Sync identities from Rippling to Microsoft Entra ID

Today, we’re thrilled to announce that customers using Rippling HCM can now automatically provision users to on-premises Active Directory and then synchronize them to Microsoft Entra ID as hybrid identities.  

Microsoft Entra ID and on-premises Active Directory are core components of every customer’s hybrid IT environment. To ensure the right people have access to the right resources at the right time, it’s crucial that consistent and accurate HR user profile, job profile and employment status is always available in Microsoft Entra ID. Earlier this year, we delivered API-driven user provisioning that enables HR ISVs, system integrators, and IT teams to connect any system of record with Entra ID. Rippling collaborated with Microsoft to build a native integration that enables secure and automated flow of HR user data to on-premises Active Directory. Customers can use Microsoft Entra Connect Sync or Cloud Sync to synchronize these users from on-premises Active Directory to Microsoft Entra ID.  

Sync users and automate Joiner-Mover-Leaver processes 

Once user data from Rippling is synchronized to Microsoft Entra ID, organizations can leverage robust capabilities of Microsoft Entra ID Governance to automate the Joiner-Mover-Leaver processes, which are critical for maintaining up-to-date access controls and reducing the risk of unauthorized access. 

• When a new employee is onboarded in Rippling, the user’s personal and job data automatically flow into Microsoft Entra ID through this integration. You can now configure joiner Lifecycle Workflows and Entitlement Management policies to automatically provision necessary access based on the user’s role. For example, you can grant a new marketing associate birthright access to the marketing team's SharePoint site, relevant CRM tools, and communication channels in Microsoft Teams. New hires can be productive from day one without any delays in access. 

• When there are changes to an employee profile (e.g., name change, or business title change or department change) in Rippling, these changes automatically flow downstream into on-premises Active Directory and then to Microsoft Entra ID. You can configure mover Lifecycle Workflows to trigger business processes associated with the move. For example, if a sales representative moves to the product management team, you can revoke their access to sales applications and grant them access to product management applications. This helps maintain least privileged access and employees avoid accumulating unneeded access over time. 

• When an employee is terminated in Rippling, the termination details automatically show up in Microsoft Entra ID. You can configure leaver Lifecycle Workflows to automate offboarding tasks. For example, if an IT administrator resigns, you can immediately revoke their access to sensitive systems and data, reducing the risk of unauthorized access or data breaches. This automated deprovisioning process helps protect the organization's assets and enables compliance with security policies. 

With this deep provisioning integration between Rippling and Microsoft Entra ID Governance, our mutual customers worldwide can confidently automate access to applications in their hybrid IT environments and enforce robust identity governance policies, enhancing their security and compliance postures. 

“With this integration between Rippling and Microsoft, IT teams managing hybrid environments will be able to seamlessly keep their HR and IT sources of truth in sync and automate account provisioning across the user lifecycle. This reduces the manual burden for IT administrators and fills in potential security gaps associated with onboarding and offboarding.”  - Anique Drumright, VP of Product, Rippling IT 

Getting started with the integration 

Prerequisites  

• To configure this integration with Rippling, you’ll need a Microsoft Entra ID Premium P1 or P2 license for the integration to create an API-driven provisioning app in your tenant (or a license that includes P1/P2, such as Microsoft 365 E3/E5). 

• To configure provisioning to on-premises Active Directory, you’ll need to install and configure the Microsoft Entra Connect provisioning agent.  

• To configure Microsoft Entra features like Lifecycle Workflows and Entitlement Management, you’ll need the Microsoft Entra ID Governance add-on license (or a license that includes it, such as the Microsoft Entra Suite).  

Selecting the integration to configure 

In the Rippling App Shop, there are two apps: 

• Microsoft Entra ID/Active Directory – Configure this application if you have a hybrid setup and need to provision hybrid users to on-premises Active Directory, who will eventually be synchronized to Microsoft Entra ID.   

• Microsoft Entra ID – Configure this application to provision cloud-only users to Microsoft Entra ID.  

Configuring the integration 

Here are the high-level steps for configuring the app integration Microsoft Entra ID/Active Directory:  

Note: The steps and screenshots listed below depict experiences built in the Rippling app and highlight the depth and flexibility of the integration.   

• Step 1 – Establish connection: In this step, the IT admin provides consent to Rippling to create an API-driven provisioning app in their Microsoft Entra ID tenant. The IT admin also provides details of the Active Directory domain and OU container to use for new user creations.  

• Step 2 – Configure attribute mapping: The app integration has a default mapping of Rippling user fields to Active Directory attributes. The IT admin can customize this attribute mapping and select which user fields from Rippling flow downstream to on-premises Active Directory. To use Microsoft Entra ID Governance Lifecycle Workflows with this integration, ensure that the fields “user start date” and “termination date” are present in the attribute mapping.  

• Step 3 – Test account provisioning: In this step, the IT admin can test the attribute mapping and verify account creation / update using a test user profile.  

• Step 4 – Configure account access rules: In this step, the IT admin configures account provisioning rules for Active Directory. Using the options in this step, the IT admin can enforce business policies around account creation and revocation.  

• Step 5 – Monitor provisioning: In this step, the IT admin can monitor the actions performed by Rippling and review the API calls from the “Action history” tab. The data shown here corresponds to information retrieved from Microsoft Entra ID provisioning logs.  

Using the above steps, once employee data from Rippling is available in Microsoft Entra ID, the IT admin can configure Microsoft Entra ID Governance Lifecycle Workflows to automate the Joiner-Mover-Leaver business processes.  

Give it a try 

We’re excited about this new integration with Rippling, and we'd love for you to try it out!   

Let us know what you think in the comments below. You can also post your feedback or suggestions for new capabilities that you would like to see in our feedback forum. 

Manmeet Bawa, Partner Director of Product Management 

Read more on this topic  

• Rippling HCM
• Configuring Microsoft Entra ID Governance Lifecycle Workflows  
• Understanding API-driven inbound provisioning  

Learn more about Microsoft Entra  

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds. 

• ⁠Microsoft Entra News and Insights | Microsoft Security Blog  
• ⁠⁠Microsoft Entra blog | Tech Community  
• ⁠Microsoft Entra documentation | Microsoft Learn 
• Microsoft Entra discussions | Microsoft Community