Automating starter and leaver workflows in Microsoft 365
Ask most small businesses how they onboard a new starter and the answer is usually the same: someone remembers to copy the previous starter's setup, tick a few boxes, and hope nothing's missed. Leavers are worse — often it's a Friday-afternoon scramble triggered by a Slack message.
The good news is you don't need enterprise identity software to fix this. Microsoft 365 already has most of what you need. Set it up once and starter and leaver workflows become almost invisible.
Start with groups, not individuals
The single biggest change you can make is to stop assigning permissions to individuals and start assigning them to groups.
Create a small set of security groups in Entra ID (formerly Azure AD) that reflect how your business actually works:
- By department (Sales, Finance, Operations)
- By role (Manager, Team member)
- By tool (CRM users, Design tool users)
- By location, if relevant
Assign SharePoint sites, Teams channels, shared mailboxes and third-party app access to those groups — never to individual users.
Now, onboarding a new starter is a matter of adding them to the right groups. Offboarding is removing them. That's it.
Use group-based licensing
Microsoft 365 lets you assign licences to a group rather than a user. Combine this with your role or department groups and licensing takes care of itself:
- Add a new starter to "Sales Team" — they get a Business Standard licence automatically
- Remove a leaver from the group — the licence is freed up for reuse
No more chasing which licence someone had, no more paying for accounts nobody uses.
Standardise with dynamic groups (if you have Entra ID P1)
If your plan includes Entra ID P1 (part of Microsoft 365 Business Premium), dynamic groups take this further. Membership is set by rules against user attributes — for example, "everyone whose department is Sales" — so groups update themselves as HR data changes.
Set it up once, and starter and leaver access becomes a side effect of updating a single field.
Lock things down with conditional access
Conditional Access is the layer that turns "the account works" into "the account works safely." A sensible baseline for small businesses:
- Require MFA for all users, all the time
- Block sign-in from countries you don't operate in
- Require a compliant, managed device for access to company data
- Force reauthentication when risk is detected
Apply these policies to groups (naturally), so any new starter is protected from the moment they're added.
Build a repeatable leaver runbook
Even with automation, a leaver still needs a defined sequence. Keep it short and consistent:
- Block sign-in on the account
- Revoke all active sessions and refresh tokens
- Reset the password
- Remove from all groups (this cascades permissions and licences)
- Convert mailbox to shared
- Reassign OneDrive to the manager
- Wipe the device via Intune
- Record what was done and when
Because almost every step is a group removal or a one-click Microsoft 365 action, the whole thing takes minutes rather than an afternoon.
Where automation fits
For most small businesses, you don't need Power Automate flows or third-party identity tools to get most of the value. The wins come from:
- Group-based access and licensing
- Conditional Access as a safety net
- A consistent, documented leaver runbook
Add Power Automate later if you want to trigger the runbook from an HR form, or to notify managers when an account is offboarded. It's a nice-to-have, not a starting point.
The short version
Automating starter and leaver workflows in Microsoft 365 isn't about buying more software — it's about using what you already have properly. Groups do most of the heavy lifting; Conditional Access keeps it safe; a written runbook keeps it consistent.
If you'd rather have this set up and maintained for you, starter and leaver management is included with Dynamiti One — group-based access, Conditional Access baseline and a documented leaver process, all handled as part of the service.
Start with the leaver flow
Counter intuitively, the leaver flow is usually the easier one to automate first. It has fewer moving parts, the steps are more predictable, and the security benefit is immediate. Once that is running smoothly, the starter flow is a natural next step.
Keep HR as the source of truth
Automation only works if there is one clear system that says who works here and in what role. For most small businesses that is the HR system or a simple shared list. Whatever it is, agree that it is the source of truth and build every workflow to trust it.
Log everything
Automated workflows should leave a clear audit trail. Who was created, when, by which process, with which licences and group memberships. The same for leavers. That log is invaluable for security reviews, insurance questions, and the occasional awkward disagreement about who had access to what.
Review the flow every quarter
Microsoft 365 changes, your business changes, and your workflows should change with them. A short quarterly review to check that the automations still match how the business actually works will keep the process reliable for years.