycle workflow
To create this workflow I am going to use the “Onboard pre-hire employee” pre-built template as the baseline. It comes with one automation task (Generate TAP and Send Email), but I will add additional automation tasks to the workflow. The list of tasks is as follows:
1. Enable Account – I would like to enable the new user account as part of the workflow.
2. Add user to Group – The new user account will be added to an already existing security group called “New Hire”.
3. Generate TAP and Send Email – Generate a Temporary Access Pass and send it via email to the new user’s manager. Microsoft encourages organizations to use passwordless authentication, as traditional password-based authentication methods are weak. A Temporary Access Pass is a time-limited passcode that users can use to sign in to https://aka.ms/mysecurityinfo and register their authentication methods. The pass can be single-use or multi-use. Before using this feature, we need to enable the Temporary Access Pass policy. For configuration details, see https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-temporary-access-pass . In this demo environment, I already have this policy configured.
4. Send Welcome Email – Send a welcome email to the new user.
To set up the workflow:
1. Log in to the Microsoft Entra admin center at https://entra.microsoft.com/
2. Go to Identity Governance | Lifecycle workflows
3. Next, click + Create workflow
4. In the new window, we can see the pre-built templates. For this demo, I am selecting “Onboard pre-hire employee”
5. This opens the template settings. Provide a name for the workflow first, then change the event timing settings for onboarding. The workflow depends on the employeeHireDate attribute value, and we can decide how many days before the hire date the workflow should run. To keep it simple I am going to use the default value, which is 7 days. Once the settings are in place, click Next: Configure scope to continue.
6. In the next window, we can use expressions to define the user scope for the workflow. Here I am going to run this workflow for new users in the “Sales” department.
7. In the workflow tasks window, we can see that the “Generate TAP and Send Email” task is already in the list. We can add new tasks by clicking + Add tasks
8. From the list I added the Enable Account, Add user to Group, and Send Welcome Email tasks. For the group, I selected the already existing security group called “New Hire”. I also changed the logical order of the tasks.
9. In the final window, select Schedule workflow to run the workflow every 3 hours. Then review the settings and click Create.
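With the workflow in place, the next two outline steps (create the new user with the employeeHireDate attribute, which the portal UI cannot set, and assign the manager) can be done with the Microsoft Graph PowerShell SDK. The block below is an added example and not the original post's code; the tenant domain, user names, hire date and the Microsoft.Graph.Users module are assumptions.

```powershell
# Added example (not from the original post): create the pre-hire user and
# assign the manager via the Microsoft Graph PowerShell SDK. Tenant domain,
# names and the hire date are assumptions; adjust them for your environment.
# Requires the Microsoft.Graph.Users module and an account that can consent
# to User.ReadWrite.All.
Connect-MgGraph -Scopes "User.ReadWrite.All"

$domain     = "contoso.onmicrosoft.com"     # assumption: your tenant domain
$newUserUpn = "jane.doe@$domain"            # assumption: the joiner's UPN
$managerUpn = "sales.manager@$domain"       # assumption: an existing manager

# employeeHireDate is stored in UTC. Choose a date after the workflow was
# created and inside the 7-day "days before event" window; otherwise the
# "Onboard pre-hire employee" workflow never picks this user up.
$hireDate = (Get-Date).ToUniversalTime().Date.AddDays(5)

# Random initial password: the joiner onboards with the TAP and never uses it,
# but Graph requires a password profile when creating a user.
$initialPassword = (-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 |
    ForEach-Object { [char]$_ })) + "!"

$userParams = @{
    DisplayName       = "Jane Doe"
    MailNickname      = "jane.doe"
    UserPrincipalName = $newUserUpn
    Department        = "Sales"      # must match the workflow's scope expression
    EmployeeHireDate  = $hireDate
    AccountEnabled    = $false       # the workflow's "Enable Account" task turns it on
    PasswordProfile   = @{
        Password                      = $initialPassword
        ForceChangePasswordNextSignIn = $true
    }
}
$newUser = New-MgUser @userParams

# The "Generate TAP and Send Email" task mails the manager, so set the
# manager reference before the workflow runs.
$manager = Get-MgUser -UserId $managerUpn
Set-MgUserManagerByRef -UserId $newUser.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($manager.Id)"
}

# Verify the attributes the workflow keys on before waiting for the 3-hour schedule.
Get-MgUser -UserId $newUser.Id -Property "id,displayName,department,employeeHireDate,accountEnabled" |
    Select-Object DisplayName, Department, EmployeeHireDate, AccountEnabled
```

The final query should show Department "Sales", the future hire date and AccountEnabled False; if the hire date is earlier than the workflow's creation date, the workflow history will simply never list this user.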