Bridge the gap between HR, IT, and business with Azure Active Directory | OD292

[MUSIC]

>> Welcome to the session on bridge the gap between HR, IT, and business with Azure AD. My name is Chetan Desai and I’m part of the Azure AD Identity PM team, focusing on Azure AD integrations with HR systems like Workday and SuccessFactors.

>> I’m Jason Thompson, a Senior Program Manager in the Microsoft Identity Division on the customer and partner experience team. We will begin by looking at the integration challenges facing HR, IT, and business leaders today, so you can be ready to embark on this journey of digital transformation. We will describe how Azure AD can bridge the gaps in the employee experience by simplifying the onboarding process with automated provisioning of employee data. Chetan has also prepared a demonstration of this functionality. Before we close, I will briefly cover upcoming features and some resources to help get you started in your own environment.

The recent pandemic has forced organizations to rethink company cultures and embrace a remote work environment. Businesses are adapting their business processes to support a remote workforce so that employees can still be productive outside the workplace. Workplace tools and technologies have allowed employees to engage, contribute, and innovate more effectively, both when in-person and remotely. Team members should not feel isolated simply because they are distributed geographically. HR teams have also found it necessary to restructure many HR processes, including virtual interviewing, onboarding, and new hire orientation. Change can be difficult, but we’ve been hard at work to help alleviate these challenges through our products and services. Our mission at Microsoft is to empower every person and organization on the planet to achieve more, and that is exactly what we hope to achieve with our Azure AD services by integrating your organizational divisions together.

First, Azure AD bridges the gap between HR and IT by using the employee’s or contractor’s relationship with the organization to
automate account provisioning and de-provisioning within IT systems such as your existing Active Directory. Not only does this reduce human error when provisioning user accounts, but it enables IT teams to focus on higher value tasks than troubleshooting custom scripts and typos between systems. This integration with HR also improves security by ensuring the latest changes in employment and business role are reflected in the user’s access to IT systems.

Azure AD also bridges the gap between IT and the business itself. The business groups often drive use of tools, applications, and resources within an organization, and IT is then tasked to make it work. Automation of user and group provisioning to these applications can again reduce human error and ensure that employees are granted the appropriate permissions in a timely manner. With accurate, up-to-date HR data in the IT systems, role-based or attribute-based access controls in Azure AD can automatically provision access to applications and resources required to perform a particular job function. For scenarios where access requests and approvals are required, IT can delegate access control to an application owner within the business who understands the business needs and requirements for that application.

Finally, Azure AD bridges the gap between HR and the business by ensuring the business has up-to-date and consistent identity data. Data can be used to improve and streamline business processes by using automation and user contexts. The lifecycle within Azure AD enables organizations to iterate quickly and adapt effectively to future change.

Many of our customers are already experiencing the benefits of the Azure AD platform. ASOS is a large online fashion retailer using Azure AD provisioning to bring in users from Workday and provision to not only their on-prem Active Directory, but also a range of Software as a Service business applications. In doing this, Azure AD is able to detect when an employee or contractor is
terminated and revoke access across all apps accordingly. Pernod Ricard, one of the largest producers of wine and spirits in the world, uses this integration to simplify management of users across multiple AD domains managed by its global subsidiaries. Their Azure AD integration with Workday reduces the repetitive tasks of managing the data across systems, allowing their service desk to focus on more important tasks. You can read the full customer stories by navigating to the URLs on the screen. We’ll now hand it over to Chetan to describe how the provisioning works in Azure AD.

>> Thank you, Jason. With that, let’s look into the world of HR-driven user provisioning and what makes it unique. If you take a look at the world of HR, HR admins are often juggling with joiner, mover, leaver scenarios: when a new person is joining as a pre-hire or when a user gets activated, when there are changes or relocations, either at an org level or at the department level. Finally, there are people who are going on long leave, submitting resignation, and terminations, and how this impacts an IT person. So if you take a look at the IT admin perspective, the IT admin has to perform different operations based on these HR events, right from creating a user account, updating the account, managing the licenses, and, when someone leaves the company, disabling the user account. What are some of the traditional approaches IT is using for this integration?
They are running scripts to pull HR data every night. Some IT teams engage IT help desk to create, update, and remove those accounts. Then there are some that use the approach of CSV file exports and custom scripts. Finally, there are IT teams using third-party provisioning tools.

