IntuneHRFlow: Automate Employee Onboarding and Offboarding

Back in 2024, after yet another customer discussion, it struck me that the process for employee onboarding and, even more importantly, offboarding is NOT SIMPLE. For some, it’s a significant challenge. Sure, you could outsource it to one of the top HR solutions out there, like:

  • BambooHR
  • Deel
  • Workday
  • SAP SuccessFactors

But you will still need to do some integration work. You may even decide to use Microsoft’s Entra Lifecycle Workflow. BUT, these options will cost you more money, often as a per-user, per-year charge, which is not always cheap. So, I thought, why not maximize existing Microsoft investments and utilize licenses (like M365 E3/E5) to solve these problems? Wave goodbye to the long list of inconsistent and manual tasks and say hello to automation joy!

So, after taking some time to design and build, I created IntuneHRFlow, a powerful Microsoft-focused solution to seamlessly convert time-consuming tasks into a productive and automated process using Microsoft Intune, Entra ID, SharePoint, Forms, and the glue that holds it all together, Power Automate.

The target is to dramatically reduce the time and costs associated with your onboarding and offboarding, and to get new hires and graduates up to speed quickly with fast access to key tools and services. IT admins can also smile, as this allows them to concentrate on more important tasks while creating a better end-user experience. Shrink-wrapped solutions naturally manage a suite of tasks outside of IntuneHRFlow, like rewards and payroll, performance management and employment contracts, but many utilise the resident identity platform like AD or Entra ID, which means IntuneHRFlow will integrate with these systems. It’s a win-win.

Contents

What is IntuneHRFlow

  • What you’ll need first
  • Basic Microsoft knowledge required

IntuneHRFlow Overview

Integration using Power Automate (PA)

What is IntuneHRFlow?

IntuneHRFlow is a unique solution providing an easy-to-use interface for HR members to initiate onboarding and offboarding tasks. It combines multiple Microsoft tools to build a comprehensive business solution including:

  • Employee Onboarding
  • Employee Offboarding
  • Asset Management
  • Workflow Tracker
  • Application Requests (add & remove) and Assignment
  • Windows Device Admin Assignment (Coming)
  • Persona Mapping for Structured Assignment and Management
  • Weekly run reports
  • Functionality for Windows 365 and Temporary Access Pass (TAP)

With the ability to integrate with other systems and services.

Today, I’m starting a series of blogs to help you take back control and put those already purchased Microsoft licenses to work. In this article, we’ll explore the full capability, dive into the prerequisites and components for setup in your tenant. IntuneHRFlow gives you the flexibility to adjust the presentation and automation to meet your specific needs easily with a little knowledge of the platforms. Collectively, the solution integrates multiple Microsoft toolsets:

  • Power Automate Template Flows
  • Intune User and Device Management (including targeted groups)
  • SharePoint Sites and Lists
  • A Single Entra Application Registration
  • Microsoft Forms

NOTE: Registered Private preview users will be given access to the functionality of onboarding, offboarding and Workflow functionality. Additional features can be made available on request.

What You’ll Need First

Let’s be clear—the pendulum of migration is now heavily swinging towards Cloud First management. That’s why IntuneHRFlow focuses on these companies. Maybe you’re on the edge of making that shift, and if you are, this will give you the opportunity for a clean start. As this is a solution rather than a script, using multiple toolsets together means there is some setup to complete.

You’ll need access to all included platforms and licensing for:

  • Azure Entra Tenant
  • Microsoft Intune and Associated features
  • Microsoft Office 365: SharePoint, Forms, Power Automate, Outlook
  • A Global Admin / SharePoint Administration account to access and create:
    • Power Automate Flows (Premium license required)
    • An Azure Application Registration
    • SharePoint Sites, Lists, and Forms
    • Office 365 Administration Permissions for Distribution Groups and License Assignment
    • Entra ID and Intune Persona Groups, Application Groups, Windows 365 User Group

Basic Microsoft Knowledge required:

  • Azure
  • Intune
  • SharePoint Sites and Lists
  • Power Automate
  • Office 365

IntuneHRFlow Overview

Let’s start with SharePoint: Two SharePoint sites are required, which are key to the overall solution. These include:

  1. A SharePoint site created using the ‘Employee New Starters’ template

This Microsoft template provides key information for new hires like ‘Training’, ‘How We Work’, ‘Meet the Team’, ‘Documents’, and an onboarding checklist, and is available from the SharePoint online library. You may want to adapt this to your own style and data, which can be achieved easily. And if not, why not make use of your own site? That’s fine too. (I’ll show you later how to do this). This is really an optional feature as it’s not something created by IntuneHRFlow, so if your organisation isn’t ready for this then leaving it out is not a problem.

  2. A New IntuneHRFlow SharePoint Site

This is a dedicated site created from new, starting with a blank SharePoint template to which you then import IntuneHRFlow Lists (available on GitHub as CSV files you import). The Lists include:

Onboarding List – Used for maintaining new starter data with recorded ‘States’ and settings updated as the Power Automate Flows are run.

** Included for Private Preview registered users of the IntuneHRFlow starter package

Offboarding List – Maintains the creation and states of the offboarding process as well as serving as a record of all employees leaving the business. The great thing about using SharePoint is that you can easily create different ‘Views’ of the data best serving your own needs.

** Included for Private Preview registered users of the IntuneHRFlow starter package

Asset Management – Your central location for all your devices, peripherals, and accessories purchased and asset-tagged to the employee. Devices managed and registered on Intune are automatically added by a scheduled PA flow and amended as devices are added, removed, and reassigned. You can also manually add non-Intune details, as Intune isn’t an asset management system (it manages Android, iOS, iPadOS, macOS, Windows, and Linux). By maintaining the data on SharePoint, HR staff and/or IT can easily view and edit records without the need to submit IT Admin requests and gain access to Microsoft Intune.

** Included as part of the IntuneHRFlow extra features package (After private preview feedback)

Workflow Tracker – Automation is the power behind IntuneHRFlow, which creates multiple workflow tasks as onboarding and offboarding Power Automate Flows run each day. No guessing needed: easily check on the progress and view historical data when needed. Power Automate flows are numbered to represent how far the full process has progressed and to identify the source of the flow.

** Included for Private Preview registered users of the IntuneHRFlow starter package

Documents – Added as a new document library to the IntuneHRFlow site, the library is used to house OneDrive files copied during the offboarding automation. When a user’s Office 365 license is revoked, Administrators have 93 days to access OneDrive documents, after which they are deleted. The account is set to an archive state and the end user no longer has access. Once the leave date is reached, a dedicated Power Automate Flow copies the files into the document library and automatically provides access to the employee’s assigned manager, ensuring the files are maintained after the 93 days.

** Included for Private Preview registered users of the IntuneHRFlow starter package

Application Requests – Day in and day out, I talk to customers who deploy time-consuming ways of implementing requests for new applications. The simplest way to manage this is to just assign all non-core apps as ‘Available’ through the Company portal app. But this approach isn’t always practical, and controlling the use becomes important based on budgets or licenses. Adding a level of control to this task often means time and effort. So, creating a simple way to implement this is key to freeing up IT Admin time. IntuneHRFlow gives end users access to a simple SharePoint form published on the Intranet. You can restrict which apps end users can choose within Intune by simply adding a description in the field. The way I created this was to prefix the lookup with ‘IHR-’ but you can change this and name your Intune application groups to suit your own naming convention.

Users are mandated to provide a reason for use, and requests are sent via email to their manager for approval. If approved, a Power Automate flow will automatically assign a user to the configured Application group setup within Intune, for example, ‘IHR – Adobe Reader’ where IHR refers to IntuneHRFlow, used to easily identify available applications when searching on the request form. The process saves time and sometimes charges as users won’t need to raise a support ticket, which then sits in a queue and needs a support engineer to add the user to the right AD or Entra ID group manually.

The great thing is that it doesn’t just manage new app requests; there is also the ability to remove apps from users. Both include workflow approvals, with the result for a removal being that the user account is removed from the application group. This is achieved by moving the account from the add user group into the uninstall user group for the chosen application. In reality not many people remove apps very often unless there’s an issue. BUT this may be something you open up to support teams.

When you add a user account to an Intune uninstall user group that is assigned to a Windows application, the following happens:

  1. Application Uninstall Policy Applies: Intune policies associated with the uninstall group trigger, instructing the Windows device to uninstall the application for that user account.
  2. Device Synchronization: The user’s devices enrolled in Intune will sync with the Intune service. During the next sync, Intune will identify that the user is now part of the uninstall group and proceed with the uninstallation process.
  3. Application Removal: The assigned application will be removed from the user’s devices that are managed by Intune. The timing of the uninstallation depends on how frequently the devices sync with Intune (usually every 8 hours by default).
  4. Impact on User Access: Once the application is uninstalled, the user will lose access to it on their managed devices. However, this doesn’t affect unmanaged devices or personal installations outside of Intune control.

** Included as part of the IntuneHRFlow extra features package (After private preview feedback)
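The add and remove logic described above can be written as a small pure function, shown here as an added example that is not part of IntuneHRFlow or the original post. It checks manager approval, only touches groups that follow the ‘IHR’ naming convention, and keeps a user out of the install and uninstall groups at the same time. The uninstall group naming, the `AppRequest` fields and the operation names are assumptions.

```python
# Added example: plan Entra ID group changes for an app request.
# Uninstall group naming, field names and operation names are assumptions.
import re
from dataclasses import dataclass

APP_PREFIX = "IHR"           # prefix from the article; change to your convention
UNINSTALL_TAG = "Uninstall"  # hypothetical marker for the paired uninstall group
# Accepts "IHR-Name" and "IHR \u2013 Name" (hyphen or en dash, optional spaces).
REQUESTABLE = re.compile(rf"^{re.escape(APP_PREFIX)}\s*[-\u2013]\s*\S")


@dataclass(frozen=True)
class AppRequest:
    user: str        # user principal name
    app_group: str   # install group chosen on the form
    action: str      # "add" or "remove"
    approved: bool   # outcome of the manager approval step


def uninstall_group_for(app_group: str) -> str:
    """Derive the paired uninstall group name (hypothetical convention)."""
    return f"{app_group} ({UNINSTALL_TAG})"


def plan_membership_changes(req: AppRequest, current_groups: set) -> list:
    """Return ordered (operation, user, group) steps or raise if not allowed."""
    if not req.approved:
        raise PermissionError("request has no manager approval")
    # Only application groups may be changed, so a crafted form value cannot
    # place a user in an unrelated (for example privileged) group.
    if not REQUESTABLE.match(req.app_group) or UNINSTALL_TAG in req.app_group:
        raise ValueError(f"{req.app_group!r} is not a requestable application group")
    install, uninstall = req.app_group, uninstall_group_for(req.app_group)
    if req.action == "add":
        leave, join = uninstall, install
    elif req.action == "remove":
        leave, join = install, uninstall
    else:
        raise ValueError(f"unknown action {req.action!r}")
    steps = []
    # Leave the opposite group first so the user is never a member of both.
    if leave in current_groups:
        steps.append(("remove_member", req.user, leave))
    if join not in current_groups:
        steps.append(("add_member", req.user, join))
    return steps
```
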

And there’s more to come…. Admin Uplift – We plan to introduce Windows Admin access, which following approval, provides an end user with administrative access to a specific Windows device. This is based on using a best practice security approach by only allowing admin access on request and by exception and implementing ‘Standard’ accounts by default. This introduces a simple method for Admin Uplift as required.

On the home page of the new SharePoint site the solution includes an easy-to-use dashboard for the different HR and IT admin actions. The links open the 4 different user forms, each of which initiates the Power Automate flows. These are:

  • Create new starter record
  • Create new Leaver’s record
  • Request Application for adding or removing
  • Request a user’s Admin uplift

It’s important that this is a private site and that only selected IT Admins have access, plus selected HR staff who need to initiate the new starters and leavers automation. The form for Application requests can be published on a different IT Support page on an intranet, giving end users the ability to raise requests.

Note: Homepage setup is not included with phase 1 of private preview.

One last list to mention here is ‘AutomateSettings’. This list provides common settings used within all PA Flows. By extracting these settings into a list, we can easily call on them to make it simpler for each PA flow, as well as making it much quicker to deploy IntuneHRFlow between tenants.

Integration using Power Automate (PA)

The glue to the overall solution that provides the powerful integration is Power Automate (PA). Part of the Power Platform, Microsoft Power Automate is a cloud-based service that allows you to create automated workflows between your favourite apps and services to synchronize files, get notifications, collect data, and more. It helps to automate repetitive tasks and streamline business processes with minimal effort. Some of the key features include integration with over 1,000 apps and services, including Microsoft 365, SharePoint, Entra ID, Intune, and Teams, as well as security and governance: built-in security features manage and monitor automation. Without PA, this solution would not be possible.

Employee onboarding and offboarding actions can sometimes be complex and include many activities, making PA the perfect solution. To address this, it’s necessary to break the tasks down into individual logical actions. This helps identify the order in which tasks should be applied. IntuneHRFlow adopts this approach and splits the automation and integration tasks into 17 actions.

You will quickly notice that the structure of the flows is also built for simplicity and testing. Variables are explicitly included to identify connecting data. The purpose of this is to help you adjust the flows as required for your environment. Within each flow is an initial SharePoint connection to the ‘AutomateSettings’ List which, when updated (required during setup), will adjust the flow to your SharePoint and PA environment (this will save you time for the PA imports). PLEASE ensure you use the same naming for the lists as provided, which will save you even more time.

You can access Power Automate using ‘https://make.powerautomate.com’ and you will need a global admin account with a PA premium license assigned.

As an introduction to IntuneHRFlow, this first blog provides the overview of the solution and the features currently included, but I will be diving into the detail with specific Power Automate flows and demonstrations in future blogs. I also want to fine-tune and add new features. While this is going through a private preview, this solution will be made available to the community. Anyone wanting consultancy to have this implemented, please get in contact (Andy@move2modern.co.uk).

Alternatively I will be running more previews giving people the opportunity to get involved. Take a look at https://IntuneQLinks.net/IntuneHRFlow and register your interest for future releases.
