225 Employees
For decades, making clean water affordable was defined by a simple mandate: recover more energy, waste less, and make desalination feasible at scale. Energy Recovery Inc built its reputation on delivering exactly that.
But today, the demands of running a high-expertise energy and utilities company are higher than ever before. While Energy Recovery Inc. was an accuracy-focused company in every sense, it was struggling with the governance of onboarding, transitions, and offboarding.
With a hybrid identity environment, a team of 225 employees, and a growing contractual workforce, Energy Recovery reached a clear tipping point.
Identity and access management was no longer a back-office admin function. It had become a core operational requirement that directly affects:
● How quickly new talent becomes productive,
● How securely employees are offboarded, and
● How confidently regulatory compliance is met.
To overcome that, Energy Recovery needed a platform that could automate the process without rebuilding everything from scratch.
Founded in 1992 and located in San Leandro, California, Energy Recovery Inc is a global leader in energy efficiency technology. Energy Recovery Inc. has spent more than three decades solving one of the world’s hardest problems, making clean water affordable at scale.
Its flagship PX® Pressure Exchanger® technology has been deployed across more than 35,000 installations in over 100 countries. This technology has helped recover up to 98% of otherwise wasted pressure energy in desalination plants. Energy Recovery Inc’s PX technology has reduced energy consumption by up to 60% for its customers, saving approximately $7.2 billion in annual energy costs.
With manufacturing and R&D facilities across California and Texas, alongside a globally distributed workforce, Energy Recovery operates as a highly skilled organization. At Energy Recovery, every employee’s access to systems and data directly supports business-critical engineering and commercial work.
The identity and access management environment at Energy Recovery Inc. was technically refined, built on a hybrid Active Directory syncing to Entra ID, Okta for SSO, FreshService for ITSM, and UKG Pro for HRIS.
But the process connecting these systems relied entirely on human coordination. There was no automated handoff from an HR event to an IT action, no governed contractor onboarding, and no structured offboarding for timely access removal.
Some of the core challenges Energy Recovery was facing include:
Fully Manual JML Workflow: New hire events in UKG Pro did not trigger automated actions in Active Directory or Okta. So, HR had to send a notification email to IT to create accounts. These accounts were then created manually with no audit trail or guarantee of day-one readiness.
No Contractor Management Process: Contractors and consultants had no records in UKG Pro, meaning their identities existed outside any governed system. Department heads provisioned access directly without HR visibility, with no contractual end dates mapped to the identity layer, no expiry notifications, and no formal offboarding path. The result was a growing pool of active credentials with no accountability, a direct compliance and security risk.
Fragmented Offboarding: There was no buffer period, no advance notifications for contractor access expiry, and no systematic mechanism to verify that all access had been removed following termination.
Job Title & Architecture Gaps: With 175 job titles having no formal job hierarchy or leave type structure in UKG Pro, identity attributes were inconsistently populated. This made role-based access control difficult to implement and left group membership governance unreliable.
Over-Licensing Risk: Microsoft 365 licenses were allocated without a proper group-licensing structure, creating duplicate or orphaned licenses.
RoboMQ’s Hire2Retire enabled Energy Recovery Inc. to bridge the gap between UKG Pro and its hybrid AD environment through real-time API integration. Now, every lifecycle event, from initial onboarding to role changes and terminations, triggers a governed, automated workflow.
To meet specific organizational needs, Hire2Retire also implemented two distinct workflows: a core automated workflow for seamless account creation and email setup, and a secondary workflow designed for complex requests and access approvals that require manual oversight and cross-functional coordination.
Below are the key functionalities that Hire2Retire streamlined for Energy Recovery Inc.
UKG Pro to AD Integration: Real-time API integration with Hire2Retire bridges UKG Pro to the hybrid Active Directory environment. Now every new hire event triggers provisioning within minutes, with no SFTP lag or manual exports required.
Okta SSO Lifecycle Sync: Okta receives automatic provisioning and deprovisioning updates driven by the AD sync, ensuring SSO-connected applications reflect the current employee directory status without manual Okta administration.
FreshService ITSM Integration: Onboarding and offboarding events auto-generate structured FreshService tickets, replacing informal email coordination with a traceable IT workflow tied to every employee lifecycle event.
Group-Based M365 Licensing: Mutually exclusive security groups for Microsoft 365 license assignment eliminate duplicate licensing, ensure contractors receive default access, and enable clean license governance.
Workforce360: Energy Recovery Inc also adopted Hire2Retire’s Workforce360. This helped provide a real-time view of the entire workforce with department-based color coding for at-a-glance organization insight.
Email Collision Handling with Naming Convention: Automated email naming collision detection and resolution ensure unique UPN and email addresses are assigned correctly at provisioning, without manual IT intervention for duplicate name scenarios.
Termination Buffer & Selective Access Retention: Hire2Retire has a configurable aging period to prevent immediate data loss upon termination. It disables the user account and revokes access while keeping the identity intact for a set duration. This allows IT to easily restore access if a termination is reversed or retrieve files and emails before the system triggers the final, irreversible deletion.
Future HRIS System Portability: Hire2Retire’s connector architecture supports future HR system migrations, ensuring Energy Recovery’s automation investment is not tied to any single HR platform. new HRIS without accidentally deleting or repeating existing data.
By automating the joiner, mover, and leaver process, Energy Recovery gained a governed, auditable identity infrastructure that’s built to scale.
From hire to termination, up to 90-95% of identity lifecycle events now execute automatically from UKG Pro. The remaining 5-10% are structured exception flows rather than informal workarounds.
New employees now arrive at a fully provisioned environment: the right accounts, the right access, and the right tools, without a single manual step between the HR record and the identity system.
With UKG Pro connected to Hybrid AD, Okta, and FreshService through a governed dual-workflow architecture, Energy Recovery now runs its identity operations with the same precision it applies to its pressure exchanger technology.
RoboMQ is not affiliated, associated, authorized, endorsed by, or in any way officially connected with any of the HR systems that it provides integration with and that are mentioned in this case study. All product and company names are the registered trademarks of their original owners.