
AD Group Review Process

Overview

The AI Delivery (AID) team runs a semiannual (every 6 months) automated review of Active Directory (AD) group memberships for every system in its portfolio. The review keeps group memberships current and produces the evidence needed to show compliance with access management policies.

Each review is triggered through an Azure DevOps pipeline that generates a membership report and automatically creates a task on the AID sprint board for review and documentation.


Pipeline Schedule

Frequency      | Trigger                | Responsible System                      | Output
Every 6 months | Automated pipeline run | Each system (e.g., S0PMOBAI, S0ITMOLM) | CSV report + Azure DevOps work item

The pipeline executes automatically on a defined schedule for every registered system. Each run produces a timestamped report artifact and a new work item on the AID Sprint Board for review.


Workflow Summary

  1. Pipeline Execution: The Azure DevOps pipeline runs from the ad-groups-template.yml template. It queries Active Directory (through Microsoft Graph) for all groups tied to the specified system across all environments.

  2. Report Generation: The pipeline generates a CSV report with one row per group member, containing:

    • Group name
    • Member full name
    • Member UPN (email)
    • Environment (DEV/TST/STG/PRD)
    • Group type (OnPrem/Cloud)
    • Elevated flag (Yes/No), marking groups that grant privileged access

  3. Artifact Publication: The report is published as a pipeline artifact named ad-group-members, available for download from the pipeline run summary.

  4. Work Item Creation: A user story is automatically created in the current sprint with:

    • Title: AD Group Access Review - [SystemID]
    • Description: Includes the pipeline link and review steps
    • Tags: System ID, BAM
    • Effort: 0
    • State: Ready
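The shape of the report generation and work-item creation steps, as an added example that is not the AID pipeline's own code: it normalises Microsoft Graph group data into the report schema listed above and builds the JSON Patch body that the Azure DevOps work-item API expects. The HTTP calls are left out so it runs offline on a constructed sample, and the group naming convention used to derive the Environment and Elevated columns (SystemID-ENV-Role) is an assumption, not something the page states.

```python
"""Added example (not the AID pipeline's own code): Graph group data -> report rows,
plus the JSON Patch body for the Azure DevOps work item. Runs offline on a
constructed sample."""
import csv
import io
import re

# Constructed sample in the shape of two Graph calls per group:
#   GET /groups/{id}?$select=displayName,onPremisesSyncEnabled
#   GET /groups/{id}/transitiveMembers   (flattens nested groups)
# onPremisesSyncEnabled is true for groups synced from on-prem AD, null for cloud-only.
SAMPLE_GROUPS = [
    {
        "displayName": "S0PMOBAI-PRD-Admins",
        "onPremisesSyncEnabled": True,
        "members": [
            {"@odata.type": "#microsoft.graph.user",
             "displayName": "Ada Lovelace", "userPrincipalName": "alovelace@example.com"},
            {"@odata.type": "#microsoft.graph.servicePrincipal",
             "displayName": "deploy-automation"},
        ],
    },
    {
        "displayName": "S0PMOBAI-DEV-Readers",
        "onPremisesSyncEnabled": None,
        "members": [
            {"@odata.type": "#microsoft.graph.user",
             "displayName": "Grace Hopper", "userPrincipalName": "ghopper@example.com"},
        ],
    },
]

COLUMNS = ["Group name", "Full name", "UPN", "Environment", "Group type", "Elevated"]
ENVIRONMENTS = {"DEV", "TST", "STG", "PRD"}
# Assumed convention: groups are named <SystemID>-<ENV>-<Role>, and roles matching
# this pattern grant privileged access. Adjust to the real naming standard.
ELEVATED_ROLE = re.compile(r"admin|owner|elevated", re.IGNORECASE)


def classify(group_name):
    """Derive (environment, elevated flag) from the assumed group naming convention."""
    env = next((p for p in group_name.split("-") if p.upper() in ENVIRONMENTS), "UNKNOWN")
    elevated = "Yes" if ELEVATED_ROLE.search(group_name) else "No"
    return env, elevated


def report_rows(groups):
    """One row per (group, member). Non-user principals carry no UPN; they are kept
    and marked with their type, because a service principal sitting in an admin
    group is exactly what the reviewer needs to see, not something to drop silently."""
    rows = []
    for g in groups:
        env, elevated = classify(g["displayName"])
        group_type = "OnPrem" if g.get("onPremisesSyncEnabled") else "Cloud"
        for m in g["members"]:
            kind = m["@odata.type"].rsplit(".", 1)[-1]
            rows.append({
                "Group name": g["displayName"],
                "Full name": m.get("displayName", ""),
                "UPN": m.get("userPrincipalName") or f"<{kind}>",
                "Environment": env,
                "Group type": group_type,
                "Elevated": elevated,
            })
    return rows


def to_csv(rows):
    """Serialise rows in the artifact's column order."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def work_item_patch(system_id, pipeline_url, iteration_path):
    """JSON Patch body for POST .../_apis/wit/workitems/$User%20Story
    (Content-Type: application/json-patch+json). iteration_path is assumed to be
    the current sprint's path, e.g. 'AID\\Sprint 1'."""
    fields = {
        "System.Title": f"AD Group Access Review - {system_id}",
        "System.Description": (f"Review the ad-group-members artifact from {pipeline_url} "
                               "and record findings in the comments before closing."),
        "System.Tags": f"{system_id}; BAM",
        "System.State": "Ready",
        "System.IterationPath": iteration_path,
        "Microsoft.VSTS.Scheduling.Effort": 0,
    }
    return [{"op": "add", "path": f"/fields/{name}", "value": value}
            for name, value in fields.items()]


if __name__ == "__main__":
    print(to_csv(report_rows(SAMPLE_GROUPS)))
```

Using transitiveMembers rather than members matters: a nested group hides its people from a plain members query, and the reviewer would never see them.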

Review Process

Once the work item is created:

  1. The assigned engineer downloads the latest ad-group-members report from the pipeline run linked in the work item.
  2. Each AD group is reviewed for valid access: confirm that every member still needs the access the group grants, paying particular attention to rows with Elevated = Yes and to members who were not present in the previous review.
  3. Invalid or stale access is escalated for removal.
  4. Review findings, including any removals requested, are documented in the work item's comments before it is closed.
  5. Publish results to the appropriate SharePoint folder:
    • S0PMOBAI (Publix Mobile App Chat): AD Group Audit Results
    • S0ITMOLM (Publix Pro Chat): AD Group Audit Results
    • Create a new folder named with the review completion date (e.g., 2025-11-10) and upload the report and any supporting documentation.
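One way to work through steps 2 to 4, as an added example that is not the AID team's tooling: compare the current ad-group-members report with the report from the previous review, and draft the findings to paste into the work item comments. Both CSVs are constructed here in the report's schema; treating the previous review's report as the approved baseline is an assumption.

```python
"""Added example (not the AID team's tooling): diff the current report against the
previous review's report and draft the findings for the work item. Both CSVs below
are constructed sample data."""
import csv
import io

PREVIOUS_CSV = """Group name,Full name,UPN,Environment,Group type,Elevated
S0PMOBAI-PRD-Admins,Ada Lovelace,alovelace@example.com,PRD,OnPrem,Yes
S0PMOBAI-DEV-Readers,Grace Hopper,ghopper@example.com,DEV,Cloud,No
"""

CURRENT_CSV = """Group name,Full name,UPN,Environment,Group type,Elevated
S0PMOBAI-PRD-Admins,Ada Lovelace,alovelace@example.com,PRD,OnPrem,Yes
S0PMOBAI-PRD-Admins,Linus Pauling,lpauling@example.com,PRD,OnPrem,Yes
S0PMOBAI-DEV-Readers,Alan Turing,aturing@example.com,DEV,Cloud,No
"""


def load_report(text):
    """Key rows by (group, UPN): one person in two groups is two separate access grants."""
    return {(r["Group name"], r["UPN"]): r for r in csv.DictReader(io.StringIO(text))}


def compare(previous, current):
    """Membership changes since the last review, plus every elevated grant, which
    is re-justified each cycle whether or not it changed."""
    return {
        "added": sorted(set(current) - set(previous)),
        "removed": sorted(set(previous) - set(current)),
        "elevated": sorted(k for k, r in current.items() if r["Elevated"] == "Yes"),
    }


def findings(diff, decisions):
    """decisions maps (group, UPN) -> "valid" or "remove", as recorded by the reviewer.
    Every added or elevated grant needs an explicit decision; returns (ok, lines) where
    ok is False while any are unresolved, so the work item is not closed early."""
    required = sorted(set(diff["added"]) | set(diff["elevated"]))
    unresolved = [k for k in required if k not in decisions]
    lines = [f"Removed since last review (no action): {g} / {u}" for g, u in diff["removed"]]
    for key in required:
        group, upn = key
        tag = "elevated" if key in diff["elevated"] else "new"
        verdict = decisions.get(key)
        if verdict == "remove":
            lines.append(f"Escalate for removal ({tag}): {group} / {upn}")
        elif verdict == "valid":
            lines.append(f"Confirmed valid ({tag}): {group} / {upn}")
        else:
            lines.append(f"UNRESOLVED ({tag}): {group} / {upn}")
    return not unresolved, lines


if __name__ == "__main__":
    diff = compare(load_report(PREVIOUS_CSV), load_report(CURRENT_CSV))
    ok, lines = findings(diff, {("S0PMOBAI-DEV-Readers", "aturing@example.com"): "valid"})
    print("ready to close:", ok)
    print("\n".join(lines))
```

Removed members are listed for the record only; the grants that need a decision are the new ones and the elevated ones, and the review is not complete until each has a recorded verdict.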

Process Flow


Access & Permissions

When setting up the process, the pipeline identities must have the following permissions, and no more than these:

  • Azure Service Connection: Must have read access to Microsoft Graph sufficient to enumerate groups and their members (e.g., the GroupMember.Read.All application permission); no write permissions are needed.
  • PAT (personal access token): Required for creating Azure DevOps work items. Scope it to Work Items: Read & Write only, store it as a secret pipeline variable rather than in the YAML, and give it an expiry so it is rotated.
  • Agent Requirements: Ubuntu agent with the jq utility available.