┌────────────────────┐      ┌────────────────────┐      ┌────────────────────┐
│   ADP Workforce    │ ==>  │      Aquera /      │ ==>  │  Microsoft Entra   │
│        Now         │      │     SailPoint      │      │ Identity Governance│
└────────────────────┘      └────────────────────┘      └────────────────────┘
Joiner / Mover / Leaver events → SCIM + workflow policy → governed access
Identity Automation · Entra IGA · HR-Driven Provisioning

HR-Driven Identity Lifecycle via Entra IGA

When HR changes happen in ADP, the identity plane should respond with the same precision: create access on day one, adapt it when roles move, and remove it the moment employment ends.

Microsoft Entra · IGA · ADP Workforce Now · Aquera · SailPoint
April 2026
12 min read
Identity & Security

Marina Costa Silva had not even collected her laptop yet when her identity footprint started expanding. The moment her HR profile in ADP Workforce Now changed from candidate to employee, downstream systems needed to know what that meant: which Microsoft 365 groups she should inherit, which SaaS apps her team requires, and which access should stay blocked until approvals are complete.

That is the promise of HR-driven identity governance. HR remains the system of record, a connector layer translates workforce events into lifecycle transactions, and Microsoft Entra Identity Governance applies policy, approvals, and ongoing control. Done well, the process feels invisible. Done poorly, it becomes a breeding ground for access sprawl, audit fatigue, and security gaps that only surface after an incident.

Section 01

The Identity Lifecycle Problem at Scale

Identity lifecycle management breaks down when organizations still treat onboarding, internal transfers, and terminations as ticket-driven chores. Every manual step introduces lag, ambiguity, and exceptions. The issue is not whether teams understand joiners, movers, and leavers. The issue is whether the control plane can keep up with the pace of workforce change.

35+ · Apps per employee
58% · Access drift after role changes
More audit effort with manual JML
72h · Typical lag for leaver cleanup

At enterprise scale, a delayed termination is not merely an administrative nuisance. It is a standing authorization problem. A stale department code can over-provision access. A missed manager change can keep approvals flowing to the wrong owner. And a slow offboarding sequence leaves accounts active long after the employment relationship has ended.

Why orphaned accounts matter

Orphaned accounts rarely announce themselves. They sit quietly in SaaS apps, retain tokens, accumulate entitlements, and expand audit scope. HR-driven lifecycle automation exists to prevent that silent buildup.

Section 02

ADP Workforce Now as the System of Record

The cleanest architecture starts by respecting the source. ADP Workforce Now already owns the authoritative facts about employment status, start date, manager, cost center, and business unit. Rather than duplicating those facts in downstream directories, a modern identity program listens for workforce events where they are born and lets every other system react to them.

🟢 Joiner: New hire entered in ADP triggers account creation, starter access, and time-bound approvals before day one.
🔵 Mover: Department, manager, or location changes update memberships and revoke access that no longer fits the role.
🔴 Leaver: Termination events disable identities quickly, reclaim licenses, and reduce risk across every connected application.

This is where many organizations realize HR data alone is not enough. The event has to be normalized, enriched, and routed into the identity layer in a way Entra can operationalize. That is why the connector tier matters so much.
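The normalization step described above, as an added example that is not code from the article, ADP, Aquera or SailPoint: a worker record in a constructed ADP-like shape (the field names are hypothetical, not ADP's API schema) is validated and mapped onto SCIM 2.0 core and enterprise-extension attributes, then wrapped in the SCIM BulkRequest envelope that Microsoft Entra's API-driven inbound provisioning accepts. Whether a given connector uses that exact path is an assumption; the payload is built offline and not sent anywhere. The choice to keep the account inactive until the hire date arrives is the example's own policy decision.

```python
"""Normalize an ADP-style worker event into a SCIM 2.0 payload for Entra inbound provisioning."""
import json
from datetime import date

# Constructed sample worker record. Field names are hypothetical, not ADP's real schema.
ADP_EVENT = {
    "eventType": "worker.hire",
    "associateOID": "A1B2C3",
    "legalName": {"given": "Marina", "family": "Costa Silva"},
    "workEmail": "marina.costasilva@example.com",
    "department": "Platform Engineering",
    "managerAssociateOID": "M9Z8Y7",
    "costCenter": "CC-4401",
    "location": "Seattle",
    "workerType": "FullTime",
    "hireDate": "2026-04-18",
    "status": "Active",
}

SCIM_CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SCIM_BULK_REQUEST = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"

REQUIRED = ("associateOID", "workEmail", "hireDate", "status", "managerAssociateOID")


def validate_event(event):
    """Reject payloads that would create an ungoverned identity: no source id
    to correlate on, no manager (so no approver), or an unparseable hire date."""
    missing = [k for k in REQUIRED if not event.get(k)]
    if missing:
        return False, f"missing attributes: {', '.join(missing)}"
    try:
        date.fromisoformat(event["hireDate"])
    except ValueError:
        return False, "hireDate is not an ISO date"
    return True, "ok"


def to_scim_user(event, today=None):
    """Map the worker record onto SCIM core + enterprise attributes.
    The identity exists before day one, but 'active' only flips to true once
    the hire date has arrived, so pre-start access cannot be used (example policy)."""
    today = today or date.today()
    hire_date = date.fromisoformat(event["hireDate"])
    active = event["status"] == "Active" and hire_date <= today
    given, family = event["legalName"]["given"], event["legalName"]["family"]
    return {
        "schemas": [SCIM_CORE_USER, SCIM_ENTERPRISE_USER],
        "externalId": event["associateOID"],          # HR id stays the correlation key
        "userName": event["workEmail"],
        "name": {"givenName": given, "familyName": family},
        "displayName": f"{given} {family}",
        "emails": [{"value": event["workEmail"], "type": "work", "primary": True}],
        "active": active,
        "userType": event["workerType"],
        "addresses": [{"type": "work", "locality": event["location"]}],
        SCIM_ENTERPRISE_USER: {
            "employeeNumber": event["associateOID"],
            "department": event["department"],
            "costCenter": event["costCenter"],
            "manager": {"value": event["managerAssociateOID"]},
        },
    }


def to_bulk_request(events, today=None):
    """Wrap one or more users in a SCIM BulkRequest, one POST /Users per worker."""
    operations = [
        {"method": "POST", "bulkId": f"worker-{i}", "path": "/Users",
         "data": to_scim_user(event, today)}
        for i, event in enumerate(events, start=1)
    ]
    return {"schemas": [SCIM_BULK_REQUEST], "Operations": operations}


if __name__ == "__main__":
    ok, reason = validate_event(ADP_EVENT)
    print("validation:", reason)
    if ok:
        print(json.dumps(to_bulk_request([ADP_EVENT], today=date(2026, 4, 17)), indent=2))
```

The validation step is where a connector earns its keep: an event with no manager or no stable source id should be held back, because Entra can only govern what it can correlate and route for approval.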

Governance begins when the organization can say, with confidence, that an HR event is the trigger, policy is the filter, and access is the outcome.

— Identity architecture principle for scalable JML

Section 03

The Connector Layer: Aquera vs SailPoint

Bridging ADP and Microsoft Entra usually comes down to two strategic paths. Aquera is often chosen when the priority is rapid, low-friction provisioning and orchestration. SailPoint is the stronger fit when the identity program is broader than provisioning and must include certifications, role models, and policy-heavy governance.

Capability           | Aquera                                  | SailPoint
Primary fit          | Fast HR-to-IT automation                | Broader governance program
Implementation style | No-code / low-code SaaS connector       | IGA platform with policy depth
Best for             | Teams prioritizing speed and simplicity | Enterprises needing certification and role mining
Governance depth     | Provisioning-centric with orchestration | Strong lifecycle, certification, and SoD controls
Typical outcome      | Quicker time-to-value for JML           | End-to-end identity governance operating model

Neither connector removes the need for governance discipline. They simply determine how events arrive and how much orchestration intelligence exists before Entra takes over. Connector choice should therefore reflect operating model maturity, not just feature comparison.

Section 04

Microsoft Entra IGA: Where Governance Happens

Once HR events have been translated into lifecycle actions, Microsoft Entra Identity Governance becomes the policy engine. This is where access packages, lifecycle workflows, entitlement management, approvals, and downstream provisioning controls converge. Entra does not replace HR; it operationalizes HR truth into governed access.

Core concepts

Lifecycle workflows automate joiner, mover, and leaver tasks.

Access packages bundle the right resources for the right personas.

Entitlement management keeps access requestable, reviewable, and time-bound.

In practice, this means Marina's hire date can trigger account readiness, a manager change can adjust approvals and group inheritance, and a termination can start a deterministic shutdown path across Microsoft 365 and connected SaaS applications. The identity program becomes event-driven instead of ticket-driven.
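The joiner, mover and leaver decisions described in this section, as an added example rather than anything from the article or Microsoft: a small policy evaluator compares two HR snapshots to name the lifecycle event, maps the persona onto an access package, and splits the result into immediate grants, approval-gated grants and revocations. The persona-to-package table, package names, worker ids and the leaver step list are all constructed; in a real tenant these would be the access packages and lifecycle workflow tasks configured in Entra.

```python
"""Joiner / mover / leaver evaluation against persona-based access packages (example, not Entra's API)."""
from dataclasses import dataclass, field

# Constructed persona-to-package mapping; package names are hypothetical.
ACCESS_PACKAGES = {
    "Platform Engineering": {"M365-Baseline", "Jira-Eng", "GitHub-Platform"},
    "Finance": {"M365-Baseline", "ERP-Reporting"},
}
DEFAULT_PACKAGE = {"M365-Baseline"}
# Packages that need an explicit manager approval rather than automatic assignment.
APPROVAL_REQUIRED = {"GitHub-Platform", "ERP-Reporting"}
# Leaver shutdown order: block sign-in first so a revoke that fails part-way
# never leaves a usable account behind; deletion is deferred for retention.
LEAVER_STEPS = ["disable_signin", "revoke_sessions", "remove_group_memberships",
                "reclaim_licenses", "schedule_deletion"]


@dataclass(frozen=True)
class HrSnapshot:
    """The attributes of the HR record that the lifecycle decision depends on."""
    worker_id: str
    department: str
    manager_id: str
    status: str  # "Active" or "Terminated"


@dataclass
class Decision:
    event: str
    grant_now: set = field(default_factory=set)
    grant_pending_approval: set = field(default_factory=set)
    revoke: set = field(default_factory=set)
    actions: list = field(default_factory=list)


def classify(previous, current):
    """Name the lifecycle event by comparing HR snapshots. Termination wins over
    everything else, so a leaver whose department code changed on the same day
    is never processed as a mover."""
    if current.status == "Terminated":
        return "leaver"
    if previous is None:
        return "joiner"
    if (previous.department, previous.manager_id) != (current.department, current.manager_id):
        return "mover"
    return "none"


def evaluate(previous, current, held_access):
    """Turn an HR event plus the access currently held into grants and revokes."""
    event = classify(previous, current)
    decision = Decision(event=event)
    held = set(held_access)
    if event == "leaver":
        decision.revoke = held
        decision.actions = list(LEAVER_STEPS)
        return decision
    target = ACCESS_PACKAGES.get(current.department, DEFAULT_PACKAGE)
    wanted = target - held
    decision.grant_now = wanted - APPROVAL_REQUIRED
    decision.grant_pending_approval = wanted & APPROVAL_REQUIRED
    # Anything held that the new persona's package does not include is drift:
    # revoke it instead of letting entitlements accumulate across transfers.
    decision.revoke = held - target
    if event == "mover" and previous.manager_id != current.manager_id:
        # Open approvals must follow the new manager, or they stall or go to the wrong owner.
        decision.actions.append(
            f"reroute_pending_approvals:{previous.manager_id}->{current.manager_id}")
    return decision


if __name__ == "__main__":
    marina = HrSnapshot("A1B2C3", "Platform Engineering", "M9Z8Y7", "Active")
    print(evaluate(None, marina, set()))
```

Running `evaluate` on an unchanged snapshot (event `none`) still returns any drift between held access and the persona's package, which is the reconciliation check an access review would otherwise catch much later.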

Entra IGA Lifecycle Flow (static preview of the interactive demo)

HR event → connector orchestration → governed provisioning

ADP: source workforce event
Aquera: transforms and routes identity data
Entra IGA: applies governance and workflow policy
Apps: provisioned with least privilege

Employee event (ADP Workforce Now, authoritative employee profile)
Marina Costa Silva · Joiner
Department: Platform Engineering
Manager: A. Navarro
Start Date: 2026-04-18
Location: Seattle

Lifecycle workflow (static sequence preview)
1. Capture ADP hire event (Aquera): Start date, department, manager, and worker type arrive as the source identity payload.
2. Evaluate Entra lifecycle workflow: Policies map Marina into the correct starter bundle and approval chain. Awaiting manager-ready state.
3. Provision downstream apps: Access lands in Microsoft 365, Jira, GitHub, and internal developer platforms with least privilege.

Connected applications (governed target systems)
Microsoft 365: Baseline productivity access (Ready)
Jira: Engineering ticket visibility (Pending)
GitHub Enterprise: Scoped repo entitlements (Pending)

Audit Trail Snapshot
09:00:01 ADP event received for Marina Costa Silva
09:00:05 Connector normalized payload and forwarded SCIM attributes to Entra IGA
09:00:09 Lifecycle workflow prepared starter access package and awaited approvals

Section 05

What This Means for Your Organization

The value proposition is not limited to faster onboarding. HR-driven Entra IGA shrinks time-to-productivity, improves auditability, reduces license waste, and gives security teams a cleaner story about who has access to what and why. Most importantly, it replaces tribal process with repeatable policy.

For leadership teams, that means fewer identity exceptions living in email threads. For IT, it means less ticket chasing and fewer one-off scripts. For security and compliance, it means a lifecycle model that is easier to explain, easier to review, and much harder to bypass accidentally.

Getting started

Begin with one clean joiner flow, one authoritative HR source, and one governed access package aligned to a high-volume persona.

Measure time-to-provision, access drift after role changes, and leaver disablement speed before expanding to broader governance scenarios.
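The three measurements above, computed from lifecycle audit lines, as an added example that is not from the article or any vendor: a parser for a constructed key=value log format (hypothetical, not Entra's or a connector's real schema) feeds functions that report time-to-provision for joiners, clean-up lag for movers (with a never-revoked old role flagged as drift), and disablement lag for leavers, plus an SLA check. The 72-hour threshold echoes the figure the article quotes for leaver cleanup but is the example's own default.

```python
"""Lifecycle metrics from audit-trail lines: time-to-provision, mover clean-up
lag and leaver disablement speed, with an SLA check for leavers (example code)."""
import re
from datetime import datetime

# Constructed audit lines in a hypothetical key=value format.
LOG = """\
2026-04-17T09:00:01Z worker=W1 event=hr.joiner.received
2026-04-17T09:00:09Z worker=W1 event=access.provisioned app=M365
2026-04-17T09:41:30Z worker=W1 event=access.provisioned app=GitHub
2026-04-20T08:15:00Z worker=W2 event=hr.mover.received
2026-04-20T08:15:07Z worker=W2 event=access.revoked app=ERP
2026-04-21T17:00:00Z worker=W3 event=hr.leaver.received
2026-04-24T21:30:00Z worker=W3 event=account.disabled
2026-04-22T12:00:00Z worker=W4 event=hr.leaver.received
2026-04-22T12:00:45Z worker=W4 event=account.disabled
"""

LINE = re.compile(r"^(?P<ts>\S+) worker=(?P<worker>\S+) event=(?P<event>\S+)(?: app=(?P<app>\S+))?$")


def parse(text):
    """Parse lines into dicts, skipping malformed ones, and sort by time so
    'first' and 'last' lookups do not depend on the order lines were written."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(r)
    records.sort(key=lambda r: r["ts"])
    return records


def _timestamps(records, worker, event):
    return [r["ts"] for r in records if r["worker"] == worker and r["event"] == event]


def _lag(records, trigger, completion, last=False):
    """Seconds from each worker's trigger event to its completion event.
    None means the completion never happened, which is the case to alert on."""
    out = {}
    for worker in sorted({r["worker"] for r in records if r["event"] == trigger}):
        start = _timestamps(records, worker, trigger)[0]
        done = _timestamps(records, worker, completion)
        if not done:
            out[worker] = None
        else:
            end = done[-1] if last else done[0]
            out[worker] = (end - start).total_seconds()
    return out


def time_to_provision(records):
    """Joiner received -> LAST app provisioned: the hire is not productive
    until the whole starter bundle is in place."""
    return _lag(records, "hr.joiner.received", "access.provisioned", last=True)


def mover_cleanup_lag(records):
    """Mover received -> first revocation. None means the old role's access
    was never reclaimed, i.e. access drift."""
    return _lag(records, "hr.mover.received", "access.revoked")


def leaver_disable_lag(records):
    """Leaver received -> account disabled."""
    return _lag(records, "hr.leaver.received", "account.disabled")


def leaver_sla_breaches(records, max_hours=72):
    """Leavers whose account stayed enabled beyond the SLA, or was never disabled."""
    return sorted(w for w, secs in leaver_disable_lag(records).items()
                  if secs is None or secs > max_hours * 3600)


if __name__ == "__main__":
    recs = parse(LOG)
    print("time-to-provision (s):", time_to_provision(recs))
    print("mover cleanup lag (s):", mover_cleanup_lag(recs))
    print("leaver disable lag (s):", leaver_disable_lag(recs))
    print("leaver SLA breaches:", leaver_sla_breaches(recs))
```

Measuring against the last provisioned application rather than the first keeps the joiner metric honest: a hire with Microsoft 365 ready in seconds but GitHub pending for days is still not productive.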

The architecture pattern is simple to describe but powerful in practice: ADP declares workforce truth, Aquera or SailPoint carries the event into the identity layer, and Microsoft Entra Identity Governance turns that event into controlled access outcomes. That is what mature identity lifecycle management should look like in an Azure-first enterprise.

Chender Bandaru
Azure architect writing about identity, governance, and secure enterprise automation.

© 2026 iShiftAI · Building Azure-native platforms for agentic AI, identity, and secure enterprise automation.