Does Anyone Have a Script to Enable / Disable Global Admin on a Timed Basis?

    • #250868
      Participant
      Topics: 9
      Replies: 12
      Points: 155
      Rank: Participant

      Hello Everyone,

      I’m looking for a method, script or otherwise to be able to enable then disable Global Admin access for a user when requested. I have some service desk folks who need the extra rights for specific tasks and I’m looking to automate it as much as possible.

      Thanks,

      Rob

    • #250871
      Participant
      Topics: 0
      Replies: 8
      Points: 48
      Rank: Member

      Hi Rob,

      I automated something very similar to this a while ago. We had a script to check for an approved request for admin access, which also included the number of days this access was needed (maximum of 7 days). This information was stored in a database, and the user was added to the correct AD group.

      The database columns were (from memory): index, Username, startdate, enddate, current_state.

      The database was checked for any user that was “active” and whose enddate had passed, and then they would be removed from the AD group.

      We had an automation engine that ran this workflow, but it can be set up from a task schedule as well.

      I can expand more on this but not sure if this is the right place to go on about workflows etc.
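
The workflow described in the post above (request rows with a start date, end date and state, and expired users removed from the AD group), as an added example that is not code from the thread. It assumes a CSV file in place of the database, ISO 8601 dates, and `Username` holding the sAMAccountName; the file path, group name and state values are hypothetical.

```powershell
# Added example, not code from the thread. A CSV file stands in for the database;
# the path, group name and state values (approved/active/expired) are assumptions.
#Requires -Modules ActiveDirectory
param(
    [string]$RequestStore = 'C:\ElevationRequests\requests.csv',  # hypothetical path
    [string]$AdminGroup   = 'Temp-Elevated-Admins',               # hypothetical group
    [int]$MaxDays         = 7                                     # maximum stated in the post
)

function Get-ElevationAction {
    # Decide what one request row needs right now. Dates are ISO 8601 strings.
    param($Row, [datetime]$Now, [int]$MaxDays)
    $start = [datetime]$Row.StartDate
    $end   = [datetime]$Row.EndDate
    # Clamp the window so a bad row cannot grant more than the approved maximum.
    if ($end -gt $start.AddDays($MaxDays)) { $end = $start.AddDays($MaxDays) }
    if ($Row.CurrentState -eq 'active'   -and $Now -ge $end) { return 'Revoke' }
    if ($Row.CurrentState -eq 'approved' -and $Now -ge $end) { return 'Expire' }
    if ($Row.CurrentState -eq 'approved' -and $Now -ge $start) { return 'Grant' }
    return 'None'
}

$now  = Get-Date
$rows = @(Import-Csv -Path $RequestStore)
foreach ($row in $rows) {
    $action = Get-ElevationAction -Row $row -Now $now -MaxDays $MaxDays
    try {
        switch ($action) {
            'Grant'  { Add-ADGroupMember -Identity $AdminGroup -Members $row.Username -ErrorAction Stop
                       $row.CurrentState = 'active' }
            'Revoke' { Remove-ADGroupMember -Identity $AdminGroup -Members $row.Username -Confirm:$false -ErrorAction Stop
                       $row.CurrentState = 'expired' }
            'Expire' { $row.CurrentState = 'expired' }
        }
        if ($action -ne 'None') { Write-Output "$($now.ToString('s')) $action $($row.Username)" }
    }
    catch {
        # State stays unchanged, so a failed revoke is retried on the next run.
        Write-Warning "$action failed for $($row.Username): $_"
    }
}
if ($rows.Count -gt 0) { $rows | Export-Csv -Path $RequestStore -NoTypeInformation }

# Reconcile: a group member with no active row was added outside the workflow.
$activeUsers = @($rows | Where-Object CurrentState -eq 'active' | ForEach-Object Username)
Get-ADGroupMember -Identity $AdminGroup |
    Where-Object { $_.SamAccountName -notin $activeUsers } |
    ForEach-Object { Write-Warning "Unexpected member of ${AdminGroup}: $($_.SamAccountName)" }
```

Run from a scheduled task under an account that holds only the right to manage that one group's membership, and keep the output as the audit trail of grants and revocations.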

       

    • #250874
      Participant
      Topics: 0
      Replies: 81
      Points: 362
      Helping Hand
      Rank: Contributor

      If you are talking about Office 365/Azure related tasks, you could consider using Microsoft Flow. The automated task would handle all of the backend changes and you can grant access to users to execute the automation.

    • #250877
      Participant
      Topics: 9
      Replies: 12
      Points: 155
      Rank: Participant

      If you are talking about Office 365/Azure related tasks, you could consider using Microsoft Flow. The automated task would handle all of the backend changes and you can grant access to users to execute the automation.

      Great idea, I didn’t even think about that. I’ll look into it.

      Thanks

    • #250901
      Participant
      Topics: 15
      Replies: 1776
      Points: 3,218
      Helping Hand
      Rank: Community Hero

      Definitely recommend an RPA, bot or workflow solution where you are only allowing them to do specific tasks as a proxy (service account) rather than elevating their account. Teams or Slack bots are another option that could provide flexibility.
