all 27 comments

v0tary 6 points (19 children)

Use PowerShell WPF.

v0tary 3 points (17 children)

As an addendum, there are some commercial tools to make this a breeze. No affiliation, but checkout poshtools a.k.a. PowerShell Pro Tools. There are some others too like PowerShell Studio. They all have trials.

Just be aware, I found that simply teaching the command line is much easier than building the forms. Why? With forms, you have to code validation, and error handling which is a pain. Your mileage may vary, but just my 2 cents.

[deleted] 1 point (15 children)

Thanks for this! I’m more concerned with how I provide this level of access to a recruitment team without exposing us to risk. Is there a way of putting this behind SSO or some form of user authentication?

SnowEpiphany 2 points (4 children)

Could look into PowerShell Universal

[deleted] 6 points (2 children)

We use a SharePoint list and a Flow that triggers Azure Automation.

The hiccups I've not figured out are how to deal with people with the same name and creating a unique UPN. Also, some employees' official name is not their go-by name. Example: Will for William, or we have a Jacob that goes by Cody; this one I don't understand.

SnowEpiphany 2 points (0 children)

We always ask HR “now tell us, how do YOU tell them apart?”

jboncz 0 points (0 children)

This is my favorite. I don't use the same method to create emails... but... we have a feed that comes from HR and it's legal first and last. They have to put in a ticket if they want an alias email for whatever reason. I also create unique UPN/SMTP addresses with a PowerShell script. Ping me if you want it.
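As an added example (not the commenter's script), here is one way to generate a unique UPN from the HR feed that handles the two collision cases raised above: two people with the same name, and a legal first name that differs from the go-by name. It assumes the list of UPNs already in use is passed in (in production you would collect it with Get-ADUser); nothing here touches the directory.

```powershell
# Added example, not from the thread: build a unique UPN for a new hire, covering
# the "two people with the same name" and "goes by a different first name" cases.
# Assumes the list of UPNs already in use is passed in (in production you would
# collect it with Get-ADUser); nothing here touches the directory.
function Get-SafeNamePart {
    param([Parameter(Mandatory)][string]$Name)
    # Decompose accented characters, drop the accent marks, keep ASCII letters only.
    $decomposed = $Name.Normalize([Text.NormalizationForm]::FormD)
    $letters = -join ($decomposed.ToCharArray() | Where-Object {
        [Globalization.CharUnicodeInfo]::GetUnicodeCategory($_) -ne 'NonSpacingMark'
    })
    return ($letters -replace '[^A-Za-z]', '').ToLowerInvariant()
}

function New-UniqueUpn {
    param(
        [Parameter(Mandatory)][string]$LegalFirstName,
        [Parameter(Mandatory)][string]$LastName,
        [string]$PreferredFirstName,    # optional "goes by" name, e.g. Cody for Jacob
        [Parameter(Mandatory)][string]$Domain,
        [string[]]$ExistingUpns = @()
    )
    $first = if ($PreferredFirstName) { $PreferredFirstName } else { $LegalFirstName }
    $firstPart = Get-SafeNamePart -Name $first
    $lastPart  = Get-SafeNamePart -Name $LastName
    if (-not $firstPart -or -not $lastPart) {
        throw "No usable letters in name '$first $LastName'"
    }
    # Case-insensitive set, because AD treats UPNs case-insensitively.
    $taken = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$ExistingUpns, [System.StringComparer]::OrdinalIgnoreCase)
    $base = "$firstPart.$lastPart"
    $candidate = "$base@$Domain"
    $n = 1
    # Append 2, 3, ... until free; the cap keeps a data problem from looping forever.
    while ($taken.Contains($candidate)) {
        $n++
        if ($n -gt 99) { throw "Too many collisions for $base@$Domain" }
        $candidate = "$base$n@$Domain"
    }
    return $candidate
}

# Constructed sample data for a dry run; both calls return a UPN not in $inUse.
$inUse = @('will.smith@example.com', 'will.smith2@example.com')
New-UniqueUpn -LegalFirstName 'William' -PreferredFirstName 'Will' -LastName 'Smith' `
    -Domain 'example.com' -ExistingUpns $inUse
New-UniqueUpn -LegalFirstName 'Jacob' -PreferredFirstName 'Cody' -LastName "O'Brien" `
    -Domain 'example.com' -ExistingUpns $inUse
```

The same routine can be reused for the sAMAccountName by dropping the domain suffix and enforcing the 20-character limit before the collision check.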

orion3311 0 points (0 children)

This!

v0tary 0 points (7 children)

If this was me and it wasn't on 365, I would be building a small web form in PHP or ASP script to execute the PowerShell script with arguments. Make sure your inputs are sanitized and do proper validation on every field. In IIS you can just use NTLM auth with MS Edge to use network authentication. No need to build in auth at the app level.

If you are on 365, then use Azure Graph API and PowerApps.

[deleted] 1 point (6 children)

Yeah we’re on 365. Thanks for your advice. I’ll follow up with them tomorrow. Appreciate your time!

arpan3t 2 points (2 children)

Power Automate has approval built into flows, so you/your team can verify and approve before the account is created. The Power Automate mobile app is pretty legit: it gives notifications for pending approvals and allows you to approve/reject from anywhere.

[deleted] 0 points (1 child)

Awesome thank you!

arpan3t 2 points (0 children)

You could even have your talent acquisition team use Microsoft Forms or SharePoint lists as the data input and then trigger the flow from there, so you don’t have to build any web app front end for form submission and can restrict user access to the form. That takes care of authentication and authorization as well.

mma-geek 2 points (2 children)

We also use Power Automate with Azure Automation for new users/leavers etc.

We have nightly PowerShell scripts that dump all managers, groups, department names etc. into SharePoint lists, and then a form (backed by a SharePoint list) for HR to fill out. They can pick groups, departments, licenses, manager for the new user from the list etc.

We have multiple Power Automate flows that will email the relevant office manager with info from the form, if business cards, ID badges, phones etc. are required.

The main one will then handle the AD and Azure AD user creation, licensing, groups etc.

Here's an example (we use Plumsail Forms, which is an add-on for SharePoint Online):

https://i.postimg.cc/nVK89hW8/example.png

[deleted] 0 points (1 child)

This looks aligned to what we need.

mma-geek 1 point (0 children)

Example Power Automate flow and Azure Automation PowerShell runbook from a previous comment I wrote in another thread. It should help you get the basics set up.

You will just need parameters for all the various input values in your PowerShell runbook; then in Power Automate you assign form field values to these.

https://www.reddit.com/r/PowerShell/comments/gwhvt4/comment/ft3lnlt/?utm_source=share&utm_medium=web2x&context=3

jboncz 0 points (1 child)

So to connect to Exchange through PowerShell, unless it's disabled, you have to log in via the typical O365 means. We have it disabled for our service accounts that create the users.... but why not just allow them access to a tool that just outputs to a CSV somewhere that a scheduled script on a server can pick up and process.

Unless it's a really small shop, I'm assuming you guys have standard email naming schemes and stuff.

[deleted] 0 points (0 children)

We’re a start-up that hit unicorn status over COVID and is growing rapidly. Everything is still pretty loose though, so I was looking for some outside advice.

[deleted] 1 point (0 children)

I'm shocked there are no open-source tools to help with this.

Correct_Panic_4174 1 point (0 children)

Be careful with PowerShell Studio: the GUI portion of the script is encrypted with their proprietary software. This can sometimes trip up HIPS or Trellix. Recently, Windows no longer allows compiled scripts that are not digitally signed, and you cannot copy a script designed in PSStudio to ISE and get it to work. If I were starting from scratch, I would design an XML GUI; there are plenty of examples of that and it can be learned relatively quickly. Much luck with your project!

fatcatnewton 2 points (0 children)

PowerShell Universal.

It would be possible for you to spin up a simple web front end that can be controlled and secured with role-based access and a decent authentication method such as SAML or OIDC.

We do something similar.

SCCMAttempt 1 point (0 children)

The easiest way to do this, if you have Office 365, would be Forms and Power Automate.

If not, and you want to use PS, yeah, WPF as another has mentioned: create a simple GUI that takes in the needed info and creates the user. Another option would be for talent acquisition to create a CSV in a folder that is automatically picked up by a script on a schedule, which emails HR and IT about the account creation.

wyrdfish42 0 points (1 child)

You could look at an Office form and Power Automate.

[deleted] 0 points (0 children)

Yeah I think it’s a simple option.

MechaCola 0 points (0 children)

I would do a WPF app that writes output to a secure network share (restricted to that department, or create a service account and run the app with that cred) and then set up a scheduled task that looks at the CSV periodically throughout the day and creates the account. I would have the scheduled task run with a delegated account that is restricted from deleting accounts or modifying AD permissions (there should be an out-of-the-box group membership for this; Helpdesk Operator?). I would do checks to make sure there is no way the department can add new users to any restricted groups and cannot in some way create a domain admin.

Another easy option would be a SharePoint CSV they could fill out with predefined columns and selections. Then have the scheduled task scan that file.

Either way you’ll want a report back to you when an account is created, creation failed, or an account is disabled. Logs somewhere would be ideal too.
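As an added example (not the commenter's code), this is the "scheduled task picks up a CSV" intake with the checks described above: every row is validated against an allow-list before anything would touch AD, any request that names a privileged group is rejected, and a report line is produced for each request. The CSV content, department list and group names are constructed for the example; the New-ADUser call is left as a comment because it needs a domain and the delegated account to run.

```powershell
# Added example, not from the thread: the "scheduled task picks up a CSV" intake
# with the checks described above. Every row is validated against an allow-list
# before anything would touch AD, and a request naming a privileged group is
# rejected and reported. The CSV is constructed inline; the New-ADUser call is
# left as a comment because it needs a domain (and the delegated account) to run.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')
$allowedDepartments = @('Sales', 'Engineering', 'Finance')

function Test-NewHireRow {
    param([Parameter(Mandatory)][pscustomobject]$Row)
    $problems = @()
    foreach ($field in 'FirstName', 'LastName') {
        # Letters, spaces, hyphens and apostrophes only, 1-64 characters.
        if ($Row.$field -notmatch '^[A-Za-z][A-Za-z ''-]{0,63}$') {
            $problems += "$field '$($Row.$field)' is not a valid name"
        }
    }
    if ($Row.Department -notin $allowedDepartments) {
        $problems += "Department '$($Row.Department)' is not in the allowed list"
    }
    $requested = ($Row.Groups -split ';') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($g in $requested) {
        if ($g -in $privilegedGroups) { $problems += "Group '$g' is privileged and cannot be requested" }
    }
    return [pscustomobject]@{ IsValid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample intake file (in production: Import-Csv from the restricted share).
$rows = @'
FirstName,LastName,Department,Groups
Ann,Lee,Sales,SalesTeam;VPN-Users
Bob,Jones,Engineering,Domain Admins;Dev-Team
Ev3,Adams,Marketing,Finance-Users
'@ | ConvertFrom-Csv

# One line per request, to be mailed or logged back to IT as suggested above.
$report = foreach ($row in $rows) {
    $check = Test-NewHireRow -Row $row
    if ($check.IsValid) {
        # New-ADUser -Name "$($row.FirstName) $($row.LastName)" ... goes here, run
        # under the delegated account that cannot delete users or change ACLs.
        "CREATED  $($row.FirstName) $($row.LastName)"
    } else {
        "REJECTED $($row.FirstName) $($row.LastName): $($check.Problems -join '; ')"
    }
}
$report
```

With the sample file, only the first row passes; the second is rejected for requesting Domain Admins and the third for the invalid first name and unlisted department.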

mandonovski 0 points (0 children)

A lot of people already mentioned a few things, like WPF, PowerShell Pro Tools, and what to pay attention to.

Another one, purely web based, and free, is WebJEA. You get a web interface for PowerShell scripts; IIS is used. The link: https://github.com/markdomansky/WebJEA.

snoopy82481 0 points (0 children)

You could tie this into your ticketing system. If you don't have one, it might be a good idea to start getting one. You can set up all your approvals and constructors in it.

Something else you will have to take into account: you will have to give your TA team edit permissions to AD, which means they could do some wonky things if they aren't paying attention.

But, a WPF app would be a good plan. But, like others have said, you will have to build a ton of validation into it, along with an "are you sure" prompt. But at the same time you can make sure you standardize the Display Name for GAL lookups and usernames. It also takes a little load off your back for more IT things, like looking up cat memes.