How do you automate complex employee onboarding?

Posted by dnuohxof-1@reddit | sysadmin | View on Reddit | 38 comments

So I’m kinda stuck developing a smoother process for our employee onboarding and offboarding. We have a process in place for requesting, approving, access, etc however it’s all very manual. Were cloud only M365 with a mix of SSO apps and unique login apps all online. I looked into Flow/Power Automate and there’s some useful bits, but the problem is our enterprise is getting quite complex. We’ve grown up to almost 50 offices this year have several departments and numerous job titles per department. Each office has the same set of approved departments and titles with the same scope of responsibilities. Then there’s the corporate office that needs oversight of a given department across ALL locations. The issue I have automating is we have a matrix of departments, titles, access, equipment and software licenses but the column by row is like 18x40 18 categories of requirements across 40+ roles. For example: a Driver at the D.C. office may need a company phone, Office E1 for teams and outlook access, an ID, badge access to their building, while an engineering coordinator would need a laptop, access to shares, business cards, access to systems owned by other stakeholders who need to approve, etc. Ideally it’d be awesome if I could just feed some AI this matrix of titles & access and say: pump out a user account, with all required email groups, access groups, team chats, and notify all relevant app owners of new hire or fire. I tried to set up a Power Automate flow based off inputs from a form, but I found myself making unsustainable if/ands, conditions, branches etc that was a delicate scaffold of nonsense and maintaining it would be a nightmare. The form was also ridiculous because I needed a header for each location and department to filter titles available and then inputting those as variables in Power Automate was beyond insane. (Imagine 102 variables all saying “Job Title” to cover every option listed in a multiple choice form from multiple sections) I also want to eliminate human error as much as possible. I want our hiring managers to fill out a form. If they choose their location and department the relevant equipment, title, and access options are already filtered. Notices to relevant stakeholder emailed when needed I’ve looked into apps like ManageEngines ADManager plus and it has templates but has lots of weird quirks that makes automated onboarding a bit difficult and empowering HR for official approval means additional user licenses and costs for access. I don’t need a free thing, willing to pay for a product that will do this, but it has to tick all the boxes between IT & HR. So my question is: how do some of you sysadmins in enterprises with >25 locations and >1500 employees deal with this? Hiring manager submits a request form, HR approves and access and resource request list sent to IT for response. Now I know many will be using traditional Active Directory, on prem, and have hooks into a HR system like ADP or Oracle for automation. So I’m specifically interested in any advice from those who’ve worked in cloud only or cloud-heavy infrastructures.

Reply to Post

38 Comments

[-]

fepey@reddit

I’m surprised no one has mentioned it yet but what you described is a perfect use case for Softerra Adaxes. I couldn’t imagine our organization running without it. It handles onboarding and provides a framework that allows for the scenarios you described to be handled dynamically through and easy to use backend console and user facing web interface. For example the dynamic group options are way more customizable and powerful than m365 dynamic groups and are also easier to setup and visualize. Workflows and approvals are also supported. Check it out they have great videos that introduce the main tenants of the product and you can download and trial it before purchase. Adaxes — check it out.

[-]

RunSilent_Deep@reddit

Second that! I have been using Adaxes for years and love its available features and for everything else, it let's you drop in a few lines of Powershell to get the job done. Their extensive library of PS scripts comes in handy. I usually connect Adaxes to ADP via AD Linked (a 01Logix product) they work together completely automating the onboarding/offboarding/updating process.

[-]

dnuohxof-1@reddit (OP)

Omg! Their 2 minute promo video was like it was talking directly to me. This looks verrry promising, I think I’ll start a demo! Thank you for this tip!

[-]

fepey@reddit

Hah! That’s a great description of my initial reaction to their videos too. They actually show the product and not just marketing fluff and provide real world examples of problems it can solve. We’ve been on it for two years and it has changed our AD and identity related stuff for the better. Our third party IT auditors noticed and asked how we kept everything so uniform and up to date in IT and this is the secret sauce. Good luck with a trial of it. It’s commercial software for sure but inexpensive for what it does and best of all it just works and is stable and easy to interface with.

[-]

dnuohxof-1@reddit (OP)

If you don’t mind, what are the costs like? Is it a set price/perpetual? A per/user yearly license. I’m trying to keep below $3-$4/user/mo, any more expensive and it’ll raise too many eyebrows in Finance.

