
Seppala365.cloud

The (nearly) endless benefits of enriching Entra ID with HR data

Integrating an HR system with Entra ID (either directly or through on-prem AD) to drive new user account provisioning is a fairly common and well-known scenario.

The benefit there is clear – a new employee comes in, has a record created for them in the HR system and a new Entra ID (EID) user account is automatically provisioned. The employee’s contract terminates in the HR system and the EID account is frozen as well. Simple & useful.

Apart from a person’s name, the HR system can also be made to synchronize various other nuggets of information to an EID account, such as (but not limited to):

  • Job title
  • Company name
  • Department
  • Unique employee ID
  • Employee type
  • Hire date
  • Office location
  • Manager

Allowing these other data points to flow from the HR system to enrich Entra ID user accounts opens up a world of opportunities that go far beyond user account governance. In this blog, I’ll go over some of these.

Note: If you’re using on-prem AD between your HR system and Entra ID as many are, you might need to configure certain attributes as Directory Extensions to get them to sync to the cloud as well.

Getting started with dynamic groups

Entra ID allows us to build Security and Microsoft 365 groups that update their membership depending on rules instead of expecting owners or admins to manually add and remove members. These dynamic groups are a foundation for unlocking many of the benefits of enriching Entra ID with your HR data.

Building membership rules is now very straightforward thanks to the user-friendly rule editor. It can be as simple as picking the combination of attributes you want to evaluate and desired values for those attributes that members need to have.

The typical HR attributes like department are all available here. You could get going by setting up dynamic groups for each department, for example.

The dynamic membership rule editor for dynamic Security and Microsoft 365 groups

Leveraging dynamic groups

Microsoft Teams

You might recall I mentioned you can make Microsoft 365 groups dynamic, right? That means you can also build attribute-based membership in teams. ✅

This possibility is commonly used to build departmental or role-based teams that new employees are automatically picked up into as they start working, connecting them to peers and relevant content without delay.

You can even convert a previously static team into a dynamic one. Just remember – if the previously manually maintained members aren’t in scope of the new dynamic rule, they will get kicked out.
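To make the rule syntax concrete, and to show the conversion caveat above (anyone outside the new rule is dropped), here is an added Python example that is not code from the original post: a small tokenizer, parser and evaluator for membership rules, run over a handful of constructed user records with HR-derived attributes. It treats string comparisons as exact and case-sensitive and binds `and` tighter than `or`, which are this parser’s own choices rather than a statement about the service’s engine; use parentheses in real rules so the intent is explicit either way.

```python
"""Added example: evaluate Entra ID dynamic membership rules, e.g. (user.department -eq "Legal") and
(user.accountEnabled -eq true), against constructed users. Operators are modelled literally; not the service's engine."""
import re

# Constructed sample users carrying the HR-derived attributes a rule can reference.
USERS = [
    {"displayName": "Ada", "department": "Legal", "employeeType": "Employee", "accountEnabled": True, "country": "FI"},
    {"displayName": "Bo", "department": "Legal", "employeeType": "Contractor", "accountEnabled": True, "country": "SE"},
    {"displayName": "Cy", "department": "Finance", "employeeType": "Employee", "accountEnabled": True, "country": "FI"},
    {"displayName": "Di", "department": "Legal", "employeeType": "Employee", "accountEnabled": False, "country": "FI"},
    {"displayName": "Ed", "department": None, "employeeType": "Employee", "accountEnabled": True, "country": "FI"},
]
# Tokens: ( ) [ ] , -operator "string" and bare words (user.attr, and/or/not, true/false/null).
TOKEN_RE = re.compile(r'\s*(\(|\)|\[|\]|,|-\w+|"[^"]*"|[\w.]+)')

def tokenize(rule):
    rule, pos, tokens = rule.strip(), 0, []
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"unexpected input at {pos}: {rule[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def literal(tok):
    if tok and tok.startswith('"'):
        return tok[1:-1]
    return {"true": True, "false": False, "null": None}[str(tok).lower()]  # KeyError for anything else

class Parser:
    """Precedence, loosest to tightest: or, and, not / parentheses, comparison."""
    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0
    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None
    def take(self):
        self.i += 1
        return self.tokens[self.i - 1] if self.i <= len(self.tokens) else None
    def parse(self):
        node = self.expr()
        if self.i != len(self.tokens):
            raise ValueError(f"trailing tokens: {self.tokens[self.i:]}")
        return node
    def expr(self):
        return self.binary(("or", "-or"), lambda: self.binary(("and", "-and"), self.unary))
    def binary(self, words, operand):
        node = operand()
        while self.peek() and self.peek().lower() in words:
            node = (self.take().lower().lstrip("-"), node, operand())
        return node
    def unary(self):
        tok = self.peek()
        if tok and tok.lower() in ("not", "-not"):
            self.take()
            return ("not", self.unary())
        if tok == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        prop, op = self.take(), self.take()
        if not (prop and prop.startswith("user.") and op and op.startswith("-")):
            raise ValueError(f"expected 'user.<attribute> -op value', got {prop!r} {op!r}")
        return ("cmp", prop[5:], op.lower(), self.value())
    def value(self):
        if self.peek() != "[":
            return literal(self.take())
        self.take()  # consume "[" and read items up to the matching "]"
        return [literal(t) for t in iter(self.take, "]") if t != ","]

STRING_OPS = {
    "-startswith": lambda s, v: s.startswith(v),
    "-contains": lambda s, v: v in s,
    "-match": lambda s, v: re.search(v, s) is not None,
}

def evaluate(node, user):
    kind = node[0]
    if kind == "not":
        return not evaluate(node[1], user)
    if kind in ("and", "or"):
        return all(evaluate(n, user) for n in node[1:]) if kind == "and" else any(evaluate(n, user) for n in node[1:])
    _, attr, op, expected = node
    actual = user.get(attr)
    if op in ("-eq", "-ne"):
        return (actual == expected) == (op == "-eq")
    if op in ("-in", "-notin"):
        return (actual in expected) == (op == "-in")
    if op in STRING_OPS:  # a null attribute is treated as an empty string for the string operators
        return STRING_OPS[op](actual if isinstance(actual, str) else "", expected)
    raise ValueError(f"unsupported operator {op}")

def members(rule, users=USERS):
    ast = Parser(tokenize(rule)).parse()
    return [u["displayName"] for u in users if evaluate(ast, u)]

def conversion_impact(rule, static_members, users=USERS):
    """Converting a manually maintained group or team to this rule: who is dropped, who is added."""
    dynamic = set(members(rule, users))
    return {"removed": sorted(set(static_members) - dynamic), "added": sorted(dynamic - set(static_members))}
```

`conversion_impact` is the check worth running before flipping a static team to dynamic: anyone in `removed` will lose the team (and its content) the moment the rule is processed, so either widen the rule or accept the removals deliberately.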

SharePoint Online & Viva Connections

In SharePoint, you can share individual sites with dynamic groups. For example, you could build an information hub scoped for all Legal department users in your organization.

Perhaps more powerfully, you can leverage audience targeting to tailor various aspects of your intranet (navigational links, web parts and more), the Viva Connections global navigation and a number of other scenarios so people only see the content relevant to what they do in the organization.

Audience targeting is a powerful tool for shaping user experiences

A common criticism of many intranets is that they can be bloated and confusing. This is something that intelligently used dynamic audience targeting can play a key role in fixing.

Defender for Cloud Apps

Did you know you can import individual Entra ID groups to Defender for Cloud Apps and then use them to target policies? You can bring in up to 500 groups from EID and other external sources. Once imported, a user group’s membership is refreshed roughly once every hour.

Bringing in a dynamic Entra ID group to Defender for Cloud Apps

You could use this to build things like hardened activity and file policies for users of certain departments or roles.

Let’s say you want to get an alert if a user account belonging to a person from Legal removes the Information Protection sensitivity label from three or more files in a 30-minute window, which constitutes a clear data protection risk.

You can do this by building your policy as usual and then scoping it to the imported dynamic group, which in turn is based on HR data.

Scoping a Defender for Cloud Apps activity policy to an imported dynamic Entra ID group.

Power Platform environment access restrictions

The benefits of HR data-based dynamic Entra ID groups extend to the Power Platform as well. You can now limit access to each non-default environment through dynamic groups (both to the data in the environment and, after a recent change, to the apps), unlocking the option of setting up dedicated environments for countries, departments and so on.

Leveraging HR data attributes

Profile card extensions

The Microsoft 365 profile card is familiar to most. What is not as familiar to all is that you can customize your profile cards to show additional built-in and custom fields.

Each Entra ID account has 15 general-purpose attributes called extensionAttributes (extensionAttribute1 through extensionAttribute15) that you can use to store custom information from various sources – including from your HR system.

As long as your HR integration supports it, you could bring in any data point you need to Entra ID user accounts, store it in the selected extensionAttribute and then surface it on your Microsoft 365 profile card – with a localized attribute name, if necessary.

Extended profile card (Image: Microsoft.com)

Jan Bakker wrote a nice blog about profile card extensions last year. I suggest you give it a read if you want to see good practical examples.

Role-based data lifecycle management

Not all data is created equal and protecting the most highly sensitive documents from accidental or intentional deletion is a key part of a holistic information governance strategy.

Often ownership of such files is practically tied to certain roles or departments. You might want to ensure that any Microsoft 365 files owned by C-suite (or adjacent) users are automatically retained for 3 years regardless of user actions for compliance or risk management purposes.

You could do this by first creating an adaptive scope targeting HR-derived title and/or department attributes, as seen below.

Defining an adaptive scope for data lifecycle management

You would then create a retention policy based on the adaptive scope and target it to the desired locations such as Exchange email and OneDrive accounts.

Scoping a retention policy

Finally, you would set the retention period and any post-retention actions you need (if any).

Configuring data retention settings for scoped executive users

In this way, employees moving into executive roles would automatically move into the scope of the controls without manual intervention.

Apart from targeting retention policies, adaptive scopes based on HR-enriched data can also be used to publish and/or auto-apply retention labels, which let people manage the lifecycle of individual documents rather than entire services.

Driving Insider Risk policies

In the duality of security efforts, technical security focused on external threats often takes center stage. What is easily forgotten but no less important is the other side of the coin: those already working for the organization, with privileged access to information.

Security efforts should also focus inwards, aiming to ensure that employees mishandling or outright exfiltrating sensitive and valuable information can be detected and educated, and the greatest risks mitigated before they impact the business in a tangible way – all without compromising privacy or turning the organization into a dystopian “Big Brother” monitoring state. Not an easy task, but possible. Microsoft actually released a great whitepaper on this recently – here’s a link.

Purview Insider Risk Management (IRM) is a tool for helping mitigate risks and threats posed by insiders while respecting individual privacy concerns.

Most insider risks manifest in the final months of a person’s employment. For example, people might want to take the company’s intellectual property with them by printing it out or copying it to a private USB drive. Maybe the content is something they have worked hard on and feel ownership of, even though it actually belongs to the company. This is understandable on a human level and – I would guess – rather common.

One of the core policy types in IRM – the Data theft by departing users policy – is at its most effective when it is directly connected to your HR system through an HR data connector, from where the resignation and termination dates of individuals can be derived ahead of time.

Doing this allows the AI- and machine learning-driven engine to automatically keep an eye out for the indicators of risky behavior you have chosen; when enough of them are observed, it raises pseudonymized alerts for further investigation if necessary.

If alerts are found to warrant follow-up actions, the pseudonymization can be removed for those individuals assigned to handle the case – proceedings usually involve Legal in some capacity at this point. This is very similar to how eDiscovery cases are typically handled.

Creating an Insider Risk Management policy

Without the HR data connector in place, this specific key IRM policy would be limited to looking at events after the employee’s Entra ID user account is terminated – by which time any brewing insider risks have already had a chance to happen.

Manager-led application access reviews

Overpermissioned user accounts are something you’ll want to try to mitigate as much as possible. Sometimes a person’s direct manager might be the best one to assess whether the person still needs access to a certain business application.

With your employees’ Manager attribute enriched from your HR system, you can use Entra ID Access Reviews targeted at specific applications to have managers do periodic reviews where they can easily indicate if a selected person no longer needs access to that app.

Configuring a manager-led access review

Access Reviews also benefit from user-to-group affiliation signals. Microsoft describes them as follows:

Reviewers will get the recommendation to Approve or Deny access for the users based on the user’s average distance in the organization’s reporting structure. Users who are very distant from all the other users within the group are considered to have “low affiliation” and will get a deny recommendation in the group access reviews.

Profile picture update automation

A non-native use case relying on HR data-enriched EID user profiles is to set up an automation pipeline that turns employee photographs into Entra ID profile pictures. It can work something like this:

  1. A new employee walks into a contracted photography studio or other suitable location and gets their employee photo taken.
  2. The studio sends the photo to the company for post-processing or uploads it directly to an agreed-on Microsoft 365 SharePoint site. The photo includes the employee’s employee ID in its name.
  3. A Logic App uses a System-assigned Managed Identity and Graph API to look through the pictures in the repository and matches the file name’s employee ID to an Entra ID account based on the user’s employeeID attribute.
  4. The Logic App then leverages Graph API again to update users’ profile pictures as necessary and adds information to the SharePoint document library indicating when the picture was last updated so unnecessary repeated update rounds can be avoided.

I built a solution similar to this a while ago and it neatly sidesteps issues arising from an individual’s name and UPN changing mid-employment.
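The matching and idempotency logic from steps 2 to 4, as an added Python example that is not the author’s Logic App: it extracts the employee ID from each file name, resolves it through a stand-in for the Graph `employeeId` filter query, and only schedules a `PUT /users/{id}/photo/$value` when the photo in the library is newer than the last recorded update. The file-naming convention, the `photoUpdatedAt` library column, the sample listing and the directory contents are all constructed assumptions.

```python
"""Added example: plan Entra ID profile-picture updates from an employee-photo library.
Stand-in for the Logic App steps above; the naming convention, the library listing,
the 'photoUpdatedAt' column and the directory lookup are constructed assumptions."""
import re
from datetime import datetime

GRAPH = "https://graph.microsoft.com/v1.0"
# Assumed convention: "<employeeId>.jpg" or "<employeeId>_<anything>.jpg" (also .jpeg/.png).
# The ID is restricted to alphanumerics, so it is safe to interpolate into an OData filter.
FILENAME_RE = re.compile(r"^(?P<emp>[A-Za-z0-9]+)(?:[_-][^.]*)?\.(?:jpe?g|png)$", re.IGNORECASE)

# Constructed SharePoint library listing. 'photoUpdatedAt' stands for the column the
# automation writes back after a successful update (step 4) so reruns stay idempotent.
LIBRARY = [
    {"name": "10042.jpg", "lastModified": "2024-03-01T09:00:00Z", "photoUpdatedAt": None},
    {"name": "10043_retake.jpg", "lastModified": "2024-03-05T10:30:00Z", "photoUpdatedAt": "2024-02-01T08:00:00Z"},
    {"name": "10044.jpg", "lastModified": "2024-01-10T12:00:00Z", "photoUpdatedAt": "2024-01-10T12:00:00Z"},
    {"name": "10099.jpg", "lastModified": "2024-03-02T11:00:00Z", "photoUpdatedAt": None},
    {"name": "offsite photo.png", "lastModified": "2024-03-02T11:00:00Z", "photoUpdatedAt": None},
]
# Constructed stand-in for the directory, keyed by the HR-sourced employeeId attribute.
DIRECTORY = {
    "10042": {"id": "00000000-0000-0000-0000-000000000042", "userPrincipalName": "ada@contoso.example"},
    "10043": {"id": "00000000-0000-0000-0000-000000000043", "userPrincipalName": "bo@contoso.example"},
    "10044": {"id": "00000000-0000-0000-0000-000000000044", "userPrincipalName": "cy@contoso.example"},
}

def employee_id_from_name(name):
    """Extract the employee ID the photo studio put in the file name, or None."""
    m = FILENAME_RE.match(name)
    return m.group("emp") if m else None

def lookup_url(employee_id):
    """The Graph query the Logic App would issue to resolve an employeeId to an account."""
    return f"{GRAPH}/users?$filter=employeeId eq '{employee_id}'&$select=id,userPrincipalName"

def lookup_user(employee_id, directory=DIRECTORY):
    """Offline stand-in for lookup_url(); a real run would read the 'value' array of the response."""
    return directory.get(employee_id)

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def plan_updates(library=LIBRARY, directory=DIRECTORY):
    """Decide, per file, whether to push a new photo, and record why not otherwise."""
    plan = []
    for item in library:
        entry = {"file": item["name"], "action": "skip"}
        emp = employee_id_from_name(item["name"])
        if emp is None:
            entry["reason"] = "no employee ID in file name"
        elif (user := lookup_user(emp, directory)) is None:
            entry["reason"] = f"no account with employeeId {emp}"
        elif _ts(item["photoUpdatedAt"]) is not None and _ts(item["photoUpdatedAt"]) >= _ts(item["lastModified"]):
            entry["reason"] = "photo already current"
        else:  # request body is the image bytes with Content-Type image/jpeg
            entry.update(action="update", userId=user["id"], upn=user["userPrincipalName"],
                         request=f"PUT {GRAPH}/users/{user['id']}/photo/$value")
        plan.append(entry)
    return plan

def pending_updates(plan):
    return [e for e in plan if e["action"] == "update"]
```

Keying the match on `employeeId` rather than on display name or UPN is what makes the pipeline survive name changes mid-employment; the `photoUpdatedAt` comparison is what stops every scheduled run from re-uploading every photo.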

Parting thoughts

These are just a few isolated examples of the types of scenarios enriching Entra ID with HR data can unlock. I’m sure there are a thousand more, including things like Power BI analytics aggregated by department etc.

If you have some good examples you’d like to share, please do so in the comments!

Have a good one ✌️
