Automating Onboarding and Offboarding with Microsoft Entra Lifecycle Workflows
Streamline Identity Management with Automated Provisioning, Access Control, and Secure Deactivation
Managing user accounts manually can be inefficient. In many organisations, IT teams spend time provisioning access for new employees, assigning permissions, and ensuring accounts are correctly deactivated when users leave.
Microsoft Entra Lifecycle Workflows can simplify this by automating onboarding and offboarding tasks, reducing the reliance on manual intervention and improving compliance. Organisations can predefine workflows that trigger automatically when employees join, change roles, or leave the company.
You could even issue a Temporary Access Pass to the new starter as part of the workflow.
Let’s take a look at how to configure Microsoft Entra Lifecycle Workflows for onboarding and offboarding, where they provide the most value, and what prerequisites are required before setting them up.
Licensing Requirements
Microsoft Entra Lifecycle Workflows is available with specific Microsoft Entra ID licensing plans. The required licenses are:
Microsoft Entra ID Governance (formerly Azure AD Identity Governance)
Microsoft Entra ID Suite (Plan 1 or Plan 2)
These licenses are included in some Microsoft 365 E5 plans but are not available with Microsoft 365 E3 unless purchased separately. You must ensure that users who will be managed by Lifecycle Workflows are assigned the correct licenses for automation to work.
Role Requirements
A Microsoft Entra ID Governance license (included in Entra ID Suite) is required for Lifecycle Workflows.
The user configuring workflows must have one of the following roles:
Lifecycle Workflows Administrator
Identity Governance Administrator
Global Administrator (I do not recommend this)
Identity Data Requirements
The employeeHireDate attribute must be populated in Microsoft Entra ID for onboarding workflows to trigger correctly.
Manager attributes should be assigned to user accounts if workflows include manager-based notifications or approvals.
Feature Configuration
User provisioning must be enabled if onboarding workflows involve syncing from an HR system.
Group-based access management should be configured for workflows that assign security or distribution group memberships.
Authentication policies must allow automated sign-in activities if lifecycle tasks involve authentication configuration.
How to Configure Onboarding with Lifecycle Workflows
Enable Lifecycle Workflows
Sign in to Microsoft Entra Admin Center at entra.microsoft.com
In the left-hand menu, go to Identity Governance
Select Lifecycle Workflows
Ensure the feature is enabled for your organisation
Create a New Workflow for Onboarding
In the Lifecycle Workflows section, click Create Workflow
Choose an Onboarding template, such as Onboard Pre-Hire Employee
Provide a name for the workflow, such as New Employee Onboarding
Add Onboarding Tasks
Click Add Task
Choose Assign Microsoft 365 Licenses
Select the appropriate license package for the user
Click Save
Next, add any additional tasks:
Add users to security groups (for automatic access to company applications)
Send a welcome email with login instructions
Provision access to SharePoint, Teams, and other enterprise applications
Configure Workflow Triggers
Set the trigger type to User Creation
Define conditions such as:
Department
Job role
Employee hire date
Click Save and Activate
The workflow is now active and will automatically provision access when a new employee is added to Microsoft Entra ID.
How to Configure Offboarding with Lifecycle Workflows
Create a New Workflow for Offboarding
In the Lifecycle Workflows section, click Create Workflow
Choose an Offboarding template, such as Offboard Employee
Provide a name for the workflow, such as Employee Offboarding
Add Offboarding Tasks
Click Add Task
Choose Revoke Microsoft 365 Licenses
Select Remove user from security groups
Click Save
Next, add additional offboarding tasks:
Disable the user account in Entra ID
Reassign ownership of files and emails
Notify managers and HR of account deactivation
Configure Workflow Triggers
Set the trigger type to Employee Termination Date
Define conditions such as:
Job title
Department
Manager approval required
Click Save
This ensures that when an employee leaves, their access is revoked automatically.
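The onboarding and offboarding workflows described in the two procedures above, created through Microsoft Graph instead of the portal, as an added example that is not code from the original post. It assumes the Microsoft.Graph.Identity.Governance module, an account holding Lifecycle Workflows Administrator, and a placeholder group ID; the task definition IDs are the ones in Microsoft's task catalogue and should be confirmed in your tenant as the comment shows.

```powershell
# Added example (not from the original post): creates the onboarding and
# offboarding workflows described above with the Microsoft Graph PowerShell SDK
# (module Microsoft.Graph.Identity.Governance). Assumes the signed-in account
# holds Lifecycle Workflows Administrator; the group ID is a placeholder.
Connect-MgGraph -Scopes "LifecycleWorkflows.ReadWrite.All"
# Task definition IDs are from Microsoft's lifecycle workflow task catalogue;
# confirm them in your tenant before relying on them:
#   Get-MgIdentityGovernanceLifecycleWorkflowTaskDefinition | Select-Object DisplayName, Id
function New-LcwTask([string]$Name, [string]$DefinitionId, [array]$Arguments = @()) {
    @{ displayName = $Name; taskDefinitionId = $DefinitionId; isEnabled = $true
       continueOnError = $false; arguments = $Arguments }
}
function New-LcwConditions([string]$Rule, [string]$Attribute, [int]$OffsetDays) {
    @{ "@odata.type" = "#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions"
       scope   = @{ "@odata.type" = "#microsoft.graph.identityGovernance.ruleBasedSubjectSet"
                    rule = $Rule }
       trigger = @{ "@odata.type" = "#microsoft.graph.identityGovernance.timeBasedAttributeTrigger"
                    timeBasedAttribute = $Attribute; offsetInDays = $OffsetDays } }
}
$salesGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, use a real group ID
# Onboarding: 2 days before employeeHireDate, scoped to Sales; adds the user to a
# group and issues a one-time Temporary Access Pass instead of a shared password.
$joiner = @{
    category = "joiner"; displayName = "New Employee Onboarding"; isEnabled = $true
    description = "Pre-hire provisioning for Sales"; isSchedulingEnabled = $true
    executionConditions = (New-LcwConditions "(department eq 'Sales')" "employeeHireDate" -2)
    tasks = @(
        (New-LcwTask "Add user to groups" "22085229-5809-45e8-97fd-270d28d66910" `
            @(@{ name = "groupID"; value = $salesGroupId })),
        (New-LcwTask "Generate TAP and send email" "1b555e50-7f65-41d5-b514-5894a026d10d" `
            @(@{ name = "tapLifetimeMinutes"; value = "480" },
              @{ name = "tapIsUsableOnce"; value = "true" }))
    )
}
# Offboarding: on employeeLeaveDateTime, disable first, then strip licences and
# group membership; continueOnError stays false so a failure is visible, not skipped.
$leaver = @{
    category = "leaver"; displayName = "Employee Offboarding"; isEnabled = $true
    description = "Revoke access on the employee's last day"; isSchedulingEnabled = $true
    executionConditions = (New-LcwConditions "(department eq 'Sales')" "employeeLeaveDateTime" 0)
    tasks = @(
        (New-LcwTask "Disable user account"         "1dfdfcc7-52fa-4c2e-bf3a-e3919cc12950"),
        (New-LcwTask "Remove all licenses for user" "8fa97d28-3e52-4985-b3a9-a1126f9b8b4e"),
        (New-LcwTask "Remove user from all groups"  "b3a31406-2a15-4c9a-b25b-a658fa5f07fc")
    )
}
foreach ($w in $joiner, $leaver) {
    $created = New-MgIdentityGovernanceLifecycleWorkflow -BodyParameter $w
    "{0} created with id {1}" -f $created.DisplayName, $created.Id
}
```

The TAP task only succeeds if Temporary Access Pass is enabled in the tenant's authentication methods policy, and the leaver trigger only fires for users whose employeeLeaveDateTime is already populated.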
Monitoring and Managing Lifecycle Workflows
Checking Workflow Execution History
In Microsoft Entra Admin Center, go to Identity Governance > Lifecycle Workflows
Click Execution History
Review completed tasks and check for failures
Adjust workflow triggers or conditions if needed
Setting Up Notifications for Workflow Failures
In the Lifecycle Workflows section, click Workflow Alerts
Configure email notifications for workflow failures
Ensure IT admins receive alerts when a workflow is not completed successfully.
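The execution history check described above, pulled through Microsoft Graph so that failed runs can be reviewed from a scheduled script instead of the portal, as an added example that is not code from the original post. It assumes the Microsoft.Graph.Identity.Governance module, a role that can read workflows, and that $workflowName matches an existing workflow.

```powershell
# Added example (not from the original post): pulls the same execution history the
# admin centre shows, so failed tasks can be surfaced from a scheduled script rather
# than by clicking through. Assumes Microsoft.Graph.Identity.Governance and a role
# that can read workflows; $workflowName must match an existing workflow.
Connect-MgGraph -Scopes "LifecycleWorkflows.Read.All"
$workflowName = "Employee Offboarding"

$wf = Get-MgIdentityGovernanceLifecycleWorkflow -Filter "displayName eq '$workflowName'"
if (-not $wf) { throw "Workflow '$workflowName' not found" }

# Runs from the last 7 days that did not finish cleanly (filtered client-side;
# processingStatus is one of queued, inProgress, completed, completedWithErrors, failed, canceled)
$cutoff = (Get-Date).AddDays(-7)
$runs = Get-MgIdentityGovernanceLifecycleWorkflowRun -WorkflowId $wf.Id -All |
    Where-Object { $_.StartedDateTime -ge $cutoff -and $_.ProcessingStatus -ne 'completed' }

foreach ($run in $runs) {
    "Run {0}: {1}, {2} of {3} tasks failed" -f $run.Id, $run.ProcessingStatus, $run.FailedTasksCount, $run.TotalTasksCount
    # Per-task detail: which user, which task and the failure reason; this is what an alert should carry
    Get-MgIdentityGovernanceLifecycleWorkflowRunTaskProcessingResult -WorkflowId $wf.Id -RunId $run.Id -All |
        Where-Object ProcessingStatus -ne 'completed' |
        ForEach-Object { "  user {0}, task '{1}': {2} - {3}" -f $_.Subject.Id, $_.Task.DisplayName, $_.ProcessingStatus, $_.FailureReason }
}
```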
Microsoft Entra Lifecycle Workflows provides a secure and automated way to manage user onboarding, role changes, and offboarding. Automating these processes reduces IT workload, improves compliance, and enhances security by ensuring that access is correctly provisioned and revoked when needed.
Organisations looking to improve identity management should implement Lifecycle Workflows to ensure efficient user onboarding and offboarding without manual intervention.
Implementing Microsoft Entra Lifecycle Workflows ensures that user identities are managed securely and efficiently throughout their lifecycle within an organisation. This aligns with ISO/IEC 27002:2022 Control 5.16 – Identity Management, which provides a framework for the comprehensive management of identities, encompassing both human and non-human entities.
ISO/IEC 27002:2022 Control 5.16: Identity Management
ISO/IEC 27002:2022 is an internationally recognised standard providing guidelines for information security controls. Control 5.16 specifically addresses identity management and outlines key practices to help organisations:
Define and manage the full lifecycle of identities: ensuring that identities are uniquely identifiable and managed from creation through to deactivation.
Assign and regularly review access rights: granting access based on roles and responsibilities, and conducting periodic reviews to ensure appropriateness.
Implement logging and monitoring: tracking identity usage and access patterns to detect and respond to unauthorised activities.
Ensure compliance with legal and regulatory requirements: aligning identity management practices with applicable laws and standards.
Microsoft Entra Lifecycle Workflows complements ISO/IEC 27002:2022 Control 5.16 by providing automated processes that:
Automate identity provisioning and de-provisioning. Streamlining the creation and removal of identities as personnel join or leave the organisation.
Enforce role-based access controls. Assigning permissions based on predefined roles to maintain consistency and security.
Maintain audit trails. Recording identity-related activities to support monitoring and compliance efforts.
By integrating Lifecycle Workflows with an organisation’s adherence to ISO/IEC 27002:2022 Control 5.16, IT and security teams can establish a robust identity governance strategy that mitigates security risks while ensuring compliance with international standards.
For a deeper understanding of ISO/IEC 27002:2022 Control 5.16 and its application to identity lifecycle management, visit:
High Table’s Guide to ISO 27001 Annex A 5.16: Identity Management
This guide covers identity management principles, compliance requirements, and best practices, assisting organisations in strengthening their identity and access management policies.