Source-available identity governance

Self-service Joiner, Mover, Leaver for everyone HR never sees.

Account Factory delegates routine identity lifecycle and dormant-account governance for the volunteers, trustees, contractors and service accounts your HR-driven provisioning was never built for – all in your own Entra tenant, with a clean, audited record of who did what. No per-seat licence. No vendor control plane.

Request access Read the spec
  • Runs in your own subscription
  • No per-seat fees
  • No phone-home
6
Purpose-built delegated roles, each backed by an Entra group
1command
From az login to a running instance
30days
Soft-delete holding period before hard-delete
0secrets
In source – all credentials come from Key Vault
100%
Of state changes audited – no silent mutations
The gap

The edge-case population is often the bigger one

A charity might have a few hundred payrolled staff and thousands of volunteers – yet it is exactly that population, the people HR never knew about, that automated provisioning does not cover. And plenty of organisations have no automated provisioning at all: HR API-driven and SCIM connectors are relatively advanced, so every account is still created by hand. Either way, volunteers, trustees, contractors, agency staff, shared and service accounts all become manual tickets.

Today

Everything routes through IT

  • JML is manual and ticket-driven. Every joiner, attribute change and leaver becomes a help-desk ticket. The business waits; IT context-switches; consistency suffers.
  • The people closest to the work can't self-serve. A coordinator knows exactly who is joining and leaving, but has no safe, scoped way to act on it – so it routes through IT anyway.
  • Dormant governance hits a licence wall. Manager confirmation for quiet accounts normally needs an Entra Identity Governance licence for every user – disproportionate for thousands of volunteers, so accounts go ungoverned.
  • The migration adds a deadline. Retiring AD and legacy Exchange means cleaning up and re-homing exactly these accounts – with no tool built for the job.
With Account Factory

Routine lifecycle, safely delegated

  • Push routine work out to business users. They create, modify and offboard their own people from locked profiles – IT sets the guardrails instead of doing the data entry.
  • Become the authoritative record. The app owns every account it creates or takes over, and writes only to accounts it manages – so the directory and the audit trail finally agree.
  • Dormant governance, no IG licence per user. Built-in manager confirmation chases quiet accounts, escalates, and offboards on a schedule – the feature you'd otherwise pay for per seat.
  • Built for the AD-to-Entra journey. Transitional tooling helps re-home accounts off on-prem AD and legacy Exchange, then switches itself off once migration is done.
Capabilities

Real identity infrastructure, scoped to its job

Locked-down profiles, least-privilege roles, and a tamper-evident audit trail – the guardrails travel with every action, so delegation never means losing control.

Delegated self-service lifecycle

No IT ticket for routine joiners, movers and leavers. Everyday account work goes to the people who actually know the person.

  • One-click Joiner: UPN computed and uniqueness-checked, manager mandatory, locked attributes enforced.
  • Mover edits only mutable fields; Leaver disables and soft-deletes, with a 30-day hard-delete worker.

Reusable profiles, immutable versions

Define the account shape once and apply it consistently. Editing a profile mints a new version; existing users keep theirs.

  • UPN domain and naming, attribute defaults, locked vs editable fields, group memberships, auth method.
  • Manager mandatory on every profile; locked fields can't be overridden by the delegate.

Six-role RBAC, per-profile scoping

Least privilege that matches how teams actually work. Nobody gets more power than their job needs.

  • Profile Administrators scoped per assignment – "Volunteers – London" vs "Volunteers – Manchester", enforced server-side.
  • Auditor is read-only oversight; Readiness Reviewer sees only the readiness pillar, isolated from user data.

Dormant governance, no IG licence

Continuous access review for low-touch populations, driven by the one person who actually knows whether an account is still needed: the manager.

  • Daily scan finds app-managed accounts inactive for 30 days; emails the manager a "still needed / no longer needed" link.
  • No reply in 14 days escalates to scoped admins; a further 14 days routes into the leaver flow. Every transition audited.
Headline differentiator

Tamper-evident audit, by design

Nothing mutates silently. Every create, modify, delete, take-over, TAP issue, config change and sign-in writes a structured row.

  • Captures actor, role, action, target, system written to, before / after state, result, and a correlation ID.
  • Admins and Auditors get CSV export; scoped roles see only their own actions and in-scope targets.

Passwordless onboarding

New joiners get a secure first sign-in with no shared password. Secrets are encrypted at rest and auto-purged on expiry.

  • Temporary Access Pass (8-hour, multi-use) via Graph – shown once, stored encrypted until expiry, then purged.
  • QR + PIN PDF labels (62 × 54 mm) for the help desk to hand out for Authenticator setup.

Onboarding, duplicate detection & bulk

Bring an existing estate under management safely, and stand up new cohorts in bulk without importing mess.

