Automate onboarding & offboarding tasks with Microsoft Entra | Identity Lifecycle Management

  • Added 1 July 2024
  • When users enter or leave your organization, automate manual steps to onboard and offboard with Microsoft Entra. For onboarding, manage user identities, grant permissions to access necessary information, and provide users with what they need to be productive, such as computer hardware. As people leave the organization, deprovisioning is critical to maintain security and compliance. Lifecycle Workflows in Microsoft Entra ID Governance can help with pre-built templates for common tasks.
    Microsoft Entra is a complete identity management platform with everything you knew about Azure Active Directory, along with new capabilities. Identity lifecycle management automation removes many of the manual steps of everyday identity management tasks. With Lifecycle Workflows, users experience more consistency for better job satisfaction and reduced risk. It works with HR systems, like Workday and SuccessFactors, as part of the onboarding and offboarding workflow.
    Jeremy Chapman, Director of Microsoft 365, walks through Identity Lifecycle Management automation in Microsoft Entra.
    ► QUICK LINKS:
    00:00 - Introduction
    01:28 - Automate employee onboarding
    04:19 - Automate employee offboarding
    05:41 - Workflow history
    06:58 - Built-in change tracking for version history
    08:30 - Wrap up
    ► Link References:
    For more on lifecycle workflows, check out aka.ms/ILMDocs
    Try it out at entra.microsoft.com
    ► Unfamiliar with Microsoft Mechanics?
    As Microsoft's official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.
    • Subscribe to our YouTube channel: / microsoftmechanicsseries
    • Talk with other IT Pros, join us on the Microsoft Tech Community: techcommunity.microsoft.com/t...
    • Watch or listen from anywhere, subscribe to our podcast: microsoftmechanics.libsyn.com...
    ► Keep getting this insider knowledge, join us on social:
    • Follow us on Twitter: / msftmechanics
    • Share knowledge on LinkedIn: / microsoft-mechanics
    • Enjoy us on Instagram: / msftmechanics
    • Loosen up with us on TikTok: / msftmechanics
    #IdentityManagement #AzureAD #MicrosoftEntra #WorkflowAutomation
  • Science & Technology

Comments • 26

  • @edsonraimundocongolo (11 months ago, +5)

    Great explanation, great feature. Onboarding employees has been one of the pain areas in big organizations as they use reactive systems and not the other way around.

  • @mburland (11 months ago, +44)

    These videos really need to begin with "In this video we'll be discussing a product that requires the following licenses..." Save me the time of watching the whole thing then discovering we're not licensed for it.

    • @dubla6314 (11 months ago)

      They offer trials.

    • @angelcastillo8572 (9 months ago)

      Really expensive

    • @gary1488 (8 months ago)

      @angelcastillo8572 yeah, and the tools aren't baked yet. Things are so basic.

  • @gary1488 (11 months ago, +5)

    Sooo... why are distribution groups not included in this? This is a common task for all users associated with onboarding employees.

    • @c016smith52 (9 months ago)

      Seriously I wish the Exchange Online team would get on it, or at least communicate with the public, about their journey to get all Exchange objects into the Graph. Feels like Exchange now, even in the cloud, is like the last to the party to be API/SSO/modern etc.

  • @shynel1714 (11 months ago, +5)

    It's a nice feature, but I can't understand why it's so expensive. 6€ per user? In addition, you need to have an Entra P1 license :(

  • @SR-fi8ef (11 months ago, +1)

    One day, I will be the only one running my company, no more humans... Not even a dashboard will be needed for I will not have eyes nor feelings!

  • @YouKayTen (1 month ago)

    Thanks for this. Brilliant for Admin roles. Is there a way we could leverage PIM to delegate access on behalf of another user as a role? E.g. EA on behalf of CEO? (or anything else within the Microsoft universe)?

  • @michellew9477 (11 months ago)

    Doesn't seem to be in Canada? Anyone else able to see it?

  • @downundarob (11 months ago)

    I feel what is really needed here is a process that allows you to copy one user to another, you know like on prem was able to do in ADUC?
    That way it takes maybe five minutes to create a new user who will be fulfilling the same tasks as another user, and copy all the Role Groups, File Access groups and such instead of the sometimes up to ONE HOUR to copy and ensure all 120+ AAD groups have been successfully mimicked. (and PowerShell isn't capable of this either).

    • @gary1488 (8 months ago, +1)

      Honestly that's a terrible practice from a security standpoint. You'll end up giving way too much access to someone else. Least Privilege Access. The way you do this is you have job families defined based on HRIS data. A new account rep comes on board and there is a workflow set up to add this new rep to all of the groups that they need for their role. These groups define applications pushed to their machine, file share access, SaaS provisioning, yada yada... Then when they leave you reverse the process.
      The issue I see with Entra so far is they do not have a lot of these options baked for hybrid related tasks. Creating an on prem user, adding to groups, etc. Hopefully it'll come.
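The video description's HR-driven joiner/leaver automation and the job-family approach argued in the comment above can both be modelled as desired-state reconciliation: access is derived from the HR record (job family, hire date, leave date) and diffed against what the directory currently holds, so a leaver's access is removed by the same logic that granted it. The following is an added example, not code from the video, from Microsoft Entra, or from any commenter; the job families, group names and the in-memory directory are constructed stand-ins, and a real implementation would call the identity store's API where `apply_actions` mutates the dictionary.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed job-family -> entitlement mapping; group names are hypothetical.
JOB_FAMILY_GROUPS = {
    "account-rep": {"grp-crm-users", "grp-sales-fileshare"},
    "engineer": {"grp-repo-users", "grp-vpn"},
}
BASELINE_GROUPS = {"grp-all-staff"}  # every active employee gets these


@dataclass
class HrRecord:
    """One row from the HR system of record (constructed stand-in)."""
    user_id: str
    job_family: str
    hire_date: date
    leave_date: Optional[date] = None


@dataclass
class Directory:
    """In-memory stand-in for the identity store, not a real directory client."""
    groups: dict[str, set[str]] = field(default_factory=dict)  # user -> groups
    enabled: dict[str, bool] = field(default_factory=dict)


def desired_groups(rec: HrRecord, today: date) -> set[str]:
    """Derive the access a user should hold today from HR data alone."""
    if rec.leave_date is not None and today >= rec.leave_date:
        return set()  # leaver: no standing access remains
    if today < rec.hire_date:
        return set()  # pre-boarding: not yet active
    role_groups = JOB_FAMILY_GROUPS.get(rec.job_family)
    if role_groups is None:
        # Fail closed: an unmapped job family is an error, not a guess.
        raise ValueError(f"no entitlement mapping for job family {rec.job_family!r}")
    return role_groups | BASELINE_GROUPS


def plan(rec: HrRecord, directory: Directory, today: date) -> list[tuple]:
    """Diff desired state against current state into an ordered action list."""
    current = directory.groups.get(rec.user_id, set())
    desired = desired_groups(rec, today)
    actions = [("add", rec.user_id, g) for g in sorted(desired - current)]
    actions += [("remove", rec.user_id, g) for g in sorted(current - desired)]
    should_be_enabled = bool(desired)
    if directory.enabled.get(rec.user_id, False) != should_be_enabled:
        verb = "enable" if should_be_enabled else "disable"
        actions.append((verb, rec.user_id, None))
    return actions


def apply_actions(actions: list[tuple], directory: Directory) -> None:
    """Apply the plan to the stand-in directory (each operation is idempotent)."""
    for verb, user_id, group in actions:
        if verb == "add":
            directory.groups.setdefault(user_id, set()).add(group)
        elif verb == "remove":
            directory.groups.get(user_id, set()).discard(group)
        elif verb in ("enable", "disable"):
            directory.enabled[user_id] = verb == "enable"


def run_lifecycle(records, directory: Directory, today: date) -> dict:
    """Reconcile every HR record; the returned log doubles as the audit trail."""
    log = {}
    for rec in records:
        actions = plan(rec, directory, today)
        apply_actions(actions, directory)
        log[rec.user_id] = actions
    return log


if __name__ == "__main__":
    d = Directory(groups={"u-bob": {"grp-repo-users", "grp-vpn", "grp-all-staff"}},
                  enabled={"u-bob": True})
    hr = [HrRecord("u-alice", "account-rep", date(2024, 7, 1)),               # joiner
          HrRecord("u-bob", "engineer", date(2023, 1, 9), date(2024, 7, 1))]  # leaver
    for user, actions in run_lifecycle(hr, d, date(2024, 7, 1)).items():
        print(user, actions)
```

A mover (job family changes in HR) needs no special case: the diff adds the new role's groups and removes the old role's groups in one run, which is the part a "copy this user" approach cannot do safely.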

  • @abdavey (10 months ago)

    Though, the question is, how much of this is accessible with a Business Premium license? Seems like most videos on 365 are geared towards E3-E5 users.

  • @frankmvabaza (8 months ago, +2)

    Is Automate onboarding & offboarding cloud based only for now? What about a Hybrid environment where new account syncs from AD to AAD?

    • @first-choicecyber (7 months ago)

      I found that currently Microsoft is working on a writeback for on-prem AD. There are a lot of environments that are either still on-prem and using AD Connect. But the tool is not bidirectional unfortunately as I've learned from them. This would be good for those on-prem groups that are needed as well as a part of onboarding.

  • @KingCode_ (11 months ago)

    An issue with the onboarding flow is that a pre-generated password is created with the user account. Sure, you've provided the manager with the TAP and they then give it to the new hire. But they can't and will not be able to modify their password unless IT manually sends/provides one to them separately.

    • @SamuraiJr (9 months ago, +1)

      Yes they will, you can make it so it requires password change on first sign-on or the user can change password after sign-in.

  • @chaomac (11 months ago, +1)

    Would be good if there was a feature that would add someone into the same groups / teams as someone else

    • @OliABraith (11 months ago, +1)

      PowerShell can do this. Get the groups of one user and recursively add the user to all the groups.

    • @MSFTMechanics (11 months ago, +2)

      Dynamic groups in Entra ID (Azure AD) can automatically assign group/team membership, too. This can be predicated on attributes like location, title, etc. ExtensionAttributes are also pretty useful in this case for adding things not already available to query from.
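To make the attribute-driven membership described in the reply above concrete, here is an added example (not Microsoft's code and not the product's evaluator) that parses a subset of the dynamic membership rule syntax (`user.<attribute>` with `-eq`, `-ne`, `-in`, `-notIn`, `-contains`, `-startsWith`, `-match`, combined with `-and`, `-or`, `-not` and parentheses) and evaluates it against constructed user records, including an `extensionAttribute1` value. The user data is constructed, and the semantics for null attributes, case handling and operator coverage are simplifying assumptions; the directory service's own evaluator remains authoritative for what a rule actually selects.

```python
from __future__ import annotations
import re

# Constructed user records standing in for directory attributes.
SAMPLE_USERS = {
    "alice": {"department": "Sales", "country": "US", "jobTitle": "Account Rep"},
    "bob":   {"department": "Sales", "country": "DE", "jobTitle": "Engineer"},
    "carol": {"department": "Engineering", "country": "US", "jobTitle": "Architect",
              "extensionAttribute1": "Contractor"},
    "dave":  {"department": None, "country": "US", "jobTitle": "Engineer"},
}

TOKEN_RE = re.compile(
    r'\s*(?:(?P<lparen>\()|(?P<rparen>\))|(?P<lbrack>\[)|(?P<rbrack>\])|(?P<comma>,)'
    r'|"(?P<string>[^"]*)"|(?P<prop>user\.[A-Za-z0-9_]+)|(?P<op>-[A-Za-z]+))'
)


def tokenize(rule: str) -> list[tuple[str, str]]:
    """Split a rule into (kind, text) tokens; anything unrecognised is an error."""
    rule, pos, tokens = rule.strip(), 0, []
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if m is None:
            raise ValueError(f"cannot tokenize rule at offset {pos}: {rule[pos:pos + 12]!r}")
        kind, text = m.lastgroup, m.group(m.lastgroup)
        tokens.append((kind, text.lower() if kind == "op" else text))  # assumption: operators are case-insensitive
        pos = m.end()
    return tokens


class RuleParser:
    """Recursive descent: or_expr > and_expr > unary > comparison, producing a tuple AST."""

    def __init__(self, rule: str):
        self.toks, self.i = tokenize(rule), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind: str) -> str:
        k, text = self.peek()
        if k != kind:
            raise ValueError(f"expected {kind}, got {text!r}")
        self.i += 1
        return text

    def parse(self):
        node = self.or_expr()
        if self.peek()[0] is not None:
            raise ValueError(f"unexpected trailing token {self.peek()[1]!r}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == ("op", "-or"):
            self.i += 1
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.unary()
        while self.peek() == ("op", "-and"):
            self.i += 1
            node = ("and", node, self.unary())
        return node

    def unary(self):
        if self.peek() == ("op", "-not"):
            self.i += 1
            return ("not", self.unary())
        if self.peek()[0] == "lparen":
            self.i += 1
            node = self.or_expr()
            self.take("rparen")
            return node
        return self.comparison()

    def comparison(self):
        prop = self.take("prop")[len("user."):]
        op = self.take("op")
        if op in ("-and", "-or", "-not"):
            raise ValueError(f"expected comparison operator after user.{prop}, got {op}")
        if self.peek()[0] == "lbrack":  # list literal for -in / -notIn
            self.i += 1
            values = [self.take("string")]
            while self.peek()[0] == "comma":
                self.i += 1
                values.append(self.take("string"))
            self.take("rbrack")
            return ("cmp", op, prop, values)
        return ("cmp", op, prop, self.take("string"))


def evaluate(node, user: dict) -> bool:
    """Evaluate an AST against one user's attribute dictionary."""
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], user) or evaluate(node[2], user)
    if kind == "and":
        return evaluate(node[1], user) and evaluate(node[2], user)
    if kind == "not":
        return not evaluate(node[1], user)
    _, op, prop, expected = node
    actual = user.get(prop)
    if op == "-eq":
        return actual == expected
    if op == "-ne":
        return actual != expected
    if op in ("-in", "-notin"):
        return (actual in expected) == (op == "-in")
    if actual is None:
        return False  # assumption: a missing/null attribute never satisfies a string test
    if op == "-contains":
        return expected in actual
    if op == "-startswith":
        return actual.startswith(expected)
    if op == "-match":
        return re.search(expected, actual) is not None
    raise ValueError(f"operator {op} is not supported by this evaluator")


def dynamic_members(rule: str, users: dict[str, dict]) -> set[str]:
    """Return the ids of users the rule would place in the dynamic group."""
    ast = RuleParser(rule).parse()
    return {uid for uid, attrs in users.items() if evaluate(ast, attrs)}
```

Running a candidate rule through `dynamic_members` against an export of real attributes before saving it on the group is a cheap way to catch a rule that quietly matches far more (or fewer) accounts than intended, which is the mover/leaver risk with attribute-driven access.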

    • @gary1488 (11 months ago)

      @MSFTMechanics Right, but not if we are dealing with distribution groups and we want to dynamically assign memberships. Doesn't work and not compatible. Also, even with populating group memberships dynamically you don't have the flexibility to also include an additional group as an exception or catch-all group.

    • @gary1488 (11 months ago)

      Normally this isn't a good recommended security practice...scope this to a role (based on title or job family) and not so much a user as the template. The user may have more rights than you think.

    • @downundarob (11 months ago)

      @OliABraith Actually PowerShell can't do this, not last time I checked just back in June 2023. Distribution Groups, Security Groups, Mail Enabled Security Groups, Office 365 Groups, Microsoft 365 Groups and SharePoint Groups all need to be handled separately and not by the same module. Just finding the SharePoint root programmatically is a headache.

  • @jl8660 (9 months ago)

    How do I change a user's employeeLeaveDateTime attribute?

    • @MSFTMechanics (9 months ago)

      You would likely need to define an extension attribute for that.