Lifecycle Business Rules
Lifecycle Business Rules define the stages an employee progresses through within an organization. The Lifecycle Business Rules include the following stages:
- Hire, Rehire
- Change of Profile or Role
- Termination
- Leave:
  - Long term leave
  - FMLA (Family and Medical Leave Act)
  - Legal
  - Security and Discipline
You can select the lifecycle stages relevant to your business use case. At runtime, the workflow processes only the employees who match the selected stages. This section allows you to define how employee lifecycle events such as hiring, updates, termination, and leave are handled in your identity system.


Hire, Rehire¶
Create or reactivate users in the Identity Platform when employees are hired or rehired.
Choose password format - You can select one of the following formats for the password created for a newly onboarded user.
- Passphrase - Select the passphrase length to align with your identity platform's password policy. The password will be randomly generated based on the specified length and will include lowercase letters, one uppercase letter, and one numeric digit or one special character. If needed, you can opt to receive the password via email by mapping the Password attribute in the Communication Hub.
Figure 3. Choosing passphrase password length during Hiring or Rehiring for users in AD
- A common password for ALL Employees - Select the "A common password for ALL Employees" format. This option provides a text area where you can map values from the HR profile or enter a custom password. You can also apply conditions using Excel-style functions.
Figure 4. Choosing a common password during hiring or rehiring of a user in AD
- Unique System-generated password - Select the initial password length to align with your identity platform's password policy. The password will be randomly generated based on the specified length and will include at least one lowercase letter, one uppercase letter, one numeric digit, and one special character. If needed, you can opt to receive the password via email by mapping the Password attribute in the Communication Hub.
Figure 5. Choosing system-generated password length during Hiring or Rehiring for users in AD
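The following Python is an added illustration, not Hire2Retire's own code, of what the two random formats above guarantee and how the keyspace of each grows with the configured length. The set of special characters, and the reading of "one numeric digit or one special character" as a fair coin flip between the two classes, are assumptions; the generator draws from the OS CSPRNG via `secrets`, which is what any initial-password generator should do.

```python
import math
import secrets
import string
from itertools import combinations

# Character classes. SPECIAL is a constructed set; align it with the target
# platform's password policy before use.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+"
CLASSES = {"lower": LOWER, "upper": UPPER, "digit": DIGITS, "special": SPECIAL}


def _secure_shuffle(chars):
    """Fisher-Yates shuffle driven by the OS CSPRNG (random.shuffle is not)."""
    chars = list(chars)
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def generate_passphrase(length):
    """Passphrase format: lowercase letters plus exactly one uppercase letter
    and exactly one digit-or-special character, at random positions."""
    if length < 3:
        raise ValueError("passphrase length must be at least 3")
    # Assumption: a fair coin decides whether the single non-letter
    # character is a digit or a special character.
    non_letter = DIGITS if secrets.randbelow(2) == 0 else SPECIAL
    required = [secrets.choice(UPPER), secrets.choice(non_letter)]
    filler = [secrets.choice(LOWER) for _ in range(length - len(required))]
    return _secure_shuffle(required + filler)


def generate_system_password(length):
    """System-generated format: at least one character from every class."""
    if length < len(CLASSES):
        raise ValueError("system password length must be at least 4")
    required = [secrets.choice(cls) for cls in CLASSES.values()]
    pool = "".join(CLASSES.values())
    filler = [secrets.choice(pool) for _ in range(length - len(required))]
    return _secure_shuffle(required + filler)


def char_class_counts(password):
    """Count the characters of each class; used to verify generator output."""
    return {name: sum(1 for ch in password if ch in cls) for name, cls in CLASSES.items()}


def meets_policy(password, min_length, require_all_classes=True):
    """Check a password against a simple platform policy."""
    if len(password) < min_length:
        return False
    counts = char_class_counts(password)
    return (not require_all_classes) or all(counts[name] >= 1 for name in CLASSES)


def passphrase_keyspace_bits(length):
    """Exact log2 of the number of distinct passphrases of this length:
    positions of the uppercase and non-letter characters, their values,
    and the lowercase filler."""
    count = (length * (length - 1) * len(UPPER) * (len(DIGITS) + len(SPECIAL))
             * len(LOWER) ** (length - 2))
    return math.log2(count)


def system_keyspace_bits(length):
    """log2 of the number of strings over the full pool that contain at
    least one character of each class (inclusion-exclusion over classes)."""
    sizes = [len(cls) for cls in CLASSES.values()]
    pool = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        for excluded in combinations(sizes, k):
            count += (-1) ** k * (pool - sum(excluded)) ** length
    return math.log2(count)


if __name__ == "__main__":
    for n in (8, 12, 16):
        print(n, generate_passphrase(n), round(passphrase_keyspace_bits(n), 1),
              generate_system_password(n), round(system_keyspace_bits(n), 1))
```

The keyspace functions show why the two formats need different lengths: each extra passphrase character is drawn from 26 lowercase letters (about 4.7 bits), while each extra system-generated character is drawn from the full pool (about 6.2 bits with the set above), so a passphrase must be noticeably longer to match the strength of a system-generated password of a given length.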
Select User Account Control - From the dropdown, select the user account control value to assign to the user in the Identity Platform during onboarding. The user account control options available in Hire2Retire are:
- 512 - Account Enabled: The user account is active and enabled.
- 66048 - Account Enabled, Password Never Expires: The user account is active and enabled, with the password set to never expire.
Require user to change their password when they first sign in - This checkbox prompts the user to change their password upon initial login. It is selected by default. You can unselect it to not require the user to change their password.

Temporary Access Pass - This checkbox appears only when using Entra ID. It is used to generate a Temporary Access Pass (TAP) when a user is created in the Azure portal.
- You can set the duration for which the TAP is valid, allowing the employee to log in once or multiple times within that time period.
- To use this feature, the application must have the UserAuthenticationMethod.ReadWrite.All permission.
- If a service provider connection is selected, the user must have the Authentication Administrator role.
For more details on how to add these permissions and roles, please check Entra ID.
Write back work email to HR system during new hire/rehire process - This feature is compatible only with specific API-based HR systems. If enabled, the Identity Platform generates work email addresses for newly onboarded employees and records them in the "Business Email" field in the HR application.
For rehired employees, updating the work email in the HR system requires deselecting the "Primary Email" field from the non-updatable fields. By default, this field is non-updatable. Once deselected, you can update the email in the Identity Platform, and the new email address will be recorded in the "Business Email" field in the HR application.

Exclude Employee Attributes on Rehiring - The workflow updates employee attributes on rehiring if any attributes have changed in the HR platform. You can select not to change some attributes during rehiring.

Group Membership Handling During Rehire - This setting controls how group memberships are updated when an employee is rehired. Groups added manually (not through Hire2Retire) are preserved. Only groups defined in the group membership step are added or removed based on configured conditions.
Onboard & Hire¶
Select the time to execute Onboard and Hire - This field allows you to select when the Onboarding or Hire event should occur. You can use the lookup table to define conditional logic based on employee attributes. If the conditions are met, the chosen timestamp will be applied. If not, the event will default to the pre-set timestamp.

Days in advance of start date to onboard employee - This field enhances the onboarding experience for the IT team. Select the number of days before the start date when you want Hire2Retire to create the employee account. If this number depends on details like 'Department' or 'Location,' you can use the lookup table icon to define conditional logic based on employee attributes and set different rules for different situations.

By default, employee is created in a disabled state, uncheck to enable employee upon creation - This checkbox is visible when you select any number of days from the dropdown 'Days in advance of start date to onboard employee'. This checkbox ensures that the user is created in a disabled state during the onboard event. It is selected by default. You can unselect it to create the user in an enabled state.

Time in advance of start date time to enable the account - This checkbox is visible when you select any number of days from the dropdown 'Days in advance of start date to onboard employee'. The checkbox (highlighted in blue) is used to select the time (4, 8, or 12 hours) before the start date time to enable the account.

By default, an employee’s password is reset upon rehire, and Hire2Retire automatically restores the mailbox and OneDrive configurations that were modified during the termination process, including converting the shared mailbox back to a user mailbox, revoking previously granted access, removing auto-reply messages, and disabling email forwarding.
Change of Profile or Role¶
This section defines how user attributes and access are updated when employee details change in the HR system.
Group Membership Handling During Profile Update¶
This setting controls how group memberships are updated when an employee’s profile or role changes. The group memberships of the employee profile will be updated during the Change of Profile or Role operation based on the selections below.
Retain all groups NOT defined in group mapping automation - Groups added manually (not through Hire2Retire) are preserved. Only groups defined in the group membership step are added or removed based on configured conditions.
Retain ALL existing groups - None of the existing group memberships will be removed, and only new group memberships will be added.
Do not retain any existing groups - All existing group memberships will be removed, and new group memberships will be added.
Retain below selected groups - The selected group memberships will not be removed; the rest will be removed, and new group memberships will be added.

In a multi-domain controller setup, when selecting the 'Retain below selected groups' option under 'Handling of group memberships', you can select Groups for any of the base DNs in your AD.

Handle group type specific membership¶
This setting allows you to define individual rules for each group type, enabling more precise control over group membership handling. Instead of applying one common rule, you can configure specific retention logic per group type. This is especially useful during the employee update, termination and leave lifecycles, where different groups may require different treatment. It ensures flexibility and better alignment with organizational policies.
When both a common rule and group type-specific rules are configured, the group type-specific rule takes precedence over the common (whitelist) group membership rule.


Transition Period
The transition period defines how long an employee’s existing group memberships from their previous role will be retained after a role change. When the role change event occurs, Hire2Retire immediately assigns any new groups required for the employee’s updated role. Once the transition period expires, Hire2Retire applies standard group membership rules and removes any groups that no longer apply. To configure a transition period, first select the attributes that determine the employee’s role. After selecting the attributes, you can set the transition duration and define how group memberships should be managed during this period.

Exclude Employee Attributes on Updating - The selected attributes will not be considered when updating an employee profile.
Write back work email to HR system when mail is updated - This feature is compatible only with specific API-based HR systems. If this option is available and selected in your workflow, the Identity Platform updates the email and the change is reflected in the "Business email" field in the HR application.
Note that the primary email field is set as non-updatable by default. However, you can deselect this field under "Exclude Employee Attribute(s) on Updating" to update the email information in the Identity Platform.

Termination¶
This operation terminates user accounts in the Identity Platform when employees are terminated in the HR system.
Choose OU for terminated user - All terminated users will be moved to the selected Organizational Unit (OU). By default, the "Do not change OU" option is selected which does not change the OU of the user upon termination.

Selected attributes will be purged on rescind - All the selected Identity Platform attributes will be purged upon rescind. The values of unselected attribute(s) are preserved.

Set Description on termination - Users can choose to add a description on employee's profile upon termination. This is an optional field. You can use the lookup table to define conditional logic based on employee attributes. If the conditions are satisfied, the specified description will be applied. If not, the default description will be used.

Note: The Set Description on Termination feature will not work if the description attribute has been selected for purging or excluded from updates on termination.
If you have enabled 'Enable onboarding, future hires and scheduled terminations' on the Application page, the options below are also provided in the design.
Scheduled Terminations¶
Employee termination time - Choose a preferred time to schedule the termination record of the employee. The lookup table allows you to define conditional logic based on employee attributes. The termination event will take place at the scheduled time.
With the lookup table (highlighted in red), you can set conditions based on attribute values. If the conditions are satisfied, the specified timestamp will be applied. If not, the event will use the default timestamp.

Day(s) to terminate after the last day worked - Select the number of day(s) by which you want to delay the offboarding of an employee after their termination date. The lookup table allows you to define conditional logic based on employee attributes. By default, the None option is selected; you can modify it as per your requirements.
Using the lookup table (highlighted in red), you can set conditions based on attribute values. If the conditions are satisfied, the number of days specified will be applied. If not, the event will use the default number of days.

Support Immediate Termination - Based on the configured conditions, the employee will be terminated immediately, irrespective of the last working day.

Reset MFA on Termination - Removes the authentication methods configured for the user. Currently, Hire2Retire removes the following authentication methods:
- Microsoft Authenticator
- Voice calls
- SMS
- Software OATH tokens
- Windows Hello for Business

Group Membership Handling During Termination¶
This setting controls how group memberships are updated during employee termination. The group memberships will be updated upon terminating an employee profile based on the below selection.
Remove ALL assigned groups - All assigned group memberships will be removed.
Retain ALL assigned groups - None of the existing group memberships will be removed.
Remove selected groups - The selected group memberships will be removed, the rest will be preserved as is.
Retain selected groups - The selected group memberships will be preserved; the rest will be removed.

Handle group type specific membership¶
This setting allows you to define individual rules for each group type, enabling more precise control over group membership handling. Instead of applying one common rule, you can configure specific retention logic per group type. This is especially useful during the employee update, termination and leave lifecycles, where different groups may require different treatment. It ensures flexibility and better alignment with organizational policies.
When both a common rule and group type-specific rules are configured, the group type-specific rule takes precedence over the common (whitelist) group membership rule.


Remove directly assigned Microsoft licenses - All directly assigned Microsoft licenses will be removed from the user. If this option is unchecked, directly assigned licenses will not be modified.
To use this feature, the application must have the LicenseAssignment.ReadWrite.All permission.
For more details on how to add these permissions and roles, please check Entra ID.

Note: For Hybrid AD flows, the checkbox "Remove directly assigned Microsoft licenses" will only be visible when the 'Entra ID Security Groups' option is selected on the application page.

Revoke Sign-In Sessions - By default, Hire2Retire revokes all active Microsoft sign-in sessions associated with that user on termination. This ensures that the user is immediately signed out of active Microsoft sessions.
Note: For Hybrid AD workflows, revoking Microsoft sign-in sessions will only work when Entra ID Security Groups checkbox is enabled on the application page.
Give another user access to OneDrive - An employee's OneDrive can be shared with another user upon termination. For more information click here.
Convert user mailbox to shared mailbox - The employee’s mailbox will be converted to a shared mailbox upon termination. For more information click here.


In a multi-domain controller setup, when selecting the 'Retain selected groups' and 'Remove selected groups' option under 'Handling of group memberships', you can select Groups for any of the base DNs in your AD.

Aging Period to delete account after the "Last Working Day" - The user account will be deleted from the Identity Platform after the specified aging period. Terminated employee accounts that match the configured criteria are deleted after the matching aging period; if none of the criteria match, the default aging period is used.
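The onboarding and termination timings above all follow the same lookup-table pattern: ordered rows of attribute conditions, the first matching row's value, and a default when nothing matches. The Python below is an added example (not Hire2Retire's own code) that models that pattern and applies it to the 'Days in advance of start date', 'Time in advance of start date time to enable the account', 'Employee termination time', 'Day(s) to terminate after the last day worked', 'Support Immediate Termination' and 'Aging Period' settings. The rule format (exact attribute equality), the sample employees and the sample configuration values are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta


@dataclass
class Rule:
    """One lookup-table row: every attribute in `conditions` must match."""
    conditions: dict
    value: object


@dataclass
class LookupTable:
    """Ordered rows with a default; the first matching row wins."""
    rules: list
    default: object

    def resolve(self, employee):
        for rule in self.rules:
            if all(employee.get(attr) == wanted for attr, wanted in rule.conditions.items()):
                return rule.value
        return self.default


def onboard_schedule(employee, start_at, days_in_advance, hours_before_enable, create_disabled=True):
    """Return (create_at, created_disabled, enable_at) for a new hire.
    The account is created `days_in_advance` days before the start date and,
    when created disabled (the default), enabled `hours_before_enable` hours
    before the start date time."""
    create_at = start_at - timedelta(days=days_in_advance.resolve(employee))
    if create_disabled:
        enable_at = start_at - timedelta(hours=hours_before_enable.resolve(employee))
    else:
        enable_at = create_at
    return create_at, create_disabled, enable_at


def termination_schedule(employee, last_day_worked, now, immediate, delay_days,
                         termination_time, aging_days):
    """Return (terminate_at, delete_at). `immediate` is a lookup table of
    booleans; a True result terminates now, ignoring the last working day."""
    if immediate.resolve(employee):
        terminate_at = now
    else:
        effective_day = last_day_worked + timedelta(days=delay_days.resolve(employee))
        terminate_at = datetime.combine(effective_day, termination_time.resolve(employee))
    delete_at = terminate_at + timedelta(days=aging_days.resolve(employee))
    return terminate_at, delete_at


# Constructed sample configuration, one lookup table per setting.
DAYS_IN_ADVANCE = LookupTable([Rule({"Department": "Engineering"}, 5)], default=2)
HOURS_BEFORE_ENABLE = LookupTable([], default=4)
IMMEDIATE = LookupTable([Rule({"EmployeeType": "Contractor"}, True)], default=False)
DELAY_DAYS = LookupTable([Rule({"Location": "Remote"}, 0)], default=1)
TERMINATION_TIME = LookupTable([], default=time(18, 0))
AGING_DAYS = LookupTable([Rule({"Department": "Finance"}, 90)], default=30)

# Constructed sample HR records and reference times.
ENGINEER = {"Department": "Engineering", "Location": "Boston", "EmployeeType": "Employee"}
SALES = {"Department": "Sales", "Location": "Remote", "EmployeeType": "Employee"}
CONTRACTOR = {"Department": "Finance", "Location": "Boston", "EmployeeType": "Contractor"}
SAMPLE_START_AT = datetime(2024, 6, 3, 9, 0)
SAMPLE_LAST_DAY = date(2024, 6, 28)
SAMPLE_NOW = datetime(2024, 6, 28, 10, 0)

if __name__ == "__main__":
    print(onboard_schedule(ENGINEER, SAMPLE_START_AT, DAYS_IN_ADVANCE, HOURS_BEFORE_ENABLE))
    print(termination_schedule(ENGINEER, SAMPLE_LAST_DAY, SAMPLE_NOW, IMMEDIATE, DELAY_DAYS,
                               TERMINATION_TIME, AGING_DAYS))
```

Keeping the default row last and the most specific rows first mirrors how the lookup table is evaluated; a row with an empty condition set matches every employee, so placing one above more specific rows silently disables them.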

Exclude Employee Attributes on Terminating - The workflow updates employee attributes on termination if any attributes have changed in the HR platform. You can select attributes that should not be changed on termination.

Note - By default, the manager attribute will be purged. Additionally, if the attribute ms-Exch-Hide-From-Address-Lists (msExchHideFromAddressLists) in Active Directory or showInAddressList in Azure AD is included in your attribute list, the user will be removed from the corresponding list.
Leave¶
An organization can have multiple types of leave for its employees. Hire2Retire supports multiple types of leave, and each leave type can be configured to handle employee access differently, based on your requirements.
- Long-Term Leave: Long-term leave refers to an extended period off from work, usually beyond a few weeks or months. It could be due to medical reasons, maternity/paternity leave, sabbaticals, or other personal reasons. It is a general leave type currently supported in Hire2Retire.
- FMLA (Family and Medical Leave Act): FMLA is a federal law in the United States that entitles eligible employees of covered employers to take unpaid, job-protected leave for specified family and medical reasons with continuation of group health insurance coverage under the same terms and conditions as if the employee had not taken leave.
- Legal Leave: Legal leave refers to a type of leave that is granted to an employee as required or protected by law. This could include leave for jury duty, military service, voting, or other legally mandated absences.
- Security and Disciplinary Leave: Security and Disciplinary Leave is a type of leave that is imposed as a result of disciplinary action taken against an employee for misconduct or violation of company policies.
Depending on the leave types chosen, you can configure the properties below. You can configure one or more leave types as needed.
If you have selected an ATS System, then you will not be provided with the leave operation.
Disable User - (Optional) Select the Disable User checkbox to disable the user's account while they are on leave.
Choose OU - Choose the OU which you want to configure for an employee who is on long-term leave. You can choose "Do not change OU" from the dropdown if you do not want to change an OU.
Group Membership Handling During Leave¶
This setting controls how group memberships are updated when an employee is on leave.
Retain all groups NOT defined in group mapping automation - Groups added manually (not through Hire2Retire) are preserved. Only the groups mapped in the group membership step are added or removed according to the conditions specified in that step.
Retain ALL assigned groups - None of the existing group memberships will be removed.
Remove ALL assigned groups - All the existing group memberships will be removed.
Retain selected groups - The selected group memberships will be preserved when an employee is on long-term leave, the rest will be removed.
Remove selected groups - The selected group memberships will be removed when an employee is on leave, the rest will be preserved as it is.


In a multi-domain controller setup, when selecting the 'Retain selected groups' and 'Remove selected groups' options under 'Handling group memberships', you can select Groups for any of the base DNs in your AD.


Handle group type specific membership¶
This setting allows you to define individual rules for each group type, enabling more precise control over group membership handling. Instead of applying one common rule, you can configure specific retention logic per group type. This is especially useful during the employee update, termination and leave lifecycles, where different groups may require different treatment. It ensures flexibility and better alignment with organizational policies.
When both a common rule and group type-specific rules are configured, the group type-specific rule takes precedence over the common (whitelist) group membership rule.
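The group membership handling options for profile updates, termination and leave, the group type-specific override described above, and the role-change transition period all reduce to one reconciliation rule per existing group. The Python below is an added example, not Hire2Retire's own code, that computes the resulting membership set for each of those options. The mode names, the group-type labels and the sample directory state are constructed for the example; the `in_transition` flag models the transition period, during which previous-role groups are kept while new-role groups are added.

```python
from enum import Enum


class GroupMode(Enum):
    """Handling options from the group membership dropdowns (names assumed)."""
    RETAIN_NOT_IN_AUTOMATION = "Retain all groups NOT defined in group mapping automation"
    RETAIN_ALL = "Retain ALL assigned groups"
    REMOVE_ALL = "Remove ALL assigned groups"
    RETAIN_SELECTED = "Retain selected groups"
    REMOVE_SELECTED = "Remove selected groups"


def _keep_existing(group, mode, selected, automation_managed):
    """Decide whether an existing group that the mapping step does not
    currently require survives the lifecycle event."""
    if mode is GroupMode.RETAIN_ALL:
        return True
    if mode is GroupMode.REMOVE_ALL:
        return False
    if mode is GroupMode.RETAIN_SELECTED:
        return group in selected
    if mode is GroupMode.REMOVE_SELECTED:
        return group not in selected
    if mode is GroupMode.RETAIN_NOT_IN_AUTOMATION:
        # Manually added groups are preserved; automation-managed ones are
        # only kept if the mapping step still wants them.
        return group not in automation_managed
    raise ValueError(f"unknown mode {mode}")


def reconcile_groups(current, mapped_now, automation_managed, common_mode,
                     selected=frozenset(), group_types=None, type_rules=None,
                     in_transition=False):
    """Return the group set the account should hold after the event.

    current            groups the account holds today
    mapped_now         groups the group membership step says it should hold now
    automation_managed every group the mapping step can ever assign
    common_mode        the common handling rule
    selected           the group list used by the *_SELECTED modes
    group_types        group -> type label (e.g. "security", "distribution")
    type_rules         type label -> GroupMode; overrides common_mode
    in_transition      transition period after a role change still running
    """
    group_types = group_types or {}
    type_rules = type_rules or {}
    result = set(mapped_now)  # groups required by the new role are always added
    for group in current:
        if group in mapped_now:
            continue
        if in_transition:
            result.add(group)  # previous-role groups survive until the period expires
            continue
        mode = type_rules.get(group_types.get(group), common_mode)
        if _keep_existing(group, mode, selected, automation_managed):
            result.add(group)
    return frozenset(result)


# Constructed sample directory state: an engineer moving to finance.
GROUP_TYPES = {
    "eng-all": "security", "vpn-users": "security", "legacy-app": "security",
    "finance-all": "security", "boston-office": "distribution",
    "sharepoint-finance": "m365",
}
AUTOMATION_MANAGED = frozenset({"eng-all", "boston-office", "vpn-users", "finance-all"})
CURRENT = frozenset({"eng-all", "boston-office", "vpn-users", "legacy-app"})  # legacy-app was added by hand
NEW_ROLE_GROUPS = frozenset({"vpn-users", "sharepoint-finance", "finance-all"})

if __name__ == "__main__":
    print(sorted(reconcile_groups(CURRENT, NEW_ROLE_GROUPS, AUTOMATION_MANAGED,
                                  GroupMode.RETAIN_NOT_IN_AUTOMATION, group_types=GROUP_TYPES)))
    print(sorted(reconcile_groups(CURRENT, frozenset(), AUTOMATION_MANAGED,
                                  GroupMode.REMOVE_SELECTED, selected={"vpn-users"},
                                  group_types=GROUP_TYPES,
                                  type_rules={"security": GroupMode.REMOVE_ALL})))
```

For termination and leave, `mapped_now` is empty, so the function only decides which existing groups survive; passing a type rule such as `{"security": GroupMode.REMOVE_ALL}` shows the precedence described above, where the type-specific rule strips every security group while the common rule still governs the others.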


Give another user(s) access to OneDrive - An employee's OneDrive can be temporarily shared with another user(s) during their leave. For more information click here.

Convert user mailbox to shared mailbox - The mailbox of the employee will be temporarily converted to a shared mailbox during their leave. For more information click here.

Exclude Employee Attribute - If there is any data that should not be updated, then you can check those attributes from the multi-select checklist when an employee is on leave.

MFA Policy Enforcement¶
To secure user sign-in events in Microsoft Entra ID, you can configure Microsoft Entra multifactor authentication (MFA). Hire2Retire enables you to configure multi-factor authentication (MFA) settings for users. You can also define MFA configuration based on user attributes.
Ability to assign MFA status based on user attributes (Conditional Access) is a Microsoft Entra ID P1 or P2 feature. Hire2Retire offers this capability without the need for any Entra ID plan.
MFA Policy Enforcement is supported in Entra ID and Hybrid AD flows.

The MFA Policy Enforcement dropdown will be disabled if your Entra ID connection does not have the required privilege to edit MFA policy. To assign the required privilege to the connection follow the steps below:

You can select the desired MFA state from the drop-down menu for the users.
- Enforced: Multi-Factor Authentication (MFA) is mandatory, and the user cannot access Microsoft services without configuring it.
- Enabled: MFA is activated, and the user will be prompted to set it up. However, it can be skipped for a period, depending on the Azure administrator's policy.
- Disabled: MFA is not active and does not require setup.
- Do Not Change: Hire2Retire will not change the MFA state.
You can define rules based on employee attributes like Department to assign different MFA states to different users.
