Primary Connection to the Identity Provider (IdP)
One of the first things you do when setting up your Drata account is establish a connection to your Identity Provider (IdP), such as Google Workspace or Office 365. This allows Drata to pull in all of the identities (name, email, avatar, and the timestamp when the user was added to the IdP), create a personnel record in Drata for each one, and grant everyone the EMPLOYEE role.
Microsoft Entra ID plays the same role when it is your IdP: Drata syncs user data from the Entra ID groups you configure and tracks whether each account is active or disabled. Personnel only sync from Entra ID if they are members of a group that is configured for syncing, so check group membership first when someone is missing.
Supplemental Connection to the Human Resource Information System (HRIS)
If you connect your HRIS (such as Gusto, Rippling, or others), Drata pulls the user records from it and matches them to the existing personnel records in Drata. This secondary integration enriches the personnel data originally pulled in from your IdP.
From an auditor's perspective, the data in your HRIS is the "source of truth" for an employee's or contractor's name, start/separation date, and employment status. For organizations looking to streamline operations, switching to a natively supported HRIS platform, such as ADP Workforce Now or Insperity, is recommended to achieve complete automation and avoid manual overhead. For HRIS platforms that are not natively supported, Drata provides alternatives to capture personnel data. Organizations can use Drata's Public API to create and update employee records, track terminations, and maintain offboarding data. This requires a premium paid account and allows customization to work around the limitations of unsupported platforms. Keep in mind that with the API path, keeping separation dates current in Drata becomes your responsibility, so tie the API calls to your offboarding process rather than running them ad hoc.
Employment Status
There are six employment statuses in Drata:
Current Employee
Former Employee
Current Contractor
Former Contractor
Out of Scope
Unknown
When only your IdP is connected, Drata imports everyone as a Current Employee, unless the email is an obvious shared alias (admin@, marketing@, info@, etc.). Once the HRIS is connected, Drata enriches the employment status with the more accurate HRIS data: a separation date in the HRIS sets the Former status and removes the person's authentication access to Drata. Former employees and contractors remain in your Drata instance even after they are removed from your IdP, which preserves the audit trail for all personnel and account access.
When a termination date is recorded in the HRIS, Drata immediately updates the employee's status to Former. This happens whether the termination date is in the past, present, or future.
If a person's status cannot be determined because no matching record can be found between the IdP and the HRIS, the personnel record is assigned the Unknown status.
To resolve Unknown records, confirm that the person's status and email address are correctly configured and synced in the HRIS and the IdP (a mismatched email is the usual cause), or manually reconcile the discrepancy after reviewing the sync logs.
Out of Scope
If you have personnel who will not be included in an audit because they are out of scope, and who should therefore be excluded from the automated tests and personnel compliance checks, you can mark them as Out of Scope on the Personnel page. You will be prompted to enter a business rationale to justify the exclusion. Be aware that every email address used to access critical services and customer data is in scope for SOC 2, so an account cannot be excluded simply because its owner is not a full-time employee.
In Summary
The IdP connection is the only required connection in Drata. It pulls in your personnel and allows them to authenticate to their My Drata page. The HRIS connection enriches the personnel records with audit-ready "source of truth" data to give a fuller picture of your personnel during the audit period.
Drata has put these processes in place so you can demonstrate proper access control procedures in preparation for your audit and strengthen your overall security posture. Reviewing the sync logs periodically helps you catch and resolve sync issues before they show up as gaps in your audit evidence.
Troubleshooting Common Syncing Issues
If employee data is not syncing as expected, work through the following checks:
HRIS Syncing Issues:
Ensure the Termination Date Is Recorded: Confirm that every terminated employee has a termination date recorded in the HRIS. Without it, Drata has no signal to set the Former status.
Immediate Updates to Drata: Entering a termination date, even a future one, marks the user as Former in Drata right away. Timing is key, so do not enter planned separation dates earlier than you want the person's access removed.
Entra ID Syncing Issues:
Verify Group Membership: Check that the user is a member of a group that is synced to Drata.
Disabled Users: A disabled account only syncs as Former if Drata had already synced it while it was active. If the account was disabled before its first sync, update the person's status in Drata or their group membership manually.
Users Persist After Resync:
If people still appear as current in Drata after a resync, it is most likely because they are still marked as active in your IdP (e.g., Entra ID). Verify their status in the IdP and disable or remove the account as appropriate.
Tips and Tricks
If aliases are set on the user record in the IdP for receiving or forwarding email, Drata uses those aliases for matching during the HRIS sync. Note that the identity sync associates only the primary email address with the Drata personnel record.
If your company currently gives employees multiple email addresses, or has in the past, we recommend using aliases instead: they consolidate the accounts, keep email forwarding working, and reduce cost.
Handle disabled accounts in Entra ID carefully. A user will not sync into Drata as Former unless the account was active when it was first synced and was disabled afterwards. Adjust the status in Drata or the Entra ID group settings manually if required.
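The following is an added example, not Drata's own code: a small reconciliation script that reproduces the employment-status rules from the Employment Status section (IdP-only imports as Current Employee, a recorded separation date means Former even when it is in the future, no match means Unknown), applies the alias matching described in the tip above, and emits the checks from the Troubleshooting section (future separation dates, disabled accounts with no separation date, accounts disabled before their first sync, separated people still enabled in the IdP). The field names, the list of generic mailbox names, and every record below are constructed for the example; point the functions at your real IdP and HRIS exports to use it.

```python
"""Reconcile IdP and HRIS exports against Drata's status rules (added example)."""
from datetime import date

# Constructed sample data. Assumed field names: primary_email/aliases/enabled
# for the IdP export, email/type/separation_date for the HRIS export.
IDP_USERS = [
    {"primary_email": "alice@example.com", "aliases": ["alice.smith@example.com"], "enabled": True},
    {"primary_email": "bob@example.com", "aliases": [], "enabled": True},
    {"primary_email": "carol@example.com", "aliases": [], "enabled": False},
    {"primary_email": "dave@example.com", "aliases": [], "enabled": True},
    {"primary_email": "frank@example.com", "aliases": [], "enabled": True},
    {"primary_email": "admin@example.com", "aliases": [], "enabled": True},
]
HRIS_RECORDS = [
    {"email": "alice.smith@example.com", "type": "employee", "separation_date": None},
    {"email": "bob@example.com", "type": "contractor", "separation_date": date(2025, 12, 31)},
    {"email": "carol@example.com", "type": "employee", "separation_date": None},
    {"email": "frank@example.com", "type": "employee", "separation_date": date(2024, 6, 30)},
    {"email": "erin@example.com", "type": "employee", "separation_date": None},
]
# Primary emails Drata has already synced while they were active (constructed).
DRATA_SEEN_ACTIVE = {"alice@example.com", "bob@example.com", "dave@example.com", "frank@example.com"}

# Local parts treated as shared mailboxes rather than people (assumed list).
GENERIC_LOCAL_PARTS = {"admin", "info", "marketing", "support", "sales", "noreply", "no-reply"}


def is_generic_alias(email):
    return email.split("@", 1)[0].lower() in GENERIC_LOCAL_PARTS


def index_idp_emails(idp_users):
    """Map every primary email and alias to the primary email: aliases are used
    for HRIS matching, but the personnel record keeps only the primary."""
    index = {}
    for user in idp_users:
        primary = user["primary_email"].lower()
        index[primary] = primary
        for alias in user.get("aliases", []):
            index[alias.lower()] = primary
    return index


def match_hris(hris_records, email_index):
    """Return ({primary_email: hris_record}, [unmatched hris records])."""
    matched, unmatched = {}, []
    for rec in hris_records:
        primary = email_index.get(rec["email"].lower())
        if primary is None:
            unmatched.append(rec)
        else:
            matched[primary] = rec
    return matched, unmatched


def expected_status(user, rec, seen_active, hris_connected):
    """Status rules from the article. Generic mailboxes return None (skipped)."""
    if is_generic_alias(user["primary_email"]):
        return None
    if not hris_connected:
        # IdP only: everyone is a current employee; a disabled account only
        # becomes Former if Drata had synced it while it was active (assumption:
        # a never-seen disabled account stays as imported).
        if not user["enabled"] and user["primary_email"].lower() in seen_active:
            return "Former Employee"
        return "Current Employee"
    if rec is None:
        return "Unknown"
    role = "Employee" if rec["type"] == "employee" else "Contractor"
    # Any recorded separation date means Former, even one in the future.
    return f"Former {role}" if rec["separation_date"] else f"Current {role}"


def reconcile(idp_users, hris_records, seen_active, today, hris_connected=True):
    """Return ({primary_email: status}, [(email, issue)]) for human review."""
    index = index_idp_emails(idp_users)
    matched, unmatched = match_hris(hris_records, index) if hris_connected else ({}, [])
    statuses, findings = {}, []
    for user in idp_users:
        email = user["primary_email"].lower()
        rec = matched.get(email)
        status = expected_status(user, rec, seen_active, hris_connected)
        if status is None:
            continue
        statuses[email] = status
        sep = rec["separation_date"] if rec else None
        if hris_connected and rec is None:
            findings.append((email, "IdP user has no HRIS match; status is Unknown"))
        if sep and sep > today:
            findings.append((email, "future separation date already marks the user Former"))
        if sep and sep <= today and user["enabled"]:
            findings.append((email, "separated in HRIS but account still enabled in IdP"))
        if not user["enabled"] and sep is None:
            why = ("never synced while active, so it will not become Former automatically"
                   if email not in seen_active else "HRIS has no separation date")
            findings.append((email, f"disabled in IdP but {why}"))
    for rec in unmatched:
        statuses[rec["email"].lower()] = "Unknown"
        findings.append((rec["email"].lower(), "HRIS record has no IdP match; status is Unknown"))
    return statuses, findings


def sample_reconcile(hris_connected=True):
    """Run the constructed sample as of a fixed date so results are reproducible."""
    return reconcile(IDP_USERS, HRIS_RECORDS, DRATA_SEEN_ACTIVE, date(2025, 1, 15), hris_connected)


if __name__ == "__main__":
    statuses, findings = sample_reconcile()
    for email, status in sorted(statuses.items()):
        print(f"{email:25} {status}")
    for email, issue in findings:
        print(f"CHECK {email}: {issue}")
```

On the sample data this reports alice as Current Employee (matched through her alias), bob as Former Contractor because of a separation date that is still in the future, carol as Current Employee with a warning that her disabled account was never synced while active, dave and erin as Unknown because each exists in only one system, frank as Former Employee with a warning that his IdP account is still enabled, and it skips admin@ as a shared mailbox. Run it before each audit evidence pull; every CHECK line corresponds to one of the troubleshooting cases above.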
Partner Offers & Discounts
Drata has a direct partnership with Deel for first-time and new customers. Check out more partner offers and discounts.
Get free HRIS and 20% off your first year by visiting https://www.deel.com/partners/drata?pscd=get.deel.com&ps_partner_key=MTM4NmQ0Y2I1YzQ0&ps_xid=NE9QgFNs5EI3Qj&gsxid=NE9QgFNs5EI3Qj&gspk=MTM4NmQ0Y2I1YzQ0
