Automating Onboarding and Offboarding with Make.com & Microsoft Entra ID

Managing new hires and departures can eat up a lot of time—especially when dealing with multiple systems. By combining Make.com (formerly Integromat) with Microsoft Entra ID (Azure AD), you can automate processes and keep everyone in the loop. Below is an overview of how to tackle both onboarding and offboarding.

Automating employee offboarding is crucial for maintaining security and operational efficiency. By integrating Make.com with Microsoft Entra ID, you can streamline this process effectively.

While Microsoft Entra Lifecycle Management empowers an identity-centric offboarding strategy—swiftly, consistently, and compliantly removing departing users’ access—it currently doesn’t offer shipping label procurement or direct ticket updates. By adding further integration or automation tools, your IT department can streamline and optimize the offboarding process even more. Here’s how to set up offboarding in Make.com:
  1. Establish Connections:
  • Microsoft Entra ID Integration: Ensure you have the necessary permissions to connect Microsoft Entra ID with Make.com. In Make.com, add a Microsoft Entra ID module to your scenario and create a connection by authenticating your account.
  2. Design the Offboarding Workflow:
  • Trigger Event: Set the workflow to initiate when an employee’s status in Microsoft Entra ID changes to ‘terminated’ or ‘inactive’.
  • Tasks to Automate:
    • Remove User from Groups: Utilize the ‘Remove Member from Group’ module in Make.com to eliminate the user from all associated groups.
    • Revoke Access: Implement the ‘Update a User’ module to disable the user’s account, preventing further access.
    • Notify Relevant Parties: Use Make.com’s email modules to inform HR and IT departments about the completed offboarding.
  3. Implement the Workflow:
  • Scenario Execution: Activate the scenario in Make.com to ensure it runs automatically upon detecting the specified trigger event.
  4. Monitor and Maintain:
  • Regular Audits: Periodically review the workflow to confirm its effectiveness and make adjustments as needed.
  • Stay Updated: Keep abreast of updates to both Make.com and Microsoft Entra ID to leverage new features and maintain compatibility.
By following these steps, you can create an efficient offboarding process that enhances security and ensures compliance with organizational policies. The steps below walk through the full scenario, module by module, so that nothing falls through the cracks.
  1. SharePoint List Item Fetch (Watch Items): Watches a SharePoint list for new or updated offboarding requests. Configure the site, list name, and filters to capture specific criteria.
     Note: This fetch mechanism can come from various inputs: for instance, a Power Automate form submission, a service desk ticket, or even a manual entry from HR. By centralizing offboarding triggers in a SharePoint list, you create a single source of truth that can kickstart the rest of the workflow in a clear and organized manner.
  2. Service Desk New Term (Create a Problem): Creates a helpdesk ticket (e.g., in SolarWinds) using the data from SharePoint, mapping fields such as user name and termination reason.
  3. Microsoft Entra Search for User: Looks up the user in Entra ID (Azure AD) to confirm existence. Outputs user info like Object ID.
  4. Router (Check if User Found)
    • What It Does: Splits the flow into multiple paths depending on whether the user was located in Entra ID.
    • How to Set It Up:
      1. After “Microsoft Entra Search for User,” click the + and choose Router.
      2. Route 1 (User Found): Set a filter checking if the User Object ID is not empty. Continue to offboarding steps (disable account, remove group memberships).
      3. Route 2 (User Not Found): Set a filter if the User Object ID is empty. Update the service desk ticket as “unknown.”
    • Best Practices:
      • Use clear filter logic to avoid mismatches.
      • Test both routes with valid and invalid users.
  5. Service Desk Update Ticket User Unknown: Updates the ticket indicating the user can’t be found, then closes or flags the request.
  6. Disable User and Change Password (Update a User): Disables the user in Entra ID (BlockSignIn = true). Optionally forces a password reset.
  7. Microsoft Entra Remove User Groups (Remove Member from Group): Removes the user from groups. If licenses are tied to these groups, removal also revokes their Microsoft licenses.
  8. Microsoft Graph API Refresh Intune PC (Make an API Request): Forces a device sync in Intune to update or reclaim licenses.
  9. SolarWinds Service Desk Update Ticket (Update a Problem): Updates the service desk ticket to reflect that the user has been disabled and removed from groups.
  10. Validate User Address: Confirms shipping address for any hardware returns.
  11. Router (Address Validation): Divides into Valid (create shipping label) or Invalid (update ticket).
  12. Shippo – Create Shipping Label: Generates a return label for devices. Produces a link or PDF.
  13. Wait 5 Minutes (Sleep): Gives external systems time to sync.
  14. Router (Label Sending Logic): Directs the label to the user or to HR/manager first.
  15. Send Shipping Label to User (Outlook): Sends the label link or attachment via email.
  16. Send Email to Manager and HR: Notifies management or HR about shipping details.
  17. Service Desk Update Ticket Bad Address: Marks the ticket if the address is invalid and requests updated info.
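
As an added example (not part of the original post and not Make.com's own code), the Python below plans the Entra ID portion of this scenario as direct Microsoft Graph v1.0 requests without sending them: the user-found router, the disable step, and group removal, skipping dynamic-membership and on-premises-synced groups, whose membership is not managed by direct removal. The `revokeSignInSessions` call is an addition the scenario above does not include, the function name is hypothetical, and all sample IDs are constructed.

```python
GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample responses (shape of Graph list results); IDs are made up.
SAMPLE_SEARCH = {"value": [{"id": "user-0001", "userPrincipalName": "jdoe@example.com"}]}
SAMPLE_GROUPS = {"value": [
    {"@odata.type": "#microsoft.graph.group", "id": "g-static", "groupTypes": []},
    {"@odata.type": "#microsoft.graph.group", "id": "g-dyn", "groupTypes": ["DynamicMembership"]},
    {"@odata.type": "#microsoft.graph.group", "id": "g-sync", "groupTypes": [],
     "onPremisesSyncEnabled": True},
    {"@odata.type": "#microsoft.graph.directoryRole", "id": "role-1"},
]}

def build_offboarding_plan(search_result, memberships):
    """Return the ordered Graph requests for one offboarding, without sending them."""
    users = search_result.get("value", [])
    # Router: no match, or an ambiguous match, goes to the "unknown" ticket route.
    if len(users) != 1 or not users[0].get("id"):
        return {"route": "user_unknown", "requests": [], "skipped": []}
    uid = users[0]["id"]
    requests = [
        # Block sign-in before touching anything else.
        ("PATCH", f"{GRAPH}/users/{uid}", {"accountEnabled": False}),
        # Invalidate refresh tokens and session cookies already issued to the user.
        ("POST", f"{GRAPH}/users/{uid}/revokeSignInSessions", None),
    ]
    skipped = []
    for g in memberships.get("value", []):
        if g.get("@odata.type") != "#microsoft.graph.group":
            continue  # directory roles and other objects are outside this step
        if "DynamicMembership" in (g.get("groupTypes") or []):
            skipped.append((g["id"], "dynamic membership: governed by the group rule"))
        elif g.get("onPremisesSyncEnabled"):
            skipped.append((g["id"], "synced group: change it in on-premises AD"))
        else:
            requests.append(
                ("DELETE", f"{GRAPH}/groups/{g['id']}/members/{uid}/$ref", None))
    return {"route": "user_found", "requests": requests, "skipped": skipped}

if __name__ == "__main__":
    plan = build_offboarding_plan(SAMPLE_SEARCH, SAMPLE_GROUPS)
    for method, url, body in plan["requests"]:
        print(method, url, body or "")
    for group_id, reason in plan["skipped"]:
        print("SKIPPED", group_id, "-", reason)
```

Groups reported as skipped still grant access and licenses until they are handled at their source, so they belong in the service desk ticket update rather than being dropped silently.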
Note: This is just a simplified overview of the offboarding process and its key steps. If you have any questions or need further guidance, please reach out to our team for more in-depth support or personalized assistance.

Additional Considerations
  • Ensure security logs are reviewed for compliance.
  • Confirm group-based licensing alignment, especially for specialized software.
  • Test each step before going live to avoid surprises.