Does Anyone Have a Script to Enable / Disable Global Admin on a Timed Basis?

Hello Everyone,

I’m looking for a method, script or otherwise to be able to enable then disable Global Admin access for a user when requested. I have some service desk folks who need the extra rights for specific tasks and I’m looking to automate it as much as possible.

 

Thanks,

Rob

Hi Rob,

I automated something very similar to this a while ago. We had a script to check for an approved request for admin access, which also included the number of days this access was needed (maximum of 7 days). This information was stored in a database, and the user was added to the correct AD group.

The database columns were (from memory): index, Username, startdate, enddate, current_state.

The database was checked for any user that was “active” and whose enddate had passed, and then they would be removed from the AD group.

We had an automation engine that ran this workflow, but it can be set up from a task schedule as well.

I can expand more on this but not sure if this is the right place to go on about workflows etc.
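
The expiry workflow described in the reply above, sketched as an added example; it is not part of the thread or the poster's own script. Assumptions: a CSV file stands in for the database, the group name and usernames are placeholders, and the group change is passed in as a script block so the sweep can be dry-run without a domain.

```powershell
# Added example: time-boxed group membership with an expiry sweep.
# Assumptions (not from the thread): CSV file as the store, placeholder group
# name, ActiveDirectory module available when the real cmdlets are used.
$StorePath  = Join-Path ([IO.Path]::GetTempPath()) 'timed-admin-grants.csv'  # hypothetical
$AdminGroup = 'Example-ServiceDesk-Admins'                                   # placeholder
$MaxDays    = 7                                                              # cap from the post

function Grant-TimedAccess {
    param([string]$Username, [int]$Days, [scriptblock]$AddMember)
    if ($Days -lt 1 -or $Days -gt $MaxDays) { throw "Days must be 1..$MaxDays" }
    # Record first, then grant: a failed grant leaves a harmless row, never an untracked member.
    [pscustomobject]@{
        Username      = $Username
        StartDate     = (Get-Date).ToString('o')
        EndDate       = (Get-Date).AddDays($Days).ToString('o')
        Current_State = 'active'
    } | Export-Csv -Path $StorePath -Append -NoTypeInformation
    & $AddMember $Username
}

function Revoke-ExpiredAccess {
    param([scriptblock]$RemoveMember, [datetime]$Now = (Get-Date))
    $rows = @(Import-Csv -Path $StorePath)
    foreach ($row in $rows) {
        if ($row.Current_State -eq 'active' -and ([datetime]$row.EndDate) -le $Now) {
            try {
                & $RemoveMember $row.Username
                $row.Current_State = 'expired'
            } catch {
                # Row stays 'active' so the next scheduled run retries the removal.
                Write-Warning "Removal failed for $($row.Username): $_"
            }
        }
    }
    $rows | Export-Csv -Path $StorePath -NoTypeInformation
}

# Real AD calls; -ErrorAction Stop makes failures reach the try/catch above.
$adAdd    = { param($u) Add-ADGroupMember    -Identity $AdminGroup -Members $u -ErrorAction Stop }
$adRemove = { param($u) Remove-ADGroupMember -Identity $AdminGroup -Members $u -Confirm:$false -ErrorAction Stop }

# Offline dry run with a stub instead of the AD cmdlets (constructed sample data).
Remove-Item $StorePath -ErrorAction SilentlyContinue
$stub = { param($u) Write-Host "group change for $u" }
Grant-TimedAccess -Username 'sd.alice' -Days 2 -AddMember $stub
Grant-TimedAccess -Username 'sd.bob'   -Days 7 -AddMember $stub
Revoke-ExpiredAccess -RemoveMember $stub -Now (Get-Date).AddDays(3)   # alice expires, bob stays active
Import-Csv $StorePath | Format-Table Username, EndDate, Current_State
```

For real use, pass `$adAdd` and `$adRemove` in place of the stub and run `Revoke-ExpiredAccess` from a scheduled task.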

 

If you are talking about Office 365/Azure related tasks, you could consider using Microsoft Flow. The automated task would handle all of the backend changes and you can grant access to users to execute the automation.

> If you are talking about Office 365/Azure related tasks, you could consider using Microsoft Flow. The automated task would handle all of the backend changes and you can grant access to users to execute the automation.

Great idea, I didn’t even think about that. I’ll look into it.

Thanks

Definitely recommend an RPA, bot or workflow solution where you are only allowing them to do specific tasks as a proxy (service account) rather than elevating their account. Teams or Slack bots are another option that could provide flexibility.