---
name: Lifecycle Workflows Joiner Mover Leaver Coverage
description: Audit Microsoft Entra lifecycle workflows for joiner, mover and leaver automation coverage and manual identity gaps.
---

# Lifecycle Workflows Joiner Mover Leaver Coverage

> **TL;DR:** This skill reads your Microsoft Entra lifecycle workflow configuration to confirm joiner, mover and leaver events are automated, then reports where identity changes still rely on manual handling that can leave stale access.

## What are Microsoft Entra lifecycle workflows?

Microsoft Entra lifecycle workflows are an Entra ID Governance capability that automates routine identity tasks as people join, move between roles, or leave an organisation. They run tasks such as enabling accounts, generating temporary access pass credentials, assigning access packages, and disabling or removing accounts on a schedule tied to attributes like employee hire and leave dates. This skill inspects that automation alongside related controls such as Conditional Access and access reviews so you can see whether identity hygiene is enforced consistently rather than left to manual help desk effort.

## When should you run this skill?

- "Do we have automated leaver offboarding, or are accounts disabled by hand?"
- "Show me which joiner, mover and leaver events are covered by lifecycle workflows."
- "Are there gaps where stale accounts could keep access after someone leaves?"
- "Prove to the auditor that offboarding is automated and timely."
- "Which lifecycle workflows are scheduled but disabled or failing?"
- "Are mover scenarios handled, or only joiners and leavers?"
- "What manual steps remain in our identity lifecycle process?"

## How this skill works, step by step

1. Connect read-only to Microsoft Entra ID Governance and enumerate all configured lifecycle workflows.
2. Classify each workflow by category as joiner, mover or leaver based on its trigger and tasks.
3. Record whether each workflow is enabled, its schedule, and the trigger attribute (for example employee hire date or employee leave date).
4. Inspect the task collection in each workflow to confirm essential actions are present, such as account enablement, temporary access pass issuance, group and access package handling, and account disablement or deletion.
5. Check recent workflow run history for failures or skipped users that indicate broken automation.
6. Cross-reference the three lifecycle categories to identify any category with no enabled workflow, marking it a manual gap.
7. Derive a risk score by weighting missing leaver automation highest, followed by missing mover and joiner coverage, then disabled or failing workflows.
8. Compile the findings into a coverage table with prioritised remediation guidance.
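As an added example (not part of this skill page or of Microsoft's tooling), the Python below implements steps 1 to 8 offline over constructed workflow and run records. The records are shaped like the Microsoft Graph `workflow` and `run` resources returned from `/identityGovernance/lifecycleWorkflows/workflows` and `/workflows/{id}/runs` (fields such as `category`, `isEnabled`, `executionConditions.trigger`, `tasks`, `processingStatus` and `failedUsersCount`); those field names, the keyword matching of task display names, and the numeric weights are assumptions chosen to illustrate the procedure, not the skill's actual schema or scoring.

```python
"""Added example, not code from the skill page or from Microsoft: audit Entra
lifecycle workflow definitions for joiner/mover/leaver coverage and score gaps.
Sample input is constructed; field names follow the Graph `workflow`/`run`
resources as assumed here, not an authoritative schema."""
from collections import defaultdict

CATEGORIES = ("leaver", "mover", "joiner")  # leaver first: highest weight

# Essential tasks per category, matched as keywords on task displayName.
# Assumption for illustration; a production check should key on the fixed
# built-in taskDefinitionId values rather than display text.
ESSENTIAL_TASKS = {
    "joiner": ("enable user account", "temporary access pass"),
    "mover": ("group",),
    "leaver": ("disable user account",),
}

# Weights implement the skill's ordering: missing leaver automation highest,
# then missing mover/joiner coverage, then disabled or failing workflows.
WEIGHTS = {"missing_leaver": 10, "missing_mover": 6, "missing_joiner": 4,
           "disabled_workflow": 3, "failed_run": 3, "missing_task": 2}
FAILED_STATES = {"failed", "completedWithErrors"}


def describe_trigger(workflow):
    """Label the trigger: a time-based attribute or a set of changed attributes."""
    trigger = (workflow.get("executionConditions") or {}).get("trigger") or {}
    if "timeBasedAttribute" in trigger:
        return f"{trigger['timeBasedAttribute']} ({trigger.get('offsetInDays', 0):+d} days)"
    if "triggerAttributes" in trigger:
        return ", ".join(a["name"] for a in trigger["triggerAttributes"])
    return "Not configured"


def missing_tasks(workflow):
    """Essential task keywords with no enabled task whose name contains them."""
    names = [t["displayName"].lower() for t in workflow.get("tasks", [])
             if t.get("isEnabled", True)]
    return [kw for kw in ESSENTIAL_TASKS[workflow["category"]]
            if not any(kw in n for n in names)]


def last_run(runs):
    """(processingStatus, failedUsersCount) of the most recent run, if any."""
    if not runs:
        return "no runs", 0
    latest = max(runs, key=lambda r: r["startedDateTime"])
    return latest["processingStatus"], latest.get("failedUsersCount", 0)


def assess(workflows, runs_by_workflow):
    """Return coverage rows, a weighted risk score and summary counts."""
    rows, score, failing = [], 0, 0
    enabled_by_cat = defaultdict(list)
    for wf in workflows:
        if wf.get("isEnabled"):
            enabled_by_cat[wf["category"]].append(wf)
    # Step 6: a category with no enabled workflow is a manual gap.
    manual_gaps = [c for c in CATEGORIES if not enabled_by_cat[c]]
    for cat in manual_gaps:
        score += WEIGHTS[f"missing_{cat}"]
        rows.append({"category": cat, "status": "No enabled workflow",
                     "trigger": "Not configured", "gap": "Handled manually",
                     "risk": "High" if cat == "leaver" else "Medium"})
    # Steps 3 to 5: per-workflow state, run history and task completeness.
    for wf in workflows:
        gaps = []
        if not wf.get("isEnabled"):
            score += WEIGHTS["disabled_workflow"]
            gaps.append("workflow disabled")
        status, failed_users = last_run(runs_by_workflow.get(wf["id"], []))
        if status in FAILED_STATES:
            failing += 1
            score += WEIGHTS["failed_run"]
            gaps.append(f"last run {status}, {failed_users} users not processed")
        for kw in missing_tasks(wf):
            score += WEIGHTS["missing_task"]
            gaps.append(f"task missing: {kw}")
        risk = "Low" if not gaps else ("High" if wf["category"] == "leaver" else "Medium")
        state = "Enabled" if wf.get("isEnabled") else "Disabled"
        rows.append({"category": wf["category"], "status": f"{state}, last run {status}",
                     "trigger": describe_trigger(wf), "gap": "; ".join(gaps) or "None",
                     "risk": risk})
    counts = {"enabled": sum(1 for w in workflows if w.get("isEnabled")),
              "disabled": sum(1 for w in workflows if not w.get("isEnabled")),
              "failing": failing}
    return {"rows": rows, "score": score, "manual_gaps": manual_gaps, "counts": counts}


# Constructed sample tenant: no enabled leaver workflow, a joiner workflow with
# no TAP task, and a mover workflow whose last run left 12 users unprocessed.
SAMPLE_WORKFLOWS = [
    {"id": "wf-joiner", "category": "joiner", "isEnabled": True,
     "executionConditions": {"trigger": {"timeBasedAttribute": "employeeHireDate", "offsetInDays": -2}},
     "tasks": [{"displayName": "Enable User Account", "isEnabled": True}]},
    {"id": "wf-mover", "category": "mover", "isEnabled": True,
     "executionConditions": {"trigger": {"triggerAttributes": [{"name": "department"}]}},
     "tasks": [{"displayName": "Add user to groups", "isEnabled": True}]},
    {"id": "wf-leaver", "category": "leaver", "isEnabled": False,
     "executionConditions": {"trigger": {"timeBasedAttribute": "employeeLeaveDateTime", "offsetInDays": 0}},
     "tasks": [{"displayName": "Disable User Account", "isEnabled": True}]},
]
SAMPLE_RUNS = {
    "wf-joiner": [{"startedDateTime": "2024-05-01T01:00:00Z", "processingStatus": "completed", "failedUsersCount": 0}],
    "wf-mover": [{"startedDateTime": "2024-05-01T02:00:00Z", "processingStatus": "completedWithErrors", "failedUsersCount": 12}],
}

if __name__ == "__main__":
    report = assess(SAMPLE_WORKFLOWS, SAMPLE_RUNS)
    print("| Category | Status | Trigger | Gap | Risk |")
    for r in report["rows"]:
        print(f"| {r['category']} | {r['status']} | {r['trigger']} | {r['gap']} | {r['risk']} |")
    print(f"risk score {report['score']}, manual gaps {report['manual_gaps']}, counts {report['counts']}")
```

A real run would replace the two sample lists with the JSON returned by the Graph endpoints above, obtained with the read-only `LifecycleWorkflows.Read.All` scope; the scoring stays the same, and the rows map directly onto the coverage table the skill emits.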

## Output format

The skill produces a coverage assessment of lifecycle automation across joiner, mover and leaver events.

| Lifecycle category | Workflow status | Trigger attribute | Coverage gap | Risk |
| --- | --- | --- | --- | --- |
| Leaver | No enabled workflow | Not configured | Accounts disabled manually after departure | High |
| Joiner | Enabled, scheduled daily | Employee hire date | Temporary access pass task missing | Medium |
| Mover | Enabled, last run failed | Department change | Group reassignment not applied for 12 users | Medium |

Summary findings:

- Overall coverage rating across joiner, mover and leaver categories.
- Count of enabled, disabled, and failing workflows.
- List of lifecycle categories with no automation, treated as manual gaps.
- Prioritised remediation actions, leaver gaps first.

## Scope and safety

This skill is read-only by default and makes no changes to your tenant, workflows, or user accounts. It only reads configuration and run history to produce an assessment.

This skill does NOT:

- Create, edit, enable, or disable any lifecycle workflow.
- Modify, disable, or delete any user account or its access.
- Trigger workflow runs or alter schedules.
- Change Conditional Access, access packages, or group memberships.

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Microsoft Entra lifecycle workflows | Microsoft Entra ID Governance |
| Conditional Access and access reviews cross-checks | Microsoft Entra ID P2 (included in ID Governance) |

### Least-privilege roles

- Global Reader, to read tenant configuration without making changes.
- Lifecycle Workflows Administrator is only needed for changes, so it is not required for this read-only skill; assign Global Reader instead.

### Microsoft Graph permissions (read-only)

- `LifecycleWorkflows.Read.All` — reads lifecycle workflow definitions, tasks, schedules and run history.
- `Directory.Read.All` — reads user attributes such as employee hire date and employee leave date used as workflow triggers.
- `Policy.Read.All` — reads Conditional Access policy configuration for the cross-reference checks.
- `AccessReview.Read.All` — reads access review configuration referenced alongside lifecycle coverage.

## Sources and compliance

- [What are lifecycle workflows?](https://learn.microsoft.com/en-us/entra/id-governance/what-are-lifecycle-workflows)
- [Understanding lifecycle workflows](https://learn.microsoft.com/en-us/entra/id-governance/understanding-lifecycle-workflows)
- Supports the Essential Eight control of restricting administrative privileges by ensuring access is removed promptly when staff leave or change roles.
- Maps to ISM controls for privileged and standard account management, including timely disablement of accounts that are no longer required.
- [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Output in Australian English.
## How to use this skill

1. Get the file. Download or copy the SKILL.md shown above.
2. Load it into your host:
   - Microsoft 365 Copilot / Copilot Studio: add it as the instructions of a declarative agent or Copilot Studio agent.
   - Claude (Cowork / Claude Code): drop the file into your skills folder; it loads as an Agent Skill automatically.
   - Any chat host: paste the file contents as your prompt.
3. Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed in the Licensing and permissions section.
4. Provide your tenant scope and run it (a site, a collection, or the whole tenant).
5. Review the report and action the risk-ranked recommendations.

This skill is read-only by default: it inspects and reports, and never changes your tenant.

Licensed under CC BY 4.0 by Educ4te.
