How Can I Fix My IAM Setup and Implement Best Practices?

Asked By CuriousCat732 On

I'm currently facing a major Identity & Access Management (IAM) issue and need your advice on cleaning things up. Here's my situation:

We use Workday as our HR system, which feeds data into Azure Active Directory (Entra). Entra handles user creation for our on-premises Active Directory (AD), which then syncs back to Entra ID for all our internal employees and contractors. For external users and service accounts, we manage them through Microsoft Identity Manager (MIM).

The problem is that the connection between these systems feels shaky. I often encounter situations where a user is marked as terminated in Workday, but that change doesn't propagate properly, leaving their accounts active in both AD and Entra. This results in orphaned accounts and inconsistencies, creating governance and audit challenges.

I'm looking for suggestions on how to:
- Clean up this messy setup
- Create effective lifecycle management across Workday, AD, Entra, and MIM
- Automatically detect and deprovision outdated or mismatched accounts
- Potentially simplify this complicated architecture (if that's even feasible)

Has anyone experienced similar issues? What tools or strategies helped you resolve them (like SailPoint, Saviynt, Entra Lifecycle, custom scripts, etc.)? Any personal experiences or advice would be greatly appreciated!

1 Answer

Answered By TechGuru99 On

It sounds like a real challenge! I don't use MIM myself, but in our environment, we pull data from Workday using RaaS exports. We have clear timelines for different statuses: Hire Date when a user shows up, Start Date for when they become active in AD, and Term Date for when accounts are disabled. This clears up a lot of confusion. We sync via scheduled scripts that run regularly to keep everything updated between systems, minimizing stale accounts. It's a bit of a juggling act but helps to have everything documented, especially for audits.

DataWhisperer88 -

Thanks for the insights on the RaaS. Does your setup ensure that the data syncs almost in real-time? I'm worried about delays, especially for terminations. How do you handle service accounts without using MIM?
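The reconciliation pattern TechGuru99 describes (a Workday RaaS export with Hire, Start and Term dates, checked by a scheduled script against what the directory actually holds) as an added example; this is not code from either poster. It runs over constructed sample rows, and the real RaaS export and AD/Entra snapshot would be pulled by your own integration (assumed, not shown):

```python
from datetime import date

# Constructed Workday RaaS rows (worker id, UPN, hire/start/term dates as ISO or None).
WORKDAY = [
    {"worker_id": "W1001", "upn": "alice@example.com", "hire": "2024-01-02", "start": "2024-01-15", "term": None},
    {"worker_id": "W1002", "upn": "bob@example.com",   "hire": "2023-06-01", "start": "2023-06-01", "term": "2024-03-31"},
    {"worker_id": "W1003", "upn": "carol@example.com", "hire": "2024-05-01", "start": "2024-06-01", "term": None},
    {"worker_id": "W1004", "upn": "eve@example.com",   "hire": "2024-04-01", "start": "2024-04-15", "term": None},
]

# Constructed directory snapshot (what AD / Entra currently hold for these UPNs).
DIRECTORY = [
    {"upn": "alice@example.com", "enabled": True, "employee_id": "W1001"},
    {"upn": "bob@example.com",   "enabled": True, "employee_id": "W1002"},  # termed in HR, still enabled
    {"upn": "carol@example.com", "enabled": True, "employee_id": "W1003"},  # enabled before start date
    {"upn": "dave@example.com",  "enabled": True, "employee_id": None},     # no HR record at all
    {"upn": "svc-backup@example.com", "enabled": True, "employee_id": None},  # service account
]

DEMO_TODAY = date(2024, 5, 10)  # the "as of" date used for the sample run


def _d(s):
    return date.fromisoformat(s) if s else None


def reconcile(workday, directory, today, service_prefix="svc-"):
    """Return {upn: finding} for every account that disagrees with HR as of `today`."""
    hr = {w["worker_id"]: w for w in workday}
    seen, findings = set(), {}
    for acct in directory:
        upn = acct["upn"]
        if upn.startswith(service_prefix):
            continue  # service accounts follow a separate, owner-based process
        rec = hr.get(acct["employee_id"])
        if rec is None:
            findings[upn] = "orphan: no HR record"
            continue
        seen.add(rec["worker_id"])
        term, start = _d(rec["term"]), _d(rec["start"])
        if term and term <= today and acct["enabled"]:
            findings[upn] = "terminated in HR but still enabled"
        elif start > today and acct["enabled"]:
            findings[upn] = "enabled before start date"
    for w in workday:  # the reverse check: HR says active, directory has nothing
        term, start = _d(w["term"]), _d(w["start"])
        if w["worker_id"] not in seen and start <= today and not (term and term <= today):
            findings[w["upn"]] = "active in HR but no directory account"
    return findings


if __name__ == "__main__":
    for upn, why in sorted(reconcile(WORKDAY, DIRECTORY, DEMO_TODAY).items()):
        print(f"{upn}: {why}")
```

Each finding is a review-and-disable candidate for the scheduled run, and keeping the output per run gives the audit trail the answer mentions.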