[-]

fepey@reddit

Yeah their licensing is a breath of fresh air in a world of subscription everything. They operate on a perpetual license with optional support contracts that provide tech assistance as well as upgrades during the duration you keep support. We bought it originally with1 year of support and used the helpdesk/tech support very very little. We let the support contract expire and then eventually after 2-3 years wanted an upgrade because of OAUTH support for M365 and they had an option for a discounted upgrade license. It is licensed by AD objects that you are managing so for things you don't need automated like service accounts and other things you can add them to an unmanaged license group that gets automatically removed from the licensed object count. They give price breaks as your user count goes up but for smallest one 100 objects it is $1.7 per month per user. So it is pretty inexpensive. You can always skip support/upgrades for a few years and run at $0 too. We have an 800 user license and if you do find yourself needing upgrades it goes in 100/200/400/600/800/1000 /1500/2000 bundles for small business. Anything higher and you'll be in the enterprise category. Their website isn't sandboxed and behind a paywall so you can go check out their good Q&A support forum where they answer questions as well as browse their script repository as well. Like I said its a company that is a please to deal with rather than a Solarwinds, VM Turbio, something like that. Not pushy at all.

[-]

dnuohxof-1@reddit (OP)

Man they should give you commission. You really sold this. I’m going to look deeper into this, get a trial going and talk to a sales rep. Thank you for this info, it really helped! This is why I love /r/sysadmin

[-]

KojTxivEverywhere@reddit

This is exactly what I've been working on for the past year. I am trying to find ways to automate and streamline onboarding/offboarding employees to the minimum possible. We started using ManageEngine last year for imaging and other features but have yet to get a chance to dabble with it for Onboarding.

[-]

ApoplecticMuffin@reddit

I use Power Automate and Azure Logic Apps to handle most of these things. Instead of a form, I get the data fed in via an API integration between Power Automate and our HR system. This way, all changes get made as close to real time as possible. PA handles the user actions in Azure and the domain. As part of the flows, when the account gets created, an API call is made to our ticketing system for a hardware request since that part requires some human interaction anyway. For groups, I use dynamic group membership in Azure to populate membership based on title, location, or other relevant attribute status. Basically, I use all the tools I have available to me to make it a pretty seemless process. It does take time and effort to get set up at first, but we've now been running this for the past few years without much trouble.

[-]

dnuohxof-1@reddit (OP)

We have a shitty HR system whose only solution for automation is a daily report exported to CSV that must be retrieved via SFTP. It’s bullshit and Hr is not changing systems anytime soon. I get the PA, and look more into azure logic, but I’m struggling with simplifying the automation logic. I feel like there will just be hundreds of if/ands and I have to manually provide a logic for every single combination of location x department x role across 18 categories of access and needs. For example we have an engineering team for every office so the logic needs to filter their resources by location, then department, then job title, and then provide all the access for that role. And some of that is just needing to pump out an automated email to various app owners with the user info. I’m just struggling to visualize a 18x40 matrix of conditions into a simplified logic.

[-]

ApoplecticMuffin@reddit

Take the CSV, import the full user set into a SharePoint List. Create an additional column for the automation processing status (like - new, update, term) so you can keep track. In a PA flow take the CSV and do a compare against the previous day, output the difference. Now take the difference and import just that into your SP list. In your flow if the key attribute (like employee #) is not in the list, make the processing status new. If they are in the list and active in the HR file mark it as update. If they are in the list but marked as termed in your HR file, mark it as Term in your list. Have another flow that searches the SP list for users in "new" status. You'll create those users as new. Then, create two more flows, one for user updates and another for terminations. Create additional sub flows for these as needed to help logically break up overly complex scenarios. Create additional main flows for other use cases as needed. Flows in PA and Azure Logic Apps always seem very complicated at first. It's just the nature of the process. It doesn't mean it's wrong or not optimized. You are not supposed to create one huge flow for every possible thing. Make one per use case. You can call one flow from another easily if needed. >For example we have an engineering team for every office so the logic needs to filter their resources by location, then department, then job title, and then provide all the access for that role. Set these with dynamic group membership instead. Then, you can monitor that group and have PA send out emails, create a ticket or whatever when the membership changes. Use all the features that are available to you to accomplish the goal.

