Automated user provisioning for Azure AD

Identity management is one of the most important topics in the cloud and security area. Obviously, the best way to create user accounts and groups in a directory is by using an automatic workflow / connection. This should be sourced from a Identity Management system or a HR system directly. Especially on this last topic, Microsoft is working closely together with Workday which you definitely should check out. Also, one of the most common ways to extend your accounts and groups to a Cloud world is by using Azure AD Connect. Azure AD Connect synchronizes the objects, which are located in the local AD, to Azure AD which is ideal for a hybrid situation. All tough I have come across a couple of mid-size businesses which do not have these kind of infrastructure in place and/or do not want to invest in an automatic workflow to provision Azure AD. For these smaller companies we have developed an User Management application which is now published as open source on GitHub. In this post I will go over the details on how to automate the user provisioning for Azure AD by using this User Management application and what technology is being used on the background.

The overview

First we start with some overview on how the application works and what technical components and services are in play:

Solution overview

The User Management application is deployed using .Net core by using an Azure WebApp service. The details on how to configure this, are covered in a different post. The logic for creating users and groups is defined in Azure Automation. This logic is based on the RBAC structure as mentioned in this post.

In our example we define three runbooks:

  • Create;
  • Update;
  • Delete;

Each of these runbooks contains its own logic and can be adjusted per case. The WebApp is able start a runbook by using the Webhook which is exposed per runbook. To do this, the request must contain a JSON object with the correct variables. These variables are derived from the JSON object using the following runbook step:

AutoProv1

In our runbooks we make use of the SendGrid service to send the newly created user an email with the login credentials. The email is formatted like this:

AutoProv2

This email initiates the first sign-in workflow for the end user in which the user is asked to change its temporary password, fill in alternate login information and register for MFA.

Last but not least, some logging mechanism is added to the runbooks to enable some monitoring and insights for events generated by the different create, update and delete jobs. This information is stored on a Azure blob storage account.

Start the configuration

This part describes the setup of Azure Automation for provisioning Azure AD. First of all make sure the following prerequisites are met:

  • Create an account Azure AD account and assign the User Admin role.
  • Create an Azure Storage Account in a newly create Resource Group.
  • Assign Azure Contributor permissions on the created Resource Group.
  • Create an Azure Automation account in the Resource Group.
  • Create and configure a SendGrid account in the Resource Group.
  • Download the MS Online PowerShell module.

First of all configure the Azure Automation account by importing the MS Online PowerShell module:

AutoProv3

Next, we setup the credentials for the runbooks. We create the following credentials:

  • Mail; Fill in the SendGrid SMTP credentials.
  • AAD UserAdmin; Fill in the credentials for the Azure AD user admin service account.

AutoProv4

Next, import the first runbook into the Azure Automation account:

AutoProv5

Now make sure the variables are changed and match the environment:

  • $UPNDomainName; This is the Azure AD domain which is used to create new users.
  • $ResourceGroup; This is the Azure Resource Group which contains the Storage Account.
  • $StorageAccountName; The name of the Storage Account.
  • $LicenseName; The SKU name of the license(s).
  • $StorageAccountKey; The key of the Storage Account.

AutoProv6

Now create a unique webhook for the runbook. Make sure to save the URL of the webhook containing a secret ID.

AutoProv7

That’s it! You can now use the webhook URL in the WebApp configuration to start creating users.