A complete walkthrough of the user workflow — from initial setup to hands-off automation. See exactly what happens at each stage and what you need to do (hint: not much).
Designed for IT Admins, HR Ops, and InfoSec teams managing Office 365 tenants.
Three types of users benefit from Xito. Most of them never need to interact with the system after the initial setup.
Sets up Xito, configures credentials, runs the initial sync, and enables the automated schedule. After that, monitors logs and handles exceptions.
Continues to use EmployWise as usual. Xito picks up changes automatically — no new tools, no new processes, no training needed.
Reviews audit logs to verify leavers are offboarded on time. Uses the complete audit trail for compliance reporting and access reviews.
Here's the entire workflow in one view — from data sources to outcomes.
You only do this once. It takes about 15–30 minutes. After this, Xito runs on its own.
Go to Azure Portal → App Registrations → New Registration. Grant the required Microsoft Graph permissions for user management, directory access, and group operations. Note the Tenant ID, Client ID, and create a Client Secret.
Contact your EmployWise admin or extract the API key and endpoint URL from the EmployWise settings. You need the employee export API endpoint and a valid API key.
Deploy Xito to your environment and provide your Azure AD and EmployWise credentials. Configure customer filters if you need domain whitelisting, status exclusions, or employee code filtering.
Create an incoming webhook in your IT/DevOps Teams channel and add it to the Xito configuration. Xito will post alerts here whenever an AI agent encounters an error.
Xito pulls a complete snapshot from both systems and stores them locally. This is the foundation for everything that follows.
Xito's sync agent connects to Microsoft Graph, fetching all users from your Azure AD tenant. For each user, it captures name, email, department, job title, location, mobile, manager, hire date, exit date, and account status — building a complete local snapshot.
Xito's HRMS agent imports all employees from EmployWise, applies your customer-specific filters (domain whitelist, status exclusions, emp-code exclusions), and builds a local snapshot. Then it auto-links HRMS records to AD records by matching email addresses.
Now Xito compares HRMS data against Azure AD and patches only what's actually different. HRMS is the source of truth.
For every linked employee, Xito's comparison agent analyzes 10 fields (name, department, title, location, mobile, emp ID, hire date, exit date). If the HRMS value differs from the AD value, it intelligently updates only the changed fields in Azure AD.
Xito's org-chart agent compares reporting manager emails. If the HRMS manager differs from the AD manager, it sets, changes, or removes the manager relationship in Azure AD — keeping your org chart accurate across Teams, Outlook, and SharePoint.
When HR marks someone as exited, Xito's cleanup agents automatically handle the full offboarding after the grace period passes.
After the configured grace period (default: 7 days past exit date), Xito's access agent disables the user's Azure AD account. They immediately lose access to email, Teams, SharePoint, and all M365 apps. Already-disabled users are skipped.
Xito's license agent retrieves every M365 license assigned to the leaver (E3, E5, Business Premium, Power BI, etc.) and removes them. Each cancellation is logged with full details. License seats are freed immediately.
Xito's group agent fetches all the leaver's group memberships, intelligently filters out dynamic groups (Azure manages those automatically), and removes the user from every manually-assigned group — security groups, distribution lists, Teams, etc.
Every action Xito takes is logged at two levels. You always know what happened, when, and why.
Every time an AI agent runs, a detailed execution log is created with start time, end time, status (success / partial_success / failed), and a human-readable summary like "Processed 420 users. Disabled: 3, Errors: 0".
Every individual user-level action is logged with full detail — user ID, email, operation type (DISABLE_USER, CANCEL_LICENSE, etc.), before/after values, and status. This is your compliance audit trail.
When any AI agent encounters an error, Xito sends a formatted alert to your Microsoft Teams channel with the agent name, error message, and timestamp. Successful runs are silent — you only hear about problems.
Enable the automated schedule and Xito handles everything autonomously. You only intervene when Teams pings you about an error.
Configure the automated schedule to run the full pipeline on your preferred interval. Every 30 minutes is a common choice. The entire 8-step AI pipeline executes autonomously with full error handling and retry logic.
For troubleshooting or one-off runs, you can trigger any individual AI agent directly via MCP or the Xito dashboard. Each agent is independent and safe to run in isolation.
xito:sync_ad_users — just refresh the AD snapshotxito:sync_hrms — just re-import HRMS dataxito:disable_accounts — just process leaversHere's what your day-to-day looks like once Xito is up and running.
Register Azure AD app, get EmployWise API key, configure Xito, initialize the data store. Done once, never again.
Trigger xito:run_pipeline manually. Watch the AI agents pull AD users, import HRMS employees, update fields, and process leavers. Review the output.
Enable the automated schedule to run every 30 minutes. From this point forward, Xito runs on its own.
HR continues using EmployWise. When they update departments, titles, or managers — Xito picks it up on the next cycle. When they enter an exit date — Xito handles the offboarding automatically.
Check the Xito execution logs and operation audit trail periodically. Everything is timestamped with before/after values — ready for compliance audits.
If something fails (expired secret, API downtime, permission issue), you get a Teams notification. Fix the issue, Xito retries on the next cycle.
Setup takes 30 minutes. After that, your identity lifecycle runs on autopilot.