Feeling overwhelmed by security and all the small things you have to keep track of? Accounts that need to be disabled, groups that need to be kept up to date? Administrative tasks are boring, but they really matter.
Not all of them need a person. If an event should trigger a change in a group's membership, why not automate it?
One customer in particular needed to change group memberships regularly. They have staff who travel overseas, and they need to make sure that only people known to be overseas can sign in from countries outside New Zealand.
To reduce their attack surface, the customer required anyone signing in to their environment to be physically in New Zealand. That breaks down for people who travel overseas and still need access: salespeople, or someone going away to a conference, still need to sign in to their accounts. How did we solve this?
Those users still need to sign in, so permission to access from an overseas location is controlled by membership of a group in Azure Active Directory: people in that group may sign in from overseas, everyone else may not. In phase 1 we do not distinguish which overseas country they are accessing from. A traveller needs to be moved into this group when they leave New Zealand and moved out of it again when they are back.
Imagine Anna, who is going to Australia for a week for a conference. Rather than Anna or her manager emailing IT (this company runs a very lean IT team, so automation is key), we moved the request closer to the end user.
We used a SharePoint list that holds who is going, when they leave, when they return, and where they are going (in phase two we will restrict access to the countries they will actually be in). The list exists purely to drive the automation and must not be readable by everyone; restrict it with list permissions rather than relying on the form redirect described next, which is a convenience, not an access control. On top of the list we customised the input form so it looks the part and matches the company's design. When the form is saved, instead of returning to the list (the default behaviour) it redirects to the SharePoint homepage, so users are not led to the list itself and the data in it.
We built two ways of picking up a change: a trigger when a record is added, and a job that runs daily. The daily run is what catches trips logged ahead of time (the traveller has not left yet when the record is added) or entered late, and, just as importantly, it removes people from the group once their return date has passed. Azure Functions do the heavy lifting, updating Azure AD group membership with PowerShell and the Graph API.
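Below is a sketch of the reconciliation such a daily function performs, added here as an illustration; it is not the customer's code or the code described in this post. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups and Microsoft.Graph.Users), an identity holding Group.ReadWrite.All and User.Read.All, list columns named Traveller (a UPN), DepartDate and ReturnDate, and a placeholder group id; fetching the rows from SharePoint is left to the trigger that calls it.

```powershell
# Added example, not the customer's or the author's code. Reconciles the
# "may sign in from overseas" Azure AD group against SharePoint travel rows.
# Assumed: Microsoft Graph PowerShell SDK installed, the function app's identity
# holds Group.ReadWrite.All + User.Read.All, and the list columns are named
# Traveller (UPN), DepartDate and ReturnDate. The group id below is a placeholder.

function Get-DesiredMembers {
    # UPNs that should be in the group on $Today: only people whose declared trip
    # window contains today. Trips not yet started and trips already finished both
    # contribute nothing, so a daily run adds travellers on departure day and
    # drops them the day after their return date without any extra logic.
    param(
        [Parameter(Mandatory)] [object[]] $TravelRecords,
        [datetime] $Today = (Get-Date).Date
    )
    $TravelRecords |
        Where-Object { ([datetime]$_.DepartDate).Date -le $Today.Date -and
                       ([datetime]$_.ReturnDate).Date -ge $Today.Date } |
        ForEach-Object { $_.Traveller.Trim().ToLowerInvariant() } |
        Sort-Object -Unique
}

function Get-MembershipChanges {
    # Diff desired against current membership and return the adds and removes.
    param([string[]] $Desired = @(), [string[]] $Current = @())
    [pscustomobject]@{
        Add    = @($Desired | Where-Object { $_ -notin $Current })
        Remove = @($Current | Where-Object { $_ -notin $Desired })
    }
}

function Sync-TravelGroup {
    # Apply the diff to Azure AD via Graph. -WhatIf shows the changes without making them.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GroupId,
        [Parameter(Mandatory)] [object[]] $TravelRecords,
        [datetime] $Today = (Get-Date).Date
    )
    $desired = @(Get-DesiredMembers -TravelRecords $TravelRecords -Today $Today)
    # Members come back as directory objects; the UPN lives in AdditionalProperties.
    $current = @(Get-MgGroupMember -GroupId $GroupId -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
        Where-Object { $_ } |
        ForEach-Object { $_.ToLowerInvariant() })

    $changes = Get-MembershipChanges -Desired $desired -Current $current
    foreach ($upn in $changes.Add) {
        if ($PSCmdlet.ShouldProcess($upn, 'Add to overseas-access group')) {
            $user = Get-MgUser -UserId $upn -Property Id
            New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $user.Id
        }
    }
    foreach ($upn in $changes.Remove) {
        if ($PSCmdlet.ShouldProcess($upn, 'Remove from overseas-access group')) {
            $user = Get-MgUser -UserId $upn -Property Id
            Remove-MgGroupMemberByRef -GroupId $GroupId -DirectoryObjectId $user.Id
        }
    }
    $changes
}

# Constructed sample rows standing in for the SharePoint list (not real data).
$sampleTrips = @(
    [pscustomobject]@{ Traveller = 'anna@contoso.example';  DepartDate = [datetime]'2024-03-04'; ReturnDate = [datetime]'2024-03-11' }  # away now
    [pscustomobject]@{ Traveller = 'ben@contoso.example';   DepartDate = [datetime]'2024-03-20'; ReturnDate = [datetime]'2024-03-27' }  # not yet left
    [pscustomobject]@{ Traveller = 'carla@contoso.example'; DepartDate = [datetime]'2024-02-01'; ReturnDate = [datetime]'2024-02-09' }  # already back
)

# Offline check of the date logic: on 6 March only Anna qualifies, and Carla,
# still sitting in the group from last month, is flagged for removal.
$desired = Get-DesiredMembers -TravelRecords $sampleTrips -Today ([datetime]'2024-03-06')
Get-MembershipChanges -Desired $desired -Current @('carla@contoso.example')

# In the daily timer trigger and the list-item-added trigger (both call the same function):
# Connect-MgGraph -Identity
# Sync-TravelGroup -GroupId '<overseas-access-group-object-id>' -TravelRecords $rowsFromSharePoint
```

Both triggers call the same reconciliation, so the on-add path only matters for same-day departures; the daily run is what bounds overseas access to the declared dates, because anyone whose return date has passed falls out of the desired set and is removed whether or not they remembered to tell anyone. Running it once with -WhatIf before go-live shows exactly which members the first reconciliation would remove from a group that was previously maintained by hand.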
At go-live, uptake was strong; the customer had not realised how many people would be travelling over the next six months. Their feedback has been very positive: something quick and simple that does the job. Any scenario where you need to move people in and out of groups becomes simple, easy, tidy and, more importantly, it works.
If your company spends time regularly moving people in and out of groups, reach out; we can help remove the repetitive tasks so you can focus on your business.