  • Take-over is a field-by-field decision with a live similar-account check; unclean data is never imported as-is.
  • Bulk CSV create defaults to a dry run and rolls back any row that fails partway, keeping the rest.

Transitional hybrid AD tooling

For adopters still running AD, extend the same lifecycle and audit model on-prem – then help turn that side off.

  • AD-authoritative JML over LDAPS into per-profile OUs; Exchange attribute stamping via the Management Shell.
  • AD-to-Entra migration engine with a 30-day rollback window; read-only directory readiness that never writes to a DC.
Transitional – behind the AD master switch, not yet verified on a live hybrid tenant

Runs entirely on your terms

Per-tenant deployment, runtime config, and update awareness – no redeploy to change a setting, no remote kill switch.

  • Runtime-editable settings (domains, naming, timings, retention, templates, AD switch) persisted with full audit.
  • Daily update check reads the upstream GitHub release and shows a banner – it never pulls or deploys anything.
How it works

The Joiner → Mover → Leaver lifecycle

What a delegated business user actually does, end to end – with every step running against a locked profile and written to the audit log.

01Joiner

Create from a profile in a few guided steps.

  • 1Pick a profile – it pre-fills fixed and locked fields, including the default identity provider.
  • 2Fill the editable fields – manager is mandatory and can never be left blank.
  • 3Live duplicate check surfaces possible matches as a non-blocking callout as you type.
  • 4The app computes a unique UPN across every domain, plus active and soft-deleted users.
  • 5Create in Entra, stamp managedBy = AccountFactory, assign groups, issue a TAP if passwordless.

02Mover

Modify in place, with identity preserved.

  • 6Change only the mutable attributes the profile allows.
  • 7UPN, object ID and mailbox are preserved across the change.
  • 8The app refuses on any account it does not own – the ownership marker is the gate.
  • 9Every field change is written to the audit log.

03Leaver

One action to offboard cleanly.

  • 10Remove from app-managed groups, disable, and soft-delete in a single action.
  • 11Optionally convert the mailbox to shared and hand it to the manager, freeing the licence.
  • 12A nightly worker hard-deletes 30 days after soft-delete, if still soft-deleted.
  • Every step audited under a correlation ID.
Governance loop

Dormant-account governance, with a human in the loop

A daily worker keeps owned accounts from lingering unused – manager confirmation without buying an identity-governance licence for every user.

30 + 14 + 14 days
day 0

Daily scan

Finds app-managed accounts inactive 30 days, skipping new, disabled, and excluded accounts.

notify

Email the manager

"Still needed" / "no longer needed" links via ACS. A positive reply resets the clock.

+14 days

Escalate to admins

No manager response routes to the scoped Profile Administrator(s) for that population.

+14 days

Auto-action

Still no response soft-disables the account and routes it into the leaver flow.

always

Audited & idempotent

Every email, response and timer transition is written to the audit log; the worker is safe to re-run.

The timeline (30 + 14 + 14 days) ships at the spec defaults and is configurable per deployment. A human stays in the loop at every step.
Security & data sovereignty

Your directory stays yours

The distribution and security model is built around one principle: the adopting organisation keeps full custody of its own directory, its own credentials, and its own infrastructure. There is no shared SaaS platform and no vendor-held control plane – deliberate, because a tool that creates and deletes identities should never be remotely disablable.

In one line: your tenant, your subscription, your app registration, your keys, your audit log - source you can read and fork, least-privilege permissions, secrets only in Key Vault, no shared SaaS, no vendor data custody, no phone-home, and an app that cannot deploy itself.

Own tenant, own subscription

Each org runs its own single-tenant instance with its own app registration, admin consent and audit trail. No shared multi-tenant hosting – it is explicitly out of scope.

Secrets only in Key Vault

No secrets in source, ever. The App Service authenticates via managed identity; certificates and credentials live in Key Vault, not the database. SQL TDE is on, with column-level encryption for TAPs, PINs and PDF bytes.

Writes only to owned accounts

The managedBy = AccountFactory marker gates every mutation. Mover and Leaver refuse to act on accounts the app does not own; reads stay unrestricted within scope.

Source-available & auditable

Read, audit and fork the code under a restrictive licence. A prospective adopter can even take time-limited read access to audit it first.

No external control plane

No developer-hosted licensing or update server. The app never phones home for permission to run and contains no remote kill switch.

Least privilege throughout

Scoped Graph permissions, each tied to a stated purpose, and a deliberately weak read-only identity for directory readiness – the weakest of the on-prem identities.

