HR driven provisioning: How to perfect the JML process with Entra ID

Martyn Gill

Senior Architect

Published: 31 January 2023

The Joiner-Mover-Leaver (JML) process is an essential part of an organisation’s HR procedures. However, it can represent a huge headache for your organisation.

With remote working, the adoption of new technologies, and organisations often operating hybrid or multi-cloud IT estates, the process grows ever more complicated.

And the more complex the process, the more it drains time and resources.

The solution?

HR driven provisioning, and the automation capabilities of Microsoft Entra ID (formerly Azure AD).

In this article, we’ll show you how to empower your HR department, and streamline your organisation’s on-boarding, mover, and off-boarding processes using Entra ID.

And why it delivers key business benefits, such as:

  • Increased productivity
  • Improved security posture
  • Efficiency savings

Identity Masterclass – Integrating HR & IDM systems (Video)

See how to solve headaches caused by HCM SaaS solutions.

What is HR driven provisioning?

HR driven provisioning is the way in which you create employee identities.

In short, it is how you provide an employee with secure access to the data, apps, and resources they need to do their job.

This can add up to a lot of tasks, such as:

  • Setting up new user accounts
  • Assigning roles and licences
  • Granting and amending permissions
  • Setting up email accounts and calendars
  • Removing and deactivating leaver accounts

Carrying out these tasks requires using information from your human resources management system. You create and manage the identity within your access directory.

Done manually, this can be a major drain on time and is fraught with the possibility of human error.

Automation of access lifecycle in Entra ID

To begin automating the access lifecycle, we start by integrating the Human Capital Management (HCM) service with Entra ID. This integration is what begins the HR driven provisioning capability.

[Figure: HCM provisioning automation access flowchart]

The integration is used to manage the lifecycle of user accounts and to synchronise staff data.

This lifecycle ensures that user accounts are ready to be used on day one, and disables or removes accounts on the user leave date.

Your various staff personas (e.g., employees, contractors, or subcontractors) are automatically provisioned with a user account. They’ll be granted the right level of access from day one.

Accounts can also be easily re-enabled or re-provisioned for returning or rehired staff.
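
The lifecycle described above can be checked by reconciling the HR feed against a directory export and flagging accounts that have drifted from it. The following is an added example, not code from the article, Kocho, or Microsoft: the HR field names are hypothetical, all records are constructed, and it assumes accounts stay disabled until the start date and that the leave date is the last working day.

```python
from datetime import date

# Constructed HR feed; field names are hypothetical, not a real HCM schema.
HR_FEED = [
    {"employee_id": "1001", "start": date(2023, 1, 9), "leave": None},
    {"employee_id": "1002", "start": date(2022, 3, 1), "leave": date(2023, 1, 20)},
    {"employee_id": "1003", "start": date(2023, 2, 6), "leave": None},
    {"employee_id": "1004", "start": date(2021, 6, 14), "leave": date(2022, 12, 31)},
    {"employee_id": "1005", "start": date(2023, 1, 16), "leave": None},
]
# Constructed directory export, keyed like the Graph user properties.
DIRECTORY = [
    {"employeeId": "1001", "userPrincipalName": "a.khan@example.com", "accountEnabled": True},
    {"employeeId": "1002", "userPrincipalName": "b.jones@example.com", "accountEnabled": True},
    {"employeeId": "1003", "userPrincipalName": "c.diaz@example.com", "accountEnabled": True},
    {"employeeId": "1004", "userPrincipalName": "d.osei@example.com", "accountEnabled": False},
    {"employeeId": None, "userPrincipalName": "svc-temp@example.com", "accountEnabled": True},
]
TODAY = date(2023, 1, 31)  # constructed evaluation date

def reconcile(hr_feed, directory, today):
    """Return JML drift findings as sorted (finding, identifier) tuples."""
    hr = {r["employee_id"]: r for r in hr_feed}
    findings, seen = [], set()
    for acct in directory:
        emp_id, upn = acct["employeeId"], acct["userPrincipalName"]
        record = hr.get(emp_id)
        if record is None:
            # No HR record behind the account, so no leave date will ever disable it.
            if acct["accountEnabled"]:
                findings.append(("orphan_enabled", upn))
            continue
        seen.add(emp_id)
        left = record["leave"] is not None and record["leave"] < today
        started = record["start"] <= today
        if acct["accountEnabled"] and left:
            findings.append(("leaver_still_enabled", upn))
        elif acct["accountEnabled"] and not started:
            findings.append(("enabled_before_start", upn))  # policy assumption
        elif not acct["accountEnabled"] and started and not left:
            findings.append(("active_staff_disabled", upn))
    for emp_id, record in hr.items():
        active = record["start"] <= today and (record["leave"] is None or record["leave"] >= today)
        if emp_id not in seen and active:
            findings.append(("joiner_without_account", emp_id))
    return sorted(findings)

if __name__ == "__main__":
    for finding, who in reconcile(HR_FEED, DIRECTORY, TODAY):
        print(f"{finding}: {who}")
```

Findings such as `leaver_still_enabled` and `orphan_enabled` are the ones that matter most for security, since they are enabled accounts with no current employment record behind them.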


[Figure: HCM (Workday) to Azure AD to on-premises flowchart]

To see how we can help you begin this process, you can request an HR provisioning assessment from our expert team.

Microsoft are also partnered with Aquera to enable integration with other HCM services using their HR Onboarding Bridge.

Starting the adoption of HR driven provisioning

Whilst integration might be the first logical step, understanding the people, process, and data can provide a successful end-to-end solution for everyone.

This includes:

  • Understanding business processes with user stories
  • Building personas for your staff
  • Setting expectations, roles, and responsibilities for the joint service offering
  • Mapping people data to identity data with the responsible data owners

This creates synergy between HR and IAM, streamlines the processes, reduces friction, and provides a better end-user experience.

[Figure: HCM provisioning user lifecycle flowchart]

Benefits of HR driven provisioning

HR driven provisioning offers the following business benefits for your organisation.

  • Increased productivity: Automate the assignment of user accounts and Microsoft 365 licenses, and provide access to key groups. This gives new hires day one access to all the tools they need to increase productivity.
  • Increased security: Automate changes to access based on the status of employees, or group memberships with data from the cloud HR app. User identities and access to key apps will update automatically when users change roles/get promoted or leave the organisation.
  • Improved compliance and governance: Entra ID supports the use of user provisioning requests. This auditing functionality means you can track who has access to these apps from a single screen.
  • Manage costs: Using automatic provisioning, your organisation can reduce costs by removing the duplicated data and human errors that you get with manual provisioning. You also remove the need for inefficient, custom-built provisioning solutions from out-of-date legacy technology.

[Figure: HCM provisioning productivity flowchart]

Enhancing user experience with Identity Workflows

Once HR driven provisioning is in place, Identity Workflows are used to enhance the on-boarding and off-boarding experience.

This is accomplished by:

  • Extending the lifecycle process by automating on/off-boarding tasks
  • Creating and managing in one place (i.e. centralising processes)
  • Enabling scalability for organisation growth
  • Reducing and potentially removing manual tasks
  • Extensibility with Azure Logic App integration
  • Lifecycle beyond attributes, ‘X’ days before the start-date
  • Tasks, triggers (when), and scope (who) for each workflow

Some examples of on/off-boarding tasks include:

  • New starter emails
  • Generating temporary access passes and sending them to the line manager
  • Automatically adding/removing (for leavers) from groups and Teams
  • Extensibility with your own custom workflow using Azure Logic Apps

This reduces the need for new starters to visit the service desk on day one to set up their account.

Role-based access can then be provided using dynamic groups. This is criteria-based using data and logic to automatically generate the group membership.

For example, this can use data from your HCM (like department or location). When staff records are updated, the group membership updates automatically, providing up-to-date access to resources based on HR data.

Self-service access to entitlements with access packages

  • Access package of resources, including groups, Teams, applications, and SharePoint sites
  • Lifecycle with expiration and ability to extend access, which provides time-based access
  • Extensibility with Azure Logic App integration for custom workflows
  • Automatic assignment and dynamic entitlement using groups
  • Customisation of the request fulfilment questions for approval
  • Many approval options with auto-approval and multistep approvals
  • Lifecycle for your contingent workers Guest User accounts
  • Reduce and potentially remove manual access provisioning and deprovisioning tasks

Resources are grouped together into catalogues and made available for use in access packages, which can include multiple resources.

Entitlements are then configured by specifying who can request the access package, which can also be a dynamic group. This enables HR data to be used to grant entitlements to access resources, enabling staff to request access as and when required.

[Figure: HCM external user workflow flowchart]

Entitlement management can also be used to manage the account lifecycle and access for third-party business-to-business (B2B) Guest User accounts.

This same portal is also used for access approvals as well as recertification.

Recertification of access using identity governance

Recertifying access to resources with identity governance ensures that the right access is granted to the authorised users. This is especially important when organisations and staff continually change.

By using regular recertification, you can easily validate access for staff, third parties, and applications. All of this can be done with identity governance access reviews.

This includes:

  • Access reviews using the My Access web portal with recommendations
  • Frequency and duration of review cycles
  • Automatically apply results and take actions
  • Integrates directly with access packages, groups, Teams and more

Access reviews let the owners of data and applications confirm that access to their resources has been authorised, as well as providing evidence for compliance.

This helps to prevent unauthorised access from being granted to business data, which could be misused or potentially leaked.

End-to-end automated access lifecycle

[Figure: HCM provisioning end-to-end lifecycle flowchart]


The joiner-mover-leaver process is crucial, but has always presented a large amount of potential friction for an organisation.

In today’s world, this is truer than ever.

Remote working and hybrid IT estates that can exist across multiple cloud platforms make this even more complex.

By integrating your human capital management with Entra ID, your users will have the correct access to what they need to do their jobs. All at the correct time and securely.

Your HR department becomes the ‘single source of truth’ for the provisioning of roles, responsibilities, and access within your organisation. They have the most accurate and up to date information about all of the users and employees in the business.

Best of all, users and employees will have the correct access to data and tools to do their job or collaborate with the correct people and groups from day one.

Drastically improving company efficiency.

Key takeaways

  • You can sidestep these headaches with HR driven provisioning, which you can enable by integrating Human Capital Management with Entra ID.

  • With HR driven provisioning, your HR department becomes your single source of truth for your employees, and becomes the base for automating processes.

  • By automating your provisioning capabilities with HCM and Entra ID, your processes become more efficient, streamlined, and secure.

  • Your employees will have the correct level of access to data and tools at every stage of their employment with your organisation. All the way until they leave.




Martyn Gill

Martyn Gill is a Senior Architect for Kocho. He loves providing the latest visionary, best-in-breed solutions to our clients’ business problems, across multiple disciplines with technologies from our partners.
