Lifecycle Workflows
Joiner, mover, and leaver automation with triggers, built-in tasks, custom extensions, monitoring, and a Graph/PowerShell reference.
Lifecycle Workflows orchestrate standardized identity-governance flows without manual one-off steps.
Workflows can react to employeeHireDate, employeeLeaveDateTime, attribute changes, or on-demand runs.
Logic Apps and Azure Functions extend the built-in task catalog for third-party systems and special processes.
Every execution is traceable through workflow, run, and task status.
Overview, architecture, and triggers
| Building block | Description | Practice |
|---|---|---|
| Workflow template | Predefined or custom workflow with trigger, scope, and tasks. | Templates accelerate joiner/mover/leaver scenarios. |
| Execution conditions | Rule-based scope definition for the affected users. | Combine with HR attributes and department data. |
| Time-based trigger | Reacts to employeeHireDate or employeeLeaveDateTime with an offset in days before or after that date. | Ideal for pre-licensing or delayed deletion. |
| Attribute-change trigger | Starts when defined profile attributes change. | Typical for mover scenarios. |
| On-demand | Manually triggered workflow for exception cases. | Helpful for rework and special cases. |
Built-in tasks with parameters
| Task | Key parameters | Effect |
|---|---|---|
| Generate TAP | lifetimeInMinutes, isUsableOnce | Generates a Temporary Access Pass for bootstrap or recovery. |
| Send welcome email | recipient, template, language | Informs new employees or managers. |
| Add to group | groupId | Adds users to security or M365 groups. |
| Add to team | teamId, role | Places users into operational teams. |
| Assign license | skuId, disabledPlans | Assigns licenses during joiner processes. |
| Enable account | none | Enables the account. |
| Run custom extension | endpoint, timeout, retry | Calls Logic Apps or Azure Functions. |
| Remove from group | groupId | Removes group memberships. |
| Remove from team | teamId | Removes users from teams. |
| Disable account | none | Blocks sign-in during the leaver workflow. |
| Remove all licenses | none | Removes all license assignments. |
| Revoke sign-in sessions | none | Ends active sessions and refresh tokens. |
| Transfer ownership | managerId or targetUserId | Transfers group or app ownership. |
| Remove access | scope settings | Bundles several offboarding actions. |
| Delete user | delay or direct delete | Deletes the account after the retention window. |
| Send offboarding email | recipient, template | Informs managers and stakeholders about the offboarding. |
Custom task extensions, versioning, and monitoring
| Topic | Description | Recommendation |
|---|---|---|
| Logic Apps integration | Uses HTTP-based custom extensions for linear or stateful processes. | Ideal for ServiceNow, HR systems, and email workflows. |
| Azure Functions | Lightweight extension for calculations, lookups, or proprietary APIs. | Secure with a managed identity. |
| Versioning | Workflow versions allow controlled changes without flying blind. | Use staging and simulation before the production cutover. |
| History | Run history with task status, duration, and error details. | Useful for audit and SLA measurement. |
| Insights | Workflow insights show success rate, latency, and failure patterns. | Augment with KQL and workbooks. |
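Registering a custom task extension with the endpoint, authentication, timeout, and retry settings the table refers to, as an added Graph PowerShell example (not code from this page or from Microsoft). It assumes the Graph beta `customTaskExtensions` resource and the `@odata.type` values shown, which are my reading of the beta reference; the subscription, resource group, Logic App name, and app ID URI are placeholders.

```powershell
# Added example (not from the page): register a Logic App as a custom task extension.
# Placeholders: <SUBSCRIPTION-ID>, <RESOURCE-GROUP>, <LOGIC-APP-NAME>, <APP-ID-URI>.
Connect-MgGraph -Scopes "LifecycleWorkflows.ReadWrite.All"
$base = "https://graph.microsoft.com/beta/identityGovernance/lifecycleWorkflows"

$extension = @{
    displayName = "Create offboarding ticket"
    description = "Opens a ticket in the service desk and reports back via callback"
    endpointConfiguration = @{
        "@odata.type"        = "#microsoft.graph.logicAppTriggerEndpointConfiguration"
        subscriptionId       = "<SUBSCRIPTION-ID>"
        resourceGroupName    = "<RESOURCE-GROUP>"
        logicAppWorkflowName = "<LOGIC-APP-NAME>"
    }
    authenticationConfiguration = @{
        # Lifecycle Workflows sends a bearer token for this resource to the Logic App.
        # The Logic App trigger should accept only tokens with this audience from this tenant,
        # so that nothing else can invoke the offboarding logic.
        "@odata.type" = "#microsoft.graph.azureAdTokenAuthentication"
        resourceId    = "<APP-ID-URI>"
    }
    clientConfiguration = @{
        # Limits on the initial call to the Logic App (retry + timeout from the task table)
        "@odata.type"         = "#microsoft.graph.customExtensionClientConfiguration"
        maximumRetries        = 1
        timeoutInMilliseconds = 1000
    }
    callbackConfiguration = @{
        # The task stays "in progress" until the Logic App calls back; after this
        # ISO 8601 duration without a callback the task is marked failed.
        "@odata.type"   = "#microsoft.graph.identityGovernance.customTaskExtensionCallbackConfiguration"
        timeoutDuration = "PT5M"
    }
}

$created = Invoke-MgGraphRequest -Method POST -Uri "$base/customTaskExtensions" `
    -Body ($extension | ConvertTo-Json -Depth 5) -ContentType "application/json"
"Registered extension '$($created.displayName)' with id $($created.id)"

# Review every registered extension and the settings that matter for its security and timing
(Invoke-MgGraphRequest -Method GET -Uri "$base/customTaskExtensions").value |
    ForEach-Object {
        [pscustomobject]@{
            Name          = $_.displayName
            LogicApp      = $_.endpointConfiguration.logicAppWorkflowName
            Audience      = $_.authenticationConfiguration.resourceId
            Retries       = $_.clientConfiguration.maximumRetries
            CallbackLimit = $_.callbackConfiguration.timeoutDuration
        }
    } | Format-Table -AutoSize
```

A workflow references the extension through the built-in "Run a Custom Task Extension" task, whose argument (named `customTaskExtensionID` in my reading of the beta reference) carries the id printed above. The audience check on the Logic App side is what makes the managed-identity recommendation in the table effective: without it, any caller that can reach the trigger URL can start the process.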
```json
{
  "category": "joiner",
  "displayName": "Joiner - Standard Employee",
  "isEnabled": true,
  "executionConditions": {
    "scope": {
      "rule": "user.department -in [\"Sales\",\"Marketing\"]"
    },
    "trigger": {
      "type": "timeBased",
      "timeBasedAttribute": "employeeHireDate",
      "offsetInDays": -2
    }
  }
}
```
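The joiner definition above, as an added Graph PowerShell example (not code from this page or from Microsoft) in the shape the Graph beta workflows endpoint expects: `@odata.type` discriminators on conditions, scope, and trigger, tasks identified by `taskDefinitionId`, and scheduling switched off until an on-demand pilot run has been reviewed. The scope rule uses the `(attribute eq 'value')` form from the beta reference; the task display-name patterns and the argument names `tapLifetimeMinutes`, `tapIsUsableOnce`, and `groupID` are my reading of that reference; `<PILOT-USER-ID>` and `<SALES-GROUP-ID>` are placeholders.

```powershell
# Added example (not from the page): create the joiner workflow, pilot it on demand, then schedule it.
Connect-MgGraph -Scopes "LifecycleWorkflows.ReadWrite.All"
$base = "https://graph.microsoft.com/beta/identityGovernance/lifecycleWorkflows"

# Resolve built-in task definition ids by display name instead of hard-coding GUIDs
$defs = (Invoke-MgGraphRequest -Method GET -Uri "$base/taskDefinitions").value
function Get-TaskDefinitionId([string]$Pattern) {
    $match = @($defs | Where-Object { $_.displayName -match $Pattern })
    if ($match.Count -ne 1) { throw "Expected exactly one task definition matching '$Pattern', found $($match.Count)" }
    return $match[0].id
}

$workflow = @{
    category            = "joiner"
    displayName         = "Joiner - Standard Employee"
    description         = "Pre-provision Sales and Marketing hires two days before their start date"
    isEnabled           = $true
    isSchedulingEnabled = $false   # staging: no time-based runs until the pilot is reviewed
    executionConditions = @{
        "@odata.type" = "#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions"
        scope = @{
            "@odata.type" = "#microsoft.graph.identityGovernance.ruleBasedSubjectSet"
            rule          = "(department eq 'Sales') or (department eq 'Marketing')"
        }
        trigger = @{
            "@odata.type"      = "#microsoft.graph.identityGovernance.timeBasedAttributeTrigger"
            timeBasedAttribute = "employeeHireDate"
            offsetInDays       = -2   # negative = before the hire date
        }
    }
    tasks = @(
        @{
            displayName      = "Generate TAP and send welcome email"
            isEnabled        = $true
            continueOnError  = $false  # no TAP means the new hire cannot bootstrap; stop here
            taskDefinitionId = Get-TaskDefinitionId "Temporary Access Pass|TAP"
            arguments        = @(
                @{ name = "tapLifetimeMinutes"; value = "60" },
                @{ name = "tapIsUsableOnce";    value = "true" }
            )
        },
        @{
            displayName      = "Add to Sales baseline group"
            isEnabled        = $true
            continueOnError  = $true   # group membership can be fixed afterwards
            taskDefinitionId = Get-TaskDefinitionId "Add user to groups"
            arguments        = @( @{ name = "groupID"; value = "<SALES-GROUP-ID>" } )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST -Uri "$base/workflows" `
    -Body ($workflow | ConvertTo-Json -Depth 10) -ContentType "application/json"
$id = $created.id

# Pilot: on-demand runs ignore scope and trigger, so only the listed subjects are processed
Invoke-MgGraphRequest -Method POST -Uri "$base/workflows/$id/activate" `
    -Body (@{ subjects = @( @{ id = "<PILOT-USER-ID>" } ) } | ConvertTo-Json -Depth 4) -ContentType "application/json"

# Inspect the pilot run before allowing scheduled runs
(Invoke-MgGraphRequest -Method GET -Uri "$base/workflows/$id/runs").value |
    Select-Object id, processingStatus, totalTasksCount, failedTasksCount, completedDateTime

# After review: the time-based trigger starts picking up users on the tenant's schedule interval
Invoke-MgGraphRequest -Method PATCH -Uri "$base/workflows/$id" `
    -Body (@{ isSchedulingEnabled = $true } | ConvertTo-Json) -ContentType "application/json"
```

Keeping `isSchedulingEnabled` false during the pilot is the staging step the versioning row recommends: the definition exists and can be exercised on demand, but no user is touched automatically until the run history of the pilot has been checked.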
Graph API, PowerShell, and real scenarios
| API / cmdlet | Purpose | Note |
|---|---|---|
| GET /identityGovernance/lifecycleWorkflows/workflows | Lists workflows and their configuration. | For inventory and backup of the governance design. |
| POST /identityGovernance/lifecycleWorkflows/workflows | Creates a workflow. | Check beta vs. released API versions per feature. |
| GET /identityGovernance/lifecycleWorkflows/workflows/{id}/runs | Reads runs and failures. | Central source for operations and audit. |
| Invoke-MgGraphRequest | Graph PowerShell for configuration and monitoring. | Pragmatic route until dedicated cmdlets cover all features. |
```powershell
Connect-MgGraph -Scopes "LifecycleWorkflows.ReadWrite.All"
Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/identityGovernance/lifecycleWorkflows/workflows"
```
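Pulling run history the way the `/runs` row describes, as an added Graph PowerShell example (not code from this page or from Microsoft): it lists every run from the last seven days that failed or completed with errors and drills into the failed task processing results. The property names (`processingStatus`, `failedTasksCount`, `failureReason`) and the `$expand=subject,task` query are my reading of the beta reference.

```powershell
# Added example (not from the page): failed-run report for all workflows, last 7 days.
Connect-MgGraph -Scopes "LifecycleWorkflows.Read.All"
$base  = "https://graph.microsoft.com/beta/identityGovernance/lifecycleWorkflows"
$since = (Get-Date).ToUniversalTime().AddDays(-7)

# Follow @odata.nextLink so long run histories are read completely, not just the first page
function Get-GraphCollection([string]$Uri) {
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

$findings = foreach ($wf in Get-GraphCollection "$base/workflows") {
    foreach ($run in Get-GraphCollection "$base/workflows/$($wf.id)/runs") {
        if (-not $run.startedDateTime -or [datetime]$run.startedDateTime -lt $since) { continue }
        # completedWithErrors: the run finished but some task or user failed; failed: the run itself failed
        $hasFailure = $run.failedTasksCount -gt 0 -or $run.processingStatus -in @('failed', 'completedWithErrors')
        if (-not $hasFailure) { continue }

        $resultsUri = "$base/workflows/$($wf.id)/runs/$($run.id)/taskProcessingResults?`$expand=subject,task"
        foreach ($r in Get-GraphCollection $resultsUri) {
            if ($r.processingStatus -ne 'failed') { continue }
            [pscustomobject]@{
                Workflow = $wf.displayName
                RunId    = $run.id
                User     = $r.subject.userPrincipalName
                Task     = $r.task.displayName
                Reason   = $r.failureReason
                Started  = $r.startedDateTime
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Started -Descending | Format-Table -AutoSize -Wrap
} else {
    "No failed tasks since $($since.ToString('u'))"
}
```

A leaver workflow whose "disable account" or "revoke sessions" task failed is an access-revocation gap, so this output belongs on the operations board the checklist asks for rather than in an ad-hoc console session.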
```json
{
  "scenario": "Leaver",
  "steps": [
    "Disable account on leave date",
    "Revoke sign-in sessions",
    "Remove from privileged groups",
    "Transfer ownership to manager",
    "Remove licenses after 7 days",
    "Delete user after retention window"
  ]
}
```
Operational checklist
| Checkpoint | Expected state | Assessment |
|---|---|---|
| HR attributes maintained | employeeHireDate, employeeLeaveDateTime, and manager are correct. | Yes/No |
| Joiner pilot | Licensing, groups, and TAP tested. | Yes/No |
| Mover trigger | Department or location changes create the expected tasks. | Yes/No |
| Leaver delay | Disable, revoke, remove license, and delete are time-aligned. | Yes/No |
| Custom extensions secured | Logic App/Function uses a managed identity and input validation. | Yes/No |
| Run history monitored | Failures and retries reach the operations board. | Yes/No |
| Versioning used | Changes are not pushed untested directly to production. | Yes/No |
| Rollback defined | Failed joiner/leaver steps have corrective actions. | Yes/No |
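A check for the first checklist row, as an added example (not code from this page or from Microsoft): for users matching the workflow scope, verify the attributes that time-based triggers and manager-directed tasks depend on, because a user without employeeHireDate or employeeLeaveDateTime is never picked up by the joiner or leaver trigger. It uses the standard `Get-MgUser` cmdlet; the department filter is an assumed scope, and `User-LifeCycleInfo.Read.All` is the permission needed to read employeeLeaveDateTime.

```powershell
# Added example (not from the page): HR attribute readiness audit for users in the workflow scope.
Connect-MgGraph -Scopes "User.Read.All", "User-LifeCycleInfo.Read.All"

# Mirror the scope rule of the workflow so the audit covers exactly the users it would process
$scopeFilter = "department eq 'Sales' or department eq 'Marketing'"
$users = Get-MgUser -All -Filter $scopeFilter -ConsistencyLevel eventual -CountVariable count `
    -Property id,userPrincipalName,accountEnabled,department,employeeHireDate,employeeLeaveDateTime `
    -ExpandProperty manager

$now = (Get-Date).ToUniversalTime()
$report = foreach ($u in $users) {
    $problems = @()

    if (-not $u.EmployeeHireDate) {
        $problems += "no employeeHireDate (joiner trigger will not fire)"
    }
    if (-not $u.Manager -or -not $u.Manager.Id) {
        $problems += "no manager (transfer-ownership and manager emails have no target)"
    }

    # employeeLeaveDateTime may surface as a typed property or in AdditionalProperties depending on SDK version
    $leave = if ($u.EmployeeLeaveDateTime) { $u.EmployeeLeaveDateTime } else { $u.AdditionalProperties['employeeLeaveDateTime'] }
    if ($leave -and [datetime]$leave -lt $now -and $u.AccountEnabled) {
        # The leaver trigger should have disabled this account already; check the run history
        $problems += "leave date $leave has passed but the account is still enabled"
    }

    if ($problems) {
        [pscustomobject]@{
            User       = $u.UserPrincipalName
            Department = $u.Department
            Issues     = ($problems -join '; ')
        }
    }
}

"Checked $count users in scope; $(@($report).Count) need attention"
$report | Format-Table -AutoSize -Wrap
```

Run this before enabling scheduling on a new workflow and again whenever the HR feed changes: the third finding (leave date passed, account still enabled) is the one that turns a data-quality issue into an access-revocation gap.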
Glossary & quick reference
| Term | Definition |
|---|---|
| Joiner | Workflow for onboarding. |
| Mover | Workflow for role or department changes. |
| Leaver | Workflow for offboarding. |
| Execution Conditions | Scope and trigger definition. |
| Custom Extension | Externally invoked logic. |
| Run History | History of individual executions. |
| Task Processing Result | Status of a single task. |
| On-demand | Manually started workflow. |