On risk & trust

A highly privileged tool – and built to be treated like one

Account Factory creates, modifies and deletes identities, and in hybrid mode it also holds an on-premises service account that can write to Active Directory and Exchange. That makes it a privileged, control-plane application, and it straddles two boundaries a security team is right to guard: the seam between on-premises AD and Entra ID, and the line between IT administration and the delegated business users it hands lifecycle actions to. We will not pretend otherwise – the design assumes the tool itself is a target.

Is a self-built identity plane an anti-pattern? It can be. The safest identity tooling is the tooling you do not build, and bridging the boundary between AD and Entra with custom code is exactly the sort of thing that deserves scrutiny. Where a vetted, certified product fits – Entra ID Governance, or HR-driven and SCIM provisioning – use it. But not every organisation has that: HR API-driven provisioning is advanced, and plenty of teams still create every account by hand. Account Factory serves that need directly, and where those products do exist it sits alongside them and covers the non-HR population they never reach – plus the transitional window while AD is still live. The honest recommendation is to scope it tightly, read the source before you trust it, and switch the hybrid half off the moment your migration allows.
How the design contains it

Blast radius stays inside your perimeter

It runs in your own tenant and subscription, so it adds no new external trust boundary and no third party with standing access to your directory. There is no vendor to breach in order to reach you.

It can only touch what it made

The managedBy = AccountFactory marker gates every write. Even a fully compromised instance cannot rewrite arbitrary objects or privileged groups it does not own – it is not a general directory-write oracle.

The hybrid seam is off by default

The AD and Exchange surface – the part that actually crosses the on-premises to cloud boundary – sits behind a single master switch, disabled for cloud-only adopters, and is transitional by design: built to shrink that boundary, then be switched off.

Separation of duties, enforced

Six least-privilege roles, scope evaluated server-side on every read, an Auditor with no write power and a Help Desk that cannot create. Delegation is bounded, never a blank cheque.

Standing privilege is observable

Every state change writes to a tamper-evident audit log the app cannot silently rewrite, and the privileged code path is readable and forkable – open to inspection, not a black box.

No remote hold over a privileged app

It cannot deploy itself, carries no kill switch and never phones home. Nobody outside your tenant, the developer included, can reach the privileged surface.

Do not take our word for it. The full attack surface – the architecture, the exact Graph and on-premises permissions and why each one is needed, the owned-writes gate, the audit schema and the AD master switch – is written down for you to review before you adopt. Read the specification.

For organisations still on AD – transitional

Retire AD and on-prem Exchange, then switch the tooling off

If you are mid-migration, Account Factory extends the same lifecycle and audit model onto the on-prem side, then helps you turn that side off. This entire surface sits behind a single AD master switch – cloud-only adopters simply leave it disabled.

Maturity note. The cloud-only, Entra-authoritative path is the fully shipped happy path. The hybrid AD / Exchange paths and the directory-readiness pillar are built behind the master switch but are not yet verified end to end against a live hybrid tenant – treat them as transitional capabilities for organisations still on AD, not as battle-tested. They cover AD-authoritative JML over LDAPS, on-prem Exchange attribute stamping via the Exchange Management Shell, an AD-to-Entra migration engine with a 30-day rollback window, and read-only directory readiness that never writes to a DC, GPO or registry.
Deployment

From nothing to a running instance, in one command

An interactive wizard stands up the whole instance against a single az login – idempotent, and it shows a plan and cost estimate before it provisions anything.

1

az login

Authenticate to your own Azure subscription and Entra tenant. Nothing org-specific ever leaves your environment.

2

npm run setup

Launch the interactive wizard. It creates the resource group, six role groups, the single-tenant app registration with API scope, group claims, Graph permissions and admin consent, plus a Key Vault-stored certificate and OIDC credentials for CI/CD.

3

Review the plan, then provision

The wizard shows a plan and cost estimate before it deploys the Bicep stack – App Service, Azure SQL (Free Limit), Key Vault and Communication Services – and is idempotent on re-run.

4

Push to main

Commit to your fork. GitHub Actions ships the app to App Service over OIDC; schema migrations run idempotently on startup.

5

The app can never redeploy itself

Updates always pass through your own pipeline and change control. The running app holds no rights to deploy.

Cost

Self-hosted. No per-seat fees.

You pay only your own Azure consumption. There is no licensing server and no usage metering by the developer.

Baseline running cost
£10 – 18 typically / month

On baseline SKUs using the Azure SQL Free Limit. The stack is mostly idle, so a B1 App Service plan and auto-pausing serverless SQL keep it cheap. The deployment wizard shows a cost estimate as part of the plan, before anything is provisioned.

