Introducing the Entra Helpdesk Portal: A Zero-Trust, Dockerized ITSM Interface for Tier 1 Support
Hello everyone,
If you manage identity in Microsoft Entra ID at an enterprise scale, you know the struggle: delegating day-to-day operational tasks (like password resets, session revocations, and MFA management) to Tier 1 and Tier 2 support staff is inherently risky.
The native Azure/Entra portal is incredibly powerful, but it’s complex and lacks mandatory ITSM enforcement. Giving a helpdesk technician the "Helpdesk Administrator" role grants them access to a portal where a single misclick can cause a major headache.
To solve this, I’ve developed the Entra Helpdesk Portal (Community Edition)—an open-source, containerized application designed to act as an isolated "airlock" between your support team and your Entra ID tenant.
Why This Adds Value to Your Tenant
Instead of having technicians log into the Azure portal, they log into this clean, Material Design web interface. It leverages a backend Service Principal (using MSAL and the Graph API) to execute commands on their behalf.
- Strict Zero Trust: Logging in via Microsoft SSO isn’t enough. The app intercepts the token and checks the user’s UPN against a hardcoded ALLOWED_ADMINS whitelist in your Docker environment file.
- Mandatory ITSM Ticketing: You cannot enforce ticketing in the native Azure Portal. In this app, every write action prompts a modal requiring a valid ticket number (e.g., INC-123456).
- Local Audit Logging: All actions, along with the actor, timestamp, and ticket number, are written to an immutable local SQLite database (audit.db) inside the container volume.
- Performance: Heavy Graph API reads are cached in-memory with a Time-To-Live (TTL) and smart invalidation. Searching for users or loading Enterprise Apps takes milliseconds.
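As an added illustration (not the portal's own code), the following Python sketch shows how the three controls above compose around a single write action: the UPN from the SSO token is checked against ALLOWED_ADMINS, the feature flag is consulted, a ticket number is required, and only then is an audit row written before the Graph call would run. The ticket regex, the audit table layout and the sample environment values are assumptions.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Constructed sample of the environment the compose file defines (not real values).
SAMPLE_ENV = {
    "ALLOWED_ADMINS": "helpdesk1@example.com, Helpdesk2@example.com",
    "ENABLE_PASSWORD_RESET": "true",
    "ENABLE_USER_DELETION": "false",
}
# Assumed ticket format; the post only shows "INC-123456" as an example.
TICKET_RE = re.compile(r"^INC-\d{6}$")

def allowed_admins(env):
    """Parse the comma-separated ALLOWED_ADMINS list into a normalised set."""
    return {u.strip().lower() for u in env.get("ALLOWED_ADMINS", "").split(",") if u.strip()}

def is_allowed_admin(upn, env):
    """SSO alone is not enough: the UPN from the token must be on the allowlist."""
    return upn.strip().lower() in allowed_admins(env)

def feature_enabled(flag, env):
    """Toggles such as ENABLE_USER_DELETION=false switch off a whole action."""
    return env.get(flag, "false").strip().lower() == "true"

def open_audit_db(path=":memory:"):
    """Local audit store; the real app keeps audit.db on a container volume."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS audit "
                 "(ts TEXT, actor TEXT, action TEXT, target TEXT, ticket TEXT)")
    return conn

def perform_write(conn, env, actor, action, flag, target, ticket):
    """Gate a write action: allowlist, then feature flag, then ticket, then audit row."""
    if not is_allowed_admin(actor, env):
        return "denied: actor not in ALLOWED_ADMINS"
    if not feature_enabled(flag, env):
        return "denied: feature disabled by environment"
    if not TICKET_RE.match(ticket or ""):
        return "denied: valid ticket number required"
    # Record who did what, to which object, under which ticket, before calling Graph.
    conn.execute("INSERT INTO audit VALUES (?, ?, ?, ?, ?)",
                 (datetime.now(timezone.utc).isoformat(), actor.lower(), action, target, ticket))
    conn.commit()
    return "ok"
```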
What Can It Do?
- Identity Lifecycle: Create users, auto-generate secure 16-character passwords, revoke sign-in sessions, reset passwords, and delete specific MFA methods to force re-registration.
- Diagnostics: View a user's last 5 sign-in logs, translating Microsoft error codes into plain English.
- Group Management: Add/remove members to Security and M365 groups.
- App/SPN Management: Lazy-load raw requiredResourceAccess Graph API payloads to audit app permissions, and instantly rotate client secrets.
- Universal Restore: Paste the Object ID of any soft-deleted item into the Recycle Bin tab to instantly resurrect it.
How Easy Is It to Set Up?
I wanted this to be universally deployable, so I compiled it as a multi-architecture Docker image (linux/amd64 and linux/arm64). It will run on a massive Windows Server or a simple Raspberry Pi.
Setup takes less than 5 minutes:
1. Create an App Registration in Entra ID and grant it the necessary Graph API Application Permissions (e.g., User.ReadWrite.All, AuditLog.Read.All).
2. Create a docker-compose.yml file.
3. Define your feature toggles. You can literally turn off features (like User Deletion) by setting an environment variable to false.

```yaml
version: '3.8'
services:
  helpdesk-portal:
    image: jahmed22/entra-helpdesk:latest
    container_name: entra_helpdesk
    restart: unless-stopped
    ports:
      - "8000:8000"
    environment:
      # CORE IDENTITY
      - TENANT_ID=your_tenant_id_here
      - CLIENT_ID=your_client_id_here
      - CLIENT_SECRET=your_client_secret_here
      - BASE_URL=https://entradesk.jahmed.cloud
      - ALLOWED_ADMINS=email address removed for privacy reasons
      # CUSTOMIZATION & FEATURE FLAGS
      - APP_NAME=Entra Help Desk
      - ENABLE_PASSWORD_RESET=true
      - ENABLE_MFA_MANAGEMENT=true
      - ENABLE_USER_DELETION=false
      - ENABLE_GROUP_MANAGEMENT=true
      - ENABLE_APP_MANAGEMENT=true
    volumes:
      - entra_helpdesk_data:/app/static/uploads
      - entra_helpdesk_db:/app
volumes:
  entra_helpdesk_data:
  entra_helpdesk_db:
```

4. Run docker compose up -d and you are done!
I built this to give back to the community and help secure our Tier 1 operations. If you are interested in testing it out in your dev tenants or want to see the full architecture breakdown, you can read the complete documentation on my website here.
I’d love to hear your thoughts, feedback, or any feature requests you might have!