AAD Register Approver

Ever wondered how how you could require Admin consent for Azure AD Registering devices?

In Azure Active Directory any user can, by default, register a Windows device with Azure AD. This gives the device an identity and enables Single Sign-On. This makes it a great option for Bring Your Own Device scenarios. But BYOD should not mean a free for all on which devices a user can join to your environment.

AAD Register Approver is an Azure Logic App that disables any Windows Azure AD registered devices until an Administrator approves them.

Disclaimer: This is a Proof of Concept. I offer no warranty, support or guarantees of any kind for this App. You can use it at your own risk. You are free to make any changes to it that you require. Just be sure to check everything in a test environment before going to production!

Logic App Flow

  • User Azure AD registers a Windows device.
  • App disables the Azure AD object for the new device and sets extensionAttribute1 to ‘Pending Approval’.
  • App emails user notifying them that device approval is pending.
  • App emails Administrator requesting approval.
  • Administrator approves or rejects the device using one time use buttons in that email.
  • If approved, the App enables the Azure AD object for the device and sets extensionAttribute1 to ‘Approved’. The user is emailed notifying that the device is approved.
  • If rejected, the App leaves the Azure AD object disabled and sets extensionAttribute1 to ‘Rejected’. It also emails the user notifying that the device was blocked.

Pre-Requisites

  • Office365 mail enabled service account for sending approval emails.
  • Application Administrator role in Azure.
  • Privileged Role Administrator role in Azure AD.

Implement AAD Register Approver

Prepare The Tenant

It is necessary to set the extensionAttribute1 for all legacy devices prior to implementing the Logic App. Failure to do this will result in all Windows AAD Registered devices being immediately disabled and approval emails being sent.

  • Open a Powershell console and run the command:
Install-Module Microsoft.Graph
  • Connect to MS Graph. Accept the permissions but do not grant admin consent for the organisation:
Connect-MgGraph -Scopes "Directory.AccessAsUser.All"
  • Get all target devices in to a variable:
$TargetDevices = Get-MgDevice -Property "createdDateTime,id,deviceId,displayName,operatingSystem,operatingSystemVersion,trustType,extensionAttributes" | ?{($_.operatingSystem -contains ‘Windows’) -and ($_.trustType -contains ‘Workplace’)}
  • Write the extensionAttribute1 Approved to all target devices:
Foreach($Device in $TargetDevices){
$Attributes = @{
          "extensionAttributes" = @{
          "extensionAttribute1" = ‘Approved’}
         }  | ConvertTo-Json
Update-MgDevice -DeviceId $Device.Id -BodyParameter $Attributes 
      }
  • Optionally, delete the Enterprise Application Microsoft Graph Powershell. Before deleting, make sure that no one else is using it by checking:
    • a) the instance you are deleting is the one created on the date that you first ran the Powershell commands
    • b) that only your user account has the permissions applied to it.

App Registration

An App Registration is required to expose Graph API for the Logic App to use.

  • In Azure AD > App Registrations > New Registration
  • Enter the Name AAD Register Approver > Leave everything else as it is and select Register.
  • On the Overview tab, make a note of the following fields
    • Application (client) ID
    • Directory (tenant) ID
  • On the left, select Certificates & secrets > New client secret.
  • Enter a Description and set the expiry as required > Select Add
  • Make a note of the Value of the secret key

Note: Once you navigate away from this screen you cannot retrieve the key’s value in the portal.

  • Lastly, we need to assign the Cloud Device Administrator role to the Service Principal for the App Registration.
  • In Azure AD > select Roles and administrators.
  • Search for ‘Cloud device’ > select Cloud device administrator
  • Select Add assignments > Select members > You must enter the name of the App Registration in the search field because it will not appear in the initial scrollable list.
  • Select AAD Register Approver > Select Next and enter a justification
  • The service principal is now listed with the Cloud Device Administrator role

Logic App

The Azure Logic App is the key component of AAD Register Approver. It searches for new devices and processes the approval emails.
Note: If you need to use a shared mailbox as the sending email address, then after importing the app, open the Designer and change the ‘Send an email’ actions to ‘Send an email from a shared mailbox’ actions.

  • Set the Resource Group and Region as required > Create
  • In Resouce Group you will see a Logic App and an API Connection
  • Select the new Logic App > Select Disable at the top to stop it from running while you make changes.
  • On the left, select API Connections > office365 > Edit API connection
  • Change the Display Name to the mailbox that will be used to send emails from > Select Authorise > Login with the mailbox > Save
  • Go back to the Logic App > Overview tab > at the top select Edit
  • Expand the following Compose actions and populate each one with he equivalent information that was copied during the App Registration steps.
    • Compose – Tenant ID
    • Compose – Client ID
    • Compose – Client Secret
  • For the below actions, edit as required:
    • Compose – Company Name
    • Compose – Approver Email Addresses (these are the mailboxes where approval requests will be sent)
  • Once finished editing > select Save
  • Go back to the Logic App’s Overview tab > Select Enable
  • You can monitor and delve in to the processing of each run in the Run History on the Overview tab
  • You can check the approval state of a device by selecting it in Azure AD. Look for the Extension Attributes section and you will see extensionAttribute1 is either Pending Approval, Approved or Rejected.

Ideas

Here are some other changes you could make to suit your environment.

  • Change the interval in the reoccurrence action. Keep in mind that the more often it runs the more it will cost.
  • Use an Azure Key Vault for storing the Client Secret.
  • Use Teams channels instead of emails for requesting approvals.
  • Use Conditional Access to:
    • Require Multi-Factor Authentication whenever a user tries to Azure AD Register a device.
    • Block authentication from non-Azure AD registered devices.

Advertisement