I have an Azure AD group where members can be added to perform a specific function. However, I don't want people to remain members of this group, and keep the access it grants, indefinitely.
After a bit of playing around with Azure Functions and PowerShell scripts, I came to the conclusion that the easiest and more secure method was to create an Azure Logic App.
If you haven't come across Logic Apps yet, they are great: there are a lot of pre-made templates for performing common tasks, like saving an email attachment to a SharePoint site or reacting to Tweets.
In this case I will take you through creating a custom Logic App that gets all members of an Azure AD group and removes each one. We will trigger the Logic App to run on a schedule.
Creating the Logic App
Head over to Azure and create a new Logic App resource. You will have the option of creating the Logic App as either a Consumption or Standard type. I will choose Consumption, as you only pay per execution, and since this app is only going to run once a day that will be the cheapest. More information on the difference can be found here: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-overview
Set the Resource group, Logic app name and Region as required, then review and create.
The first thing we are prompted to do is define a trigger. I am going to search for and set up a Recurrence trigger that runs at hour 0 every 1 day, i.e. midnight every day.
Next we will create a connection to the Azure AD environment and get the group's membership.
Under "Choose an operation", search for "Azure AD", select the action "Get group members" and click "Sign In".
After pressing "Sign in" you will be prompted to authenticate to Azure AD and consent to the permissions the Logic App connection needs in Azure AD. Better than hard-coded Azure AD credentials saved in a PowerShell script 😀 One thing to keep in mind: the connection is created with the delegated permissions of whichever account signs in, and the Logic App acts as that account on every run, so sign in with an account that has only the group-management rights this task needs (for example an owner of the group) rather than a Global Administrator.
Now you will want to head over to Azure AD and get the "Object ID" for your group to populate the "Group ID" field in the Logic App.
Next we will add a For Each control to loop through each of the group members returned by the previous "Get group members" action.
Now we will add a "Remove member from group" action inside the For Each control to remove each group member that was returned, using the same Group ID and the member ID from the current loop item.
Finally, press "Save" at the top and then test it using the "Run Trigger" button at the top.
I have found there can be a lag of a few seconds from the script running to members being removed.
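As an added example that is not part of the original post: the same job done with the Microsoft Graph PowerShell SDK. It is handy for a dry run before enabling the Logic App, for checking after the scheduled run that the group was really emptied (re-reading the membership a few times to allow for the lag mentioned above), and for keeping a break-glass account out of the purge. The `Clear-GroupMembers` function name, the `-KeepMember` parameter and the placeholder group and member IDs are assumptions for illustration; the cmdlets are the SDK's own.

```powershell
<#
  Added example (not from the original post): empty an Azure AD group with the
  Microsoft Graph PowerShell SDK, optionally keeping a short allow-list of
  members, then confirm the group is actually empty.
  Assumptions: the Microsoft.Graph.Groups module is installed, the signed-in
  account is allowed to manage this group, and the IDs at the bottom are
  placeholders.
#>
#Requires -Modules Microsoft.Graph.Groups

function Clear-GroupMembers {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $GroupId,
        # Object IDs of members that must survive the purge (e.g. a break-glass account).
        [string[]] $KeepMember = @(),
        # How many times to re-read the membership while waiting for the removals to show up.
        [int] $VerifyAttempts = 5
    )

    # Delegated sign-in, as the Logic App connector does. GroupMember.ReadWrite.All
    # is the narrowest Graph scope that can both list and remove members.
    Connect-MgGraph -Scopes 'GroupMember.ReadWrite.All' -NoWelcome

    $group = Get-MgGroup -GroupId $GroupId
    # -All follows Graph paging; a group with a few hundred members spans several pages.
    $members = Get-MgGroupMember -GroupId $GroupId -All

    $removed = 0
    foreach ($m in $members) {
        # Members can be users, groups or service principals; fall back to displayName.
        $label = $m.AdditionalProperties['userPrincipalName']
        if (-not $label) { $label = $m.AdditionalProperties['displayName'] }

        if ($KeepMember -contains $m.Id) {
            Write-Host "Keeping $label ($($m.Id))"
            continue
        }
        # Calling the function with -WhatIf turns this into a dry run with no Graph write.
        if ($PSCmdlet.ShouldProcess("$label ($($m.Id))", "Remove from group '$($group.DisplayName)'")) {
            Remove-MgGroupMemberByRef -GroupId $GroupId -DirectoryObjectId $m.Id
            $removed++
        }
    }
    Write-Host "Removed $removed member(s) from '$($group.DisplayName)'"

    if ($WhatIfPreference) { return }

    # Re-read the membership a few times: the directory can take a moment to reflect
    # the removals, so a single immediate read is not a reliable check.
    for ($i = 1; $i -le $VerifyAttempts; $i++) {
        $left = @(Get-MgGroupMember -GroupId $GroupId -All | Where-Object { $KeepMember -notcontains $_.Id })
        if ($left.Count -eq 0) {
            Write-Host "Verified: no unexpected members remain (check $i of $VerifyAttempts)"
            return
        }
        Start-Sleep -Seconds 5
    }
    Write-Warning "$($left.Count) member(s) still present after $VerifyAttempts checks: $($left.Id -join ', ')"
}

# Dry run first: lists who would be removed without touching the group (placeholder ID).
Clear-GroupMembers -GroupId '00000000-0000-0000-0000-000000000000' -WhatIf

# Real run, keeping one account in the group (placeholder IDs).
# Clear-GroupMembers -GroupId '00000000-0000-0000-0000-000000000000' -KeepMember '11111111-1111-1111-1111-111111111111'
```

Run it once with `-WhatIf` against the real group before the Logic App goes live: the dry run shows exactly who the midnight purge will hit, and the verification loop at the end is the same check you would run the morning after the first scheduled execution.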