Manage user accounts with MS Entra lifecycle workflows

Come On In!

Working with Cloud-Only Accounts

If you store user accounts exclusively in the cloud, the hybrid aspects no longer apply, but you still have to maintain the two attributes yourself. EmployeeHireDate is the easy case: it can be populated with PowerShell or directly in the properties of the user account in the portal. The latter is also a convenient way to set the date on a single test user when you want to trigger a workflow for a test.

The EmployeeLeaveDateTime attribute is less convenient: you will look for it in vain in the user properties of the Azure AD portal. To write this attribute for a cloud-only account, you have to go through the Microsoft Graph API [4], and the caller needs the User-LifeCycleInfo.ReadWrite.All permission; User.ReadWrite.All, which is enough for EmployeeHireDate, does not cover it.
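As an added example (this is not code from the article), the following PowerShell script writes both attributes for a cloud-only user through the Microsoft Graph PowerShell SDK and then reads them back to confirm the change. The user principal name, the two dates and the existence of that test account are assumptions.

```powershell
# Added example (not from the article): populate employeeHireDate and
# employeeLeaveDateTime on a cloud-only Azure AD user via Microsoft Graph.
# Requires the Microsoft.Graph PowerShell SDK. The UPN and the two dates are
# placeholders (assumptions), as is the existence of the test user.

# employeeHireDate can be written with User.ReadWrite.All, but employeeLeaveDateTime
# is only writable (and readable) with User-LifeCycleInfo.ReadWrite.All; without it
# Graph rejects the PATCH below.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User-LifeCycleInfo.ReadWrite.All'

function ConvertTo-GraphDateTime {
    # Graph expects ISO 8601 in UTC; normalise whatever the caller passes in so a
    # workstation in another time zone does not shift the leave date by a day.
    param([Parameter(Mandatory)][datetime]$Date)
    $Date.ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")
}

$Upn  = 'test.user@contoso.onmicrosoft.com'   # assumed test account
$User = Get-MgUser -UserId $Upn -Property 'id,userPrincipalName'

$Body = @{
    employeeHireDate      = ConvertTo-GraphDateTime ([datetime]'2024-03-01T00:00:00Z')
    employeeLeaveDateTime = ConvertTo-GraphDateTime ([datetime]'2024-09-30T23:59:59Z')
}

# PATCH the user object directly; the raw request covers both attributes
# regardless of which cmdlet parameters a given SDK version exposes.
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/users/$($User.Id)" `
    -Body $Body -ContentType 'application/json' | Out-Null

# Read both values back and fail loudly if either did not stick.
$Check = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/users/$($User.Id)?`$select=id,employeeHireDate,employeeLeaveDateTime"

foreach ($Attr in 'employeeHireDate', 'employeeLeaveDateTime') {
    $Expected = ([datetime]$Body[$Attr]).ToUniversalTime()
    $Actual   = if ($Check[$Attr]) { ([datetime]$Check[$Attr]).ToUniversalTime() } else { $null }
    if ($Actual -ne $Expected) {
        throw "$Attr on $($User.UserPrincipalName) is '$($Check[$Attr])', expected '$($Body[$Attr])'"
    }
    "$Attr = $($Check[$Attr])"
}
```

The comparison is done on parsed UTC values rather than strings, because Graph may return the timestamp in a slightly different textual form (fractional seconds, for instance) than the one that was sent.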

Remove Stumbling Blocks

When planning lifecycle workflows, there are several other aspects to consider. For example, there is no multilanguage support yet. This is certainly not a serious drawback, but because every user account has a preferredLanguage attribute, it is hard to see why the email tasks could not honor it and send notifications in the user's own language. Conditional Access policies and the Terms of Use configuration handle languages more gracefully, displaying the page that matches the language selected in the browser.

Another thing I noticed in my lab while writing this article concerns the scope rules. When you define the scope of a new workflow, the portal pre-populates a rule with the expression Department equals Marketing, which is unlikely to be what you want; unfortunately, in the Entra preview it cannot simply be deleted, because at least one expression is mandatory. The workaround is to add a second expression first (e.g., AccountEnabled equals true) and then remove the pre-populated Department expression.

Test and Test Again

Lifecycle workflows perform far-reaching write operations in Azure AD, up to and including deleting user accounts, so a workflow needs thorough testing before you classify it as production-ready. Because leaver workflows are triggered solely by the attribute that holds the employee's leaving date, a wrong value in that one attribute is enough to offboard the wrong person; careful planning and quality assurance are therefore more important than ever.

Automated processes are efficient, and that very efficiency can have undesirable side effects. In a cloud-only setup (i.e., when user management resides entirely in Azure), consider whether it makes more sense to have the workflow disable the account first and leave deletion to a later step rather than deleting it immediately. Deleted accounts do land in the recycle bin first, but that is only an intermediate stop: after 30 days they are removed permanently and can no longer be restored.

You also need to plan the sequence of tasks carefully, especially with regard to what happens when one of them fails. Unless a task is configured to continue on error, a failure terminates the rest of the workflow, and the user account is left only partially onboarded. In a large, distributed infrastructure you will not know every new user personally, so such half-finished accounts are not necessarily noticed, and frequent workflow problems quickly become a nuisance.
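The scope workaround described above and the disable-first, error-aware task sequence can both be expressed directly in a workflow definition when you create it through Microsoft Graph instead of the portal. The following PowerShell script is an added example, not code from the article or from Microsoft: it writes the scope rule as (accountEnabled eq true) so the pre-populated Department expression never appears, disables the account as the first task with continueOnError set to false, leaves deletion to a separate workflow, and runs the result once on demand for a test user. The workflow name, the task display names it looks up, and the test user ID are assumptions.

```powershell
# Added example (not from the article): create a leaver workflow through Microsoft
# Graph with the scope rule written directly and a task sequence that disables the
# account first and leaves deletion to a separate, later workflow.
# The workflow name, the task display names matched below and $TestUserId are assumptions.

Connect-MgGraph -Scopes 'LifecycleWorkflows.ReadWrite.All'
$Lcw = 'https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows'

# Resolve built-in task definitions by display name instead of hard-coding GUIDs;
# if a name does not match in your tenant, list $Definitions.displayName and adjust.
$Definitions = (Invoke-MgGraphRequest -Method GET -Uri "$Lcw/taskDefinitions").value
function Get-TaskDefinitionId {
    param([Parameter(Mandatory)][string]$DisplayName)
    $Match = $Definitions | Where-Object { $_.displayName -eq $DisplayName } | Select-Object -First 1
    if (-not $Match) { throw "No task definition named '$DisplayName' in this tenant" }
    $Match.id
}

$Workflow = @{
    category            = 'leaver'
    displayName         = 'Leaver - disable on leave date'          # assumed name
    description         = 'Disables the account on employeeLeaveDateTime; deletion is a later workflow'
    isEnabled           = $true
    isSchedulingEnabled = $false   # keep the scheduler off until on-demand test runs look right
    executionConditions = @{
        '@odata.type' = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions'
        scope = @{
            '@odata.type' = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet'
            rule          = '(accountEnabled eq true)'   # no Department expression to remove
        }
        trigger = @{
            '@odata.type'      = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger'
            timeBasedAttribute = 'employeeLeaveDateTime'
            offsetInDays       = 0   # run on the leave date itself
        }
    }
    tasks = @(
        @{
            displayName      = 'Disable User Account'
            description      = 'Block sign-in on the leave date'
            isEnabled        = $true
            continueOnError  = $false   # if blocking sign-in fails, nothing below should run
            taskDefinitionId = Get-TaskDefinitionId 'Disable User Account'
            arguments        = @()
        },
        @{
            displayName      = 'Remove user from all groups'
            description      = 'Revoke group-based access; the account itself stays restorable'
            isEnabled        = $true
            continueOnError  = $true    # sign-in is already blocked; log group errors instead of failing the run
            taskDefinitionId = Get-TaskDefinitionId 'Remove user from all groups'
            arguments        = @()
        }
    )
}

$Created = Invoke-MgGraphRequest -Method POST -Uri "$Lcw/workflows" -Body $Workflow -ContentType 'application/json'
"Created workflow $($Created.id) with scope rule $($Created.executionConditions.scope.rule)"

# Run it once, on demand, for a single test user before enabling the scheduler.
# An on-demand run only targets the subjects listed in the request body.
$TestUserId = $null   # assumption: set to the object ID of a disposable test account
if ($TestUserId) {
    Invoke-MgGraphRequest -Method POST -Uri "$Lcw/workflows/$($Created.id)/activate" `
        -Body @{ subjects = @(@{ id = $TestUserId }) } -ContentType 'application/json'
}
```

Deliberately, no delete task appears in this workflow: a second leaver workflow with a positive offsetInDays can delete the account later, which keeps the 30-day recycle bin window from starting on the leave date itself.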

Lifecycle workflows write two kinds of logs. The audit logs record changes to the workflow infrastructure itself; if you need to know who changed what in a workflow definition or performed other management activities, this is the place to look. The second kind records the individual workflow runs; you reach it via Workflow History in the Activity section of the portal. Here, you can see where a workflow run stopped for a given user and for what reason.
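The same run history is available through Microsoft Graph, which is handy when a workflow fails often enough that clicking through the portal becomes tedious. The following PowerShell script is an added example, not code from the article: it walks every run of one workflow, picks out the users whose processing did not complete, and reports the task at which each run stopped together with the failure reason. The workflow display name is an assumption.

```powershell
# Added example (not from the article): read the run history that the portal shows
# under Activity > Workflow History through Microsoft Graph and list every user whose
# run did not complete, with the failing task and its failure reason.
# The workflow display name is an assumption; adjust it to one of your own workflows.

Connect-MgGraph -Scopes 'LifecycleWorkflows.Read.All'
$Lcw = 'https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows'

function Get-GraphCollection {
    # Follows @odata.nextLink so paged run and result lists are not silently truncated.
    param([Parameter(Mandatory)][string]$Uri)
    $Items = @()
    while ($Uri) {
        $Page   = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $Items += $Page.value
        $Uri    = $Page.'@odata.nextLink'
    }
    $Items
}

$Name     = 'Leaver - disable on leave date'   # assumed workflow name
$Workflow = Get-GraphCollection "$Lcw/workflows" |
    Where-Object { $_.displayName -eq $Name } | Select-Object -First 1
if (-not $Workflow) { throw "No workflow named '$Name'" }

$Problems = foreach ($Run in Get-GraphCollection "$Lcw/workflows/$($Workflow.id)/runs") {
    $RunBase = "$Lcw/workflows/$($Workflow.id)/runs/$($Run.id)"
    # Anything other than 'completed' means at least one task did not run for this user.
    $Users = Get-GraphCollection "$RunBase/userProcessingResults" |
        Where-Object { $_.processingStatus -ne 'completed' }
    foreach ($U in $Users) {
        $Tasks = Get-GraphCollection "$RunBase/userProcessingResults/$($U.id)/taskProcessingResults"
        # The earliest failed task is where the workflow stopped (or, with
        # continueOnError, where the first error was logged) for this user.
        $Failed = $Tasks | Where-Object { $_.processingStatus -eq 'failed' } |
            Sort-Object startedDateTime | Select-Object -First 1
        [pscustomobject]@{
            RunStarted  = $Run.startedDateTime
            RunStatus   = $Run.processingStatus
            SubjectId   = $U.subject.id
            UserStatus  = $U.processingStatus
            FailedTasks = $U.failedTasksCount
            StoppedAt   = if ($Failed) { $Failed.task.displayName } else { '(no failed task recorded)' }
            Reason      = if ($Failed) { $Failed.failureReason } else { $null }
        }
    }
}
$Problems | Sort-Object RunStarted -Descending
```

Filtering is done client-side after paging through the collections, so the script keeps working even where a server-side $filter on processingStatus is not supported for a particular collection.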
