This chapter covers Lifecycle Workflows in Entra ID Governance, a key feature for automating identity lifecycle management. For the SC-900 exam, this topic appears in approximately 5-10% of questions under objective 2.3 (Describe the capabilities of Microsoft Entra ID Governance). You must understand what Lifecycle Workflows are, how they automate user onboarding and offboarding, their key components (workflows, tasks, triggers, execution conditions), and how they integrate with other Entra ID features like access reviews and entitlement management. This chapter provides the technical depth needed to answer exam questions accurately.
Jump to a section
Imagine a company where every new hire must go through a checklist: get a badge, set up a desk, assign a parking spot, grant building access, and schedule orientation. Without automation, HR sends separate emails to Facilities, IT, Security, and Training—each department manually processes their part, often with delays and errors. Lifecycle Workflows in Entra ID Governance is like a central orchestrator that, upon an HR trigger (e.g., new hire record in the HR system), automatically executes a predefined sequence of tasks: send a welcome email, create user account, assign group memberships, provision licenses, and trigger a review after 30 days. The orchestrator monitors each step, retries on failure, and logs the entire process. If a task fails (e.g., license assignment is full), it can pause and alert an admin. Similarly, when an employee leaves, a leaver workflow can revoke access, forward emails, disable the account, and schedule deletion after a retention period. This mechanistic analogy shows how Lifecycle Workflows eliminate manual handoffs and enforce consistent, auditable lifecycle management.
What Are Lifecycle Workflows?
Lifecycle Workflows are a feature of Microsoft Entra ID Governance that automates the lifecycle management of users—from creation through active employment to eventual offboarding. They replace manual, error-prone processes with automated, auditable workflows triggered by events such as HR system updates, scheduled times, or manual initiation. The feature is designed to ensure that users get appropriate access when they join, maintain it during their tenure, and have it revoked promptly when they leave.
Why They Exist
Organizations face compliance and security challenges when managing user lifecycles manually. Delays in provisioning or deprovisioning access can lead to security risks (e.g., former employees retaining access) or productivity loss (e.g., new hires waiting for permissions). Lifecycle Workflows address these by enforcing consistent policies through automation, reducing human error, and providing audit trails for compliance.
How Lifecycle Workflows Work Internally
A Lifecycle Workflow consists of three main parts: a trigger, a set of tasks, and execution conditions. The trigger defines when the workflow runs—either on a scheduled basis (e.g., daily) or when a specific event occurs (e.g., a new user is created in the HR system). Tasks are the actions performed, such as adding user to a group, sending an email, or triggering an access review. Execution conditions specify which users the workflow applies to based on attributes like department, job title, or employment status.
When a trigger fires, the workflow engine evaluates all execution conditions to determine the target users. For each matching user, the workflow runs the tasks in order. If a task fails (e.g., group does not exist), the workflow can be configured to continue or stop. The engine logs every step, including successes and failures, in the Entra ID audit log.
Key Components
Workflow: A container for a set of tasks and their trigger/conditions. Each workflow has a name, description, and category (onboarder, leaver, mover).
Tasks: Individual actions. Built-in tasks include:
- Add user to group (by group ID) - Remove user from group - Send email (with customizable template) - Trigger an access review (requires a review schedule) - Enable/disable user account - Update user attribute - Trigger: Can be schedule-based (runs at a specific time daily/weekly) or event-based (triggered by HR system via Microsoft Entra HR provisioning). For SC-900, know that event-based triggers are only available with HR integration (e.g., SAP SuccessFactors, Workday). - Execution Conditions: Filters based on user properties. For example, only users in the 'Sales' department with 'employeeType' equal to 'Employee'. - Schedule: For schedule-based workflows, you define how often to run (e.g., every day at 2 AM) and a time window.
Default Values and Timers
Maximum tasks per workflow: 10 (for onboarder/leaver), 25 (for mover).
Maximum workflow executions per day: 5000 (per tenant).
Timeout for a single task execution: 24 hours. If a task does not complete within 24 hours, it is marked as failed.
Retry policy: Failed tasks are retried up to 3 times with a 5-minute interval between retries.
Audit log retention: 30 days for workflow execution logs.
Configuration and Verification
Lifecycle Workflows are configured in the Entra admin center under Identity Governance > Lifecycle Workflows. You can also use Microsoft Graph API. For example, to create a workflow via Graph:
POST https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows/workflows
Content-Type: application/json
{
"category": "leaver",
"displayName": "Offboard Employee",
"description": "Automated offboarding for employees",
"isEnabled": true,
"tasks": [
{
"taskDefinitionId": "a4183994-2d4f-4b3c-9e5d-1c2b3d4e5f6a",
"arguments": []
}
],
"executionConditions": {
"@odata.type": "#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions",
"scope": {
"@odata.type": "#microsoft.graph.identityGovernance.ruleBasedSubjectSet",
"rule": "(department eq 'Engineering')"
},
"trigger": {
"@odata.type": "#microsoft.graph.identityGovernance.timeBasedAttributeTrigger",
"timeBasedAttribute": "employeeLeaveDateTime",
"offsetInDays": 0
}
}
}To verify execution, check the audit logs or use the Graph API:
GET https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows/workflows/{workflowId}/runsInteraction with Related Technologies
Lifecycle Workflows integrate with: - HR Provisioning: When used with Workday or SuccessFactors, user creation/deletion events can trigger workflows. - Entitlement Management: Workflows can trigger access reviews or assign access packages. - Access Reviews: A task can start an access review for the user. - Conditional Access: Not directly, but workflows can add/remove users from groups used in Conditional Access policies. - Microsoft Graph: All configuration and monitoring can be done via Graph API.
