This article explains how to set up the Microsoft Entra ID integration with Personio. When connected, the Microsoft Entra ID integration facilitates your company's on- and offboarding processes by automatically synchronizing any changes in the employee's information in Personio (role or department changes, for example) with their matching user ID in Microsoft Entra ID. It automatically updates Microsoft Entra ID with up-to-date information from Personio to manage the different access rights or equipment given to employees.
The synchronization only works from Personio to Microsoft Entra ID. When you update information in Microsoft Entra ID, this information is not automatically synchronized in Personio.
Pre-requisites for a successful integration
Before beginning the integration process, ensure the following is in place:
- You have an admin role or editing rights for the Marketplace in Personio via Settings > People > Employee Roles > Access rights > Account configuration > Marketplace integration.
- You have Global Administrator, Cloud Application Administrator, or Application Administrator rights for Microsoft Entra ID.
- The Tray.io, Inc checkbox is activated via Settings > Support > Plan & Billing > Data Protection Information.
Connect and authenticate Microsoft Entra ID
Set up the Microsoft Entra ID integration directly in Personio's Marketplace with the Configuration Wizard. This requires you to find your Microsoft Entra ID tenant ID, which you then enter in Personio. Follow these steps:
- Go to Marketplace in Personio, then search for and select the Microsoft Entra ID integration.
- Click Connect to open the Configuration Wizard.
- Enter your tenant ID in the Microsoft Entra ID Tenant ID text box.
- Click Next to go to step two of the Configuration Wizard and Authenticate Microsoft Entra ID.
Authenticate Microsoft Entra ID
In step two of the Configuration Wizard, you need to authenticate Microsoft Entra ID from the Microsoft account that’s associated with Microsoft Entra ID.
- Follow the steps outlined in the Configuration Wizard.
- Click Authenticate Microsoft Entra ID (formerly Azure Active Directory) to move to step three of the Configuration Wizard and Authenticate Personio.
Step three of the Configuration Wizard requires you to grant the Microsoft Entra ID integration access to the necessary Personio data. Follow these steps:
- Review the permissions that the Microsoft Entra ID integration requires.
- Click Next to continue to step four of the Configuration Wizard and Define UPN schema.
You can review the granted permissions after the setup process by going to Marketplace > See connected integrations. The button is in the top-right corner of the Marketplace page.
Define UPN schema
Choose the format for the User Principal Name (UPN) in which new logins will be created. This is generally the business email address, for example, "firstname.lastname@example.org".
In case an employee with the same values for the chosen attributes is added, Microsoft Entra ID creates a profile with the UPN schema UPNBeginning[Separator]UPNEnd_EmployeeID@domain (e.g. email@example.com).
- Create the UPN schema by choosing a UPN Beginning from available attributes (e.g. "First name") and define if the Entire field or only the First letter shall be used.
- Optional: Add a Separator (e.g. ".")
- Add a UPN End (e.g. "Last name")
- Select a Preferred Microsoft Entra ID Domain (e.g. "demo.com").
- Click Next to continue to step five of the Configuration Wizard and Map attributes.
If you prefer not to add a Separator and UPN End, enter None for both options and make sure you have additionally selected Entire field or First letter for the UPN End.
In step five of the Configuration Wizard, you can select which Microsoft Entra ID attributes should be synchronized, or aligned, with Personio. Follow these steps:
- Review all the attributes and ensure that each Personio attribute matches the corresponding Microsoft Entra ID attribute.
- Click Add new attribute to include more attributes.
- Click Finish.
The integration setup is complete.
You cannot map all of your attributes in Personio to Microsoft Entra ID custom attributes, but you can map all of your attributes in Personio to the following Microsoft Entra ID system attributes:
- Business Phones
- Company Name
- Country
- Department
- Employee Type
- Given Name
- Hire Date
- Job Title
- Mobile Phone
- Office Location
- Postal Code
- Street Address
On-, offboarding and role change workflows
Once the integration is set up, the user linking flow begins. It maps the UPN attribute in Entra ID to the Email address attribute in Personio.
- If the UPN attribute in Entra ID matches the email attribute in Personio, the integration adds the corresponding Personio employee ID to the employee ID attribute field in Entra ID.
- The employee ID becomes the connector that the integration considers in all future user updating and user deprovisioning workflows.
- Profiles that do not have a matching Personio email address attribute and are not "Inactive" in Entra ID will be provisioned.
The integration does not link any inactive Microsoft Entra ID profiles.
If an employee's Email attribute in Personio doesn't match a UPN attribute in your Microsoft Entra ID account, the integration creates a new user profile in Microsoft Entra ID. Personio then transfers the employee ID to the respective profile, triggers the default password creation process, and creates the UPN in Microsoft Entra ID.
The created UPN must be used as the user login in Microsoft Entra ID. You can create the UPN schema according to your needs.
To create a profile in Microsoft Entra ID, the employee profile in Personio must:
- have the First name, Last name, and Email fields filled.
- not have a termination date.
- not have an "Inactive" status.
Umlauts in names are transformed for the UPN in Microsoft Entra ID according to your billing country. For DACH region customers (for example, Germany), umlauts are transformed to their alternative spelling: ä → ae, ö → oe, ü → ue, ß → ss. For all other countries, umlauts are removed: for example, ä → a.
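The UPN schema and the umlaut rule above, combined into a sketch for previewing the logins a given schema would produce. This is an added example, not Personio's code. The field names, the DE/AT/CH country codes, the handling of capital umlauts, transliterating before taking the first letter, and the case-insensitive duplicate check are all assumptions.

```python
import unicodedata

# DACH transliteration as listed on this page (lowercase forms); the
# capitalised forms are an assumption of this sketch.
DACH_MAP = {"ä": "ae", "ö": "oe", "ü": "ue", "ß": "ss",
            "Ä": "Ae", "Ö": "Oe", "Ü": "Ue"}
DACH_COUNTRIES = {"DE", "AT", "CH"}  # assumed billing-country codes
# Constructed schema: First name (Entire field) + "." + Last name (Entire field)
SCHEMA = {"begin": "first_name", "begin_mode": "entire", "separator": ".",
          "end": "last_name", "end_mode": "entire"}


def transliterate(value, billing_country):
    """Apply the umlaut rule for the billing country to one name field."""
    if billing_country in DACH_COUNTRIES:
        return "".join(DACH_MAP.get(ch, ch) for ch in value)
    # Other countries: the umlaut is removed (ä -> a). The page does not say
    # what happens to ß outside DACH, so it is left unchanged here.
    return "".join(unicodedata.normalize("NFD", ch)[0] if ch in "äöüÄÖÜ" else ch
                   for ch in value)


def part(value, mode):
    """mode is 'entire' (Entire field) or 'first' (First letter)."""
    return value[:1] if mode == "first" else value


def build_upn(emp, schema, domain, billing_country, taken):
    """Return emp's UPN; append _EmployeeID when the plain UPN is taken.

    taken is a set of lowercased UPNs that already exist and is updated in place.
    """
    # Assumption: transliteration happens before the first letter is taken.
    local = part(transliterate(emp[schema["begin"]], billing_country),
                 schema["begin_mode"])
    local += schema.get("separator") or ""  # None means no separator
    if schema.get("end"):                   # None means no UPN End
        local += part(transliterate(emp[schema["end"]], billing_country),
                      schema["end_mode"])
    upn = f"{local}@{domain}"
    if upn.lower() in taken:  # assumed: duplicates compared case-insensitively
        upn = f"{local}_{emp['employee_id']}@{domain}"
    taken.add(upn.lower())
    return upn
```

Running a planned schema over an export of current employees before connecting shows which logins would collide and receive the _EmployeeID suffix.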
For this workflow to run successfully, the Employee ID must be entered in the Microsoft Entra ID profile.
Every 30 minutes, Microsoft Entra ID runs the user updating workflow to check if any attributes mapped during the setup process have changed in Personio. If an attribute changes, it automatically updates the mapped attribute in Microsoft Entra ID.
Microsoft Entra ID can use this information to grant or revoke access rights to specific tools. Changes are only transferred from Personio to Microsoft Entra ID. If you manually change an attribute in Microsoft Entra ID, this is not automatically updated in Personio.
One of the attributes a company mapped between Personio and Microsoft Entra ID was the "Department" system attribute. In this case, consider an employee moving departments from the Customer Support department to the Sales department. When the HR Manager makes this adjustment in Personio, Microsoft Entra ID automatically receives a notification of the change and revokes the employee's access rights to their customer support tool (for example, Zendesk), and grants them access to their CRM tool (for example, Salesforce).
Entra ID revokes an employee's access permission once their Status attribute changes to Inactive in Personio. You can manually change the Status attribute, or it will automatically change when an employee passes their termination date in Personio.
The employee can no longer log in to their accounts, but the user is not deleted. This helps you maintain access to their details and connected services like email inboxes.
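Because the employee ID is the connector for the updating and deprovisioning workflows, enabled Entra ID accounts without a usable employee ID fall outside them. The following audit is an added example, not part of the integration. It runs over constructed exports: userPrincipalName, employeeId and accountEnabled are Microsoft Graph user properties, while the Personio field names and the case-insensitive email comparison are assumptions.

```python
# Constructed sample exports; the Personio field names are assumptions.
PERSONIO = [
    {"employee_id": 101, "email": "anna.schmidt@demo.com", "status": "Active"},
    {"employee_id": 102, "email": "ben.kurz@demo.com", "status": "Inactive"},
    {"employee_id": 103, "email": "cara.lang@demo.com", "status": "Active"},
]
ENTRA = [
    {"userPrincipalName": "anna.schmidt@demo.com", "employeeId": "101", "accountEnabled": True},
    {"userPrincipalName": "ben.kurz@demo.com", "employeeId": "102", "accountEnabled": True},
    {"userPrincipalName": "Cara.Lang@demo.com", "employeeId": None, "accountEnabled": True},
    {"userPrincipalName": "svc-backup@demo.com", "employeeId": None, "accountEnabled": True},
    {"userPrincipalName": "old.hire@demo.com", "employeeId": "77", "accountEnabled": True},
    {"userPrincipalName": "dan.left@demo.com", "employeeId": None, "accountEnabled": False},
]


def audit_entra_accounts(personio_employees, entra_users):
    """Classify enabled Entra ID accounts against Personio; returns lists of UPNs.

    linkable      - no employeeId yet, but the UPN matches a Personio email
    unmanaged     - no employeeId and no matching Personio email
    orphaned      - employeeId set, but no such employee in Personio
    still_enabled - linked employee is Inactive in Personio, account still enabled
    """
    by_id = {str(e["employee_id"]): e for e in personio_employees}
    emails = {e["email"].lower() for e in personio_employees}
    findings = {"linkable": [], "unmanaged": [], "orphaned": [], "still_enabled": []}
    for user in entra_users:
        if not user.get("accountEnabled"):
            continue  # disabled accounts cannot sign in and are not linked
        upn = user["userPrincipalName"]
        emp_id = (user.get("employeeId") or "").strip()
        if not emp_id:
            key = "linkable" if upn.lower() in emails else "unmanaged"
            findings[key].append(upn)
        elif emp_id not in by_id:
            findings["orphaned"].append(upn)
        elif by_id[emp_id]["status"].lower() == "inactive":
            findings["still_enabled"].append(upn)
    return findings
```

Accounts reported as unmanaged or orphaned need an owner and a manual offboarding path, since no status change in Personio will reach them.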
Hybrid Microsoft Entra ID / on-prem AD setups
Personio only supports full cloud setups – no cloud/on-prem hybrid setups – which means the integration only allows the creation, update, and deactivation of users in Microsoft Entra ID.
Assigning users to groups
The integration only allows the creation of users. Users are not added to groups.
All attributes selected in the mapping table will be sent from Personio to Microsoft Entra ID – the integration does not currently support a sync from Microsoft Entra ID to Personio.
To find out more about automating your identity and access management by integrating it with Personio, read our Help Center article Identity and Access Management.