Skip to content

Latest commit

 

History

History
46 lines (33 loc) · 2.31 KB

Readme.md

File metadata and controls

46 lines (33 loc) · 2.31 KB

Automated solution which offers an Azure AD Access review like user experience to get regular approval for guest accounts.

Deploy to Azure Visualize

Notable features

  • The 'Manager' attribute of your guest users get's automatically populated with the identity of the inviter
  • All Azure AD app registration information is stored in Azure Key Vault
  • Almost zero touch deployment with ARM templates
  • You can integrate existing guest users into this solution by populating the manager attribute in Azure AD
  • You can configure the approval frequency for guest accounts
  • Approval frequency respects last approval date for each guest account

Prerequisites

  • Azure Subscription
  • Azure AD Audit & Sign-In Log forwarding to a log analytics workspace
  • Azure AD App Registration
    • Required permissions: Directory.ReadWrite.All, AuditLog.Read.All

Post deployment steps

  • Authorize 'Office 365 Outlook' API Connection in the Azure Portal with the Account you want to send your notification e-mails
  • Create an action group for your log analytics workspace to trigger the Azure Function: 'PopulateGuestInviterAsManager'
  • Add an alert rule to your log analytics workspace which triggers the action group

Query for the alert rule:

AuditLogs
| where OperationName == 'Invite external user' and Result == 'success'

Deployment via Az PowerShell

# Create new resource group
$rgName = "RG_AzureADGuestLifecycleMgmt"
$rgLocation = "West Europe"
New-AzResourceGroup -Name $rgName -Location $rgLocation

# Deploy ARM Template with app registration details in parameters.json file
New-AzResourceGroupDeployment -ResourceGroupName $rgName -TemplateFile "C:\Repos\GitHub\AzureADGuestManagement\03-LogicApp\template.json" -TemplateParameterFile "C:\Repos\GitHub\AzureADGuestManagement\03-LogicApp\template.parameters.json" -Verbose