title: Lifecycle Management
category: Policies
tags: lifecycle, remediation, violations, automation, offboarding, onboarding
priority: Normal
Lifecycle Management
IdentityCenter's lifecycle management automates the actions that keep your identity environment secure and compliant. When policies detect issues, lifecycle actions automatically respond — disabling stale accounts, notifying managers, creating tickets, and more.
What is Lifecycle Management?
Lifecycle management covers the full journey of an identity in your organization:
| Phase | What Happens | IdentityCenter Actions |
|---|---|---|
| Onboarding | New employee joins | Detect new AD account, create Person record, link to org chart |
| Active | Day-to-day operations | Monitor access, track group changes, evaluate policy compliance |
| Role Change | Promotion, transfer, or team change | Detect department/title changes, flag access for re-review |
| Leave | Extended absence | Detect account inactivity, alert manager |
| Offboarding | Employee departs | Detect disabled/deleted account, flag orphaned access, trigger cleanup |
How It Works
Lifecycle management is driven by three components working together:
- Policies — Define the rules (e.g., "accounts inactive for 90 days are a violation")
- Violation Detection — Policies are evaluated on a schedule and generate violations when rules are broken
- Remediation Actions — Violations trigger automated responses
Violation Detection
When a policy evaluation finds objects that break the rules, violations are created:
Violation Severity Levels
| Severity | Meaning | Example |
|---|---|---|
| Low | Informational — review when convenient | Account description is empty |
| Medium | Should be addressed soon | User hasn't logged in for 60 days |
| High | Action required | Admin account with password never expires |
| Critical | Immediate action needed | Orphaned admin account with active access |
Viewing Violations
Navigate to Policies > Violations to see all detected issues:
- Filter by severity, policy, status, or date
- Sort by newest, oldest, or highest severity
- Click any violation to see full details and take action
Remediation Actions
When a violation is detected, IdentityCenter can automatically take action. Available remediation actions include:
Automated Actions
| Action | What It Does | When to Use |
|---|---|---|
| Log Only | Records the violation for review | Low-severity informational findings |
| Send Alert | Emails the user's manager or a designated contact | Medium-severity issues needing human review |
| Create Ticket | Opens a support ticket for tracking | Issues that need a tracked resolution process |
| Disable Account | Disables the AD account immediately | Critical violations (e.g., terminated employee still active) |
| Flag for Review | Adds the user to the next access review cycle | Access-related violations needing manager decision |
| Remove from Group | Removes the user from a specific AD group | Unauthorized group membership violations |
Configuring Remediation
When creating or editing a policy:
- Navigate to Policies > [Your Policy] > Edit
- Scroll to the Actions section
- Choose which action to take when a violation is detected
- Configure action-specific settings (e.g., who receives the alert email)
- Save the policy
Tip: Start with "Log Only" or "Send Alert" for new policies. Review the violations that get generated before enabling more aggressive actions like account disabling.
Common Lifecycle Scenarios
Stale Account Cleanup
Goal: Find and disable accounts that haven't been used in 90+ days.
- Create a policy with the condition: "Last logon is more than 90 days ago"
- Set severity to High
- Set action to Send Alert to the user's manager
- After confirming the alerts are accurate, upgrade to Disable Account
Orphaned Account Detection
Goal: Find AD accounts that exist for people who are no longer in the organization.
- Create a policy with the condition: "Account is active but Person status is Terminated"
- Set severity to Critical
- Set action to Disable Account + Send Alert to IT security
Password Policy Enforcement
Goal: Find accounts with "Password Never Expires" that shouldn't have it.
- Create a policy targeting accounts with the `DONT_EXPIRE_PASSWORD` flag
- Exclude service accounts and gMSAs from the policy scope
- Set action to Flag for Review so it appears in the next access review
Privileged Access Monitoring
Goal: Alert when new members are added to privileged groups.
- Create a policy targeting members of Domain Admins, Enterprise Admins, Schema Admins
- Set severity to Critical
- Set action to Send Alert to the security team immediately
Manager Change Notification
Goal: Trigger an access review when someone changes managers (new manager should review their access).
- Create a policy detecting changes to the `manager` attribute
- Set action to Flag for Review for the new manager to certify existing access
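The stale-account, orphaned-account and password-never-expires scenarios above, worked as a small policy evaluator. This is an added example, not IdentityCenter's own code: the `Account`, `Policy` and `Violation` types and the sample accounts are constructed for illustration, and `DONT_EXPIRE_PASSWORD` is the standard userAccountControl bit value.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable

DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit for "password never expires"
NOW = datetime(2024, 6, 1)      # fixed clock so the run is deterministic

@dataclass
class Account:            # constructed AD account joined with its linked Person record
    name: str
    enabled: bool
    last_logon: datetime
    person_status: str    # "Active" or "Terminated" on the Person record
    uac: int = 0          # userAccountControl flags
    is_service: bool = False  # service account or gMSA

@dataclass
class Policy:
    name: str
    severity: str
    condition: Callable[[Account], bool]  # the rule; true means the account is in violation
    actions: tuple                        # remediation actions to trigger
    in_scope: Callable[[Account], bool] = lambda a: True  # scope filter (e.g. exclude service accounts)

Violation = namedtuple("Violation", "policy account severity actions")

# The stale-account, orphaned-account and password-never-expires scenarios as policies.
POLICIES = [
    Policy("Stale Account", "High", lambda a: a.enabled and NOW - a.last_logon > timedelta(days=90),
           ("Send Alert",), in_scope=lambda a: not a.is_service),
    Policy("Orphaned Account", "Critical", lambda a: a.enabled and a.person_status == "Terminated",
           ("Disable Account", "Send Alert")),
    Policy("Password Never Expires", "High", lambda a: bool(a.uac & DONT_EXPIRE_PASSWORD),
           ("Flag for Review",), in_scope=lambda a: not a.is_service),
]

def evaluate(policies, accounts):
    """One scheduled evaluation pass: each in-scope account that breaks a rule yields a violation."""
    return [Violation(p.name, a.name, p.severity, p.actions)
            for p in policies for a in accounts if p.in_scope(a) and p.condition(a)]

# Constructed sample: a stale user, a terminated user still enabled, an out-of-scope gMSA, an admin.
ACCOUNTS = [
    Account("jdoe", True, NOW - timedelta(days=120), "Active"),
    Account("asmith", True, NOW - timedelta(days=5), "Terminated"),
    Account("svc-backup", True, NOW - timedelta(days=400), "Active", uac=DONT_EXPIRE_PASSWORD, is_service=True),
    Account("badmin", True, NOW - timedelta(days=2), "Active", uac=DONT_EXPIRE_PASSWORD),
]
```

Running `evaluate(POLICIES, ACCOUNTS)` yields three violations; the gMSA produces none because the scope filter excludes it from both login-based and password policies.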
Violation Lifecycle
Each violation moves through a workflow:
```text
Detected → Under Review → Action Taken → Resolved
                 ↓
              Accepted (risk acknowledged)
```
| Status | Meaning |
|---|---|
| Open | Newly detected, needs attention |
| Under Review | Someone is investigating |
| Action Taken | Remediation was performed (automated or manual) |
| Resolved | The violation no longer exists (object was fixed) |
| Accepted | Risk accepted — the violation is acknowledged but intentional |
Resolving Violations
Violations are automatically resolved when:
- The account is disabled (for "account active" violations)
- The policy condition is no longer true (e.g., user logged in recently)
- An admin manually marks it as resolved or accepted
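The violation workflow and the automatic resolution rules above, as an added example that is not IdentityCenter's own code. The transition table, the `Violation` type and the per-policy conditions are assumptions made for illustration; note that disabling an account only closes "account active" violations, not a password-flag finding.

```python
from dataclasses import dataclass

# Allowed manual status changes; anything not listed is rejected.
TRANSITIONS = {
    "Open": {"Under Review", "Action Taken", "Resolved", "Accepted"},
    "Under Review": {"Action Taken", "Resolved", "Accepted"},
    "Action Taken": {"Resolved"},
    "Accepted": set(),   # terminal: a reappearing issue gets a new violation
    "Resolved": set(),
}

@dataclass
class Violation:
    policy: str
    account: str
    status: str = "Open"
    comment: str = ""

def transition(v, new_status, comment=""):
    """Manual status change by an admin; rejects moves the workflow does not allow."""
    if new_status not in TRANSITIONS[v.status]:
        raise ValueError(f"{v.status} -> {new_status} is not a valid transition")
    if new_status == "Accepted" and not comment:
        raise ValueError("Accepting a violation requires a comment explaining why")
    v.status = new_status
    if comment:
        v.comment = comment
    return v

# Assumed policy conditions keyed by policy name, evaluated on the object's current state (a dict).
CONDITIONS = {
    "Stale Account": lambda o: o["enabled"] and o["days_since_logon"] > 90,
    "Orphaned Account": lambda o: o["enabled"] and o["person_status"] == "Terminated",
    "Password Never Expires": lambda o: o["pw_never_expires"],
}
REQUIRES_ACTIVE = {"Stale Account", "Orphaned Account"}  # "account active" violations

def auto_resolve(violations, objects):
    """Scheduled re-check: close violations whose account was disabled (for account-active
    policies) or whose condition is no longer true. Accepted and Resolved entries are left alone."""
    for v in violations:
        if v.status in ("Resolved", "Accepted"):
            continue
        obj = objects[v.account]
        disabled_and_active_policy = v.policy in REQUIRES_ACTIVE and not obj["enabled"]
        if disabled_and_active_policy or not CONDITIONS[v.policy](obj):
            v.status = "Resolved"
    return violations
```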
Best Practices
- Start conservative — Use "Log Only" or "Send Alert" before enabling automated actions
- Review violations weekly — Don't let violations pile up unaddressed
- Exclude service accounts — gMSAs and service accounts often trigger false positives for login-based policies
- Use escalation — If a manager doesn't respond to an alert within a week, escalate to their manager
- Document risk acceptances — When accepting a violation, add a comment explaining why
- Combine with access reviews — Policies catch ongoing issues; access reviews provide periodic comprehensive checks
Next Steps
- Creating Policies — Define your compliance rules
- Policies Overview — Understand the policy framework
- Access Reviews — Periodic access certification
- Object Write-Back — How account disabling works