Scheduling a purge of an Azure AD group members using Azure Automation and PowerShell
In this post I will show you how to use Azure Automation and PowerShell to remove the members of an Azure AD group on a schedule.
Context
- You have a group on Intune/Azure AD
- This group contains members
- You want to remove all members
- You want to schedule this every week for instance
The solution
- Create a resource group (if you don't have one)
- Create an Azure Automation account
- Add Managed Identity on the Automation account
- Create a Runbook in Automation
- The Runbook removes all members of the group
- Schedule the Runbook every week
Get the script
Click on the below GitHub picture to download the automation runbook script.
Create a resource group
1. Go to Azure
2. In the search bar type Resource group
3. Go to Resource group
4. Click on Create
5. Choose a Subscription
6. Type a Resource group name
7. Here: Automation_Scripts
8. Choose your region
9. Here: (Europe)France Central
10. Click on Review + Create
11. Click on Create
Create Azure Automation account
Create the account
1. Go to Azure
2. In the search bar type: Automation accounts
3. Go to Automation accounts
4. Click on Create
5. Type a name
6. Here: azuread-scripts
7. Choose a Subscription
8. Choose the Resource group
9. Here: intune_reporting
10. Choose your region
11. Here: (Europe)France Central
12. In Create Azure Run As Account, select No
13. Click on Create
14. Wait a bit
15. Click on Go to resource
Add modules
1. Go to your automation account
2. Click on Modules gallery
3. Search: az.Accounts
4. Click on az.Accounts
5. Click on Import
6. Click on OK
7. Wait for importing
Set Managed Identity
1. Go to your automation account
2. Go to Identity (Preview)
3. Go to System assigned
4. Select On
5. Click on Save
6. Click on Yes
Add a group owner
1. Go to your group
2. Go to Owners
3. Add the automation account
Azure Automation Runbook
Create a Runbook
1. Go to Azure
2. In the search bar type: Automation accounts
3. Go to your Automation accounts
4. Go to Runbooks
5. Click on + Create a runbook
6. Type a name
7. In Runbook type, select PowerShell
8. Click on Create
Add script in Runbook
The runbook script is located in the downloaded sources.
Its name is: Purge_AAD_group.ps1
Set the object ID of the group to purge in the variable $GroupID.
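The following runbook is an added example written for this post and is not the Purge_AAD_group.ps1 script from the linked GitHub repository. It follows the setup described above: Az.Accounts is imported into the Automation account, the system-assigned managed identity is enabled, and that identity is an owner of the group. It assumes ownership is enough for the identity to modify membership in your tenant; if removals are rejected with 403, grant the managed identity the GroupMember.ReadWrite.All application permission on Microsoft Graph instead. The group ID is a placeholder, and the $DryRun switch is an addition that lets you test the runbook (in the Test pane) without removing anyone.

```powershell
# Added example runbook, not the post's Purge_AAD_group.ps1.
# Assumes: Az.Accounts imported, system-assigned managed identity enabled,
# and that identity allowed to modify the group (owner, as the post sets up,
# or GroupMember.ReadWrite.All on Microsoft Graph).

# Object ID of the Azure AD group to purge. Placeholder: replace with your group ID.
$GroupID = "00000000-0000-0000-0000-000000000000"

# $true = only list what would be removed (useful in the Test pane); $false = really remove.
$DryRun = $false

$ErrorActionPreference = "Stop"

# 1. Sign in with the Automation account's system-assigned managed identity.
Connect-AzAccount -Identity | Out-Null

# 2. Get a Microsoft Graph access token for that identity.
$tokenObject = Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com"
$accessToken = $tokenObject.Token
if ($accessToken -is [System.Security.SecureString]) {
    # Newer Az.Accounts versions return the token as a SecureString.
    $accessToken = [System.Net.NetworkCredential]::new("", $accessToken).Password
}
$headers = @{ Authorization = "Bearer $accessToken" }

# 3. Enumerate all current members, following @odata.nextLink until the last page.
$members = @()
$uri = "https://graph.microsoft.com/v1.0/groups/$GroupID/members?`$select=id,displayName&`$top=999"
while ($uri) {
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $members += $page.value
    $uri = $page.'@odata.nextLink'
}
Write-Output "Group $GroupID has $($members.Count) member(s)."

# 4. Remove each member: DELETE /groups/{group-id}/members/{member-id}/$ref
$removed = 0
$failed = 0
foreach ($member in $members) {
    $target = "https://graph.microsoft.com/v1.0/groups/$GroupID/members/$($member.id)/`$ref"
    if ($DryRun) {
        Write-Output "[DryRun] Would remove $($member.displayName) ($($member.id))"
        continue
    }
    try {
        Invoke-RestMethod -Method Delete -Uri $target -Headers $headers | Out-Null
        Write-Output "Removed $($member.displayName) ($($member.id))"
        $removed++
    }
    catch {
        # Keep going so one bad member does not stop the purge; report at the end.
        Write-Warning "Failed to remove $($member.id): $($_.Exception.Message)"
        $failed++
    }
}

Write-Output "Done. Removed: $removed, failed: $failed."

# Fail the job if anything went wrong, so the schedule's job history shows it as Failed.
if ($failed -gt 0) { throw "$failed member removal(s) failed." }
```

Throwing at the end when a removal failed is deliberate: a runbook that ends with Completed while some members are still in the group would hide the problem, whereas a Failed job is visible in the Automation account's job list and can be alerted on.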
Test the Runbook
1. Click on Test pane
2. Click on Start
3. Once finished, you should see Completed
Publish the Runbook
1. Go to your Runbook
2. Click on Edit
3. Click on Publish
4. Click on Yes
Schedule the Runbook
1. Go to your Runbook
2. Click on Schedules
3. Click on + Add a schedule
4. Click on Link a schedule to your runbook
5. Click on + Add a schedule
6. Type a schedule name
7. In Recurrence, select Recurring
8. Click on Create
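The create, publish and schedule steps above can also be done from a workstation with the Az.Automation cmdlets. The script below is an added example, not part of the post; it assumes Az.Accounts and Az.Automation are installed locally, that you are already signed in with Connect-AzAccount to an account that can manage the Automation account, and that the downloaded Purge_AAD_group.ps1 sits in the current folder. The resource group and Automation account names are the ones chosen in the post, and the schedule name is an assumption.

```powershell
# Added example: deploy and schedule the runbook with Az.Automation instead of the portal.
# Assumes Az.Accounts + Az.Automation installed and Connect-AzAccount already done.

$ResourceGroup  = "Automation_Scripts"     # resource group created in the post
$AutomationAcct = "azuread-scripts"        # Automation account created in the post
$RunbookName    = "Purge_AAD_group"        # runbook name, taken from the script name
$ScriptPath     = ".\Purge_AAD_group.ps1"  # local path to the downloaded script (assumed)
$ScheduleName   = "Weekly-PurgeGroup"      # schedule name (assumed)

# Import the script as a PowerShell runbook and publish it in the same call.
Import-AzAutomationRunbook -ResourceGroupName $ResourceGroup -AutomationAccountName $AutomationAcct `
    -Name $RunbookName -Path $ScriptPath -Type PowerShell -Published -Force

# Weekly schedule: every Monday at 03:00 local time.
# Azure requires the start time to be at least 5 minutes in the future, so pick the
# next Monday 03:00 that is comfortably ahead of now.
$start = (Get-Date).Date.AddHours(3)
while ($start.DayOfWeek -ne 'Monday' -or $start -lt (Get-Date).AddMinutes(10)) {
    $start = $start.AddDays(1)
}

New-AzAutomationSchedule -ResourceGroupName $ResourceGroup -AutomationAccountName $AutomationAcct `
    -Name $ScheduleName -StartTime $start -WeekInterval 1 -DaysOfWeek Monday

# Link the schedule to the runbook (the portal's "Link a schedule to your runbook").
Register-AzAutomationScheduledRunbook -ResourceGroupName $ResourceGroup -AutomationAccountName $AutomationAcct `
    -RunbookName $RunbookName -ScheduleName $ScheduleName

# Optional: run it once now and wait for the result, the equivalent of the Test pane check.
$job = Start-AzAutomationRunbook -ResourceGroupName $ResourceGroup -AutomationAccountName $AutomationAcct `
    -Name $RunbookName
Write-Output "Started job $($job.JobId); check its status with:"
Write-Output "Get-AzAutomationJob -ResourceGroupName $ResourceGroup -AutomationAccountName $AutomationAcct -Id $($job.JobId)"
```

Keeping the deployment in a script rather than clicking through the portal makes the schedule (day, time, interval) reviewable and repeatable, and Get-AzAutomationJob gives the same Completed/Failed status the post checks for in the Test pane.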