Monitoring Azure AD group membership changes with Azure Logic Apps
To monitor Azure AD group membership changes with Azure Logic Apps, you'll need to set up a few Azure resources:
- Azure AD Group: This is the Active Directory group whose membership changes you want to monitor.
- Logic App: This will be the core of your solution, where you'll define the logic for handling changes in group membership.
- Event Trigger: Logic Apps require a trigger to start the workflow. For monitoring group membership, you'll typically use an Azure Event Grid trigger that listens to Azure AD events.
- Action Group (optional): To perform an action such as sending an email or a notification, you might include an Azure Monitor Action Group.
As of my knowledge cutoff date and the current Pulumi Registry, there is no direct event source for group membership changes that can trigger Azure Logic Apps. Therefore, you need to create an Azure Function or use a service with webhook capabilities to handle the event and invoke the Logic App. For the initial monitoring, you may need to use Azure Functions to receive and filter the events and then forward them to the Logic App.
Below is a TypeScript program using Pulumi to set up an Azure Logic App that could be part of such a monitoring solution:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
import * as azuread from "@pulumi/azuread";

const resourceGroup = new azure.core.ResourceGroup("resourceGroup", {
    location: "WestEurope", // pick the region that suits your deployment
});

// Azure AD group to monitor; replace with the ID of an existing group if you already have one
const adGroup = new azuread.Group("adGroup", {
    displayName: "PulumiMonitoredGroup",
    mailNickname: "pulumimonitoredgroup",
    securityEnabled: true,
});

// Logic App workflow. In the classic Azure provider, triggers and actions are separate resources
// rather than arguments of the workflow itself.
const logicApp = new azure.logicapps.Workflow("workflow", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    // To require Azure AD OAuth tokens on the trigger instead of relying on the SAS in the
    // callback URL, configure accessControl.trigger.openAuthenticationPolicies here (not shown).
});

// HTTP Request trigger that the Azure Function will POST to; the schema describes the expected body
const trigger = new azure.logicapps.TriggerHttpRequest("trigger", {
    logicAppId: logicApp.id,
    method: "POST",
    schema: JSON.stringify({
        type: "object",
        properties: {
            changes: { type: "array" }, // membership changes forwarded by the Azure Function
        },
    }),
});

// Define the actions you want to execute when the Logic App is triggered
// (e.g. azure.logicapps.ActionHttp or azure.logicapps.ActionCustom): sending an email
// notification, triggering another workflow, etc. These are specific to what you want
// to achieve in response to the group membership change.

// Export the trigger URL. It embeds a shared access signature that authorises running the
// workflow, so it is marked secret and must be handed to the Azure Function as a secret.
export const logicAppUrl = pulumi.secret(trigger.callbackUrl);
export const monitoredGroupId = adGroup.id;

// Logic for handling the Azure AD event and invoking the Logic App would need to be deployed
// separately, potentially using Azure Functions or another similar service.
```
Explanation
- Resource Group: This is a container that holds related resources for an Azure solution. In Pulumi, you use `azure.core.ResourceGroup`.
- Azure AD Group: We're creating a new Azure AD Group called "PulumiMonitoredGroup". If you're using an existing group, you can omit this step.
- Logic App Workflow: The `azure.logicapps.Workflow` resource defines the Logic App. In the classic Azure provider the workflow does not take trigger, action or authentication blocks as arguments; the trigger is its own resource, and caller restrictions (IP ranges or Azure AD OAuth policies) are set through the workflow's access control settings.
- Trigger: The `azure.logicapps.TriggerHttpRequest` resource defines what will make the Logic App run. In this case, we have an HTTP Request trigger that listens for POST requests to its callback URL and validates the body against the given JSON schema.
- Actions: Action resources are where you would define what the Logic App does when triggered. Since Azure AD doesn't directly trigger Logic Apps, you'd typically set up an Azure Function to process Azure AD events and send a properly formatted POST request to this Logic App when group membership changes are detected.
- Exporting Logic App URL: The callback URL used to trigger the Logic App is exported at the end so that it can be called from another service like an Azure Function. Because the URL carries a shared access signature, it is exported as a secret output.
Next Steps
Once the infrastructure is provisioned, you would need to:
- Deploy an Azure Function that hooks into Azure AD group membership changes and calls the Logic App's URL.
- Configure the required Logic App actions to handle the membership changes (e.g., notify via email).
- Set up any other desired resources, such as an Azure Monitor Action Group for notifications.
Remember that this Logic App workflow is only one piece of the solution, and to fully monitor Azure AD group membership changes, you'd need to implement additional parts of the system as described above.
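As an added example (not part of the original answer), here is the filtering logic the "Next Steps" assign to the Azure Function: it takes audit-log records in the shape Azure AD streams through diagnostic settings (the sample records below are constructed), keeps only successful membership changes on the monitored group, and builds the POST for the Logic App's HTTP Request trigger. The record field names (`operationName`, `properties.targetResources`, `properties.initiatedBy`) are assumed from the audit-log export format; the callback URL is a placeholder.

```typescript
interface MembershipChange {
  action: "added" | "removed";
  groupId: string;
  groupName: string;
  member: string;
  initiatedBy: string;
  time: string;
}
// Azure AD audit-log operation names that represent membership changes.
const MEMBERSHIP_OPERATIONS: Record<string, MembershipChange["action"]> = {
  "Add member to group": "added",
  "Remove member from group": "removed",
};
// Reduce one streamed audit record to a MembershipChange, or null when it is not a
// successful membership change (other group operations, failed attempts, ...).
function toMembershipChange(record: any): MembershipChange | null {
  const action = MEMBERSHIP_OPERATIONS[record.operationName];
  if (!action || record.properties?.result !== "success") return null;
  const targets: any[] = record.properties.targetResources ?? [];
  const group = targets.find((t) => t.type === "Group");
  const member = targets.find((t) => t.type !== "Group");
  if (!group || !member) return null;
  return {
    action, groupId: group.id, groupName: group.displayName,
    member: member.userPrincipalName ?? member.displayName ?? member.id,
    initiatedBy: record.properties.initiatedBy?.user?.userPrincipalName ?? "unknown",
    time: record.time,
  };
}
// Keep only changes that touch the group being monitored.
function filterChanges(records: any[], monitoredGroupId: string): MembershipChange[] {
  return records.map(toMembershipChange)
    .filter((c): c is MembershipChange => c !== null && c.groupId === monitoredGroupId);
}
// Build the POST sent to the Logic App trigger. The callback URL carries a SAS token,
// so the Function reads it from a secret setting rather than hard-coding it.
function buildTriggerRequest(callbackUrl: string, changes: MembershipChange[]) {
  return { url: callbackUrl, method: "POST",
    headers: { "Content-Type": "application/json" }, body: JSON.stringify({ changes }) };
}
// Constructed sample export: one member added to the monitored group, one unrelated update.
const SAMPLE_RECORDS = [
  { time: "2024-01-15T10:00:00Z", operationName: "Add member to group", category: "AuditLogs",
    properties: { result: "success", initiatedBy: { user: { userPrincipalName: "admin@contoso.example" } },
      targetResources: [ { id: "u-1", type: "User", userPrincipalName: "alice@contoso.example" },
                         { id: "g-monitored", type: "Group", displayName: "PulumiMonitoredGroup" } ] } },
  { time: "2024-01-15T10:05:00Z", operationName: "Update group", category: "AuditLogs",
    properties: { result: "success", targetResources: [ { id: "g-monitored", type: "Group" } ] } },
];
```

Wire `filterChanges` to the Function's Event Hub or HTTP input and pass the result to `buildTriggerRequest` with the secret `logicAppUrl` output; an empty result means nothing needs to be sent.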