Microsoft Entra Lifecycle Workflows allow organizations to automate user provisioning, access governance, and lifecycle management tasks within Azure Active Directory (Azure AD). A crucial aspect of this automation involves synchronizing user attributes from on-premises Active Directory (AD) to Azure AD. This blog explores how to synchronize the “employeeHireDate” attribute, an essential data point for various identity and access management scenarios.
Microsoft Entra Lifecycle Workflows allow organizations to automate user provisioning, access governance, and lifecycle management tasks within Azure Active Directory (Azure AD). A crucial aspect of this automation involves synchronizing user attributes from on-premises Active Directory (AD) to Azure AD. This guide explores how to synchronize the “employeeHireDate” attribute, an essential data point for various identity and access management scenarios.
Purpose of synchronizing employee hire date
The employeeHireDate attribute in AD captures the date an employee joins the organization. Synchronizing this attribute to Azure AD serves several key purposes:
- Triggering automated workflows: Entra Lifecycle Workflows can be configured to initiate specific actions based on the “employeeHireDate”. For instance, a workflow can automatically create a new user account and assign essential access permissions upon the hire date.
- Enforcing access governance policies: Hire date can determine access eligibility. Employee access levels and privileges may differ based on tenure within the organization. Synchronizing employeeHireDate allows for enforcing such time-based access controls.
- Data consistency and reporting: Maintaining a consistent employeeHireDate across both on-premises AD and Azure AD ensures accurate data for reporting purposes. This data can be used for various HR analytics or compliance reporting needs.
Prerequisites
Before starting, ensure the following prerequisites are in place:
- Existing Azure AD Connect sync: Ensure Azure AD Connect sync is set up. You can also sync employeeHireDate attribute values using Azure AD Connect Cloud sync, but this guide uses Azure AD Connect sync.
- Existing attribute: Choose an existing Active Directory attribute to record the value for employeeHireDate. It must be a string. This guide uses the
msDS-cloudExtensionAttribute1Active Directory attribute. - Correct data format: The value must follow the format “yyyyMMddHHmmss.fZ”. For example, if the hire date is December 1, 2022, it will be
20221201080000.0Z(with 08:00 AM as the starting time).
How to synchronize employee Hire Date with Entra Lifecycle Workflows
These methods can be used for synchronizing the employeeHireDate attribute:
1. Using Azure AD Connect
Scenario: This approach is suitable if you are using Azure AD Connect to synchronize identities between your on-premises AD and Azure AD.
Steps:
- To map the employeeHireDate attribute on-premises to the corresponding attribute in Azure AD, usually employeeHireDate, configure a synchronization rule within Azure AD Connect.
- Ensure the synchronization schedule is configured to run periodically to keep the data in both directories up-to-date.
2. Using Microsoft Entra Connect Cloud sync
Scenario: This method is ideal if you are not using Azure AD Connect or prefer a cloud-based solution.
Steps:
- In the Entra admin center, enable cloud sync for Microsoft Entra Connect.
- During configuration, define a custom attribute mapping to synchronize the on-premises employeeHireDate attribute to the Azure AD employeeHireDate attribute.
- Set up a regular schedule for the cloud sync to ensure ongoing attribute synchronization.
3. Synchronization value for employeeHireDate attribute from on-premises AD
Workflow steps:
- Set department and manager attributes: The new employee’s manager should receive a Temporary Access Pass (TAP) via email. For this, users need to have a manager assigned before the workflow triggers.
- Set employeeHireDate attribute value: The value for employeeHireDate should be recorded in the specific format “yyyyMMddHHmmss.fZ” to ensure it populates correctly in Azure AD.
- Create custom sync rule:
- Log in to the on-premises server with Azure AD Connect installed.
- Launch PowerShell as Administrator and run
Set-ADSyncScheduler -SyncCycleEnabled $falseto disable the sync scheduler. - Open Synchronization Rules Editor from the Programs menu.
- Set up an inbound rule with the direction as inbound and add the rule. The connected system should be your on-premises Active Directory domain.
- On the Transformations screen, click Add Transformation. Use the following values:
FlowType: Direct,Target Attribute: employeeHireDate,Source: msDS-cloudExtensionAttribute1. - Set up an outbound rule with the direction as outbound and add the rule. The connected system should be your tenant.
- Resume the sync by running
Set-ADSyncScheduler -SyncCycleEnabled $truein PowerShell.
- Verify synced attribute values for employeeHireDate:
- Go to Graph Explorer and log in as global administrator.
- Ensure the method on the top of the window is set to GET.
Thus, the lifecycle workflow is successfully triggered!
Additional considerations: Data transformation (Optional)
You may need to set up data transformation rules in Azure AD Connect or Entra Connect cloud sync if the employeeHireDate attribute’s data format varies between your on-premises AD and Azure AD to ensure uniform formatting. Ensure proper security permissions are assigned to users or service accounts performing the attribute synchronization to maintain data integrity.
