What is the joiner-mover-leaver process?
Joiner-mover-leaver (JML) is the identity lifecycle management framework that describes how user access is managed across three fundamental events. It is the operational backbone of any identity governance program.
Joiner
Someone joins the organization. An account is created, role-appropriate access is granted, and the person is productive from day one.
Mover
Someone changes roles, departments, or locations. Old access is removed. New access is granted. Nothing is left over from the previous role.
Leaver
Someone leaves the organization. All access is removed promptly. The account is disabled and fully deprovisioned. No orphaned permissions remain.
The joiner process
A good joiner process is predictable and consistent. The new employee gets exactly what their role requires — not more, not less — and they get it before their first day, not a week after.
In Entra ID environments, joiner automation typically includes:
- Create the Entra ID account with the right properties (department, job title, manager)
- Assign Microsoft 365 and other licenses appropriate to the role
- Add the user to the correct security groups and distribution lists
- Provision access to Entra ID-integrated applications (the portal still labels some of these "Azure AD" in older documentation)
- In hybrid environments, create the account in on-premises Active Directory and let Entra Connect or cloud sync provision the matching Entra ID object; AD remains the source of authority for synced accounts, so attribute changes for those users belong in AD rather than in the cloud
- Trigger any additional onboarding workflows (welcome email, IT ticket for hardware, etc.)
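As an added example (not code from the original article or from any vendor named in it), the steps above for a cloud-only account with the Microsoft Graph PowerShell SDK. The role profiles, group IDs, licence SKU IDs, tenant domain and the HR record are constructed placeholders; look up real SKU IDs with Get-MgSubscribedSku and real group IDs in your tenant.

```powershell
# Added example: cloud-only joiner flow with the Microsoft Graph PowerShell SDK.
# All IDs, the domain and the HR record below are placeholders, not real tenant data.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All', 'Directory.ReadWrite.All', 'Organization.Read.All' -NoWelcome

# Role-based access profile: the single place that states what a role is entitled to. (Assumed IDs.)
$RoleProfiles = @{
    'Developer' = @{
        Groups   = @('11111111-0000-0000-0000-000000000001')   # SG-Developers
        Licenses = @('00000000-0000-0000-0000-00000000aaaa')   # SkuId from Get-MgSubscribedSku
    }
    'Finance' = @{
        Groups   = @('22222222-0000-0000-0000-000000000001')   # SG-Finance
        Licenses = @('00000000-0000-0000-0000-00000000bbbb')
    }
}

# Constructed HR record, shaped like what an HR-triggered workflow would hand over.
$HrRecord = [pscustomobject]@{
    GivenName = 'Alex'; Surname = 'Rivera'; Role = 'Developer'
    Department = 'Engineering'; JobTitle = 'Software Engineer'
    ManagerUpn = 'jordan.lee@contoso.example'; UsageLocation = 'US'
}

function Add-LogEntry($List, $Action, $Target) {
    $List.Add([pscustomobject]@{ Time = (Get-Date).ToString('o'); Action = $Action; Target = $Target })
}

function New-JoinerAccount {
    param([Parameter(Mandatory)]$Hr, [Parameter(Mandatory)][hashtable]$Profiles)

    # Refuse to provision a role nobody has defined: an undefined profile is how ad-hoc access starts.
    $profile = $Profiles[$Hr.Role]
    if (-not $profile) { throw "No access profile defined for role '$($Hr.Role)'; refusing to guess." }

    $log   = [System.Collections.Generic.List[object]]::new()
    $alias = ('{0}.{1}' -f $Hr.GivenName, $Hr.Surname).ToLower()
    $upn   = "$alias@contoso.example"   # placeholder domain

    # Random initial password, forced to change at first sign-in; deliver it out of band, never in the ticket.
    $pool    = [char[]]'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#$%&*'
    $initial = -join (1..20 | ForEach-Object { $pool | Get-Random })

    $user = New-MgUser -DisplayName "$($Hr.GivenName) $($Hr.Surname)" -GivenName $Hr.GivenName -Surname $Hr.Surname `
        -UserPrincipalName $upn -MailNickname $alias -AccountEnabled `
        -Department $Hr.Department -JobTitle $Hr.JobTitle -UsageLocation $Hr.UsageLocation `
        -PasswordProfile @{ Password = $initial; ForceChangePasswordNextSignIn = $true }
    Add-LogEntry $log 'CreateUser' $upn

    # Manager is a navigation reference, not a plain attribute on the user object.
    $manager = Get-MgUser -UserId $Hr.ManagerUpn -Property Id
    Set-MgUserManagerByRef -UserId $user.Id -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($manager.Id)" }
    Add-LogEntry $log 'SetManager' $Hr.ManagerUpn

    foreach ($gid in $profile.Groups) {
        New-MgGroupMember -GroupId $gid -DirectoryObjectId $user.Id
        Add-LogEntry $log 'AddGroupMember' $gid
    }

    # UsageLocation must already be set or licence assignment is rejected.
    $add = @($profile.Licenses | ForEach-Object { @{ SkuId = $_ } })
    Set-MgUserLicense -UserId $user.Id -AddLicenses $add -RemoveLicenses @() | Out-Null
    Add-LogEntry $log 'AssignLicenses' ($profile.Licenses -join ',')

    [pscustomobject]@{ UserId = $user.Id; Upn = $upn; Log = $log }
}

$result = New-JoinerAccount -Hr $HrRecord -Profiles $RoleProfiles
$result.Log | Format-Table -AutoSize
```

Two hires with the same role get byte-for-byte the same access because both flow through the same profile, which is the consistency point the paragraph above makes. Where licences are assigned through group-based licensing instead, drop the Set-MgUserLicense step and let the group membership carry it.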
The most common joiner failure: different admins follow different processes, resulting in inconsistent access across new hires with the same role. Automation eliminates this.
The mover process
Role changes are where access accumulates. An employee moves from Marketing to Engineering: they get Developer group membership added, but the Marketing distribution lists stay. They move again. Old access layers stack up.
A correct mover process:
1. Detects the role change, ideally triggered by the HR system
2. Identifies which access belongs to the old role and removes it
3. Identifies which access the new role requires and grants it
4. Logs the transition with a clear before/after access record
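The four steps above as one procedure, added here as an example (not code from the original article): the access diff is computed between two role profiles, memberships explained by neither role are surfaced for review instead of silently kept, and a before/after record is produced. Role names, group IDs and the user are constructed placeholders.

```powershell
# Added example: mover transition driven by the diff between two role-based access profiles.
# Group IDs, role names and the user below are placeholders, not real tenant data.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'User.Read.All', 'Group.ReadWrite.All' -NoWelcome

# Each role lists the groups it is entitled to. (Assumed IDs.)
$RoleProfiles = @{
    'Marketing' = @('aaaaaaaa-0000-0000-0000-000000000001',   # SG-Marketing
                    'cccccccc-0000-0000-0000-000000000001')   # SG-AllStaffTools, shared by both roles
    'Developer' = @('bbbbbbbb-0000-0000-0000-000000000001',   # SG-Developers
                    'cccccccc-0000-0000-0000-000000000001')   # shared: must survive the move, not be removed and re-added
}

function Invoke-MoverTransition {
    param(
        [Parameter(Mandatory)][string]$Upn,
        [Parameter(Mandatory)][string]$OldRole,
        [Parameter(Mandatory)][string]$NewRole,
        [Parameter(Mandatory)][hashtable]$Profiles
    )
    foreach ($r in $OldRole, $NewRole) {
        if (-not $Profiles.ContainsKey($r)) { throw "No access profile for role '$r'; refusing to guess." }
    }
    $oldSet = @($Profiles[$OldRole]); $newSet = @($Profiles[$NewRole])
    $user   = Get-MgUser -UserId $Upn -Property Id

    # Before snapshot: direct group memberships only (memberOf is not transitive).
    $before    = Get-MgUserMemberOfAsGroup -UserId $user.Id -All
    $beforeIds = @($before.Id)
    # Dynamic groups are rule-driven; members cannot be removed by hand, so they are excluded from removal.
    $dynamic   = @($before | Where-Object { $_.GroupTypes -contains 'DynamicMembership' } | ForEach-Object Id)

    # Remove: granted by the old role, not by the new one, and actually held.
    # Add: required by the new role and not yet held. Shared groups fall in neither set.
    $toRemove = @($oldSet | Where-Object { $_ -notin $newSet -and $_ -in $beforeIds -and $_ -notin $dynamic })
    $toAdd    = @($newSet | Where-Object { $_ -notin $beforeIds })
    # Held but explained by neither role: leftovers from an earlier role. Report them rather than keep them quietly.
    $unexplained = @($beforeIds | Where-Object { $_ -notin $oldSet -and $_ -notin $newSet })

    $actions = [System.Collections.Generic.List[object]]::new()
    foreach ($gid in $toRemove) {
        Remove-MgGroupMemberByRef -GroupId $gid -DirectoryObjectId $user.Id
        $actions.Add([pscustomobject]@{ Time = (Get-Date).ToString('o'); Action = 'RemoveGroup'; Group = $gid })
    }
    foreach ($gid in $toAdd) {
        New-MgGroupMember -GroupId $gid -DirectoryObjectId $user.Id
        $actions.Add([pscustomobject]@{ Time = (Get-Date).ToString('o'); Action = 'AddGroup'; Group = $gid })
    }

    # After snapshot, so the record shows exactly what changed and what was deliberately left alone.
    [pscustomobject]@{
        Upn = $Upn; OldRole = $OldRole; NewRole = $NewRole
        Before      = $beforeIds
        After       = @((Get-MgUserMemberOfAsGroup -UserId $user.Id -All).Id)
        Actions     = $actions
        Unexplained = $unexplained
    }
}

$record = Invoke-MoverTransition -Upn 'alex.rivera@contoso.example' -OldRole 'Marketing' -NewRole 'Developer' -Profiles $RoleProfiles
$record | ConvertTo-Json -Depth 4
```

The Unexplained list is the interesting output: on a tenant that has never run a mover process it is the accumulated access the next paragraph describes, and it gives the reviewer a concrete list to approve or strip rather than a vague "privilege creep" finding.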
Without automation, mover events are handled manually — if they are handled at all. Most organizations have employees carrying access from roles they held years ago. Auditors call this access accumulation or privilege creep.
The leaver process
The leaver process is the highest-risk area in the JML lifecycle. A former employee with active access is a security incident waiting to happen. In regulated environments, it is also a compliance finding.
What a complete leaver process covers in Entra ID:
- Disable the Entra ID account immediately on the termination date
- Revoke all active sessions and refresh tokens. Access tokens that were already issued keep working until they expire (by default roughly an hour) unless the client and resource support Continuous Access Evaluation, so disable plus revoke does not end every session at the same instant; plan the timing accordingly for privileged accounts
- Remove all group memberships — security groups, Microsoft 365 groups, distribution lists
- Remove application assignments and licenses, and any Entra directory role assignments or PIM eligibilities the account held
- Transfer ownership of any owned resources (OneDrive, Teams channels, shared mailboxes)
- Disable the Active Directory account if running hybrid; for synced accounts AD is the source of authority and the disabled state reaches Entra ID on the next sync cycle (30 minutes by default with Entra Connect), so revoke cloud sessions directly rather than waiting for it
- Log the full deprovisioning with timestamps for each action
- Schedule account deletion after the retention period defined in your policy
Disabling an account is not the same as deprovisioning it. Disabled accounts still hold group memberships and application assignments. Full deprovisioning removes everything. This is what auditors check.
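The leaver checklist above, plus the disabled-versus-deprovisioned check, as an added example (not code from the original article). It uses the Microsoft Graph PowerShell SDK; the UPN is a constructed placeholder. Groups that Graph cannot strip from the cloud side (dynamic groups, groups synced from AD, Exchange distribution lists and mail-enabled security groups) are logged as follow-ups rather than skipped silently, and the verification function returns what is still attached so the record can show an auditor a clean result.

```powershell
# Added example: leaver deprovisioning in Entra ID with the Microsoft Graph PowerShell SDK,
# followed by a verification that reports anything still attached to the disabled account.
# The UPN is a placeholder, not a real account.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'Directory.ReadWrite.All' -NoWelcome

function Invoke-LeaverDeprovisioning {
    param([Parameter(Mandatory)][string]$Upn)
    $log  = [System.Collections.Generic.List[object]]::new()
    $note = { param($Action, $Target, $Result)
              $log.Add([pscustomobject]@{ Time = (Get-Date).ToString('o'); Action = $Action; Target = $Target; Result = $Result }) }
    $user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, OnPremisesSyncEnabled

    # 1. Block sign-in. For a synced account AD is the authority: disable it there (Disable-ADAccount)
    #    and let sync carry the state across; here we only record that the step belongs in AD.
    if ($user.OnPremisesSyncEnabled) {
        & $note 'DisableAccount' $Upn 'FOLLOW-UP: account is synced from AD, disable it in AD'
    } else {
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
        & $note 'DisableAccount' $Upn 'OK'
    }

    # 2. Invalidate refresh tokens and session cookies. Already-issued access tokens keep working
    #    until expiry unless the client and resource support Continuous Access Evaluation.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    & $note 'RevokeSessions' $Upn 'OK'

    # 3. Group memberships. Three kinds cannot be removed through Graph from the cloud side.
    foreach ($g in Get-MgUserMemberOfAsGroup -UserId $user.Id -All) {
        $reason = $null
        if ($g.GroupTypes -contains 'DynamicMembership') { $reason = 'dynamic group, membership is rule-driven' }
        elseif ($g.OnPremisesSyncEnabled)                 { $reason = 'synced group, remove the member in AD' }
        elseif ($g.MailEnabled -and $g.GroupTypes -notcontains 'Unified') {
            $reason = 'distribution list or mail-enabled security group, use Remove-DistributionGroupMember in Exchange Online'
        }
        if ($reason) { & $note 'RemoveGroupMember' $g.DisplayName "FOLLOW-UP: $reason"; continue }
        Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id
        & $note 'RemoveGroupMember' $g.DisplayName 'OK'
    }

    # 4. Enterprise application assignments.
    foreach ($a in Get-MgUserAppRoleAssignment -UserId $user.Id -All) {
        Remove-MgUserAppRoleAssignment -UserId $user.Id -AppRoleAssignmentId $a.Id
        & $note 'RemoveAppRoleAssignment' $a.ResourceDisplayName 'OK'
    }

    # 5. Licences last: removing the Exchange licence starts the mailbox deletion grace period, so
    #    convert to a shared mailbox or apply a hold first if the data must be retained. Only directly
    #    assigned licences can be removed here; group-assigned ones drop with the group membership.
    $skus = @((Get-MgUserLicenseDetail -UserId $user.Id).SkuId)
    if ($skus.Count -gt 0) {
        Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $skus | Out-Null
        & $note 'RemoveLicenses' ($skus -join ',') 'OK'
    }
    return $log
}

function Test-LeaverDeprovisioned {
    # The auditor's question: is anything still attached to this disabled account?
    param([Parameter(Mandatory)][string]$Upn)
    $user = Get-MgUser -UserId $Upn -Property Id, AccountEnabled
    [pscustomobject]@{
        Upn            = $Upn
        AccountEnabled = $user.AccountEnabled
        Groups         = @(Get-MgUserMemberOfAsGroup -UserId $user.Id -All | Select-Object -ExpandProperty DisplayName)
        AppRoles       = @(Get-MgUserAppRoleAssignment -UserId $user.Id -All | Select-Object -ExpandProperty ResourceDisplayName)
        Licenses       = @((Get-MgUserLicenseDetail -UserId $user.Id).SkuPartNumber)
    }
}

$leaver = 'alex.rivera@contoso.example'
$log = Invoke-LeaverDeprovisioning -Upn $leaver
$log | ConvertTo-Json -Depth 3 | Set-Content -Path ".\leaver-$leaver-$(Get-Date -Format yyyyMMdd).json"
Test-LeaverDeprovisioned -Upn $leaver
```

Every FOLLOW-UP line in the log is a step that still has to happen in AD or Exchange Online; a deprovisioning record with open follow-ups is exactly the "disabled but not deprovisioned" state the paragraph above warns about, and Test-LeaverDeprovisioned should come back with empty Groups, AppRoles and Licenses before the ticket is closed.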
Automating JML in Microsoft Entra ID
Full JML automation requires an HR integration and a governance layer. The typical automation architecture:
HR system as source of truth
Your HR system (Workday, BambooHR, HiBob, etc.) triggers lifecycle events. When a new hire is added in HR, the joiner flow starts. When a termination is processed, the leaver flow starts. Role changes trigger mover flows.
Role-based access profiles
Define what access each role requires. A Developer profile includes: Developer security group, development licenses, DevOps application access. A Finance profile includes different groups and applications. Automation assigns the right profile at the right time.
Workflow engine
Handles the sequencing of provisioning and deprovisioning actions, retries on failure, and logs everything. In Entra ID terms, this is where Microsoft Entra ID Governance Lifecycle Workflows (a separately licensed feature) or a dedicated IGA tool operate.
Audit trail
Every action logged with timestamps, action type, before/after state, and the trigger that caused it. This is what you show auditors when they ask about your JML controls.
Common JML failure points
These are the patterns that generate compliance findings and security incidents:
- HR and IT systems not connected — joiner events triggered by email rather than system integration
- Mover events not handled — access from old roles accumulates over years
- Leaver process stops at account disable — group memberships and application assignments remain
- Different admins following different processes — inconsistent results
- No documented deprovisioning evidence — can't demonstrate to auditors that the process was followed
- Contractor and agency worker accounts not covered by the same process
- Service accounts and shared accounts not included in the governance scope
JML and compliance requirements
The joiner-mover-leaver process maps directly onto controls in the major compliance frameworks:
SOC 2
CC6.2 (paraphrased) — Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users, and removes credentials when access is no longer authorized. CC6.3 (paraphrased) — The entity authorizes, modifies, or removes access based on roles, responsibilities, and changes to them, with regard to least privilege and segregation of duties.
ISO 27001
In the 2013 edition: A.9.2.1 (User registration and deregistration), A.9.2.2 (User access provisioning), A.9.2.6 (Removal or adjustment of access rights). ISO/IEC 27001:2022 consolidates these into A.5.16 (Identity management) and A.5.18 (Access rights). All require documented, consistent, auditable processes.
NIS2
Article 21(2)(i) requires human resources security, access control policies and asset management. Consistent JML processes are the operational implementation of the access control policy.
Frequently asked questions
What is the joiner-mover-leaver process?
Joiner-mover-leaver (JML) is the identity lifecycle management framework that describes how user access changes across three key events: when someone joins an organization (joiner), when they change roles or departments (mover), and when they leave (leaver). A good JML process ensures access is always appropriate and promptly updated.
How do you automate JML in Microsoft Entra ID?
Automation requires connecting HR data to Entra ID lifecycle events. At minimum, you need an HR integration that triggers provisioning on join events and deprovisioning on leave events. For movers, you need role-change detection that removes old access and grants new access. Native Entra ID lifecycle workflows handle basic scenarios; a dedicated IGA tool handles the full complexity.
What is the biggest risk in the leaver process?
Orphaned accounts — former employee accounts that are disabled but not fully deprovisioned, leaving group memberships, shared mailbox access, delegated permissions, and application assignments active. These create security risk and compliance gaps that auditors will find.
How quickly should access be removed when someone leaves?
Best practice is same-day or next-business-day for standard users, and immediate for privileged accounts; for involuntary terminations, access should be cut at or before the moment the person is notified. For compliance frameworks like SOC 2 and ISO 27001, you need to demonstrate that your process consistently meets your defined timeframe, whatever that is.
Does Adcyma handle the joiner-mover-leaver process?
Yes. Adcyma automates the full JML lifecycle for Entra ID and Active Directory. Connect to your HR system, define role-based access profiles, and lifecycle events run automatically. Every action is logged for compliance purposes.