The architecture of Joinly explained: how everything integrates

Marcel van Beek


1. Three layers in the Joinly architecture

Joinly consists of three logical layers that work together:

  1. The source systems (HR)
    HR systems like AFAS, Visma or Nmbrs provide the employee data.
    Joinly retrieves this data via a secure API connector.

  2. The Joinly Core (processing layer)
    This is where the logic happens. Joinly compares HR data with the current situation in Microsoft Entra ID and determines what needs to change.
    This part includes:

    • The lifecycle engine (joiners, movers, leavers)

    • The mapping engine (translating fields and rules between systems)

    • The provisioning engine (creating, updating, deactivating accounts)

  3. The target systems (targets)
    These are systems where Joinly manages accounts, such as Microsoft Entra ID, Active Directory, Exchange or SaaS apps via SCIM.


2. HR-driven provisioning as a starting point

Most organisations use HR as the source of truth.
When HR records a change (for example, new employee or job change), Joinly detects this and initiates a provisioning flow.

Joinly then determines:

  • Which accounts need to be created or adjusted

  • Which rights and groups are associated

  • Which licences need to be assigned

This logic is stored in the Joinly Core and can be extended per organisation with rules, approvals or exceptions.
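The comparison of HR data with the directory described in sections 1 and 2 can be sketched as a small reconciliation routine. This is an added example, not Joinly's own code; the field names, the department-to-group rules and the sample records are assumptions constructed for illustration.

```python
# Added example: rules, field names and records below are constructed, not Joinly's.
GROUPS_BY_DEPARTMENT = {"Finance": {"grp-finance"}, "Sales": {"grp-sales", "grp-crm"}}

HR_SAMPLE = [
    {"employee_id": "1001", "department": "Finance", "active": True},   # joiner
    {"employee_id": "1002", "department": "Sales", "active": True},     # mover
    {"employee_id": "1003", "department": "Finance", "active": False},  # leaver
]
DIRECTORY_SAMPLE = {
    "1002": {"enabled": True, "managed": True, "groups": {"grp-finance"}},
    "1003": {"enabled": True, "managed": True, "groups": {"grp-finance"}},
    "1999": {"enabled": True, "managed": True, "groups": set()},
    "svc-backup": {"enabled": True, "managed": False, "groups": set()},
}


def plan_changes(hr_records, directory_accounts):
    """Return (action, account_id, detail) tuples; nothing is applied here."""
    hr = {r["employee_id"]: r for r in hr_records}
    plan = []
    for emp_id, rec in hr.items():
        acct = directory_accounts.get(emp_id)
        if not rec["active"]:
            # Leaver: disable rather than delete, so the action stays reversible.
            if acct and acct["enabled"]:
                plan.append(("disable", emp_id, "leaver"))
            continue
        want = GROUPS_BY_DEPARTMENT.get(rec["department"], set())
        if acct is None:
            plan.append(("create", emp_id, sorted(want)))  # joiner
            continue
        # Mover: grant what the new role needs AND revoke what it no longer
        # needs; add-only logic is how access accumulates across job changes.
        for group in sorted(want - acct["groups"]):
            plan.append(("add_group", emp_id, group))
        for group in sorted(acct["groups"] - want):
            plan.append(("remove_group", emp_id, group))
    # Accounts without any HR record: only touch accounts this process manages,
    # so service and emergency accounts are never disabled by accident.
    for acct_id, acct in directory_accounts.items():
        if acct_id not in hr and acct["managed"] and acct["enabled"]:
            plan.append(("disable", acct_id, "no HR record"))
    return plan
```

Producing a plan before applying it gives an approval step or a dry run something concrete to review.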


3. Delta API for efficiency

Joinly uses the Delta API from Microsoft Entra ID to retrieve only changes.
Instead of rereading all users every night, Joinly asks:

“What has changed since the last time?”

This makes the system fast, efficient, and scalable, even with thousands of users.
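How a delta round is consumed matters for correctness: Microsoft Graph delta responses are paged with `@odata.nextLink`, the last page carries the `@odata.deltaLink` to store for the next round, and removed objects arrive with an `@removed` marker. The following is an added example, not Joinly's code; the URLs, IDs and the `fetch` callable are constructed so it runs offline.

```python
# Added example: constructed delta pages in the Microsoft Graph response shape.
START_URL = "https://graph.example/v1.0/users/delta?token=t0"
CONSTRUCTED_PAGES = {
    START_URL: {
        "value": [
            {"id": "u1", "department": "Finance"},
            {"id": "u2", "@removed": {"reason": "changed"}},
        ],
        "@odata.nextLink": "https://graph.example/v1.0/users/delta?skip=1",
    },
    "https://graph.example/v1.0/users/delta?skip=1": {
        "value": [{"id": "u3", "accountEnabled": False}],
        "@odata.deltaLink": "https://graph.example/v1.0/users/delta?token=t1",
    },
}


def apply_delta(fetch, start_url, users):
    """Apply one delta round to users (id -> attributes); return the new deltaLink."""
    staged = {uid: dict(attrs) for uid, attrs in users.items()}
    url, seen = start_url, set()
    while True:
        if url in seen:
            raise RuntimeError("delta paging loop detected")
        seen.add(url)
        page = fetch(url)
        for item in page.get("value", []):
            if "@removed" in item:
                staged.pop(item["id"], None)
            else:
                # Delta items may carry only the changed properties: merge them.
                changed = {k: v for k, v in item.items() if not k.startswith("@")}
                staged.setdefault(item["id"], {}).update(changed)
        if "@odata.nextLink" in page:
            url = page["@odata.nextLink"]
        elif "@odata.deltaLink" in page:
            # Commit only after the final page, so a failed round is retried
            # from the old token and no disablement or removal is skipped.
            users.clear()
            users.update(staged)
            return page["@odata.deltaLink"]
        else:
            raise ValueError("page has neither nextLink nor deltaLink")


def run_constructed_round():
    users = {"u1": {"id": "u1", "displayName": "A. Jansen", "department": "Sales"},
             "u2": {"id": "u2", "displayName": "B. de Vries"}}
    return users, apply_delta(CONSTRUCTED_PAGES.__getitem__, START_URL, users)
```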


4. Secure communication

All communication takes place via secure HTTPS connections with OAuth 2.0 authentication.
Tokens are encrypted and periodically renewed.
No system gets more access than strictly necessary (least privilege).

When connecting to on-premises environments (such as Active Directory), Joinly uses:

  • A hybrid connector or Azure Function in the customer environment

  • Only outgoing connections, so no open ports from the outside


5. Expandable via connectors and APIs

Joinly is modularly built.
New connections are added as connectors:

  • HR connectors (AFAS, Visma, Youforce, Personio, etc.)

  • Target connectors (Microsoft Entra, AD, HubSpot, Exact, Topdesk, etc.)

Each connector uses the same underlying provisioning framework, ensuring extensions remain consistent.


6. In summary

The architecture of Joinly is easy to visualise:

  • HR determines what changes

  • Joinly Core translates and automates

  • Changes are passed through to Microsoft Entra ID / on-premises AD

  • Users are passed from Microsoft Entra to target systems and Microsoft applications such as Teams, SharePoint and Exchange with the correct rights


Conclusion

The strength of Joinly lies in simplicity: HR provides the data, Joinly processes the logic, and via secure APIs, all systems are kept up-to-date.
Whether that's in the cloud or on-premises, the architecture remains the same: secure, modular, and scalable.