Exam-Relevant Details
Lifecycle Workflows are part of Entra ID Governance (requires P2 license for full functionality).
The three categories: onboarder, leaver, mover.
Event-based triggers require HR integration.
Tasks are executed sequentially.
Failed tasks can be configured to continue or stop the workflow.
You can test a workflow on a single user before enabling it.
Workflows can be enabled or disabled.
The execution conditions use a rule syntax similar to dynamic group rules (e.g., (department eq 'Sales')).
Define Business Process
Identify the lifecycle events you want to automate, such as new hire onboarding, employee transfer, or termination. Determine the tasks required: group memberships, email notifications, account enable/disable, attribute updates. This step is conceptual but drives the technical configuration. For exam purposes, understand that workflows are designed around business processes, not arbitrary actions.
Create the Workflow
In the Entra admin center, navigate to Identity Governance > Lifecycle Workflows > Create. Choose a category (onboarder, leaver, mover). Define a name, description, and enablement. This step creates a container. Note that you can create up to 100 workflows per tenant. The category determines which built-in tasks are available (e.g., leaver workflows have 'Disable user account' task).
Add Tasks
Select tasks from the built-in list. Each task has a specific taskDefinitionId. For example, 'Add user to group' requires the group object ID. You can configure task arguments (e.g., group ID, email template). Tasks run in the order you add them. You can reorder tasks. For SC-900, know the common tasks: Add to group, Remove from group, Send email, Trigger access review, Enable/disable account, Update attribute.
Configure Execution Conditions
Define which users the workflow applies to. For schedule-based triggers, set a schedule (e.g., daily at 2 AM). For event-based, specify the time-based attribute (e.g., employeeHireDate, employeeLeaveDateTime) and offset (e.g., 0 days). Then define a scope rule using a syntax like `(department eq 'Sales')`. The scope filters users based on attributes. This is critical: only users matching the scope and trigger will be processed.
Test and Enable
Before enabling, test the workflow on a single user using the 'Run on demand' feature. This executes the workflow immediately for that user, allowing you to verify tasks work correctly. Check the audit logs for success/failure. After testing, enable the workflow. Once enabled, it will run according to its trigger (schedule or event). You can also disable it later.
Enterprise Scenario 1: Automated Employee Onboarding
A large enterprise with 50,000 employees uses Workday for HR. When a new hire is created in Workday, an event-based lifecycle workflow triggers immediately. The workflow adds the user to the 'All Employees' group, sends a welcome email with onboarding instructions, and schedules an access review after 30 days to verify the user's access. The workflow uses employeeHireDate as the trigger with offset 0, so it runs on the hire date. In production, they configured retry on failure for email delivery (if SMTP is down). Common issues: if the group ID is incorrect, the task fails. They monitor via the 'Runs' tab and set up alerts for failures.
Enterprise Scenario 2: Leaver Offboarding
A financial services firm must disable accounts within 1 hour of termination. They use a schedule-based workflow that runs every hour, checking for users whose employeeLeaveDateTime is in the past. The workflow disables the account, removes from all groups except a 'Former Employees' group, forwards emails to the manager, and triggers an access review for the manager to confirm data retention. They set the scope to (employeeStatus eq 'Terminated'). Performance consideration: with 10,000 leavers per year, the workflow runs smoothly within the 5000 executions per day limit. Misconfiguration: if the scope rule is too broad, it could accidentally process active employees.
Scenario 3: Mover Workflow for Transfers
When an employee changes departments, a mover workflow updates their group memberships. The workflow removes them from old project groups and adds to new ones based on department attribute. They use employeeDepartment change as a trigger (requires HR integration). This ensures access is aligned with new role. Common pitfall: if the HR system does not update the attribute immediately, the workflow might miss the event. They set an offset of 1 day to account for HR data latency.
What SC-900 Tests on Lifecycle Workflows
SC-900 objective 2.3 focuses on describing the capabilities of Entra ID Governance. Lifecycle Workflows are a specific capability. Exam questions typically ask:
What is the purpose of Lifecycle Workflows? (Automate onboarding, offboarding, and moves)
What are the three categories? (onboarder, leaver, mover)
What triggers can be used? (schedule-based and event-based)
What tasks are available? (Add/remove group, send email, trigger access review, enable/disable account, update attribute)
How are execution conditions defined? (Scope rules using attribute conditions)
What license is required? (Entra ID P2)
Common Wrong Answers and Why
'Lifecycle Workflows can replace all manual provisioning.' Wrong: They automate specific lifecycle events but do not cover ad-hoc access requests (that's Entitlement Management).
