(bright music)
- Did you know that you can automate most of the manual steps to onboard and offboard users as they enter or leave your organization using Microsoft Entra? How you manage user identities in IT, along with just enough permissions for users to access necessary information, as well as any additional steps needed to provide users with what they need, like hardware, to be productive is critical to how effectively people can get up and running. Conversely, as people leave the organization, deprovisioning is just as critical to maintain security and compliance. That's where Lifecycle Workflows and Microsoft Entra ID Governance can help with its prebuilt templates for common tasks.
Now, if you're not familiar with Microsoft Entra, it's a complete identity management platform with everything you knew about Azure Active Directory, along with a number of new capabilities. Identity lifecycle management automation removes many of the manual steps for your everyday identity management tasks while helping you to improve your overall security posture. And it means users don't need to spend days or weeks hunting down information, requesting access to important documents or getting a work-provided computer ordered and set up. Instead, with Lifecycle Workflows, not only do you save time, but users experience more consistency, which means better job satisfaction and reduced risk. And it also works with your HR systems, like Workday and SuccessFactors and others, as part of the onboarding and offboarding workflow.
So let's look at how Lifecycle Workflows automate common tasks starting with user onboarding. So here's an example with new users already added to an HR system, Workday. Now we can see that there are three users who have already been created, and they've also been added to Microsoft Entra ID, formerly known as Azure AD. Now from the Entra portal, you can see Lisa Taylor's profile and all the attributes were automatically mapped from Workday, including her hire date. So she is in the directory service but doesn't yet have access to what she needs to get her job done. So let's take care of that.
In Lifecycle Workflows, I can easily create a custom workflow to run before an employee's start date using one of the prebuilt workflow templates. Now these automatically detect users that match the conditions set in the workflow so you can save time. Now I'll choose the pre-hire template, and I'll give it a name, and I can already see that it's set to run seven days before the employee's hire date. The correct department is already set. So I'll just set the state attribute for Washington state as an additional scope to tailor things further.
Next, I'll head over to review tasks, and this one is built in to generate a temporary access pass or TAP and send an email with the information Lisa needs to get started. Now this is important because Lisa might only have an offer letter from her hiring manager but won't know how to access work resources. So now I'm going to add a few custom tasks to add her to the right groups for access to information. And beyond information access, we can also use the automation to do things like trigger ordering computer hardware and peripherals. And for that, I'll choose a custom task extension to integrate with an external system that we use to purchase hardware.
For the first group's task, I'll click in, search for marketing. There it is, add the group and then hit select and save. And with the security principle of least privilege, she only has access that's needed for her to get her job done and nothing more. Next, I'll configure the second task, which will order the new hardware using our external system. In this case, we want to create a ServiceNow ticket to trigger this. So I'll just select my custom extension for ServiceNow hardware procurement. There it is, and hit save.
And now I can review all of my parameters. Based on our schedule, the workflow will automatically run every hour, and matching our conditions, only apply to new marketing hires who are set to start in the next seven days in Washington state. Now I just need to hit create to confirm, and the workflow is enabled. So that's an example of the pre-hire onboarding steps Microsoft Entra can automate to save time while giving users just enough access.
Now let's switch gears to another common scenario, employee offboarding and making sure that access to information and resources can be revoked automatically, quickly and consistently to reduce risk. Now using the built-in leaver templates, I've already set up real-time separation and post-offboarding workflows based on my company's policies. Now I'll show you a case where an employee is leaving to join a competitor. For that, I'm going to use the real-time separation on-demand workflow, which can run instantly in cases where access revocation timing is critical. Now this workflow will disable an account, removing it also from all Microsoft Teams. I'll choose our user, Vance, and select, which will then kick off the workflow to run on demand, and then access has been revoked.
Now beyond this case, for all other leaver scenarios, you can establish automated policies to enforce complete access revocation. For example, you might have a policy in place for managers to complete an offboarding checklist within 30 days for anyone leaving the organization. Lifecycle Workflows can also help when managers don't complete offboarding checklists in time and also serve as a failsafe to take the additional steps for cleaning up access, also removing group memberships, license assignments, and send an email to the manager and HR team, and finally, per policy, delete those accounts.
Additionally, as an employee goes through the offboarding process, your company policy or sometimes a regulatory requirement may stipulate that each task has been completed and that you have a full audit log of activities. So with Lifecycle Workflows, you can see a complete history for each employee, and within the workflow history, you can monitor the progress of workflows, like the one that we just kicked off for real-time separation with Vance. Because these might be multitask workflows running over a longer period of time, you can also drill in to see the status of individual tasks. So here, I'll check the workflow history to view the details of previous workflow runs, including the status for our tasks.
In fact, the workflow history is a great way to see a summary of either onboarding or offboarding runs as employees enter or leave your organization, then troubleshooting the errors that you might find in the process. Here, we're looking at the history for onboarding new hires, and you'll see that there's an issue with two of our runs. So I'll drill into the first one to find out more. In the user's tab, I can see that one of the tasks has failed, which has left three remaining subsequent tasks unprocessed. Now moving into the task tab from the workflow run, it looks like the welcome email has failed due to a missing or invalid email address.
Lifecycle Workflows also have built-in change tracking with versioning to see changes made as people iterate on their workflows, for example, by adding or removing tasks. So here's a list of eight workflows in our organization, and you can see which ones run on a schedule and which ones are enabled. In the right column, you'll also see the number of versions that have been iterated on until now for each workflow. And it looks like this one for onboarding new hires has been revised quite a bit.
Now when I drill into it, you'll see the complete version history for the workflow. And if I look into the most recent version, I can see who created and modified the latest workflow, when it was created, and all the workflow details to make sure that there aren't any issues that need to be corrected. Often, onboarding workflows will increase their number of tasks over time as you automate more and more of those manual processes. Version 10, in this case, has fewer tasks than before with just three tasks. One to enable the account, then add it to Teams and send a welcome email. If I'm familiar with this workflow, I can compare that with the previous version. In fact, I'm going to close out version 10, and then I'm going to look at version 7 to see its details. And you'll see there are two more tasks to run a custom extension. Remember, that's our hardware procurement process from before, and generate a temporary access pass so that new hires have a way to sign into their work resources. Now I can use this information then to go back to my team and figure out why the change was made and potentially add those missing tasks back into our new hire workflow.
So now you've seen how identity lifecycle management automation, Microsoft Entra, can automate a lot of the manual tasks and steps for onboarding and offboarding users and how it supports troubleshooting and change management with automated tasks. To learn more, check out aka.ms/ILMDocs, and you can try it out today at entra.microsoft.com. Keep checking back to Microsoft Mechanics for the latest in tech updates. Hit subscribe, and thank you for watching.
(bright music)