What is HR-driven provisioning?
HR-driven provisioning is the automated creation of digital identities (e.g. Active Directory user accounts) based on a human resources system.
HR systems typically hold the most accurate data an organization has about its employees. They are often used as a reliable ‘source of truth’ on which to base automated provisioning of directories and other systems that need identity data. This identity data may be used for authorization and authentication decisions, or for less critical administrative purposes.
The term “HR-driven” is often used as shorthand to refer to any source of truth, like a student enrolment system, or a temporary staff database.
The term “provisioning” is often used as shorthand for the entire joiner/mover/leaver lifecycle of an employee, or other identity. So it covers the ongoing maintenance of the identities, and de-provisioning, too.
HR-driven provisioning can be either on-premises-based or cloud-based. In the Microsoft world, Microsoft Entra ID can be configured to connect to some cloud-based HR systems (notably Workday and SuccessFactors) and provides an API for other HR systems. Identities from the HR system can then be provisioned to Microsoft Entra ID or Active Directory.
Microsoft Identity Manager and new, more advanced cloud-based products such as SoftwareIDM’s Identity Panel Suite connect to just about any HR system and use it to provision to Microsoft Entra ID or Active Directory (AD).
It is probably safe to say that most organizations that use Active Directory are hybrid – that is, they are using both on-premises AD and Microsoft Entra ID. In such circumstances, AD can be HR-driven, with Microsoft Entra Connect being used to synchronize AD with Microsoft Entra ID.
The benefits of HR-driven provisioning for hybrid AD can include:
- AD and Microsoft Entra ID identity information is consistent with your “source of truth” (e.g. HR system), for example:
  - Authentication and authorization decisions are based on reliable data.
  - Users provisioned, enabled/disabled, and de-provisioned automatically.
  - Licensing and security decisions based on accurate group memberships.
- More administrative control with less effort:
  - Reduced duplication of identity data entry.
  - Effective enforcement of rules and policies in AD and Microsoft Entra ID.
  - Automated handling of the joiner/mover/leaver process.
  - Fewer orphaned accounts and rogue permissions.
- Improved Microsoft 365 user experience:
  - Same sign-on (same UPN and password) or true single sign-on.
  - Seamless access from different devices within the corporate network or in the cloud.
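The joiner/mover/leaver handling and orphaned-account detection listed above come down to reconciling the HR feed against the directory. The sketch below is an added example, not code from any product named on this page; the record layout, the field names, the action names and all sample data are constructed, and it assumes every directory account carries the HR employee ID.

```python
from datetime import date
SYNCED_ATTRS = ("display_name", "department")  # attributes HR is authoritative for

def reconcile(hr_records, accounts, today):
    """Return (action, employee_id, detail) tuples for a provisioning job to apply."""
    hr = {r["employee_id"]: r for r in hr_records}
    actions = []
    for emp_id, rec in sorted(hr.items()):
        acct = accounts.get(emp_id)
        end = rec.get("end_date")
        active = rec["start_date"] <= today and (end is None or today <= end)
        if acct is None:
            if active:  # joiner: employed according to HR, no account yet
                actions.append(("create", emp_id, {a: rec[a] for a in SYNCED_ATTRS}))
            continue
        if not active:
            if acct["enabled"]:  # leaver: account outlived the employment
                actions.append(("disable", emp_id, {}))
            continue
        if not acct["enabled"]:  # returning employee
            actions.append(("enable", emp_id, {}))
        drift = {a: rec[a] for a in SYNCED_ATTRS if acct.get(a) != rec[a]}
        if drift:  # mover: directory no longer matches HR
            actions.append(("update", emp_id, drift))
    # Enabled accounts with no HR record are orphan candidates. They are flagged
    # for review, not disabled, because service accounts also have no HR record.
    for emp_id in sorted(set(accounts) - set(hr)):
        if accounts[emp_id]["enabled"]:
            actions.append(("review_orphan", emp_id, {}))
    return actions

# Constructed sample data (not from any real system).
TODAY = date(2024, 6, 1)
HR = [
    {"employee_id": "E100", "display_name": "Alice Ng", "department": "Finance",
     "start_date": date(2020, 1, 6), "end_date": None},
    {"employee_id": "E101", "display_name": "Bob Ruiz", "department": "Sales",
     "start_date": date(2019, 3, 1), "end_date": date(2024, 5, 31)},
    {"employee_id": "E102", "display_name": "Carol Mba", "department": "IT",
     "start_date": date(2024, 5, 20), "end_date": None},
    {"employee_id": "E103", "display_name": "Dan Ito", "department": "IT",
     "start_date": date(2024, 7, 1), "end_date": None},
]
ACCOUNTS = {
    "E100": {"display_name": "Alice Ng", "department": "Sales", "enabled": True},
    "E101": {"display_name": "Bob Ruiz", "department": "Sales", "enabled": True},
    "E999": {"display_name": "Old Contractor", "department": "Sales", "enabled": True},
}
print(*reconcile(HR, ACCOUNTS, TODAY), sep="\n")
```

The future starter E103 produces no action until the start date is reached, which keeps accounts from existing before employment begins.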