What is Hire2Retire
Hire2Retire is an employee lifecycle and identity access management solution. It automates manual, high-volume business processes and streamlines access provisioning by seamlessly integrating leading HR systems with Active Directory (AD), Entra ID, Google Workspace, and Okta Directory. Hire2Retire’s no-code, drag-and-drop UI ensures smooth onboarding, role changes, and offboarding by automating key HR workflows across your enterprise. With Hire2Retire, your HR and IT teams will be freed up and will have more time and resources to focus on other core business areas.
Key Features of Hire2Retire
1. Automate Joiner-Mover-Leaver (JML) Lifecycle Processes
Hire2Retire automates high-volume tasks by processing employee lifecycle events in near-real time. Hire2Retire automatically creates identity profiles for new hires and ensures secure terminations by automatically disabling profiles after the last working day.
2. Implement Role-Based Access Control (RBAC), MFA, and SSO
Define custom group membership assignments and rulesets for Security Groups, Distribution Lists, Office 365 Groups, and more, then let Hire2Retire auto-provision system access to employees for lifecycle events. Easily enable multi-factor authentication (MFA), single sign-on (SSO), and access on a “need-to-know” basis.
3. Create and Send Custom Emails for Lifecycle Events
Use Hire2Retire’s communication hub to automatically send custom email templates for lifecycle events. You can use employee attributes in these emails, allowing key information to be securely communicated without any manual intervention.
4. Add ATS Systems and Third-Party Apps to HR-IdP Integration
Augment HR to Identity integration by adding Applicant Tracking Systems (ATS) and hundreds of third-party applications to Hire2Retire workflows. Cover applicant profiles through the entire hiring and onboarding process with ATS integration, automatically create tickets for the IT team, and make access provisioning a one-stop shop by adding third-party apps.
5. Customize Service Desk Integrations in Real-Time
Hire2Retire allows you to create custom service desk integrations that automatically generate tickets in the service desk when employee profiles are added, deactivated, or updated using REST Connectors. It takes less than five minutes to set up a custom service desk integration in Hire2Retire.
How Does Hire2Retire Work
Hire2Retire uses the integrated HR system as a source of truth (SOT) for employee identity lifecycle management. It receives employee profile data via file extracts or APIs, including basic PII, job-related information, start date, and last day worked, and synchronizes this information to the Identity Provider (IdP) in near-real time. Hire2Retire integrations automate profile creation, deletion, and changes while implementing role-based access control (RBAC) and keeping the Global Address List (GAL) and org charts current and free of ghost employees.
Here’s how to set up a Hire2Retire integration in just 4 easy steps:
1. Connect your HR system to Hire2Retire
Hire2Retire offers two methods of ingesting data from the existing HR system:
File Extract Integration
File extract integrations use the existing HR system’s reporting tool to request SFTP exports of data files with the employee HR attributes you want to synchronize to the Identity setup. You can set these data file extracts to run automatically at scheduled intervals and be sent to Hire2Retire via SFTP, with RSA key authentication and encryption that ensures secure data transfer.
API Integration
With API-based integrations, Hire2Retire uses the existing HR system’s REST API to securely retrieve employee profile data in near real-time, allowing for immediate and automated data synchronization.
2. Connect IdP Setup to Hire2Retire
Hire2Retire can connect your HR system to the following IdP setups:
- On-Prem Active Directory (AD)
- Cloud-Only Entra ID (Azure AD)
- Hybrid AD (AD and Entra ID)
- Google Workspace
- Okta Directory
After selecting your preferred IdP setup option, you will connect to multiple endpoints based on your choice of IdP configuration to leverage the features and functionality offered by Hire2Retire. Typically, most customers in a Hybrid setup will connect to on-prem AD for account creation or updates, and to Entra ID, Exchange Online, and SharePoint to manage cloud resident groups, OneDrive, and Shared Mailboxes.
3. Set up Identity Lifecycle Business Process
This is the most important step, where you define your own business process for how you onboard employees, assign UPN or email, manage role-based access control, handle terminations, and perform access and resource assignment or de-provisioning. You can do all of this without a single line of code in our simple, intuitive UX by making choices in dropdowns, checkboxes, and radio buttons.
This step involves the following activities:
- Define input data.
- Map HR profile fields to IdP (AD or Entra ID) attributes.
- Define your personalized business process rules for each of the employee lifecycles.
- Define profile-driven rule-based assignment of privileges or group memberships to security groups, O365 groups, and distribution lists.
- Set up template-driven emails that can be sent upon a lifecycle change.
- Configure role-based (RBAC) or attribute-based (ABAC) Access Provisioning to third-party applications.
- Check resource provisioning workflows to automate ServiceDesk integration.
Defining your identity lifecycle is highly customizable, ensuring that you can tailor Hire2Retire to perform the exact actions or operations you need to manage an individual employee identity lifecycle for all employees of your organization.
4. Assign Group Memberships or Privileges with Role-Based Access Control (RBAC)
Profile-driven, rule-based assignment of privileges through group memberships is a core feature for implementing access and resource assignment on a “need-to-know” basis. Hire2Retire’s industry-leading RBAC is an optional but highly recommended part of the Hire2Retire setup process. By using AND/OR conditions, you can create rulesets using one or more employee profile attributes to assign memberships to security groups, mail-enabled distribution lists, Microsoft 365 groups, and more. The groups whose memberships you can manage depend on your Identity Provider (IdP) setup.
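The following sketch is an added illustration of AND/OR rulesets over profile attributes, not Hire2Retire's own code or configuration format. The rule structure, the attribute names (including `status`), and the group names are all assumptions; it shows why a mover or leaver event must also remove rule-managed groups the profile no longer qualifies for.

```python
# Illustrative only: rule schema, attribute names and group names are
# assumptions made for this example, not a Hire2Retire format.

def matches(cond, profile):
    """Evaluate a nested AND ("all") / OR ("any") condition tree."""
    for key, combine in (("all", all), ("any", any)):
        if key in cond:
            items = cond[key]
            # Fail closed: an empty AND list must not match every employee.
            return bool(items) and combine(matches(c, profile) for c in items)
    value = str(profile.get(cond["attr"], "")).strip().lower()
    return value in {v.lower() for v in cond["in"]}  # missing attribute: no match

RULES = [  # constructed sample ruleset
    {"group": "SG-Finance-Apps",
     "when": {"attr": "department", "in": ["Finance"]}},
    {"group": "SG-Eng-Repos",
     "when": {"all": [
         {"attr": "department", "in": ["Engineering"]},
         {"any": [{"attr": "title", "in": ["Developer", "SRE"]},
                  {"attr": "location", "in": ["Austin"]}]}]}},
    {"group": "DL-All-Staff",
     "when": {"attr": "employee_type", "in": ["Full-Time", "Part-Time"]}},
]

def entitled_groups(profile, rules):
    """Groups the HR profile qualifies for; inactive profiles get none."""
    if profile.get("status") != "active":
        return set()
    return {r["group"] for r in rules if matches(r["when"], profile)}

def plan_changes(profile, current_groups, rules):
    """Return (to_add, to_remove), touching only rule-managed groups."""
    managed = {r["group"] for r in rules}
    target = entitled_groups(profile, rules)
    to_add = target - set(current_groups)
    # Stale rule-managed memberships are revoked; manual grants are left alone.
    to_remove = (set(current_groups) & managed) - target
    return sorted(to_add), sorted(to_remove)

# Constructed sample: an employee who moved from Finance to Engineering.
MOVER = {"status": "active", "department": "Engineering", "title": "SRE",
         "location": "Berlin", "employee_type": "Full-Time"}
CURRENT = {"SG-Finance-Apps", "DL-All-Staff", "SG-Project-X"}

if __name__ == "__main__":
    print(plan_changes(MOVER, CURRENT, RULES))
```

Groups outside the ruleset (here the constructed `SG-Project-X`) are deliberately untouched, so manually granted access still needs its own review on a role change.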
Why Use Hire2Retire
1. Great "First Day at Work" Experience
Hire2Retire ensures new hires have instant access to the tools, systems, and resources they need from day one. It automates account creation, email setup, and device provisioning before they even step in, eliminating onboarding delays and boosting productivity and engagement from the start.
2. Sync Employee Profiles from HR to IT
It seamlessly integrates HR and IT systems to keep employee records up to date in real time. Any changes in the HR system (new hires, promotions, or departures) automatically reflect in IT directories and apps. This reduces manual data entry and ensures accuracy across platforms.
3. Role-Based Access Control & Birth Rights
It automatically assigns access permissions based on job roles, departments, and locations. It also ensures employees get the right level of access from day one while preventing unauthorized permissions.
4. Avoid Security and Compliance Risks
Hire2Retire helps eliminate orphan accounts and unauthorized access by instantly revoking access when employees leave. It maintains a strict audit trail to meet regulatory requirements such as SOC 2 and others.
5. 90% Cost Avoidance on Employee Onboarding
Hire2Retire helps you cut down manual IT and HR workload with fully automated onboarding workflows, ensuring no costly errors, delays, or inefficiencies in setting up new employees.