
How to Automate HR-IT Onboarding, Offboarding, and Change Management With Your HCM

May 6, 2026

The instinct is right: HR is the conduit all employee information should flow through, and the HCM is where that information lives. The problem isn't the philosophy — it's the gap between what an HCM is designed to do and what IT needs to happen when an employee is added, changed, or removed.

HCMs are built to manage employee records, benefits, compensation, and HR workflows. They're not built to send API calls to Active Directory, assign M365 licenses, or route hardware provisioning tickets to a helpdesk. The workflow you want to build — new hire appears in UltiPro, IT accounts and hardware are automatically provisioned before day one — requires a layer between the HCM and the IT systems that executes the downstream actions HR's platform was never meant to handle.

Right now, that layer is a form on a file share, an email to HR, a scanned document to the helpdesk, and IT waiting to be notified. That's the gap this article closes.

Why Building the Workflow Inside the HCM Doesn't Work

The OP's instinct — use UltiPro directly to create IT request workflows — is a reasonable first thought. Most enterprise HCMs do have workflow and forms capabilities. The problem is that those workflows are designed for HR processes: approval chains, compliance acknowledgments, benefits enrollment steps. They're not designed to make API calls to Azure AD, query an application catalog, or generate structured ITSM tickets with the right fields pre-populated.

Several teams in the thread tried variations of this: UltiPro pushing a file to an FTP that a script processes, APIs from the HRIS into an ITSM tool that triggers PowerShell downstream, ServiceNow HR Service Delivery as a middleware layer. These work — the ServiceNow implementation in the thread sounds well-executed — but they all require IT to build and maintain the integration layer, and the complexity grows with each additional system that needs to be part of the onboarding workflow.

ManageEngine AD Manager Plus with a UltiPro integration was mentioned specifically in this thread. It handles AD and O365 provisioning tied to the HCM data. The ceiling is the same as any AD-specific tool: it addresses the Microsoft stack, and everything outside that requires additional solutions or manual steps.

The pattern across all of these: the HCM is the right starting point, the downstream IT systems are the right destination, and the question is what sits in between to execute the connection reliably without custom scripts that require ongoing maintenance.

The Right Architecture: HCM as Source of Truth, IGA as Execution Layer

The industry approach that eliminates the form-and-email process connects the HCM to an IGA orchestration platform, which handles all downstream execution. HR does exactly what they already do — enter employee data in the HCM. IT gets the result — provisioned accounts, assigned licenses, routed hardware tickets — without anyone submitting a form or scanning a document.

Joiners. When HR adds a new employee in UltiPro with a hire date, the IGA platform detects the record and triggers an Onboarding Playbook. The playbook uses the HR data — name, department, title, start date — to create the AD account, assign the M365 license, add the user to the correct security groups, and provision role-appropriate access to downstream SaaS applications, all before the hire date and without any IT manual action. For hardware — which can't be automated via API — the playbook generates a tracked ITSM ticket in Jira, Freshservice, or ServiceNow with the employee details, the hardware specification for their role, and the required delivery date. The helpdesk gets the ticket automatically. IT doesn't need to be notified by HR first.

Movers. When an employee's department or title changes in UltiPro, the platform detects the attribute change and runs a Mover workflow. Access tied to the previous role is revoked; access appropriate for the new role is provisioned. Both sides happen in the same automated run rather than requiring two separate requests. This is the change management workflow the OP described — and it's the one that most manual processes handle worst, because it requires both taking something away and giving something new, and the "take away" step is usually the one that gets forgotten.

Leavers. When an employee is terminated in UltiPro, the platform detects the status change and triggers an Offboarding Playbook immediately. No manager needs to submit a termination form. No helpdesk ticket needs to be created. The account is disabled in AD, the M365 license is reclaimed, and every downstream SaaS application the employee had access to — including tools that were never formally provisioned through IT — is covered by the deprovisioning workflow.
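The joiner, mover and leaver detection described above can be sketched as a diff between two HCM snapshots. This is an added example, not Zluri's or UltiPro's code; the role map, entitlement names, record fields and the `held` inventory are hypothetical.

```python
# Added example. Roles, entitlement names and record fields are hypothetical.
ROLE_ACCESS = {
    ("Sales", "Account Executive"): {"m365:E3", "grp:sales", "saas:crm"},
    ("Finance", "Analyst"): {"m365:E3", "grp:finance", "saas:erp"},
}

def role_access(rec):
    # An unmapped department/title pair grants nothing (fail closed).
    return ROLE_ACCESS.get((rec["department"], rec["title"]), set())

def plan_jml(previous, current, held):
    """Diff two HCM snapshots (dicts keyed by employee id) into JML actions.
    held: employee id -> entitlements observed on the account, which can
    include access that was never provisioned through IT.
    """
    actions = []
    for emp in sorted(set(previous) | set(current)):
        old, new = previous.get(emp), current.get(emp)
        was = old is not None and old["status"] == "active"
        now = new is not None and new["status"] == "active"
        if now and not was:
            actions.append({"id": emp, "event": "joiner", "revoke": set(),
                            "grant": role_access(new), "due": new["start_date"]})
        elif was and not now:
            # Leaver: revoke what the account holds, not only what the role
            # implies. Assumption: a record missing from the feed is a leaver.
            actions.append({"id": emp, "event": "leaver", "grant": set(),
                            "revoke": held.get(emp, set()) | role_access(old)})
        elif was and (old["department"], old["title"]) != (new["department"], new["title"]):
            before, after = role_access(old), role_access(new)
            # Mover: both halves come from one diff, so the revoke cannot be
            # skipped; access shared by both roles is left untouched.
            actions.append({"id": emp, "event": "mover",
                            "grant": after - before, "revoke": before - after})
    return actions

# Constructed sample snapshots (not real HCM data).
PREVIOUS = {
    "e1": {"department": "Sales", "title": "Account Executive", "status": "active", "start_date": "2025-01-06"},
    "e2": {"department": "Finance", "title": "Analyst", "status": "active", "start_date": "2024-03-04"},
}
CURRENT = {
    "e1": {"department": "Finance", "title": "Analyst", "status": "active", "start_date": "2025-01-06"},
    "e2": {"department": "Finance", "title": "Analyst", "status": "terminated", "start_date": "2024-03-04"},
    "e3": {"department": "Sales", "title": "Account Executive", "status": "active", "start_date": "2026-06-01"},
}
HELD = {"e2": {"m365:E3", "grp:finance", "saas:erp", "saas:design-tool"}}

print(*plan_jml(PREVIOUS, CURRENT, HELD), sep="\n")
```

In the sample, the leaver's revoke set includes `saas:design-tool`, which no role grants, because it is taken from the observed inventory rather than from the role map.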

Getting HR and IT Aligned on the Architecture

The organizational piece — getting IT access to the HCM configuration, convincing HR that the HCM should feed IT systems rather than the other way around — is often harder than the technical implementation.

The framing that works is: HR already owns all the data. The only thing changing is that instead of IT extracting that data via a scanned form, the HCM pushes it automatically. HR's workload doesn't increase. IT's manual steps disappear. The hiring manager stops directing new hires to a form on a file share and instead simply does nothing — because the account is already provisioned by the time they ask.

The OP noted that IT doesn't currently have access to the HCM to explore its configuration. The right entry point for that conversation is not "IT needs access to the HCM" — it's "IT needs to connect to the HCM via API so we can stop asking hiring managers to fill out forms." That's a proposal that reduces HR's administrative burden, which is an easier sell than a request for system access.

Hardware Provisioning and the Manual Task Layer

Physical hardware can't be provisioned via API. This is the part of onboarding that always requires a human step, and it's where automated task routing matters most. A new hire's laptop needs to be ordered, configured, and delivered before day one — and that process needs to start as soon as the hire is confirmed in the HCM, not when the hiring manager finally finds the form.

Zluri's onboarding playbooks include a Manual Task action that generates a structured ITSM ticket in the connected helpdesk system — Jira, Freshservice, ServiceNow — with the employee's name, start date, role, and hardware requirements pre-populated from the HCM data. The helpdesk gets the ticket at the moment HR adds the new hire record, with enough lead time to fulfill it. The task has a completion requirement, so IT can see which hardware provisioning tasks are pending, in progress, and done without chasing anyone for updates.

Frequently Asked Questions

Should IT build onboarding and offboarding workflows directly inside the HCM?

HCMs handle HR-side workflows well — approvals, compliance tasks, benefits enrollment. They're not designed to execute IT provisioning: API calls to Active Directory, M365 license assignment, ITSM ticket generation. The right architecture uses the HCM as the authoritative data source and connects it to an IGA platform that handles downstream IT execution. HR enters data in the HCM; IT provisioning happens automatically without forms or email.

How do you use an HCM as the source of truth for IT provisioning?

By integrating the HCM with an IGA orchestration platform via API. When HR adds a new hire, changes an employee's role, or marks someone as terminated, the IGA platform detects the event and executes the corresponding provisioning workflow — account creation, role adjustment, or offboarding — across AD, M365, and downstream SaaS applications. HR's process doesn't change. IT's manual steps are eliminated.

What is the joiner-mover-leaver process in IT provisioning?

The joiner-mover-leaver (JML) framework covers three identity lifecycle events. Joiner: a new hire triggers account creation and initial access provisioning. Mover: a role or department change triggers simultaneous removal of previous-role access and provisioning of new-role access. Leaver: a termination triggers account disablement and deprovisioning across all systems. Automating all three from a single HCM data source eliminates the manual steps, missed steps, and delayed actions that manual forms-based processes create.

How do you automate hardware provisioning tickets from an HCM new hire event?

Physical hardware can't be provisioned via API, but the ITSM ticket for it can be generated automatically. When an HCM new hire event triggers an onboarding playbook, a Manual Task action creates a helpdesk ticket in Jira, Freshservice, or ServiceNow with the employee's details, role, start date, and hardware requirements pre-populated from the HR record. The helpdesk receives the ticket immediately — not when the hiring manager remembers to notify IT — with enough lead time to fulfill it before day one.

Connect Your HCM to IT Provisioning

If your current onboarding process still starts with a hiring manager finding a form on a file share, see how Zluri connects to your HCM and automates the full IT provisioning sequence — accounts, licenses, application access, and hardware tickets — from a single HR data event, without IT waiting to be notified.