Maintain groups in Azure AD with dynamic groups and set expiration settings.
Example scenario : Controlling remote access to sub contractors working on a short term project. The project owner should remove all access for sub contractors after the project completes
How to guide :
If we combine Dynamic Groups and Expiration settings, we can automatically populate groups and then invoke regular check to maintain groups are still required. Group owners will be reminded regularly to verify groups are required. Owners will have a better understanding of who has access and this help assist with your security policies.
Dynamic Group Example
Steps: Azure Active Directory > New Group > Type : Office 365 > Name, Description, Dynamic User > Owner > Dynamic user Members
Group Name : Sub Contractors – Set the value for department equals “Sub Contractor”
Dynamic User Members – Add Experssion
(user.department -eq “Sub Contractor”)
Configure Group lifetime / Expiration Settings
Steps: Azure Active Directory > Groups > Expiration > Days > No Owner email > Selected > Group > Save
“Renewal notifications are emailed to group owners 30 days, 15 days, and one day prior to group expiration. Group owners must have Exchange licenses to receive notification emails. If a group is not renewed, it is deleted along with its associated content from sources such as Outlook, SharePoint, Teams, and PowerBI.” Info from the portal Expiration settings.
How to maintain the patch status of your Windows and Linux machines
“You can use Update Management in Azure Automation to manage operating system updates for your Windows and Linux machines in Azure, in on-premises environments, and in other cloud environments.” Microsoft
To enable on a specific virtual machine in Azure
Note – You only pay for logs stored (Log Analytics)