This is a quick way (an interim solution, if you prefer) of implementing some form of PAM / PIM / JIT / JEA / IAM / IM for an Active Directory environment. Since all those acronyms are favorite topics for Security and Compliance, I figured I'd share the idea in the hope it is useful to some. For a more robust solution, look at Microsoft Identity Manager or another Identity Management product.
Please feel free to post your questions/comments/suggestions. Open to feedback! My first attempt to share, so hope to learn more and share more. Maybe more acronyms?
gMSA/User Account/MSA to run the script and flow
Azure AD Group
On-Prem Security Group
Here's the overview of the solution:
1. Azure Active Directory. Create an Azure AD Security Group. The Flow adds approved users to this group, and the on-prem PowerShell script reads it as the list of approved requests. Make sure to note its ObjectID; you will need it when creating the Microsoft Flow.
1.1 Create an on-prem Security Group and nest it inside the highly privileged group you want to control (e.g. Domain Admins or Enterprise Admins). Approved users are added to this nested group on request and removed again at a scheduled time. Keep in mind that anyone who can change the membership of this nested group, or of the Azure AD group that feeds it, effectively holds that privilege, so lock down who can edit the Flow, the approver list and both groups.
2. SharePoint Online. Create a SharePoint List with at least the following columns:
Group Choice (if you are doing multiple groups).
3. Microsoft Flow. Create a Flow from the SharePoint list. Picture1 shows the single-group version and Picture2 the version for two or more groups; add another branch for each additional group. I submitted this as a template and will update once it is approved.
3.1 Details of the Microsoft Flow:
a. When someone submits an item to the SharePoint list, get the File Metadata (this is used later to update the SharePoint item with the approval status).
b. For multiple groups, add a Condition on which group was selected.
b.1 Set the approvers by email address.
c. Logic if approved:
c.1 Inform the requester that the request has been approved (Outlook connector).
c.2 Get the requester's user information (specifically the ObjectID).
c.3 Add the user to the Azure AD group. You will need the Azure AD group's ObjectID here.
c.4 Update the SharePoint approval status to "Approved" (via the File Metadata).
d. Logic if rejected:
d.1 Inform the requester that the request has been rejected (Outlook connector).
d.2 Update the SharePoint approval status to "Rejected" (via the File Metadata).
3.2 Use those concepts to fit your use case.
4. On-Premise Items.
4.1 Set up a workstation with RSAT installed, or use an existing "scripting" workstation.
4.2 Set up a service account to run the script, with just enough permission to edit the users and groups concerned and nothing more. (I'm going to assume you know what you are doing here - you are in IT after all!)
4.3 PowerShell time! Please see the attached AD-PAM-Scripts.zip. I've added comments in each area and left clues for the things you have to fill in. Run these scripts as Scheduled Tasks, on whatever schedule suits you; review the flow chart for some ideas. I recommend creating and using a gMSA - see Getting Started with Group Managed Service Accounts.
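To make step 4.3 concrete, here is an added example of what the on-prem side of this design looks like. It is not the AD-PAM-Scripts.zip from the post (which is not reproduced on this page); it is illustration code written for this article. It assumes things the post does not state: an app registration with Group.ReadWrite.All that the gMSA authenticates to with a certificate (a gMSA cannot sign in interactively), on-prem userPrincipalName values that match the Azure AD UPN (hybrid identity), the Microsoft Graph PowerShell SDK and RSAT ActiveDirectory module, and placeholder GUIDs, thumbprint and group names. It runs in two modes from two scheduled tasks: Grant mirrors the approved Azure AD group into the nested on-prem group and strips anyone who got in some other way, and Revoke empties both groups at the end of the access window.

```powershell
#Requires -Modules ActiveDirectory, Microsoft.Graph.Authentication, Microsoft.Graph.Groups
<#
  Added example for step 4.3 (not the author's AD-PAM-Scripts.zip).
    -Mode Grant  (e.g. every 5 minutes): mirror the Azure AD "approved" group into the
                 on-prem JIT group and remove anyone who is in the JIT group without approval
    -Mode Revoke (end of the access window): empty both groups
  Assumptions (not from the post): certificate-based app auth for the gMSA, matching
  UPNs on-prem and in Azure AD, and placeholder IDs/names below.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][ValidateSet('Grant', 'Revoke')][string]$Mode,
    [string]$ApprovedGroupId = '00000000-0000-0000-0000-000000000000',  # Azure AD group ObjectID (step 1)
    [string]$OnPremGroup     = 'JIT-DomainAdmins',                      # nested on-prem group (step 1.1)
    [string]$TenantId        = 'contoso.onmicrosoft.com',
    [string]$ClientId        = '11111111-1111-1111-1111-111111111111',  # app registration (assumed)
    [string]$CertThumbprint  = '0123456789ABCDEF0123456789ABCDEF01234567',
    [string]$LogPath         = "$env:ProgramData\AD-PAM\jit-$(Get-Date -Format yyyyMMdd).log"
)

function Write-Log([string]$Message) {
    # Append-only audit trail of every membership change the script makes
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    ("{0:u} [{1}] {2}" -f (Get-Date), $Mode, $Message) | Tee-Object -FilePath $LogPath -Append
}

Import-Module ActiveDirectory -ErrorAction Stop
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $CertThumbprint `
                -NoWelcome -ErrorAction Stop

# Approved users as recorded by the Flow: cloud ObjectId -> UPN
$approved = @{}
Get-MgGroupMember -GroupId $ApprovedGroupId -All | ForEach-Object {
    $upn = $_.AdditionalProperties['userPrincipalName']
    if ($upn) { $approved[$_.Id] = $upn }
}

# Current on-prem membership of the JIT group: UPN -> ADUser
$current = @{}
Get-ADGroupMember -Identity $OnPremGroup | Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties userPrincipalName |
    ForEach-Object { $current[$_.UserPrincipalName] = $_ }

switch ($Mode) {
    'Grant' {
        foreach ($upn in $approved.Values) {
            if ($current.ContainsKey($upn)) { continue }             # already granted
            $adUser = Get-ADUser -Filter { userPrincipalName -eq $upn }
            if (-not $adUser) { Write-Log "SKIP   no on-prem account for $upn"; continue }
            if ($PSCmdlet.ShouldProcess($upn, "Add to $OnPremGroup")) {
                Add-ADGroupMember -Identity $OnPremGroup -Members $adUser
                Write-Log "GRANT  $upn -> $OnPremGroup"
            }
        }
        # Anyone in the JIT group who is not in the approved cloud group did not come
        # through the Flow; treat that as drift (or tampering) and remove them.
        foreach ($upn in @($current.Keys)) {
            if ($approved.ContainsValue($upn)) { continue }
            if ($PSCmdlet.ShouldProcess($upn, "Remove unapproved member from $OnPremGroup")) {
                Remove-ADGroupMember -Identity $OnPremGroup -Members $current[$upn] -Confirm:$false
                Write-Log "DRIFT  $upn removed from $OnPremGroup (not in approved group)"
            }
        }
    }
    'Revoke' {
        foreach ($upn in @($current.Keys)) {
            if ($PSCmdlet.ShouldProcess($upn, "Remove from $OnPremGroup")) {
                Remove-ADGroupMember -Identity $OnPremGroup -Members $current[$upn] -Confirm:$false
                Write-Log "REVOKE $upn removed from $OnPremGroup"
            }
        }
        foreach ($id in @($approved.Keys)) {
            if ($PSCmdlet.ShouldProcess($approved[$id], "Remove from approved Azure AD group")) {
                Remove-MgGroupMemberByRef -GroupId $ApprovedGroupId -DirectoryObjectId $id
                Write-Log "REVOKE $($approved[$id]) removed from approved group"
            }
        }
    }
}

Disconnect-MgGraph | Out-Null
```

Run it once with `-Mode Grant -WhatIf` under the gMSA to confirm it can read the Azure AD group and the on-prem group before scheduling the real tasks. The script never writes to Domain Admins itself, only to the nested group, so the gMSA only needs write-members on that one group; and because Revoke clears everyone at once, the access window is the gap between the two scheduled tasks rather than per-user, which is the main thing a more robust PIM product improves on.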
I hope this helps improve AD security for organizations that are unable to implement a more robust solution!