Identity Lifecycle Workflows Design

💼 Management Summary

Automate Joiner-Mover-Leaver processes with Lifecycle Workflows so that access is granted on time and revoked securely.

Recommendation
IMPLEMENT LIFECYCLE WORKFLOWS
Risk without
High
Risk Score
7/10
Implementation
32h (tech: 16h)
Applies to:
✓ Azure AD
✓ Identity Governance

Manual JML processes lead to delays, errors and lingering access. Lifecycle Workflows reduce that risk by reacting to events (hire, transfer, termination) with automatic actions (grant, update and revoke access).

PowerShell Modules Required
Primary API: Microsoft Graph
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph

Implementation

Workflows: Joiner (pre-hire account, day-0 licences, groups), Mover (reallocate access), Leaver (same-day disable, revoke licences, mailbox litigation hold, account deletion after the retention period).

Requirements

  1. Azure AD P2
  2. HR source (Entra ID provisioning or SCIM)
  3. Standard role-to-groups mapping
  4. Licence templates

Implementation

Use the PowerShell script lifecycle-workflows.ps1 (function Invoke-Remediation) – Creation of the workflows.

  1. Configure event triggers (pre-hire, hire date, termination date)
  2. Joiner: assign licences and groups
  3. Mover: update department groups and app roles
  4. Leaver: disable account + revoke sessions + remove licences + manager mailbox access + final export
  5. Pilot first, then production
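The leaver steps above (same-day disable and revocation, deletion after retention) expressed against the Lifecycle Workflows Graph API, as an added example that is not part of the baseline's lifecycle-workflows.ps1. It assumes the signed-in identity holds LifecycleWorkflows.ReadWrite.All, that the tenant's built-in task definitions carry the display names matched by the patterns below (they are resolved at runtime rather than hard-coded as GUIDs), a scope rule and a 30-day retention value that are placeholders to adjust, and a trigger on employeeLeaveDateTime fed by the HR source. Workflows are created disabled so the pilot in step 5 can be done before enabling them.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example (not the baseline's own script): creates two leaver workflows.
# Assumptions: LifecycleWorkflows.ReadWrite.All is consented; built-in task display names
# match the patterns passed in; scope rule and retention offset are placeholders.

$GraphBase = 'https://graph.microsoft.com/v1.0/identityGovernance/lifecycleWorkflows'

function Get-LcwTaskDefinitionId {
    param([Parameter(Mandatory)][string]$DisplayNamePattern)
    # Resolve a built-in task by display name so no task GUID has to be trusted from memory.
    $defs  = (Invoke-MgGraphRequest -Method GET -Uri "$GraphBase/taskDefinitions").value
    $match = @($defs | Where-Object { $_.displayName -like $DisplayNamePattern })
    if ($match.Count -ne 1) {
        throw "Expected exactly one task definition matching '$DisplayNamePattern', found $($match.Count)"
    }
    return $match[0].id
}

function New-LeaverWorkflow {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string[]]$TaskNamePatterns,
        [Parameter(Mandatory)][int]$OffsetInDays,
        [string]$ScopeRule = "(employeeType eq 'Employee')",   # assumed scope rule; adjust to the tenant
        [switch]$Enabled                                        # default off: pilot before enabling
    )
    # @() keeps a single task as a JSON array rather than a bare object.
    $tasks = @(foreach ($pattern in $TaskNamePatterns) {
        @{
            continueOnError  = $false   # a failed revocation step must fail the run so monitoring sees it
            displayName      = $pattern
            isEnabled        = $true
            taskDefinitionId = Get-LcwTaskDefinitionId -DisplayNamePattern $pattern
            arguments        = @()
        }
    })
    $body = @{
        category            = 'leaver'
        displayName         = $DisplayName
        description         = "Runs $OffsetInDays day(s) after employeeLeaveDateTime"
        isEnabled           = [bool]$Enabled
        isSchedulingEnabled = [bool]$Enabled
        executionConditions = @{
            '@odata.type' = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions'
            scope   = @{
                '@odata.type' = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet'
                rule          = $ScopeRule
            }
            trigger = @{
                '@odata.type'      = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger'
                timeBasedAttribute = 'employeeLeaveDateTime'
                offsetInDays       = $OffsetInDays
            }
        }
        tasks = $tasks
    }
    if ($PSCmdlet.ShouldProcess($DisplayName, 'Create lifecycle workflow')) {
        return Invoke-MgGraphRequest -Method POST -Uri "$GraphBase/workflows" -Body $body -ContentType 'application/json'
    }
}

Connect-MgGraph -Scopes 'LifecycleWorkflows.ReadWrite.All'

# Day 0: disable the account and strip group membership and licences on the leave date.
New-LeaverWorkflow -DisplayName 'Leaver - day 0 (disable and revoke)' -OffsetInDays 0 `
    -TaskNamePatterns 'Disable User Account', 'Remove user from all groups', 'Remove all licenses*'

# After the retention period: delete the account. 30 days is an assumed retention value.
New-LeaverWorkflow -DisplayName 'Leaver - delete after retention' -OffsetInDays 30 `
    -TaskNamePatterns 'Delete User Account'
```

Run with -WhatIf on both New-LeaverWorkflow calls to see what would be created without touching the tenant; the mailbox litigation hold and final export from step 4 are not built-in tasks and would be added as custom task extensions.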

Monitoring

Use the PowerShell script lifecycle-workflows.ps1 (function Invoke-Monitoring) – Check.

  1. Workflow runs success/fail
  2. Lead time J/M/L
  3. Lingering access (must be zero)
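The three monitoring points above as a runnable check, added here as an example rather than the baseline's own Invoke-Monitoring. It assumes LifecycleWorkflows.Read.All and User-LifeCycleInfo.Read.All are granted and that employeeLeaveDateTime is populated from the HR source. Run status and failed-user counts come from the workflow run objects, lead time is derived from each run's started and completed timestamps, and the lingering-access check lists every still-enabled account whose leave date has passed.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added monitoring example (not the baseline's lifecycle-workflows.ps1).
# Assumptions: LifecycleWorkflows.Read.All and User-LifeCycleInfo.Read.All are consented,
# and employeeLeaveDateTime is maintained by HR provisioning.

$GraphBase = 'https://graph.microsoft.com/v1.0'

function Get-GraphCollection {
    # Follow @odata.nextLink so large tenants are fully enumerated.
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    do {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    } while ($Uri)
    return $items
}

function Get-WorkflowRunReport {
    # One row per run in the last $Days days: status, affected users and lead time in minutes.
    param([int]$Days = 7)
    $since     = (Get-Date).ToUniversalTime().AddDays(-$Days)
    $workflows = Get-GraphCollection "$GraphBase/identityGovernance/lifecycleWorkflows/workflows"
    foreach ($wf in $workflows) {
        $runs = Get-GraphCollection "$GraphBase/identityGovernance/lifecycleWorkflows/workflows/$($wf.id)/runs" |
            Where-Object { [datetime]$_.startedDateTime -ge $since }
        foreach ($run in $runs) {
            $started = [datetime]$run.startedDateTime
            $minutes = $null
            if ($run.completedDateTime) {
                $minutes = [math]::Round(([datetime]$run.completedDateTime - $started).TotalMinutes, 1)
            }
            [PSCustomObject]@{
                Workflow = $wf.displayName
                Category = $wf.category
                Started  = $started
                Status   = $run.processingStatus
                Users    = $run.totalUsersCount
                Failed   = $run.failedUsersCount
                Minutes  = $minutes
            }
        }
    }
}

function Get-LingeringLeaverAccess {
    # Leaver check that must return zero rows: accounts still enabled after their leave date.
    $now = (Get-Date).ToUniversalTime()
    $uri = "$GraphBase/users?`$select=id,userPrincipalName,accountEnabled,employeeLeaveDateTime&`$filter=accountEnabled eq true"
    Get-GraphCollection $uri |
        Where-Object { $_.employeeLeaveDateTime -and [datetime]$_.employeeLeaveDateTime -lt $now } |
        ForEach-Object {
            [PSCustomObject]@{
                UserPrincipalName = $_.userPrincipalName
                LeaveDate         = [datetime]$_.employeeLeaveDateTime
                DaysLingering     = [int]($now - [datetime]$_.employeeLeaveDateTime).TotalDays
            }
        }
}

Connect-MgGraph -Scopes 'LifecycleWorkflows.Read.All', 'User-LifeCycleInfo.Read.All'

$report = @(Get-WorkflowRunReport -Days 7)
$report | Format-Table -AutoSize
$problemRuns = @($report | Where-Object { $_.Status -ne 'completed' -or $_.Failed -gt 0 })

$lingering = @(Get-LingeringLeaverAccess)
$lingering | Format-Table -AutoSize

if ($problemRuns.Count -eq 0 -and $lingering.Count -eq 0) {
    Write-Host '[OK] All runs completed and no leaver still has access'
} else {
    Write-Host "[FAIL] $($problemRuns.Count) problem run(s), $($lingering.Count) leaver(s) still enabled"
}
```

A row in the lingering list is the concrete signal behind point 3: either the leaver workflow did not run for that user (scope rule or missing leave date) or the disable task failed, which the run report then shows as a non-completed status or a failed-user count.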

Compliance and Auditing

  1. BIO 09.01 - User provisioning
  2. ISO 27001 A.6.1 - Roles and responsibilities
  3. NIS2 art. 21

Remediation

Use the PowerShell script lifecycle-workflows.ps1 (function Invoke-Remediation) – Remediate.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Identity Lifecycle Workflows Design
.DESCRIPTION
    Implementation for Identity Lifecycle Workflows Design
.NOTES
    Filename: lifecycle-workflows.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Version: 1.0
    Related JSON: content/design/identity/lifecycle-workflows.json
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph

[CmdletBinding()]
param(
    [Parameter()][switch]$WhatIf,
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation,
    [Parameter()][switch]$Revert
)

$ErrorActionPreference = 'Stop'
$VerbosePreference = 'Continue'
$PolicyName = "Identity Lifecycle Workflows Design"
$BIOControl = "9.01"

function Connect-RequiredServices {
    # Connection logic based on API (Microsoft Graph). The body was empty in the original;
    # the Connect-MgGraph call below is added, with the Lifecycle Workflows scope assumed to be consented.
    Connect-MgGraph -Scopes 'LifecycleWorkflows.ReadWrite.All'
}

function Test-Compliance {
    Write-Verbose "Testing compliance for: $PolicyName..."
    $result = [PSCustomObject]@{
        ScriptName        = "lifecycle-workflows"
        PolicyName        = $PolicyName
        IsCompliant       = $false
        TotalResources    = 0
        CompliantCount    = 0
        NonCompliantCount = 0
        Details           = @()
        Recommendations   = @()
    }
    # Compliance check implementation
    # Based on: Design Document
    # Template placeholder: the real check (workflows exist, are enabled, runs succeed) is still to be implemented,
    # so the script reports non-compliant until then.
    $result.Details += "Compliance check - implementation required based on control"
    $result.NonCompliantCount = 1
    return $result
}

function Invoke-Remediation {
    Write-Host "`nApplying remediation for: $PolicyName..." -ForegroundColor Cyan
    # Remediation implementation
    Write-Host "  Configuration applied" -ForegroundColor Green
    Write-Host "`n[OK] Remediation completed" -ForegroundColor Green
}

function Invoke-Monitoring {
    $result = Test-Compliance
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "$PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    Write-Host "Total: $($result.TotalResources)" -ForegroundColor White
    Write-Host "Compliant: $($result.CompliantCount)" -ForegroundColor Green
    $color = if ($result.NonCompliantCount -gt 0) { "Red" } else { "Green" }
    Write-Host "Non-compliant: $($result.NonCompliantCount)" -ForegroundColor $color
    return $result
}

function Invoke-Revert {
    Write-Host "Revert: Configuration revert not yet implemented" -ForegroundColor Yellow
}

try {
    Connect-RequiredServices
    if ($Monitoring) {
        Invoke-Monitoring
    } elseif ($Remediation) {
        if ($WhatIf) {
            Write-Host "WhatIf: Would apply remediation" -ForegroundColor Yellow
        } else {
            Invoke-Remediation
        }
    } elseif ($Revert) {
        Invoke-Revert
    } else {
        $result = Test-Compliance
        if ($result.IsCompliant) {
            Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
        } else {
            Write-Host "`n[FAIL] NON-COMPLIANT" -ForegroundColor Red
        }
    }
} catch {
    Write-Error $_
}

Risk without implementation

High: Manual JML (Joiner/Mover/Leaver) = lingering access post-termination (ex-employees retain access for days or weeks), onboarding delays (new hires wait days for access), inconsistent processes, compliance issues. The risk is HIGH - leaver access.

Management Summary

Lifecycle Workflows: Automated JML processes - Pre-hire (accounts ready on day 1), Onboarding (access provisioning, Teams creation, training assignments), Job changes (access updates), Offboarding (immediate access revocation, data retention). Requires: Azure AD P2 (Identity Governance). Activation: Entra ID → Lifecycle Workflows → Define workflows (joiner/mover/leaver). Cost: P2 licence. Mandatory under BIO 9.02. Implementation: 32 hours (workflow design + HR integration + testing). Secures the employee lifecycle - fast, consistent and secure.