Rippling + Microsoft Entra ID integration: Simplifying hybrid user lifecycle management

Published Dec 3, 2024

Managing user identities when you’re dealing with a hybrid IT environment can feel like juggling a dozen spinning plates. It’s a common scenario for many businesses today, balancing legacy on-premises systems with modern cloud solutions. When not monitored closely by skilled IT professionals, it can be a huge challenge.

Each change or new user needs to be mirrored in both environments, and if even one piece falls out of sync, it can lead to major headaches—everything from access issues to potential security breaches. Let’s not forget the tedious nature of individually provisioning accounts for new hires, manually removing user access during offboarding, and relying on HR to communicate workforce changes in a timely fashion. 

It’s time to evolve. We are proud to announce we’ve expanded our integration with Microsoft. In addition to our existing offerings, like our integrations with Microsoft Entra ID and Microsoft 365, Rippling now works with companies that have on-premises Microsoft Active Directory (AD) instances to automate hybrid user account provisioning and streamline the user lifecycle. Rippling now integrates with Microsoft Entra ID API-driven provisioning to deliver event-based management of hybrid user accounts in on-premises AD. This integration sets the foundation for automating Joiner-Mover-Leaver processes using Microsoft Entra ID Governance.

“Many businesses rely on hybrid environments with on-premises Active Directory and Microsoft Entra ID today. Being able to automate provisioning and deprovisioning accounts over the user lifecycle reduces manual work and fills in potential security gaps associated with traditional manual onboarding and offboarding,” says Anique Drumright, VP of Product for Rippling IT.

Why an integration between Microsoft Entra ID, on-premises Active Directory and your HRIS just makes sense

Many organizations today use Microsoft Entra ID in a hybrid environment, where user accounts are managed in on-premises AD and these accounts are periodically synchronized to Microsoft Entra ID. Without an integration between Microsoft Entra ID, on-premises AD and your Human Resource Information System (HRIS), both systems end up siloed. IT admins are forced to manually update data in on-premises AD as changes are made in the HRIS. Then they are required to manually create and suspend these accounts each time a new employee joins or leaves the company. This isn’t sustainable for a few reasons:

  • Security risks: People make mistakes, and this process is prone to human error. Updates may be missed or entries may be inaccurate. Employees might have the wrong levels of access for their role, or even worse, offboarded employees might wave goodbye and take sensitive company data with them.
  • Heavy administrative burden: IT admins must manually reconcile systems, provision and deprovision accounts, and work closely with HR to flag changes in the HRIS that need to be addressed. This can easily eat up hours in your day each week. 
  • Friction with HR: Data needs to be manually communicated between HR and IT, which requires good communication, but also risks changes slipping through the cracks. Not to mention employees might end up not having what they need to do their jobs, which could negatively impact morale and productivity. 

Few companies have pre-built integrations or support for hybrid environments, so you may be used to handling Microsoft Entra ID and on-premises AD users manually—but there’s a better way.

Automate account provisioning by integrating Rippling with Microsoft Entra ID and on-premises Active Directory

Rippling and Microsoft have collaborated to build a seamless integration between the Rippling HRIS and your hybrid setup of Microsoft Entra ID and on-premises AD, utilizing an event-based API and the Microsoft Entra Connect provisioning agent.

This eliminates the burden of managing your hybrid identities without requiring time-intensive custom integration builds, developer resources, or a large IT team. Instead, you can seamlessly integrate the two systems in just a few minutes.

Picture this: A new hire is added to Rippling, automatically triggering the creation of an on-premises AD account. This trigger then provisions all of their downstream access through Microsoft Entra ID, including enterprise apps backed by a zero-trust security model. This means IT admins can use Microsoft Entra ID capabilities like conditional access, identity protection, and identity governance to improve their security posture. 

"With this deep provisioning integration between Rippling and Microsoft Entra ID, our mutual customers worldwide can confidently automate access to applications in their hybrid IT environments and enforce robust identity governance policies, enhancing their security and compliance posture," said Manmeet Bawa, Partner Director of Product Management at Microsoft.

By integrating Rippling with their hybrid Microsoft Entra ID and on-premises AD environments, IT admins can now automate user lifecycle management based on employee data. This integration means new hires are productive on their first day, and offboarded employees lose access on their last day. IT admins can sleep better knowing access is automatically provisioned (and deprovisioned) based on traditional HR events. 

  • Automated employee onboarding: Build custom access policies to define exactly who should get an on-premises AD account and set a precise time/day for access to start. Rippling will then automatically create an on-premises AD user account for new hires based on your policies.
  • Secure employee offboarding: When a user is offboarded in Rippling, their on-premises AD user account will automatically get disabled. No need to worry about offboarded employees slipping through the cracks or retaining access.
  • Automated employee profile updates: When updates are made to an employee record in Rippling like name, title, and manager changes, an API call will immediately be triggered to make the corresponding changes to their Active Directory user account. That keeps your HR and IT sources of truth in sync, automatically.
  • Customized attribute mapping: Configure the default attribute mapping to modify exactly which Rippling values are associated with existing Microsoft Entra ID attributes. You can also update your Microsoft Entra ID attribute mapping page, prompting Rippling to update its attribute page accordingly—and link the newly imported field to a Rippling attribute.

Embrace one source of truth for user identities + access

In addition to Microsoft Entra ID and on-premises AD, you can take advantage of Rippling Identity & Access Management to manage account provisioning, group membership, data syncing, and custom workflows in 600+ pre-built integrations, plus custom SAML and SCIM apps. You can learn more about Rippling IT or schedule a live tour to see the integration for yourself.

This blog is based on information available to Rippling as of December 3, 2024.

last edited: December 3, 2024

Author

Ferheen Chaudhry

Product Lead

Ferheen Chaudhry is a product lead with nearly a decade of experience, dedicated to creating customer-centric solutions.