HR-driven provisioning is the automated creation of digital identities (eg Active Directory user accounts) based on a human resources system.
HR systems typically hold the most accurate data an organization has about their employees. They are often used as a reliable ‘source of truth’ on which to base automated provisioning of directories and other systems that need identity data. They may be used for authorization and authentication decisions, or for less critical administrative purposes.
The term “HR-driven” is often used as shorthand to refer to any source of truth, like a student enrolment system, or a temporary staff database.
The term “provisioning” is often used as shorthand for the entire joiner/mover/leaver lifecycle of an employee, or other identity. So it covers the ongoing maintenance of the identities, and deprovisioning, too.
HR-driven provisioning (and here’s how Microsoft define it) can be either on-premises based or cloud-based. In the Microsoft world, Azure AD can be configured to connect to some cloud-based HR systems (notably Workday and Success Factors), while Microsoft Identity Manager has been, for almost two decades, the workhorse that connects to just about any HR system and uses it to provision Active Directory (AD). It is probably safe to say that most organizations that use Active Directory are hybrid – that is, they are using both on-premises AD and Azure AD. In such circumstances, AD can be HR-driven, with Azure AD Connect being used to synchronize AD with Azure AD.
The benefits of HR-driven provisioning for hybrid AD can include:
- AD and Azure AD identity information is consistent with your source of truth (eg HR system), for example:
- Authentication and authorization decisions are based on reliable data
- Users provisioned, enabled/disabled, deprovisioned automatically
- Licensing and security decisions based on accurate group memberships
- More administrative control with less effort:
- Reduced duplication of identity data entry
- Effective enforcement of rules and policies in AD and Azure AD
- Automated handling of the joiner/mover/leaver process
- Fewer orphaned accounts and rogue permissions
- Improved Office 365 user experience:
- Same sign-on (same UPN and password) or true single sign-on
- Seamless access from different devices within the corporate network or in the cloud
Learn how to build an HR-driven provisioning solution for your AD and Azure AD with our step-by-step and end-to-end practical video training.
Find out much more about this training in this webinar recording.
Updated June 2022