When someone joins, moves or leaves in BambooHR, you want that change reflected in Microsoft Entra ID without anyone touching it by hand. To connect BambooHR to Microsoft Entra ID, Joinly reads each HR change in BambooHR at the source — through the BambooHR REST API — and applies it automatically to the right account. BambooHR stays your source of truth; Joinly is the engine that keeps every action accurate and traceable, even when you have no middleware and no group concept in HR.
Key takeaways
BambooHR stays your source of truth; Joinly applies every joiner, mover and leaver to Entra ID automatically — no middleware or scripting to maintain.
Joinly maps BambooHR fields — department, division, location and job title — to the right Entra ID groups and licences, which the BambooHR gallery app simply can't do because it is SSO only.
Joinly reads the hireDate field, so accounts are provisioned on the actual start date rather than the moment HR enters the new hire.
Employment-status changes — on leave, contractor-to-FTE, termination — are handled explicitly via employmentHistoryStatus, so access tracks the real status of the person.
Every action is logged for a complete audit trail, aligned with NIS2 and ISO 27001.
Quick facts
Source system | BambooHR (employee directory) |
Target system | Microsoft Entra ID (formerly Azure AD) |
Connection method | BambooHR REST API → Entra ID |
Supported events | Joiner, mover, leaver (incl. rehire, status change, contractor conversion) |
Synced attributes | Name, work email / UPN, department, division, location, job title, supervisor, employment status, hire and termination date |
Authentication | BambooHR API key (HTTP Basic, 160-bit secret) |
Real-time or batch | Frequent sync, multiple times per day |
Compliance | ISO 27001, NIS2-ready, GDPR (EU data centre) |
How does Joinly sync BambooHR to Microsoft Entra ID?
Joinly reads each HR change in BambooHR through the REST API and applies it to the matching Entra ID account automatically. BambooHR holds the authoritative employee record, so it is the starting point for each identity action — no spreadsheet or PowerShell script in between.
Joiner. HR adds the new hire in BambooHR. Joinly reads the employee record — work email, department, division, location, job title and supervisor — and determines the role from those fields. It then creates the account in Entra ID, assigns the right licences and maps the person into the correct groups — timed to the hireDate.
Mover. When someone changes department, location or job title in BambooHR, Joinly updates their group membership, permissions and licences to match. Access that no longer fits the new position is revoked, so permissions stay aligned with the actual job — even though BambooHR itself has no group concept to drive that.
Leaver. On the terminationDate recorded in BambooHR, Joinly disables the Entra ID account automatically. There are no orphaned accounts left active after someone has left, and an employment-status change to a non-active status is treated as a leaver event so access is removed at the right moment.
Example: A SaaS startup hires a customer-success rep in BambooHR with a hire date next Monday, in its Amsterdam location, Customer department. Joinly reads the record, waits until the hire date, creates the Entra ID account, assigns a Microsoft 365 Business Premium licence and adds the rep to the CS-Team and Amsterdam-Office groups. When that rep later moves to the Sales department, Joinly swaps the group the same day and updates the job title, without anyone opening a ticket.
What manual user management costs
Without automation, every account starts as a BambooHR notification or a line in a spreadsheet that IT works through by hand. BambooHR's Entra gallery app only does SSO — it can't provision — and the native API-driven alternative means writing and maintaining PowerShell that calls the BambooHR API and builds SCIM payloads yourself, so the part that actually decides access still falls to people.
Onboarding delays. New joiners wait for accounts, licences and group access while a request sits in someone's inbox, losing productive days in their first week.
Permissions that don't keep up (privilege creep). When movers change department or location, old access often stays attached, so people accumulate rights they no longer need.
Forgotten offboarding. Accounts that aren't disabled on time are both a security and audit risk, and unused licences keep costing money — easy to miss when there's no automated trigger from BambooHR.
Joinly vs. the native BambooHR provisioning options
The BambooHR gallery app in Entra is SSO only, and the native API-driven inbound provisioning is a build-it-yourself path. Here's how Joinly compares for a BambooHR-driven setup.
