Schedule the removal of unwanted members from an Entra ID group with Azure Automation
In this post I will show you an Azure Automation runbook that automatically removes unwanted members from a group every x days or hours.
Context
- You have a group containing users.
- You have whitelisted users, meaning users that should always be members.
- You need to add some users temporarily, for tasks like assigning a licence.
- You then need to remove those users from the group.
The remote help example
Let's take an example with the Remote Help solution.
As you may know, to use Remote Help you need to assign a licence both to the IT guy (you) and to the user you want to help.
To do that you can assign the Remote Help licence to a group.
Once a user is in the group he will have the Remote Help licence and you can help him.
IT guys should always be in the whitelist.
When a user needs help, you have to add him to the group.
You want to limit licence usage, so once the issue with a user is solved you need to remove him from the group.
This way he won't have the Remote Help licence anymore.
Sometimes you may forget to remove the user from the group after helping him.
This is why the runbook can be useful.
It will automatically remove unwanted users (meaning users who are not in the whitelist) from the group, for instance every night.
The solution
- Create an Automation account
- Configure a system-assigned managed identity (MI)
- Make the MI an owner of the group (rights on that single group only, rather than a tenant-wide permission)
- Create a runbook (script)
- It will be executed every night
- It will remove unwanted users
Get the script
Click on the GitHub picture below to get the script.
Whitelist users
To whitelist users, add the object IDs of the Entra ID users to the $Whitelist variable.
Fill $Group_ID with the object ID of the group from which members should be removed.
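The following runbook is an added example showing how such a script can be written; it is not the post's own script from GitHub. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Groups modules are imported into the automation account and that the managed identity has the rights the post describes (owner of the group). The group and user IDs are placeholders, and the $DryRun parameter is an addition for testing the whitelist before letting the schedule remove anyone.

```powershell
# Added example runbook (not the original post's script): removes every user
# who is not in $Whitelist from the group $Group_ID, authenticating as the
# automation account's system-assigned managed identity.
# Assumptions: Microsoft.Graph.Authentication and Microsoft.Graph.Groups are
# imported into the automation account; the identity is an owner of the group.

param(
    # Set to $true to only report what would be removed (assumed parameter).
    [bool]$DryRun = $false
)

# Object ID of the group whose membership is enforced (placeholder value).
$Group_ID = "00000000-0000-0000-0000-000000000000"

# Object IDs of users that must stay members (IT staff). Placeholder values.
$Whitelist = @(
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222"
)

# Authenticate as the system-assigned managed identity: no stored secret.
Connect-MgGraph -Identity | Out-Null

# Put the whitelist in a case-insensitive set so every lookup is O(1).
$Allowed = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]$Whitelist, [System.StringComparer]::OrdinalIgnoreCase)

# Members can be users, groups, devices or service principals; only users
# are evaluated so a nested group is never removed by mistake.
# @() guarantees an array (Count 0) when the group has no user members.
$Members = @(Get-MgGroupMember -GroupId $Group_ID -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user' })

$ToRemove = @($Members | Where-Object { -not $Allowed.Contains($_.Id) })

Write-Output ("Group {0}: {1} user member(s), {2} whitelisted, {3} to remove" -f
    $Group_ID, $Members.Count, $Whitelist.Count, $ToRemove.Count)

foreach ($Member in $ToRemove) {
    $Upn = $Member.AdditionalProperties.userPrincipalName
    if ($DryRun) {
        Write-Output "Would remove $Upn ($($Member.Id))"
        continue
    }
    try {
        Remove-MgGroupMemberByRef -GroupId $Group_ID -DirectoryObjectId $Member.Id -ErrorAction Stop
        Write-Output "Removed $Upn ($($Member.Id))"
    }
    catch {
        # Keep going: one failure must not leave the rest of the cleanup undone.
        Write-Error "Failed to remove $Upn ($($Member.Id)): $($_.Exception.Message)"
    }
}

Disconnect-MgGraph | Out-Null
```

Two design points: the comparison is done on object IDs rather than user principal names, because a UPN can be renamed while the object ID is stable, so a renamed IT account cannot fall out of the whitelist by accident; and the job output lists every removal, which is what you will want in the automation job history when a user reports that his Remote Help licence disappeared.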
Azure Automation part
Creating the account
1. Go to the Azure portal
2. Go to Automation accounts
3. Click on Create
4. Type a name
5. Choose a Subscription, resource group and region
6. Click on Create
Set Managed Identity
1. Go to your automation account
2. Go to Identity
3. Go to System assigned
4. Select On
5. Click on Save
6. Click on Yes
7. Go to the Azure portal
8. Go to Enterprise applications
9. Filter on Managed identity
10. You will find an app with the name of your automation account
Creating a Runbook
1. Go to your Automation accounts
2. Go to Runbooks
3. Click on Create a runbook
4. Type a name
5. In Runbook type, select PowerShell
6. Click on Create
7. Choose one of the PS1 files from the GitHub repository
8. Click on Edit on the runbook
9. Paste the script content into the editor
10. Click on Publish
11. Click on Yes
Schedule the execution
Now we want the runbook to execute automatically every night, removing the users added during the day.
To do that, we will proceed as below:
1. Go to your runbook
2. Go to Resources > Schedules
3. Click on Add a schedule
4. Click on Schedule
5. Click on Add a schedule
6. Type a name
7. In Recurrence select Recurring
8. Select every 1 day
9. In Starts, select the next day
10. Select 1:00 AM
11. Click on Create
This way the script will be executed every night at 1:00 AM.
Add group owner
1. Go to your group
2. Go to Owners
3. Go to Add owners
4. Select the managed identity that has the name of your automation account, then click on Select
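The portal steps above (account, managed identity, runbook, schedule, group owner) can also be scripted. This is an added example, not part of the original post, using Az PowerShell and Microsoft Graph PowerShell; the resource group, names, paths and group ID are placeholders, and it assumes you have already run Connect-AzAccount and Connect-MgGraph as an account allowed to create the automation account and to add owners to the group.

```powershell
# Added example (not from the original post): the portal procedure done with
# Az.Automation and Microsoft.Graph cmdlets. All names and IDs are placeholders.
# Assumes Connect-AzAccount and Connect-MgGraph were already run.

$ResourceGroup = "rg-entra-automation"                   # assumed existing resource group
$Location      = "westeurope"                            # assumed region
$AccountName   = "aa-group-cleanup"                      # assumed automation account name
$RunbookName   = "Remove-UnwantedGroupMembers"           # assumed runbook name
$ScriptPath    = ".\Remove-UnwantedGroupMembers.ps1"     # local copy of the PS1 script
$GroupId       = "00000000-0000-0000-0000-000000000000"  # placeholder group object ID

# 1. Automation account with a system-assigned managed identity.
New-AzAutomationAccount -ResourceGroupName $ResourceGroup -Name $AccountName `
    -Location $Location -AssignSystemIdentity | Out-Null

# 2. Modules the runbook needs. Imports are asynchronous and Groups depends on
#    Authentication, so import Authentication first and wait for it.
$Gallery = "https://www.powershellgallery.com/api/v2/package"
foreach ($Module in "Microsoft.Graph.Authentication", "Microsoft.Graph.Groups") {
    New-AzAutomationModule -ResourceGroupName $ResourceGroup -AutomationAccountName $AccountName `
        -Name $Module -ContentLinkUri "$Gallery/$Module" | Out-Null
    do {
        Start-Sleep -Seconds 15
        $State = (Get-AzAutomationModule -ResourceGroupName $ResourceGroup `
            -AutomationAccountName $AccountName -Name $Module).ProvisioningState
    } while ($State -notin "Succeeded", "Failed")
    if ($State -ne "Succeeded") { throw "Import of $Module failed" }
}

# 3. Import the script as a PowerShell runbook and publish it in one go.
Import-AzAutomationRunbook -ResourceGroupName $ResourceGroup -AutomationAccountName $AccountName `
    -Name $RunbookName -Path $ScriptPath -Type PowerShell -Published | Out-Null

# 4. Daily schedule at 01:00 starting tomorrow, linked to the runbook.
$Start = (Get-Date).Date.AddDays(1).AddHours(1)
New-AzAutomationSchedule -ResourceGroupName $ResourceGroup -AutomationAccountName $AccountName `
    -Name "Nightly-0100" -StartTime $Start -DayInterval 1 | Out-Null
Register-AzAutomationScheduledRunbook -ResourceGroupName $ResourceGroup `
    -AutomationAccountName $AccountName -RunbookName $RunbookName -ScheduleName "Nightly-0100" | Out-Null

# 5. Make the managed identity an owner of the group. Its service principal
#    carries the automation account's name; the servicePrincipalType filter
#    avoids picking up an app registration that happens to share that name.
$Sp = Get-MgServicePrincipal `
    -Filter "displayName eq '$AccountName' and servicePrincipalType eq 'ManagedIdentity'"
if (-not $Sp) { throw "Managed identity for $AccountName not found yet; retry in a minute" }
New-MgGroupOwnerByRef -GroupId $GroupId -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($Sp.Id)"
}

# 6. Verify: the identity now appears among the owners of this one group and
#    has been granted nothing tenant-wide.
Get-MgGroupOwner -GroupId $GroupId |
    Select-Object Id, @{ n = 'DisplayName'; e = { $_.AdditionalProperties.displayName } }
```

Before linking the schedule, start the runbook once by hand with the dry-run option (if your script has one) and read the job output: a wrong or empty $Whitelist would otherwise empty the group, IT staff included, on the first night.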
1 comment
Hello Damien, this comment is not related to this post. Several download web pages for MDT have been closed. Could you re-upload the files?
Thank you!
Example: https://www.systanddeploy.com/2018/01/create-metro-design-mdt-progress-bar.html