I believe that we all have some Azure AD Groups which need periodic cleanup on a weekly or monthly basis, such as Groups that grant a temporary exclusion from Conditional Access policies.
I recently spoke with a client who told me that they do this manually, so I decided to automate it with an Azure Logic App.
So let’s start from scratch:
Part 1: Create the Logic App
Let us say that we have a setup with 3 Azure AD Groups:

A user account, called ex*****@********ar.com, is a member of each of the Groups.

For some reason (housekeeping, etc.) we want to make sure that the Groups are emptied on a weekly basis.
In portal.azure.com, create a new Logic App and choose a Resource Group and a Region:

Once that is ready, we can build the logic in the App.
Part 2: The Logic App Code
Of course we could just copy-paste the code from a ready-made App, but I wanted to do it step by step with the GUI Designer, just to show how the App works:
On the left-hand side of the screen, select “Logic App Designer” and then select “Blank Logic App”.

First we need to define a Recurrence for the App.
In the Search bar, search for Schedule – Recurrence

and select the interval at which you want to execute the cleanup – in our case weekly.

Now we need to save the Group IDs in an Array.
Add a new Step – go to Variables and choose “Initialize Variable”.
Select the Variable Type “Array” (as we need to clean up members from multiple Groups) and under Value provide the IDs of the AAD Groups in the following format (plain double quotes, no leading spaces inside the quotes):
[
"Group A ID",
"Group B ID",
"Group C ID"
]

To make it easier to remember which step is which, we can also rename the steps.

Now we need 2 nested For Each loops to clean up the Groups.
Go to Controls -> For Each and enter the Array as an output from the previous Step.

Then in the For Each loop (I renamed it again) click on “Add an Action”.

Select “Azure” -> “Get Group Member” and sign in in order to give the App the required permissions.

Accept the permissions request (you need to be signed in as a Global Admin to do so). The API connection created here is what the App uses on every run, so it is the signed-in account's permissions that are exercised each week.

Under “Group ID” select “Current Item” from the “For Each Group in AAD Groups” Step
and click on “Add an Action”.

Now we need to nest another Loop, to clean up every member of the Group.
Go to Controls -> For Each and add another Loop (this For Each Loop is nested in the previous one!).
In “Select an output from previous steps” select “Group Members”.
Then click on “Add an action” – the one INSIDE the second Loop.

Select “Azure AD” -> Remove Group Members.
Under “Group ID” select “Current Item” – BE CAREFUL here to select the Current Item from the AAD Groups loop, not the one from the Group Members loop, as we need the Group IDs here.
For Member ID, select the “Group Member ID”.

The entire solution looks like this:

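For reference, this is what the same workflow looks like in the Logic App's Code view. It is an added example, not the definition from the original post: the three Group IDs are constructed placeholders, and the Azure AD connector paths and the connection name azuread are assumed from an exported definition, so compare them against your own Code view before pasting. The point to check is that both Group ID references use items() of the outer loop and only the Member ID uses items() of the inner loop.

```json
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "contentVersion": "1.0.0.0",
  "parameters": { "$connections": { "type": "Object", "defaultValue": {} } },
  "triggers": {
    "Weekly_cleanup": { "type": "Recurrence", "recurrence": { "frequency": "Week", "interval": 1 } }
  },
  "actions": {
    "AAD_Groups": {
      "type": "InitializeVariable",
      "runAfter": {},
      "inputs": { "variables": [ { "name": "AADGroups", "type": "array", "value": [
        "00000000-0000-0000-0000-00000000000a",
        "00000000-0000-0000-0000-00000000000b",
        "00000000-0000-0000-0000-00000000000c"
      ] } ] }
    },
    "For_each_Group_in_AAD_Groups": {
      "type": "Foreach", "foreach": "@variables('AADGroups')",
      "runAfter": { "AAD_Groups": [ "Succeeded" ] },
      "actions": {
        "Get_group_members": {
          "type": "ApiConnection",
          "runAfter": {},
          "inputs": {
            "host": { "connection": { "name": "@parameters('$connections')['azuread']['connectionId']" } },
            "method": "get",
            "path": "/v1.0/groups/@{encodeURIComponent(items('For_each_Group_in_AAD_Groups'))}/members"
          }
        },
        "For_each_Group_Member": {
          "type": "Foreach", "foreach": "@body('Get_group_members')?['value']",
          "runAfter": { "Get_group_members": [ "Succeeded" ] },
          "actions": {
            "Remove_Group_Member": {
              "type": "ApiConnection",
              "runAfter": {},
              "inputs": {
                "host": { "connection": { "name": "@parameters('$connections')['azuread']['connectionId']" } },
                "method": "delete",
                "path": "/v1.0/groups/@{encodeURIComponent(items('For_each_Group_in_AAD_Groups'))}/members/@{encodeURIComponent(items('For_each_Group_Member')?['id'])}/$ref"
              }
            }
          }
        }
      }
    }
  }
}
```

If the Designer has been wired to the wrong “Current Item”, the inner path will show items('For_each_Group_Member') in the groups segment, which is the mistake the step above warns about.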
Part 3: Monitor
You can check the Runs History and will see that the user was removed from each of the 3 AAD Groups.


In Azure AD we also see now that the 3 Groups are empty.

Enjoy 🙂