Sunday, March 2, 2025

Entra ID Lifecycle Management: Step-by-Step Deployment Guide



Overview

Building a complete demo of Entra ID Lifecycle Management is not a single configuration step: it depends on several backend pieces (a storage account, an Azure Function, a Logic App, an API-driven provisioning app, and the Graph permissions that tie them together). Once those are in place, the end-to-end flow is driven from the GUI. Most of the individual steps are documented on Microsoft Learn and GitHub, but each article leaves something out and none covers the whole chain, so I have compiled everything into one document.


What is Entra ID Lifecycle Management 

Entra ID Lifecycle Management is an innovative approach to identity and lifecycle management within organizational environments. This system aims to streamline the processes of user identity creation, maintenance, and deletion while ensuring robust security protocols and compliance with regulatory standards. As organizations grow and evolve, managing user identities and access rights becomes increasingly complex, making effective lifecycle management essential.

Use Cases for Entra ID Lifecycle Management

  • Onboarding New Employees
  • Managing Access for Contractors and Temporary Workers
  • Handling Employee Departures
  • Compliance and Audit Reporting

Configuration Step by Step

Product license check

Ensure that your demo tenant has sufficient, unexpired licenses for the Microsoft Entra ID Governance features used below:
  1. Navigate to Microsoft 365 admin center (https://admin.microsoft.com) as your tenant’s global admin.
  2. Go to Billing > Your products.
  3. Ensure the following products exist and have an active subscription status:
    • Microsoft 365 E5 Trial (this includes Entra ID Premium P1 and P2)
    • Microsoft Entra ID Governance Trial

Acquire an Azure subscription 

If you do not have a subscription, you can activate a Pay-as-you-go subscription or use an Azure subscription based on Visual Studio Enterprise/Professional Credits. 

Configure resources for API-driven inbound user provisioning

1.1 Create an Azure Storage account to host the CSV file

First, create an Azure Storage account and upload the user data to an Azure file share. The scenario is that your HR system automatically exports user data as a CSV file; that file lands in Azure Files and is the starting point of the provisioning flow.
  • Create the storage account: select a resource group and give the account a name.
  • After the storage account is created, go to the resource.
  • Open the "File shares" menu option and create a new file share.
  • Verify that the file share was created successfully.
  • Create a CSV file containing all the user attributes you need. The column names you choose here must match the Parse JSON step of the Logic App later on.
  • Upload the sample CSV file to the file share using the Upload option.
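The steps above are done by hand in the portal. The following script is an added example (not from the original post) that does the same from PowerShell with a pre-flight check of the HR export before it is uploaded: it verifies the expected columns are present, that the WorkerID key is unique, and that the e-mail and hire-date fields parse. The column names, the share name "hr-data", the storage account name and the use of a STORAGE_KEY environment variable are assumptions for the example.

```powershell
# Added example (not part of the original post): pre-flight the HR CSV and upload it to
# the Azure file share from PowerShell. Assumed: the column names below, share name "hr-data",
# the storage account name, and the storage account key in $env:STORAGE_KEY.
# Requires: Install-Module Az.Storage -Scope CurrentUser

$csvPath         = "C:\Path-to-CSV-file\hr-user-data.csv"
$accountName     = "yourstorageaccount"      # assumed storage account name
$shareName       = "hr-data"                 # assumed file share name
$requiredColumns = "WorkerID","FirstName","LastName","Email","Department","JobTitle","HireDate"

$rows = @(Import-Csv -Path $csvPath)
if ($rows.Count -eq 0) { throw "CSV contains no data rows" }

# 1. Header check. The Logic App's Parse JSON schema is generated from these names,
#    so a renamed or missing column fails silently downstream instead of here.
$present = $rows[0].PSObject.Properties.Name
$missing = $requiredColumns | Where-Object { $_ -notin $present }
if ($missing) { throw "Missing column(s): $($missing -join ', ')" }

# 2. WorkerID is the record's unique key (assumed to map to the SCIM externalId);
#    a duplicate would make two rows compete for one user.
$dupes = $rows | Group-Object -Property WorkerID | Where-Object { $_.Count -gt 1 }
if ($dupes) { throw "Duplicate WorkerID(s): $($dupes.Name -join ', ')" }

# 3. Sanity-check the fields that become the UPN/mail and employeeHireDate.
foreach ($r in $rows) {
    if ($r.Email -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        throw "WorkerID $($r.WorkerID): invalid Email '$($r.Email)'"
    }
    $parsed = [datetime]::MinValue
    if (-not [datetime]::TryParse($r.HireDate, [ref]$parsed)) {
        throw "WorkerID $($r.WorkerID): invalid HireDate '$($r.HireDate)'"
    }
}

# 4. Upload. The storage key is the same secret the Logic App template asks for later;
#    anyone holding it can rewrite the file that drives account creation, so keep it
#    out of scripts and source control.
if (-not $env:STORAGE_KEY) { throw "Set STORAGE_KEY to the storage account key first" }
$ctx = New-AzStorageContext -StorageAccountName $accountName -StorageAccountKey $env:STORAGE_KEY
Set-AzStorageFileContent -Context $ctx -ShareName $shareName -Source $csvPath `
    -Path (Split-Path -Path $csvPath -Leaf) -Force
Write-Host "Validated and uploaded $($rows.Count) rows to share '$shareName'"
```

Run it from the machine that receives the HR export. Because the file share is the input to account creation, treat it as part of the identity trust boundary: whoever can write to it can create users.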

1.2. Configure Azure Function CSV2JSON converter

We will use an Azure Function (deployed as an App Service) to convert the uploaded CSV file to JSON. The function needs several settings, which we deploy from an ARM template using the Azure portal's custom template editor.

  • Sign in to the Azure portal and search for "Deploy a custom template".
  • Click "Build your own template in the editor".
  • Select all of the default template content and delete it; we are going to paste the JSON template from GitHub instead.
  • Open the GitHub repository URL - https://github.com/joelbyford/CSVtoJSONcore/blob/main/DeployTemplates/AzureLinuxWebAppArm.json
  • Copy the JSON template, paste it into the Azure template editor and click Save.


  • Select the same resource group you used for the storage account, then click Review + create.
  • Ensure that the deployment of the Azure Function (App Service) completes successfully.
  • Go to the resource group and open the Web App. Ensure it is in the "Running" state and copy its default domain name.
  • Run the following PowerShell script to test the CSVtoJSON endpoint. Set $csvFilePath and $uri to the correct values, replacing the host in $uri with the Web App domain you just copied.
# Step 1: Read the CSV file as a single string (-Raw keeps the line breaks intact)
$csvFilePath = "C:\Path-to-CSV-file\hr-user-data.csv"
$csvContent = Get-Content -Path $csvFilePath -Raw

# Step 2: Set up the request.
# Keep the /csvtojson path at the end of the URL: it is the route the converter listens on.
$uri = "https://az-function-webapp-your-domain/csvtojson"
$headers = @{
    "Content-Type" = "text/csv"
}
$body = $csvContent

# Step 3: Send the POST request
$response = Invoke-WebRequest -Uri $uri -Method POST -Headers $headers -Body $body

# Step 4: Output the JSON response, re-serialized with indentation so it is readable
$response.Content | ConvertFrom-Json | ConvertTo-Json -Depth 10

  • If the deployment is working, the last line of the script prints the JSON version of the CSV file. Save this output in Notepad; it is needed later when the Logic App's Parse JSON step is configured.

  • Go back to the Web App, open CORS, add an asterisk (*) to Allowed Origins and save the configuration. Note that CORS is enforced by browsers, not by server-side callers such as Logic Apps, so this setting does not restrict who can call the function: as deployed, the converter endpoint is reachable by anyone on the internet. That is acceptable for a demo, but lock the function down (function keys or network restrictions) before any production use.

1.3 Configure API-driven inbound user provisioning

Here we create the enterprise application that performs the user provisioning.

Prerequisites

To complete the steps in this tutorial, you need access to Microsoft Entra admin center with the following roles:
  • Application Administrator (if you're configuring inbound user provisioning to Microsoft Entra ID) OR
  • Application Administrator + Hybrid Identity Administrator (if you're configuring inbound user provisioning to on-premises Active Directory)
If you're configuring inbound user provisioning to on-premises Active Directory, you need access to a Windows Server where you can install the provisioning agent for connecting to your Active Directory domain controller.

  • Log in to the Microsoft Entra admin center as at least an Application Administrator.
  • Browse to Identity > Applications > Enterprise applications.
  • Click on New application to create a new provisioning application.
  • Enter API-driven in the search field, then select the application for your setup:


    • API-driven provisioning to on-premises Active Directory: Select this app if you're provisioning hybrid identities (identities that need both on-premises AD and Microsoft Entra account) from your system of record. Once these accounts are provisioned in on-premises AD, they are automatically synchronized to your Microsoft Entra tenant using Microsoft Entra Connect Sync or Microsoft Entra Connect cloud sync.
    • API-driven provisioning to Microsoft Entra ID: Select this app if you're provisioning cloud-only identities (identities that don't require on-premises AD accounts and only need Microsoft Entra account) from your system of record.
  • Select the app and click Create
  • Once the application creation is successful, go to the Provisioning blade and click on Get started.
  • Switch the Provisioning Mode from Manual to Automatic.
Note - if you need to integrate with On-prem AD follow this link 

1.4 Configure your Azure Logic Apps workflow

Now we create the Logic App that runs user provisioning: it reads the CSV file from the file share, converts it to JSON through the Azure Function, and pushes the records to Entra ID through the provisioning API.


  • Deploy the Azure Resource Manager template for the CSV2SCIMBulkUpload Logic Apps workflow.
  • Under Instance details, fill in the highlighted parameters with the values collected in the previous steps. This is the most important stage: a wrong or missing parameter here causes many hard-to-diagnose failures later.
1. Select the same resource group you used previously.
2. Enter the Web App site URL used in the earlier PowerShell test (or open the App Service and copy its site URL).
3. Go to Enterprise applications, open "API-driven provisioning to Microsoft Entra ID", select Provisioning and click "View technical information". Copy and paste the Provisioning API Endpoint.
4. Go to the storage account you created earlier, open Access keys and copy the storage account name.
5. Copy the access key from the same window. Treat this key as a secret: it grants full read/write access to the share that feeds provisioning.

  • Click on "Review and Create" option to start the deployment.

1.5 Configure the system-assigned managed identity

  • Sign in to the Azure portal and search for Logic Apps.
  • Select the Logic App whose name starts with CSV2SCIMBulkUpload.
  • Open Settings -> Identity for the Logic App.
  • Enable the system-assigned managed identity.
  • You will be prompted to confirm the use of the managed identity. Click Yes.

1.6 Grant the managed identity permissions to perform bulk upload

After you've configured the API-driven inbound provisioning app, you need to grant permissions so that the API client (here, the Logic App) can send requests to the provisioning /bulkUpload API and query the provisioning logs API.

Depending on how your API client authenticates with Microsoft Entra ID, you can select between two configuration options:

  • Configure a service principal: Follow these instructions if your API client plans to use a service principal of a Microsoft Entra registered app and authenticate using OAuth client credentials grant flow.
  • Configure a managed identity: Follow these instructions if your API client plans to use a Microsoft Entra managed identity.


If you wish to configure a service principal instead, follow the steps in the linked Microsoft Learn article.

For my demo I'm going to use the managed identity.

Configure a managed identity:

  • Run the following PowerShell script. If your Logic App is not called "CSV2SCIMBulkUpload", replace the display name in the script with the correct name. Note that SynchronizationData-User.Upload lets its holder create and update users in the tenant; grant it only to the identity that actually performs the upload.
Install-Module Microsoft.Graph -Scope CurrentUser

# Each scope is a separate string (the original merged two of them into one).
Connect-MgGraph -Scopes "Application.Read.All","AppRoleAssignment.ReadWrite.All","RoleManagement.ReadWrite.Directory"

# Microsoft Graph service principal (well-known AppId)
$graphApp = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

# Service principal of the Logic App's system-assigned managed identity.
# Change the display name if your Logic App is not called CSV2SCIMBulkUpload.
$managedID = Get-MgServicePrincipal -Filter "DisplayName eq 'CSV2SCIMBulkUpload'"
if (-not $managedID) { throw "Managed identity 'CSV2SCIMBulkUpload' not found; enable it in step 1.5 first." }

# SynchronizationData-User.Upload: call the /bulkUpload endpoint
# AuditLog.Read.All: read the provisioning logs
foreach ($PermissionName in "SynchronizationData-User.Upload","AuditLog.Read.All") {
    $AppRole = $graphApp.AppRoles | Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application" }
    New-MgServicePrincipalAppRoleAssignment -PrincipalId $managedID.Id -ServicePrincipalId $managedID.Id -ResourceId $graphApp.Id -AppRoleId $AppRole.Id
}

  • Sign in to the Azure portal and go to Enterprise applications.
  • Remove the "Application type" filter so that all service principals are shown.
  • Search for the Logic App name.
  • Open the Permissions blade under Security and confirm that both permissions are listed.
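The portal check above confirms the permissions are present but not that they are the only ones. The following added example (not from the original post) performs the same review from PowerShell and flags both missing grants and any extra application permission the managed identity has picked up, which is the least-privilege check a reviewer would want. It assumes the Logic App display name "CSV2SCIMBulkUpload" and only the Application.Read.All scope for the reviewing account.

```powershell
# Added example (not part of the original post): confirm the managed identity holds exactly
# the two Graph application permissions the workflow needs and nothing more.
# Assumed: the Logic App is called CSV2SCIMBulkUpload.
Connect-MgGraph -Scopes "Application.Read.All"

$expected  = "SynchronizationData-User.Upload","AuditLog.Read.All"
$graphApp  = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
$managedID = Get-MgServicePrincipal -Filter "DisplayName eq 'CSV2SCIMBulkUpload'"
if (-not $managedID) { throw "Managed identity 'CSV2SCIMBulkUpload' not found" }

# Each assignment only carries an AppRoleId; resolve it to a permission name
# through the AppRoles of the resource it was granted on.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedID.Id |
    ForEach-Object {
        $assignment = $_
        $resource = if ($assignment.ResourceId -eq $graphApp.Id) { $graphApp }
                    else { Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId }
        [pscustomobject]@{
            AssignmentId = $assignment.Id
            Resource     = $resource.DisplayName
            Permission   = ($resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }).Value
        }
    }

$granted | Format-Table Resource, Permission -AutoSize

$missing = $expected | Where-Object { $_ -notin $granted.Permission }
$extra   = $granted  | Where-Object { $_.Permission -notin $expected }

if ($missing) { Write-Warning "Missing: $($missing -join ', ')" }
foreach ($e in $extra) {
    # An unexpected grant widens what a compromised Logic App could do; remove it with:
    # Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedID.Id -AppRoleAssignmentId $e.AssignmentId
    Write-Warning "Unexpected grant: $($e.Resource)/$($e.Permission) (assignment $($e.AssignmentId))"
}
if (-not $missing -and -not $extra) { Write-Host "Managed identity permissions are exactly as expected." }
```

Keep this script with the deployment and re-run it after any change to the Logic App; a system-assigned identity is deleted with its resource, so a redeployed Logic App silently starts with no grants and the upload step fails with 403 until step 1.6 is repeated.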

1.7 Final review and adjustment of the Logic App workflow steps

  • Sign in to the Azure portal and search for Logic Apps.
  • Open the CSV2SCIMBulkUpload Logic App in the designer view.
  • Open the "Get file content using path" step and point it at the Azure file share in your tenant. Check the connection status as well; if it is not connected, authorize it.
  • Verify that the "Convert CSV to JSON" step points to the right Azure Function Web App instance. This will be wrong if the parameters in step 1.4 were not entered correctly.
  • If your CSV columns differ from the sample, update the "Parse JSON" step with the JSON output you retrieved from the Azure Function with the PowerShell test in step 1.2: paste that output as the sample payload and click Done.
  • Expand the For Each loop, then the Condition, then its True branch.
  • In the step "Send SCIMBulkPayload to API endpoint", ensure you are using the right API endpoint and authentication mechanism (the managed identity from step 1.5).
  • Cross-check the "URL" with the Provisioning API Endpoint you entered in step 1.4.

Run the trigger and test your Logic Apps workflow

  • Sign in to the Azure portal and search for Logic Apps.
  • Open the CSV2SCIMBulkUpload Logic App.
  • Click "Run" to execute the workflow manually.
  • After the run completes, open Run history and select the run.
  • In the final iteration you should see the Logic App upload the data to the API-driven provisioning to Microsoft Entra ID endpoint. Look for a 202 Accepted status code. Note that 202 only means the bulk request was queued; whether each user was actually created is reported in the provisioning logs.
  • To verify, open the "API-driven provisioning to Microsoft Entra ID" enterprise application, go to Provisioning and view the provisioning logs.
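When a run fails it helps to take the Logic App out of the loop and exercise the provisioning API directly. The following added example (not from the original post) posts one SCIM bulk request to the same endpoint the Logic App calls, checks for the 202, and then polls the provisioning logs for the outcome, which is where success or failure is actually recorded. The endpoint placeholders, the sample user record and the assumption that the log entry's sourceIdentity.id carries the externalId are the example's own; your signed-in account needs the delegated scopes shown, whereas the Logic App uses its managed identity.

```powershell
# Added example (not part of the original post): send one SCIM bulk request straight to the
# provisioning endpoint, then confirm the result in the provisioning logs.
# Assumed: the endpoint URL from step 1.4 (placeholders below) and constructed sample user data.
Connect-MgGraph -Scopes "SynchronizationData-User.Upload","AuditLog.Read.All"

# Paste the "Provisioning API Endpoint" value from step 1.4 here.
$bulkUploadUri = "https://graph.microsoft.com/v1.0/servicePrincipals/<sp-object-id>/synchronization/jobs/<job-id>/bulkUpload"
$jobId = (($bulkUploadUri -split '/jobs/')[1]) -replace '/bulkUpload$', ''

$workerId = "701984"   # constructed sample data; plays the role of the CSV's WorkerID column
$payload = @{
    schemas    = @("urn:ietf:params:scim:api:messages:2.0:BulkRequest")
    Operations = @(
        @{
            method = "POST"
            bulkId = $workerId
            path   = "/Users"
            data   = @{
                schemas    = @(
                    "urn:ietf:params:scim:schemas:core:2.0:User",
                    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
                )
                externalId = $workerId
                userName   = "bjensen@contoso.com"
                name       = @{ givenName = "Barbara"; familyName = "Jensen" }
                active     = $true
                emails     = @(@{ primary = $true; type = "work"; value = "bjensen@contoso.com" })
                "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" = @{
                    employeeNumber = $workerId
                    department     = "Sales"
                }
            }
        }
    )
}

# The bulkUpload endpoint expects the SCIM media type, not application/json.
$response = Invoke-MgGraphRequest -Method POST -Uri $bulkUploadUri `
    -ContentType "application/scim+json" -Body ($payload | ConvertTo-Json -Depth 10) `
    -OutputType HttpResponseMessage
if ([int]$response.StatusCode -ne 202) { throw "Upload not accepted: $($response.StatusCode)" }
Write-Host "202 Accepted: request queued. Waiting for the provisioning job to process it..."

# 202 means queued, not provisioned. Poll the provisioning logs for this job and this worker.
$filter = [uri]::EscapeDataString("jobId eq '$jobId'")
$entry = $null
for ($i = 0; $i -lt 12 -and -not $entry; $i++) {
    Start-Sleep -Seconds 10
    $logs = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
        -Uri "https://graph.microsoft.com/v1.0/auditLogs/provisioning?`$filter=$filter&`$top=50"
    # Assumed: for API-driven provisioning the source identity id is the SCIM externalId.
    $entry = $logs.value | Where-Object { $_.sourceIdentity.id -eq $workerId } | Select-Object -First 1
}
if (-not $entry) { throw "No provisioning log entry for WorkerID $workerId yet; check the Provisioning logs blade" }

"{0} -> {1}: {2} ({3})" -f $entry.provisioningAction, $entry.targetIdentity.displayName,
    $entry.statusInfo.status, $entry.activityDateTime
if ($entry.statusInfo.status -ne "success") {
    # Each provisioning step (import, match, evaluate rules, export) reports its own status.
    $entry.provisioningSteps | Format-List name, status, description
}
```

If the POST itself returns 403, the signed-in user lacks the SynchronizationData-User.Upload scope; if it returns 202 but the log shows a failure, the problem is in attribute mapping or the target directory, not in transport, and the per-step output points at which one.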

All the configuration is now completed. You can go to Entra ID and Lifecycle Workflows to create your onboarding and offboarding workflows.

2. Create Lifecycle workflows from Entra ID 

  • Navigate to Microsoft Entra admin center (https://entra.microsoft.com) as your tenant’s global admin.
  • Go to Identity governance > Lifecycle workflows.
  • Select + Create workflow.
  • Complete the workflow setup for onboarding new sales employees on the day of their hire, as follows:
    • Choose a template: select Onboard new hire employee.
    • Basics > Workflow details > Name: rename to Onboard new sales employee.
    • Trigger details: leave the defaults as-is (time-based attribute, 0 days from the employeeHireDate attribute).
    • Configure scope: change the rule to department equal to Sales. The scope rule determines which users the workflow executes for, so adjust it to your requirement and keep it as narrow as the use case allows.
    • Workflow tasks > Add users to groups > Select group, then select the required groups.
    • Schedule workflow > select Enable schedule.
  • Create additional workflows in the same way for the other lifecycle events (for example, offboarding).
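The same workflow can be created through Microsoft Graph, which makes the scope rule and task list reviewable and repeatable instead of living only in portal clicks. The following added example (not from the original post) builds the "Onboard new sales employee" workflow with the trigger, scope and task chosen above, then runs it on demand for one test user before the schedule takes over. The group object ID, the test user object ID and the task-definition lookup by display name are the example's assumptions.

```powershell
# Added example (not part of the original post): create the "Onboard new sales employee"
# workflow through Microsoft Graph and run it on demand for one user.
# Assumed: the group object ID and test user object ID below.
Connect-MgGraph -Scopes "LifecycleWorkflows.ReadWrite.All"
$base = "https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows"

$groupId    = "<group-object-id>"       # assumed: the Sales group new hires are added to
$testUserId = "<test-user-object-id>"   # assumed: a user in scope to try the workflow on

# Resolve the built-in "Add user to groups" task by display name rather than hard-coding its ID.
$defs = (Invoke-MgGraphRequest -Method GET -Uri "$base/taskDefinitions" -OutputType PSObject).value
$addToGroups = $defs | Where-Object { $_.displayName -like "Add user to group*" } | Select-Object -First 1
if (-not $addToGroups) { throw "Task definition 'Add user to groups' not found" }

$workflow = @{
    category            = "joiner"
    displayName         = "Onboard new sales employee"
    description         = "Adds new Sales hires to their groups on the hire date"
    isEnabled           = $true
    isSchedulingEnabled = $true          # same as "Enable schedule" in the portal
    executionConditions = @{
        "@odata.type" = "#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions"
        # The scope rule is the blast radius of the workflow: keep it as narrow as the use case allows.
        scope = @{
            "@odata.type" = "#microsoft.graph.identityGovernance.ruleBasedSubjectSet"
            rule          = "(department eq 'Sales')"
        }
        # 0 days from employeeHireDate = run on the day of hire, as in the portal defaults.
        trigger = @{
            "@odata.type"      = "#microsoft.graph.identityGovernance.timeBasedAttributeTrigger"
            timeBasedAttribute = "employeeHireDate"
            offsetInDays       = 0
        }
    }
    tasks = @(
        @{
            taskDefinitionId = $addToGroups.id
            displayName      = "Add user to groups"
            description      = "Add the new hire to the Sales groups"
            isEnabled        = $true
            continueOnError  = $false
            arguments        = @(@{ name = "groupID"; value = $groupId })
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST -Uri "$base/workflows" -OutputType PSObject `
    -ContentType "application/json" -Body ($workflow | ConvertTo-Json -Depth 10)
Write-Host "Created workflow $($created.id) ($($created.displayName))"

# Run it on demand for a single test user before relying on the schedule.
Invoke-MgGraphRequest -Method POST -Uri "$base/workflows/$($created.id)/activate" `
    -ContentType "application/json" -Body (@{ subjects = @(@{ id = $testUserId }) } | ConvertTo-Json -Depth 5)
Write-Host "On-demand run requested for $testUserId; check Workflow history in the portal"
```

Because the scope rule is evaluated against directory attributes that the provisioning pipeline above populates from the HR file, a mistake in the CSV (a wrong department, a hire date in the past) propagates straight into group membership; the on-demand run against one known user is the cheapest way to catch that before the schedule runs against everyone who matches.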
