Brainiacs Team · 2 min read

From Headcount to Config File

Role-based deployment replaces the app matrix spreadsheet with a single source of truth. Define the role, assign the user, and the endpoint configures itself.

The App Matrix Problem

Somewhere in your organization, there's a spreadsheet. It maps job titles to applications. Marketing gets Adobe Creative Cloud. Engineering gets Visual Studio. Finance gets Power BI Pro. Everyone gets Office and Chrome.

That spreadsheet is maintained by a person — sometimes two. When a new hire starts, someone reads the spreadsheet, builds a list of packages, and pushes them to the device. When someone transfers departments, the old apps stay and new ones pile on. When someone leaves, the device gets reimaged because nobody trusts the uninstall scripts.

This is the headcount model: every endpoint change requires human interpretation.

The Config File Model

Role-based deployment flips the approach. Instead of a spreadsheet that a person interprets, you have configuration that machines execute:

  • Define the role — "Marketing Designer" includes Creative Cloud, Figma, Slack, and the standard productivity suite.
  • Assign the user — When a new hire is tagged as Marketing Designer in your identity provider, their device automatically receives exactly that software stack.
  • The endpoint configures itself — No tickets. No manual intervention. No spreadsheet lookup.

Beyond the Endpoint: Entra ID Dynamic Membership Rules

Role-based deployment doesn’t stop at the device. Combine it with Microsoft Entra ID (formerly Azure AD) dynamic membership rules, and the same attributes that drive the endpoint build also drive everything else the user touches.

Dynamic membership rules evaluate user attributes (department, job title, usage location, cost center) and add or remove users from groups without an admin touching the group. Evaluation is asynchronous: membership follows an attribute change after a processing delay rather than instantly, so downstream access lags the HR update slightly. Those groups drive everything downstream:

  • Licensing — Microsoft 365 E3 vs. E5, Power BI Pro, Visio, Project, assigned through group-based licensing. No license spreadsheet and no audit surprises, provided the rules are disjoint: a user matched by both an E3 rule and an E5 rule gets both SKUs, and assignment errors (no seats left, conflicting service plans) are reported on the user object and need monitoring rather than a ticket.
  • SharePoint and Teams — Group memberships control access to team sites, document libraries, and Teams channels. A new marketing hire gets added to the Marketing team, the Brand Assets library, and the Campaign Planning channel — before they ever open the app.
  • Third-party SaaS provisioning — Entra ID’s SCIM-based provisioning creates, updates and deactivates accounts in applications like Salesforce, Slack, Zoom, and dozens of others. When a user lands in a role group, their SaaS accounts are provisioned; when they drop out of it (transfer or leave), the accounts are deprovisioned on the next provisioning cycle. No manual admin work in each vendor’s console.
  • Conditional Access policies — Security policies follow the role, not the individual. Engineers get MFA requirements and compliant-device enforcement for code repositories. Executives get stricter policies for financial systems. The rules are defined once and applied continuously.

The result is a single source of truth that extends from the endpoint all the way through the cloud. Change a user’s attributes in Entra ID, and the cascade handles their device software, license assignments, collaboration access, SaaS accounts, and security policies, with no ticket, spreadsheet update, or manual step. The flip side is that the attribute is now the access decision: guard the write path (the HR feed and the admin roles that can set department, job title or account status) as carefully as the access it grants, because a wrong, stale or missing value revokes or grants all of the above just as silently.
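The role-as-configuration idea above (define the role as a rule, let attributes assign it, let the cascade follow), worked through locally as an added example. This is not the page's own tooling and not Microsoft's rule engine: it is a small evaluator for the subset of Entra dynamic-membership rule syntax shown in ROLES (-eq, -ne, -contains, -startsWith, and/or/not, parentheses), run over constructed user records. Role names, attribute values, SKU labels and app lists are invented for illustration; a real tenant would read users and rules from Microsoft Graph, and comparisons here are case-sensitive, which is a simplification. It shows what a transfer and a leave cascade into, and the caveat that a negative rule matches users whose attribute was never populated.

```python
"""Attribute-driven roles, modelled locally.  Added example: not the page's
code and not Microsoft's rule engine.  Evaluates a subset of Entra
dynamic-membership rule syntax against constructed users and shows what a
membership change cascades into.  All names and values are invented."""
import re

TOKEN_RE = re.compile(r'\s*(?:(?P<str>"[^"]*")|(?P<lp>\()|(?P<rp>\))'
                      r'|(?P<op>-(?:eq|ne|contains|startsWith)\b)'
                      r'|(?P<kw>(?:and|or|not|true|false|null)\b)|(?P<prop>user\.\w+))')

# Constructed role catalogue: rule -> what membership cascades into downstream.
ROLES = {
    "All Staff": ('(user.accountEnabled -eq true)',
                  {"apps": {"Office", "Chrome"}, "licenses": {"M365_E3"}, "saas": {"Zoom"}}),
    "Marketing Designer": ('(user.department -eq "Marketing") and (user.jobTitle -contains "Designer")'
                           ' and (user.accountEnabled -eq true)',
                           {"apps": {"Creative Cloud", "Figma"}, "licenses": set(), "saas": {"Figma"}}),
    "Engineer": ('(user.department -eq "Engineering") and (user.accountEnabled -eq true)',
                 {"apps": {"Visual Studio"}, "licenses": {"VISIO_PLAN2"}, "saas": {"GitHub"}}),
}

def tokenize(rule):
    tokens, pos = [], 0
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"bad rule syntax near {rule[pos:pos + 20]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens

def compare(actual, op, expected):
    # Missing attribute: -eq matches only an explicit null and -ne matches anything
    # else, so (user.department -ne "Sales") also captures users with no department.
    if op == "-eq":
        return actual == expected
    if op == "-ne":
        return actual != expected
    if not isinstance(actual, str):          # -contains/-startsWith never match a missing value
        return False
    return expected in actual if op == "-contains" else actual.startswith(expected)

def evaluate(tokens, user):
    """Recursive descent: expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | user.property op literal."""
    pos = 0
    def peek():
        return tokens[pos] if pos < len(tokens) else (None, None)
    def take(kind):
        nonlocal pos
        k, v = peek()
        if k != kind:
            raise ValueError(f"expected {kind}, got {v!r}")
        pos += 1
        return v
    def expr():
        val = term()
        while peek() == ("kw", "or"):
            take("kw")
            val = term() or val               # both sides always evaluated
        return val
    def term():
        val = factor()
        while peek() == ("kw", "and"):
            take("kw")
            val = factor() and val
        return val
    def factor():
        if peek() == ("kw", "not"):
            take("kw")
            return not factor()
        if peek()[0] == "lp":
            take("lp")
            val = expr()
            take("rp")
            return val
        prop, op = take("prop")[len("user."):], take("op")
        lit = take("str")[1:-1] if peek()[0] == "str" else {"true": True, "false": False, "null": None}[take("kw")]
        return compare(user.get(prop), op, lit)
    result = expr()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos][1]!r}")
    return result

def matches(rule, user):
    return evaluate(tokenize(rule.strip()), user)

def roles_for(user):
    return sorted(name for name, (rule, _) in ROLES.items() if matches(rule, user))

def entitlements(user):
    """Union of everything the user's current roles cascade into."""
    out = {"apps": set(), "licenses": set(), "saas": set()}
    for rule, grants in ROLES.values():
        if matches(rule, user):
            for k in out:
                out[k] |= grants[k]
    return out

def reconcile(before, after):
    """(grant, revoke) per category: the work a transfer or a leave triggers."""
    return {k: (sorted(after[k] - before[k]), sorted(before[k] - after[k])) for k in before}

# Constructed sample directory; carol's HR record never populated department.
USERS = {
    "alice": {"department": "Marketing", "jobTitle": "Senior Designer", "accountEnabled": True},
    "carol": {"jobTitle": "Analyst", "accountEnabled": True},
}

if __name__ == "__main__":
    alice = USERS["alice"]
    print("alice roles:", roles_for(alice))
    print("transfer:", reconcile(entitlements(alice), entitlements(dict(alice, department="Engineering"))))
    print("leaver:", reconcile(entitlements(alice), entitlements(dict(alice, accountEnabled=False))))
    print("carol matches 'not Sales':", matches('(user.department -ne "Sales")', USERS["carol"]))
```

The transfer output is the point of the model: one attribute change produces a grant list and a revoke list for apps, licenses and SaaS accounts, which is exactly the work the spreadsheet model left to a person. The last line is the check worth running against any real rule set: every rule built on -ne or not should be tested against a user with the attribute unset, because such users match it.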

Ready to modernize?

Let's discuss how intelligent IT delivery can transform your organization.

Contact Us