[REWST - TASK] Remove Group Memberships

This workflow automatically removes users from both Microsoft 365 and on-premises Active Directory groups, functioning as a critical building block in comprehensive user management automations like offboarding, permission adjustments, or security remediation processes. MSPs will find this particularly valuable during client offboarding processes, security incident responses requiring immediate access revocation, compliance audits, and multi-tenant management scenarios where maintaining accurate group memberships across different environments is challenging. Technically, the workflow retrieves the user's current group memberships via Microsoft Graph API, evaluates whether to process cloud-based groups (Microsoft 365) or on-premises Active Directory groups (or both), and then executes the removals using appropriate methods for each environment—API calls for cloud groups and PowerShell commands via RMM for on-premises groups.

This workflow contains 12 tasks.

Inputs

  • idp_config - string

    • Accepted values are: on_prem, hybrid_no_sync, azure_ad, on_prem_only. If no value is provided value will be determined via org var logic.

    • Default: {{ CTX.idp_config|d }}

  • on_prem_dc - string

    • The hostname of the On-Prem Domain Controller.

    • Default: {{ ORG.VARIABLES.primary_domain_controller|d }}

  • aad_user_id - string

    • The GUID of the Azure/Entra User.

  • default_rmm - string

    • Default RMM

  • on_prem_user_id - string

    • The User ID of the On-Prem user.

Outputs

  • automation_log: Standardized Rewst automation log

  • success: Boolean; States if workflow was successful.

  • removed_groups: List of groups that were removed.

  • dynamic_groups: List of dynamic groups that the user could not be removed from.

Key tasks

  • failure_catch: Core integration: noop

  • get_user_groups: Data retrieval

  • check_azure: Validation/verification

  • check_onprem: Validation/verification

  • check_for_groups: Validation/verification

Jinja examples

Example 1

{{ CTX.aad_user_id }}

Used in input parameter 'endpoint'

Example 2

{{ \r [\r group\r for group in CTX.get_user_groups.data.value\r if group not in [\"@odata.context\", \"value\"]\r ]\r }}

Unknown context

Last updated

Was this helpful?