Janne Mattila

From programmer to programmer -- Programming just for the fun of it

Manage temporary employees with Entra ID Governance and Lifecycle workflows

Posted on: February 12, 2024

Many companies have a requirement to grant temporary employees access to various company resources. Often this process is handled via a ticketing system with long wait times, which can be very problematic for the business process.

Access management can span from IT systems to physical building accesses and the need to enable this access can come very urgently.

Let’s look at how we can handle this process with a Microsoft Entra ID Governance based solution:

Identity Governance has a feature called Lifecycle workflows which we’re going to leverage in this demo:

Lifecycle workflows can be used to automate various tasks related to identity management. In this post, we’re going to use workflows for enabling temporary employee access in this fictional Healthcare organization.

Here is the demo setup:

Read more about group synchronization here.

Here you can see a list of different workflows:

If we now focus on one of the workflows, we can see that it enables the Nurse role and grants access to the Emergency department and its resources:

The workflow itself defines the tasks which are executed when the workflow is started:

Now let’s walk through the process of enabling a temporary employee:

There is an urgent need to fill in for a sick nurse for half a day. Luckily, a suitable temporary employee is quickly found: Mike Jensen.

In Active Directory, his account is in a disabled state:

A manager from the department opens the web application and logs in with their Entra ID account:

They’ll see a list of users which is filtered to show only temporary employees. In this demo the users are filtered with this query: startswith(department, 'TempEmployees'). Of course, you could use any custom logic here to find the correct users to display.

Similarly, the list of available workflows is filtered to show only relevant workflows.

The user selects the correct workflow and starts it for Mike Jensen:

The user could also select multiple users and multiple workflows at once, e.g., to enable access for several temporary employees in one go.

In the workflow history view, you can see the status of the started workflow:

The workflow for Mike Jensen has been Completed successfully:

This means that the temporary employee Mike Jensen has also been enabled in the Active Directory:

It means that they now have access to the resources defined in the workflow e.g., access to the emergency department restricted areas and IT systems.

It’s important to note that the end user who initiated the workflow doesn’t need any special permissions for enabling temporary employees. The web application itself holds the rights to start the workflow processes.

Here is the sequence diagram of the process:

```mermaid
sequenceDiagram
    actor User
    User->>+WebApp: Enable temporary employee(s)
    Note right of WebApp: Use Application permissions
    WebApp->>+Workflow: Start workflow
    Note right of Workflow: Tasks are executed
    Workflow-->>-WebApp: Started
    WebApp-->>-User: Employee(s) enabled
```
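To make the sequence above concrete, here is an added Python sketch of the server-side part of such a web application. It is not the post’s own code: it models the three Microsoft Graph calls the app needs (list temporary employees with the post’s startswith(department, 'TempEmployees') filter, list lifecycle workflows, and run a workflow on demand via the activate action with the selected users as subjects) and shows the check a practitioner would want: the user and workflow ids posted back from the browser are validated against the server-side filtered sets before anything is activated, so the application permissions cannot be used to enable an arbitrary account. The workflow name prefix "Temp", the HTTP transport callable and the in-memory Graph stand-in are assumptions made for this example; in a real app the transport would send requests with an app-only token holding User.Read.All and LifecycleWorkflows.ReadWrite.All.

```python
"""Server-side helper for an "enable temporary employee" web app (illustrative, not the post's code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
LCW = f"{GRAPH}/identityGovernance/lifecycleWorkflows/workflows"

# Transport signature: (method, url, json_body_or_None) -> parsed JSON dict.
# Assumed to add an app-only bearer token (application permissions, as in the post).
Transport = Callable[[str, str, Optional[dict]], dict]


@dataclass
class TempEmployeeService:
    send: Transport
    user_filter: str = "startswith(department, 'TempEmployees')"  # filter from the post
    workflow_prefix: str = "Temp"                                  # assumption: relevant workflows share a prefix
    _allowed_users: Set[str] = field(default_factory=set, init=False)
    _allowed_workflows: Set[str] = field(default_factory=set, init=False)

    def list_temp_employees(self) -> List[dict]:
        """Users shown to the manager; the filter runs server-side, never in the browser."""
        url = f"{GRAPH}/users?$filter={quote(self.user_filter)}&$select=id,displayName,accountEnabled"
        users = self.send("GET", url, None).get("value", [])
        self._allowed_users = {u["id"] for u in users}
        return users

    def list_workflows(self) -> List[dict]:
        """Workflows shown to the manager, narrowed by custom logic (here: a display name prefix)."""
        all_wfs = self.send("GET", LCW, None).get("value", [])
        wfs = [w for w in all_wfs if w.get("displayName", "").startswith(self.workflow_prefix)]
        self._allowed_workflows = {w["id"] for w in wfs}
        return wfs

    def activate(self, workflow_id: str, user_ids: List[str]) -> dict:
        """Run the workflow on demand for the selected users (one or many)."""
        # Re-check the browser's selection against the server-side sets: the app's own
        # permissions could start any workflow for any user, so the app must not trust ids it did not offer.
        unknown = set(user_ids) - self._allowed_users
        if workflow_id not in self._allowed_workflows or unknown or not user_ids:
            raise PermissionError(f"selection outside allowed set: workflow={workflow_id} users={sorted(unknown)}")
        body = {"subjects": [{"id": uid} for uid in user_ids]}
        # Graph returns 204 No Content for activate; the transport returns {} for that.
        self.send("POST", f"{LCW}/{workflow_id}/microsoft.graph.identityGovernance:activate", body)
        return body

    def run_history(self, workflow_id: str) -> List[dict]:
        """Runs of the workflow, i.e. what the post's workflow history view displays."""
        return self.send("GET", f"{LCW}/{workflow_id}/runs", None).get("value", [])


def make_fake_transport(log: list) -> Transport:
    """Constructed in-memory Graph stand-in so the example runs offline; records every request."""
    def send(method: str, url: str, body: Optional[dict]) -> dict:
        log.append((method, url, body))
        if "/users?" in url:
            return {"value": [{"id": "u-mike", "displayName": "Mike Jensen", "accountEnabled": False},
                              {"id": "u-anna", "displayName": "Anna Example", "accountEnabled": False}]}
        if url == LCW:
            return {"value": [{"id": "wf-nurse", "displayName": "Temp: Nurse - Emergency department"},
                              {"id": "wf-leaver", "displayName": "Leaver: Offboard employee"}]}
        if url.endswith("/runs"):
            return {"value": [{"id": "run-1", "processingStatus": "completed", "workflowExecutionType": "onDemand"}]}
        return {}
    return send


def demo() -> Dict[str, object]:
    """Walk through the post's scenario: manager enables Mike Jensen via the nurse workflow."""
    log: list = []
    svc = TempEmployeeService(send=make_fake_transport(log))
    users = svc.list_temp_employees()
    wfs = svc.list_workflows()
    svc.activate("wf-nurse", ["u-mike"])
    runs = svc.run_history("wf-nurse")
    return {"users": len(users), "workflows": len(wfs), "log": log, "runs": runs}


if __name__ == "__main__":
    print(demo())
```

The validation in activate() is the part worth copying: because the workflow is started with application permissions rather than the manager’s own rights, the allowed set of users and workflows is the only thing standing between the manager and every account in the tenant, so it is computed and enforced on the server, never taken from the request.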

Let’s look at the tasks in the workflow:

If you want to add a new task to the workflow, you can just click the Add task button. There are many built-in tasks, but here we’re going to focus on the Custom task extension:

Already implemented custom extensions can be found under Lifecycle workflows:

They are implemented as Logic Apps. Let’s quickly check the steps to add a new custom task. First, you need to provide a name and description:

Then you can define the behavior and authorization related parameters:

Next you can pick an existing Logic App or create a new one:

In your Logic App implementation, you can use other Azure services and leverage the numerous connectors available for Logic Apps. More information about custom task extensions here.

Here is the above example web application code:


This post was done in collaboration with Timo Hakala.
Credit for the idea and excellent test environment goes to him. Thank you!

I hope you find this useful!