
Blog | 5-minute Read

How to automate user provisioning from any HR system

Martyn Gill

Senior Architect and Team Lead

Published: 24 July 2023

You can now automate user provisioning from any HR system or software, with Microsoft’s API-driven inbound provisioning tool. We explain how.

UPDATED NOVEMBER 2023

Microsoft have provided a way to automate user provisioning for some time, albeit limited by your choice of HR software.

Until recently it was a feature available only via integration with the Workday or SAP SuccessFactors Human Capital Management (HCM) systems.

But that restriction no longer exists thanks to the 2023 release of the Microsoft API-driven inbound provisioning tool.

The API allows Microsoft Entra ID to integrate with any HCM or HR system (or any other system of record). It is a major step forward in Microsoft’s cloud-first vision for the future of identity and access management (IAM).

But this is not just about removing limitations. It’s about opening up new ways to improve the onboarding experience, for any organisation, anywhere.

In this blog, we’ll show you how it works, and why it’s unlocking new levels of efficiency, productivity, and security in your joiner-mover-leaver (JML) processes.


Free Video

Identity Masterclass – Integrating HR & IDM systems

Bridge the gap between HR and IT by solving identity and access headaches caused by HCM SaaS solutions.

Discover how to:

  • Properly integrate HCM systems with Azure AD
  • Avoid SaaS app integration complications
  • Ensure effective data governance and compliance

Provisioning automation and change at near real-time speeds

We all know how important it is to get any changes in the system of record reflected in your IAM solution.

The more the delay, the greater the risk of a former employee retaining access to data they shouldn’t have.

With the API-driven inbound provisioning tool, any changes made in your HR system are pushed to Entra ID instantly.

This is a significant improvement, even in comparison to the Workday and SuccessFactors integrations, where data is pushed every 40 minutes.

Now, you have a process that offers fully automated, near real-time provisioning, cutting time-consuming manual tasks and the risks associated with delays or human error.

Bulk change facility means more efficient workflows

The need to manage and make changes to multiple user accounts or pieces of data can be a daunting task.

With the API-driven tool, these changes can be made in bulk, in a single process, straight into Entra ID and on-premises Active Directory.

This not only creates faster, more efficient processes, but also takes away further risks of human error and inconsistencies that can create vulnerabilities and stop people from doing their jobs.

It also offers scalability, helping remove barriers and support large-scale provisioning in organisations during a period of high growth.

How the API works

Microsoft’s API-driven inbound provisioning uses SCIM (System for Cross-domain Identity Management) as its data transfer mechanism.

This is designed to handle different scenarios, including:

  • Asynchronous processing of records in bulk.

  • Extensibility to include any identity attributes.

  • Integration using non-SCIM capable systems, and many file types like CSV.
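
To make the CSV-to-SCIM path concrete, here is an added example (not code from Kocho or Microsoft) that turns an HR export into SCIM bulk request payloads as defined in RFC 7643 and RFC 7644, rejecting incomplete or duplicate rows before anything is sent. The CSV column names, the sample rows and the batch size of 50 are assumptions for illustration; check the current Microsoft documentation for the per-request limit.

```python
import csv
import io
import uuid

BULK = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed sample HR export; the column names are assumptions for this example.
SAMPLE_CSV = """employee_id,given_name,family_name,email,department,status
1001,Ada,Okafor,ada.okafor@example.com,Finance,active
1002,Ben,Hughes,ben.hughes@example.com,Sales,terminated
,Cal,Nowak,cal.nowak@example.com,Sales,active
1002,Ben,Hughes,ben.hughes@example.com,Sales,active
"""

def row_to_user(emp_id, row):
    """Map one HR row to a SCIM User resource; leavers become active=False."""
    return {
        "schemas": [CORE, ENTERPRISE],
        "externalId": emp_id,
        "userName": row["email"].strip(),
        "name": {"givenName": row["given_name"], "familyName": row["family_name"]},
        "active": row["status"].strip().lower() == "active",
        ENTERPRISE: {"employeeNumber": emp_id, "department": row["department"]},
    }

def build_bulk_requests(csv_text, batch_size=50):
    """Return (list of SCIM BulkRequest payloads, list of rejected (line, reason))."""
    seen, users, rejected = set(), [], []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        emp_id = (row.get("employee_id") or "").strip()
        if not emp_id or "@" not in (row.get("email") or ""):
            rejected.append((line_no, "missing employee_id or email"))
        elif emp_id in seen:
            # A repeated ID could silently re-enable a leaver; hold it for review.
            rejected.append((line_no, "duplicate employee_id"))
        else:
            seen.add(emp_id)
            users.append(row_to_user(emp_id, row))
    payloads = []
    for i in range(0, len(users), batch_size):
        ops = [{"method": "POST", "bulkId": str(uuid.uuid4()), "path": "/Users", "data": u}
               for u in users[i:i + batch_size]]
        payloads.append({"schemas": [BULK], "Operations": ops})
    return payloads, rejected
```

Each returned payload is the JSON body of one bulk request; the rejected list is what you would route back to HR rather than push into the directory.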

How it integrates with different HR systems

To facilitate an automated user provisioning process, HR systems can be integrated in a number of ways, including:

  • Directly with the HR Provisioning API

  • Via Microsoft workflow services like Azure Logic Apps

  • Via third-party services like ServiceNow

At Kocho, we provide identity services to a large variety of clients. Typically, this will be to integrate the source of authority for people profile data with their identity services. Either through out-of-the-box capabilities, or supportable extensibility options, we can integrate multiple data sources and systems.

This empowers HR to retain authority over the data through the JML processes.

Driving data authority with serverless workflows

Let’s look at how we can use Microsoft and third-party serverless workflows to empower provisioning automation and data authority.

Azure Logic Apps

Azure Logic Apps is Microsoft’s serverless workflow service. It works by automating repeatable tasks with triggers and actions.

The service already has direct integration with Entra ID Governance Access Packages and Identity Workflows.

But we’re taking this one step further, using Azure Logic Apps to provide easy integration with the Inbound Provisioning API.

This means we can provide a standardised method of integration with any source of authority, controlling changes whenever they take place.

The beauty of Azure Logic Apps is that it allows us to integrate with anything in the cloud or on-premises. It offers connectors to interface with different services, providing triggers and actions to automate user provisioning in line with your organisation’s processes.

This eliminates time-sapping manual tasks and drives greater efficiency improvements.

A full list of the Azure Logic App connectors can be found on the Microsoft website.

ServiceNow

ServiceNow is a well-known IT Service Management solution, which can be used for providing self-service request fulfilment.

For some clients this is core to business processes, ensuring all requests are traceable and have been authorised.

We’ve used the out-of-the-box capabilities in ServiceNow as the business interface to the identity lifecycle.

Self Service Account Activation

Supporting new starters with their onboarding is a necessary but often labour-intensive job, eating into HR managers’ and IT Service Desk time.

But with Self Service Account Activation (SSAA), this task becomes an automated, hands-off process. It allows new starters to activate and sign into their accounts, and change or reset their passwords from the first day of their employment.

This means they can hit the ground running, while saving precious time for management and support staff.

Onboarding processes for users and management can be streamlined using things like E-Mail One-Time Passcode with Microsoft Forms, to retrieve temporary sign-in details, and enabling users to set their own credentials.

This provides a secure method to support the onboarding process, automating user provisioning tasks and supporting mover and leaver processes.

The benefits of automating user provisioning and your JML processes

Organisations who automate user provisioning do so to reap the benefits of a more secure, efficient, and productive JML process.


Productivity

By automating user provisioning, new users have instant access to the tools they need from day one, while time-draining tasks are removed from management and the service desk.


Security

Automated access governance and deprovisioning ensure that user identities and permissions are changed in line with users shifting roles or leaving the business.


Efficiency

Automated processes reduce manual admin tasks to free up staff time. They also eliminate human error from manual user provisioning, reducing unnecessary support tickets.

By integrating your source of authority people profile solution with your identity solution, you’re introducing an environment of greater synergy and togetherness between your HR and IT business functions.

Figure: HCM provisioning user lifecycle flowchart

Start your journey to greatness

Microsoft have put identity and access at the heart of their drive towards continually improving security and productivity.

The API-driven provisioning tool is a significant innovation in this direction, offering new developments to improve and future-proof the onboarding experience.

It provides a means for organisations to automate user provisioning and streamline the entire JML process. It also provides a significant stepping stone for organisations currently using on-premises solutions like Microsoft Identity Manager (MIM) on their journey to Entra ID and the evergreen benefits of cloud-first identity management.

Key takeaways

  • Microsoft’s Inbound Provisioning API integrates any HCM or HR system with Entra ID.

  • Automating the JML processes improves productivity, security, and cost-efficiency.

  • Near real-time changes improve data accuracy and identity lifecycle management.

  • Self-service onboarding lets new starters get up and running on day one.

Ready to find out more?

As a leading Microsoft partner for more than 20 years, and multiple winner of partner of the year, we’ve a long track record in delivering best-in-class identity management solutions for organisations of all sizes and different sectors.  

Arrange a short call to find out more about how we can help automate user provisioning and streamline your JML processes.


Author

Martyn Gill

Senior Architect and Team Lead

With over 20 years’ IT experience, Martyn helps deliver the latest visionary, best-in-breed solutions across identity, cloud, platforms, and infrastructure. He has specific expertise in IAM and zero trust security.
