Automate onboarding & offboarding tasks with Microsoft Entra | Identity Lifecycle Management

  • Published 30 Jan 2025

Comments • 29

  • @Victorylap2024 · 1 year ago · +5

    Great explanation, great feature. Onboarding employees has been one of the pain areas in big organizations as they use reactive systems and not the other way around.

  • @mburland · 1 year ago · +47

    These videos really need to begin with "In this video we'll be discussing a product that requires the following licenses..." Save me the time of watching the whole thing then discovering we're not licensed for it.

    • @dubla6314 · 1 year ago

      They offer trials.

    • @angelcastillo8572 · 1 year ago

      Really expensive

    • @gary1488 · 1 year ago

      @angelcastillo8572 Yeah, and the tools aren't baked yet. Things are so basic.

  • @gary1488 · 1 year ago · +5

    Sooo... why are distribution groups not included in this? This is a common task for all users associated with onboarding employees.

    • @c016smith52 · 1 year ago

      Seriously I wish the Exchange Online team would get on it, or at least communicate with the public, about their journey to get all Exchange objects into the Graph. Feels like Exchange now, even in the cloud, is like the last to the party to be API/SSO/modern etc.

    • @vinayaknaik6568 · months ago

      I also want to ask the same thing.

  • @shynel1714 · 1 year ago · +5

    It's a nice feature, but I can't understand why it's so expensive. 6€ per user? In addition, you need to have an Entra P1 license :(

  • @frankmvabaza · 1 year ago · +2

    Is Automate onboarding & offboarding cloud-based only for now? What about a hybrid environment where the new account syncs from AD to AAD?

    • @first-choicecyber · 1 year ago

      I found that currently Microsoft is working on a writeback for on-prem AD. There are a lot of environments that are either still on-prem and using AD Connect. But the tool is not bidirectional unfortunately as I've learned from them. This would be good for those on-prem groups that are needed as well as a part of onboarding.

    • @vinayaknaik6568 · months ago

      I also want to ask the same thing.

  • @YouKayTen · 8 months ago

    Thanks for this. Brilliant for Admin roles. Is there a way we could leverage PIM to delegate access on behalf of another user as a role? E.g. EA on behalf of CEO (or anything else within the Microsoft universe)?

  • @abdavey · 1 year ago

    Though, the question is, how much of this is accessible with a Business Premium license? Seems like most videos on 365 are geared towards E3-E5 users.

  • @downundarob · 1 year ago

    I feel what is really needed here is a process that allows you to copy one user to another, you know, like on-prem was able to do in ADUC?
    That way it takes maybe five minutes to create a new user who will be fulfilling the same tasks as another user, and copy all the Role Groups, File Access groups and such, instead of the sometimes up to ONE HOUR to copy and ensure all 120+ AAD groups have been successfully mimicked (and PowerShell isn't capable of this either).

    • @gary1488 · 1 year ago · +2

      Honestly, that's a terrible practice from a security standpoint. You'll end up giving way too much access to someone else. Least Privilege Access. The way you do this is you have job families defined based on HRIS data. A new account rep comes on board and there is a workflow set up to add this new rep to all of the groups that they need for their role. These groups define applications pushed to their machine, file share access, SaaS provisioning, yada yada... Then when they leave you reverse the process.
      The issue I see with Entra so far is they do not have a lot of these options baked for hybrid-related tasks. Creating an on-prem user, adding to groups, etc. Hopefully it'll come.

  • @KingCode_ · 1 year ago

    An issue with the onboarding flow is that a pre-generated password is created with the user account. Sure, you've provided the manager with the TAP and they then give it to the new hire. But they can't and will not be able to modify their password unless IT manually sends/provides one to them separately.

    • @SamuraiJr · 1 year ago · +2

      Yes, they will. You can make it so it requires a password change on first sign-in, or the user can change the password after sign-in.

  • @michellew9477 · 1 year ago

    Doesn't seem to be in Canada? Anyone else able to see it?

  • @chaomac · 1 year ago · +1

    Would be good if there was a feature that would add someone into the same groups/teams as someone else.

    • @SirRodhood · 1 year ago · +1

      PowerShell can do this. Get the groups of one user and recursively add the user to all the groups.

    • @MSFTMechanics · 1 year ago · +2

      Dynamic groups in Entra ID (Azure AD) can automatically assign group/team membership, too. This can be predicated on attributes like location, title, etc. ExtensionAttributes are also pretty useful in this case for adding things not already available to query from.

    • @gary1488 · 1 year ago

      @MSFTMechanics Right, but not if we are dealing with distribution groups and we want to dynamically assign memberships. Doesn't work and not compatible. Also, even with populating group memberships dynamically, you don't have the flexibility to also include an additional group as an exception or catch-all group.

    • @gary1488 · 1 year ago

      Normally this isn't a good recommended security practice... scope this to a role (based on title or job family) and not so much a user as the template. The user may have more rights than you think.

    • @downundarob · 1 year ago

      @SirRodhood Actually, PowerShell can't do this, not the last time I checked just back in June 2023. Distribution Groups, Security Groups, Mail-Enabled Security Groups, Office 365 Groups, Microsoft 365 Groups and SharePoint Groups all need to be handled separately and not by the same module. Just finding the SharePoint root programmatically is a headache.
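A concrete version of the role-scoped dynamic-group approach @MSFTMechanics and @gary1488 describe above (membership keyed to HR attributes rather than copied from another user), as an added example that is not from the video or from any commenter. It assumes the Microsoft Graph PowerShell SDK, an operator holding Group.ReadWrite.All and User.Read.All, and that HR data populates department, jobTitle and extensionAttribute1 on each user; the group and attribute values are constructed placeholders.

```powershell
# Added example (not from the video or any commenter): a role-scoped dynamic security
# group in Entra ID built with the Microsoft Graph PowerShell SDK. Membership follows
# HR-sourced attributes, so onboarding adds the user and offboarding (HR clearing the
# attributes) removes them, with no per-user copying and no "template" user's extra rights.
# Assumptions: Microsoft.Graph module installed; Group.ReadWrite.All + User.Read.All granted;
# dynamic membership requires Entra ID P1 licensing (the thread's cost point applies here too).

Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Rule in Entra dynamic-membership syntax. The scope is a job family, not a person.
# extensionAttribute1 is the HR "status" flag the thread mentions; values are constructed.
$rule = '(user.department -eq "Sales") and ' +
        '(user.jobTitle -eq "Account Representative") and ' +
        '(user.extensionAttribute1 -eq "Active")'

# Preview, before creating anything, who the rule would pull in. The first two clauses map
# directly to an OData $filter; extensionAttribute1 lives under onPremisesExtensionAttributes,
# so it is checked client-side here for the preview only.
$preview = Get-MgUser -All `
    -Filter "department eq 'Sales' and jobTitle eq 'Account Representative'" `
    -Property Id, DisplayName, UserPrincipalName, OnPremisesExtensionAttributes |
  Where-Object { $_.OnPremisesExtensionAttributes.ExtensionAttribute1 -eq 'Active' }

"Rule would currently match $($preview.Count) user(s):"
$preview | Select-Object DisplayName, UserPrincipalName | Format-Table -AutoSize

# Create the security group with the rule attached and processing switched on.
# Note the thread's caveat: this is a security group, not an Exchange distribution group;
# distribution lists are not covered by dynamic membership and still need separate handling.
$group = New-MgGroup -DisplayName "Role-Sales-AccountRep" `
    -MailEnabled:$false -MailNickname "role-sales-accountrep" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Confirm the rule was stored as written and is being evaluated.
Get-MgGroup -GroupId $group.Id `
    -Property Id, DisplayName, MembershipRule, MembershipRuleProcessingState |
  Format-List Id, DisplayName, MembershipRule, MembershipRuleProcessingState
```

Membership is recalculated by Entra after creation, so the group will show no members until processing completes; the preview above is the check that the rule is scoped the way you intended before it starts granting access.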

  • @SR-fi8ef · 1 year ago · +1

    One day, I will be the only one running my company, no more humans... Not even a dashboard will be needed for I will not have eyes nor feelings!

  • @jl8660 · 1 year ago

    How do I change a user's employeeLeaveDateTime attribute?

    • @MSFTMechanics · 1 year ago

      You would likely need to define an extension attribute for that.

  • @fenimama · 4 months ago

    Brilliant. But again, need $5/user. What and why, why, why??