Joinly | BambooHR gallery app / Entra API-driven provisioning | |
|---|---|---|
Source | Reads BambooHR REST API directly | Gallery app: SSO only, no provisioning |
Provisioning | Full joiner / mover / leaver | BambooHR has no inbound SCIM; you build the sync yourself |
Role-to-group mapping | Built in, rule-based on department / location | Not available; manual or scripted |
Hire-date timing | Times account creation to the hireDate | Needs custom logic in your script |
Employment-status changes | Handled via employmentHistoryStatus | Manual; easy to miss |
Custom fields | Mapped by field ID via Liquid templates | Hand-coded in the payload builder |
Audit trail | Per-action logging tied to the HR source | Whatever you log yourself |
Watch-outs when connecting BambooHR to Microsoft Entra ID
A few BambooHR-specific details decide whether this connection stays reliable as you grow.
No group concept in BambooHR. BambooHR's org model is flat — department, division and location — with nothing that maps to an Entra group. Joinly builds explicit rules from those fields to the correct groups and licences, so role drives access rather than manual assignment.
Reliance on custom fields. Much of the data that decides access often lives in custom fields, which BambooHR exposes only by numeric field ID and not by default. Joinly discovers them via /meta/fields and maps the ones you need with Liquid templates, so a local cost centre or contract type lands in the right place.
Employment-status changes. A move from active to on-leave, or contractor to full-time, is a status change rather than a hire or termination. Joinly reads employmentHistoryStatus and applies your rules, so access reflects the real status instead of only reacting to a hire or leave date.
Directory vs. full record. The directory endpoint returns a limited field set, and the API key only sees fields its user can see. Joinly fetches the full per-employee record with the right field aliases, so no attribute is silently missing because of a permissions gap.
Hire date that isn't today. BambooHR stores the hireDate well before the first working day. Joinly times account creation to that date, so access is ready on the right day and not the moment HR saved the record.
Joinly handles each of these by default with custom mapping and transformation.
Always audit-ready
Every account action Joinly performs is logged: who was affected, when it happened, which access changed and which BambooHR change triggered it. For NIS2 that matters directly: access can be traced back to an authorised HR source rather than an ad-hoc message in a chat. Joinly is ISO 27001 certified, runs in an EU data centre in Amsterdam, applies least-privilege by default, and is built to meet NIS2 and ISO 27001.
Example case
Picture a fast-growing SaaS startup with around 220 employees across two offices, running BambooHR as its HR core but provisioning Entra ID accounts by hand. There's no middleware and no IAM team. When someone is hired, an ops person reads the BambooHR profile and clicks the account together in Entra, picks licences from memory and adds groups by guesswork. The BambooHR gallery app gives them SSO but nothing more, and as headcount climbs the manual work and the mistakes climb with it.
Connect BambooHR to Microsoft Entra ID with Joinly and that work disappears. Joinly reads each HR change in BambooHR at the source and acts on it automatically: new hires have their account, Microsoft 365 licence and group access ready on their hire date, a move from Support to Sales swaps the right groups the same day, a switch from contractor to full-time updates access through the employment-status field, and leavers are disabled on their termination date with a 30-day soft-delete grace window.
"We went from clicking every account together out of a BambooHR profile to nothing — an account is simply ready on the start date, and we can show exactly which BambooHR change created every bit of access."
The outcome this setup is designed for: onboarding drops from days to zero touch, the guesswork in licences and groups disappears, and a small ops team can walk into a NIS2 assessment with a complete, source-backed audit trail.
More than a connector
A standalone BambooHR to Entra ID connection is a good start, but identity rarely stops at one target. Joinly manages the complete chain from joiner to leaver across all your systems, with logging and governance built in. You review the exceptions; Joinly maintains the chain.
Schedule a demo
Installation guide
Follow these steps to connect BambooHR to Microsoft Entra ID with Joinly. The entire cloud setup happens in the platform, with no scripts or local software required.
1. Create your account
Go to platform.joinly.app and create your account.
Note: charges may apply for using the platform after the trial period ends.
Sign up at platform.joinly.app to get started.
