HR-driven provisioning is a capability of Entra ID that allows data from Human Resource (HR) systems to be used to create and update accounts in Entra ID or Active Directory. HR-driven provisioning supports directly connecting to cloud HR systems such as Workday and SuccessFactors, or by programmatically pushing the data through an API.

Directly linking account creation, updates, and deletion to HR data can speed up onboarding and offboarding, reduce errors by eliminating double entry of data, allow new employees to be productive sooner, and reduce security risk by removing employee access promptly on termination. HR data brought into identity systems can be used to control access to applications and reduce permission creep. Structured data from HR also tends to be more reliable and can be used to build clear authorization roles. Automating these processes can improve overall security and contribute significantly to meeting audit requirements around identities.
Linking HR data to identity data is an important step for any organization that wishes to improve its IT operational maturity, but to do it successfully requires understanding how HR departments view and manage their data.
User Onboarding
To onboard a user with HR-driven provisioning, the user must exist in the HR data source first. From an IT perspective the earlier this can happen the better, as it allows more time for other tasks that are downstream from account provisioning to occur, such as application assignment and device provisioning.
On the other hand, many HR departments are reluctant to enter new employees into their HR systems until the employees have shown up to work on their first day.
This reluctance is born from experience: for example, a potential employee might accept an offer and then never show up for work, which can be common in some industries. It is also not uncommon for a user not to be entered in an HR system until just before their first paycheck.
Implementing HR-driven provisioning requires non-trivial changes to existing HR processes to get user data in a timely manner. IT departments attempting to drive these changes should be sympathetic to the workload that they might impose on HR and work with them to find solutions that are acceptable to both groups.
Terminations
While HR-driven provisioning does not operate in real time, it often pulls data from HR frequently enough that unintended changes may become visible briefly before they are reverted in the source system.
One such change that may be reverted is an employee termination; it may surprise anyone who has not worked with HR data before to discover that terminations are frequently reversed. Reversals occur for a variety of reasons, ranging from mistaken data entry to reversed business decisions to employees having a change of heart.
Whatever the reason, there are two considerations around reversing terminations that need to be accounted for:
- Avoid actions that are not easily reversible (e.g., deleting the user account) on terminations, at least in the immediate time frame (e.g., inside a week).
- Provide a mechanism to override the terminated status in the short term so the user can still complete their job tasks.
If you are implementing Lifecycle Workflows, it is generally better to use the “Post-Offboarding of an employee” leaver template to perform actions like stripping group memberships or deleting accounts. This template allows such hard-to-reverse actions to occur at an interval after the termination is received.
The default configuration for HR-driven provisioning is to use an attribute map between an HR attribute and the Entra ID AccountEnabled attribute to control whether a user is active.
Unfortunately, HR-driven provisioning attribute maps do not provide a mechanism to override data flows. Directly re-enabling the user in the target directory may be sufficient if the status can be remediated in the source HR system before the next synchronization of the user. If that is not possible, then disabling the user via Lifecycle Workflows may be a better solution than an attribute map, as there are more options to control the process there.
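As an added example (not code from Ravenswood or Microsoft), the following Python models the two considerations above against a constructed daily HR feed: disable immediately on termination, re-enable if HR reverts it, and delete only once the termination has persisted for a grace period, which is the behaviour the delayed leaver template is meant to give you. The Snapshot type, plan_actions function, worker ids, status values and seven-day grace period are all assumptions.

```python
"""Grace-period offboarding over a daily HR feed (constructed example)."""
from dataclasses import dataclass
from datetime import date, timedelta

GRACE_DAYS = 7  # assumption: no hard-to-reverse action inside this window


@dataclass
class Snapshot:
    day: date
    status: dict  # worker id -> "Active" | "Terminated" (assumed HR values)


def plan_actions(snapshots, grace_days=GRACE_DAYS):
    """Return (day, worker, action) tuples: 'disable' on the first Terminated
    status, 'reenable' if HR reverts it, 'delete' only after grace_days of
    uninterrupted Terminated status."""
    actions = []
    terminated_since = {}  # worker -> first day seen as Terminated
    deleted = set()
    for snap in sorted(snapshots, key=lambda s: s.day):
        for worker, status in snap.status.items():
            if worker in deleted:
                continue
            if status == "Terminated":
                if worker not in terminated_since:
                    terminated_since[worker] = snap.day
                    actions.append((snap.day, worker, "disable"))
                elif snap.day - terminated_since[worker] >= timedelta(days=grace_days):
                    actions.append((snap.day, worker, "delete"))
                    deleted.add(worker)
            elif worker in terminated_since:
                # Termination reversed in HR: undo the disable and reset the clock
                del terminated_since[worker]
                actions.append((snap.day, worker, "reenable"))
    return actions


def sample_feed():
    """Ten daily snapshots: w-1001 is terminated then reversed, w-1002 stays terminated."""
    start = date(2024, 1, 1)
    return [
        Snapshot(start + timedelta(days=i), {
            "w-1001": "Terminated" if 1 <= i <= 2 else "Active",
            "w-1002": "Terminated" if i >= 1 else "Active",
        })
        for i in range(10)
    ]
```

Running plan_actions over sample_feed() disables both workers on 2024-01-02, re-enables w-1001 on 2024-01-04 and deletes w-1002 only on 2024-01-09; raising grace_days to 30 drops the delete entirely.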
Preferred Name
Most HR systems primarily care about the legal name of an employee, but often that is not the name that the employee is known by at work.
An employee may prefer to use their second name, a short version of the first name or a “localized” name if their first name is uncommon or hard to pronounce in the local language they are working in.
Employees who change their legal family name because of a change in their marital status may prefer to keep using their previous family name in the workplace.
If the source HR system manages preferred given and family names, then the data can be consumed by HR-driven provisioning either by directly supplying the preferred names instead of the legal names or using the Coalesce function to choose between the preferred and legal variants.
If preferred name support is not present in the source HR system, then you may need to consider only setting name attributes on user creation. This will allow for preferred names to be changed directly in the target system and not be overwritten by the HR data source. Unfortunately, this would not allow other name changes to be sourced from HR but may be a workable compromise for many organizations.
Data Validation
In an HR system, data validation will generally ensure that HR processes work correctly but may not be sufficient to ensure that HR-driven provisioning and other identity automation processes are successful.
Dependencies on free text fields can be problematic as data entry may not be consistent and may contain unexpected characters. For example, if a department field is free text, then employees in the same department could be entered as
- Production Quality Control
- Production QC
- Production, Quality Control
This lack of consistency will break dynamic group calculations based on department values.
Downstream identity systems and processes may also not be able to handle all characters that are valid in an HR system. Unexpected commas in data can break import processes built around CSV files and diacritical marks in names may cause issues in generating usernames in legacy systems. There are solutions to these problems, but they can increase the complexity of the overall implementation.
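As an added example (not code from the original article), a small Python pre-flight check that normalizes free-text department values against a controlled vocabulary, flags commas in name fields, and derives an ASCII username with diacritics stripped before the rows reach provisioning. The vocabulary, alias table, field names and sample rows are constructed.

```python
"""Pre-flight checks on HR export rows before they feed provisioning (constructed example)."""
import re
import unicodedata

# Assumption: the controlled vocabulary HR has agreed to use, plus free-text
# variants seen in practice mapped back to the canonical value.
CANONICAL_DEPARTMENTS = {"Production Quality Control", "Finance", "Engineering"}
DEPARTMENT_ALIASES = {
    "production qc": "Production Quality Control",
    "production, quality control": "Production Quality Control",
}

def normalize_department(value):
    """Return (canonical_value_or_None, issue_or_None)."""
    cleaned = " ".join(value.split())  # collapse stray whitespace
    if cleaned in CANONICAL_DEPARTMENTS:
        return cleaned, None
    alias = DEPARTMENT_ALIASES.get(cleaned.casefold())
    if alias:
        return alias, f"department {value!r} normalized to {alias!r}"
    return None, f"department {value!r} is not in the controlled vocabulary"

def ascii_username(given, family):
    """First initial + family name, diacritics stripped, letters only, so
    legacy systems that accept only ASCII do not reject the value."""
    raw = unicodedata.normalize("NFKD", given[:1] + family)
    return re.sub(r"[^a-z]", "", raw.encode("ascii", "ignore").decode().lower())

def validate_row(row):
    """Check one HR record. Returns (normalized_row, issues); an empty issue
    list means the row can be handed to provisioning unchanged."""
    issues = []
    for field in ("givenName", "familyName"):
        if "," in row[field]:
            issues.append(f"{field} contains a comma, which breaks CSV-based consumers")
    dept, issue = normalize_department(row["department"])
    if issue:
        issues.append(issue)
    normalized = dict(row, department=dept,
                      username=ascii_username(row["givenName"], row["familyName"]))
    return normalized, issues

# Constructed sample rows exhibiting the three problems discussed above.
SAMPLE_ROWS = [
    {"workerId": "1001", "givenName": "Zoë", "familyName": "Müller", "department": "Production QC"},
    {"workerId": "1002", "givenName": "Ana", "familyName": "Silva, Jr", "department": "Production, Quality Control"},
    {"workerId": "1003", "givenName": "Li", "familyName": "Wei", "department": "Prod Quality"},
]
```

A row whose department resolves to None should be held back rather than provisioned, since a dynamic group rule on department would otherwise silently miss it.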
When taking dependencies on HR sourced data, it is important to work with the HR department so they understand the consequences of the data they enter, and to determine if there are safeguards that can be implemented in the system to ensure problems do not occur.
Unmanaged Users
Not all users of IT systems may be sourced from an HR system that is integrated with HR-driven provisioning. Employees located abroad may be managed by local HR systems, contingent workers may have their own systems, and external consultants may not be managed at all.
Manual management of some accounts may therefore persist even when HR-driven provisioning is implemented. Standards and procedures for managing these accounts need to exist, and consideration must be given to how accounts can transition between the managed and unmanaged states. For example, contractors could be converted to employees, or employees could leave and return as contractors. In such circumstances it may be desirable to maintain the user’s application assignments and permissions.
Unfortunately, it may be up to the IT department to determine if such a transition has occurred, as the groups managing the different classes of users may not otherwise communicate.
Summary
Implementing an identity management solution such as HR-driven provisioning is an important step in advancing the IT operational maturity of an organization.
To be successful it requires the participation of both the IT and HR functions of an organization. As a result, projects in this space are often managed as cross departmental efforts with executive sponsorship at a level that encompasses both disciplines.
It greatly benefits an IT organization undertaking one of these projects to understand and be sympathetic to the impact the implementation will have on HR processes.
If you need assistance in implementing HR-driven provisioning or other Microsoft identity management or security needs, contact the experts at Ravenswood Technology Group.