Some (not so) recent improvements with Lifecycle Workflows in Entra

Back in 2023, Microsoft released the Lifecycle workflows feature, which we covered in this article. Lifecycle workflows are one of the most impactful non-security-related features we have gotten in the past few years, and the fact that Microsoft released it with Graph API support from the get-go made me appreciate the feature even more. That said, the initial release had some limits as well as missing functionality. In this article, we will take a look at some recent updates to the feature that address a few of the gaps. Sadly, some scenarios are still not possible via Lifecycle workflows, and a few limitations still exist.

We are starting with the most recent update, namely granular permissions for the Lifecycle workflows Graph API endpoints. Previously we had a choice between a “read-only” and an “edit” scope, each covering all the functionality Lifecycle workflows support; we can now delegate permissions granularly for specific scenarios. For example, there is now a scope that only allows you to activate (run on demand) a given workflow, without being able to make any modifications to it. The full list of permissions is shown below:

  • LifecycleWorkflows-Workflow.Read.All (existing one)
  • LifecycleWorkflows-Workflow.ReadWrite.All (existing one)
  • LifecycleWorkflows-Workflow.ReadBasic.All
  • LifecycleWorkflows-Workflow.Activate
  • LifecycleWorkflows-Reports.Read.All
  • LifecycleWorkflows-CustomExt.Read.All
  • LifecycleWorkflows-CustomExt.ReadWrite.All

All of the above are supported in both application and delegated context. As a side note, all of these seem to have been around for a few months now, but for some reason they never made it to the Graph changelog or the “What’s new” page.
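As an added example (not code from the original post), here is what the new scopes look like in practice from the Microsoft Graph PowerShell SDK: a session that holds only the basic-read and activate scopes can run a workflow on demand for a user, while a PATCH against the same workflow should be rejected. The workflow display name and the user object ID are placeholders, and the assumption that LifecycleWorkflows-Workflow.ReadBasic.All is sufficient to enumerate workflows is mine, not something the post states.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph PowerShell
# SDK is installed and that the signed-in user has been granted (or can consent to)
# the two scopes below. Workflow name and user object ID are placeholders.
$WorkflowName = 'Pre-offboarding of an employee'          # placeholder
$TargetUserId = '00000000-0000-0000-0000-000000000000'    # placeholder object ID

# Consent only to the narrow scopes: read basic workflow properties, run on demand.
# Assumption: ReadBasic.All is enough to enumerate workflows and resolve the ID.
Connect-MgGraph -Scopes 'LifecycleWorkflows-Workflow.ReadBasic.All',
                        'LifecycleWorkflows-Workflow.Activate' -NoWelcome

# Sanity check: confirm the token does not also carry the broad ReadWrite.All scope,
# otherwise the least-privilege check at the end proves nothing.
$scopes = (Get-MgContext).Scopes
if ($scopes -contains 'LifecycleWorkflows-Workflow.ReadWrite.All') {
    Write-Warning 'Session holds ReadWrite.All; the PATCH check below is meaningless.'
}

$base = 'https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows/workflows'

# Resolve the workflow by display name. Filtering client-side keeps the call simple;
# the tenant-wide list is capped at 100 workflows anyway.
$wf = (Invoke-MgGraphRequest -Method GET -Uri $base).value |
      Where-Object { $_.displayName -eq $WorkflowName } | Select-Object -First 1
if (-not $wf) { throw "Workflow '$WorkflowName' not found" }

# Run the workflow on demand for one user. The activate action takes a list of
# subjects (user object IDs) and returns 204 No Content on success.
$activateBody = @{ subjects = @(@{ id = $TargetUserId }) } | ConvertTo-Json -Depth 4
Invoke-MgGraphRequest -Method POST -Uri "$base/$($wf.id)/activate" `
    -Body $activateBody -ContentType 'application/json'
Write-Host "Activated '$($wf.displayName)' ($($wf.id)) for $TargetUserId"

# Least-privilege check: with only the Activate scope, editing must fail.
# Graph answers a missing scope with 403 Forbidden (Authorization_RequestDenied).
$patchBody = @{ description = 'should not be applied' } | ConvertTo-Json
try {
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/$($wf.id)" `
        -Body $patchBody -ContentType 'application/json'
    Write-Warning 'PATCH succeeded: this token carries more than the Activate scope.'
}
catch {
    Write-Host "PATCH rejected as expected: $($_.Exception.Message)"
}
```

The same pattern applies in application context: register an app with only LifecycleWorkflows-Workflow.Activate, and a compromised client secret lets an attacker trigger existing workflows against users but not rewrite what those workflows do, which is a much smaller blast radius than the old ReadWrite.All.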

When it comes to admin roles, the Lifecycle Workflows Administrator role remains the least-privileged option. Sadly, that role cannot be scoped via the standard RBAC controls we have in Entra ID. While we still lack granularity for delegating or restricting the creation and editing of a lifecycle workflow, we do have a lot of flexibility when it comes to executing them. This is further enhanced by support for scoping the execution of a lifecycle workflow via custom security attributes, which Microsoft added back in August 2024.

Switching gears a bit, one of the limits of the GA version of the feature was the total number of workflows, which was set to 50. It has since been raised to 100, though this value is probably still quite low. Another limit I mentioned in my initial look at the feature was the set of built-in tasks, or actions. I am happy to report that assigning or removing a license is now a supported task, and the enable, disable and delete user account tasks can now also be performed against synchronized users. The latter set of tasks requires additional configuration, as detailed in this article.

While we have seen a few new tasks being added, my expectation was that by now the list would have grown to at least 50 or so and would include common actions across Microsoft 365 workloads. Unfortunately, the only positive I can mention on this front is that the Remove user from all groups task now has a proper description, informing you that it will not affect any groups that Entra doesn’t natively support, i.e. mail-enabled security groups, distribution lists and their dynamic siblings. No tasks currently cover mailbox, site or Teams related operations. And there is no task to provision a user object, either.

On a more positive note, one of the things on my “wish” list that Microsoft addressed is a template using an “attribute change” based trigger for Mover type workflows, addressing the scenario where a user’s department, job role or location has changed. You can find detailed step-by-step instructions on how to configure a workflow for this scenario in the following article. Another thing I pointed out in my initial review, the 30-day window for reprocessing a user, has also been addressed.

Lastly, we have also gotten some improvements in the handling of workflow history: we can now use the Download button to export data to CSV across the Users, Runs and Tasks views. Some additional insights are now available on the Overview page, under the Workflow Insights tab. These should give customers an easier way to monitor the functionality, so they don’t have to rely on the audit logs.
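The Download button is handy for one-off exports, but for ongoing monitoring a practitioner would rather pull the same run history through Graph under the new LifecycleWorkflows-Reports.Read.All scope and flag failures from a scheduled script. The following is an added example, not code from the original post; the workflow display name, output path and 7-day window are placeholders, and it assumes the v1.0 runs and taskProcessingResults endpoints fall under the Reports scope.

```powershell
# Added example, not from the original post. Exports recent run history for one
# workflow to CSV via Graph and flags runs with failures, as a scriptable
# alternative to the portal's Download button. Placeholders: workflow name, path, window.
$WorkflowName = 'Pre-offboarding of an employee'   # placeholder
$OutFile      = '.\lcw-runs.csv'                   # placeholder
$DaysBack     = 7                                  # placeholder window

# Read-only scopes: basic workflow properties plus the new reports scope.
# Assumption: the runs / taskProcessingResults endpoints are covered by Reports.Read.All.
Connect-MgGraph -Scopes 'LifecycleWorkflows-Workflow.ReadBasic.All',
                        'LifecycleWorkflows-Reports.Read.All' -NoWelcome

$base = 'https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows/workflows'

# Follow @odata.nextLink so a busy workflow's history is not silently truncated
# at the first page.
function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        foreach ($item in $page.value) { $item }
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

$wf = Get-GraphCollection -Uri $base |
      Where-Object { $_.displayName -eq $WorkflowName } | Select-Object -First 1
if (-not $wf) { throw "Workflow '$WorkflowName' not found" }

$since = (Get-Date).AddDays(-$DaysBack)

# Each run carries aggregate counters; failedUsersCount and failedTasksCount are
# the fields worth alerting on. @() forces an array even for zero or one run.
$runs = @(Get-GraphCollection -Uri "$base/$($wf.id)/runs" |
    Where-Object { $_.startedDateTime -and ([datetime]$_.startedDateTime) -ge $since } |
    ForEach-Object {
        [pscustomobject]@{
            RunId           = $_.id
            Started         = $_.startedDateTime
            Completed       = $_.completedDateTime
            Status          = $_.processingStatus
            TotalUsers      = $_.totalUsersCount
            SuccessfulUsers = $_.successfulUsersCount
            FailedUsers     = $_.failedUsersCount
            TotalTasks      = $_.totalTasksCount
            FailedTasks     = $_.failedTasksCount
        }
    })

$runs | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "Exported $($runs.Count) run(s) for '$($wf.displayName)' to $OutFile"

# Surface failures and pull the per-task detail for them, so the report is actionable
# without opening the audit log.
foreach ($run in $runs | Where-Object { $_.FailedUsers -gt 0 -or $_.FailedTasks -gt 0 }) {
    Write-Warning "Run $($run.RunId) started $($run.Started): $($run.FailedUsers) failed user(s), $($run.FailedTasks) failed task(s)"
    Get-GraphCollection -Uri "$base/$($wf.id)/runs/$($run.RunId)/taskProcessingResults" |
        Where-Object { $_.processingStatus -eq 'failed' } |
        ForEach-Object { Write-Warning "  result $($_.id): $($_.failureReason)" }
}
```

Run this from a scheduled task or an automation account with an app registration holding only the two read scopes; the script never needs ReadWrite.All, so the credential it uses cannot be turned into a way to alter offboarding logic.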

Overall, we have seen some gradual improvements to the feature, but nothing earth-shattering. From my perspective, the feature would greatly benefit from expanded task support across the various M365 workloads, instead of having to rely on Logic App extensibility. And speaking of extensibility, if ISVs such as CoreView are able to provide customers with the ability to execute custom PowerShell scripts, surely Microsoft can also provide a way to address common tasks via the “standard” admin tools.

Similarly, the feature remains “coupled” to other Entra features, such as HR inbound provisioning, which might be seen as overkill for smaller shops. Allowing customers to create custom workflows and run tasks such as “create a user account” is something that would improve the feature’s adoption, IMO. Then again, customers can pay us to do this instead, so why am I complaining? 🙂