2. Connect your Microsoft account
Open platform.joinly.app/settings/provisioning/idp-setup and connect your Microsoft tenant. Select the scopes you need. For provisioning you don't need any additional scopes.
Connect your Microsoft tenant and pick your scopes.
3. Import your existing accounts from Entra ID
Import all existing accounts from Entra ID at platform.joinly.app/settings/provisioning/entra-import. This gives Joinly a baseline of every account that already exists, so it can match people to their current account instead of creating duplicates.
4. Find the BambooHR integration in the Joinly marketplace
Open the Joinly marketplace and search for the BambooHR integration.
Don't see your system listed? Get in touch at support@koppelhet.nl and we'll help you out.
Search the marketplace for the BambooHR integration.
5. Follow the installation wizard
You may be redirected to integrations.joinly.app. Create an account there and enter your BambooHR connection details: your company subdomain and a BambooHR API key. Generate the key from your name in the lower-left of any BambooHR page → API Keys; Joinly uses it as the Basic-auth username. We only ask for the information needed to establish a successful connection with BambooHR. All data is encrypted and stored securely.
Enter your BambooHR subdomain and API key in the wizard.
6. Configure your field mapping
Set up all your field mappings here. Templates support Liquid, so you can build your display name, UPN and other attributes dynamically from BambooHR fields.
Frequently asked questions
How do I map the manager? Reference the supervisor field in the mapping and Joinly resolves the link to the right manager automatically.
How do I use a custom field? Look up its numeric field ID via /meta/fields and reference it in the mapping; Joinly exposes custom fields alongside the standard ones.
How do I prevent duplicate usernames? Use the
generateUniqueUsernamehelper, which falls back to the next pattern when the first one is already taken:{{ generateUniqueUsername: "{firstName}.{prefix}.{lastName}", "{initials}.{prefix}.{lastName}" }}
Map BambooHR fields to Entra ID attributes with Liquid templates.
7. Configure the scheduled import
At platform.joinly.app/settings/import-configs, configure how often the import from BambooHR should run.
8. Configure your workflows
Workflows are where Joinly turns each HR change into the right action in Entra ID. Create an onboarding (joiner) and offboarding (leaver) workflow with trigger-based execution, then an Identity updated workflow with a Create/update employee in Entra action so every change in BambooHR flows straight through to Entra ID. Finally, add a threshold workflow with the Entra soft delete action that runs a set period after the termination date (for example 30 days) to retire accounts safely.
Create a trigger-based onboarding workflow.
Add the create/update action, then set your matching strategy and field mapping.
Add the Entra soft delete action to retire accounts safely.
AD on-premise support
Need to provision to an on-premise Active Directory as well? See our dedicated guide on connecting BambooHR to Active Directory, or contact support at support@koppelhet.nl to request setup of the Joinly AD Agent.
Frequently asked questions
Does the BambooHR to Microsoft Entra ID connection work in real time?
It runs as a frequent sync that updates multiple times per day, so changes in BambooHR reach Entra ID quickly without waiting for a nightly batch.
Doesn't the BambooHR gallery app already do this?
No. The BambooHR app in the Entra gallery is SSO/SAML only, and BambooHR doesn't support inbound SCIM on any plan. Joinly adds the actual joiner, mover and leaver provisioning the gallery app can't do.
How are future-dated hires handled?
Joinly reads the hireDate on the BambooHR record and times account creation to it, so access is ready on the start date rather than the moment HR saved the record.
Which attributes sync from BambooHR to Entra ID?
Name, work email / UPN, department, division, location, job title, supervisor, employment status, and hire and termination date. Custom BambooHR fields can be mapped by their numeric field ID via Liquid templates.
Do I need middleware or a script to connect BambooHR?
No. Joinly connects directly to the BambooHR REST API with an API key and handles the provisioning, role-to-group mapping and status handling, so there's no PowerShell or SCIM payload builder to maintain.
Does Joinly also support AD on-premise or hybrid provisioning?
Yes. Joinly has its own AD on-premise agent and also supports the native Microsoft Entra provisioning agent, so you can provision users to your on-premise AD environment as well. See the BambooHR to Active Directory guide.