What is Identity Lifecycle and why is Identity governance administration (IGA) an important component of Identity and Access Management (IAM)? IAM enables the secure and efficient management of digital identities while Identity Lifecycle strikes a balance between security and employee productivity by addressing key issues such as user access and visibility. With its capability to perform a range of tasks across both cloud and on-premises users, Identity Governance provides organizations with the means to ensure proper management of digital identities through:
- Identity lifecycle management
- Access lifecycle management
- Privileged access for administrators
This is the first of three blog posts that will delve into the three features of IGA, beginning with Identity Lifecycle.
Identity lifecycle
An identity lifecycle refers to the entire process that begins when a user’s digital identity is created and assigned access to resources, and continues with authentication of that identity, updates to credentials and attributes, ending when that identity is retired. The process includes stages such as creation, verification, authentication, authorization, management, and retirement.
An example of the identity lifecycle is demonstrated through Kari, who joins a company and leaves after 3 years.
- Onboarding: When Kari is hired by Company X, a new user account is created for her. The user is authenticated and authorized. The IT department adds her to the relevant security groups, grants her access to resources, and enables her account.
- User Administration: Throughout Kari’s employment, her account information and access to resources may need to be updated, such as when she changes departments.
- Retiring: When Kari leaves the company, her user account and associated access are revoked, and she must turn in all company resources.
Identity lifecycle management
Managing digital identities can be a challenging task. In smaller organizations, maintaining identities for users can be done manually, where an administrator creates an account for a new employee and assigns the necessary permissions. With larger organizations, this can be quite a task and I would recommend leveraging automation to manage identities more efficiently at scale.
Lifecycle Workflows is a Governance feature that enables administrators to manage Azure AD users by automating these three basic lifecycle processes:
- Joiner – Onboarding a new employee joining the company.
- Mover – An employee moving between departments in the same company.
- Leaver – Offboarding an employee when they leave the company, whether voluntarily or after termination.
Workflows are made up of Tasks and Execution conditions that contain specific processes that run automatically against users as they move through their lifecycle. Lifecycle Workflows come with many pre-configured templates (though users can also create custom tasks), designed to automate common lifecycle management scenarios. These built-in tasks can be used to build customized workflows that meet your organization’s needs. Tasks are also categorized according to the Joiner-Mover-Leaver model, making it easy to place them into workflows as needed.
Use case: Joiner – onboard a new employee using a template in the Azure portal.
Log in to the Azure portal –> Navigate to Azure Active Directory –> Go to Identity Governance –> In the left menu, select Lifecycle Workflows –> On the Workflows screen, choose the desired workflow template.
You need the right permissions and roles to create a workflow, i.e., you must hold either the Global Administrator or the Lifecycle Workflows Administrator role.
We will attempt to onboard a new hire Kari who just joined the company using the template “Onboard new hire employee.”
Configure scope:
- Department for our new employee Kari
- UserPrincipalName
- Job title
Please note that you can add up to 5 expressions and can view or edit the rule syntax text.
Tasks:
- Send Kari a welcome message.
- Create a Microsoft Azure Active Directory (AD) account for Kari.
- Assign Kari to the appropriate security groups based on their role and responsibilities.
- Generate Temporary Access Pass and send via email to user’s manager.
Review your configured scope and tasks before creating your workflow.
Enable workflow schedule
By default, the scheduled interval at which the Lifecycle Workflow runs is set to 3 hours. This interval cannot be changed in the user interface (UI), but you can modify it with Microsoft Graph to any value from 1 to 24 hours.
Please note that this is a tenant setting and will apply to all workflows created within the tenant.
By design, newly created workflows are initially disabled to facilitate testing among a smaller audience. For further details on testing workflows prior to wider implementation, refer to run on demand workflow.
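As an added example (not code from the original post or from Microsoft), the following Python composes the Microsoft Graph request bodies for the joiner workflow configured above (scope rule of up to 5 expressions, ordered tasks, created disabled) and for the tenant-wide schedule interval (1 to 24 hours). The Graph endpoint paths, OData type names and the placeholder task definition IDs are assumptions; the bodies are built and validated offline and must be sent with an authenticated Graph client of your own.

```python
"""Build and validate Lifecycle Workflows request bodies for Microsoft Graph.
Assumed endpoints: POST {GRAPH}/workflows and PATCH {GRAPH}/settings."""
from typing import Sequence, Tuple

GRAPH = "https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows"
MAX_SCOPE_EXPRESSIONS = 5        # portal limit stated in the post
INTERVAL_HOURS = range(1, 25)    # 1-24 hours; tenant-wide, applies to every workflow


def build_scope_rule(expressions: Sequence[Tuple[str, str]]) -> str:
    """Join (attribute, value) pairs into the rule syntax the portal shows,
    e.g. (department eq 'Marketing') and (jobTitle eq 'Analyst').
    Single quotes in values are doubled so a value cannot alter the rule."""
    if not 1 <= len(expressions) <= MAX_SCOPE_EXPRESSIONS:
        raise ValueError(f"scope needs 1..{MAX_SCOPE_EXPRESSIONS} expressions")
    return " and ".join(f"({attr} eq '{val.replace(chr(39), chr(39) * 2)}')"
                        for attr, val in expressions)


def build_joiner_workflow(name: str, expressions: Sequence[Tuple[str, str]],
                          task_ids: Sequence[str], offset_days: int = 0) -> dict:
    """Body for POST {GRAPH}/workflows: triggers on employeeHireDate for users
    matching the scope rule and runs the tasks in the given order.
    task_ids are taskDefinitionId GUIDs of built-in tasks (placeholders here)."""
    return {
        "category": "joiner",
        "displayName": name,
        "isEnabled": False,           # new workflows start disabled for testing
        "isSchedulingEnabled": False,
        "executionConditions": {
            "@odata.type": "#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions",
            "scope": {
                "@odata.type": "#microsoft.graph.identityGovernance.ruleBasedSubjectSet",
                "rule": build_scope_rule(expressions)},
            "trigger": {
                "@odata.type": "#microsoft.graph.identityGovernance.timeBasedAttributeTrigger",
                "timeBasedAttribute": "employeeHireDate",
                "offsetInDays": offset_days}},
        "tasks": [{"isEnabled": True, "taskDefinitionId": tid, "executionSequence": i + 1}
                  for i, tid in enumerate(task_ids)],
    }


def build_interval_patch(hours: int) -> dict:
    """Body for PATCH {GRAPH}/settings; reject values Graph would refuse (outside 1-24)."""
    if hours not in INTERVAL_HOURS:
        raise ValueError("workflowScheduleIntervalInHours must be between 1 and 24")
    return {"workflowScheduleIntervalInHours": hours}
```

Send the workflow body first, run it on demand against a small test scope, and only then set isEnabled to true; the interval patch changes the schedule for every workflow in the tenant, so apply it deliberately.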