As we speak to customers, we hear that there are problems with each approach. Let’s take a quick look at what those problems are. In terms of running custom scripts to pull HR data, we’ve heard customers say that there’s an operational overhead to this, especially when you add a new custom field in HR; then you need to update each script. The consultant who developed a script no longer works with us. So how do we update those scripts? Then with regards to the second approach of IT help desk, this process doesn’t scale and is prone to manual errors. The third approach also has a problem wherein it’s not modern enough, and there are problems with those files: if there are formatting changes, if there are structural changes in the file, then the export and import happens to fail. Finally, even with third-party provisioning tools, there are additional costs associated with it and customers desire to consolidate all their provisioning into one application.

With these motivations we decided to come up with a modern approach for integrating Cloud HCM, where we directly connect to the Cloud HCM systems and enable HR-driven user provisioning and to automate their joiner, mover, and leaver processes. What that means is, we also manage an entire spectrum of HR scenarios, right from new hire, new contingent worker creation, generating unique IDs and passwords for the users, handling scenarios such as worker conversion, for example, full-time converting to contingent workers, contingent workers converting to full-time, and so on. This feature requires Azure AD P1 or M365 E3 license. We are also trying to push the envelope in terms of partnering with companies like ServiceNow to deepen their integration to enable
automated onboarding and access provisioning for new hires. Specifically, this integration is useful for those companies that are using ServiceNow to define business roles, and those business roles map to certain permissions such as Azure AD groups, and you want to trigger automated provisioning based on those group memberships. So we’ll take a look at this scenario also in our demo.

With that, we will look into our demo scenarios. Our first demo scenario is around new hire provisioning. What we’re going to do in this scenario is, we are going to, in step 1, hire a new user in SuccessFactors. Then we are going to create Azure AD and on-premises AD account for this user and a ServiceNow account, which is automated with Azure AD. In step 4, the Hiring Manager will log in to ServiceNow and assign a business role to this user. Finally, in step 5 and 6 we’ll see how the IT can assign groups that will drive application access and also write back IT-managed attributes like e-mail and phone number to SuccessFactors. The demo users for this scenario would be a new hire called Jeff Taylor, and the hiring manager for Jeff Taylor would be Nick Stuart.

Let’s take a look at the scenario. We’re going to first log in as the HR admin into SuccessFactors admin console, and here we are going to hire Jeff Taylor. HR creates a profile for Jeff Taylor. As you see, he’s hired as a Retail Sales Associate in store Operations Department and Nick Stuart is the Manager for Jeff Taylor.

Now, let’s take a look at what IT has done. IT has configured an inbound user provisioning app, from SuccessFactors to Azure AD, and all attributes have been mapped. Each SuccessFactors attribute has been mapped to a corresponding Azure AD attribute. This provisioning job runs every 40 minutes, pulling data changes from SuccessFactors, and creating those users in Azure AD. There’s also a feature called provisioning on-demand, which we can use to provision this new hire, Jeff Taylor, on-demand. When we initiate this process, what happens is, Azure AD will pull all details of Jeff Taylor from SuccessFactors, and automatically create an Azure AD account for Jeff. Now, if you take a look at Jeff’s profile in Azure AD, we see all the same attribute data from SuccessFactors in
Azure AD. Now, once the new hire has an Azure AD account, we can also automate provisioning to business applications like ServiceNow. Here, you are seeing us provision the same user into ServiceNow. So IT has provisioned Jeff’s account in ServiceNow. Let’s log in to the ServiceNow console, and take a look at Jeff Taylor’s profile. Here, you see the same information and attribute data from SuccessFactors shows up in ServiceNow, that he’s part of the retail store operations department, and Nick Stuart is the manager for Jeff Taylor.

