Manage user accounts with MS Entra lifecycle workflows
Come On In!
Zero trust means that nothing is trusted by default: every access request is verified before it is allowed, in an environment that initially permits nothing. It is one of the central ideas of modern IT security. Protecting hybrid infrastructures, in particular, is more critical than ever, starting with security for data centers and extending to securing user devices.
Somewhere in between sits a very important building block of the zero trust puzzle: identity and access. A strategy for responsible and up-to-date use of identities is more important than ever and not always easy in a world where, for decades, directory services exclusively stored user accounts and everything that went with them on domain controllers (DCs). These DCs continue to perform their duties in well-protected zones behind firewalls.
In the public cloud, hybrid setups with Azure Active Directory (AAD) are no longer unusual. You need to keep an eye on the local directory data and include Azure AD in your scope of activities. AAD offers new functions that are only a dream for admins of a local AD.
Unfortunately, it is not always easy to work with this toolbox. Many of the features reside on AAD dashboards, and various tools reside in separate areas of the Azure portal, such as Identity Protection or Privileged Identity Management (PIM). Microsoft Entra [1] combines these functions, seeing itself as a toolbox that bundles previous technologies on one portal while adding new features. In this article, I open up the toolbox and look at the options available for automating the user account lifecycle. Note, however, that only the Public Preview was available for review at the time of writing. Because hybrid is an important topic, I also take a look at the requirements in terms of interaction with the on-site infrastructure to ensure smooth operations.
Identity Lifecycle
The heart of an IT infrastructure is the user accounts, and one important aspect is the overhead when user accounts are created or removed. Employees join the company, they leave, and they take on new roles, which means you need to handle a great deal of routine directory service work, and this work is very much suitable for automation. Adding and removing users from groups, authorizing, assigning licenses, and emailing line managers or the employee in question are just a few of the tasks involved. Microsoft's answer to these routine tasks is lifecycle workflows from the Entra family.
The scope of this relatively new feature is currently limited to Joiner and Leaver functions. In other words, actions occur when user accounts are added to Azure AD or are due to be removed in the foreseeable future. At the time of review, no Mover actions resided in the current Public Preview version of lifecycle workflows. It was not possible, then, to design an automatic response when people moved from department A to department B. However, I suspect it should only be a matter of time until Microsoft implements this feature.
In the Entra admin center, go to Identity Governance | Lifecycle workflows (Figure 1). A first look reveals an intuitive dashboard that lets you get started quickly with a few simple steps. If you want to take a deeper look under the hood, though, you definitely need the well-sorted collection of documentation [2] to get started.
Triggering Workflows
Basic operations relate exclusively to user accounts in Azure AD. Lifecycle workflows provide no direct connectors to Active Directory Domain Services or to HR systems (e.g., Workday) that provision identities into AAD; the triggers are bound to the AAD user account itself. This is not a restriction but an advantage: functional diversity is retained, and existing on-premises user management processes, for example, can stay in place. To make this possible, user accounts in Azure AD carry two attributes, EmployeeHireDate and EmployeeLeaveDateTime (employeeHireDate and employeeLeaveDateTime in the Microsoft Graph schema).
Neither attribute is populated automatically; you need to set them when creating accounts, because the workflow triggers are evaluated against the timestamps in these attributes, and an account without them never matches a time-based trigger. A hybrid landscape, where user accounts originate on premises, presents particular challenges here. For now, I'll stick to identities in Azure AD.
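The following PowerShell is an added example, not code from the article or from Microsoft: it populates the two trigger attributes of a cloud-only account through Microsoft Graph and reads them back. It assumes the Microsoft.Graph PowerShell module is installed; the UPN and the dates are placeholders. The beta endpoint is used because the article describes the Public Preview, where employeeLeaveDateTime was still beta-only.

```powershell
# Added example (not from the article): set employeeHireDate and
# employeeLeaveDateTime on a cloud-only user and verify the result.
# Assumptions: Microsoft.Graph module installed; UPN and dates are placeholders.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User-LifeCycleInfo.ReadWrite.All'

$upn  = 'new.hire@contoso.example'   # placeholder account
$user = "https://graph.microsoft.com/beta/users/$upn"

# Graph takes both values as ISO 8601 timestamps in UTC.
# employeeHireDate is an ordinary user attribute (User.ReadWrite.All).
Invoke-MgGraphRequest -Method PATCH -Uri $user -ContentType 'application/json' -Body @{
    employeeHireDate = '2023-04-03T08:00:00Z'
}

# employeeLeaveDateTime is guarded separately: writing it needs the
# User-LifeCycleInfo.ReadWrite.All permission requested above, which
# User.ReadWrite.All does not cover. Keeping it in its own request makes a
# permission error distinguishable from a malformed hire date.
Invoke-MgGraphRequest -Method PATCH -Uri $user -ContentType 'application/json' -Body @{
    employeeLeaveDateTime = '2024-03-31T17:00:00Z'
}

# Read back exactly what the scheduler will evaluate. Both attributes must be
# selected explicitly; neither is returned by default.
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "${user}?`$select=id,employeeHireDate,employeeLeaveDateTime"

[pscustomobject]@{
    HireDate  = $check.employeeHireDate
    LeaveDate = $check.employeeLeaveDateTime
    # $false means no time-based workflow will ever fire for this account.
    Ready     = [bool]($check.employeeHireDate -and $check.employeeLeaveDateTime)
}
```

Run the read-back after every provisioning step that touches these attributes: a workflow that silently never fires is almost always an account whose timestamp was never written, not a broken workflow.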
If you want to create a new workflow, the system prompts you to choose from the predefined templates, specifically Joiner and Leaver templates. Custom templates are not supported, but outside of a trial phase you are unlikely to need new scenarios on a regular basis.
Creating Workflows
The two Joiner workflow templates (Figure 2) cover two types of requirements: one for tasks that run a set number of days before an employee's start date and one for tasks that run on the start date itself. A Leaver process is more multilayered; four Leaver templates are included for creating workflows. The names of these templates speak for themselves and suggest the tasks for which they are suited. Even in the preview version of Entra I found a comprehensive selection of settings for individual workflows (Figure 3).
After selecting the template, you need to define the general parameters. The most important of these is the trigger, which currently lets you specify a number of days before or after the timestamp in the trigger attribute. A scope can be configured in the wizard, but this is optional. If you decide to use a scope, you have the same flexibility at this point that you might recognize from managing dynamic groups.
That is, expressions can be used to create rules that provide a subset of user accounts. Several logically linked expressions let you narrow down the set of identities for the workflow based on the user attributes – Location and Department are examples of typical filter attributes. However, you can work with a variety of user information, and extensive internal scenarios can be mapped by having several workflows serve different target groups.
Each template comes with a list of predefined tasks. Any task you add becomes an additional step in the sequence and, depending on the task, can still be edited once it is there. Maybe you want to send a welcome email, add a user account to defined groups at a given time, or notify a manager that the new employee's account is ready. In this context, a temporary access pass (TAP) can be mailed directly to the manager, who, in turn, hands this time-limited passcode to the employee for an initial login. The list of predefined tasks is not too long, but it should cover most requirements for user onboarding or offboarding processes.
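The wizard steps above (trigger, scope, task list) map directly onto the workflow object in the Graph API. The following PowerShell is an added example, not code from the article or from Microsoft: it builds the pre-hire Joiner workflow described above through Graph and then smoke-tests it with an on-demand run. It assumes the Microsoft.Graph module and the LifecycleWorkflows.ReadWrite.All permission; the department value, the workflow name and the test account are placeholders. Built-in task definitions are matched by display-name pattern rather than hard-coded GUIDs; adjust a pattern if it matches more than one definition in your tenant. The scope rule uses the API's OData-style syntax, which differs from the dynamic-group syntax the portal shows.

```powershell
# Added example (not from the article): create a Joiner workflow with trigger,
# scope and tasks via Microsoft Graph (beta, matching the Public Preview).
# Assumptions: Microsoft.Graph module; department, names and UPN are placeholders.
Connect-MgGraph -Scopes 'LifecycleWorkflows.ReadWrite.All'
$lcw = 'https://graph.microsoft.com/beta/identityGovernance/lifecycleWorkflows'

# Built-in tasks are referenced by taskDefinitionId. Resolve the IDs from the
# tenant instead of copying GUIDs from a document.
$defs = (Invoke-MgGraphRequest -Method GET -Uri "$lcw/taskDefinitions").value
function Get-TaskDefinitionId([string]$Pattern) {
    $hit = @($defs | Where-Object { $_.displayName -like $Pattern })
    if ($hit.Count -ne 1) { throw "Pattern '$Pattern' matched $($hit.Count) task definitions" }
    $hit[0].id
}

function New-Task([string]$Name, [string]$Pattern, [array]$Arguments = @()) {
    @{
        displayName      = $Name
        description      = $Name
        isEnabled        = $true
        continueOnError  = $false    # abort the run if an earlier task fails
        taskDefinitionId = Get-TaskDefinitionId $Pattern
        arguments        = $Arguments
    }
}

$workflow = @{
    category            = 'joiner'
    displayName         = 'Marketing pre-hire'   # placeholder
    description         = 'Enable the account and send a TAP to the manager two days before the hire date'
    isEnabled           = $true
    isSchedulingEnabled = $true                  # otherwise the trigger is never evaluated
    executionConditions = @{
        '@odata.type' = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions'
        trigger = @{
            '@odata.type'      = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger'
            timeBasedAttribute = 'employeeHireDate'
            offsetInDays       = -2              # negative: before the timestamp
        }
        scope = @{
            '@odata.type' = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet'
            rule          = "(department eq 'Marketing')"   # placeholder department
        }
    }
    tasks = @(
        New-Task 'Enable user account' '*Enable User Account*'
        New-Task 'TAP to manager'      '*TAP*'
        New-Task 'Welcome email'       '*Welcome*'
    )
}

$created = Invoke-MgGraphRequest -Method POST -Uri "$lcw/workflows" `
    -ContentType 'application/json' -Body $workflow
"Created workflow $($created.id)"

# Smoke test with an on-demand run against one test account. An on-demand run
# ignores the trigger and the scope, so it exercises the tasks, not the conditions.
$testUser = (Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/beta/users/new.hire@contoso.example?$select=id').id
Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
    -Uri "$lcw/workflows/$($created.id)/microsoft.graph.identityGovernance.activate" `
    -Body @{ subjects = @(@{ id = $testUser }) }
```

Two things to check before trusting the scheduled run: the TAP task fails unless the Temporary Access Pass method is enabled in the tenant's authentication methods policy, and scheduled triggers are only evaluated on the tenant-wide interval (three hours by default, readable under the lifecycleWorkflows settings resource), so a freshly created workflow is not an instant one.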