Cyber Intelligence
Plan and Implement Identity Governance · 25-30% of exam

L16. Lifecycle Workflows: Joiner, Mover and Leaver Automation


Automate identity lifecycle management for the SC-300: configure joiner workflows that provision access before day one, mover workflows that adjust permissions on role changes, and leaver workflows that revoke access and clean up accounts on departure.

What Are Lifecycle Workflows?

Lifecycle workflows automate repetitive identity management tasks tied to employee lifecycle events: joining the organization, changing roles, and leaving. Instead of manually provisioning and deprovisioning access, workflows trigger automatically based on user attribute changes or time-based conditions. Licensing: Entra ID Governance add-on or Entra ID P2 with Governance features.

Workflow Categories

Joiner Workflows

Triggered when a new employee starts (or before their start date):
  • Generate a temporary access pass for day-one sign-in
  • Send a welcome email
  • Add the user to required groups
  • Assign access packages
  • Trigger custom Logic App tasks (create mailbox, provision accounts)

Mover Workflows

Triggered when an employee changes roles or departments:
  • Remove old group memberships
  • Assign new groups based on updated department
  • Update access packages
  • Notify the new manager

Leaver Workflows

Triggered when an employee departs:
  • Remove all group memberships
  • Remove access package assignments
  • Revoke active sessions (force sign-out)
  • Disable the user account
  • Delete the user account (after retention period)

Trigger Conditions

Workflows use execution conditions to determine when to fire:

Trigger Type            | Description                                        | Example
------------------------|----------------------------------------------------|------------------------------------
Time-based (attribute)  | Based on employeeHireDate or employeeLeaveDateTime | 7 days before hire date
On-demand               | Manually triggered by an admin                     | Immediate provisioning
Attribute change        | When a user attribute changes value                | Department changes to "Engineering"

Exam tip: Time-based triggers rely on the employeeHireDate and employeeLeaveDateTime attributes in Entra ID. These attributes must be populated (via HR sync or manual entry) for the workflows to fire. If these attributes are empty, time-based workflows will not execute.

Workflow Tasks

Each workflow contains a sequence of tasks. Available built-in tasks include:

  • Generate TAP and send email: Creates a temporary access pass and emails it to the user or manager
  • Send welcome email: Sends a customizable onboarding email
  • Add user to groups: Adds the user to specified security or Microsoft 365 groups
  • Assign access packages: Provisions bundled access through entitlement management
  • Remove user from groups: Strips group memberships
  • Remove access packages: Revokes entitlement assignments
  • Disable user account: Blocks sign-in
  • Delete user account: Moves account to soft-deleted state
  • Custom task extension: Triggers a Logic App for custom automation

Exam tip: The "Generate TAP" task is a common joiner workflow task. A Temporary Access Pass (TAP) is a time-limited passcode that allows new employees to sign in and register their own authentication methods (like the Authenticator app) on day one, even before they have a password.

Scope and Filters

Workflows use scoping rules to determine which users are in scope:

  • Scope type: Specific users, all members, or rule-based filter
  • Rule expressions: Filter by department, job title, company name, or any user attribute

Example scope rule:

(user.department -eq "Engineering") -and (user.employeeType -eq "FTE")
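The trigger conditions and scope rule above, worked through as an added example (a small model written for this lesson, not Microsoft's code or the Graph API): it evaluates the rule-based scope against constructed sample users, applies a time-based employeeHireDate trigger with a -7 day offset, and reports a per-user outcome like the "user processing results" view, including the user whose hire date was never populated.

```python
"""Model of Entra lifecycle workflow execution conditions: time-based trigger
plus rule-based scope over constructed users. Hypothetical, not Microsoft code."""
from datetime import date, timedelta
import re

# Constructed sample users; attribute names mirror Entra user properties.
USERS = [
    {"upn": "ana@contoso.example", "department": "Engineering",
     "employeeType": "FTE", "employeeHireDate": date(2025, 3, 10)},
    {"upn": "bo@contoso.example", "department": "Engineering",
     "employeeType": "Contractor", "employeeHireDate": date(2025, 3, 10)},
    {"upn": "cy@contoso.example", "department": "Engineering",
     "employeeType": "FTE", "employeeHireDate": None},  # HR sync never set it
    {"upn": "di@contoso.example", "department": "Sales",
     "employeeType": "FTE", "employeeHireDate": date(2025, 3, 10)},
]

# One clause of the scope rule: (user.<attribute> -eq|-ne "<value>")
_CLAUSE = re.compile(r'\(user\.(\w+)\s+-(eq|ne)\s+"([^"]*)"\)')

def in_scope(rule: str, user: dict) -> bool:
    """Evaluate a rule of (user.attr -eq "x") clauses joined by -and."""
    clauses = _CLAUSE.findall(rule)
    leftover = _CLAUSE.sub("", rule).replace("-and", "").strip()
    if not clauses or leftover:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    for attr, op, value in clauses:
        matched = user.get(attr) == value
        if (op == "eq") != matched:   # -eq must match, -ne must not
            return False
    return True

def evaluate(rule: str, attribute: str, offset_days: int, today: date) -> dict:
    """Return {upn: outcome}, like the 'user processing results' view.
    A time-based trigger is due when attribute + offset_days == today; an
    empty attribute is never due, so such users are skipped, not failed."""
    results = {}
    for u in USERS:
        if not in_scope(rule, u):
            results[u["upn"]] = "out of scope"
        elif u.get(attribute) is None:
            results[u["upn"]] = f"{attribute} not populated"
        elif u[attribute] + timedelta(days=offset_days) != today:
            results[u["upn"]] = "not due today"
        else:
            results[u["upn"]] = "processed"
    return results
```

Running `evaluate` with the lesson's rule, `employeeHireDate`, offset -7 and today = 2025-03-03 processes only ana; cy shows as "employeeHireDate not populated", which is the symptom the exam tip describes.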

Monitoring and Troubleshooting

Workflow execution history is available in the Entra admin center:

  • Workflow runs: Shows each execution with status (completed, failed, canceled)
  • Task processing results: Shows the result of each individual task within a workflow
  • User processing results: Shows which users were processed and the outcome

Review failed tasks to identify issues like missing attributes, permission errors, or Logic App failures.

Exam Focus Points

  • Time-based triggers require employeeHireDate and employeeLeaveDateTime attributes to be populated
  • Temporary Access Pass (TAP) is a common joiner task: it allows day-one sign-in and authentication method registration
  • Leaver workflows should disable the account, remove memberships, revoke sessions, and eventually delete the account
  • Custom task extensions use Logic Apps for automation beyond built-in tasks
  • Workflow scope rules filter which users are processed based on attributes like department or employee type

Knowledge Check

1. A lifecycle joiner workflow is configured to trigger 7 days before the hire date, but it never fires. What is the most likely cause?

2. What is the purpose of a Temporary Access Pass (TAP) in a joiner workflow?

3. Which lifecycle workflow category should be used when an employee changes departments?