Automate Admin permission consent for new workspaces
GRANT ADMIN PERMISSION: Purpose: The purpose of this solution is to automate the admin permission consent prompt that appears when a new project is created within the SDE environment.
SCOPE: The scope of this solution is the SDE Beta level. This means that only projects created within the SDE Beta environment are automated for the admin permission grant.
What is addressed? When a new workspace/project is created within the SDE environment, a few resources are deployed within the organization’s Azure cloud. One of these is an enterprise application that serves as the gateway API for accessing the project. When the workspace/project is created, the SDE environment requires that this application has the necessary permissions, and as a result an admin permission grant window pops up. We do not want this window to appear, hence the need to grant the admin consent programmatically.
Solution: The solution that removes the pop-up is to programmatically grant the enterprise application of the newly created project access to the enterprise application of the SDE environment.
Configuration
- Log Analytics workspace: Houses the data used for querying, alerting and actioning.
- Diagnostics Settings: Listens for the creation of a new enterprise app and sends the data from Microsoft Entra ID to the Log Analytics workspace.
- Alerts: Periodically queries the Log Analytics workspace for newly created enterprise applications and, upon detecting any, notifies an action group.
- Action Group: Calls the solution that runs the job.
- Runbook: The automation component that hosts the solution that runs the job.
SETUP:
- Log Analytics workspace: A Log Analytics workspace named Grant-adm-perm-wrk-spce was created. This is where the diagnostics setting named Grant Admin Permission Log Analytics sends aggregated data for querying.
- Diagnostics Settings: A new diagnostics setting named Grant Admin Permission Log Analytics was set up on Microsoft Entra ID to aggregate audit log data and send it to the Grant-adm-perm-wrk-spce Log Analytics workspace.
- Alert: Within the Grant-adm-perm-wrk-spce Log Analytics workspace, an alert named Grant Admin Permission Beta was created. It queries the Log Analytics workspace for a newly created enterprise app and, upon detecting one, calls the action group.
- Action Group: Within the Grant-adm-perm-wrk-spce Log Analytics workspace, an action group named Grant-admn-perm-auto-Beta was created. Its purpose is to call the Azure runbook that runs the solution to grant the admin permission.
- Azure Runbook: An Azure runbook named Grant-admn-perm-automation was created within the organization’s automation account named bh-automation-acc. Its purpose is to host the solution that, when triggered by the action group, grants the admin permission consent.
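The following PowerShell runbook is an added example and not the repository's own Grant-admn-perm-automation code. It shows both halves of the setup above in one place: the AuditLogs query that the Grant Admin Permission Beta alert can use as its condition, and the grant the runbook performs for each newly created enterprise app. It assumes (not stated on the page) that bh-automation-acc has a system-assigned managed identity with Log Analytics Reader on Grant-adm-perm-wrk-spce and the Microsoft Graph application permissions Application.Read.All and DelegatedPermissionGrant.ReadWrite.All, that Az.Accounts and Az.OperationalInsights are imported, and that the automation variables GRANT_ADM_WORKSPACE_ID, SDE_RESOURCE_APP_ID, SDE_REQUIRED_SCOPE and SDE_PROJECT_PREFIX are hypothetical names holding placeholder values.

```powershell
<#
  Added example runbook, not the repository's own code.
  Assumptions (hypothetical, not from the page): managed identity with
  Log Analytics Reader on the workspace and Graph application permissions
  Application.Read.All + DelegatedPermissionGrant.ReadWrite.All;
  Az.Accounts and Az.OperationalInsights imported; the automation
  variables below exist.
#>
param([object] $WebhookData)   # payload from the Grant-admn-perm-auto-Beta action group; not needed, the runbook re-queries

$ErrorActionPreference = 'Stop'

$workspaceId      = Get-AutomationVariable -Name 'GRANT_ADM_WORKSPACE_ID'  # workspace GUID of Grant-adm-perm-wrk-spce (hypothetical variable)
$sdeResourceAppId = Get-AutomationVariable -Name 'SDE_RESOURCE_APP_ID'     # app (client) id of the SDE environment's enterprise app (hypothetical)
$requiredScope    = Get-AutomationVariable -Name 'SDE_REQUIRED_SCOPE'      # delegated scope to consent to, e.g. "user_impersonation" (hypothetical)
$projectPrefix    = Get-AutomationVariable -Name 'SDE_PROJECT_PREFIX'      # naming convention of SDE Beta project apps, e.g. "sde-beta-" (hypothetical)
$lookbackMinutes  = 15

# Sign in as the automation account's managed identity.
Connect-AzAccount -Identity | Out-Null

# Step 1: find enterprise apps created recently. AuditLogs is the table the
# "Grant Admin Permission Log Analytics" diagnostic setting feeds; the same
# query is what the Grant Admin Permission Beta alert evaluates.
$kql = @"
AuditLogs
| where TimeGenerated > ago(${lookbackMinutes}m)
| where OperationName == "Add service principal" and Result == "success"
| extend spObjectId = tostring(TargetResources[0].id),
         spName     = tostring(TargetResources[0].displayName)
| project TimeGenerated, spObjectId, spName
"@
$rows = (Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql).Results

# Step 2: resolve the object id of the SDE environment's service principal
# (the resource side of the grant) from its app id.
$graph = 'https://graph.microsoft.com/v1.0'
$resp  = Invoke-AzRestMethod -Method GET -Uri "$graph/servicePrincipals?`$filter=appId eq '$sdeResourceAppId'&`$select=id"
$resourceSpId = (($resp.Content | ConvertFrom-Json).value | Select-Object -First 1).id
if (-not $resourceSpId) { throw "SDE resource service principal not found for appId $sdeResourceAppId" }

foreach ($row in $rows) {
    # Guards: only interpolate well-formed GUIDs into OData filters, and only
    # consent for apps that follow the SDE project naming convention, so a
    # random new enterprise app in the tenant does not receive access.
    if ($row.spObjectId -notmatch '^[0-9a-fA-F-]{36}$') { Write-Warning "Skipping malformed id: $($row.spObjectId)"; continue }
    if ($row.spName -notlike "$projectPrefix*")        { Write-Output "Skipping $($row.spName): not an SDE project app"; continue }

    # Step 3: idempotency check, since the alert may fire more than once for
    # the same app; re-running must not create duplicate grants.
    $existing = Invoke-AzRestMethod -Method GET -Uri "$graph/oauth2PermissionGrants?`$filter=clientId eq '$($row.spObjectId)' and resourceId eq '$resourceSpId'"
    if ((($existing.Content | ConvertFrom-Json).value).Count -gt 0) {
        Write-Output "Grant already present for $($row.spName); nothing to do"
        continue
    }

    # Step 4: tenant-wide admin consent is an oauth2PermissionGrant whose
    # consentType is AllPrincipals (consent on behalf of all users).
    $body = @{
        clientId    = $row.spObjectId     # the new project's enterprise app
        consentType = 'AllPrincipals'
        resourceId  = $resourceSpId       # the SDE environment's enterprise app
        scope       = $requiredScope
    } | ConvertTo-Json
    $grant = Invoke-AzRestMethod -Method POST -Uri "$graph/oauth2PermissionGrants" -Payload $body
    if ($grant.StatusCode -ne 201) { throw "Grant failed for $($row.spName): HTTP $($grant.StatusCode) $($grant.Content)" }
    Write-Output "Admin consent granted: $($row.spName) -> $sdeResourceAppId ($requiredScope)"
}
```

Two design choices are worth keeping whatever the final runbook looks like: the runbook re-queries the workspace itself rather than trusting identifiers carried in the alert webhook payload, and it checks for an existing oauth2PermissionGrant before creating one, so repeated alert firings are harmless. The naming-prefix guard is the scoping control that keeps the automation limited to SDE Beta project apps; without it, every new service principal in the tenant would be consented.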
Output when the admin permission is successfully granted: [screenshot not reproduced on this page]