[-]

dnuohxof-1@reddit (OP)

Dynamic groups don’t work simply because I need a contains operand. Believe me 80% of my problem would be solved if I can just have Dynamic Mail group that can add members by “contains” For example add to group if Office = LA; Title contains “Engineer”; or if Office = Corporate; CustomAttribute contains LA_Engineering This group would add the team members at the LA office whose role/title is any Engineer and any corporate folks who need access by using key words in exchange custom attributes that need to be on these same lists or access groups. M365 groups are so bloated with sharepoint sites, teams channels, etc when all I want is an email blast. And Mail Enabled Security Groups don’t accept dynamic query.

[-]

MagicHair2@reddit

Could you rather create your logic in say a custom PS script, save the users as a variable then refresh membership into a standard EXO DG daily?

[-]

mnoah66@reddit

Exchange ddg have the -like operand. I create ours with powershell with relatively no issue

[-]

dnuohxof-1@reddit (OP)

> When you use the -like operator in Exchange Online PowerShell, the wildcard character is supported only as a suffix in most parameters. For example, "Department -like 'sales*'" is allowed, but "Department -like '*sales'" isn't allowed. > Even if a wildcard prefix works in a filter parameter in Exchange Online PowerShell, we don't recommend using it due to low performance issues. That’s the problem, I need prefix variables The naming scheme of each group is $Office - $Department so for example PhysicalDeliveryOfficeName=LA; JobTitle -like “*Engineer*” or CustomAttribute -like “LA_Engineer” would be the ruleset to put LA Engineers and any additional members via a CustomAttribute Key Word into the group. Because I can’t use prefix variable, this whole idea is bunk.

[-]

MagicHair2@reddit

> and my colleague have been working for last 1.5 years to develop a platform which can automate your entire employee onboarding Could you rather create your logic in say a custom PS script, save the users as a variable then refresh membership into a standard EXO DG daily?

[-]

mnoah66@reddit

Yeah that part about wildcards stinks. I usually get most of the members with the -like operator and a suffix-based wildcard, then I’ll add the rest as hardcodes. My luxury being a small set of users without too much complexity.

[-]

ApoplecticMuffin@reddit

I use M365 dynamic groups for this. Personally, I have no complaints about using M365 over Security groups. But if you are against using M365 groups, you could still process the changes as they come in through automation. For example, you can filter your list for your users that meet your criteria and then update just those. You don't need to process 10k user records each day. Just the changes. You can create this logic in PA or whatever automation tool you prefer.

[-]

dnuohxof-1@reddit (OP)

I would use M365 groups but how do you deal with all the resource bloat? We have 50 locations x ~20 role per location split among ~8 departments and there’s email or access groups (and the occasional teams channel) for each department per location. That’s, at minimum, 400 groups, 400 Sharepoint sites, 400 teams. We spent a year whittling down several hundred groups/sharepoints/teams down to manageable 52 Sharepoint sites (one for each location + 2 special corporate teams) I don’t want to see 400+ Sharepoint sites and teams teams

[-]

ApoplecticMuffin@reddit

So, to send this mail you already have 400 groups anyway. They just are not M365 groups. M365 only need to create SharePoint sites. Teams is not necessary. We set these groups so they don't send out a welcome email and so that they are followed in the inbox automatically, so SP sites really don't get much exposure. We run additional automation jobs to maintain SharePoint and Teams teams and clean them up as needed. But again, if you don't want to go down the dynamic group path, you can build this logic into your automation. Nothing is ever 100% perfect in every possible aspect. You have to weigh your options and pick what makes the most sense. IMO, creating and maintaining user accounts manually is at the very bottom of that list of options.

[-]

FriedFred@reddit

Rather than sequential if then statements, have you considered a pattern matching approach? Have a set of data about the new user, and for each automated action, store a match criteria for the action using that data, that returns true if the action needs to be taken for this user, and false otherwise. This has a couple of advantages - it lets you think about the match criteria for each action in isolation, and you can run it across all actions without hooking it up to the automation bit, so that you could test which actions it would trigger. Your actual automation would then use the exact same code to fire off each action, if applicable, once you’ve looked over the action list it spits out.

[-]

dnuohxof-1@reddit (OP)

How would I do this practically? I am no programmer so my development of custom solutions is very limited lol. We talking using some regex in powerautomate or is there a specific kind of solution you have in mind?

