Automate Microsoft Entra User Management with Azure Function: Deactivate Inactive Users

Introduction

Managing user accounts manually in Microsoft Entra can quickly become tedious and error-prone, especially when it comes to disabling inactive users. Thankfully, you can easily automate this task by creating an Azure Function to Deactivate Inactive Users. This guide provides a beginner-friendly, step-by-step approach to automating user management in Microsoft Entra using Azure Functions and PowerShell. By following this process, you’ll maintain a secure, efficient, and cost-effective identity management system.

Why Use an Azure Function to Deactivate Inactive Users?

Inactive accounts pose security risks, compliance issues, and unnecessary licensing costs. Automating their management offers several significant benefits:

  • Enhanced Security: Automatically disabling inactive users significantly reduces potential entry points for unauthorized access and security breaches.
  • Cost Efficiency: Deactivating unused accounts frees up software licenses, enabling your organization to optimize costs.
  • Time-Saving: Automation eliminates manual, repetitive administrative tasks, allowing your IT staff to focus on higher-value projects.
  • Compliance: Automatically managing inactive accounts helps your organization meet regulatory requirements and industry best practices.
  • Scalability: Easily manage user accounts across large or growing organizations without increasing administrative overhead.

Step 1: Choose the Right Azure Function Hosting Plan

Azure provides several hosting plans for Function Apps. Each plan has distinct features suitable for different use cases:

Hosting Plan      | Scale to Zero | Scaling Behavior    | Virtual Network | Dedicated Compute | Max Instances
Consumption       | ✅ Yes        | Event-driven        | ❌ No           | ❌ No             | 200
Premium           | ❌ No         | Event-driven        | ✅ Yes          | Minimum 1         | 100
Flex Consumption  | ✅ Yes        | Fast Event-driven   | ✅ Yes          | Optional          | 1000
App Service       | ❌ No         | Metrics-based       | ✅ Yes          | Minimum 1         | 30
Container Apps    | ✅ Yes        | Event-driven (KEDA) | ✅ Yes          | Optional          | 300

Recommended Plan

For automating the deactivation of inactive users, the Consumption Plan is highly recommended due to:

  • Automatic and efficient scaling based on workload.
  • Cost-effectiveness for scheduled tasks.
  • Billing occurs only when the function is active.

Step 2: Create an Azure Function App

Follow these detailed steps to create your Azure Function App:

  1. Navigate to the Azure Portal.
  2. Click Create a resource and search for Function App.
  3. Click Create, then enter the following configuration details:
    • Subscription: Choose your Azure subscription.
    • Resource Group: Select or create a resource group.
    • Function App Name: Choose a unique, descriptive name (e.g., DisableInactiveUsers).
    • Region: Choose a location nearest to your primary users.
    • Runtime stack: Select PowerShell Core.
    • Operating System: Choose Windows.
    • Plan Type: Select Consumption (Pay-as-you-go).
  4. Click Review + Create, verify your settings, then click Create.

Step 3: Add a Timer Trigger Function

To automate your Azure Function, create a Timer Trigger:

  1. In your Function App, click Functions, then click Create.
  2. Choose Timer Trigger.
  3. Provide a clear name (e.g., CheckInactiveUsers).
  4. Configure a CRON expression for scheduling (e.g., daily at 01:00 AM: 0 0 1 * * *).
  5. Click Create to set up your Timer Trigger.

Step 4: Configure Microsoft Entra Permissions

To allow your Azure Function to manage users, configure Microsoft Entra permissions:

  1. Navigate to Microsoft Entra ID > App registrations > New registration.
  2. Provide a name, such as AzureFunctionUserManagement.
  3. In API permissions, add the following Application permissions:
    • User.ReadWrite.All
    • Mail.Send
    • AuditLog.Read.All
    • Directory.Read.All
  4. Click Grant admin consent.
  5. Generate a Client Secret and store it securely.

Note: Certificate-based authentication is significantly more secure than using a client secret. We’ll explore certificate-based authentication in detail in a future guide.

Step 5: Securely Store Environment Variables

Securely store credentials within your Azure Function settings:

  1. Open your Function App in the Azure Portal.
  2. Navigate to Environment Variables under Settings.
  3. Click + Add and enter these values:
TenantId = "your-tenant-id"
ClientId = "your-client-id"
ClientSecret = "your-client-secret"

Click Save to securely apply these settings.

Accessing Environment Variables in the Script

In your PowerShell script, reference these environment variables as follows:

$TenantId = $env:TenantId
$ClientId = $env:ClientId
$ClientSecret = $env:ClientSecret

Step 6: Deploy and Run the PowerShell Script

The comprehensive PowerShell script needed for automation is available here:

🔗 GitHub repository

Highlights of the PowerShell Script:

  • Connects to Microsoft Graph API to retrieve user activity.
  • Automatically identifies and disables inactive user accounts.
  • Sends administrative notifications via email.
  • Provides robust error handling and logging.
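As an added example (not the script from the linked repository), the run.ps1 below shows the core of such a timer-triggered function: it obtains a client-credentials token with the Step 4 app registration and Step 5 settings, pages through all users with their signInActivity, and disables those idle longer than a threshold. InactiveDays, DryRun and ExcludeUpns are hypothetical extra app settings introduced here so the function can be rehearsed without changes and so break-glass accounts are never touched.

```powershell
# run.ps1 for the timer trigger. Added example, not the script from the linked repository.
# Assumes the app registration (Step 4) and the TenantId/ClientId/ClientSecret settings (Step 5).
# InactiveDays, DryRun and ExcludeUpns are hypothetical extra app settings, not from the guide.
param($Timer)

$ErrorActionPreference = 'Stop'
$inactiveDays = if ($env:InactiveDays) { [int]$env:InactiveDays } else { 90 }
$dryRun       = $env:DryRun -eq 'true'                                  # log only, change nothing
$excludeUpns  = @($env:ExcludeUpns -split ';' | Where-Object { $_ })   # break-glass / service accounts

# Client-credentials token for Microsoft Graph (client secret read from the app settings).
$tokenUri = "https://login.microsoftonline.com/$($env:TenantId)/oauth2/v2.0/token"
$token    = (Invoke-RestMethod -Method Post -Uri $tokenUri -Body @{
    client_id = $env:ClientId; client_secret = $env:ClientSecret
    scope     = 'https://graph.microsoft.com/.default'; grant_type = 'client_credentials'
}).access_token
$headers  = @{ Authorization = "Bearer $token" }

# signInActivity requires AuditLog.Read.All; follow @odata.nextLink until every user is read.
$uri   = 'https://graph.microsoft.com/v1.0/users?$select=id,userPrincipalName,accountEnabled,createdDateTime,signInActivity&$top=999'
$users = @()
while ($uri) {
    $page   = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $users += $page.value
    $uri    = $page.'@odata.nextLink'
}

$cutoff = [DateTime]::UtcNow.AddDays(-$inactiveDays)
foreach ($u in $users) {
    if (-not $u.accountEnabled -or $excludeUpns -contains $u.userPrincipalName) { continue }

    # Use the most recent of interactive and non-interactive sign-in so accounts whose clients only
    # refresh tokens silently are not treated as idle. Users who never signed in have no
    # signInActivity, so fall back to createdDateTime rather than disabling a new hire on day one.
    $stamps = @($u.signInActivity.lastSignInDateTime, $u.signInActivity.lastNonInteractiveSignInDateTime) |
              Where-Object { $_ } | ForEach-Object { [DateTimeOffset]::Parse($_).UtcDateTime }
    $last   = if ($stamps) { ($stamps | Sort-Object -Descending)[0] } else { [DateTimeOffset]::Parse($u.createdDateTime).UtcDateTime }
    if ($last -ge $cutoff) { continue }

    if ($dryRun) {
        Write-Information "[DryRun] would disable $($u.userPrincipalName) (last activity $($last.ToString('u')))" -InformationAction Continue
        continue
    }
    # PATCH accountEnabled=false; User.ReadWrite.All covers this call.
    Invoke-RestMethod -Method Patch -Uri "https://graph.microsoft.com/v1.0/users/$($u.id)" -Headers $headers `
        -ContentType 'application/json' -Body (@{ accountEnabled = $false } | ConvertTo-Json)
    Write-Information "Disabled $($u.userPrincipalName); last activity $($last.ToString('u'))" -InformationAction Continue
}
```

Run it first with DryRun = true and review the function log for the accounts it would disable before switching the setting off.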

Step 7: Test Your Azure Function

Perform a test run to ensure your function works correctly:

  1. Select your Timer Trigger function in the Functions menu.
  2. Open Code + Test.
  3. Click Test/Run, followed by Run.
  4. Monitor logs to confirm successful execution and accurate identification of inactive users.

Conclusion

You’ve successfully established an efficient and secure automated solution by setting up an Azure Function to Deactivate Inactive Users. This approach optimizes your Microsoft Entra environment, enhances security, reduces administrative overhead, and supports compliance.

🚀 Take the next step in automating your Microsoft Entra environment securely and efficiently!
