I developed the following PowerShell function to automate the creation and removal of Azure Resource Groups based on Azure AD Group membership in a Demo Azure subscription. The script is deployed as a Runbook in an Azure Automation account and scheduled to run once a day.
As new users are added to a designated Azure Active Directory security group, a resource group is automatically provisioned for each of them when the script runs, and each user is assigned the appropriate role definition (Owner) on their own resource group. When a user is removed from the Azure AD security group, the resource group and the resources it contains are removed automatically at the next script run.
The script takes a SubscriptionName parameter. The Azure logon is performed as a Service Principal, using its Application Id and certificate thumbprint. The script then reads the MailNickName property of each Azure AD group member, and lists the current resource groups whose names match the value of the $RGPrefix variable.
If no matching resource groups exist yet, the script creates one for each member of the Azure AD security group. Each user's resource group is named by appending the user's MailNickName property to the RGPrefix value. The resource groups are assigned initial tags, and the Owner role definition is assigned to the Azure AD user at the resource group scope. The following screenshot shows resource groups created after running the script:
The next section of the script handles ongoing changes, including the reverse scenario. It compares the suffixes of the current resource groups with the MailNickName values of the Azure AD group members using the Compare-Object cmdlet. Based on the result, resource groups are created for newly added group members, and resource groups with no matching Azure AD user in the array are removed.
To run successfully, this Runbook needs the AzureAD and AzureRM modules imported into the Azure Automation account. A Service Principal with an associated certificate must be created and granted access to Azure AD and to the subscription.
```powershell
param(
    [parameter(Mandatory = $true)]
    [string]$subscriptionName = "Trial Subscription"
)

#region Azure Logon
# The service principal identity and its certificate are read from Automation
# assets, so no credential is embedded in the runbook itself.
$adAppId        = Get-AutomationVariable -Name "AutomationAppId"
$tenantId       = Get-AutomationVariable -Name "AutomationTenantId"
$subscriptionId = Get-AutomationVariable -Name "AutomationSubscriptionId"
$cert           = Get-AutomationCertificate -Name "AutomationCertificate"
$certThumbprint = ($cert.Thumbprint).ToString()

Login-AzureRmAccount -ServicePrincipal -TenantId $tenantId -ApplicationId $adAppId -CertificateThumbprint $certThumbprint
Connect-AzureAD -TenantId $tenantId -ApplicationId $adAppId -CertificateThumbprint $certThumbprint
Select-AzureRmSubscription -SubscriptionName $subscriptionName
#endregion

#region Resource group reconciliation
$RGPrefix = "RGCloudGroup_"
$Location = "southcentralus"

# Members of the designated Azure AD security group; each member's MailNickName
# becomes the suffix of that member's resource group name.
$cloudGroupObj            = Get-AzureADGroup -SearchString "Cloud Group"
$cloudGroupMembers        = Get-AzureADGroupMember -ObjectId $cloudGroupObj.ObjectId
$groupMembersDisplayNames = @($cloudGroupMembers | ForEach-Object { $_.MailNickName })

# Suffixes of the resource groups this runbook manages. Split on the first "_"
# only, so a MailNickName that itself contains "_" is preserved intact.
$rgNamesSplit = @(Get-AzureRmResourceGroup |
    Where-Object ResourceGroupName -like "*RGCloudGroup_*" |
    ForEach-Object { $_.ResourceGroupName.Split("_", 2)[1] })

if ($rgNamesSplit.Count -eq 0) {
    # First run: no managed resource groups exist yet, so create one per member
    # and make that member Owner of it.
    foreach ($cloudGroupMember in $cloudGroupMembers) {
        $rgsuffix  = $cloudGroupMember.MailNickName
        $clouduser = Get-AzureADUser -SearchString $cloudGroupMember.MailNickName
        $tags = @{
            CreatedBy  = "Automation"
            Department = "CloudGroup"
        }
        $rgObj = New-AzureRmResourceGroup -Name ($RGPrefix + $rgsuffix) -Tag $tags -Location $Location
        New-AzureRmRoleAssignment -ResourceGroupName $rgObj.ResourceGroupName -RoleDefinitionName Owner -ObjectId $clouduser.ObjectId -ErrorAction SilentlyContinue
    }
}
else {
    # Subsequent runs: "<=" marks a group member without a resource group,
    # "=>" marks a resource group whose user is no longer a group member.
    $compares = Compare-Object -ReferenceObject $groupMembersDisplayNames -DifferenceObject $rgNamesSplit
    foreach ($compare in $compares) {
        if ($compare.SideIndicator -eq "<=") {
            $newMember = $compare.InputObject
            $rgsuffix  = $newMember
            $cloudUser = Get-AzureADUser -SearchString $newMember
            $tags = @{
                CreatedBy  = "Automation"
                Department = "CloudGroup"
            }
            $rg = Get-AzureRmResourceGroup -Name ($RGPrefix + $rgsuffix) -ErrorAction SilentlyContinue
            if ($null -eq $rg) {
                $rgObj = New-AzureRmResourceGroup -Name ($RGPrefix + $rgsuffix) -Tag $tags -Location $Location
                New-AzureRmRoleAssignment -ResourceGroupName $rgObj.ResourceGroupName -RoleDefinitionName Owner -ObjectId $cloudUser.ObjectId -ErrorAction SilentlyContinue
            }
        }
        elseif ($compare.SideIndicator -eq "=>") {
            $removedMember = $compare.InputObject
            # -Force deletes the resource group and every resource in it without prompting.
            Remove-AzureRmResourceGroup -Name ($RGPrefix + $removedMember) -Force -ErrorAction SilentlyContinue
        }
    }
}
#endregion

#Get-Variable | Remove-Variable -ErrorAction SilentlyContinue
#cls
```
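The reconciliation step above is the part of the runbook that decides what gets deleted, so it is worth being able to inspect its decisions before they are executed. The following function is an added example, not part of the original runbook: it reproduces the Compare-Object logic on plain string arrays so it runs offline, returns a plan (Create / Remove / Keep) instead of calling Azure, and adds two checks the runbook does not have: it only treats resource group names that start with the prefix as managed, and it refuses to plan removals when the member list is empty, since an emptied or misread group would otherwise delete every managed resource group in one run. The function name, its parameters and the sample data are all constructed for this example.

```powershell
# Added example (not the original runbook's code). Function and parameter names are hypothetical.
function Get-ResourceGroupReconciliationPlan {
    [CmdletBinding()]
    param(
        # MailNickName values of the current Azure AD group members (desired state)
        [AllowEmptyCollection()]
        [string[]]$MemberNickNames,

        # Names of the resource groups that currently exist in the subscription (actual state)
        [AllowEmptyCollection()]
        [string[]]$ResourceGroupNames,

        [string]$Prefix = 'RGCloudGroup_',

        # Safety check: removals are only planned for an empty member list when this is set.
        [switch]$AllowRemoveAll
    )

    # Only resource groups whose name starts with the prefix are managed. The suffix is the
    # MailNickName, so take everything after the prefix rather than splitting on "_" again.
    $managedSuffixes = @($ResourceGroupNames |
        Where-Object { $_.StartsWith($Prefix, [System.StringComparison]::OrdinalIgnoreCase) } |
        ForEach-Object { $_.Substring($Prefix.Length) })

    if ($MemberNickNames.Count -eq 0 -and -not $AllowRemoveAll) {
        throw "No group members found; refusing to plan removal of $($managedSuffixes.Count) managed resource group(s). Use -AllowRemoveAll to override."
    }

    $plan = New-Object System.Collections.Generic.List[object]

    function Add-PlanEntry([string]$Action, [string]$NickName) {
        $plan.Add([pscustomobject]@{
            Action            = $Action
            MailNickName      = $NickName
            ResourceGroupName = $Prefix + $NickName
        })
    }

    # Compare-Object in Windows PowerShell 5.1 rejects an empty array for either side,
    # so the two one-sided cases are handled explicitly instead of crashing the run.
    if ($MemberNickNames.Count -eq 0) {
        foreach ($s in $managedSuffixes) { Add-PlanEntry -Action 'Remove' -NickName $s }
    }
    elseif ($managedSuffixes.Count -eq 0) {
        foreach ($m in $MemberNickNames) { Add-PlanEntry -Action 'Create' -NickName $m }
    }
    else {
        # Same comparison the runbook makes: "<=" is a member without a resource group,
        # "=>" is a resource group without a member, "==" (via -IncludeEqual) is in sync.
        $diff = Compare-Object -ReferenceObject $MemberNickNames -DifferenceObject $managedSuffixes -IncludeEqual
        foreach ($d in $diff) {
            $action = switch ($d.SideIndicator) {
                '<=' { 'Create' }
                '=>' { 'Remove' }
                '==' { 'Keep' }
            }
            Add-PlanEntry -Action $action -NickName $d.InputObject
        }
    }

    return $plan
}

# Constructed sample input: three current members and four existing resource groups,
# one of which is unrelated to this runbook and must not be touched.
$members  = 'alice', 'bob', 'carol_dev'
$existing = 'RGCloudGroup_alice', 'RGCloudGroup_dave', 'RGCloudGroup_carol_dev', 'NetworkingRG'

Get-ResourceGroupReconciliationPlan -MemberNickNames $members -ResourceGroupNames $existing |
    Sort-Object Action, MailNickName |
    Format-Table -AutoSize

# The safety check fires here because the member list is empty.
try {
    Get-ResourceGroupReconciliationPlan -MemberNickNames @() -ResourceGroupNames $existing | Out-Null
}
catch {
    Write-Warning $_.Exception.Message
}
```

Running the plan first and acting on its rows afterwards separates the decision from the destructive Remove-AzureRmResourceGroup -Force call, which makes the runbook's output reviewable in the job history and gives a single place to add an upper bound on how many resource groups one run may delete.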