Microsoft Entra Lifecycle Workflows 9 Steps to Securely Automate Onboarding & Offboarding (2025)

Automate onboarding and offboarding with Microsoft Entra Lifecycle Workflows

Microsoft Entra Lifecycle Workflows lets you automate user onboarding, role changes and offboarding so access is provisioned and removed on time, every time. This guide covers prerequisites, setup for onboarding and offboarding, and the checks to keep runs reliable.



This article covers

  • Consistent user setup with licence, group and app access applied automatically
  • Timely removal of access when people leave or change role
  • Clear history of each run for audit and troubleshooting

Prerequisites

  • Licensing: Lifecycle Workflows requires a Microsoft Entra ID Governance licence (also included in Microsoft Entra Suite). It is not part of Microsoft Entra ID P2 on its own, so a Microsoft 365 E5 tenant still needs the ID Governance add-on. Licensing changes; confirm in your tenant's Billing → Licences.
  • Roles: Lifecycle Workflows Administrator or Identity Governance Administrator (avoid using Global Administrator).
  • Data: employeeHireDate (an ISO 8601 UTC datetime, e.g. 2025-09-01T08:00:00Z) for hire-date triggers; employeeLeaveDateTime for leaver triggers (writing it needs the User-LifeCycleInfo.ReadWrite.All permission, which ordinary user-write rights do not include); manager where you use manager-based tasks such as the Temporary Access Pass email or manager notifications.
  • Provisioning/HR: If you create users from an HR source, ensure inbound provisioning is enabled and that hire/leave dates, department, job title and manager are mapped into Entra ID attributes.

You could also issue a Temporary Access Pass to the new starter for first sign-in instead of a password; see the TAP task below.

Onboarding – create your first workflow

1) Enable the feature

Entra admin centre → Identity Governance → Lifecycle Workflows → ensure it's enabled.

2) Create a workflow from a template

Lifecycle Workflows → Create workflow → template Onboard pre-hire employee (or standard Onboard employee) → name it, e.g. New starter onboarding.

3) Add tasks

Add task and include, for example:

  • Assign Microsoft 365 licences (pick a package)
  • Add to security groups for app access
  • Send welcome email with next steps
  • Teams/SharePoint access (via group membership)
  • Optional: Create Temporary Access Pass for first sign-in

4) Configure triggers and scope

  • Trigger: Time-based attribute. Run relative to employeeHireDate (e.g., offset -1 day so the run happens 1 day before the hire date) or relative to createdDateTime for users created directly in Entra ID.
  • Conditions: department, job role, location, etc.
  • Scope: target specific users/groups as needed.

5) Activate and test

Activate → create a test user that meets the conditions (or use Run on demand against a pilot user) → confirm each task shows Completed in Execution history. Scheduled workflows run on the tenant-wide interval (3 hours by default), so a hire-date run can land up to three hours after the offset you set.

Offboarding – revoke access on time

1) Create from template

Lifecycle Workflows → Create workflow → Offboard employee → name it, e.g. Leaver offboarding.

2) Add tasks

  • Disable the account in Entra ID first. Disabling invalidates refresh tokens, but access tokens already issued remain valid until they expire (about an hour by default) unless the app supports Continuous Access Evaluation.
  • Remove from all groups and Teams
  • Revoke Microsoft 365 licences (after data has been handled: once the licence is gone the mailbox and OneDrive become subject to deletion after the grace period)
  • Reassign ownership (OneDrive/Exchange/Teams as per policy). There is no built-in task for this; use a custom task extension (an Azure Logic App called by the workflow).
  • Notify manager and HR (built-in task: send email to the user's manager before or after the last day)

3) Trigger and conditions

  • Trigger: Time-based attribute on employeeLeaveDateTime (offset 0 to run on the leave date, a negative offset for pre-departure steps). Runs happen on the tenant schedule (3-hour interval by default), not at an exact time of day.
  • Conditions: department, job title, etc. Lifecycle Workflows has no built-in approval step; if your process needs manager sign-off, handle it in HR or in a custom task extension before the leave date is written.

4) Monitor

Identity Governance → Lifecycle Workflows → Execution history for status and errors. Configure Workflow alerts → email notifications for failures. Run and task results are also exposed through Microsoft Graph and recorded in the Entra audit log, so they can be pulled into your SIEM.

Good practice and gotchas

  • Data quality drives automation. Keep employeeHireDate, employeeLeaveDateTime, manager, department, and jobTitle complete and current; a missing or malformed date means the run never fires.
  • Group-based access keeps tasks simple. Assign groups in tasks rather than per-app steps where possible.
  • TAP for first sign-in. For new starters without credentials, add the Generate Temporary Access Pass task. The built-in task emails the pass to the user's manager, so the manager attribute must be populated and TAP must be enabled in the authentication methods policy.
  • Least privilege. Grant the admin the Lifecycle Workflows Administrator role, not Global Administrator.
  • Audit regularly. Review Execution history and export results for evidence.

Why automate joiners, movers and leavers

Manual provisioning is slow and error-prone. Automating the user journey with lifecycle workflows ensures access is granted and revoked on time, cuts helpdesk work, and leaves a clear audit trail.

Prerequisites

  • Licensing. Requires Microsoft Entra ID Governance (also in Microsoft Entra Suite); Entra ID P2 alone is not enough.
  • Roles. Use Lifecycle Workflows Administrator or Identity Governance Administrator (avoid Global Administrator).
  • Data. Populate employeeHireDate (onboarding) and employeeLeaveDateTime (leavers) as ISO 8601 UTC datetimes. Add manager if you'll send manager notifications or Temporary Access Passes.
  • Provisioning. If you source from HR, confirm the connection is on and attributes flow into Entra ID.

9 steps to set up onboarding

  1. Open Entra admin centre → Identity Governance → Lifecycle Workflows.
  2. Enable the feature for your tenant if you haven’t already.
  3. Create workflow → choose Onboard pre-hire or Onboard employee.
  4. Name and scope the workflow (e.g., Department = “Sales”, Location = “UK”).
  5. Add tasks:
    • Assign Microsoft 365 licences
    • Add to security groups for Teams/SharePoint/apps
    • Send welcome email with first-day guidance
    • (Optional) Create Temporary Access Pass for first sign-in
  6. Set a trigger: time-based attribute relative to employeeHireDate (e.g., offset -1 day), or relative to createdDateTime for users created directly in Entra ID.
  7. Save and activate the workflow.
  8. Test with a pilot user that matches the scope.
  9. Review execution history and fix any failed tasks.
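The same onboarding workflow built as code, so the definition can be reviewed and version-controlled. This is an added example, not code from the article or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK, a caller holding Lifecycle Workflows Administrator, and placeholder values for the department rule and the app-access group ID. Built-in task definition IDs are looked up by display name at run time rather than hard-coded.

```powershell
# Added example (not from the original article): create the "New starter onboarding"
# workflow through Microsoft Graph instead of clicking through the admin centre.
# Assumptions: Microsoft.Graph SDK installed; signed-in admin holds Lifecycle Workflows
# Administrator; the group ID and department value below are placeholders.
Connect-MgGraph -Scopes 'LifecycleWorkflows.ReadWrite.All' -NoWelcome

$base = 'https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows'

# Resolve built-in task definition IDs by display name so no GUIDs are hard-coded.
$taskDefs = (Invoke-MgGraphRequest -Method GET -Uri "$base/taskDefinitions").value
function Get-TaskDefinitionId {
    param([string]$DisplayNamePattern)
    $def = $taskDefs | Where-Object { $_.displayName -like $DisplayNamePattern } | Select-Object -First 1
    if (-not $def) { throw "No built-in task definition matches '$DisplayNamePattern'" }
    return $def.id
}

$appAccessGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your app-access security group

$workflow = @{
    category            = 'joiner'
    displayName         = 'New starter onboarding'
    description         = 'Pre-hire tasks for Sales starters (TAP, group access, welcome email)'
    isEnabled           = $true
    isSchedulingEnabled = $true          # run on the tenant schedule (every 3 hours by default)
    executionConditions = @{
        '@odata.type' = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions'
        scope   = @{
            '@odata.type' = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet'
            rule          = "(department eq 'Sales')"
        }
        trigger = @{
            '@odata.type'      = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger'
            timeBasedAttribute = 'employeeHireDate'
            offsetInDays       = -1      # one day before employeeHireDate
        }
    }
    tasks = @(
        @{
            displayName      = 'Generate TAP for first sign-in'
            isEnabled        = $true
            continueOnError  = $false    # no point continuing if the starter cannot sign in
            taskDefinitionId = Get-TaskDefinitionId '*Temporary Access Pass*'
            arguments        = @(
                @{ name = 'tapLifetimeMinutes'; value = '480' }   # covers the first working day
                @{ name = 'tapIsUsableOnce';    value = 'true' }  # single use: register a permanent method with it
            )
        }
        @{
            displayName      = 'Add to app-access group'
            isEnabled        = $true
            continueOnError  = $true
            taskDefinitionId = Get-TaskDefinitionId 'Add user to groups*'
            arguments        = @( @{ name = 'groupID'; value = $appAccessGroupId } )
        }
        @{
            displayName      = 'Send welcome email'
            isEnabled        = $true
            continueOnError  = $true
            taskDefinitionId = Get-TaskDefinitionId 'Send welcome email*'
            arguments        = @()
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST -Uri "$base/workflows" -Body $workflow
Write-Host "Created workflow '$($created.displayName)' with id $($created.id)"
```

The TAP task is marked continueOnError = $false so a failure there (TAP disabled in the authentication methods policy, or no manager to email the pass to) stops the run and shows up in Execution history instead of leaving a starter with group access but no way to sign in.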

Offboarding – tasks that matter

  • Revoke Microsoft 365 licences
  • Remove group memberships
  • Disable the account in Entra ID
  • Reassign OneDrive/Exchange/Teams ownership (no built-in task; use a custom task extension)
  • Notify manager and HR
  • Optional: hold mailbox, export data per policy

Trigger: time-based attribute on employeeLeaveDateTime, with offset 0 for the leave date or a negative offset for pre-departure steps. There is no built-in approval task; if your process requires manager sign-off, gate it in HR or in a custom task extension before the leave date is set.
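The leaver workflow as code, with an on-demand run against one pilot account before the schedule is trusted. This is an added example, not code from the article or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK, a caller holding Lifecycle Workflows Administrator, and a placeholder pilot UPN and department rule. The pilot account really is disabled by the run, so use a test identity.

```powershell
# Added example (not from the original article): create the "Leaver offboarding" workflow
# via Microsoft Graph and run it on demand for one pilot account.
# Assumptions: Microsoft.Graph SDK installed; caller holds Lifecycle Workflows
# Administrator; the pilot UPN is a placeholder and WILL be disabled by the run.
Connect-MgGraph -Scopes 'LifecycleWorkflows.ReadWrite.All','User.Read.All' -NoWelcome

$base     = 'https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows'
$taskDefs = (Invoke-MgGraphRequest -Method GET -Uri "$base/taskDefinitions").value

# Built-in tasks in the order they should run. Disable first: that invalidates refresh
# tokens; access tokens already issued live until expiry unless the app uses CAE.
$plan = @(
    @{ name = 'Disable account';        pattern = 'Disable User Account*';        stopOnError = $true  }
    @{ name = 'Remove from all groups'; pattern = 'Remove user from all groups*'; stopOnError = $false }
    @{ name = 'Remove from all Teams';  pattern = 'Remove user from all Teams*';  stopOnError = $false }
    @{ name = 'Remove licences';        pattern = 'Remove all licenses*';         stopOnError = $false }
)
$tasks = foreach ($step in $plan) {
    $def = $taskDefs | Where-Object { $_.displayName -like $step.pattern } | Select-Object -First 1
    if (-not $def) { throw "No built-in task definition matches '$($step.pattern)'" }
    @{
        displayName      = $step.name
        isEnabled        = $true
        continueOnError  = -not $step.stopOnError
        taskDefinitionId = $def.id
        arguments        = @()
    }
}

$workflow = @{
    category            = 'leaver'
    displayName         = 'Leaver offboarding'
    description         = 'Disable, strip access and licences on employeeLeaveDateTime'
    isEnabled           = $true
    isSchedulingEnabled = $true
    executionConditions = @{
        '@odata.type' = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions'
        scope   = @{
            '@odata.type' = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet'
            rule          = "(department eq 'Sales')"
        }
        trigger = @{
            '@odata.type'      = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger'
            timeBasedAttribute = 'employeeLeaveDateTime'
            offsetInDays       = 0          # on the leave date itself
        }
    }
    tasks = @($tasks)
}
$wf = Invoke-MgGraphRequest -Method POST -Uri "$base/workflows" -Body $workflow
Write-Host "Created workflow $($wf.id)"

# Pilot run: on-demand execution runs the tasks for the listed users regardless of scope/trigger.
$pilotUpn = 'leaver.pilot@contoso.example'   # placeholder: a test account you are willing to disable
$pilot = Invoke-MgGraphRequest -Method GET -Uri ("https://graph.microsoft.com/v1.0/users/$pilotUpn" + '?$select=id,userPrincipalName')
Invoke-MgGraphRequest -Method POST -Uri "$base/workflows/$($wf.id)/activate" `
    -Body @{ subjects = @( @{ id = $pilot.id } ) }
Write-Host "On-demand run queued for $($pilot.userPrincipalName); check Execution history for task results."
```

Because the on-demand run skips the scope and trigger, it only proves the tasks work with the caller's permissions; confirm the scheduled path separately by setting employeeLeaveDateTime on the pilot and waiting one schedule interval.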

Monitoring and alerts

Lifecycle Workflows → Execution history shows each run and task result. Turn on Workflow alerts so admins get an email if anything fails. Periodically export history to satisfy audit requests.
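A script version of the audit loop described above (and in the Monitor step of the first offboarding section): pull recent runs for a workflow, list every failed task, and export the result as evidence. This is an added example, not code from the article or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK, read access to Lifecycle Workflows, and placeholder workflow name and output path.

```powershell
# Added example (not from the original article): report failed tasks for one workflow
# over the last seven days and export them to CSV for audit evidence.
# Assumptions: Microsoft.Graph SDK installed; caller can read Lifecycle Workflows;
# the workflow name and output path are placeholders.
Connect-MgGraph -Scopes 'LifecycleWorkflows.Read.All' -NoWelcome

$base         = 'https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows'
$workflowName = 'Leaver offboarding'
$outFile      = './lifecycle-failed-tasks.csv'

# Follow @odata.nextLink so large tenants do not silently lose runs past the first page.
function Get-GraphCollection {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri   = $page.'@odata.nextLink'
    }
    return $items
}

$wf = Get-GraphCollection ("$base/workflows?" + '$filter=' + "displayName eq '$workflowName'") | Select-Object -First 1
if (-not $wf) { throw "Workflow '$workflowName' not found" }

$since = (Get-Date).ToUniversalTime().AddDays(-7)
$runs  = Get-GraphCollection "$base/workflows/$($wf.id)/runs" |
         Where-Object { [datetime]$_.startedDateTime -ge $since }

$failures = foreach ($run in $runs) {
    # One userProcessingResult per user in the run; skip users whose tasks all succeeded.
    $userResults = Get-GraphCollection ("$base/workflows/$($wf.id)/runs/$($run.id)/userProcessingResults?" + '$expand=subject')
    foreach ($ur in $userResults | Where-Object { $_.failedTasksCount -gt 0 }) {
        $taskResults = Get-GraphCollection ("$base/workflows/$($wf.id)/runs/$($run.id)/userProcessingResults/$($ur.id)/taskProcessingResults?" + '$expand=task')
        foreach ($tr in $taskResults | Where-Object { $_.processingStatus -eq 'failed' }) {
            [pscustomobject]@{
                RunId   = $run.id
                Started = $run.startedDateTime
                User    = $ur.subject.userPrincipalName
                Task    = $tr.task.displayName
                Failure = $tr.failureReason
            }
        }
    }
}

if ($failures) {
    $failures | Sort-Object Started -Descending | Format-Table -AutoSize
    $failures | Export-Csv -Path $outFile -NoTypeInformation
    Write-Host "$(@($failures).Count) failed task(s) written to $outFile"
} else {
    Write-Host "No failed tasks in the last 7 days for '$workflowName'"
}
```

Run it from a scheduled job and ship the CSV (or the same objects) to your SIEM if you want failure alerting beyond the portal's email notifications; the failureReason field is usually enough to route the ticket (licence pool empty, TAP disabled, missing manager).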

Troubleshooting quick wins

  • Task failed: licence not assigned. Check the licence pool has free units (Billing → Licences) and that the user has a usage location set; licence assignment fails without one.
  • User didn't match the scope. Confirm department/job title/location values exactly match the rule (the scope rule is an attribute filter, not a fuzzy match).
  • No run relative to hire date. Verify employeeHireDate is present and stored as an ISO 8601 UTC datetime, then allow for the tenant schedule interval (3 hours by default).
  • TAP didn't create. Ensure Temporary Access Pass is enabled in the authentication methods policy for the target users and that the user has a manager, since the built-in task emails the pass to the manager.

FAQs

Do I need HR integration?
No, but it improves accuracy. Without HR, use user-creation triggers and keep hire/termination dates up to date.

Can I run pre-hire steps?
Yes—use the pre-hire template and run a few days before employeeHireDate.

Is Global Administrator required?
No. Assign Lifecycle Workflows Administrator or Identity Governance Administrator.
