External User Management with Azure Active Directory Integration

Client

The client is a large multinational data storage company headquartered in the USA.


Problem Statement / Opportunity

When a document is shared or a meeting invite is sent from a Microsoft Office 365 service (SharePoint or Outlook) to any external user (someone outside the organization), an account is created in Azure Active Directory for that external user. The existing Microsoft Azure Active Directory offers no mechanism, or only limited capability, to manage (delete, block, disable) such external users.


The client's requirement was to build an application that would: a) automate the maintenance of a mapping between client employees and the external users they have invited to the Office 365 / SharePoint portal for content sharing or any other purpose; b) give better control over such external users' access through timely expiry, renewal and deactivation of their credentials; and c) provide automated workflows and the relevant notification modules.


Oneture's Role

We worked very closely with the client's Information Security and Infrastructure teams to better understand the problem statement, the current process and the infrastructure, and discussed possible solutions.


Developed various PoCs to explore access to Azure Active Directory logs, SharePoint logs, on-premises AD user accounts and their audit logs, and the mailing system for notification workflows.


Proposed Solution & Architecture

This application accesses Azure AD logs through the Microsoft Graph API, accesses SharePoint logs through Microsoft APIs, and accesses on-premises AD through an LDAP client against the LDAP server to fetch employee information. On a regular schedule it fetches the relevant information from the logs to identify guest users and their invitees, stores it in an MSSQL database, runs several workflows to notify external users, follows an escalation matrix to notify employees in the relevant organizational hierarchy, and extends a guest user account's access or blocks it after the specified time.


Major modules:

  • Azure AD management: Developed schedulers to read logs from Azure AD, process the activity logs and store the information in the database. Developed several workflows on the stored information to disable or delete guest users in Azure AD through the Graph API.
  • LDAP module: To fetch employee information from on-premises Active Directory, developed custom code using an LDAP client to fetch all employee information and store it in the database.
  • Relationship building module: Developed a module to establish the relationship between guest users and employees from the data stored in the database and fetched from the logs.
  • SharePoint logs: Developed a module that accesses SharePoint logs through recursive calls to establish the many-to-many relationship between employee(s) and guest(s).
  • Notification schedulers: Developed several schedulers to periodically notify external users, employees' managers and invitees prior to the expiry of any guest user, and after the expiry date of any guest account; automated process to disable and delete guest users.
  • Notification engine: Developed a notification engine using the Microsoft Graph API.
  • Accept/Reject automation: Automated accept/reject of account activation, expiry extension and account disabling via the client's email server, using custom code to read the mailbox, parse the email content and take the accept/reject action after dual verification of the email content.
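The guest-lifecycle decision step that the architecture paragraph and the notification/disable/delete modules above describe, as an added example rather than Oneture's or the client's code. It runs over constructed records shaped like the Microsoft Graph /users resource (id, mail, userType, accountEnabled, createdDateTime and externalUserState are real Graph properties); the policy day counts, the inviter mapping and the assumption that expiry is counted from createdDateTime are this example's own.

```javascript
// Added example, not Oneture's code: the guest-lifecycle decision step of the
// scheduler described above, run over constructed records shaped like the
// Microsoft Graph /users resource (id, mail, userType, accountEnabled,
// createdDateTime, externalUserState are real Graph properties). Assumptions:
// expiry is counted from createdDateTime, and the caller sends the returned
// Graph requests with an app token that holds User.ReadWrite.All.
const DAY_MS = 24 * 60 * 60 * 1000;
const daysBetween = (fromIso, nowMs) => Math.floor((nowMs - Date.parse(fromIso)) / DAY_MS);

// Returns the notification and Graph write actions the scheduler should take
// for each guest, given the policy (day counts are hypothetical values).
function planGuestActions(users, nowMs, policy) {
  const actions = [];
  for (const u of users) {
    if (u.userType !== 'Guest') continue;                 // members are out of scope
    const age = daysBetween(u.createdDateTime, nowMs);
    const remaining = policy.expiryDays - age;
    const userUrl = `/users/${u.id}`;
    if (u.externalUserState === 'PendingAcceptance' && age >= policy.unredeemedDays) {
      // Invitation never accepted: remove the dangling guest object.
      actions.push({ id: u.id, action: 'delete', reason: 'unredeemed', request: { method: 'DELETE', url: userUrl } });
    } else if (!u.accountEnabled) {
      // Already disabled: delete once the grace period after expiry has elapsed.
      if (age >= policy.expiryDays + policy.graceDays)
        actions.push({ id: u.id, action: 'delete', reason: 'expired', request: { method: 'DELETE', url: userUrl } });
    } else if (remaining <= 0) {
      // Past expiry: block sign-in first; deletion follows after the grace period.
      actions.push({ id: u.id, action: 'disable', request: { method: 'PATCH', url: userUrl, body: { accountEnabled: false } } });
    } else if (remaining <= policy.warnDays) {
      // Approaching expiry: notify the guest and the employee who invited them
      // (the inviter mapping comes from the relationship database).
      actions.push({ id: u.id, action: 'notify', daysRemaining: remaining, to: [u.mail, policy.inviterOf[u.id]].filter(Boolean) });
    }
  }
  return actions;
}

// Constructed sample data; 'now' is fixed so the run is deterministic.
const NOW_MS = Date.parse('2024-03-01T00:00:00Z');
const POLICY = { expiryDays: 90, warnDays: 7, graceDays: 30, unredeemedDays: 14, inviterOf: { g1: 'alice@example.com' } };
const SAMPLE_USERS = [
  { id: 'g1', mail: 'g1@partner.example', userType: 'Guest', accountEnabled: true, createdDateTime: '2023-12-05T00:00:00Z', externalUserState: 'Accepted' },
  { id: 'g2', mail: 'g2@partner.example', userType: 'Guest', accountEnabled: true, createdDateTime: '2023-11-01T00:00:00Z', externalUserState: 'Accepted' },
  { id: 'g3', mail: 'g3@partner.example', userType: 'Guest', accountEnabled: false, createdDateTime: '2023-10-01T00:00:00Z', externalUserState: 'Accepted' },
  { id: 'g4', mail: 'g4@partner.example', userType: 'Guest', accountEnabled: true, createdDateTime: '2024-02-01T00:00:00Z', externalUserState: 'PendingAcceptance' },
  { id: 'm1', mail: 'bob@example.com', userType: 'Member', accountEnabled: true, createdDateTime: '2020-01-01T00:00:00Z' },
];
function runSample() { return planGuestActions(SAMPLE_USERS, NOW_MS, POLICY); }
console.log(JSON.stringify(runSample(), null, 2));
```

In the real scheduler the guest list comes from `GET /users?$filter=userType eq 'Guest'` and each returned request is sent against the Graph endpoint; the plan step stays pure so it can be unit-tested and its decisions logged before any write happens.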

Tools and Technologies Used

Technology Domain          Tools
Development Technologies   Node.js, LDAP, Graph API, Azure AD, SharePoint, On-prem AD, Office 365, MSSQL, AngularJS
Azure Products & Services  Azure AD, Azure Email Service, Graph API, SharePoint