As heard on ThreatCast by Threatscape, with host Ru Campbell and guest Matt Levy
In this episode of ThreatCast, Ru Campbell sits down with Matt Levy to explore the complex world of identity lifecycle management within Microsoft Entra. With hybrid environments and human-driven processes leaving identity provisioning vulnerable to error, organisations are under increasing pressure to ensure their Joiner–Mover–Leaver (JML) workflows are secure, automated, and scalable.
Together, they demystify Entra ID Governance, dissect the gaps left by even top-tier E5 licensing, and reveal the hidden triggers and critical attributes that power Microsoft’s identity lifecycle workflows.
Identity: The Front Door to Everything
Matt Levy opens the conversation with a hard truth learned from responding to cloud security incidents. Identity is the front door to the business. From Microsoft 365 to Azure, attackers target identity providers relentlessly. If that front door is poorly governed, unstructured, unsynchronised, or inconsistently managed, organisations are leaving themselves wide open.
In modern enterprises, identity provisioning is no longer just a manual IT task. It begins with the source of authority, typically an HR system rather than Active Directory. Yet many businesses, even large ones, still depend on manual processes or sprawling PowerShell scripts to handle provisioning. These approaches are fragile, slow, and often incomplete.
Beyond E5: When Identity Governance Becomes Critical
While the Entra ID P2 licence (the tier included in E5) covers the core governance features of entitlement management, access reviews and Privileged Identity Management, organisations that want Lifecycle Workflows for pre-boarding, onboarding, departmental changes and terminations will quickly find themselves constrained: those workflows are not part of P2.
The Entra ID Governance add-on SKU unlocks:
Lifecycle Workflows covering joiner, mover and leaver scenarios
Custom triggers based on time or attributes
Integration with Logic Apps (and, behind them, Azure Functions) through custom task extensions
Advanced entitlement management features on top of the access packages already in P2
Real-time (on-demand) termination workflows
As Matt explains, the difference lies not in how accounts are provisioned but in what happens after that. With identity governance, automation can handle not just creation but enablement, access assignment, onboarding communications, and even time-sensitive deactivation.
Templates, Triggers, and Key Attributes
Microsoft provides prebuilt templates for common scenarios. A highlight is the “Onboard Pre-Hire Employee” template, which runs seven days before an employee’s start date. It does not create the identity: provisioning must already have created the account, and the workflow then acts on it. These templates key on the attributes employeeHireDate and employeeLeaveDateTime. The latter is not exposed in the admin centre but is essential for secure deprovisioning.
Notably:
Provisioning can create accounts disabled in advance, and the onboarding workflow enables them on the start date, so no account is live before it is needed
Time-based triggers can fine-tune when an account is activated or revoked
A “real-time employee termination” option allows on-demand execution of workflows that disable accounts, revoke tokens, and remove group access
Crucially, some of these attributes must be set via Microsoft Graph, not the UI, and must be populated during provisioning. This is an early “gotcha” for those experimenting manually.
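As an added example (not code from the episode, and not Microsoft's own tooling), the script below builds the PATCH bodies for these two attributes, normalises the timestamps to UTC before they are sent, and shows on which day a seven-day pre-hire offset would make the workflow due. The Graph endpoints and permission names are Microsoft's; the app registration, the bearer token and the sample dates are assumptions.

```python
"""Set employeeHireDate and employeeLeaveDateTime on an Entra user via
Microsoft Graph, normalising local times to UTC first.

Added example, not code from the episode. Assumed: an app registration with
User.ReadWrite.All (employeeHireDate, v1.0 endpoint) and
User-LifeCycleInfo.ReadWrite.All (employeeLeaveDateTime, beta endpoint), and a
bearer token obtained out of band (for example via MSAL).
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH_V1 = "https://graph.microsoft.com/v1.0"
GRAPH_BETA = "https://graph.microsoft.com/beta"


def make_local(stamp: str, utc_offset_hours: float) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' as wall-clock time in a fixed UTC offset.
    A fixed offset keeps the example free of tz database lookups; production
    code would use zoneinfo with the HR system's region."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=tz)


def to_graph_utc(moment: datetime) -> str:
    """Graph stores these attributes as UTC DateTimeOffset values. Refuse naive
    datetimes: a missing zone silently shifts the trigger by the local offset."""
    if moment.tzinfo is None or moment.utcoffset() is None:
        raise ValueError("datetime must be timezone-aware")
    return moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_hire_patch(hire_local: datetime) -> dict:
    return {"employeeHireDate": to_graph_utc(hire_local)}


def build_leave_patch(leave_local: datetime) -> dict:
    return {"employeeLeaveDateTime": to_graph_utc(leave_local)}


def trigger_day(hire_local: datetime, offset_days: int = -7) -> str:
    """UTC calendar day on which a workflow with the given attribute offset
    (the pre-hire template uses -7) becomes due for this user."""
    due = hire_local.astimezone(timezone.utc) + timedelta(days=offset_days)
    return due.strftime("%Y-%m-%d")


def patch_user(base: str, user_id: str, body: dict, token: str) -> int:
    """PATCH /users/{id}; returns the HTTP status (204 on success). Hire date
    goes to GRAPH_V1, leave date must go to GRAPH_BETA."""
    req = urllib.request.Request(
        f"{base}/users/{user_id}",
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    hire = make_local("2025-09-01 09:00", 1)   # 09:00 BST, assumed start time
    print(build_hire_patch(hire), "workflow due on", trigger_day(hire))
    # Live calls (token and object id are placeholders):
    # patch_user(GRAPH_V1, "<object-id>", build_hire_patch(hire), token)
    # patch_user(GRAPH_BETA, "<object-id>", build_leave_patch(make_local("2026-03-31 17:00", 1)), token)
```

A start of 00:30 local time in a UTC+2 zone lands on the previous UTC day once converted, which moves the pre-hire trigger a day earlier than the HR record suggests; that is the time-zone pitfall the episode warns about, and the reason the helper refuses naive timestamps.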
Hybrid Flexibility Without Sacrificing Control
Many organisations are still hybrid, relying on Active Directory for legacy applications. Fortunately, Entra ID Governance supports hybrid provisioning models, allowing attributes to be mapped to on-premises AD and synchronised via Entra Connect. Through API-based inbound provisioning, even a CSV file can be used to simulate integration with a cloud HR system.
Matt describes a proof-of-concept where:
A CSV is uploaded to Azure via SFTP
A Logic App transforms it to JSON
The JSON payload is sent to Entra’s provisioning API
Custom mapping populates attributes like employeeHireDate
Entra provisions users either in AD, Entra ID, or both, based on rules
Advanced setups can even create multiple accounts per person. For example, a standard user account and a cloud-only admin account. This demonstrates the extensibility of the platform.
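The transformation step of that proof-of-concept, as an added example rather than the Logic App from the episode: a Python script that turns an HR CSV export into the SCIM bulk requests the inbound provisioning API accepts, refusing rows whose key attributes are blank (the "if the data is wrong, the workflow will be wrong" pitfall from later in the episode). The SCIM schema URNs, the 50-operation ceiling per request and the bulkUpload endpoint are Microsoft's documented ones; the CSV columns, the contoso custom namespace and the sample rows are constructed for this example, and the custom attribute must match whatever you add to the provisioning app's schema and map to employeeHireDate.

```python
"""Turn an HR CSV export into SCIM bulk requests for Entra API-driven inbound
provisioning (the /bulkUpload endpoint of a provisioning job).

Added example, not the episode's Logic App. The CSV columns and rows are
constructed; the custom namespace HR_EXT is an assumption and must match the
attribute you add to the provisioning app's schema and map to employeeHireDate.
"""
import csv
import io
import json
import uuid

SCIM_BULK = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
HR_EXT = "urn:ietf:params:scim:schemas:extension:contoso:1.0:User"  # assumed
MAX_OPS_PER_REQUEST = 50  # Microsoft's documented ceiling per bulkUpload call
REQUIRED = ("WorkerID", "Email", "HireDate", "Status")

# Constructed sample export; a real HR system adds many more columns.
SAMPLE_CSV = """\
WorkerID,FirstName,LastName,Email,Department,ManagerID,HireDate,Status
10001,Ana,Ferreira,ana.ferreira@contoso.com,Finance,10000,2025-09-01,Active
10002,Ben,Okafor,ben.okafor@contoso.com,Engineering,10000,2025-09-08,Active
10003,Chloe,Martin,chloe.martin@contoso.com,Sales,10000,2024-01-15,Terminated
"""


def validate_rows(rows):
    """Fail closed: a row with a blank key attribute would provision a user
    that no lifecycle workflow can ever trigger on."""
    problems = []
    for n, row in enumerate(rows, start=2):  # line 1 is the header
        missing = [c for c in REQUIRED if not (row.get(c) or "").strip()]
        if missing:
            problems.append(f"line {n}: missing {', '.join(missing)}")
    if problems:
        raise ValueError("; ".join(problems))


def row_to_operation(row):
    """One SCIM bulk operation per worker. externalId is the HR key the
    provisioning job matches on for later updates (mover/leaver events)."""
    return {
        "method": "POST",
        "bulkId": str(uuid.uuid4()),
        "path": "/Users",
        "data": {
            "schemas": [SCIM_USER, SCIM_ENTERPRISE, HR_EXT],
            "externalId": row["WorkerID"],
            "userName": row["Email"],
            "name": {"givenName": row["FirstName"], "familyName": row["LastName"]},
            "emails": [{"primary": True, "type": "work", "value": row["Email"]}],
            "userType": "Employee",
            # A terminated worker arrives as active=false, so the job disables
            # the account rather than creating a live one.
            "active": row["Status"].strip().lower() == "active",
            SCIM_ENTERPRISE: {
                "employeeNumber": row["WorkerID"],
                "department": row["Department"],
                "manager": {"value": row["ManagerID"]},
            },
            HR_EXT: {"hireDate": row["HireDate"]},
        },
    }


def csv_to_bulk_requests(text):
    """Validate, convert, and chunk into requests of at most 50 operations."""
    rows = list(csv.DictReader(io.StringIO(text)))
    validate_rows(rows)
    ops = [row_to_operation(r) for r in rows]
    return [
        {"schemas": [SCIM_BULK],
         "Operations": ops[i:i + MAX_OPS_PER_REQUEST],
         "failOnErrors": None}
        for i in range(0, len(ops), MAX_OPS_PER_REQUEST)
    ]


if __name__ == "__main__":
    for body in csv_to_bulk_requests(SAMPLE_CSV):
        # POST each body to
        # https://graph.microsoft.com/beta/servicePrincipals/{spId}/synchronization/jobs/{jobId}/bulkUpload
        # with Content-Type: application/scim+json and a token granted
        # SynchronizationData-User.Upload.
        print(json.dumps(body, indent=2))
```

The hire date travels in the custom namespace because core SCIM has no hire-date attribute; the attribute mapping on the provisioning app then writes it to employeeHireDate, which is what makes the pre-hire workflow fire later.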
Common Pitfalls and What to Watch For
Despite the flexibility, there are several caveats:
Workflows rely on populated attributes. Without these, triggers will not function
Provisioning must be configured before using lifecycle workflows
Time zones and UTC considerations must be accounted for when scheduling actions
UI limitations mean some key fields, such as leave date times, remain hidden
Matt summarises it best. If the data is wrong, the workflow will be wrong. Inaccurate hire dates or missing attributes lead to failed onboarding, access delays, or worse, premature deprovisioning.
Governance as Risk Reduction, Not Just Automation
Ru poses a final question. When does it make sense to invest in the Governance SKU? For Matt, it often comes down to risk tolerance. While some companies rely on a single PowerShell expert and hand-stitched scripts, others recognise the fragility in that model.
Governance offers not just automation, but resilience, consistency, and security. It is not about replacing people. It is about removing single points of failure and ensuring that identity is managed with the same maturity as any other critical system.