  • One Windows App Service (B1)
  • Azure SQL on the Free Limit
  • Key Vault for all secrets
  • Azure Communication Services email
  • Application Insights
  • No per-seat SaaS billing
Request access

What drives the bill

Cloud-only baseline£10 – 18 / mo
Hybrid AD / Exchange (optional)+ £12 / mo
Developer licensing servernone
Usage meteringnone
Per-seat feesnone

The hybrid figure covers VNet integration, NSGs, private DNS and read-only DC access, and only applies if you turn on the transitional AD / Exchange path. Cloud-only adopters skip all of it.

Who it's for

Built for lean teams with large non-HR populations

Enterprise-credible, but human – it speaks to overstretched teams, not procurement committees. The people who own the tenant, and the organisations whose directory is full of people HR has never heard of – whether they run HR-driven provisioning that never reached those people, or have no automated provisioning at all.

Primary

IT and identity leads mid-migration

The people who own the tenant, run the AD-to-Entra project, and field every "can you create an account for our new volunteer?" ticket. They want the routine cases off their desk and a clean, audited record – without standing up a heavyweight IGA platform.

Tenant owners AD-to-Entra project leads Overstretched help desks
Equally

Charities and mission-driven bodies

Organisations whose "edge case" population is often bigger than the payrolled one – a charity with a few hundred frontline staff but thousands of volunteers. Cost-sensitive, lean IT, and wanting something they can read, audit and run themselves.

Volunteers & trustees Contractors & agency staff Service & shared accounts Guest & partner identities
FAQ

Questions a security-conscious lead asks

Honest over hyped – what it does, and what it deliberately does not.

Where does our data live?
Entirely in your own Azure subscription and Entra tenant. The app, its Azure SQL database, Key Vault and Communication Services all run in resources you own. The developer never holds another organisation's keys, and there is no developer-hosted control plane.
How is it licensed – is this open source?
It is source-available under a restrictive licence, not open source. Authorised organisations get read access to a private repository so they can clone, fork, audit and run the tool in their own tenant. Redistribution, sublicensing and use outside the authorised organisation are prohibited. The final licence terms are still being chosen – a Business Source License or PolyForm Noncommercial style licence is the starting point.
We're cloud-only Entra – do we need the hybrid AD pieces?
No. v1 is a cloud-only, Entra-authoritative happy path, and the on-prem AD / Exchange surfaces are gated behind a single master switch that cloud-only adopters leave off. Organisations still running AD and on-prem Exchange can enable the transitional path (and its VNet connectivity); everyone else skips it entirely. Treat the hybrid surface as transitional – it is not yet end-to-end verified against a live hybrid tenant.
Do we need HR-driven or SCIM provisioning already in place?
No. HR API-driven provisioning is relatively advanced, and many organisations have none of it – every account is still created by hand. Account Factory works as your primary delegated joiner / mover / leaver for whichever populations you point it at, not only as a supplement for the people an HR feed misses. Where you do run HR-driven or SCIM provisioning, it coexists cleanly – staying authoritative only for the accounts it owns and leaving the rest alone.
Do our end users need an identity governance licence?
No end-user IG licence is required to use Account Factory itself – it acts on your directory through its own app registration. Account licensing (for example freeing a licence when someone leaves) is something the tool can help with: on leaver, it can optionally convert a mailbox to shared and hand it to the manager. Licence usage for the managed accounts themselves is governed by your normal Microsoft licensing.
What happens to a leaver's mailbox?
By default nothing extra – the account is disabled, removed from app-managed groups, soft-deleted, then hard-deleted after 30 days. Optionally (per leaver or per profile), the app can convert the mailbox to a shared mailbox and assign the manager as a delegate, which frees the licence. That option defaults to off.
How are passwords and TAPs handled?
Passwordless profiles (Entra-authoritative only) get an 8-hour, multi-use Temporary Access Pass generated via Graph at creation, shown once to the Profile Administrator, and stored encrypted only until it expires – then auto-purged. The audit record of who issued it and when is retained. A QR + PIN PDF can also be issued and is kept encrypted until first sign-in or a configurable maximum. Standard AD accounts receive an initial password at creation instead.
Can we customise naming and profiles?
Yes. Profiles define UPN domain, attribute defaults, locked attributes, group assignments, mandatory fields and the auth method, and are versioned immutably – editing creates a new version while existing users keep theirs. The UPN naming pattern is configurable per profile and per deployment. Profile Administrators can be scoped so they only see and act on their own population.
What does it cost to run?
Typically around £10 – 18 per month on baseline SKUs with the Azure SQL Free Limit enabled. The deployment wizard shows a cost estimate as part of the plan before anything is provisioned. Hybrid AD / Exchange features add infrastructure – and cost – only if you turn them on.

Run your own identity governance, in your own tenant.

Delegate account creation. Keep the audit trail. Read the spec, or request time-limited access to the source to audit it before you commit.

Request access Read the spec