This chapter covers identity lifecycle management for joiners, movers, and leavers in Microsoft 365, a critical topic for the MS-102 exam. Understanding how user identities are provisioned, updated, and deprovisioned is essential for maintaining security and compliance. Approximately 10-15% of exam questions touch on identity lifecycle, focusing on automated provisioning, group-based licensing, and lifecycle workflows. You will learn the mechanisms behind automatic user provisioning, the role of Microsoft Entra Connect (formerly Azure AD Connect), and how to configure lifecycle workflows using Microsoft Entra ID Governance.
Think of an organization's employee lifecycle as managed by an HR department. When a new employee (Joiner) is hired, HR creates a personnel file, assigns an employee ID, grants building access, sets up payroll, and provisions a laptop and email account. The employee is added to the organizational chart and distribution lists. When an employee changes roles (Mover), HR updates their title, department, manager, and access permissions: revoking old building access and granting new access, updating payroll codes, and reassigning equipment. When an employee leaves (Leaver), HR terminates the personnel record, revokes all access, recovers equipment, and archives their data. In Microsoft 365, the identity lifecycle mirrors this: Microsoft Entra Connect or cloud HR systems (like Workday) drive automatic provisioning and deprovisioning of user accounts, group memberships, and licenses. Just as HR cannot allow a terminated employee to keep their badge, Microsoft 365 must disable accounts and remove licenses promptly to maintain security and compliance. The Microsoft Entra provisioning service acts as the automated HR system, synchronizing changes from authoritative sources such as on-premises Active Directory or cloud HR platforms.
What is Identity Lifecycle Management?
Identity lifecycle management (ILM) is the process of creating, updating, and deleting digital identities in alignment with an employee's real-world status: hired (joiner), changed role (mover), or terminated (leaver). In Microsoft 365, ILM is primarily handled by Microsoft Entra ID (formerly Azure Active Directory) and its provisioning services. The goal is to automate identity changes to reduce manual effort, prevent security gaps (e.g., orphaned accounts), and ensure compliance with regulatory requirements.
Joiner: Provisioning New Users
When a new employee joins, an identity must be created in Microsoft 365. The source of authority can be:
On-premises Active Directory Domain Services (AD DS) synchronized via Microsoft Entra Connect (or Cloud Sync).
Cloud HR systems like Workday or SAP SuccessFactors that directly provision users into Entra ID.
Manual creation in the Microsoft 365 admin center or via PowerShell.
The provisioning process involves:
1. User creation: A user object is created in Entra ID with attributes like displayName, userPrincipalName (UPN), mail, department, etc.
2. License assignment: Licenses (e.g., Microsoft 365 E5) are assigned, often automatically via group-based licensing.
3. Group membership: The user is added to security groups, distribution groups, or Microsoft 365 groups based on role or department.
4. Access provisioning: Applications and resources (e.g., SharePoint sites, Teams) grant access based on group membership.
Automated provisioning from HR systems uses the Microsoft Entra provisioning service. For Workday, you configure a provisioning app that maps HR attributes to Entra ID attributes. The service runs an incremental cycle roughly every 40 minutes and creates or updates users from HR data; on-demand provisioning pushes a single worker immediately when you need to test a mapping or hurry a joiner. Termination in the HR system is normally mapped to accountEnabled = false, and a worker who drops out of the provisioning scope is soft-deleted; soft-deleted objects sit in the recycle bin for 30 days before hard-delete unless restored.
Mover: Updating User Attributes and Access
When an employee changes roles, their identity must reflect new responsibilities. Changes include:
Attribute updates: Department, title, manager, location, etc.
Group membership changes: Removal from old groups, addition to new groups.
License changes: Removal of old licenses, assignment of new ones.
Access revocation: Removal from applications no longer needed.
These changes can be triggered by:
Updates in the authoritative source (HR system or on-prem AD) that sync to Entra ID.
Dynamic group membership rules based on attributes (e.g., department equals 'Sales').
Lifecycle workflows that run automatically on attribute changes (e.g., when department changes, add to a Teams team).
Group-based licensing is key: when a user's attribute changes, dynamic group membership recalculates, and license assignment adjusts accordingly. For example, if a user moves from Sales to Engineering, their department attribute changes, they leave the 'Sales-License' group and join 'Engineering-License' group, which assigns an Engineering-specific license.
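The mover mechanism above can be set up end to end with Microsoft Graph PowerShell. The following is an added example written for this page, not code from Microsoft or from the original text. It assumes the Microsoft.Graph modules are installed, that the operator holds the Group.ReadWrite.All, User.ReadWrite.All and Organization.Read.All scopes, and that the tenant owns the SPE_E3 and SPE_E5 SKUs; the group names and the user alex@contoso.example are made up. It goes one step beyond the paragraph by reading back licenseAssignmentStates, which is where a failed group assignment (a conflicting plan or no licenses left) actually surfaces.

```powershell
# Added example (not from the original page). Assumes Microsoft.Graph modules, the scopes below,
# SPE_E3/SPE_E5 SKUs in the tenant, and a hypothetical user alex@contoso.example.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.ReadWrite.All", "Organization.Read.All"

function Get-SkuIdByPartNumber {
    param([Parameter(Mandatory)][string]$PartNumber)   # e.g. SPE_E3, SPE_E5
    $sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq $PartNumber
    if (-not $sku) { throw "SKU '$PartNumber' is not present in this tenant" }
    return $sku.SkuId
}

# Dynamic security group whose members are exactly the users of one department, with a
# license attached to the group. Membership and licensing are both evaluated by the
# service, so nobody adds or removes users by hand when the department attribute changes.
function New-DepartmentLicenseGroup {
    param(
        [Parameter(Mandatory)][string]$Department,
        [Parameter(Mandatory)][string]$SkuPartNumber
    )
    $group = New-MgGroup -DisplayName "$Department-License" `
        -MailEnabled:$false -SecurityEnabled:$true `
        -MailNickname ("{0}-license" -f $Department.ToLower()) `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule ('(user.department -eq "{0}")' -f $Department) `
        -MembershipRuleProcessingState "On"

    Set-MgGroupLicense -GroupId $group.Id `
        -AddLicenses @(@{ SkuId = (Get-SkuIdByPartNumber $SkuPartNumber) }) `
        -RemoveLicenses @()
    return $group
}

# Report how a user's licenses are assigned. AssignedByGroup is $null for a direct
# assignment; a non-empty Error (MutuallyExclusiveViolation, CountViolation, ...) means
# the service could not apply the group license and the user has no working entitlement.
function Get-LicenseAssignmentReport {
    param([Parameter(Mandatory)][string]$UserId)
    $u = Get-MgUser -UserId $UserId -Property Id, UserPrincipalName, Department, LicenseAssignmentStates
    foreach ($s in $u.LicenseAssignmentStates) {
        [pscustomobject]@{
            User            = $u.UserPrincipalName
            Department      = $u.Department
            SkuId           = $s.SkuId
            AssignedByGroup = $s.AssignedByGroup   # group object ID, or $null if direct
            State           = $s.State             # Active, ActiveWithError, Disabled, Error
            Error           = $s.Error
        }
    }
}

# --- Worked mover scenario ---
$sales = New-DepartmentLicenseGroup -Department "Sales"       -SkuPartNumber "SPE_E3"
$eng   = New-DepartmentLicenseGroup -Department "Engineering" -SkuPartNumber "SPE_E5"

# The move itself is a single attribute change. Dynamic membership and group-based
# licensing are asynchronous, so the report lags the update by minutes.
Update-MgUser -UserId "alex@contoso.example" -Department "Engineering"
Start-Sleep -Seconds 300
Get-LicenseAssignmentReport -UserId "alex@contoso.example" | Format-Table -AutoSize
```

Run the report again until the E3 row disappears and the E5 row shows State Active; an ActiveWithError row with a CountViolation means the Engineering group has more members than the tenant has E5 seats, and the user will keep working on nothing until a seat frees up.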
Leaver: Deprovisioning Users
When an employee leaves, their identity must be disabled or deleted to prevent unauthorized access. The process typically includes:
1. Block sign-in: The user's account is disabled (blocked from sign-in) immediately, and existing sign-in sessions are revoked so tokens already issued stop working.
2. License removal: Licenses are reclaimed to reduce costs (preserve the mailbox, step 5, before the Exchange license goes, or the mailbox is deleted after the retention period).
3. Group membership removal: The user is removed from all groups.
4. Access revocation: Access to apps, SharePoint sites, and other resources is removed.
5. Data retention: The mailbox may be placed on hold (litigation hold) or converted to a shared mailbox, and the OneDrive retained per policy.
6. Deletion: After a grace period (30 days of soft-delete), the user object is permanently deleted.
Automated deprovisioning can be triggered by:
HR system marking employee as terminated (synchronized via provisioning service).
On-prem AD account being disabled or deleted (synced via Entra Connect).
Lifecycle workflows that run on a schedule to check for inactive users.
Microsoft Entra Connect synchronizes the on-premises userAccountControl attribute and derives the cloud accountEnabled value from it, so when an on-premises user is disabled, the account is disabled in Entra ID on the next sync cycle (every 30 minutes by default, or sooner if an admin forces a delta cycle). Disabling only stops new token issuance; tokens already issued stay valid until they expire unless the user's sign-in sessions are revoked. License removal and group membership changes are not part of the sync and must be handled separately via group-based licensing, lifecycle workflows, or PowerShell scripts.
Key Components and Defaults
Soft-delete: When a user is deleted from the source, Entra ID soft-deletes the user, moving it to the Recycle Bin for 30 days. During this time, the user can be restored. Hard-delete occurs after 30 days.
Provisioning interval: The Entra provisioning service runs an incremental cycle roughly every 40 minutes for cloud HR and SaaS provisioning apps. The interval is not adjustable; on-demand provisioning pushes a single user immediately, which is the way to test a mapping or hurry a joiner.
Group-based licensing: License assignment is asynchronous; it typically completes within minutes of a user joining or leaving the group but can take up to 30 minutes, and longer for very large groups. Licenses inherited from a group cannot be removed from the user directly; they go away when the membership does.
Lifecycle Workflows: A feature of Microsoft Entra ID Governance that lets you build automated joiner, mover, and leaver workflows from triggers based on attributes such as employeeHireDate or employeeLeaveDateTime, built-in tasks (send welcome mail, add to groups, disable account, remove licenses), and custom task extensions that call Azure Logic Apps.
Access Reviews: Periodic reviews of group memberships and access to ensure only active users retain access.
Configuration and Verification Commands
PowerShell (Microsoft Graph) examples:
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "Directory.ReadWrite.All", "Organization.Read.All"
# Get a user
Get-MgUser -UserId "user@domain.com"
# Update user attributes (the Graph property for a job title is jobTitle)
Update-MgUser -UserId "user@domain.com" -Department "Engineering" -JobTitle "Senior Engineer"
# Assign a license directly (group-based licensing is preferred). Look the SkuId up by part
# number rather than hard-coding a GUID: SPE_E5 is Microsoft 365 E5, ENTERPRISEPREMIUM is Office 365 E5.
$sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq "SPE_E5"
Set-MgUserLicense -UserId "user@domain.com" -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()
# Block sign-in (does not remove licenses and does not invalidate tokens already issued)
Update-MgUser -UserId "user@domain.com" -AccountEnabled:$false
# Remove user (soft-delete; recoverable for 30 days)
Remove-MgUser -UserId "user@domain.com"
# Restore a soft-deleted user. Deleted users live under directory/deletedItems, and the deleted
# object's UPN is prefixed with its object ID, so match on the suffix.
$deleted = Get-MgDirectoryDeletedItemAsUser -All | Where-Object UserPrincipalName -like "*user@domain.com"
Restore-MgDirectoryDeletedItem -DirectoryObjectId $deleted.Id
Entra Admin Center:
Users > All users > Select user > Properties to update attributes.
Groups > All groups > Dynamic group rules to configure membership.
Identity Governance > Lifecycle Workflows to create workflows.
Interaction with Related Technologies
Microsoft Entra Connect: Synchronizes identities from on-prem AD to Entra ID. For joiner/mover/leaver, it syncs attribute changes and account status (enabled/disabled). It does not handle license assignment or group membership changes beyond what is defined in on-prem AD.
Microsoft Entra Cloud Sync: A lighter-weight, agent-based alternative to Entra Connect that still synchronizes from on-premises AD DS, with the sync logic hosted in the cloud. It suits disconnected or acquired forests and simpler topologies, carries the same attribute and account-status changes, and lacks some Entra Connect features (for example device writeback).
Microsoft Entra ID Governance: Provides lifecycle workflows, access reviews, entitlement management, and privileged identity management to automate and govern the identity lifecycle.
Microsoft Graph API: Programmatic access to manage users, groups, and licenses.
Best Practices
Use automated provisioning from an HR system as the authoritative source to reduce manual errors.
Implement group-based licensing to automate license assignment based on role/department.
Use lifecycle workflows to automate common tasks like sending welcome emails, creating Teams, or blocking sign-in on termination.
Perform access reviews regularly to ensure access is appropriate.
Configure a leaver policy that includes blocking sign-in, removing licenses, and converting mailbox to shared or placing litigation hold.
Exam Tips
Know that soft-delete lasts 30 days; hard-delete is permanent.
Understand that group-based licensing is the recommended method for license assignment.
Be aware that lifecycle workflows are part of Microsoft Entra ID Governance and require a Microsoft Entra ID Governance license (an add-on, also included in the Microsoft Entra Suite); Entra ID P2 on its own does not include them.
Remember that provisioning from HR systems (Workday/SuccessFactors) uses the Entra provisioning service, whose incremental cycle runs about every 40 minutes and cannot be shortened; on-demand provisioning is the option for pushing a single user immediately.
The exam may ask about the order of operations: block sign-in first, then remove licenses, then remove group memberships. In practice, preserve the mailbox (shared mailbox or litigation hold) before the Exchange license is removed.
Create identity in authoritative source
The identity lifecycle begins when a new employee record is created in the authoritative source: an on-premises Active Directory, a cloud HR system like Workday, or manually in Microsoft 365. In on-prem AD, a user object is created with attributes such as name, UPN, department, and manager. In Workday, the HR system assigns a worker ID and the change is picked up by the provisioning app. The authoritative source must be the single source of truth to avoid conflicts. For cloud HR provisioning, the Workday connector in Entra ID polls for changes about every 40 minutes. The provisioning service maps HR attributes to Entra ID attributes using the attribute mappings defined in the provisioning app.
Synchronize or provision to Entra ID
If the source is on-prem AD, Microsoft Entra Connect (or Cloud Sync) synchronizes the new user to Entra ID. The Entra Connect scheduler runs a delta sync every 30 minutes by default, so the user normally appears in Entra ID within half an hour; an admin can force a delta cycle to avoid the wait, and Cloud Sync runs on a shorter cycle. The cloud account mirrors the state of the source: it is enabled if the AD account is enabled, and authentication is handled by password hash sync, pass-through authentication, or federation rather than a cloud password. For cloud HR, the provisioning service creates the user in Entra ID directly and sets accountEnabled from the HR status mapping. Group membership at this point comes from dynamic membership rules or from groups synchronized from AD; inbound HR provisioning maps attributes and does not place users in groups itself. In Entra ID, the user is assigned a unique object ID and UPN.
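The check a practitioner runs when a joiner has not shown up is to look at the scheduler and force a delta cycle rather than guess. The following is an added example written for this page, not Microsoft's code; it runs on the Entra Connect server, assumes the ADSync module that ships with Entra Connect plus Microsoft.Graph with the User.Read.All scope, and the UPN new.hire@contoso.example is made up.

```powershell
# Added example (not from the original page). Run on the Microsoft Entra Connect server.
# Assumes the ADSync module (installed with Entra Connect), Microsoft.Graph, User.Read.All,
# and a hypothetical user new.hire@contoso.example.
Import-Module ADSync
Connect-MgGraph -Scopes "User.Read.All"

# Show the real scheduler cadence. The effective interval is 00:30:00 by default; a disabled
# scheduler or a server left in staging mode is a common reason a joiner never appears.
function Get-SyncSchedulerSummary {
    $s = Get-ADSyncScheduler
    [pscustomobject]@{
        Enabled        = $s.SyncCycleEnabled
        Interval       = $s.CurrentlyEffectiveSyncCycleInterval
        NextPolicyType = $s.NextSyncCyclePolicyType
        NextStartUtc   = $s.NextSyncCycleStartTimeInUTC
        StagingMode    = $s.StagingModeEnabled   # a staging server imports but never exports
        InProgress     = $s.SyncCycleInProgress
    }
}

# Force a delta cycle and wait for a specific user to be exported instead of waiting for
# the next scheduled run. Synced = $true once OnPremisesLastSyncDateTime passes our start time.
function Invoke-DeltaSyncAndWait {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [int]$TimeoutSeconds = 600
    )
    $started = (Get-Date).ToUniversalTime()
    if ((Get-ADSyncScheduler).SyncCycleInProgress) { throw "A sync cycle is already running; retry later" }
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

    $deadline = $started.AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 30
        $u = Get-MgUser -Filter "userPrincipalName eq '$UserPrincipalName'" `
                        -Property Id, UserPrincipalName, AccountEnabled, OnPremisesLastSyncDateTime, OnPremisesSyncEnabled `
                        -ErrorAction SilentlyContinue
        if ($u -and $u.OnPremisesLastSyncDateTime -and
            $u.OnPremisesLastSyncDateTime.ToUniversalTime() -ge $started) {
            return [pscustomobject]@{ Synced = $true;  AccountEnabled = $u.AccountEnabled; LastSync = $u.OnPremisesLastSyncDateTime }
        }
    } while ((Get-Date).ToUniversalTime() -lt $deadline)
    return [pscustomobject]@{ Synced = $false; AccountEnabled = $null; LastSync = $null }
}

Get-SyncSchedulerSummary
Invoke-DeltaSyncAndWait -UserPrincipalName "new.hire@contoso.example"
```

If Synced comes back $false after the timeout, the object is usually being filtered (OU or attribute filtering) or has a sync error; check the Synchronization Service Manager or the Entra Connect Health sync error report before touching the scheduler again. AccountEnabled in the result is worth a glance for leavers too: it is what the on-premises userAccountControl produced on export.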
Assign licenses via group-based licensing
Once the user exists in Entra ID, licenses must be assigned. The recommended method is group-based licensing: the user is added to a security group whose members receive a specific license SKU (e.g., Microsoft 365 E5). The group membership can be dynamic based on attributes (e.g., department equals 'Sales') or static (assigned by admin). When the user is added to the group, the license assignment is queued. The licensing service processes the assignment asynchronously; it may take up to 30 minutes but typically completes within minutes. Direct license assignment via PowerShell or admin center is also possible but less scalable. Group-based licensing ensures that when a user changes roles (mover), license changes automatically by updating group membership.
Provision access to applications and resources
After licensing, the user needs access to applications (SaaS apps, on-prem apps via Application Proxy) and resources (SharePoint sites, Teams, OneDrive). Access is typically granted via group membership: the user is added to security groups that are assigned to apps. For example, a dynamic group for 'Sales' users grants access to the CRM application. For SharePoint, the user may be added to site collections via group membership. For Teams, the user is added to teams via group membership. Provisioning can be automated using entitlement management (part of Entra ID Governance) where access packages define the resources a user gets upon joining. The provisioning to apps may be done via System for Cross-domain Identity Management (SCIM) if the app supports it.
Handle mover: update attributes and access
When an employee changes roles, the authoritative source updates attributes (e.g., department, title, manager). The change syncs to Entra ID via the provisioning service or Entra Connect. Dynamic group membership recalculates: the user may leave old groups and join new ones. This triggers license changes (removal of old license, assignment of new one) and access changes (revocation from old apps, grant to new apps). Lifecycle workflows can be configured to run on attribute changes, e.g., when department changes, remove user from old Teams and add to new Teams. The mover process should be automated to avoid manual errors and ensure access is updated promptly.
Handle leaver: block sign-in and remove licenses
When an employee leaves, the authoritative source marks the user as terminated (in the HR system) or the on-prem AD account is disabled. The provisioning service or Entra Connect syncs this change and sets the user's accountEnabled property to false in Entra ID, which blocks new sign-ins. For a synced user, disabling only in the cloud is not enough, because the on-premises value wins on the next sync cycle. Revoke the user's sign-in sessions as well, since tokens already issued stay valid until they expire. Next, preserve the mailbox (convert it to a shared mailbox or place it on litigation hold) before the Exchange license is released; an unlicensed mailbox with no hold is deleted after the retention period. Then remove licenses, which happens automatically under group-based licensing when the user drops out of the license group, and remove remaining group memberships. If the user is instead deleted from the source, they are soft-deleted in Entra ID and can be restored for 30 days.
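The leaver sequence above as a single routine, in the order the page recommends. This is an added example written for this page, not code from Microsoft or the original text. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, an operator holding User.ReadWrite.All, Group.ReadWrite.All and Directory.ReadWrite.All plus Exchange admin rights, and a made-up user leaver@contoso.example; the choice between shared mailbox and litigation hold is a parameter because that is a retention-policy decision, not a technical one.

```powershell
# Added example (not from the original page). Assumes Microsoft.Graph, ExchangeOnlineManagement,
# the scopes below plus Exchange admin rights, and a hypothetical user leaver@contoso.example.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "Directory.ReadWrite.All"
Connect-ExchangeOnline -ShowBanner:$false

function Invoke-Offboarding {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [switch]$LitigationHold   # otherwise the mailbox is converted to a shared mailbox
    )
    $user = Get-MgUser -UserId $UserPrincipalName `
        -Property Id, UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled, LicenseAssignmentStates
    $log = [System.Collections.Generic.List[string]]::new()

    # 1. Block sign-in. accountEnabled of a synced user is mastered in on-premises AD, so the
    #    AD account must be disabled there too (Disable-ADAccount) or the next cycle reverts this.
    if ($user.OnPremisesSyncEnabled) {
        $log.Add("WARN synced account: disable it in on-premises AD as well, Entra ID is not authoritative")
    }
    try {
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
        $log.Add("sign-in blocked")
    } catch { $log.Add("FAILED blocking sign-in in Entra ID: $($_.Exception.Message)") }
    # Disabling stops new sign-ins only; refresh tokens already issued must be revoked too.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    $log.Add("sign-in sessions revoked")

    # 2. Preserve mail BEFORE the Exchange license goes away. A shared mailbox under 50 GB
    #    needs no license; a mailbox on litigation hold keeps needing one.
    if ($LitigationHold) {
        Set-Mailbox -Identity $user.UserPrincipalName -LitigationHoldEnabled $true
        $log.Add("litigation hold enabled")
    } else {
        Set-Mailbox -Identity $user.UserPrincipalName -Type Shared
        $log.Add("mailbox converted to shared")
    }

    # 3. Release direct licenses. Group-inherited ones (AssignedByGroup set) cannot be removed
    #    here; they disappear when the membership is removed in step 4.
    $direct = @($user.LicenseAssignmentStates | Where-Object { -not $_.AssignedByGroup } | ForEach-Object SkuId)
    if ($direct.Count -gt 0) {
        Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $direct | Out-Null
        $log.Add("removed $($direct.Count) direct license(s)")
    }

    # 4. Remove assigned group memberships. Dynamic and on-prem mastered groups reject manual
    #    removal; they drop the user once the attribute or account changes in the source.
    $groups = Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
    foreach ($g in $groups) {
        $name      = $g.AdditionalProperties['displayName']
        $isDynamic = $g.AdditionalProperties['groupTypes'] -contains 'DynamicMembership'
        $synced    = $g.AdditionalProperties['onPremisesSyncEnabled'] -eq $true
        if ($isDynamic -or $synced) { $log.Add("skipped $name (dynamic or on-prem mastered)"); continue }
        try {
            Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id
            $log.Add("removed from $name")
        } catch { $log.Add("FAILED removing from ${name}: $($_.Exception.Message)") }
    }
    return $log
}

Invoke-Offboarding -UserPrincipalName "leaver@contoso.example" | ForEach-Object { Write-Host $_ }
```

The returned log is the audit record you attach to the ticket. Two things the routine deliberately does not do: it never deletes the user (soft-delete is a separate, later decision after the retention period is settled), and it does not touch groups synced from AD or dynamic groups, because those memberships must be changed at the source or they come back.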
Retain or delete user data
After blocking sign-in and removing licenses, the user's data (mailbox, OneDrive, SharePoint) must be handled. For compliance, you may place a litigation hold on the mailbox (which preserves data until the hold is removed) or convert the mailbox to a shared mailbox (accessible by others). A deleted user's OneDrive is retained for 30 days by default; the SharePoint admin setting allows up to 3650 days. Separately, the soft-deleted user object is hard-deleted from Entra ID 30 days after soft-deletion unless restored. Deleting the user in on-prem AD triggers the same soft-delete after sync; the 30-day clock starts when the deletion reaches Entra ID. It is important to have a data retention policy that aligns with legal requirements. Access reviews should be conducted to ensure no lingering access.
In a large enterprise with 50,000 employees, identity lifecycle management is critical. A common scenario is using Workday as the HR system to automatically provision users into Microsoft 365. The company configures the Workday provisioning app in Microsoft Entra ID to map attributes like employee ID, department, and cost center. When a new employee is hired in Workday, within about 40 minutes (or immediately if an admin triggers on-demand provisioning), a user account is created in Entra ID, picked up by dynamic groups based on department (e.g., 'All Sales' group), and receives the appropriate license (e.g., Microsoft 365 E5 for sales, E3 for others). The user is also added to relevant Teams and SharePoint sites via group membership. This automation reduces IT workload and ensures new hires have access on day one.
Another scenario: a company with on-premises Active Directory uses Microsoft Entra Connect to sync identities. When an employee moves from Marketing to IT, the IT admin updates the department attribute in on-prem AD. The change syncs to Entra ID on the next delta cycle (30 minutes by default, or sooner if forced). Dynamic group membership recalculates: the user leaves the 'Marketing-License' group and joins the 'IT-License' group, automatically changing their license from E3 to E5 (if IT requires E5). Also, the user is removed from the Marketing Teams and added to the IT Teams via a lifecycle workflow that triggers on department change. This transition revokes access to old resources and grants new access without manual intervention.
A common misconfiguration is not setting up proper deprovisioning. For example, when a user leaves, if the on-prem AD account is not disabled or deleted, the user remains enabled in Entra ID, posing a security risk. To mitigate, companies often use a script or lifecycle workflow that finds users who have been inactive for 90 days and disables them. Additionally, without proper license removal, costs can escalate: a company with 1,000 leavers per year whose licenses were left assigned for a full year would be spending $240,000 annually on unused seats (assuming $20/user/month for E3). Performance considerations: the provisioning service can handle thousands of changes per day, but the 40-minute cycle may feel slow for some organizations; it cannot be shortened, so they rely on on-demand provisioning for individual workers or drive day-one tasks from lifecycle workflows instead. Misconfiguration of mapping rules can cause attribute mismatches, leading to provisioning failures. Regular monitoring via provisioning logs in Entra ID is essential to catch errors early.
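The inactive-account sweep mentioned above, as an added example written for this page rather than Microsoft's code. It assumes Microsoft.Graph with the User.ReadWrite.All and AuditLog.Read.All scopes; signInActivity is only returned in tenants with a Microsoft Entra ID P1 or P2 license. The 90-day threshold is a policy assumption, and the routine reports by default, disabling only when asked and only for cloud-mastered accounts, since a synced account would be re-enabled by the next sync cycle.

```powershell
# Added example (not from the original page). Assumes Microsoft.Graph, the scopes below, and an
# Entra ID P1/P2 tenant (signInActivity is not returned otherwise). 90 days is an assumption.
Connect-MgGraph -Scopes "User.ReadWrite.All", "AuditLog.Read.All"

function Get-StaleLicensedUsers {
    param([int]$InactiveDays = 90, [switch]$Disable)
    $now    = (Get-Date).ToUniversalTime()
    $cutoff = $now.AddDays(-$InactiveDays)
    $users  = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, CreatedDateTime, `
                                         AssignedLicenses, SignInActivity, OnPremisesSyncEnabled

    foreach ($u in $users) {
        # Only enabled accounts that still hold a license are the orphaned-leaver pattern.
        if (-not $u.AccountEnabled) { continue }
        if (-not $u.AssignedLicenses -or $u.AssignedLicenses.Count -eq 0) { continue }

        # Take the most recent of interactive sign-in, non-interactive sign-in, and creation
        # date: a brand-new joiner who has not signed in yet must not be flagged, while an
        # old account that was never used should be.
        $candidates = @(
            $u.SignInActivity.LastSignInDateTime,
            $u.SignInActivity.LastNonInteractiveSignInDateTime,
            $u.CreatedDateTime
        ) | Where-Object { $_ }
        $lastSeen = ($candidates | Sort-Object -Descending | Select-Object -First 1).ToUniversalTime()
        if ($lastSeen -ge $cutoff) { continue }

        $action = "report only"
        if ($Disable) {
            if ($u.OnPremisesSyncEnabled) {
                $action = "skipped: synced, disable in on-premises AD"
            } else {
                Update-MgUser -UserId $u.Id -AccountEnabled:$false
                $action = "disabled"
            }
        }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            LastSeenUtc       = $lastSeen
            DaysInactive      = [int]($now - $lastSeen).TotalDays
            Licenses          = $u.AssignedLicenses.Count
            Synced            = [bool]$u.OnPremisesSyncEnabled
            Action            = $action
        }
    }
}

Get-StaleLicensedUsers -InactiveDays 90 | Sort-Object DaysInactive -Descending | Format-Table -AutoSize
```

Treat the output as a detection, not a verdict: service accounts and shared mailboxes that were never converted show up here too, so review the list before passing -Disable, and feed the synced rows to the AD team rather than trying to fix them in the cloud.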
The MS-102 exam tests identity lifecycle management under objective 2.1 'Manage identities in Microsoft Entra ID'. Key areas include:
Understanding the difference between soft-delete (30 days) and hard-delete.
Knowing that group-based licensing is the recommended method for automatic license assignment.
Recognizing that lifecycle workflows are part of Microsoft Entra ID Governance and require a Microsoft Entra ID Governance license (Entra ID P2 alone does not include them).
Understanding that the provisioning cycle runs about every 40 minutes, that the interval is not adjustable, and that on-demand provisioning exists for single users.
Knowing that Entra Connect synchronizes account status (enabled/disabled) but does not handle license assignment.
Common wrong answers:
1. 'Licenses are automatically removed when a user is disabled.' Reality: Disabling a user does not remove licenses; you must explicitly remove them or use group-based licensing.
2. 'Soft-deleted users are hard-deleted as soon as the source object is deleted.' Reality: Deleting the source soft-deletes the user; hard-delete happens 30 days after soft-delete unless the user is restored.
3. 'Provisioning from HR systems runs every 10 minutes by default.' Reality: The incremental cycle is about 40 minutes and cannot be shortened; on-demand provisioning is the immediate option for one user.
4. 'Lifecycle workflows are available in all Microsoft 365 plans.' Reality: They require a Microsoft Entra ID Governance license, which is not included in Entra ID P2 on its own.
Specific numbers and terms:
Soft-delete retention: 30 days.
Provisioning interval default: 40 minutes.
Delta sync interval for Microsoft Entra Connect: 30 minutes.
Group-based licensing processing time: up to 30 minutes.
The term 'authoritative source' is frequently used.
'UserAccountControl' attribute for account status.
Edge cases:
When a user is restored from soft-delete within 30 days, group memberships and licenses are not automatically restored; they must be reassigned.
If a user is deleted from on-prem AD but the sync hasn't run, the user remains in Entra ID temporarily.
For synced or federated users, disabling the account only in Entra ID is not durable: accountEnabled is mastered in on-premises AD, so the next sync cycle re-enables the cloud account unless the AD account is disabled as well. In every case, disabling stops new token issuance only; revoke the user's sign-in sessions so refresh tokens already in hand stop working.
How to eliminate wrong answers: Focus on the mechanism. For example, if a question asks about removing licenses on termination, any answer that says 'licenses are automatically removed when you disable the user' is wrong because disabling does not affect licenses. Look for answers that involve group-based licensing or explicit license removal.
Soft-delete retention period is 30 days; after that, the user is hard-deleted.
Group-based licensing is the recommended method for automatic license assignment and removal.
The default provisioning interval for cloud HR (Workday/SuccessFactors) is 40 minutes.
Delta sync for Microsoft Entra Connect runs every 30 minutes by default.
Lifecycle workflows require a Microsoft Entra ID Governance license (not included in Entra ID P2 alone).
Block sign-in (disable account) before removing licenses to prevent access during removal.
Disabling a user does not remove licenses; explicit removal is required.
When a user is restored from soft-delete, group memberships and licenses are not automatically restored.
These come up on the exam all the time. Here's how to tell them apart.
Manual Provisioning (Admin Center/PowerShell)
Requires manual creation of each user account.
Prone to human error (typos, missing attributes).
No automatic deprovisioning; IT must manually disable/delete.
Scalability limited; not feasible for large organizations.
Audit trail is limited to individual admin actions in the Entra audit log; there is no provisioning log tying each account to an HR event.
Automated Provisioning (HR System Sync)
Users are automatically created from HR system data.
Reduces errors by using authoritative source attributes.
Automatic deprovisioning when employee is terminated in HR.
Scales to thousands of users with configurable intervals.
Full audit logs in provisioning service.
Mistake
Disabling a user in Microsoft 365 automatically removes their licenses.
Correct
Disabling a user (setting AccountEnabled to false) only blocks sign-in. Licenses remain assigned and continue to incur cost. Licenses must be removed separately, either manually, via group-based licensing (removing user from license group), or through a lifecycle workflow.
Mistake
Soft-deleted users are automatically hard-deleted after 30 days even if the source still exists.
Correct
Soft-delete occurs when a user is deleted from the authoritative source and synced. The user is moved to the recycle bin for 30 days. If the source still exists (e.g., on-prem AD user not deleted), the user will not be soft-deleted. Hard-delete happens only after 30 days from soft-delete, and only if the user is not restored.
Mistake
Microsoft Entra Connect automatically assigns licenses to synced users.
Correct
Entra Connect synchronizes identity attributes and account status but does not handle license assignment. Licenses must be assigned via group-based licensing, direct assignment, or other automation. Entra Connect only syncs what is in on-prem AD.
Mistake
Lifecycle workflows are available in all Microsoft 365 subscriptions.
Correct
Lifecycle workflows are a feature of Microsoft Entra ID Governance, which requires a Microsoft Entra ID Governance license (available as an add-on to Entra ID P1/P2 or as part of the Microsoft Entra Suite). They are not included in Microsoft 365 Business Basic or Standard, and Entra ID P2 on its own does not include them either.
Mistake
When a user changes departments, their licenses and group memberships update instantly.
Correct
Updates depend on sync intervals. For cloud HR provisioning, changes arrive with the next incremental cycle (about 40 minutes). For on-premises changes, Entra Connect's delta sync runs every 30 minutes by default. Dynamic group membership is then recalculated asynchronously, usually within minutes but up to 30 minutes (longer for large groups or tenants), and group-based license assignment adds its own asynchronous step of up to 30 minutes.
When a user is deleted from the authoritative source (e.g., on-prem AD or HR system), the provisioning service or Entra Connect syncs the deletion. The user is soft-deleted in Entra ID (moved to recycle bin) for 30 days. Licenses are automatically removed from the user at the time of soft-deletion because the user object is no longer active. However, if the user is restored within 30 days, licenses must be reassigned manually or via group membership.
Dynamic group membership recalculation is not instantaneous. For typical groups the process completes within a few minutes but can take up to 30 minutes; very large groups or tenants with many dynamic rules take longer. Use assigned (static) membership where a change must land at a known time. On the exam, remember that it is asynchronous and can take up to 30 minutes.
Lifecycle workflows do not directly assign licenses. They can trigger tasks like sending email, adding user to groups, or enabling/disabling accounts. However, you can use a lifecycle workflow to add a user to a group that has a license assigned via group-based licensing. So indirectly, you can automate license assignment by adding the user to the appropriate group in the workflow.
Both sync identities from on-prem AD DS to Entra ID. Cloud Sync uses a lightweight provisioning agent with the sync engine hosted in Entra ID, so several agents can serve disconnected or acquired forests with simpler configuration, and it runs on a shorter cycle than Entra Connect's 30-minute delta. For lifecycle purposes both carry attribute changes and account status. Cloud Sync lacks some Entra Connect features, for example device writeback. On the exam, Cloud Sync is the answer for disconnected forests and less complex on-prem AD environments; Entra Connect for full feature coverage.
After blocking sign-in, and before removing the Exchange license, you can convert the user's mailbox to a shared mailbox (which needs no license) and grant access to a manager or delegate. Alternatively, you can set up email forwarding via PowerShell or the admin center. For compliance, you may place a litigation hold on the mailbox instead. Remember that a shared mailbox does not require a license only if it is under 50 GB and has no litigation hold or archive; a mailbox on hold keeps needing a license.
When a user is deleted, their OneDrive files are retained for 30 days by default. During this time, an admin can restore the files. After 30 days, the OneDrive is moved to the recycle bin for an additional 93 days (total 123 days). However, the default retention for the user's account in Entra ID is 30 days (soft-delete).
No. Once a user is hard-deleted (after the 30-day soft-delete period), the user object is permanently removed from Entra ID and cannot be restored. You would need to create a new user account. This is why it's important to have a backup or recovery process for critical user data.