'Event-based triggers work with any HR system.' Wrong: They require integration with Workday or SuccessFactors via HR provisioning.
'Tasks run in parallel.' Wrong: They run sequentially.
'Workflows can be triggered by user sign-in.' Wrong: They are triggered by schedule or HR events, not authentication events.
Specific Numbers and Terms on the Exam
Maximum tasks per workflow: 10 (onboarder/leaver), 25 (mover)
Maximum executions per day: 5000
Task timeout: 24 hours
Retry count: 3
Retry interval: 5 minutes
Categories: onboarder, leaver, mover
Execution conditions use rule syntax similar to dynamic groups.
Edge Cases
If a user matches multiple workflows, all applicable workflows run (order is not guaranteed).
Workflows can be disabled; disabled workflows do not run.
Testing a workflow on demand does not count toward the daily execution limit.
Deleted users cannot be processed; workflows only apply to active users.
How to Eliminate Wrong Answers
Focus on the trigger mechanism: if a question mentions 'when a new user is created in HR', the answer is event-based trigger. If it says 'runs every night', it's schedule-based. For tasks, remember the specific built-in tasks and that they are sequential. License: any advanced governance feature requires P2.
Lifecycle Workflows automate onboarding, offboarding, and moves using sequential tasks.
Three categories: onboarder, leaver, mover.
Triggers: schedule-based (time) or event-based (HR integration).
Execution conditions use attribute-based scope rules.
Maximum 100 workflows per tenant; 10 tasks for onboarder/leaver, 25 for mover.
Requires Entra ID P2 license.
Tasks include: add/remove group, send email, trigger access review, enable/disable account, update attribute.
Failed tasks retry up to 3 times with 5-minute intervals.
Workflows can be tested on a single user before enabling.
Audit logs capture all executions for compliance.
These come up on the exam all the time. Here's how to tell them apart.
Lifecycle Workflows
Focuses on lifecycle events: hire, transfer, leave.
Uses triggers (schedule or HR event) to run workflows.
Tasks are predefined: add/remove group, send email, etc.
Targets users based on scope rules (attributes).
Primarily automates provisioning/deprovisioning actions.
Entitlement Management
Focuses on access requests and approvals.
Users request access packages or admins assign them.
Includes approval workflows and access reviews.
Targets access packages (collections of resources).
Primarily manages ongoing access governance.
Mistake
Lifecycle Workflows are available in Entra ID Free tier.
Correct
Lifecycle Workflows require Entra ID P2 license. Free and P1 tiers do not include this feature.
Mistake
Tasks in a workflow run in parallel to speed up execution.
Correct
Tasks run sequentially in the order defined. Parallel execution is not supported.
Mistake
Event-based triggers can be configured without HR integration.
Correct
Event-based triggers require HR provisioning from Workday or SuccessFactors. Without it, only schedule-based triggers are available.
Mistake
You can have unlimited workflows per tenant.
Correct
The maximum number of workflows is 100 per tenant.
Mistake
Lifecycle Workflows can automatically delete user accounts.
Correct
There is no built-in 'Delete user' task. You can disable accounts, but deletion must be handled separately (e.g., via retention policies).
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Lifecycle Workflows require Microsoft Entra ID P2 license. Without P2, you cannot create or use workflows. This is a common exam point: any advanced governance feature like lifecycle workflows, entitlement management, or access reviews requires P2.
No. Lifecycle Workflows are triggered either by a schedule (e.g., daily at 2 AM) or by HR events (e.g., new hire created in Workday). They are not triggered by authentication or sign-in events. For exam questions, if a scenario mentions 'when a user signs in', that is not a valid trigger.
Onboarder workflows are designed for new hires or users being activated. They typically include tasks like adding to groups, sending welcome emails, and enabling accounts. Leaver workflows are for terminating employees and include tasks like disabling accounts, removing group memberships, and forwarding emails. The category determines which built-in tasks are available.
You can use the 'Run on demand' feature in the Entra admin center. Select a single user to run the workflow immediately. This allows you to verify that tasks execute correctly without affecting other users. The test execution does not count toward the daily execution limit of 5000.
By default, the workflow retries the failed task up to 3 times with a 5-minute interval. If it still fails after retries, the workflow can be configured to either continue with the next task or stop. You can view the failure details in the workflow's run history.
Lifecycle Workflows are designed for employee lifecycle management, not guest users. Guest users are managed through other features like Entitlement Management and access reviews. The scope rules typically target employee attributes (e.g., employeeType, department).
For onboarder and leaver workflows, the maximum is 10 tasks. For mover workflows, the maximum is 25 tasks. This is a specific number that may appear on the exam.
You've just covered Lifecycle Workflows in Entra ID Governance — now see how well it sticks with free SC-900 practice questions. Full explanations included, no account needed.
Done with this chapter?