User Deprovisioning - Remove from all Azure Groups

Hi,

We're currently working on our user deprovisioning processes and have an issue I am hoping someone can help us with.

We are currently in a hybrid model (on premise AD synced to Azure using AD Connect).

The issue we face is that when a user leaves and gets deprovisioned, we need to remove them from all cloud groups. 


I know ARS can remove from on-premise groups and then AD Connect syncs the changes but that doesn't help for users added directly to AD Groups.

The problem with a PowerShell script is that if we run get-azureadgroupmembership it includes synced objects from on-premise, so it's not easy for them to be removed. Does anyone have any ideas how we can handle this better?

Equally is there anywhere in ARS that records what AAD groups the user is a member of so if we need to undo a deprovision we can add the user back into the AAD groups easily?

TIA. 

  • I engineered an out of band process for this that works something like this:

    During the on-premise deprovision, mark a VA with "DeprovAzureGroups".  This includes the user in a Managed Unit where the membership looks for the above attribute.

    An Automation Workflow wakes up periodically and checks to see if there is anyone "queued" in the MU.

    If there is, it proceeds to find the equivalent object in the M365 tenant and remove its group memberships.

    It then clears the VA so that the object falls out of the processing queue.

    I write log entries into the AR event log for each of these actions.

    Now to your ask about storing the Azure group membership... there's no storage of these that I am aware of. That would be handy.

    I would suggest you store the details of the groups you removed the user from into a small SQL database on the same server as your AR server uses. Use the UPN of the user as the key (the on-prem AD & Azure Object GUID would be good to keep too).  That way, if you do an undo deprovision, you can script the read back of those memberships and put the Cloud object back into the groups.

    'Hope this helps.

  • Thanks Johnny, 

    Could you send screenshots of how you can achieve the below?

    "An Automation Workflow wakes up periodically and checks to see if there is anyone "queued" in the MU.

    If there is, it proceeds to find the equivalent object in the M365 tenant and remove its group memberships"


    If you could provide screenshots that would be really useful.

    TIA. 

  • Here's how you create an Automation Workflow.

    Here's the code I use in a script activity:

    $ObjectsToProcess = Get-QADUser -Proxy -SearchRoot "CN=Accounts To Clean Cloud Memberships From,CN=Managed Units,CN=Configuration" -IncludedProperties userprincipalname | select userprincipalname,DN

    If (-not $ObjectsToProcess)
    {
           # Terminate the script if there are no objects returned from the MU
           return
    }

    Import-Module AzureAD

    # UserCreds below is your "service account" for accessing Azure
    # Could also use the creds provided by the built-in workflow activity that supplied Azure
    # creds configured in AR

    Try
    {
           Connect-AzureAD -Credential $UserCreds
    }
    Catch
    {
           # Terminate script if the connection to Azure fails
           return
    }

    Foreach ($ObjectsToProcessItem in $ObjectsToProcess)
    {
           $CurrentObj = $ObjectsToProcessItem

           $CurrentObjUPN = [string]$CurrentObj.userprincipalname

           # Look the user up by exact UPN. -SearchString is a prefix match on DisplayName/UPN
           # and can return more than one user, so an exact OData filter is used instead
           # (single quotes in the UPN are doubled to keep the filter valid).
           $CurrentUserObjID = Get-AzureADUser -Filter "userPrincipalName eq '$($CurrentObjUPN.Replace("'", "''"))'" | select -expandproperty ObjectId

           # Move on to another object if we don't find an object with the UPN of current in-process object
           If (-not $CurrentUserObjID)
           {
                  continue
           }

           # -All $true: without it only the first page of memberships is returned.
           # Keep only groups (the cmdlet also returns directory roles) that are mastered in the
           # cloud; groups synced from on-prem (DirSyncEnabled = $true) can only be changed in AD
           # and would just error here.
           Get-AzureADUserMembership -ObjectId $CurrentUserObjID -All $true |
                  Where-Object { $_.ObjectType -eq 'Group' -and -not $_.DirSyncEnabled } |
                  foreach {

                  $CurrentGroup = $_

                  Try
                  {
                         Remove-AzureADGroupMember -ObjectId $CurrentGroup.ObjectId -MemberId $CurrentUserObjID
                  }
                  Catch
                  {
                         # e.g. a distribution list mastered in Exchange Online; record it and keep going
                         Write-Warning ("Could not remove {0} from group {1}: {2}" -f $CurrentObjUPN, $CurrentGroup.DisplayName, $_.Exception.Message)
                  }

           } # End of processing returned group memberships

    } # End of objects from MU processing loop
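As an added example (not Johnny's script and not part of the original thread), the following PowerShell covers both of the original questions in one place: it removes only the groups that can actually be changed in the cloud (skipping synced, dynamic and Exchange-mastered groups), and it writes a snapshot of the removed memberships keyed by UPN before touching anything, so an undo deprovision can read it back. It assumes the AzureAD module is installed, that Connect-AzureAD has already been run (for instance from the workflow's credential activity), and that `$SnapshotRoot` is a hypothetical folder the AR server can write to; a SQL table, as suggested above, would work the same way with the same three keys.

```powershell
# Added example, not the original poster's script. Assumes the AzureAD module and an
# existing Connect-AzureAD session. $SnapshotRoot is a hypothetical path.
Import-Module AzureAD

$SnapshotRoot = 'C:\ProgramData\ActiveRoles\CloudGroupSnapshots'   # hypothetical location

function Get-SnapshotPath {
    param([Parameter(Mandatory)][string]$Upn)
    # One file per user, keyed by UPN; characters that are not file-name safe become '_'
    Join-Path $SnapshotRoot (($Upn -replace '[^\w\.@-]', '_') + '.json')
}

function Get-CloudUserByUpn {
    param([Parameter(Mandatory)][string]$Upn)
    # Exact match on UPN. -SearchString is a prefix match and can return several users.
    Get-AzureADUser -Filter "userPrincipalName eq '$($Upn.Replace("'", "''"))'"
}

function Get-RemovableCloudGroups {
    param([Parameter(Mandatory)][string]$UserObjectId)
    # Get-AzureADUserMembership also returns directory roles, so keep ObjectType Group only.
    # DirSyncEnabled = $true marks groups mastered on-prem: leave those to AD Connect.
    # Dynamic groups are rule-driven, and Exchange-mastered distribution lists / mail-enabled
    # security groups (MailEnabled without the 'Unified' group type) cannot be changed here.
    Get-AzureADUserMembership -ObjectId $UserObjectId -All $true |
        Where-Object { $_.ObjectType -eq 'Group' -and -not $_.DirSyncEnabled } |
        ForEach-Object { Get-AzureADMSGroup -Id $_.ObjectId } |
        Where-Object {
            $_.GroupTypes -notcontains 'DynamicMembership' -and
            (-not $_.MailEnabled -or $_.GroupTypes -contains 'Unified')
        }
}

function Save-CloudGroupSnapshot {
    param([Parameter(Mandatory)][string]$Upn)
    $user = Get-CloudUserByUpn -Upn $Upn
    if (-not $user) { throw "No cloud user matches UPN '$Upn'" }
    $groups = @(Get-RemovableCloudGroups -UserObjectId $user.ObjectId)
    $snapshot = [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        CloudObjectId     = $user.ObjectId
        ImmutableId       = $user.ImmutableId        # on-prem anchor, handy when matching back
        TakenUtc          = (Get-Date).ToUniversalTime().ToString('o')
        Groups            = @($groups | ForEach-Object {
                                [pscustomobject]@{ Id = $_.Id; DisplayName = $_.DisplayName } })
    }
    New-Item -ItemType Directory -Path $SnapshotRoot -Force | Out-Null
    $snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path (Get-SnapshotPath $Upn) -Encoding UTF8
    return $snapshot
}

function Remove-CloudGroupMemberships {
    param([Parameter(Mandatory)][string]$Upn)
    # Snapshot first so an undo is always possible, then remove group by group.
    $snapshot = Save-CloudGroupSnapshot -Upn $Upn
    foreach ($g in $snapshot.Groups) {
        try {
            Remove-AzureADGroupMember -ObjectId $g.Id -MemberId $snapshot.CloudObjectId
            Write-Output "Removed $Upn from '$($g.DisplayName)' ($($g.Id))"
        } catch {
            Write-Warning "Failed to remove $Upn from '$($g.DisplayName)': $($_.Exception.Message)"
        }
    }
}

function Restore-CloudGroupMemberships {
    param([Parameter(Mandatory)][string]$Upn)
    # Undo deprovision: read the snapshot back and re-add the same object to each group.
    $path = Get-SnapshotPath $Upn
    if (-not (Test-Path $path)) { throw "No snapshot found for '$Upn' at $path" }
    $snapshot = Get-Content -Path $path -Raw | ConvertFrom-Json
    foreach ($g in $snapshot.Groups) {
        try {
            Add-AzureADGroupMember -ObjectId $g.Id -RefObjectId $snapshot.CloudObjectId
            Write-Output "Restored $Upn to '$($g.DisplayName)' ($($g.Id))"
        } catch {
            # Already a member again, or the group was deleted in the meantime
            Write-Warning "Failed to restore $Upn to '$($g.DisplayName)': $($_.Exception.Message)"
        }
    }
}

# Usage (deprovision): Remove-CloudGroupMemberships -Upn 'jdoe@contoso.example'
# Usage (undo):        Restore-CloudGroupMemberships -Upn 'jdoe@contoso.example'
```

In the script activity above, the call would sit inside the Managed Unit loop, one `Remove-CloudGroupMemberships` per UPN, before the VA is cleared; the snapshot path (or SQL row) is then what the undo workflow reads. The cmdlets follow the AzureAD module used in this thread; Microsoft has since retired that module in favour of Microsoft Graph PowerShell, where the same logic maps onto Get-MgUserMemberOf and Remove-MgGroupMemberByRef with the group's onPremisesSyncEnabled and groupTypes properties doing the same filtering.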


