The Joiner-Mover-Leaver (JML) process is an essential part of an organisation’s HR procedures. However, it can represent a huge headache for your organisation.
With remote working, the adoption of new technologies, and organisations often operating hybrid or multi-cloud IT estates, the process grows ever more complicated.
And the more complex the process, the more time and resources it drains.
The solution?
HR driven provisioning, and the automation capabilities of Microsoft Entra ID (formerly Azure AD).
In this article, we’ll show you how to empower your HR department, and streamline your organisation’s on-boarding, mover, and off-boarding processes using Entra ID.
And why it delivers key business benefits, such as:
- Increased productivity
- Improved security posture
- Efficiency savings
Free Video
Identity Masterclass – Integrating HR & IDM systems
Bridge the gap between HR and IT by solving identity and access headaches caused by HCM SaaS solutions.
Discover how to:
- Properly integrate HCM systems with Azure AD
- Avoid SaaS app integration complications
- Ensure effective data governance and compliance
What is HR driven provisioning?
HR driven provisioning is the way in which you create employee identities.
Basically, the way you provide an employee with secure access to the data, apps, and resources they need to do their job.
This can add up to a lot of tasks, such as:
- Setting up new user accounts
- Assigning roles and licences
- Granting and amending permissions
- Setting up email accounts and calendars
- Removing and deactivating leaver accounts
Carrying out these tasks requires using information from your human resources management system. You create and manage the identity within your access directory.
Done manually, this can be a major drain on time and fraught with the possibilities of human error.
Automation of access lifecycle in Entra ID
To begin automating the access lifecycle, we start by integrating the Human Capital Management (HCM) service with Entra ID. This integration is what enables the HR driven provisioning capability.
It drives the lifecycle of the user accounts and keeps the staff data synchronised.
This lifecycle ensures that user accounts are ready to be used on day one, and disables or removes accounts on the user leave date.
Your various staff personas (e.g., employees, contractors, or subcontractors) are automatically provisioned with a user account. They’ll be granted the right level of access from day one.
Accounts can also be easily re-enabled or re-provisioned for returning or rehired staff.
Organisations that use Workday or SAP SuccessFactors HCMs can benefit from out-of-the-box integration with Azure AD.
To see how we can help you begin this process, you can request an HR provisioning assessment from our expert team.
Microsoft also partners with Aquera to enable integration with other HCM services through its HR Onboarding Bridge.
Starting the adoption of HR driven provisioning
Whilst integration might be the first logical step, understanding the people, process, and data is what makes the end-to-end solution succeed for everyone.
This includes:
- Understanding business processes with user stories
- Building personas for your staff
- Setting expectations, roles, and responsibilities for the joint service offering
- Mapping people data to identity data with the responsible data owners
This creates synergy between HR and IAM, streamlines the processes, reduces friction, and provides a better end-user experience.
Benefits of HR driven provisioning
HR driven provisioning offers the following business benefits for your organisation.
- Increased productivity: Automate the assignment of user accounts and Microsoft 365 licenses, and provide access to key groups. This gives new hires day one access to all the tools they need to increase productivity.
- Increased security: Automate changes to access based on the status of employees, or group memberships with data from the cloud HR app. User identities and access to key apps will update automatically when users change roles/get promoted or leave the organisation.
- Improved compliance and governance: Entra ID keeps audit logs of provisioning requests for both the source and the target systems. This auditing means you can track who has access to these apps from a single screen.
- Manage costs: Using automatic provisioning, your organisation can reduce costs by removing the duplicated data and human errors that come with manual provisioning. You also remove the need for inefficient, custom-built provisioning solutions running on out-of-date legacy technology.
Enhancing user experience with Identity Workflows
Once HR driven provisioning is in-place, Identity Workflows are used to enhance the on-boarding and off-boarding experience.
This is accomplished by:
- Extending the lifecycle process by automating on/off-boarding tasks
- Creating and managing in one place (i.e. centralising processes)
- Enabling scalability for organisation growth
- Reducing and potentially removing manual tasks
- Extensibility with Azure Logic App integration
- Triggers that go beyond attribute values, e.g. ‘X’ days before the start date
- Tasks, triggers (when), and scope (who) for each workflow
Some examples of on/off-boarding tasks include:
- New starter emails
- Generating temporary access passes and sending them to the line manager
- Automatically adding/removing (for leavers) from groups and Teams
- Extensibility with your own custom workflow using Azure Logic Apps
This reduces the need for new starters to visit the service desk on day one to set up their account.
Role-based access can then be provided using dynamic groups. Membership is criteria-based: rules over user attributes generate the group membership automatically.
For example, this can use data from your HCM (like department or location). When staff records are updated, the group membership updates automatically, providing up-to-date access to resources based on HR data.
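As an added illustration (not code from the page, Microsoft or Kocho) of both the lifecycle behaviour described earlier and the dynamic-group behaviour just described, the Python below diffs constructed HR records against a constructed directory state to decide create, enable and disable actions, then evaluates a simplified dynamic membership rule. The rule evaluator handles only the `user.<attribute> -eq <value>` and `-and` subset of Entra's rule syntax; the records, directory state and seven-day lead time are assumed sample values.

```python
import re
from datetime import date, timedelta

# Constructed sample HR records (not a real HCM export); E103 is a rehire with a new start date.
HR_RECORDS = [
    {"id": "E100", "department": "Finance", "city": "London", "start": date(2024, 6, 3), "end": None},
    {"id": "E101", "department": "Sales", "city": "Leeds", "start": date(2023, 1, 9), "end": date(2024, 5, 31)},
    {"id": "E102", "department": "Finance", "city": "London", "start": date(2022, 3, 1), "end": None},
    {"id": "E103", "department": "Finance", "city": "London", "start": date(2024, 6, 3), "end": None},
]
# Constructed directory state by HR id: True = enabled, False = disabled, absent = no account yet.
DIRECTORY = {"E101": True, "E102": True, "E103": False}

def desired_enabled(rec, today, lead_days):
    """HR truth: enabled from `lead_days` before the start date until the leave date."""
    if rec["end"] is not None and rec["end"] <= today:
        return False                                          # leaver: off on the leave date
    return rec["start"] - timedelta(days=lead_days) <= today  # joiner: ready 'X' days early

def plan_actions(records, directory, today, lead_days=7):
    """Diff HR truth against the directory; returns {hr_id: 'create'|'enable'|'disable'}."""
    actions = {}
    for rec in records:
        want, have = desired_enabled(rec, today, lead_days), directory.get(rec["id"])
        if want and have is None:
            actions[rec["id"]] = "create"
        elif want and have is False:
            actions[rec["id"]] = "enable"                     # returning or rehired staff
        elif not want and have:
            actions[rec["id"]] = "disable"
    return actions

def apply_actions(directory, actions):
    """Directory state after the planned actions have run."""
    return {**directory, **{hr_id: a != "disable" for hr_id, a in actions.items()}}

# Toy evaluator for a subset of Entra dynamic-group rule syntax: `user.<attr> -eq <value>` clauses
# joined by -and. Other operators and values containing spaces are deliberately not handled.
CLAUSE = re.compile(r'user\.(\w+)\s+-eq\s+"?([^"\s)]+)"?')

def dynamic_members(records, directory, rule):
    """HR ids of existing accounts whose attributes satisfy every clause in `rule`."""
    if " -or " in rule or "-not " in rule:
        raise ValueError("only -and / -eq rules are supported in this example")
    clauses = CLAUSE.findall(rule)
    members = []
    for rec in records:
        if rec["id"] in directory:                            # no account yet means no membership
            attrs = {**rec, "accountEnabled": str(directory[rec["id"]]).lower()}
            if all(str(attrs.get(attr)) == value for attr, value in clauses):
                members.append(rec["id"])
    return members
```

Running `plan_actions` on the leave date of E101 disables that account, creates E100 a week ahead of their start and re-enables the rehired E103, and the Finance/London rule picks up the new members once those actions have been applied.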
Self-service access to entitlements with access packages
You can create access lifecycles with ease through the self-service tools available within Entra ID’s entitlement management.
This includes features such as:
- Access package of resources, including groups, Teams, applications, and SharePoint sites
- Lifecycle with expiration and ability to extend access, which provides time-based access
- Extensibility with Azure Logic App integration for custom workflows
- Automatic assignment and dynamic entitlement using groups
- Customisation of the request fulfilment questions for approval
- Many approval options with auto-approval and multistep approvals
- Lifecycle management for your contingent workers’ Guest User accounts
- Reduce and potentially remove manual access provisioning and deprovisioning tasks
Resources are grouped together into catalogues and made available for use in access packages, which can include multiple resources.
Entitlements are then configured by specifying who can request the access package, which can also be a dynamic group. This enables HR data to be used to grant entitlements to access resources, enabling staff to request access as and when required.
Entitlement management can also be used to manage the account lifecycle and access for third-party business-to-business (B2B) Guest User accounts.
Why is this important?
Well, it allows you to automate third party access when collaborating in Teams, SharePoint, and similar applications. When the access is no longer required, the system removes the permission.
This same portal is also used for access approvals as well as recertification.
Recertification of access using identity governance
Recertifying access to resources with identity governance ensures that the right access is granted to the authorised users. This is especially important when organisations and staff continually change.
By using regular recertification, you can easily validate access for staff, third parties, and applications. All of this can be done with identity governance access reviews.
This includes:
- Access reviews, with recommendations, through the My Access web portal
- Frequency and duration of review cycles
- Automatically apply results and take actions
- Integrates directly with access packages, groups, Teams and more
Access reviews let the owners of data and applications confirm that access to their resources has been authorised, as well as providing evidence for compliance.
This helps to prevent unauthorised access from being granted to business data, which could be misused or potentially leaked.
End-to-end automated access lifecycle
Conclusion
The joiner-mover-leaver process is crucial, but has always presented a large amount of potential friction for an organisation.
In today’s world, this is truer than ever.
Remote working and hybrid IT estates that can exist across multiple cloud platforms make this even more complex.
By integrating your human capital management with Entra ID, your users will have the correct access to what they need to do their jobs. All at the correct time and securely.
Your HR department becomes the ‘single source of truth’ for the provisioning of roles, responsibilities, and access within your organisation. They have the most accurate and up to date information about all of the users and employees in the business.
Automating these processes is a huge time saver when it comes to JML management. Not only does it reduce manual admin, it also cuts out the time wasted on duplicate or incorrect data entry, significantly saving you time and strengthening your security posture.
Best of all, users and employees will have the correct access to data and tools to do their job or collaborate with the correct people and groups from day one.
Drastically improving company efficiency.
Key takeaways
The JML process is often a source of major friction for an organisation. The more complicated the process, the more time and money you’ll waste.
You can sidestep these headaches with HR driven provisioning, which you can enable by integrating Human Capital Management with Entra ID.
With HR driven provisioning, your HR department becomes your single source of truth for your employees, and becomes the base for automating processes.
By automating your provisioning capabilities with HCM and Entra ID, your processes become more efficient, streamlined, and secure.
Your employees will have the correct level of access to data and tools at every stage of their employment with your organisation. All the way until they leave.