As I mentioned earlier, some IT departments, they require hiring managers to assign additional business roles. Nick can log in to ServiceNow, and use the to-do list to access those tasks. Here, we see Nick assigning Jeff the business role of a retail delivery manager, and then sending a welcome e-mail to Jeff for his first day of work. Here, Nick completes these two processes, these two tasks that were assigned to him. Now, if you take a look at Jeff’s profile back in Azure AD, we see that the business role assigned in ServiceNow grants him access to a new security group called the retail delivery group. Then as a final step, we’ll see that IT can assign the phone number to the new hire, and flow that change into SuccessFactors, so that was the last step of the onboarding flow. With this, we come to the end of our demo.

Now then, let’s take a look at the demo scenario for department-level change. Here we are going to see the employee Martin Snow, moving from Shared Services to the Information Technology department. In the process, we’ll see how Azure AD can be used to automate these tasks 2, 3, and 4, where we will update the user’s OU in AD, update the user organization attributes, and also update the manager. Here, we’re going to log in to SuccessFactors and take a look at Martin Snow’s profile. Martin Snow is a customer service agent working in the Shared Services department, and is reporting to James Patrick. What we’ll do now is also take a look at Martin Snow’s AD profile, and we see that he is in the shared services OU, and the same information from SuccessFactors is in sync with the attributes in Active Directory. Let’s change Martin’s position from customer service agent to analyst in the IT department. This triggers the move from Shared Services to the Information Technology department, and also updates Martin’s manager from James to Joe Flores. Now when you run the SuccessFactors to AD sync, in the provisioning logs, we will see that an update record shows up for Martin Snow. In this update we see that the parent distinguished name, or the OU for the user, has changed from Shared Services to the Information Technology department. If you go to the user’s Active Directory profile we see the same change: he’s in the Information Technology department and the manager is set to Joe Flores. With using this integration, you can ensure a timely flow of information changes to downstream systems.

Now let’s take a look at the third demo scenario of user separation. Here, we are going to look at Jay Walker who opts for early retirement, and this initiates the termination workflow. HR initiates the termination in SuccessFactors and that triggers disabling the user account in Azure AD, and also deactivating Jay’s ServiceNow account. We’ll start with SuccessFactors admin console. Here, HR initiates the termination process for the user, and this workflow completes within SuccessFactors. After all the approvals are complete, IT can process the termination
event and Azure AD disables the user account, also blocking the sign-in for this user. If we go into ServiceNow and open Jay’s profile, we see that Azure AD has also disabled the ServiceNow account associated with this user. So that completes all the demo scenarios for this session.

Here’s a quick wrap-up of the demo scenarios we went through. We first went through new hire onboarding flow, how it can be automated. We then had a look at how department changes can flow all the way from SuccessFactors, and you can use it to update the attributes in on-prem Active Directory. Finally, with user separation, we saw how automatic deactivation of accounts can take place, based on SuccessFactors termination events. With that, I will hand it over to Jason for the next part of this presentation. Thank you.

>> In summary, Azure AD provides HR integration today with both SAP SuccessFactors and Workday for automating provisioning workflows associated with your joiner, mover, and leaver processes. The key features include: direct API integration with Cloud HCMs; automated creation of user accounts for employees and contractors to AD, Azure AD and beyond; continuous updates of user data from HCMs, as well as write-back of data to HCMs; and configurable termination events to automatically disable user access to business applications and resources. These provide the benefit of automated onboarding and offboarding workflows, decommissioning of HR flat-file integrations and custom scripts, enhanced security, improved compliance and better productivity.

In the future, we intend to support provisioning to additional applications and services, including those on your on-premises network. We are also planning to add more popular HR platforms such as Oracle HCM, UltiPro, and Ceridian Dayforce, as well as possibly a generic HR connector for pulling data from a SQL staging table. With more enhancements to Cloud provisioning rolling out over the next couple of months, you can now eliminate on-premises workloads, and manage all provisioning tasks from the Cloud.

Here are some resources and documentation you can reference to get you started with Azure AD provisioning. We understand the integration with HR involves multiple stakeholders and requires careful planning. To help jump-start this process, we have published a Cloud HR deployment plan, to ensure that key items are addressed as part of the planning process. Lastly, for both SuccessFactors and Workday, we offer a step-by-step tutorial which you can use to get started evaluating the functionality in your own environments and labs. Thank you for listening, and I hope you will consider Azure AD as the Cloud provisioning platform for your organization.