title: Joiner Templates - Onboarding Automation
category: Lifecycle Management
tags: joiner, onboarding, new-hire, automation, templates
priority: Normal
Joiner Templates - Onboarding Automation
Joiner templates define the automated provisioning workflow that executes when a new identity enters your organization. By configuring a Joiner template, you ensure that every new hire, contractor, or vendor receives the correct accounts, group memberships, and notifications on day one -- without manual IT intervention.
What Joiner Templates Do
A Joiner template is an ordered sequence of actions that provisions a new identity. When triggered, the template:
- Creates the user's Active Directory account with standard attributes
- Assigns the user to default security and distribution groups
- Sets an initial password (or generates one according to policy)
- Configures the user's mailbox or email-enabled attributes
- Sends a welcome email to the new hire and their manager
Creating a Joiner Template
Navigate to Administration > Lifecycle Management (/admin/lifecycle) and select New Template. Choose Joiner as the template type.
Step 1: Template Details
| Field | Description | Example |
|---|---|---|
| Name | Descriptive name for the template | "Standard Employee Onboarding" |
| Description | Purpose and scope of the template | "Provisions AD account and default groups for full-time employees" |
| Priority | Execution priority when multiple templates match | Normal, High, Critical |
| Enabled | Whether the template is active | Yes |
Step 2: Trigger Configuration
Select how this Joiner template will be activated:
| Trigger Type | Configuration | Best For |
|---|---|---|
| Manual | No additional config needed | Ad-hoc onboarding, testing |
| HR Feed | Select HR import source, define matching criteria | Automated onboarding from HRIS |
| Schedule | Set cron expression or interval, define criteria filter | Batch processing of pending joiners |
HR Feed trigger example: When the HR Import detects a new employee record with a start date of today or earlier and no matching AD account exists, the Joiner template fires automatically.
Step 3: Target Criteria
Define which new identities this template applies to. Criteria can include:
- Department -- Match specific departments (e.g., "Engineering", "Sales")
- Employee Type -- Full-time, part-time, contractor, vendor
- Location -- Office or region code
- Job Title Pattern -- Regex or wildcard match on title
If a new identity matches multiple Joiner templates, the template with the highest priority executes. You can also configure templates to chain, allowing a base template to run first followed by department-specific templates.
Step 4: Define Actions
Add actions in the order they should execute. Each action has its own configuration:
CreateAccount
| Parameter | Description | Example |
|---|---|---|
| Target Connection | Which AD connection to create the account in | "Corporate AD" |
| Target OU | Organizational Unit for the new account | OU=NewUsers,DC=corp,DC=local |
| Username Format | Pattern for sAMAccountName generation | {FirstName}.{LastName} |
| UPN Format | Pattern for userPrincipalName | {FirstName}.{LastName}@corp.com |
| Display Name Format | Pattern for displayName | {LastName}, {FirstName} |
| Password Policy | How initial password is set | Generate random, use template |
| Account Enabled | Whether account is enabled immediately | Yes |
Tip: Username collision handling is automatic. If john.smith already exists, IdentityCenter will try john.smith2, john.smith3, and so on until a unique name is found.
AssignGroups
| Parameter | Description | Example |
|---|---|---|
| Static Groups | Groups assigned to every new user | "All Employees", "VPN Access" |
| Dynamic Groups | Groups assigned based on attribute values | Department = "Engineering" adds "Dev Tools Access" |
| Nested Group Support | Whether to resolve nested memberships | Yes |
Dynamic group assignment uses parameter templates to map attribute values to group names. For example:
Department = "Engineering" --> "Engineering Team", "GitHub Access", "Dev VPN"
Department = "Sales" --> "Sales Team", "CRM Access", "Sales VPN"
Department = "Finance" --> "Finance Team", "ERP Access", "Finance Reports"
SendEmail
| Parameter | Description | Example |
|---|---|---|
| Email Template | Which email template to use | "Welcome - New Employee" |
| Recipients | Who receives the notification | New hire, manager, IT helpdesk |
| Include Credentials | Whether to include initial login info | Yes (encrypted link) |
SetInitialPassword
| Parameter | Description | Example |
|---|---|---|
| Generation Method | How the password is created | Random, pattern-based |
| Complexity | Minimum password requirements | 16 chars, upper/lower/number/symbol |
| Must Change | Require password change at first login | Yes |
| Delivery Method | How password is communicated | Email to manager, secure link |
ConfigureMailbox
| Parameter | Description | Example |
|---|---|---|
| Mail-Enable | Set mail attribute on the AD account | Yes |
| Email Format | Pattern for primary email address | {FirstName}.{LastName}@corp.com |
| Alias Formats | Additional email aliases | {FirstInitial}{LastName}@corp.com |
Step 5: Error Handling
Configure how the template responds to action failures:
| Option | Behavior |
|---|---|
| Stop on Error | Halt execution if any action fails; mark event as Failed |
| Continue on Error | Log the error and proceed to the next action |
| Retry on Error | Retry the failed action up to N times before failing |
Recommendation: Use "Stop on Error" for critical actions like CreateAccount, and "Continue on Error" for non-critical actions like SendEmail.
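A sketch of the three error-handling options applied per action, added here as an illustration and not IdentityCenter's own code. The `Action` class, the `execute` function, the "Completed" and "CompletedWithErrors" status names, and the reading of "up to N times" as one initial attempt plus N retries are all assumptions.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class Action:
    name: str
    run: Callable[[], None]   # raises an exception on failure
    on_error: str = "stop"    # "stop", "continue" or "retry"
    max_retries: int = 0      # the N in "Retry on Error"


def execute(actions):
    """Run actions in order and return (status, log) for the lifecycle event."""
    log = []
    for action in actions:
        attempts = 1 + (action.max_retries if action.on_error == "retry" else 0)
        for attempt in range(1, attempts + 1):
            try:
                action.run()
            except Exception as exc:
                error = str(exc)
            else:
                log.append((action.name, "ok", attempt))
                break
        else:  # every attempt raised
            log.append((action.name, "failed: " + error, attempts))
            if action.on_error != "continue":
                return "Failed", log  # later actions never run
    clean = all(result == "ok" for _, result, _ in log)
    return ("Completed" if clean else "CompletedWithErrors"), log


def _fail(message):
    def run():
        raise RuntimeError(message)
    return run


if __name__ == "__main__":
    # Constructed run: the mail relay is down, the directory is fine.
    plan = [
        Action("CreateAccount", lambda: None, "stop"),
        Action("SendEmail", _fail("SMTP relay unreachable"), "continue"),
    ]
    print(execute(plan))
```

The log records the attempt count for every action, so a failure that was continued past still appears in the audit trail.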
Parameter Templates
Parameter templates let you dynamically configure action values based on the identity's attributes. They use a simple placeholder syntax:
| Placeholder | Source | Example Value |
|---|---|---|
| {FirstName} | HR record or identity field | "John" |
| {LastName} | HR record or identity field | "Smith" |
| {FirstInitial} | Derived from FirstName | "J" |
| {Department} | HR record or identity field | "Engineering" |
| {EmployeeID} | HR record | "EMP-10042" |
| {ManagerDN} | Resolved from manager field | CN=Jane Doe,OU=Users,DC=corp,DC=local |
| {Location} | HR record or identity field | "New York" |
| {StartDate} | HR record | "2026-03-01" |
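Placeholder values come from the HR feed, so a value substituted into a Target OU such as OU=Users,OU={Department},DC=corp,DC=local has to be escaped or a comma in a department name changes the DN's structure. The following added example (not IdentityCenter's code) renders the placeholder syntax above with RFC 4514 escaping for DN contexts, and mirrors the username collision tip under CreateAccount; the function names, the case-insensitive comparison and the truncation to the 20-character sAMAccountName limit are assumptions of this sketch.

```python
import re

_PLACEHOLDER = re.compile(r"\{(\w+)\}")
_DN_SPECIAL = set(',+"\\<>;')   # RFC 4514: must be escaped inside a DN value
SAM_MAX = 20                    # sAMAccountName length limit for user objects


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it stays a single RDN value."""
    out = []
    for i, ch in enumerate(value):
        edge = (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " ")
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL or edge:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def render(template: str, identity: dict, dn: bool = False) -> str:
    """Expand {Placeholder} tokens; pass dn=True when the result is a DN."""
    fields = dict(identity)
    fields.setdefault("FirstInitial", str(identity.get("FirstName", ""))[:1])

    def substitute(match):
        name = match.group(1)
        if name not in fields:
            raise KeyError(f"unknown placeholder {{{name}}}")
        value = str(fields[name])
        return escape_dn_value(value) if dn else value

    return _PLACEHOLDER.sub(substitute, template)


def unique_username(base: str, taken: set) -> str:
    """Try base, base2, base3, ... while staying within SAM_MAX characters."""
    taken_lower = {name.lower() for name in taken}  # AD name checks ignore case
    candidate, n = base[:SAM_MAX], 1
    while candidate.lower() in taken_lower:
        n += 1
        candidate = base[:SAM_MAX - len(str(n))] + str(n)
    return candidate


if __name__ == "__main__":
    hire = {"FirstName": "John", "LastName": "Smith", "Department": "Sales, EMEA"}  # constructed
    print(render("OU=Users,OU={Department},DC=corp,DC=local", hire, dn=True))
    print(unique_username(render("{FirstName}.{LastName}", hire).lower(), {"john.smith"}))
```

An unknown placeholder raises instead of rendering as an empty string, so a typo in a template fails the preview run rather than producing a malformed account name.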
Integration with HR Import
When connected to an HR system, Joiner templates can fire automatically:
- HR Import detects a new employee record (see HR Integration Overview)
- The import record includes StartDate, Department, Title, and Manager
- IdentityCenter evaluates all Joiner templates against the new record's attributes
- The matching template executes, provisioning the account before the employee's first day
- A lifecycle event is logged with full audit details
This integration ensures zero-touch onboarding for organizations with an authoritative HR source.
Example: Standard Employee Joiner Template
Template: Standard Employee Onboarding
Trigger: HR Feed (on new hire detection)
Criteria: EmployeeType = "Full-Time"
Actions:
1. CreateAccount
- Connection: Corporate AD
- OU: OU=Users,OU={Department},DC=corp,DC=local
- Username: {FirstInitial}{LastName}
- UPN: {FirstName}.{LastName}@corp.com
2. AssignGroups
- Static: "All Employees", "Company WiFi", "Building Access"
- Dynamic: Department-based group set
3. SetInitialPassword
- Method: Random (20 chars)
- Must Change: Yes
4. ConfigureMailbox
- Email: {FirstName}.{LastName}@corp.com
5. SendEmail
- Template: "Welcome - New Employee"
- To: Manager, IT Helpdesk
Best Practices
- Create department-specific templates rather than one monolithic template with complex conditional logic
- Test with a preview run before enabling HR Feed triggers
- Use unique username formats that minimize collision (e.g., {FirstName}.{LastName} over {FirstInitial}{LastName})
- Never send plaintext passwords -- use secure links or encrypted delivery
- Set "Must Change at First Login" for all initial passwords
- Log all actions for compliance and troubleshooting
Next Steps
- Mover Templates -- Handle transfers and role changes
- Leaver Templates -- Automate offboarding
- Lifecycle Events -- Monitor template execution
- HR Integration Overview -- Connect your HR source for automatic triggers
- Connections Overview -- Configure the target directory connection