
Configure Lifecycle Workflows for Sponsor Mover/Leaver Scenarios

Implementation Effort: Medium – Requires configuring lifecycle workflow templates in Microsoft Entra ID Governance and integrating them with the organization's existing joiner/mover/leaver processes.
User Impact: Low – Sponsors and managers receive automated notifications; no runtime impact on agents or end users.

Overview

When a sponsor of an agent identity moves to a different role or leaves the organization, accountability for that agent must transfer without interruption. Microsoft Entra ID Governance lifecycle workflows automate this by notifying managers and cosponsors when sponsorship changes are imminent. Without these workflows, a departing sponsor's agent identities silently transfer to their manager through automatic succession — but no one is alerted that the transfer occurred. The agent continues to operate with whatever permissions it had, and no human actively knows they are now responsible for its lifecycle and access decisions.

This activity supports Verify explicitly by ensuring that every sponsorship change triggers an explicit notification and human acknowledgment, rather than relying on silent automatic transfers that no one monitors. It supports Use least privilege access because a notified incoming sponsor can immediately review whether the agent's current access packages are still justified — and revoke what is no longer needed. It supports Assume breach by eliminating gaps in human oversight during sponsor transitions; if an agent identity is compromised during a sponsorship handoff, the notifications ensure someone is actively watching. If lifecycle workflows are not configured, sponsor departures create orphaned accountability — the system transfers sponsorship, but no human is alerted, and agents continue operating without active governance.
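
The following Python is an added illustration, not Microsoft's code or the Entra lifecycle-workflow engine: it models the manager succession, sponsor notification and access-package review described above, plus an audit for agents whose accountability has become orphaned. The user and agent records are constructed, and the per-sponsor acknowledgment set is an assumed convention for recording that a human has accepted responsibility.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class User:
    upn: str
    manager: str | None      # UPN of the manager, None at the top of the chain
    active: bool = True      # False once the leaver process has disabled the account

@dataclass
class Agent:
    app_id: str
    sponsors: list[str]      # sponsor UPNs; index 0 is the primary sponsor
    access_packages: list[str]
    acknowledged_by: set[str] = field(default_factory=set)  # assumed: sponsors who confirmed ownership

def successor(upn: str | None, users: dict[str, User]) -> str | None:
    """Automatic succession: walk the manager chain to the first active user."""
    seen: set[str] = set()
    while upn and upn not in seen and upn in users:
        seen.add(upn)
        if users[upn].active:
            return upn
        upn = users[upn].manager
    return None  # no active manager left in the chain

def sponsor_leaver_workflow(leaver: str, agents: list[Agent], users: dict[str, User]) -> list[dict]:
    """Leaver workflow: move sponsorship to the successor and notify every remaining sponsor,
    listing the agent's access packages so the incoming sponsor can review and revoke."""
    notifications = []
    for agent in agents:
        if leaver not in agent.sponsors:
            continue
        new_sponsor = successor(users[leaver].manager, users)
        agent.sponsors = [s for s in agent.sponsors if s != leaver]
        if new_sponsor and new_sponsor not in agent.sponsors:
            agent.sponsors.insert(0, new_sponsor)
        agent.acknowledged_by.discard(leaver)  # the leaver's acknowledgment no longer counts
        notifications.append({"agent": agent.app_id, "notify": list(agent.sponsors),
                              "review": list(agent.access_packages)})
    return notifications

def orphaned_agents(agents: list[Agent], users: dict[str, User]) -> list[str]:
    """Audit: agents with no active sponsor who has acknowledged responsibility."""
    return [a.app_id for a in agents
            if not any(users[s].active and s in a.acknowledged_by for s in a.sponsors)]

def build_sample() -> tuple[dict[str, User], list[Agent]]:
    """Constructed directory: alice reports to bob, bob to carol; dana co-sponsors agent-1."""
    users = {u.upn: u for u in (User("alice", "bob"), User("bob", "carol"),
                                User("carol", None), User("dana", "carol"))}
    agents = [Agent("agent-1", ["alice", "dana"], ["ap-crm-read"], {"alice", "dana"}),
              Agent("agent-2", ["alice"], ["ap-finance-write", "ap-mail-send"], {"alice"})]
    return users, agents
```

Running the leaver workflow for alice moves both agents to bob; agent-1 keeps an acknowledged active sponsor (dana), while agent-2 stays orphaned until bob acknowledges the notification.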

Reference