Automate onboarding & offboarding tasks with Microsoft Entra | Identity Lifecycle Management

Captions
(bright music) - Did you know that you can automate most of the manual steps to onboard and offboard users as they enter or leave your organization using Microsoft Entra? How you manage user identities in IT, along with just enough permissions for users to access necessary information, as well as any additional steps needed to provide users with what they need, like hardware, to be productive is critical to how effectively people can get up and running. Conversely, as people leave the organization, deprovisioning is just as critical to maintain security and compliance. That's where Lifecycle Workflows and Microsoft Entra ID Governance can help with its prebuilt templates for common tasks.

Now, if you're not familiar with Microsoft Entra, it's a complete identity management platform with everything you knew about Azure Active Directory, along with a number of new capabilities. Identity lifecycle management automation removes many of the manual steps for your everyday identity management tasks while helping you to improve your overall security posture. And it means users don't need to spend days or weeks hunting down information, requesting access to important documents or getting a work-provided computer ordered and set up. Instead, with Lifecycle Workflows, not only do you save time, but users experience more consistency, which means better job satisfaction and reduced risk. And it also works with your HR systems, like Workday and SuccessFactors and others, as part of the onboarding and offboarding workflow.

So let's look at how Lifecycle Workflows automate common tasks starting with user onboarding. So here's an example with new users already added to an HR system, Workday. Now we can see that there are three users who have already been created, and they've also been added to Microsoft Entra ID, formerly known as Azure AD. Now from the Entra portal, you can see Lisa Taylor's profile and all the attributes were automatically mapped from Workday, including her hire date. So she is in the directory service but doesn't yet have access to what she needs to get her job done. So let's take care of that.

In Lifecycle Workflows, I can easily create a custom workflow to run before an employee's start date using one of the prebuilt workflow templates. Now these automatically detect users that match the conditions set in the workflow so you can save time. Now I'll choose the pre-hire template, and I'll give it a name, and I can already see that it's set to run seven days before the employee's hire date. The correct department is already set. So I'll just set the state attribute for Washington state as an additional scope to tailor things further.

Next, I'll head over to review tasks, and this one is built in to generate a temporary access pass or TAP and send an email with the information Lisa needs to get started. Now this is important because Lisa might only have an offer letter from her hiring manager but won't know how to access work resources. So now I'm going to add a few custom tasks to add her to the right groups for access to information. And beyond information access, we can also use the automation to do things like trigger ordering computer hardware and peripherals. And for that, I'll choose a custom task extension to integrate with an external system that we use to purchase hardware.

For the first group's task, I'll click in, search for marketing. There it is, add the group and then hit select and save. And with the security principle of least privilege, she only has access that's needed for her to get her job done and nothing more. Next, I'll configure the second task, which will order the new hardware using our external system. In this case, we want to create a ServiceNow ticket to trigger this. So I'll just select my custom extension for ServiceNow hardware procurement. There it is, and hit save.

And now I can review all of my parameters. Based on our schedule, the workflow will automatically run every hour, and matching our conditions, only apply to new marketing hires who are set to start in the next seven days in Washington state. Now I just need to hit create to confirm, and the workflow is enabled. So that's an example of the pre-hire onboarding steps Microsoft Entra can automate to save time while giving users just enough access.

Now let's switch gears to another common scenario, employee offboarding and making sure that access to information and resources can be revoked automatically, quickly and consistently to reduce risk. Now using the built-in leaver templates, I've already set up real-time separation and post-offboarding workflows based on my company's policies. Now I'll show you a case where an employee is leaving to join a competitor. For that, I'm going to use the real-time separation on-demand workflow, which can run instantly in cases where access revocation timing is critical. Now this workflow will disable an account, removing it also from all Microsoft Teams. I'll choose our user, Vance, and select, which will then kick off the workflow to run on demand, and then access has been revoked.

Now beyond this case, for all other leaver scenarios, you can establish automated policies to enforce complete access revocation. For example, you might have a policy in place for managers to complete an offboarding checklist within 30 days for anyone leaving the organization. Lifecycle Workflows can also help when managers don't complete offboarding checklists in time and also serve as a failsafe to take the additional steps for cleaning up access, also removing group memberships, license assignments, and send an email to the manager and HR team, and finally, per policy, delete those accounts.

Additionally, as an employee goes through the offboarding process, your company policy or sometimes a regulatory requirement may stipulate that each task has been completed and that you have a full audit log of activities. So with Lifecycle Workflows, you can see a complete history for each employee, and within the workflow history, you can monitor the progress of workflows, like the one that we just kicked off for real-time separation with Vance. Because these might be multitask workflows running over a longer period of time, you can also drill in to see the status of individual tasks. So here, I'll check the workflow history to view the details of previous workflow runs, including the status for our tasks.

In fact, the workflow history is a great way to see a summary of either onboarding or offboarding runs as employees enter or leave your organization, then troubleshooting the errors that you might find in the process. Here, we're looking at the history for onboarding new hires, and you'll see that there's an issue with two of our runs. So I'll drill into the first one to find out more. In the user's tab, I can see that one of the tasks has failed, which has left three remaining subsequent tasks unprocessed. Now moving into the task tab from the workflow run, it looks like the welcome email has failed due to a missing or invalid email address.

Lifecycle Workflows also have built-in change tracking with versioning to see changes made as people iterate on their workflows, for example, by adding or removing tasks. So here's a list of eight workflows in our organization, and you can see which ones run on a schedule and which ones are enabled. In the right column, you'll also see the number of versions that have been iterated on until now for each workflow. And it looks like this one for onboarding new hires has been revised quite a bit. Now when I drill into it, you'll see the complete version history for the workflow. And if I look into the most recent version, I can see who created and modified the latest workflow, when it was created, and all the workflow details to make sure that there aren't any issues that need to be corrected.

Often, onboarding workflows will increase their number of tasks over time as you automate more and more of those manual processes. Version 10, in this case, has fewer tasks than before with just three tasks. One to enable the account, then add it to Teams and send a welcome email. If I'm familiar with this workflow, I can compare that with the previous version. In fact, I'm going to close out version 10, and then I'm going to look at version 7 to see its details. And you'll see there are two more tasks to run a custom extension. Remember, that's our hardware procurement process from before, and generate a temporary access pass so that new hires have a way to sign into their work resources. Now I can use this information then to go back to my team and figure out why the change was made and potentially add those missing tasks back into our new hire workflow.

So now you've seen how identity lifecycle management automation, Microsoft Entra, can automate a lot of the manual tasks and steps for onboarding and offboarding users and how it supports troubleshooting and change management with automated tasks. To learn more, check out aka.ms/ILMDocs, and you can try it out today at entra.microsoft.com. Keep checking back to Microsoft Mechanics for the latest in tech updates. Hit subscribe, and thank you for watching. (bright music)
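The version comparison walked through at the end of the captions (version 10 against version 7) can be turned into a repeatable check. The following is an added example, not part of the video or of Microsoft's tooling: it walks a constructed version history and reports which version removed each task the team treats as required, and who saved it. The task names are display labels taken from the captions, and the version contents, accounts and `REQUIRED` baseline are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class WorkflowVersion:
    number: int
    modified_by: str
    tasks: tuple  # task display names in execution order

def diff_tasks(old, new):
    """Return (removed, added) task names between two versions, in order."""
    removed = [t for t in old.tasks if t not in new.tasks]
    added = [t for t in new.tasks if t not in old.tasks]
    return removed, added

def find_regressions(history, required):
    """For each required task missing from the latest version, report the
    version that removed it and the account that saved that version."""
    history = sorted(history, key=lambda v: v.number)
    latest = history[-1]
    findings = {}
    for prev, cur in zip(history, history[1:]):
        removed, _ = diff_tasks(prev, cur)
        for task in removed:
            # A task removed, re-added and removed again: the last removal wins.
            if task in required and task not in latest.tasks:
                findings[task] = (cur.number, cur.modified_by)
    # Required tasks absent from every retained version have no known origin.
    for task in required:
        if task not in latest.tasks and task not in findings:
            findings[task] = (None, None)
    return findings

# Constructed history for illustration; accounts and intermediate versions are made up.
TAP, EXT = "Generate temporary access pass", "Run custom extension"
BASE = ("Enable account", "Add to Teams", "Send welcome email")
FULL = (TAP, "Enable account", "Add to Teams", EXT, "Send welcome email")
HISTORY = [
    WorkflowVersion(7, "admin-a@example.com", FULL),
    WorkflowVersion(8, "admin-a@example.com", FULL),
    WorkflowVersion(9, "admin-b@example.com", (TAP,) + BASE),
    WorkflowVersion(10, "admin-c@example.com", BASE),
]
REQUIRED = {TAP, EXT}  # assumed team baseline for the new-hire workflow

if __name__ == "__main__":
    for task, (version, who) in sorted(find_regressions(HISTORY, REQUIRED).items()):
        print(f"{task!r} removed in version {version} by {who}")
```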
Info
Channel: Microsoft Mechanics
Views: 42,144
Keywords: identity and access management, identity management, zero trust, microsoft teams, Identity Workflows, identity governance, security, identity, identity governance azure, microsoft security, data privacy, identity lifecycle, Microsoft Entra, User onboarding, User offboarding, business security, device security, security software, cybersecurity, data management, data governance, azure ad, enterprise security, azure active directory, identity infrastructure, Microsoft Entra ID
Id: BGE5FUHd-Uc
Length: 9min 5sec (545 seconds)
Published: Tue Jul 11 2023