Empowering user workflow with Entra ID Lifecycle Workflow (LCW)

TL;DR

Microsoft Entra ID, previously Azure AD, has introduced a new feature called Lifecycle Management. This tool automates user lifecycle management tasks, allows customization of workflow templates, and integrates with external systems. It also provides audit logs, workflow history, and reporting features for monitoring and troubleshooting.

When combined with Access Packages, Lifecycle Workflows (LCW) can significantly enhance security. It ensures accurate assignment of necessary group memberships, licenses, and other custom elements. It also revokes permissions based on package specifications and provides options for removing a user from Entra ID groups, revoking licenses, and deleting user accounts when a user is transitioning or leaving the organization.

To get started with LCW, you need the Microsoft Entra ID Governance license and the Identity Governance Administrator role in Entra ID. The blog provides a step-by-step guide on how to deploy your first workflow and navigate through the Lifecycle Workflow. It also explains how to configure the workflow and tasks, add a new user, and verify the workflow through logs.

Introduction

Microsoft Entra ID, formerly known as Azure AD, is continually evolving with the addition of numerous features. One of the latest advancements to reach General Availability is the Lifecycle Management feature. 

Why should you use it?

  • Automate user lifecycle management: LCW allows you to automate tasks such as creating, updating, or deleting user accounts based on triggers such as hiring, promotion, or termination events.
  • Customize workflow templates: LCW provides built-in templates for common scenarios, such as onboarding or offboarding employees, and allows you to customize them according to your organization’s needs and preferences.
  • Integrate with external systems: LCW supports integration with various external systems, such as HR, ITSM, or CRM, through connectors, APIs, or PowerShell scripts, to enable data exchange and synchronization across different platforms.
  • Monitor and troubleshoot workflows: LCW provides audit logs, workflow history, and reporting features, to help you track and analyze the workflow execution and performance, and identify and resolve any issues or errors.
  • Easy to use: Getting started with LCW is extremely easy. The most basic functionality takes only a few minutes to set up, and once you integrate it with external systems the range of automation you can build is huge.

Security enhancement

One of the biggest security risks is the misuse of user profiles. Lifecycle Workflows (LCW) can help prevent this by automatically managing the duration and access level of user accounts. LCW can also ensure that users are correctly assigned to Entra ID groups based on predefined rules and policies. This feature can significantly streamline the process of assigning correct permissions. By associating users with Entra ID groups that have pre-configured access packages, we can ensure that users can effortlessly request the permissions they are eligible for. This not only enhances security but also improves the user experience by simplifying the process of permission management.

Access Packages + LCW

Using Access Packages and Lifecycle Workflows (LCW) together lets you significantly enhance your security posture. This combination ensures that users are accurately assigned the necessary group memberships, licenses, and any other custom elements you wish to include. Access Packages play a crucial role in maintaining security by automatically revoking permissions based on the package specifications, thereby mitigating potential threats from unauthorized users. Furthermore, LCW steps in when a user is transitioning or leaving the organization, offering options for removing the user from Entra ID groups, revoking licenses, and deleting the user account. This comprehensive approach provides a robust security framework while simplifying user lifecycle management.

For more information about access packages see my previous blog.

How to get started

How to deploy your first workflow

  • Navigate to Lifecycle Workflow
  • Create new workflow
  • Choose a template (for this example I’m using the )
  • Configure the workflow
  • Configure the tasks that should be executed in this workflow
  • I created a flow that should add a user to the Entra ID group Marvel when the department was set to Marvel.
  • Add a new User
  • Verify the workflow by looking into the logs
    • As you can see from the logs it failed and stopped the flow. This is because the parameter Continue workflow execution on error is turned off by default. Turning this on ensures that the workflow continues even though one of the tasks failed. Looking into this error, it is because the user doesn’t have an email.
    • By enabling the parameter Continue workflow execution on error we can ensure that the user is added to the group even though it has no email.
  • The result is that the user is added to the Marvel Entra ID group
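The same workflow can be created and verified through Microsoft Graph instead of the portal. The PowerShell below is an added example, not code from the original post or from Microsoft: it builds the post's joiner workflow (add the user to the Marvel group when department is Marvel), sets the task's `continueOnError` flag that the portal calls "Continue workflow execution on error", runs the workflow on demand for one user, and reads the task results that the post checks in the logs. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds the Identity Governance Administrator role; `$MarvelGroupId`, `$TestUserId` and the workflow display names are placeholders, and the task argument name `groupID` is taken from my reading of the Graph documentation for this task.

```powershell
# Added example (not from the original post). Placeholders: replace before running.
$MarvelGroupId = '<object-id-of-the-Marvel-group>'
$TestUserId    = '<object-id-of-a-test-user-in-department-Marvel>'

# Delegated permission for managing lifecycle workflows.
Connect-MgGraph -Scopes 'LifecycleWorkflows.ReadWrite.All'

$base = 'https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows'

# Look up the built-in "Add user to groups" task definition by name instead of hardcoding its ID.
$taskDef = (Invoke-MgGraphRequest -Method GET -Uri "$base/taskDefinitions").value |
    Where-Object { $_.displayName -eq 'Add user to groups' }
if (-not $taskDef) { throw 'Task definition "Add user to groups" was not found in this tenant.' }

$workflow = @{
    category            = 'joiner'
    displayName         = 'Add Marvel users to Marvel group'
    description         = 'Adds new hires whose department is Marvel to the Marvel Entra ID group'
    isEnabled           = $true
    isSchedulingEnabled = $false   # run on demand first; turn scheduling on once the run is verified
    executionConditions = @{
        '@odata.type' = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions'
        scope = @{
            '@odata.type' = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet'
            rule          = "(department eq 'Marvel')"        # the scope rule from the post
        }
        trigger = @{
            '@odata.type'      = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger'
            timeBasedAttribute = 'employeeHireDate'
            offsetInDays       = 0
        }
    }
    tasks = @(
        @{
            displayName      = 'Add user to Marvel group'
            description      = 'Group membership assigned by LCW rather than by hand'
            isEnabled        = $true
            continueOnError  = $true       # "Continue workflow execution on error" in the portal
            taskDefinitionId = $taskDef.id
            arguments        = @(
                @{ name = 'groupID'; value = $MarvelGroupId }   # argument name: assumption from Graph docs
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST -Uri "$base/workflows" `
    -Body $workflow -ContentType 'application/json'
Write-Host "Created workflow $($created.id)"

# Run the workflow on demand for the test user (same as "Run on demand" in the portal).
Invoke-MgGraphRequest -Method POST -Uri "$base/workflows/$($created.id)/activate" `
    -Body @{ subjects = @(@{ id = $TestUserId }) } -ContentType 'application/json'

# Verify: list the runs and the per-task results, which is what the post's log check shows.
Start-Sleep -Seconds 30   # runs are processed asynchronously
$runs = (Invoke-MgGraphRequest -Method GET -Uri "$base/workflows/$($created.id)/runs").value
foreach ($run in $runs) {
    $results = (Invoke-MgGraphRequest -Method GET `
        -Uri "$base/workflows/$($created.id)/runs/$($run.id)/taskProcessingResults").value
    foreach ($r in $results) {
        # A failed task with continueOnError = $true no longer stops the remaining tasks.
        Write-Host ("{0}: {1} ({2})" -f $r.subject.id, $r.processingStatus, $r.failureReason)
    }
}
```

If the run reports a failure for a task, the `failureReason` field is where the post's "user doesn't have an email" message shows up; with `continueOnError` set, the group-add task still completes for that user.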

Good to know

To set the end date for employees (employeeLeaveDateTime), it’s necessary to use the Microsoft Graph API, which requires delegated permissions. For more information on this process, please refer to the provided resources. More information can be found here.
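As an added example (not from the original post), this PowerShell sets `employeeLeaveDateTime` for a leaver through Microsoft Graph and reads it back. It assumes the Microsoft.Graph PowerShell SDK is installed and that you sign in interactively, because this attribute can only be written with a delegated permission (an app-only client-credentials sign-in is rejected); `$Upn` and the leave date are placeholders.

```powershell
# Added example (not from the original post). Placeholders: replace before running.
$Upn       = 'leaver@contoso.example'
$LeaveDate = (Get-Date).AddDays(14).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# Delegated scope: the write must be done as a signed-in user, not with application permissions.
Connect-MgGraph -Scopes 'User-LifeCycleInfo.ReadWrite.All'

$userUri = "https://graph.microsoft.com/v1.0/users/$Upn"

# Write the leave date (ISO 8601, UTC). A leaver workflow can trigger on this attribute.
Invoke-MgGraphRequest -Method PATCH -Uri $userUri `
    -Body @{ employeeLeaveDateTime = $LeaveDate } -ContentType 'application/json'

# Read it back; the attribute is not returned by default, so ask for it with $select.
$user = Invoke-MgGraphRequest -Method GET `
    -Uri "$userUri`?`$select=userPrincipalName,employeeLeaveDateTime"

if ($user.employeeLeaveDateTime) {
    Write-Host "$($user.userPrincipalName) leaves on $($user.employeeLeaveDateTime)"
} else {
    throw "employeeLeaveDateTime was not set; check that the sign-in was delegated and the scope was granted."
}
```

Setting the date well before the leave day gives a leaver workflow with a pre-offboarding trigger time to run; the final check that the account has actually lost its group memberships and licenses is still the workflow's run history, not this script.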

Summary

The blog post introduces Microsoft Entra ID’s Lifecycle Management feature, which automates user lifecycle management tasks and enhances security. It provides customizable workflow templates, integrates with external systems, and offers monitoring tools. When combined with Access Packages, it improves security by managing user profiles and streamlining permission assignments. The post also guides on deploying a workflow, creating and configuring it, adding a new user, and the importance of the ‘Continue workflow execution on error’ parameter.
