Deterministic Joiner-Mover-Leaver (JML) Automation
Rules-driven JML state machines for Microsoft Entra ID, on-prem AD, and disconnected sources, without per-user licensing.
What is Deterministic Joiner-Mover-Leaver (JML) automation?
Deterministic Joiner-Mover-Leaver (JML) automation governs every account state change (joiner, mover, leaver, re-hire, suspension, secondary admin) through an explicit, auditable state machine. The same HR or directory inputs always produce the same downstream actions in Microsoft Entra ID, on-premises Active Directory, and every connected SaaS application. There is no PowerShell ambiguity, no script left to interpret, and no "ghost" behaviour at end-of-quarter.
Apporetum delivers JML automation on Microsoft Entra ID Free, P1, or P2, as part of a fixed monthly subscription that does not scale with seat count. Joiner-Mover-Leaver workflows do not have to live behind an additional per-user governance entitlement.
The full Joiner-Mover-Leaver lifecycle:
Joiner
New hires, contractors and B2B partners receive their Entra ID account, group memberships, and downstream access on day one, or not at all until pre-conditions are satisfied. Birthright access is policy, not a manual ticket.
Mover
Role, department, cost-centre, or manager changes trigger access gains and revocations atomically. Old entitlements do not linger; new entitlements are granted under the same guardrails.
Leaver
On termination or contract end, Apporetum disables accounts, revokes Entra group memberships, deprovisions SaaS access, and produces a full audit trail, within minutes, not next quarter.
Re-hire & Return from Leave
First-class transitions remember prior identity correlation, so accounts, group memberships, and entitlements are restored intentionally rather than rebuilt from scratch.
Contractor & Secondary Account
Contractor identities, secondary admin accounts, and service accounts run on their own JML state machines, each with its own timers, expiry, and approval rules.
Time-bound Access
Apporetum applies expiry timers to every entitlement granted by JML automation. Access does not accumulate beyond its useful life; renewals are explicit and approved.
Replace brittle PowerShell with a state machine your auditors can read.
Most Microsoft-shop JML implementations are a patchwork of PowerShell, Logic Apps, MIM rules-extensions, and Synapse pipelines that nobody remembers commissioning. Apporetum captures the same business rules as declarative, version-controlled state transitions: observable, auditable, and reversible. The same JML rules that fire in production can be replayed in a dry-run against historical HR data.
How Apporetum operates Joiner-Mover-Leaver automation
Every Apporetum JML transition is a function of the workforce record: hire date, manager, department, contract type, separation date. Where Microsoft Entra ID Governance offers entitlement management at a per-user cost, Apporetum delivers the full JML workflow under a flat-fee IAM subscription, with the deterministic audit story enterprise risk teams actually want.
Multi-HR Workforce Feeds
Consume from SAP SuccessFactors, Workday, payroll, contractor registers, and HRIS feeds. Workforce-person records are reconciled into a single golden record before JML actions fire.
Declarative State Transitions
Joiner, mover, leaver, suspend, re-hire, archive and delete are modelled as explicit transitions. Each carries a policy, optionally an approval, and a downstream action set.
Identity Correlation
Accounts across on-premises AD, Entra ID, multiple Entra tenants, LDAP, and ITSM are correlated to the workforce person so JML applies consistently across the estate.
Event-Driven Downstream Actions
JML transitions trigger Entra ID provisioning, group memberships, ITSM tickets, webhooks, and API calls, observable end-to-end.
Membership Timelines
Every state change and every entitlement decision is recorded on the identity's timeline: "who had access, when, and why" in a single audit query.
Guardrails on Every Transition
Combine JML with Apporetum's dynamic guardrails to enforce least privilege, segregation of duties, and contract-type rules before any access is granted.
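A minimal sketch of the declarative transitions and dry-run replay described above, added here as an illustration and not Apporetum's own rule format. The state names, action names and HR event fields are assumptions.

```python
import hashlib
import json

# Assumed transition table: (current_state, event) -> (next_state, actions).
# State and action names are illustrative, not a vendor schema.
TRANSITIONS = {
    ("absent", "joiner"): ("active", ["create_account", "grant_birthright"]),
    ("active", "mover"): ("active", ["revoke_old_role", "grant_new_role"]),
    ("active", "suspend"): ("suspended", ["block_sign_in"]),
    ("suspended", "rehire"): ("active", ["unblock_sign_in"]),
    ("active", "leaver"): ("disabled", ["disable_account", "revoke_groups"]),
    ("suspended", "leaver"): ("disabled", ["disable_account", "revoke_groups"]),
    ("disabled", "rehire"): ("active", ["enable_account", "grant_birthright"]),
    ("disabled", "archive"): ("archived", ["export_audit_trail"]),
    ("archived", "delete"): ("deleted", ["delete_account"]),
}


def replay(events):
    """Dry-run: fold HR events into a planned timeline without side effects."""
    state, timeline = {}, []
    # Sort on a total order so the feed's arrival order cannot change the result.
    for ev in sorted(events, key=lambda e: (e["date"], e["seq"])):
        current = state.get(ev["person"], "absent")
        rule = TRANSITIONS.get((current, ev["event"]))
        if rule is None:
            # Undefined transitions are recorded and rejected, never guessed.
            timeline.append({**ev, "from": current, "to": current,
                             "actions": [], "result": "rejected"})
            continue
        nxt, actions = rule
        state[ev["person"]] = nxt
        timeline.append({**ev, "from": current, "to": nxt,
                         "actions": actions, "result": "planned"})
    return state, timeline


def fingerprint(timeline):
    """Stable digest of a timeline, usable as replay evidence."""
    return hashlib.sha256(json.dumps(timeline, sort_keys=True).encode()).hexdigest()


# Constructed sample HR feed, deliberately out of order.
SAMPLE = [
    {"person": "p1", "event": "leaver", "date": "2024-06-30", "seq": 3},
    {"person": "p1", "event": "joiner", "date": "2024-01-08", "seq": 1},
    {"person": "p1", "event": "mover", "date": "2024-03-01", "seq": 2},
    {"person": "p2", "event": "mover", "date": "2024-02-01", "seq": 4},
]
```

Replaying the same feed in any arrival order yields the same fingerprint, and the mover event for a person who never joined appears on the timeline as rejected rather than being silently dropped or improvised.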
JML automation in Microsoft Entra, without per-user licensing
Microsoft Entra ID Governance unlocks Microsoft's built-in entitlement management and access reviews, but at a per-user monthly fee that scales linearly with workforce size. Apporetum delivers Joiner-Mover-Leaver automation, access requests, access reviews, and identity correlation on top of your existing Entra ID (Free, P1, or P2) under a fixed monthly subscription. Predictable cost regardless of seat growth.
What auditors want
- Evidence each JML transition fired under a documented rule
- Replay of a joiner / leaver event against the same inputs
- Time-bound access expiry with automatic revocation
- One identity timeline per workforce person, across systems
- ISO 27001 / SOC 2 / Essential Eight aligned audit logging
Run deterministic Joiner-Mover-Leaver automation on your existing Entra ID.
Apporetum delivers JML automation, identity correlation, and membership audit on top of your existing Microsoft Entra ID, without per-user governance licensing.