Entra ID Lifecycle Workflows

Lifecycle Workflows automate joiner-mover-leaver tasks based on user attribute triggers.

Microsoft Entra ID Lifecycle Workflows automate the joiner-mover-leaver (JML) lifecycle of user accounts: triggered by HR-data changes (start date, last day, role change), they run sequences of tasks — notifications, group changes, account enabling/disabling, manager emails, custom Logic App actions. They're part of Microsoft Entra ID Governance.

The triggers

A workflow runs when its trigger fires:

  • Joiner triggers: N days before / on / after a user's start date.
  • Mover triggers: change of department, manager, jobTitle, country, custom attribute.
  • Leaver triggers: N days before / on / after the user's last day.

Trigger attributes come from Entra ID — most commonly populated by HR-system synchronisation via SCIM inbound (Workday, SAP SuccessFactors, Oracle HCM).

The tasks

A workflow executes one or more tasks in sequence. Built-in tasks include:

  • Send welcome email to manager / user / IT / HR.
  • Add user to groups for role-based access.
  • Remove user from groups.
  • Enable / disable account.
  • Generate temporary access pass (for first-day sign-in without password).
  • Add to / remove from teams.
  • Update manager.
  • Delete user (after a defined grace period).
  • Trigger a Logic App — for custom actions like creating a ticket, posting to Teams, calling external APIs.

Tasks run with admin-level permissions in the workflow's own execution context, not with the affected user's permissions. The workflow is therefore a privileged automation: the right to edit its scope and task list deserves the same restriction and review as any other admin role.

A worked example

A typical onboarding workflow for a new hire:

  • Trigger: 7 days before start date.
  • Task 1: Send welcome email to the new hire's personal email (notification address from HR system).
  • Task 2: Send notification to the hiring manager with first-day checklist.
  • Task 3: Create a temporary access pass for first sign-in.
  • Task 4: Trigger Logic App that provisions accounts in HR-specific systems (Workday access, training platforms, etc.).
  • Task 5: On start date, add to All Employees group and to [Department] group, which (via group-based licensing) assigns Microsoft 365 E3.

A leaver workflow:

  • Trigger: 14 days before last day.
  • Task 1: Notify manager and IT to prepare offboarding.
  • Trigger: on last day.
  • Task 2: Remove from all groups.
  • Task 3: Disable account.
  • Task 4: Trigger Logic App that revokes access in external SaaS.
  • Trigger: 30 days after last day.
  • Task 5: Delete user (with mailbox converted to shared mailbox via separate process).

Configuration

Workflows are configured in Entra admin center → Identity Governance → Lifecycle Workflows:

  1. Define scope — dynamic membership criteria (which users are subject to the workflow).
  2. Configure trigger — date attribute + offset.
  3. Add tasks — pick from built-in catalogue or add Logic App.
  4. Test in audit mode — see what would happen without acting.
  5. Promote to enforce mode — start running for real.
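The same five steps driven through Microsoft Graph instead of the admin center, as an added example (not code from the page or from Microsoft's own samples). It builds the pre-start part of the onboarding workflow above, leaves scheduling off, and runs it once on demand against a dedicated test account. Assumed: the Microsoft.Graph PowerShell SDK, a caller allowed to manage lifecycle workflows, and placeholders for the scope rule, Logic App extension ID and test user; the task display names and argument names are taken from the tenant's task-definition catalogue, which the script lists so they can be checked.

```powershell
# Added example (not from the page or Microsoft's samples): create a joiner
# workflow via Graph with scheduling disabled, then dry-run it on a test user.
# Placeholders: scope rule, custom-task-extension GUID, test UPN. The task
# display names and argument names below are assumptions to verify against
# the catalogue printed by the first call.

Connect-MgGraph -Scopes 'LifecycleWorkflows.ReadWrite.All', 'User.Read.All'
$base = 'https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows'

# Resolve built-in task definition IDs by display name instead of hard-coding GUIDs.
$catalogue = (Invoke-MgGraphRequest -Method GET -Uri "$base/taskDefinitions").value
$catalogue | Select-Object displayName, id | Format-Table -AutoSize
$taskId = @{}
foreach ($def in $catalogue) { $taskId[$def.displayName] = $def.id }

function New-WorkflowTask {
    param([string]$Name, [string]$Description, [hashtable]$Arguments = @{})
    if (-not $taskId.ContainsKey($Name)) { throw "No task definition named '$Name' in this tenant" }
    @{
        displayName      = $Name
        description      = $Description
        isEnabled        = $true
        continueOnError  = $false      # stop the run for this user if a task fails
        taskDefinitionId = $taskId[$Name]
        arguments        = @($Arguments.GetEnumerator() | ForEach-Object { @{ name = $_.Key; value = $_.Value } })
    }
}

$body = @{
    category            = 'joiner'
    displayName         = 'Onboarding - pre-start (example)'
    description         = 'Welcome mail, temporary access pass, Logic App provisioning'
    isEnabled           = $true
    isSchedulingEnabled = $false       # step 4: nothing runs on schedule until the scope is verified
    executionConditions = @{
        '@odata.type' = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions'
        scope   = @{                   # step 1: scope rule (placeholder)
            '@odata.type' = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet'
            rule          = "(department eq 'Sales')"
        }
        trigger = @{                   # step 2: date attribute + offset
            '@odata.type'      = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger'
            timeBasedAttribute = 'employeeHireDate'
            offsetInDays       = -7    # 7 days before start date
        }
    }
    tasks = @(                         # step 3: built-in tasks plus a Logic App extension
        New-WorkflowTask -Name 'Send welcome email to new hire' -Description 'Task 1'
        New-WorkflowTask -Name 'Generate TAP and send email' -Description 'Task 3' -Arguments @{
            tapLifetimeMinutes = '480'; tapIsUsableOnce = 'true' }     # argument names: assumption
        New-WorkflowTask -Name 'Run a Custom Task Extension' -Description 'Task 4' -Arguments @{
            customTaskExtensionID = '<logic-app-extension-guid>' }     # placeholder
    )
}

$workflow = Invoke-MgGraphRequest -Method POST -Uri "$base/workflows" `
    -Body ($body | ConvertTo-Json -Depth 10) -ContentType 'application/json'
"Created workflow $($workflow.id) with scheduling disabled"

# Dry run against one dedicated test account. The tasks really execute for that
# account (a TAP is issued, mail is sent), so never point this at a real hire.
$testUser = Get-MgUser -UserId 'lcw-test-joiner@contoso.example'      # placeholder
Invoke-MgGraphRequest -Method POST -Uri "$base/workflows/$($workflow.id)/activate" `
    -Body (@{ subjects = @(@{ id = $testUser.Id }) } | ConvertTo-Json -Depth 5) -ContentType 'application/json'
```

Step 5 is a later PATCH of `isSchedulingEnabled` to `true` on the created workflow. Because a workflow has exactly one trigger, Task 5 of the onboarding example (group additions on the start date itself) belongs in a second joiner workflow with `offsetInDays = 0` and the "Add user to groups" task; the manager notification (Task 2) can be folded into the welcome-email task's `cc` argument rather than being a separate task.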

Operational considerations

  • Scope matching is critical — a wrong scope can run a leaver workflow on someone you didn't mean to.
  • Test thoroughly in audit mode before enforcing.
  • Document every workflow so changes don't have surprising effects.
  • Monitor execution logs — every workflow run is logged with task outcomes.
  • Integrate with HR so attribute data is reliable — Lifecycle Workflows only work as well as the data driving them.
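Two of the checks listed above in script form, as an added example that is not part of the page: before enabling scheduling, estimate how many users the scope rule matches today (the "wrong scope" risk), then read recent runs and list users whose tasks failed. Assumed: the Microsoft.Graph SDK, a placeholder workflow ID, an alert threshold chosen here for illustration, and a scope rule written as a plain attribute filter that `/users?$filter` also accepts. The scope-rule and `$filter` grammars overlap but are not identical, so the count is a sanity check rather than proof of the exact membership.

```powershell
# Added example (not from the page): scope sanity check plus run/task
# outcome review for one workflow. Placeholders: workflow id, threshold.

Connect-MgGraph -Scopes 'LifecycleWorkflows.Read.All', 'User.Read.All'
$base = 'https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows'
$workflowId  = '<workflow-guid>'    # placeholder
$maxExpected = 25                   # assumption: how many leavers per run is plausible here

$wf   = Invoke-MgGraphRequest -Method GET -Uri "$base/workflows/$workflowId"
$rule = $wf.executionConditions.scope.rule
"Workflow '$($wf.displayName)' category=$($wf.category) scheduling=$($wf.isSchedulingEnabled)"
"Scope rule: $rule"

# (1) Scope check: reuse the rule as a $filter on /users. $count needs the
#     ConsistencyLevel header; the result is an estimate (see lead-in).
$filter = [uri]::EscapeDataString($rule)
$page = Invoke-MgGraphRequest -Method GET -Headers @{ ConsistencyLevel = 'eventual' } `
    -Uri "https://graph.microsoft.com/v1.0/users?`$count=true&`$top=5&`$select=userPrincipalName&`$filter=$filter"
$matched = $page.'@odata.count'
"Users matching the scope rule now: $matched"
$page.value | ForEach-Object { "  sample: $($_.userPrincipalName)" }
if ($wf.category -eq 'leaver' -and $matched -gt $maxExpected) {
    Write-Warning "Leaver scope matches $matched users (> $maxExpected). Keep scheduling disabled until this is explained."
}

# (2) Run history: each run carries user and task counts; drill into failures.
$runs = (Invoke-MgGraphRequest -Method GET -Uri "$base/workflows/$workflowId/runs?`$top=10").value
foreach ($run in $runs) {
    "$($run.startedDateTime) status=$($run.processingStatus) users=$($run.totalUsersCount) failedUsers=$($run.failedUsersCount) failedTasks=$($run.failedTasksCount)"
    if ($run.failedUsersCount -gt 0) {
        $results = (Invoke-MgGraphRequest -Method GET `
            -Uri "$base/workflows/$workflowId/runs/$($run.id)/userProcessingResults").value |
            Where-Object { $_.processingStatus -eq 'failed' }     # filter client-side
        foreach ($r in $results) {
            $tasks = (Invoke-MgGraphRequest -Method GET `
                -Uri "$base/workflows/$workflowId/runs/$($run.id)/userProcessingResults/$($r.id)/taskProcessingResults").value
            $failed = $tasks | Where-Object { $_.processingStatus -eq 'failed' } |
                ForEach-Object { "$($_.taskId) ($($_.failureReason))" }
            "  user $($r.subject.id): " + ($failed -join '; ')
        }
    }
}
```

Run this after every on-demand test and again before flipping `isSchedulingEnabled`; a leaver workflow whose scope count jumps unexpectedly, or a run with `failedTasksCount` greater than zero, is the signal to stop and look at the HR attribute feed before anything else.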

Licensing

Lifecycle Workflows require Microsoft Entra ID Governance licensing (a separate SKU from base Entra ID, often included with Microsoft 365 E5).

For organisations with significant scale and a serious HR-system integration, Lifecycle Workflows are the modern replacement for the PowerShell scripts and ad-hoc tooling that used to handle JML manually.