Overview
In today’s rapidly evolving business environment, organizations need efficient and automated solutions for managing user accounts and access to resources. Integrating an HR system with Azure Active Directory (Azure AD) offers a powerful and streamlined approach for handling user provisioning and deprovisioning. By connecting the HR system with Azure AD and potentially on-premises Active Directory, organizations can automate the joiner, mover, and leaver processes, simplifying user account management and enhancing security.
In this overview, I will discuss HR-based provisioning for identities, focusing on the hybrid environment of on-premises Active Directory (AD) and Azure Active Directory (Azure AD).
HR Systems, Active Directory, and Azure Active Directory
In many enterprises, the true system of record for identities is the Human Resources (HR) system. This system contains accurate and up-to-date information about employees, such as their employment status, department, manager, start date, and leave date. Workday is one such HR system, which I will focus on for future examples.
Meanwhile, Active Directory often serves as the IT department’s separate source of truth for technical information about enterprise users. In hybrid environments that include both on-premises and cloud resources, information typically flows from AD to Azure AD using Azure AD Connect or Azure AD Cloud Sync. The main exception is when write-back features are enabled, allowing information changed in the cloud to sync back down to the on-prem environment.
While Active Directory and Azure Active Directory may sound similar, they have some key fundamental differences. AD is associated with LDAP and Kerberos, while Azure AD uses cloud-based protocols like OAuth2, OpenID Connect, and SAML.
Azure AD Connect is a synchronization engine that runs on a Windows virtual machine or physical server, whereas Azure AD Connect Cloud Sync is a Microsoft-managed service that runs in the cloud, relying on lightweight provisioning agents for communication with domain controllers. It is worth noting that Azure AD Connect is planned to be deprecated in 2024 in favor of Azure AD Cloud Sync.
What if we could combine these two “sources of truth”? Thankfully, we can: HR information in systems like Workday can be synchronized to custom attributes in both on-prem AD and Azure AD in the cloud. This allows Workday to trigger the creation and management of user identities in AD, which then sync to Azure AD. The result is a more streamlined and accurate process that eliminates manual user creation and updates, and frees up valuable time for helpdesk employees to respond to user issues.
Dynamic Groups and Employee Lifecycle Management
By linking Workday-sourced attributes to dynamic groups and Azure AD lifecycle workflows, we can implement Attribute-Based Access Control (ABAC).
Once information has been synced from Workday to Azure AD, we can begin to leverage the power of dynamic groups. Dynamic groups and Azure AD lifecycle workflows can automate processes based on user attributes synced from Workday, such as hire date, leave date, department, or location.
For example, lifecycle workflows can trigger tasks before an employee’s hire date, such as granting them access to resources or notifying their manager. Similarly, dynamic groups can automatically add or remove users based on changes in their department, job title, or location. These groups can also be used to assign licenses – this means no more manual license reviews, which results in considerable savings to the business.
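To make the joiner, mover, and leaver logic concrete, here is an added example (not code from the original post, and not Azure AD’s own membership engine) that simulates how attribute-based dynamic groups and lifecycle-workflow triggers act on a handful of users after a Workday sync. The attribute names mirror the Azure AD user properties that dynamic-membership rules reference (department, employeeType, employeeHireDate, employeeLeaveDateTime, accountEnabled); the group names, license SKU labels, people, and dates are constructed for the example, and the membership rules shown in comments are assumed equivalents, not a tenant’s real configuration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class SyncedUser:
    """A user object as it would look after Workday -> AD -> Azure AD sync (constructed)."""
    upn: str
    department: str
    employee_type: str            # mirrors user.employeeType
    employee_hire_date: date      # mirrors user.employeeHireDate
    employee_leave_date: Optional[date] = None  # mirrors user.employeeLeaveDateTime
    account_enabled: bool = True  # mirrors user.accountEnabled


@dataclass
class DynamicGroup:
    """A dynamic group: a predicate over synced attributes plus an optional license it assigns."""
    name: str
    rule: Callable[[SyncedUser], bool]
    assigns_license: Optional[str] = None  # SKU label is a placeholder, not a real SKU id


# Hypothetical groups; the comment on each shows the Azure AD membership rule it stands in for.
GROUPS: List[DynamicGroup] = [
    # (user.accountEnabled -eq true) -and (user.department -eq "Finance") -and (user.employeeType -eq "Employee")
    DynamicGroup("Finance-Staff",
                 lambda u: u.account_enabled and u.department == "Finance" and u.employee_type == "Employee",
                 assigns_license="EXAMPLE-E5"),
    # (user.accountEnabled -eq true) -and (user.department -eq "Engineering")
    DynamicGroup("Engineering-Staff",
                 lambda u: u.account_enabled and u.department == "Engineering",
                 assigns_license="EXAMPLE-E5"),
    # (user.accountEnabled -eq true) -and (user.employeeType -eq "Contractor")
    DynamicGroup("Contractors",
                 lambda u: u.account_enabled and u.employee_type == "Contractor",
                 assigns_license="EXAMPLE-F3"),
]


def build_sample_users() -> List[SyncedUser]:
    """Constructed sample population: one joiner, one leaver, two established staff."""
    return [
        SyncedUser("alice@example.com", "Finance", "Employee", date(2023, 1, 9)),
        # Joiner: account pre-created but disabled until the hire date
        SyncedUser("bob@example.com", "Engineering", "Employee", date(2024, 3, 8), account_enabled=False),
        # Leaver: Workday has a leave date of today
        SyncedUser("carol@example.com", "Finance", "Contractor", date(2022, 6, 1),
                   employee_leave_date=date(2024, 3, 1)),
        SyncedUser("dave@example.com", "Engineering", "Employee", date(2021, 9, 13)),
    ]


def run_lifecycle(users: List[SyncedUser], today: date, pre_hire_days: int = 7) -> List[Tuple[str, str]]:
    """Model of lifecycle-workflow triggers: pre-hire notice and leave-date deprovisioning.

    Returns the tasks that would fire today and disables leavers' accounts in place, which is
    what then drops them out of every accountEnabled-gated dynamic group (and its license).
    """
    tasks: List[Tuple[str, str]] = []
    for u in users:
        if u.employee_hire_date - today == timedelta(days=pre_hire_days):
            tasks.append(("notify-manager", u.upn))
        if u.employee_leave_date is not None and u.employee_leave_date <= today and u.account_enabled:
            u.account_enabled = False
            tasks.append(("disable-account", u.upn))
    return tasks


def evaluate_memberships(users: List[SyncedUser], groups: List[DynamicGroup]) -> Dict[str, List[str]]:
    """Re-evaluate every dynamic group against current attributes (what Azure AD does on each change)."""
    return {g.name: sorted(u.upn for u in users if g.rule(u)) for g in groups}


def licenses_for(users: List[SyncedUser], groups: List[DynamicGroup]) -> Dict[str, Set[str]]:
    """Group-based licensing: a user holds the union of licenses assigned by groups they are in."""
    memberships = evaluate_memberships(users, groups)
    result: Dict[str, Set[str]] = {u.upn: set() for u in users}
    for g in groups:
        if g.assigns_license:
            for upn in memberships[g.name]:
                result[upn].add(g.assigns_license)
    return result


if __name__ == "__main__":
    people = build_sample_users()
    print("lifecycle tasks:", run_lifecycle(people, date(2024, 3, 1)))
    print("memberships:", evaluate_memberships(people, GROUPS))
    # Mover: Workday changes Dave's department; the next evaluation moves him between groups
    people[3].department = "Finance"
    print("after mover:", evaluate_memberships(people, GROUPS))
```

The point of the simulation is the ordering: lifecycle workflows change authoritative attributes (here, accountEnabled on the leave date), and group membership and licensing are derived from those attributes rather than edited by hand, so a leaver loses access and licenses in the same pass that disables the account.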
Conclusion
Integrating an HR system with Active Directory and Azure AD offers a powerful and automated solution for managing user provisioning and deprovisioning in organizations. This allows you to streamline the joiner, mover, and leaver processes, reducing the burden on IT staff and improving overall security.
HR systems, Active Directory, Azure AD, Cloud Sync provisioning agents, dynamic groups, and Azure AD lifecycle workflows all work together to create a comprehensive solution that simplifies user account management and access control.