Monday, April 13, 2015

Manage users in Azure RemoteApp based on Active Directory groups, with PowerShell!

Prior to December 11/12/2014, Azure RemoteApp supported authorizing users to an Azure RemoteApp Collection based on Azure Active Directory group membership.

[image: Azure RemoteApp collection user access in the Azure Portal]

However, this feature was deprecated starting from 11/12/2014. See also: “As of 11/12/2014 ‘Active Directory group’ support for Azure RemoteApp will be deprecated”.

The statement that Microsoft made related to this change:

“…Continuous changes to user groups' membership, especially when that group owner is different from RDS admin, make billing and usage less predictable. Because of this, we are deprecating user group support in Azure RemoteApp…”

As a result, the only way to add users in bulk is using the .CSV bulk import option. You can find more info on that here: Introducing CSV based user import

To allow for easier management I wrote a PowerShell script that synchronizes users to an Azure RemoteApp Collection based on Active Directory group membership.

The script will do the following, based on a specified Active Directory group and Azure RemoteApp Collection:

- Add users to the Azure RemoteApp Collection who are members of the AD group
- Remove users from the Azure RemoteApp Collection who are no longer members of the AD group

The result is that only users who are members of the Active Directory group are allowed access to the Collection, and only those users are billed.

Below is sample output from a scenario where 4 new users were added to the group and 4 other users were removed from it. When finished, the script outputs the users currently allowed access to the Collection.

[image: sample script output]

If needed, you could run this periodically from a Scheduled Task, or better still from Azure Automation, and include the action of adding users to the AD group in your current Identity Management solution.

The Azure Portal below reflects the changes instantly.

[image: Azure Portal showing the updated user list]

I uploaded the PowerShell script to TechNet Gallery, get the link here:

https://gallery.technet.microsoft.com/Manage-users-in-Azure-f793aea7

The PowerShell script obviously requires both the Active Directory and Azure modules, plus an Azure Publish Settings file, to be able to connect to Azure for remote management.

Two notes of caution:

- Any user who is not a member of the group specified in the script will be removed from the Azure RemoteApp Collection, without a warning. So make sure the group contains all users who need access to the Collection.

- You will be billed by Azure based on the number of users that have been allowed access. So make sure that the group specified in the script only contains members who actually need access.
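The following is an added example of the add/remove synchronization described above, written for this page; it is not the script published on the TechNet Gallery. It assumes the classic Azure Service Management module (whose Azure RemoteApp cmdlets Get-AzureRemoteAppUser, Add-AzureRemoteAppUser and Remove-AzureRemoteAppUser take -CollectionName, -Type and -UserUpn) and the ActiveDirectory module; the property names on the objects Get-AzureRemoteAppUser returns (Name, Type) and the OrgId value for -Type are assumptions. The two cautions above are built in: -WhatIf previews removals before they happen, and a group that resolves to no enabled users stops the run instead of stripping every user from the collection.

```powershell
# Added example, not the TechNet Gallery script. Assumes the classic Azure module
# (Azure RemoteApp cmdlets) and the ActiveDirectory module are installed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $ADGroup,             # e.g. 'RemoteApp-Users' (hypothetical name)
    [Parameter(Mandatory)] [string] $CollectionName,      # Azure RemoteApp collection to sync
    [Parameter(Mandatory)] [string] $PublishSettingsFile  # .publishsettings file downloaded from Azure
)

Import-Module ActiveDirectory
Import-Module Azure
Import-AzurePublishSettingsFile -PublishSettingsFile $PublishSettingsFile

# Desired state: UPNs of enabled user accounts in the AD group (nested groups included).
$desired = @(
    Get-ADGroupMember -Identity $ADGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties UserPrincipalName, Enabled } |
        Where-Object { $_.Enabled -and $_.UserPrincipalName } |
        ForEach-Object { $_.UserPrincipalName.ToLowerInvariant() } |
        Sort-Object -Unique
)

# Safety stop: an empty or mistyped group would otherwise remove every user from the collection.
if ($desired.Count -eq 0) {
    throw "AD group '$ADGroup' resolved to no enabled users; refusing to sync (it would remove all access)."
}

# Current state: users already authorized on the collection.
# .Name is assumed to hold the UPN and .Type the account kind ('OrgId' = Azure AD account).
$current = @(
    Get-AzureRemoteAppUser -CollectionName $CollectionName |
        Where-Object { $_.Type -eq 'OrgId' } |
        ForEach-Object { $_.Name.ToLowerInvariant() }
)

$toAdd    = @($desired | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $desired })

foreach ($upn in $toAdd) {
    if ($PSCmdlet.ShouldProcess($upn, "Add to collection '$CollectionName'")) {
        Add-AzureRemoteAppUser -CollectionName $CollectionName -Type OrgId -UserUpn $upn
    }
}

foreach ($upn in $toRemove) {
    # Removal is silent in the service, so -WhatIf / -Confirm is the only warning you get.
    if ($PSCmdlet.ShouldProcess($upn, "Remove from collection '$CollectionName'")) {
        Remove-AzureRemoteAppUser -CollectionName $CollectionName -Type OrgId -UserUpn $upn
    }
}

# Summary plus the resulting access list; the count of users is what Azure bills for.
Write-Output ("Added: {0}  Removed: {1}" -f $toAdd.Count, $toRemove.Count)
Get-AzureRemoteAppUser -CollectionName $CollectionName | Select-Object Name, Type
```

Run it once with -WhatIf to review the planned additions and removals before letting it change the collection; when scheduling it, keep the group membership change as the only input so that the billed user count is always explained by the group.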
