Join me as I connect the dots from my previous posts on the fundamental Identity Governance features in Microsoft Entra with Lifecycle Workflows!
Managing user lifecycles through Access Reviews, Access Packages, and Privileged Identity Management can be a daunting and time-consuming burden. The larger our organizations grow, the more comprehensive this task becomes.
For us IT admins, governing users often means sacrificing time that could be spent on strategic initiatives. The result? Rushed work, increased errors, and a less-than-ideal experience for users, managers, and IT teams alike.
But here’s the good news: there’s an easier way to streamline these processes, reduce errors, and improve experiences across the board. While third-party and custom-built solutions exist, why not keep it simple and leverage Microsoft Entra’s built-in solution—Lifecycle Workflows?
Let’s dive in to understand what Lifecycle Workflows (LCWs) are and how they can transform identity governance.
Why should we use Lifecycle Workflows?
IT, HR, Compliance, and Governance teams often share the same challenge: time constraints. Overworked and rushed personnel lead to errors, burnout, and dissatisfaction—a concern highlighted by a 2011 University of Wisconsin-Madison study (focused on nurses, but the human factor holds true across professions).
Combine this with the widely cited figure that 95% of cybersecurity incidents involve human error, and the case for automation becomes crystal clear. LCWs let us automate repetitive, error-prone processes while adhering to Zero Trust principles: the tasks run under the service's own identity, so admins no longer need standing privileged access just to enable accounts, add group memberships, or strip licenses by hand.
Limitations and requirements
Before diving deeper, let’s address some prerequisites and limitations:
License requirements
You’ll need one of the following licenses:
Microsoft Entra Identity Governance
Microsoft Entra Suite
Permission requirements
The least-privileged role required to manage LCWs is Lifecycle Workflow Administrator. Avoid using Global Administrator for day-to-day workflow management; the scoped role is enough to create, edit, run, and review workflows.
Service Limits
Key limitations include:
| Category | Limit |
| --- | --- |
| Number of workflows | 100 per tenant |
| Number of tasks | 25 per workflow |
| Number of custom task extensions | 100 per tenant |
| offsetInDays range of triggerAndScopeBasedConditions executionConditions | 180 days |
| Workflow schedule interval | 1-24 hours |
| Number of users per on-demand selection | 10 |
| durationBeforeTimeout range of custom task extensions | 5 minutes - 3 hours |
Understanding Lifecycle Workflows
Lifecycle Workflows simplify the Joiner-Mover-Leaver (JML) cycle, automating user lifecycle management while ensuring no task is forgotten. The result is reduced workloads for HR, IT, Compliance, and Governance teams—and fewer risks associated with human error, such as a leaver who keeps group memberships and licenses for weeks because nobody ran the offboarding checklist.
Example Scenarios available through Lifecycle Workflows:
Before a New Hire Starts: Send a welcome email to their manager, add the user to relevant groups, and create a Temporary Access Pass for easy first login.
During a Role Change: Trigger custom tasks when a user’s department, job title, or group membership changes.
On Their Last Day: Notify the manager, remove group memberships, and revoke license assignments.
Post-Termination: Automatically delete the user after a specified period.
The time-based automations rely on the user properties employeeHireDate and employeeLeaveDateTime. Only employeeHireDate can be set directly in the Microsoft Entra admin center; both can be populated through:
HR provisioning (on-premises or SaaS).
Custom app solutions (e.g., Azure Logic Apps).
Entra Connect or Cloud Sync for linking on-prem AD attributes
Microsoft Graph
Automating Employee Data: PowerShell Script
Want to test LCW properties?
This PowerShell script sets or updates the employeeHireDate and employeeLeaveDateTime properties for a user in Microsoft Entra ID.
Script Requirements:
Microsoft Graph PowerShell SDK installed.
Administrative permissions with the following scopes:
User.ReadWrite.All
User-LifeCycleInfo.ReadWrite.All
The script requires either a hire date or a leave date (or both), formatted as yyyy-MM-dd (e.g., 2025-03-01).
Employee data PowerShell script
<#
.SYNOPSIS
Updates an employee's hire and/or leave date in Microsoft Entra ID through Microsoft Graph, using their User Principal Name.
.DESCRIPTION
This script connects to Microsoft Graph and sets employeeHireDate and/or employeeLeaveDateTime on the specified user.
At least one of the two dates must be supplied; only the dates that are supplied are written, so an existing
value is never overwritten with an empty one. Dates are validated as real calendar dates (not just by pattern)
and stored in UTC: the hire date at 00:00:00Z and the leave date at 23:59:59Z so the last day is a full day.
.PARAMETER UserPrincipalName
The User Principal Name (UPN) of the employee whose dates are being updated.
Required parameter. Example: john.doe@contoso.com
.PARAMETER HireDateInput
The employee's hire date in 'yyyy-MM-dd' format.
Optional if LeaveDateInput is given. Example: 2024-01-15
.PARAMETER LeaveDateInput
The employee's planned leave date in 'yyyy-MM-dd' format.
Optional if HireDateInput is given. Example: 2024-12-31
.EXAMPLE
.\Update-EmployeeData.ps1 -UserPrincipalName john.doe@contoso.com -HireDateInput 2024-01-15 -LeaveDateInput 2024-12-31
Updates John Doe's hire and leave dates in Microsoft Graph.
.EXAMPLE
.\Update-EmployeeData.ps1 -UserPrincipalName john.doe@contoso.com -LeaveDateInput 2024-12-31
Sets only the leave date and leaves the existing hire date untouched.
.NOTES
Prerequisites:
- Microsoft Graph PowerShell SDK must be installed
- Requires administrative permissions with following scopes:
* User.ReadWrite.All
* User-LifeCycleInfo.ReadWrite.All (employeeLeaveDateTime cannot be read or written without it)
Author: Sebastian Flæng Markdanner
Website: https://chanceofsecurity.com
Version: 1.3
Last Updated: 2024-12-15
.LINK
https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.users/update-mguser
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true,
        HelpMessage = "Enter the user's full User Principal Name (UPN)")]
    [ValidateNotNullOrEmpty()]
    [string]$UserPrincipalName,

    [Parameter(HelpMessage = "Enter hire date in yyyy-MM-dd format")]
    [ValidatePattern('^\d{4}-\d{2}-\d{2}$')]
    [string]$HireDateInput,

    [Parameter(HelpMessage = "Enter leave date in yyyy-MM-dd format")]
    [ValidatePattern('^\d{4}-\d{2}-\d{2}$')]
    [string]$LeaveDateInput
)

# Convert a yyyy-MM-dd string into a UTC DateTime at the given time of day.
# ParseExact rejects impossible dates such as 2024-02-30, which the
# ValidatePattern regex on the parameters would happily accept.
function ConvertTo-UtcDate {
    param (
        [Parameter(Mandatory)][string]$DateInput,
        [Parameter(Mandatory)][TimeSpan]$TimeOfDay
    )
    try {
        $date = [datetime]::ParseExact($DateInput, 'yyyy-MM-dd',
            [System.Globalization.CultureInfo]::InvariantCulture)
    } catch {
        throw "Invalid date: '$DateInput'. Use a real calendar date in 'yyyy-MM-dd' format."
    }
    return [datetime]::SpecifyKind($date.Add($TimeOfDay), [System.DateTimeKind]::Utc)
}

if (-not $HireDateInput -and -not $LeaveDateInput) {
    throw "Specify -HireDateInput, -LeaveDateInput, or both."
}

# Build the Update-MgUser parameters; only dates that were supplied are sent.
$updateParams = @{ UserId = $UserPrincipalName }
if ($HireDateInput) {
    $updateParams['EmployeeHireDate'] = ConvertTo-UtcDate -DateInput $HireDateInput -TimeOfDay ([TimeSpan]::Zero)
}
if ($LeaveDateInput) {
    $updateParams['EmployeeLeaveDateTime'] = ConvertTo-UtcDate -DateInput $LeaveDateInput -TimeOfDay ([TimeSpan]::new(23, 59, 59))
}
if ($HireDateInput -and $LeaveDateInput -and
    $updateParams['EmployeeLeaveDateTime'] -lt $updateParams['EmployeeHireDate']) {
    throw "Leave date ($LeaveDateInput) cannot be earlier than hire date ($HireDateInput)."
}

# Main script execution block
try {
    Write-Verbose "Connecting to Microsoft Graph with required scopes..."
    # Connect with exactly the scopes this operation needs, nothing broader
    Connect-MgGraph -Scopes "User.ReadWrite.All", "User-LifeCycleInfo.ReadWrite.All" | Out-Null

    # Update user lifecycle dates
    Update-MgUser @updateParams

    # Read the values back so the output reflects what the directory actually stored
    $UpdatedUser = Get-MgUser -UserId $UserPrincipalName -Property EmployeeHireDate, EmployeeLeaveDateTime

    # Output results
    Write-Host "Successfully updated lifecycle dates for $($UserPrincipalName):" -ForegroundColor Green
    Write-Host "Hire Date:  $($UpdatedUser.EmployeeHireDate)" -ForegroundColor Cyan
    Write-Host "Leave Date: $($UpdatedUser.EmployeeLeaveDateTime)" -ForegroundColor Cyan
}
catch {
    Write-Error "Operation failed: $_"
    throw
}
finally {
    # Disconnect only when a session exists; Get-MgContext returns $null when not connected
    try {
        if (Get-MgContext) {
            Disconnect-MgGraph | Out-Null
        }
    } catch {}
}
Upon successful execution, the script prints the hire and leave dates as read back from the directory:
The user properties are then reflected in Microsoft Entra ID under the Properties tab, though only for the employeeHireDate.
This script ensures lifecycle properties are accurately configured, enabling the seamless functioning of Lifecycle Workflows. Whether you’re testing LCWs, synchronizing data, or automating manual processes, this script simplifies user property updates.
Microsoft Entra Lifecycle Workflow capabilities
Microsoft Entra introduces a range of Lifecycle Workflow (LCW) templates to simplify and automate the Joiner-Mover-Leaver (JML) processes. As of writing, there are 10 templates grouped into the three lifecycle stages: Joiner, Mover, and Leaver.
These workflows use employee properties to trigger automated, time-based actions like:
Generating Temporary Access Passes (TAPs)
Sending welcome emails
Configuring memberships and access
Integrating custom tasks via Logic Apps for advanced automation like I went through in my Access Packages blog post
This not only frees up valuable time for HR, IT, and managers but also delivers a seamless user experience for Joiners, Movers, and Leavers.
With Lifecycle Workflows, you can:
Create, manage, and delete up to 100 workflows.
Schedule workflows or run them on-demand.
Customize and configure tasks to meet organizational needs.
Add up to 100 custom task extensions per tenant for advanced integrations.
Reporting features
Another key aspect of Lifecycle Workflows is the auditing and reporting capabilities. These include:
Lifecycle Workflow-specific entries in the Microsoft Entra audit logs, so every workflow change and run is tracked alongside other directory activity.
Versioning, which provides traceability and extended retention of workflow configurations.
Lifecycle Workflow history, offering telemetry data on runs, users, and tasks.
History
The History tab provides an overview categorized by Users, Runs, or Tasks, allowing you to quickly switch between these views to monitor workflow status from different perspectives.
Opening a specific summary process—such as a Runs record—gives a more detailed view. This includes insights organized per User or Task, helping you pinpoint the status and performance of individual workflow executions.
Versioning
Versioning provides visibility into which workflow configurations were applied to a specific user. It also enables change tracking and offers a clearer overview of modifications, ensuring better traceability and insights into workflow updates.
How to configure Lifecycle Workflow
Let's take a look at how to configure LCWs: a step-by-step walkthrough for a Joiner workflow, followed by an overview of the Joiner, Mover, and Leaver workflows needed for our scenarios.
For demonstration purpose, let's take a look at a few of the Joiner flow templates.
The scenarios
The organization wants to streamline three key processes: onboarding, internal transfers, and offboarding.
For onboarding, when a new hire is pre-registered, their account should be created, and they should be granted access to the onboarding Microsoft Teams team where e-learning materials and the knowledge base are shared.
On their first day, a welcome email should be sent automatically, and their manager should receive a Temporary Access Pass (TAP) for the new hire’s first sign-in. The new employee should also be added to the required groups to ensure access to all necessary resources.
In the Marketing department, employees frequently transfer to other teams, creating a recurring administrative burden. The process of removing access to Marketing resources when an employee leaves the department needs to be automated to save time and ensure accuracy.
For offboarding, management needs a solution for immediate, on-demand termination of an employee’s access without deleting their account. This ensures the account remains intact while access is revoked promptly for security purposes.
Automating these processes reduces manual work, improves consistency, and ensures a smoother experience for all involved.
Step-by-step guide to create a Lifecycle Workflow
To meet management’s requirements, we need to create several workflows. While the specific configurations may vary depending on the workflow type (Joiner, Mover, or Leaver), the overall steps remain consistent:
Access the Lifecycle Workflow as a part of the Identity Governance menu in the Microsoft Entra Portal. Choose Create workflow on the overview page.
Choose the template you want. Selecting Details allows you to preview the template.
On the Basics tab we configure the following basic information and the trigger for the workflow:
Name
Description
Trigger Details
The Trigger Details section allows you to modify what activates the workflow, providing flexibility in how it operates. The available trigger types include:
Attribute Changes
Triggered when a specified attribute on a user is modified.
Examples include changes to office location, department, Display Name, UPN, or any other built-in Microsoft Entra attribute.
Group Membership Changes
Triggered when users are added to or removed from specified groups.
Supports monitoring one or multiple groups.
Time-Based Attribute
Applicable to Joiner and Leaver workflows.
This trigger relies on the employeeHireDate (for Joiners) or employeeLeaveDateTime (for Leavers).
You can adjust the count of days relative to these dates but cannot modify the property itself.
The Configure Scope blade defines which users or groups the workflow applies to, based on the trigger type:
Attribute Changes: Use rule-based filtering with AND/OR syntax to define users in scope.
Group Membership Changes: Specify which groups the workflow monitors for membership changes.
Time-Based Attribute: Similar to Attribute Changes, use rule-based filtering with AND/OR logic to determine the target users.
The Review tasks menu shows the template's pre-configured tasks and lets you add others.
For a Joiner-type lifecycle workflow these are the available built-in tasks, which we can add and configure as needed.
Review and finish the lifecycle workflow.
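The portal steps above map directly onto the Microsoft Graph lifecycleWorkflows API, which is what the portal calls under the hood. The following PowerShell is an added example (not code from the original post) that creates the onboarding Joiner workflow from the scenario through the Microsoft Graph PowerShell SDK: a time-based trigger on employeeHireDate, a rule-based scope, and the three built-in tasks (TAP to manager, welcome email, add to groups). Built-in task definition IDs are resolved by display name at run time rather than hard-coded, so nothing here depends on a GUID; the display-name patterns, the department value, the group object ID, and the workflow name are assumptions you should verify against the task definition list in your own tenant.

```powershell
# Added example: create a scheduled Joiner workflow via the Graph API from PowerShell.
# Needs the Microsoft Graph PowerShell SDK and the LifecycleWorkflows.ReadWrite.All scope.
# Placeholders (assumptions, not values from the post): group ID, department, display names.
Connect-MgGraph -Scopes 'LifecycleWorkflows.ReadWrite.All' | Out-Null

$Base              = 'https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows'
$OnboardingGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: group new hires should join
$ScopeRule         = "(department eq 'Marketing')"            # same AND/OR rule syntax as the Configure Scope blade

# Resolve built-in task definitions by display name instead of hard-coding their IDs.
$taskDefs = (Invoke-MgGraphRequest -Method GET -Uri "$Base/taskDefinitions").value
function Get-TaskDefinitionId {
    param([Parameter(Mandatory)][string]$NamePattern)   # -like pattern, matched case-insensitively
    $match = @($taskDefs | Where-Object { $_.displayName -like $NamePattern })
    if ($match.Count -ne 1) {
        throw "Expected exactly one task definition matching '$NamePattern', found $($match.Count). " +
              "List $Base/taskDefinitions to check the current display names."
    }
    return $match[0].id
}

$workflow = @{
    category            = 'joiner'
    displayName         = 'Onboarding - first day'                  # placeholder name
    description         = 'TAP to manager, welcome email, onboarding groups on the hire date'
    isEnabled           = $true
    isSchedulingEnabled = $true     # run on the tenant schedule; $false would make it on-demand only
    executionConditions = @{
        '@odata.type' = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions'
        scope   = @{
            '@odata.type' = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet'
            rule          = $ScopeRule
        }
        trigger = @{
            '@odata.type'      = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger'
            timeBasedAttribute = 'employeeHireDate'   # the property itself cannot be changed, only the offset
            offsetInDays       = 0                    # 0 = on the hire date; must stay within the 180-day limit
        }
    }
    tasks = @(
        @{ continueOnError = $false; isEnabled = $true; displayName = 'Generate TAP and email manager'
           taskDefinitionId = (Get-TaskDefinitionId 'Generate TAP*'); arguments = @() }
        @{ continueOnError = $true;  isEnabled = $true; displayName = 'Send welcome email'
           taskDefinitionId = (Get-TaskDefinitionId 'Send Welcome Email*'); arguments = @() }
        @{ continueOnError = $false; isEnabled = $true; displayName = 'Add to onboarding groups'
           taskDefinitionId = (Get-TaskDefinitionId 'Add User To Groups*')
           arguments = @(@{ name = 'groupID'; value = $OnboardingGroupId }) }
    )
}

# Guard against the per-workflow task limit before calling the API
if ($workflow.tasks.Count -gt 25) { throw 'A workflow may contain at most 25 tasks.' }

$created = Invoke-MgGraphRequest -Method POST -Uri "$Base/workflows" `
    -Body ($workflow | ConvertTo-Json -Depth 10) -ContentType 'application/json'

Write-Host "Created workflow '$($created.displayName)' with id $($created.id)" -ForegroundColor Green
Disconnect-MgGraph | Out-Null
```

Two practical notes: the scope rule is evaluated against the directory at each scheduled run, so a user whose department is corrected after their hire date will not be picked up retroactively, and a task marked continueOnError = $true (the welcome email here) lets the security-relevant tasks after it still run if the mail step fails.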
Now that we’ve covered the steps to create workflows, let’s look at how specific Lifecycle Workflows (LCWs) can address management’s requirements:
Automatic generation of TAP, welcome mail to user and group memberships for new hires
Immediate on-demand employee termination, removing access and disabling the user account.
Marketing internal position change, removing access to marketing resources.
Lifecycle Workflow post-creation
Once the workflows are created, they can be managed, updated, or run outside their scheduled intervals. The dashboard provides an overview of all configured workflows and their schedules.
The default schedule runs every 3 hours, and most workflows follow it; the interval can be set anywhere between 1 and 24 hours (see the service limits above). Workflows like the on-demand termination flow are run manually as needed instead.
To update the schedule or make changes to the workflows:
Navigate to Workflow Settings in the left-hand menu.
Alternatively, select View Workflow Settings directly from the feed.
From here, we can:
Adjust the schedule frequency.
Configure the automated email domain used for lifecycle workflows.
Enable or disable the use of the company-branded banner for emails, as defined in your organization’s branding settings.
Running workflows on-demand
For scenarios requiring immediate action, workflows can be executed manually outside of their schedule. To run a workflow on-demand:
Navigate to Workflows in the menu, open the workflow you want, and choose Run on demand.
Select users and run the workflow
The manual execution is logged in the workflow history, providing admins with full visibility of runs, users, and tasks.
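For the emergency offboarding case, clicking through the portal is slow when several accounts must be cut off at once, and the selection dialog accepts at most 10 users per run. The PowerShell below is an added example (not from the original post) that activates an existing workflow on demand for a list of users through the Graph API, splitting the list into batches of 10 to respect that limit, and then reads the run history back so the admin can confirm the tasks completed; this covers both the on-demand execution and the History reporting described above. The workflow name, the UPN list, and the scopes are assumptions you would replace with your own.

```powershell
# Added example: run an existing Lifecycle Workflow on demand for many users and check the run history.
# Needs the Microsoft Graph PowerShell SDK, LifecycleWorkflows.ReadWrite.All (activate) and User.Read.All (UPN lookup).
# The workflow name and UPNs are placeholders.
Connect-MgGraph -Scopes 'LifecycleWorkflows.ReadWrite.All', 'User.Read.All' | Out-Null

$Base                = 'https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows'
$WorkflowDisplayName = 'Immediate termination - on demand'                          # placeholder
$UserPrincipalNames  = @('alice@contoso.com', 'bob@contoso.com', 'carol@contoso.com')  # placeholder list
$BatchSize           = 10   # service limit: users per on-demand selection

# Resolve the workflow by display name (activation needs its ID) and refuse ambiguous matches
$workflows = (Invoke-MgGraphRequest -Method GET -Uri "$Base/workflows").value
$workflow  = @($workflows | Where-Object { $_.displayName -eq $WorkflowDisplayName })
if ($workflow.Count -ne 1) { throw "Expected one workflow named '$WorkflowDisplayName', found $($workflow.Count)." }
$workflowId = $workflow[0].id

# On-demand activation takes user object IDs, not UPNs
$userIds = @(foreach ($upn in $UserPrincipalNames) { (Get-MgUser -UserId $upn -Property Id).Id })

for ($i = 0; $i -lt $userIds.Count; $i += $BatchSize) {
    $last  = [Math]::Min($i + $BatchSize, $userIds.Count) - 1
    $batch = @($userIds[$i..$last])
    $body  = @{ subjects = @($batch | ForEach-Object { @{ id = $_ } }) }
    Invoke-MgGraphRequest -Method POST -Uri "$Base/workflows/$workflowId/activate" `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json' | Out-Null
    Write-Host "Activated '$WorkflowDisplayName' for $($batch.Count) user(s)." -ForegroundColor Green
}

# Read the run history: the same data the History tab shows under Runs. Failed tasks in an
# offboarding run mean access was NOT fully revoked, so this is the check worth automating.
$runs = (Invoke-MgGraphRequest -Method GET -Uri "$Base/workflows/$workflowId/runs").value |
    Sort-Object { [datetime]$_.startedDateTime } -Descending | Select-Object -First 5
foreach ($run in $runs) {
    '{0}  status={1}  users={2}  failedUsers={3}  failedTasks={4}' -f $run.startedDateTime,
        $run.processingStatus, $run.totalUsersCount, $run.failedUsersCount, $run.failedTasksCount
}
Disconnect-MgGraph | Out-Null
```

The runs collection only reflects tasks the service has processed, so poll it again after a few minutes for a run that still reports an in-progress status before treating an offboarding as complete.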
User experience
The user and manager experience depends on the configured workflow. For example:
Manager Notifications: When a Temporary Access Pass (TAP) is generated, the manager receives an email with instructions to share the TAP with the user. Because the TAP travels through email, the manager's mailbox becomes part of the first-sign-in trust chain; keep the TAP lifetime short and make it one-time use where the scenario allows.
Welcome Emails: New hires receive an automated welcome email containing onboarding details and links to relevant resources.
These automated workflows provide a streamlined and consistent experience for all parties involved, whether it’s onboarding, internal transfers, or offboarding. By reducing manual effort, these processes become easier to manage and less error-prone, freeing up time for IT, HR, and managers.
Conclusion: Automating Success with Lifecycle Workflows
Microsoft Entra Lifecycle Workflows (LCWs) empower organizations to automate and streamline identity governance processes in the Joiner-Mover-Leaver lifecycle. From onboarding emails to secure offboarding workflows, LCWs reduce human error, save time, and enhance user experiences—all while supporting Zero Trust principles.
With customizable templates, robust auditing, and the flexibility of custom task extensions, LCWs make it easier for IT, HR, and Compliance teams to focus on strategic priorities rather than tedious manual tasks.
Key Takeaways:
Automate processes to save time and reduce errors.
Enhance workflows with customizable templates and auditing tools.
Simplify lifecycle management while adhering to Zero Trust principles.
Oh, and here’s a quick joke for the road:
Why did the computer catch a cold?
It had too many windows open! 😎
As the holiday season approaches, I wish you a Merry Christmas and a Happy New Year! 🎄✨ May your workflows run smoothly, and your holidays be filled with peace and joy.
Ready to embrace automation? Start exploring Microsoft Entra Lifecycle Workflows today and transform your approach to identity management. Feel free to share your experiences or questions in the comments—I’d love to hear from you!
Stay secure, and I’ll see you in the next post! 😊