[-]

FriedFred@reddit

I'm not so hot with the kind of tools you'll be using (programming background), so I was more commenting about how you might disentangle the business logic hairball. At a glance, maybe each action could be a separate logic app workflow, with the user data supplied as part of the trigger?

[-]

dnuohxof-1@reddit (OP)

I mean pattern matching certainly would work best. Every facility has the same 8/9 email groups that need a corporate liaison on each one relevant to their role. I just don’t know how I’d do that

[-]

FriedFred@reddit

I mean, the hard part is figuring out how to do the first one - the rest will be similar to that one with a few changes. The other advantage of the pattern matching approach is that you can implement it piecemeal - you could try it out for just one kind of action while still doing the rest manually, and get a feel for how it works, before you get to the trickier actions.

[-]

Hungry_Committee7949@reddit

Me and my colleague have been working for last 1.5 years to develop a platform which can automate your entire employee onboarding process, across countries, offices and teams. We are launching it as a startup starting Jan 24. Want to jump on a pilot and be a part of our pilot ?

[-]

smeggysmeg@reddit

We import from our HRIS system every attribute, like employee/contractor, contractor vendor, manager, division, department, team, etc. And then assign groups, and then apps, based on attributes. All done in Okta.

[-]

wareagle1972@reddit

I have been wrestling with this as well lately. The company I work for has always treated this process like an after thought. I will get an email from a manager "oh so-so and so is starting in two days...he lives in Montana...can you get a Mac up to him in time for onboarding?"

[-]

doweactuallycare@reddit

> "oh so-so and so is starting in two days...he lives in Montana...can you get a Mac up to him in time for onboarding?" Sure, with a company credit card I can do many things. The cost will be exorbitant though. Will prob have to grab a first class seat if things are booked out. It'll also be overtime, i'll have to stay in a nice hotel. So yeah, with company funds I can absolutely achieve that. Would you like me to head straight to the airport? Oh its not worth that? We should just ship it and they'll manage for a week or so? ...weird.

[-]

dnuohxof-1@reddit (OP)

We’ve gotten much better with things like that with help and enforcement from HR. IT drafted an official SLA policy for user management requests that HR approved and holds hiring managers to. Occasionally we’ll still have emergency hires but the whole “oh they started last week and need all this stuff today” has calmed down to maybe once or twice a year.

[-]

TheButtholeSurferz@reddit

Lifecycle Workflows is what I been messing around with here and there in Azure. I haven't tested it fully yet, but my expectation is that I can work the process in reverse from Entra to onprem AD with account and group writeback. But I ain't got that deep into it yet.

[-]

GullibleDetective@reddit

Powe automate and user logic but ultimately tie things to user templates and let the groups handle it

[-]

Ninjaintheshadows3@reddit

.NET Web API backend with either a JavaScript framework frontend. Could also do it all in Blazor if you want to eliminate the API level.

[-]

bofh@reddit

> So my question is: how do some of you sysadmins in enterprises with >25 locations and >1500 employees deal with this? By having an enterprise architecture team with the goodwill of the business and enough teeth to insist on change where necessary. My first thought looking at your post is that you don’t have ‘a’ business, you have a group of loosely defined and affiliated ‘offices’ with their own unique processes for no good reason. Management of the business functions should be centralised and the tools modernised to, for example, support SSO wherever possible.

[-]

MadManMorbo@reddit

I'm quite fond of sailpoint.

[-]

ChiSox1906@reddit

Azure Access Packages where the use requests and manager approves. Adopt a model of zero touch for the IT. Set up the ability for self-service and walk away. Additionally dynamic groups for certain subsets.

[-]

jazzdrums1979@reddit

Quite familiar with Workday handling the entry and exit of employees. This intern writes to Okta/AAD and we have automations to add users to groups based on departments which can also provision apps. Sounds like not having proper buy-in from HR and HRIS might be a limiting factor. You can still set up the automations regardless.

[-]

cheekzilla@reddit

This is where Identity Governance & Administration (IGA) tools fit in. We use SailPoint IdentityNow (IdN) for this. It allows you to build out the roles for these users, connect IdN to these other apps, and it can handle the account creation/provisioning aspects. They also have tools that use AI/ML to help you discover “peer groups” with common access and create roles (bundles of access) from that.