Sebastian F. Markdanner

Microsoft Entra Identity Governance Fundamentals: Lifecycle workflows

Updated: Jan 6

Join me as I connect the dots from my previous posts on the fundamental Identity Governance features in Microsoft Entra with Lifecycle Workflows!


Managing user lifecycles through Access Reviews, Access Packages, and Privileged Identity Management can be a daunting and time-consuming burden. The larger our organizations grow, the more comprehensive this task becomes.


For us IT admins, governing users often means sacrificing time that could be spent on strategic initiatives. The result? Rushed work, increased errors, and a less-than-ideal experience for users, managers, and IT teams alike.


But here’s the good news: there’s an easier way to streamline these processes, reduce errors, and improve experiences across the board. While third-party and custom-built solutions exist, why not keep it simple and leverage Microsoft Entra’s built-in solution—Lifecycle Workflows?


Let’s dive in to understand what Lifecycle Workflows (LCWs) are and how they can transform identity governance.



Why should we use Lifecycle Workflows?

IT, HR, Compliance, and Governance teams often share the same challenge: time constraints. Overworked and rushed personnel lead to errors, burnout, and dissatisfaction, a concern highlighted by a 2011 University of Wisconsin-Madison study (focused on nurses, but the human factor holds true across professions).


Combine this with the fact that a staggering 95% of cybersecurity incidents are caused by human error, and the case for automation becomes crystal clear. LCWs allow us to automate repetitive, error-prone processes while adhering to Zero Trust principles and minimizing privileged access needs.


 

Limitations and requirements

Before diving deeper, let’s address some prerequisites and limitations:


License requirements

You’ll need one of the following licenses:

  • Microsoft Entra Identity Governance

  • Microsoft Entra Suite


Permission requirements

The least-privileged role required to manage LCWs is Lifecycle Workflow Administrator.


Service Limits

Key limitations include (category: limit):

  • Number of Workflows: 100 per tenant

  • Number of Tasks: 25 per workflow

  • Number of Custom Task Extensions: 100 per tenant

  • offsetInDays range of triggerAndScopeBasedConditions executionConditions: 180 days

  • Workflow schedule interval in hours: 1-24 hours

  • Number of users per on-demand selection: 10

  • durationBeforeTimeout range of custom task extensions: 5 minutes-3 hours


 

Understanding Lifecycle Workflows

Lifecycle Workflows simplify the Joiner-Mover-Leaver (JML) cycle, automating user lifecycle management while ensuring no task is forgotten. The result is reduced workloads for HR, IT, Compliance, and Governance teams, and fewer risks associated with human error.


Example Scenarios available through Lifecycle Workflows:

  • Before a New Hire Starts: Send a welcome email to their manager, add the user to relevant groups, and create a Temporary Access Pass for easy first login.

  • During a Role Change: Trigger custom tasks when a user’s department, job title, or group membership changes.

  • On Their Last Day: Notify the manager, remove group memberships, and revoke license assignments.

  • Post-Termination: Automatically delete the user after a specified period.


These automations rely on the employeeHireDate and employeeLeaveDateTime properties. While only the employeeHireDate can be set directly in the Entra Portal, both properties can be populated through:


  • HR provisioning (on-premises or SaaS).

  • Custom app solutions (e.g., Azure Logic Apps).

  • Entra Connect or Cloud Sync for linking on-prem AD attributes.

  • Microsoft Graph.


Automating Employee Data: PowerShell Script

Want to test LCW properties?

This PowerShell script sets or updates the employeeHireDate and employeeLeaveDateTime properties for a user in Microsoft Entra ID.


Script Requirements:

  • Microsoft Graph PowerShell SDK installed.

  • Administrative permissions with the following scopes:

    • User.ReadWrite.All

    • User-LifeCycleInfo.ReadWrite.All


The script requires either a hire date or a leave date (or both), formatted as yyyy-MM-dd (e.g., 2025-03-01).


Employee data PowerShell script

<#
.SYNOPSIS
    Updates an employee's hire and leave dates in Microsoft Graph using their User Principal Name.

.DESCRIPTION
    This script connects to Microsoft Graph and updates the specified user's hire and/or leave dates.
    Each supplied date is validated as a real calendar date in 'yyyy-MM-dd' format before the
    user's profile is updated. At least one of the two dates must be supplied.

.PARAMETER UserPrincipalName
    The User Principal Name (UPN) of the employee whose dates are being updated.
    Required parameter. Example: john.doe@contoso.com

.PARAMETER HireDateInput
    The employee's hire date in 'yyyy-MM-dd' format.
    Optional, but at least one of HireDateInput and LeaveDateInput is required. Example: 2024-01-15

.PARAMETER LeaveDateInput
    The employee's planned leave date in 'yyyy-MM-dd' format.
    Optional, but at least one of HireDateInput and LeaveDateInput is required. Example: 2024-12-31

.EXAMPLE
    .\Update-EmployeeData.ps1 -UserPrincipalName john.doe@contoso.com -HireDateInput 2024-01-15 -LeaveDateInput 2024-12-31

    Updates John Doe's hire and leave dates in Microsoft Graph.

.EXAMPLE
    .\Update-EmployeeData.ps1 -UserPrincipalName john.doe@contoso.com -LeaveDateInput 2024-12-31

    Sets only the leave date and leaves the existing hire date untouched.

.NOTES
    Prerequisites:
    - Microsoft Graph PowerShell SDK must be installed
    - Requires administrative permissions with following scopes:
      * User.ReadWrite.All
      * User-LifeCycleInfo.ReadWrite.All

    Author: Sebastian Flæng Markdanner
    Website: https://chanceofsecurity.com
    Version: 1.3
    Last Updated: 2024-12-15

.LINK
    https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.users/update-mguser
#>

param (
    [Parameter(Mandatory = $true,
               HelpMessage = "Enter the user's full User Principal Name (UPN)")]
    [ValidateNotNullOrEmpty()]
    [string]$UserPrincipalName,

    [Parameter(HelpMessage = "Enter hire date in yyyy-MM-dd format")]
    [ValidatePattern('^\d{4}-\d{2}-\d{2}$')]
    [string]$HireDateInput,

    [Parameter(HelpMessage = "Enter leave date in yyyy-MM-dd format")]
    [ValidatePattern('^\d{4}-\d{2}-\d{2}$')]
    [string]$LeaveDateInput
)

# At least one date is needed, otherwise there is nothing to update
if (-not $HireDateInput -and -not $LeaveDateInput) {
    throw "Specify -HireDateInput, -LeaveDateInput, or both."
}

# Function to validate a date and format it as an ISO 8601 UTC timestamp
function Format-DateToISO8601 {
    param (
        [string]$DateInput,
        [string]$TimeSuffix
    )
    try {
        # Validate the shape, then that it is a real calendar date (rejects e.g. 2024-13-45)
        if (-not ($DateInput -match "^\d{4}-\d{2}-\d{2}$")) {
            throw "Invalid date format: $DateInput. Please use 'yyyy-MM-dd'."
        }
        [void][datetime]::ParseExact($DateInput, 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
        # Return date in ISO 8601 format, e.g. 2024-01-15T00:00:00Z
        return "$DateInput$TimeSuffix"
    } catch {
        throw "Error processing date input: $_"
    }
}

# Main script execution block
try {
    # Build the Update-MgUser arguments from the dates that were actually supplied
    $UpdateParams = @{ UserId = $UserPrincipalName }
    if ($HireDateInput) {
        $UpdateParams.EmployeeHireDate = Format-DateToISO8601 -DateInput $HireDateInput -TimeSuffix "T00:00:00Z"
    }
    if ($LeaveDateInput) {
        $UpdateParams.EmployeeLeaveDateTime = Format-DateToISO8601 -DateInput $LeaveDateInput -TimeSuffix "T23:59:59Z"
    }

    # Verbose connection status
    Write-Verbose "Connecting to Microsoft Graph with required scopes..."

    # Connect to Microsoft Graph with specified scopes
    Connect-MgGraph -Scopes "User.ReadWrite.All", "User-LifeCycleInfo.ReadWrite.All" | Out-Null

    # Update user lifecycle dates (splatting passes only the properties that were supplied)
    Update-MgUser @UpdateParams

    # Confirm update and retrieve updated user details
    $UpdatedUser = Get-MgUser -UserId $UserPrincipalName -Property EmployeeHireDate,EmployeeLeaveDateTime

    # Output results
    Write-Host "Successfully updated lifecycle dates for $($UserPrincipalName):" -ForegroundColor Green
    Write-Host "Hire Date: $($UpdatedUser.EmployeeHireDate)" -ForegroundColor Cyan
    Write-Host "Leave Date: $($UpdatedUser.EmployeeLeaveDateTime)" -ForegroundColor Cyan
}
catch {
    # Robust error handling with detailed error message
    Write-Error "Operation failed: $_"
    throw
}
finally {
    # Always attempt to disconnect when a session exists, suppressing any disconnection errors
    try {
        if (Get-MgContext) {
            Disconnect-MgGraph | Out-Null
        }
    } catch {}
}

Upon execution, if successful, the script provides the following output:

PowerShell console output after a successful run: a green success message followed by the hire and leave dates in cyan, with the hire date set to 03/01/2025.

The user properties are then reflected in Microsoft Entra ID under the Properties tab, though only the employeeHireDate is displayed there.

User account properties page for Christie Cline. Details include email, job title, hire date (Mar 1, 2025), and department info.

This script ensures lifecycle properties are accurately configured, enabling the seamless functioning of Lifecycle Workflows. Whether you’re testing LCWs, synchronizing data, or automating manual processes, this script simplifies user property updates.


 

Microsoft Entra Lifecycle Workflow capabilities

Microsoft Entra introduces a range of Lifecycle Workflow (LCW) templates to simplify and automate the Joiner-Mover-Leaver (JML) processes. As of writing, there are 10 templates grouped into the three lifecycle stages: Joiner, Mover, and Leaver.


These workflows use employee properties to trigger automated, time-based actions.


This not only frees up valuable time for HR, IT, and managers but also delivers a seamless user experience for Joiners, Movers, and Leavers.


With Lifecycle Workflows, you can:

  • Create, manage, and delete up to 100 workflows.

  • Schedule workflows or run them on-demand.

  • Customize and configure tasks to meet organizational needs.

  • Add up to 100 custom task extensions per tenant for advanced integrations.


Reporting features

Another key aspect of Lifecycle Workflows is the auditing and reporting capabilities. These include:

  • Lifecycle Workflow-specific logs in the unified audit log for detailed tracking.

  • Versioning, which provides traceability and extended retention of workflow configurations.

  • Lifecycle Workflow history, offering telemetry data on runs, users, and tasks.


History

The History tab provides an overview categorized by Users, Runs, or Tasks, allowing you to quickly switch between these views to monitor workflow status from different perspectives.

Dashboard titled "Onboard pre-hire employee | Workflow history" shows user summary with zero users processed, successful, failed, and tasks.

Opening a specific summary process—such as a Runs record—gives a more detailed view. This includes insights organized per User or Task, helping you pinpoint the status and performance of individual workflow executions.

Task dashboard showing user Christie Cline with a completed task on 12/15/2024 at 11:09 PM. Status shows 1 total task.

Versioning

Versioning provides visibility into which workflow configurations were applied to a specific user. It also enables change tracking and offers a clearer overview of modifications, ensuring better traceability and insights into workflow updates.

Workflow management screen shows "Onboard pre-hire employee" version details, settings, and rules for pre-hire tasks, in a clean interface.
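The History and Versioning views above can also be polled from a script, which is how you would feed them into a ticket or a SIEM. The following is an added example, not the author's code: it uses the Microsoft Graph PowerShell SDK with the LifecycleWorkflows.Read.All scope against the Graph v1.0 lifecycleWorkflows endpoints, and assumes the workflow and run resources expose the version, lastModifiedDateTime, processingStatus and failedUsersCount fields as documented for Graph v1.0.

```powershell
# Added example: poll Lifecycle Workflow history and versioning data via Graph
# and flag workflows that changed recently or whose recent runs did not succeed.
param (
    [int]$LookbackDays = 7   # how far back to look at runs and configuration changes
)

Connect-MgGraph -Scopes 'LifecycleWorkflows.Read.All' | Out-Null
$since = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays)
$base  = '/v1.0/identityGovernance/lifecycleWorkflows/workflows'

# Enumerate every workflow; the tenant cap is 100, but follow paging anyway.
$workflows = @()
$uri = $base
do {
    $resp       = Invoke-MgGraphRequest -Method GET -Uri $uri
    $workflows += $resp.value
    $uri        = $resp.'@odata.nextLink'
} while ($uri)

$report = foreach ($wf in $workflows) {
    # Versioning: every saved change bumps 'version', so a recent lastModifiedDateTime
    # on a workflow above version 1 is a configuration change worth a second look.
    $modified = ([datetime]$wf.lastModifiedDateTime).ToUniversalTime()
    $changed  = ($modified -ge $since) -and ($wf.version -gt 1)

    # History: runs inside the window that failed outright or finished with failed users.
    $runs = @((Invoke-MgGraphRequest -Method GET -Uri "$base/$($wf.id)/runs").value |
        Where-Object { $_.startedDateTime -and ([datetime]$_.startedDateTime).ToUniversalTime() -ge $since })
    $bad  = @($runs | Where-Object {
        $_.processingStatus -in 'failed','completedWithErrors' -or $_.failedUsersCount -gt 0 })

    [pscustomobject]@{
        Workflow        = $wf.displayName
        Category        = $wf.category
        Enabled         = $wf.isEnabled
        Version         = $wf.version
        LastModified    = $modified
        ChangedRecently = $changed
        RunsInWindow    = $runs.Count
        FailedRuns      = $bad.Count
        FailedUsers     = [int](($bad | ForEach-Object { $_.failedUsersCount } | Measure-Object -Sum).Sum)
    }
}

# Surface what an IAM owner or SOC reviewer should look at first.
$report | Where-Object { $_.ChangedRecently -or $_.FailedRuns -gt 0 } |
    Sort-Object FailedRuns -Descending | Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```

A workflow whose version jumped without a matching change ticket is as interesting to a reviewer as a run that failed, since a scope or task edit silently changes who gets access.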

 

How to configure Lifecycle Workflow

Let's take a look at how to configure LCWs. We'll go step by step through a Joiner type workflow and then give an overview of the Joiner, Mover, and Leaver LCWs.

For demonstration purposes, let's take a look at a few of the Joiner flow templates.


The scenarios

The organization wants to streamline three key processes: onboarding, internal transfers, and offboarding.


For onboarding, when a new hire is pre-registered, their account should be created, and they should be granted access to the onboarding Microsoft Teams team where e-learning materials and the knowledge base are shared.

On their first day, a welcome email should be sent automatically, and their manager should receive a Temporary Access Pass (TAP) for the new hire’s first sign-in. The new employee should also be added to the required groups to ensure access to all necessary resources.


In the Marketing department, employees frequently transfer to other teams, creating a recurring administrative burden. The process of removing access to Marketing resources when an employee leaves the department needs to be automated to save time and ensure accuracy.


For offboarding, management needs a solution for immediate, on-demand termination of an employee’s access without deleting their account. This ensures the account remains intact while access is revoked promptly for security purposes.


Automating these processes reduces manual work, improves consistency, and ensures a smoother experience for all involved.


Step-by-step guide to create a Lifecycle Workflow

To meet management’s requirements, we need to create several workflows. While the specific configurations may vary depending on the workflow type (Joiner, Mover, or Leaver), the overall steps remain consistent:


  1. Access Lifecycle Workflows from the Identity Governance menu in the Microsoft Entra Portal and choose Create workflow on the overview page.

    Admin center interface with sidebar menu. "Lifecycle workflows" panel showing workflow status: schedule, enabled, disabled. White background.

  2. Choose the template you want. Selecting Details allows you to preview the template.

    Interface showing a template selection for workflows. The right panel displays a template summary for onboarding pre-hire employees.

  3. On the Basics tab we can configure the following basic information and the trigger for the workflow:

    • Name

    • Description

    • Trigger Details

    Workflow setup screen for onboarding pre-hires, showing sections for name, description, and trigger details. Neutral colors.

    1. The Trigger Details section allows you to modify what activates the workflow, providing flexibility in how it operates. The available trigger types include:

      • Attribute Changes

        • Triggered when a specified attribute on a user is modified.

        • Examples include changes to office location, department, Display Name, UPN, or any other built-in Microsoft Entra attribute.

      • Group Membership Changes

        • Triggered when users are added to or removed from specified groups.

        • Supports monitoring one or multiple groups.

      • Time-Based Attribute

        • Applicable to Joiner and Leaver workflows.

        • This trigger relies on the employeeHireDate (for Joiners) or employeeLeaveDateTime (for Leavers).

        • You can adjust the number of days relative to these dates but cannot change which property is used.

    Dropdown menu selecting "Time based attribute" for trigger type in workflow settings, with options for attribute, group changes. White background.

  4. The Configure Scope blade defines which users or groups the workflow applies to, based on the trigger type:

    • Attribute Changes: Use rule-based filtering with AND/OR syntax to define users in scope.

    • Group Membership Changes: Specify which groups the workflow monitors for membership changes.

    • Time-Based Attribute: Similar to Attribute Changes, use rule-based filtering with AND/OR logic to determine the target users.

    User interface for workflow scope configuration with rule settings: userType equal to Member and jobTitle not equal to Janitor.

  5. The Review tasks menu shows the pre-configured tasks and allows you to add other tasks.

    Workflow setup screen titled "Onboard pre-hire employee" showing a task list with one enabled task: "Generate TAP and Send Email."

    1. For a Joiner type lifecycle workflow these are the available built-in tasks, which we can add and configure as needed.

    Form setup screen with fields "Task name" and "Task description" to add users to teams. Options include team selection and task enabling.

  6. Review and finish the lifecycle workflow.

    Screenshot of onboarding workflow settings. Name: Onboard pre-hire employee. Days from event: 2. Rule: userType 'Member'. Schedule enabled.

    1. Now that we’ve covered the steps to create workflows, let’s look at how specific Lifecycle Workflows (LCWs) can address management’s requirements:

      • Automatic generation of a TAP, a welcome email to the user, and group memberships for new hires.

        Workflow screen titled "Onboard new hire employee." Shows setup tasks like email and account enabling with schedule and review options.

      • Immediate on-demand employee termination, removing access and disabling the user account.

        Workflow interface for real-time employee termination, detailing tasks like user removal and account disabling. Options include scheduling.

      • Marketing internal position change, removing access to marketing resources.

        Workflow configuration screen for employee job profile changes. Shows options for tasks, rules, and scheduling with checkboxes enabled.
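The same "Onboard pre-hire employee" workflow from the steps above, created through the Graph API instead of the portal. This is an added example and not code from the original post: it assumes the Microsoft Graph PowerShell SDK, the LifecycleWorkflows.ReadWrite.All scope, the Graph v1.0 lifecycleWorkflows endpoints, and that the TAP task definition accepts the tapLifetimeMinutes and tapIsUsableOnce arguments (check them against the definition's parameters in your tenant before relying on them).

```powershell
# Added example: create the "Onboard pre-hire employee" joiner workflow via Graph.
# It is created disabled and unscheduled so the configuration can be reviewed
# (and a version recorded) before it acts on any account.
Connect-MgGraph -Scopes 'LifecycleWorkflows.ReadWrite.All' | Out-Null
$base = '/v1.0/identityGovernance/lifecycleWorkflows'

# Step 5 equivalent: resolve the built-in task by name instead of hard-coding its id.
$defs    = (Invoke-MgGraphRequest -Method GET -Uri "$base/taskDefinitions").value
$tapTask = $defs | Where-Object { $_.displayName -like 'Generate TAP*' } | Select-Object -First 1
if (-not $tapTask) { throw 'No "Generate TAP and Send Email" task definition found in this tenant.' }

# Steps 3 and 4 equivalent: basics, a time-based trigger 2 days before employeeHireDate
# (a negative offsetInDays means "before"; the service limit is 180 days either way),
# and the scope rule from the screenshot: members whose job title is not Janitor.
$body = @{
    category            = 'joiner'
    displayName         = 'Onboard pre-hire employee'
    description         = 'Generate a TAP and email it to the manager two days before the hire date.'
    isEnabled           = $false
    isSchedulingEnabled = $false
    executionConditions = @{
        '@odata.type' = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions'
        trigger = @{
            '@odata.type'      = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger'
            timeBasedAttribute = 'employeeHireDate'
            offsetInDays       = -2
        }
        scope = @{
            '@odata.type' = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet'
            rule          = "(userType eq 'Member') and (jobTitle ne 'Janitor')"
        }
    }
    tasks = @(
        @{
            taskDefinitionId = $tapTask.id
            displayName      = 'Generate TAP and Send Email'
            description      = 'Single-use TAP valid for 60 minutes, delivered to the manager.'
            isEnabled        = $true
            continueOnError  = $false
            # Assumed argument names; verify against $tapTask.parameters before relying on them.
            arguments        = @(
                @{ name = 'tapLifetimeMinutes'; value = '60' }
                @{ name = 'tapIsUsableOnce';    value = 'true' }
            )
        }
    )
}

$wf = Invoke-MgGraphRequest -Method POST -Uri "$base/workflows" -Body $body
Write-Host "Created '$($wf.displayName)' (id $($wf.id), version $($wf.version)); enable it after review."
Disconnect-MgGraph | Out-Null
```

Keeping the TAP single-use and short-lived limits the window in which a pass forwarded to the wrong mailbox is useful, which is the Zero Trust angle on this task.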

Lifecycle Workflow post-creation

Once the workflows are created, they can be managed, updated, or run outside their scheduled intervals. The dashboard provides an overview of all configured workflows and their schedules.

Lifecycle workflows dashboard showing workflow schedule, enabled/disabled schedules, and deleted workflows. Includes navigation menu.

The default schedule is set to 3 hours, with most workflows following this schedule. However, workflows like the on-demand termination flow can be run manually as needed.


To update the schedule or make changes to the workflows:

  • Navigate to Workflow Settings in the left-hand menu.

  • Alternatively, select View Workflow Settings directly from the feed.

Lifecycle workflows dashboard with options for settings, schedule insights, and quick actions. "View workflow settings" highlighted.

From here, we can:

  • Adjust the schedule frequency.

  • Configure the automated email domain used for lifecycle workflows.

  • Enable or disable the use of the company-branded banner for emails, as defined in your organization’s branding settings.

Settings menu for workflow configuration with a 3-hour schedule slider and email domain set to microsoft.com. Options to use company logo.

Running workflows on-demand

For scenarios requiring immediate action, workflows can be executed manually outside of their schedule. To run a workflow on-demand:


  1. Navigate to Workflows in the menu, open the desired workflow, and choose Run on demand.

    Dashboard titled "Onboard pre-hire employee" showing workflow overview, basic info, and user tasks. Features quick action buttons below.

  2. Select the users and run the workflow.

    Workflow screen for onboarding pre-hires with user selection. Options to configure immediate workflow execution. User details visible below.

  3. The manual execution is logged in the workflow history, providing admins with full visibility of runs, users, and tasks.

    Workflow history page shows user onboarding summary. Two users processed, tasks successful. Details include timestamps and status.
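The same on-demand run driven from PowerShell, for cases where more than a handful of users must be processed at once. This is an added example and not the author's code: it assumes the Microsoft Graph PowerShell SDK, the LifecycleWorkflows.ReadWrite.All and User.Read.All scopes, the Graph v1.0 lifecycleWorkflows endpoints including the workflow activate action, and applies the 10-users-per-on-demand-selection limit from the service limits section by batching.

```powershell
# Added example: run a Lifecycle Workflow on demand for a list of users via Graph,
# batching the request in groups of 10 to match the per-selection service limit.
param (
    [Parameter(Mandatory = $true)][string]$WorkflowDisplayName,   # e.g. the on-demand termination flow
    [Parameter(Mandatory = $true)][string[]]$UserPrincipalNames   # UPNs of the users to process
)

Connect-MgGraph -Scopes 'LifecycleWorkflows.ReadWrite.All', 'User.Read.All' | Out-Null
$base = '/v1.0/identityGovernance/lifecycleWorkflows/workflows'

# Locate the workflow by display name (filtered client-side; at most 100 workflows exist).
$wf = (Invoke-MgGraphRequest -Method GET -Uri $base).value |
      Where-Object { $_.displayName -eq $WorkflowDisplayName } | Select-Object -First 1
if (-not $wf) { throw "Workflow '$WorkflowDisplayName' not found." }

# Resolve each UPN to an object id; report unknown users rather than aborting the batch.
$subjects = @(foreach ($upn in $UserPrincipalNames) {
    try   { @{ id = (Get-MgUser -UserId $upn -Property Id).Id } }
    catch { Write-Warning "Skipping $upn : $($_.Exception.Message)" }
})
if ($subjects.Count -eq 0) { throw 'No resolvable users supplied.' }

# Activate in chunks of 10 so a longer list still respects the limit.
$limit = 10
for ($i = 0; $i -lt $subjects.Count; $i += $limit) {
    $end   = [Math]::Min($i + $limit, $subjects.Count) - 1
    $chunk = @($subjects[$i..$end])
    Invoke-MgGraphRequest -Method POST -Uri "$base/$($wf.id)/activate" -Body @{ subjects = $chunk }
    Write-Host "Requested on-demand run of '$($wf.displayName)' for $($chunk.Count) user(s)."
}

# The execution is recorded in the workflow history like a scheduled run (it may take a
# moment to appear); show the most recent run so the operator can follow it up.
$last = (Invoke-MgGraphRequest -Method GET -Uri "$base/$($wf.id)/runs").value |
    Sort-Object { $_.startedDateTime } -Descending | Select-Object -First 1
if ($last) {
    Write-Host "Latest run: $($last.processingStatus), started $($last.startedDateTime), users $($last.totalUsersCount), failed $($last.failedUsersCount)"
}
Disconnect-MgGraph | Out-Null
```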

User experience

The user and manager experience depends on the configured workflow. For example:

  • Manager Notifications: When a Temporary Access Pass (TAP) is generated, the manager receives an email with instructions to share the TAP with the user.

Email notification from Contoso about new team member LCW Test joining on Dec 15, 2024. Temporary password: w6H4FHPk.

  • Welcome Emails: New hires receive an automated welcome email containing onboarding details and links to relevant resources.

Email screenshot from Contoso welcoming LCW Test to the team. Mentions onboarding, My Apps portal, and contact manager Miriam Graham.

These automated workflows provide a streamlined and consistent experience for all parties involved, whether it’s onboarding, internal transfers, or offboarding. By reducing manual effort, these processes become easier to manage and less error-prone, freeing up time for IT, HR, and managers.


 

Conclusion: Automating Success with Lifecycle Workflows

Microsoft Entra Lifecycle Workflows (LCWs) empower organizations to automate and streamline identity governance processes in the Joiner-Mover-Leaver lifecycle. From onboarding emails to secure offboarding workflows, LCWs reduce human error, save time, and enhance user experiences—all while supporting Zero Trust principles.


With customizable templates, robust auditing, and the flexibility of custom task extensions, LCWs make it easier for IT, HR, and Compliance teams to focus on strategic priorities rather than tedious manual tasks.


Key Takeaways:

  • Automate processes to save time and reduce errors.

  • Enhance workflows with customizable templates and auditing tools.

  • Simplify lifecycle management while adhering to Zero Trust principles.


Oh, and here’s a quick joke for the road:


Why did the computer catch a cold?

It had too many windows open! 😎


As the holiday season approaches, I wish you a Merry Christmas and a Happy New Year! 🎄✨ May your workflows run smoothly, and your holidays be filled with peace and joy.


Ready to embrace automation? Start exploring Microsoft Entra Lifecycle Workflows today and transform your approach to identity management. Feel free to share your experiences or questions in the comments—I’d love to hear from you!


Stay secure, and I’ll see you in the next post! 😊
