Is there a way to remove users from a specific group after x amount of time in Azure?

Toekan500 21 Reputation points
2021-01-12T12:39:13.747+00:00

Hello,

I want to know if there is a way to automatically remove users from a specific group after x amount of time. I think you can do it with Azure Automation, but I'm not sure.
And if there is a way how should I do it? Is there a script maybe somewhere I can use?

Or maybe there is a way that every week a script runs that removes all the users from a group.

Thanks in advance

Tags: Azure Automation, Microsoft Entra ID

Accepted answer
  1. SAGOHIL-MSFT 456 Reputation points Microsoft Employee
    2021-01-12T12:54:23.657+00:00

    Hi @Toekan500 , Thank you for reaching out to us.

    I have reviewed the query and I understand that you'd like to know if we can have time-based group assignments to users. I am glad to inform you that we can achieve this by using Privileged Identity Management (PIM).
    Ref.: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-features

    However, using this feature requires an Azure AD Premium P2 license.

    Ref.: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-features

    -Sagar

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


3 additional answers

  1. iwebb 6 Reputation points
    2021-02-18T01:20:21.27+00:00

    Hi @SAGOHIL-MSFT ,

    Would PIM allow you to manage this on a 'per-user' basis? It seems like it can only clean out a group on a specific date.

    We are looking for a solution that would allow us to assign a user to a group (which would then grant them recording capability in MS Teams) for a set period of time (e.g. 1, 3, 6, 12 months) and then warn them a week before their time is up that they will be removed.

    Azure Automation 'seems' like the way to do this, but I've not been able to find anything on this topic specifically, and the MS rep tied to my customer isn't familiar enough with it.

    Interested in your thoughts.

    Regards,

    Ivan


  2. Stanislav Zhelyazkov 27,321 Reputation points MVP
    2021-01-12T12:58:37.04+00:00

    Hi,
    If you want just-in-time access, you should use Azure AD Privileged Identity Management - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

    Of course, just-in-time access is usually given in hours rather than days.

    If you want to build something on your own, you can use one of the automation platforms available in Azure: Azure Automation, Azure Functions or Logic Apps. All of these have some pros and cons when compared to each other. All of them support some kind of scheduling, so the workflow you want to run can execute at a specified interval. For the first two you can use a scripting language like PowerShell, whereas the third has its own pre-defined activities. Usually choosing the platform heavily depends on your skills and what you are comfortable with. Azure Automation is focused more towards IT Pros, Azure Functions more towards Devs, and Logic Apps is more end-user friendly, but it is also limited in the activities available. If you go with PowerShell, for example, there is a command to remove a member from an Azure AD group, like:
    https://learn.microsoft.com/en-us/powershell/module/az.resources/remove-azadgroupmember?view=azps-5.3.0

    I have not come across such a script, so you will need to write your own if you do not find one.

    P.S. If you find this reply helpful, mark it as answer.

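The scheduled-runbook approach described in the answer above, and the per-user time limit with a warning a week before expiry that Ivan asks about, can be handled by one Azure Automation PowerShell runbook. The script below is an added example; it is not code from this thread or from Microsoft. It assumes an Automation account with a system-assigned managed identity that has been granted the Microsoft Graph `GroupMember.ReadWrite.All` application permission, the Az.Accounts and Az.Resources modules (5.x or later, where `Get-AzADGroupMember` returns Graph directory objects with an `OdataType` property) imported into the account, and a pre-created Automation variable named `GroupMembershipTracker` (a hypothetical name) whose initial value is an empty string or `{}`. Entra ID keeps no "added on" date for a group member, so the runbook records the date it first observes each member in that variable; the clock therefore starts on the first run that sees a member, not when they were actually added.

```powershell
<#
  Added example, not from the original thread: a scheduled Azure Automation runbook that
  removes users from one Entra ID group after $MaxDays of membership and warns $WarnDays
  beforehand. Assumes a system-assigned managed identity holding GroupMember.ReadWrite.All,
  Az.Accounts + Az.Resources 5+, and an Automation variable (hypothetical name
  'GroupMembershipTracker') pre-created with the value '' or '{}'.
#>
param(
    [Parameter(Mandatory = $true)] [string] $GroupObjectId,
    [int]      $MaxDays  = 90,
    [int]      $WarnDays = 7,
    [string[]] $ExemptObjectIds = @(),   # break-glass or service accounts never to remove
    [switch]   $WhatIf                   # dry run: report only, change nothing
)
$ErrorActionPreference = 'Stop'

# Sign in as the Automation account's managed identity; no credentials live in the runbook.
Connect-AzAccount -Identity | Out-Null

# Tracker: member object id -> UTC date this runbook first saw that member in the group.
$TrackerName = 'GroupMembershipTracker'
$tracker = @{}
$raw = Get-AutomationVariable -Name $TrackerName
if (-not [string]::IsNullOrWhiteSpace($raw)) {
    foreach ($p in (ConvertFrom-Json $raw).PSObject.Properties) {
        $tracker[$p.Name] = ([datetime]$p.Value).ToUniversalTime()
    }
}

$now = (Get-Date).ToUniversalTime()

# Direct members only, filtered to users so nested groups and service principals are untouched.
$members = @(Get-AzADGroupMember -GroupObjectId $GroupObjectId |
             Where-Object { $_.OdataType -eq '#microsoft.graph.user' })

foreach ($m in $members) {
    if ($ExemptObjectIds -contains $m.Id) { continue }

    if (-not $tracker.ContainsKey($m.Id)) {
        # Newly observed member: start their clock now (Entra ID has no "added on" property).
        $tracker[$m.Id] = $now
        Write-Output "Tracking $($m.DisplayName) ($($m.Id)) from $($now.ToString('u'))"
        continue
    }

    $age = ($now - $tracker[$m.Id]).TotalDays
    if ($age -ge $MaxDays) {
        if ($WhatIf) {
            Write-Output "WhatIf: would remove $($m.DisplayName) ($($m.Id)) after $([int]$age) days"
        } else {
            Remove-AzADGroupMember -GroupObjectId $GroupObjectId -MemberObjectId $m.Id
            $tracker.Remove($m.Id)
            Write-Output "Removed $($m.DisplayName) ($($m.Id)) after $([int]$age) days"
        }
    } elseif ($age -ge ($MaxDays - $WarnDays)) {
        # Hook for the "warn a week before" requirement: send a mail or Teams message here.
        Write-Warning "$($m.DisplayName) ($($m.Id)) will be removed in $([int]($MaxDays - $age)) days"
    }
}

# Forget members who left by other means, so a later re-add starts a fresh clock.
$currentIds = @($members | ForEach-Object { $_.Id })
foreach ($id in @($tracker.Keys)) {
    if ($currentIds -notcontains $id) { $tracker.Remove($id) }
}

# Persist the tracker as compact JSON; skipped under -WhatIf so a dry run has no side effects.
if (-not $WhatIf) {
    $serialised = @{}
    foreach ($id in $tracker.Keys) { $serialised[$id] = $tracker[$id].ToString('o') }
    Set-AutomationVariable -Name $TrackerName -Value ($serialised | ConvertTo-Json -Compress)
}
```

Link the runbook to a daily schedule and run it once with `-WhatIf` to confirm the member filter and exemption list before letting it remove anyone. The original poster's simpler variant, a weekly run that clears the group, is `-MaxDays 0` on a weekly schedule: members seen on one run are removed on the next. Two caveats a practitioner should keep in mind: `GroupMember.ReadWrite.All` is tenant-wide, so the managed identity can alter any group and the Automation account (and anyone who can edit its runbooks) must be protected accordingly; and because the tracker is the only record of membership age, its Automation variable should be treated as state worth backing up, since losing it restarts every member's clock.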

  3. DoBongSoon 546 Reputation points
    2021-07-16T18:27:21.34+00:00

    Hi, @iwebb - What solution did you end up with? We also need this functionality but we only have P1 license.

    Thanks.

