Delegate Group Management to Guest Owners

In the first part of this series, we explored how to set up email notifications using EasyLife365 webhooks. Today, we’re tackling another common IT admin headache: managing group memberships for guest users. EasyLife 365 offers multiple ways to streamline this, from built-in provisioning features to fully customizable workflows using webhooks. In this post, we’ll walk through a lightweight example that uses Azure Functions to automate group assignments.

The Challenge: Maximizing IT Resources

IT administrators handle countless priorities, from security initiatives to infrastructure projects. Yet they frequently find themselves handling routine guest access requests such as adding users to VPN groups, file sharing permissions, or application access groups. While these tasks are important, they're also repetitive and take valuable time away from strategic IT initiatives.

The traditional flow:

1. Business user invites a guest
2. Guest gets basic access
3. Business users realize guests need additional access (VPN, specific apps, etc.)
4. Business user contacts IT admin
5. Admin manually adds guest to appropriate groups
6. Repeat for every access change

The Solution: Empower Business Users, Free Up IT Resources

This approach uses EasyLife 365’s webhook capabilities to trigger external automation. It is perfect when you want full control over how access is handled. That said, you can achieve similar results directly within EasyLife 365 Collaboration using native provisioning actions without coding. Now, let’s return to our example that uses webhooks. The flow in this scenario looks like this:

1. Business user invites guest through EasyLife 365
2. EasyLife 365 template includes checkboxes for access requirements (VPN, Box, Confluence, etc.)
3. Guest owner selects appropriate access during invitation
4. Webhook triggers Azure Function that assigns the guest to the appropriate groups
5. Guests get proper access immediately - admins focus on strategic initiatives!

The Solution Architecture

Our example uses a two-function Azure Functions app that processes EasyLife365 webhooks:

1. HTTP Trigger Function (guestrequest): Receives webhook requests and queues them for processing
2. Queue Trigger Function (guestqueue): Processes queued requests and manages group memberships via Microsoft Graph

This decoupled architecture ensures webhook reliability while allowing for complex processing logic.

Setting Up Your Environment

Before we dive into the code, you'll need:

• An Azure subscription with permissions to create Function Apps
• Azure CLI installed (download here)
• Access to the EasyLife admin cockpit
• Custom data fields configured in your EasyLife guest user template
• Entra ID security groups to control access

EasyLife Template Configuration

First, set up your guest user template with custom data fields that represent the access options you want to delegate:

1. In EasyLife admin center, go to Templates > Guest Accounts
2. Edit your template or create a new one
3. Add custom data fields like:
   1. VPN Access (checkbox) - for VPN group membership
   2. Box Access (checkbox) - for Box file sharing access

These fields will appear as options for the person inviting the guest, letting them specify exactly what access the guest needs upfront.

The Code Structure

The Azure Functions app consists of two simple but powerful functions:

HTTP Trigger Function (guestrequest)

This function acts as the webhook endpoint for EasyLife. When a guest user event occurs, it:

• Receives the webhook payload from the EasyLife backend
• Immediately acknowledges the request with a 200 OK response
• Queues the request for processing in Azure Storage Queue

This pattern ensures webhook reliability - EasyLife gets an immediate response while the actual processing happens asynchronously.

Queue Processing Function (guestqueue)

This function handles the business logic when a message appears in the queue:

• Connects to Microsoft Graph using the Function App's managed identity
• Extracts the user ID and custom data field values from the webhook payload
• Retrieves the user's current group memberships from Entra ID
• Compares current memberships against the desired state (based on custom field values)
• Adds the user to groups where access is needed but missing
• Removes the user from groups where access is no longer required

The magic happens through a simple mapping configuration that connects your EasyLife 365 custom field names to Entra ID group IDs.

Deploying to Azure

The deployment is fully automated with PowerShell and Azure CLI. Here's the complete script:

# Configuration parameters
$resourceGroupName = "rg-easylife-webhook"
$functionAppName = "func-easylife-webhook"
$storageAccountName = "saeasylifewebhook"
$location = "westeurope"
$dataFieldGroupIdMapping = "vpnUsers:82b18a56-1700-4679-a949-d1706a2d0c70,boxUsers:1cca2261-00b8-4bd1-946c-ef34e1048eb7" 

## Authenticate to Azure
az login

# Create resource group
az group create --name $resourceGroupName --location $location

# Create storage account
az storage account create --name $storageAccountName --resource-group $resourceGroupName --location $location --sku Standard_LRS

# Create function app with managed identity
$funcAppOutput = az functionapp create --consumption-plan-location $location --name $functionAppName --os-type Windows --resource-group $resourceGroupName --runtime powershell --storage-account $storageAccountName --functions-version 4 --runtime-version 7.4 --assign-identity '[system]' | ConvertFrom-Json

# Configure the data field mapping
az functionapp config appsettings set --name $functionAppName --resource-group $resourceGroupName --settings "dataFieldGroupIdMapping=$dataFieldGroupIdMapping"

# Set up Microsoft Graph permissions
$servicePrincipalId = $funcAppOutput.identity.principalId
$graphObjectId = (az ad sp list --display-name 'Microsoft Graph' | ConvertFrom-Json)[0].id

@(
    'df021288-bdef-4463-88db-98f22de89214', # User.Read.All
    '62a82d76-70ea-41e2-9197-370581804d09'  # Groups.ReadWrite.All
) | ForEach-Object{
    $body = @{
        principalId = $servicePrincipalId
        resourceId = $graphObjectId
        appRoleId = $_
    } | ConvertTo-Json -Compress
    az rest --method POST --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$servicePrincipalId/appRoleAssignments" --header "Content-Type=application/json" --body $body.Replace('"',"'")
}
# Deploy the function code
$deployPath = Get-ChildItem | Where-Object {$_.Name -notmatch "deploypkg" -and $_.Name -notmatch "_automation" } | Compress-Archive -DestinationPath deploypkg.zip -Force -PassThru
az functionapp deployment source config-zip --name $functionAppName --resource-group $resourceGroupName --src $deployPath.FullName

Configuration and Testing

Setting Up Data Field Mapping

The key to this solution is the dataFieldGroupIdMapping environment variable. This maps your EasyLife365 data field names to Entra ID group IDs:

 vpnUsers:82b18a56-1700-4679-a949-d1706a2d0c70,boxUsers:1cca2261-00b8-4bd1-946c-ef34e1048eb7

To find your group IDs, use the Azure Portal or Azure CLI:

az ad group show --group "VPN Users" --query objectId

Testing Your Function

Once you have deployed the function to Azure, you are ready for testing. Get your function URL from the Azure Portal and test it:

   $uri = 'https://your-function-app.azurewebsites.net/api/guestrequest?code=your-function-key'
   $testPayload = @{
   "eventType"= "guestmodified"
   "user" = @{
      "id"= "c91ee487-757a-4167-a6b0-5144cc5998e3"
      "metadataExtension"= @{
         "additionalData"= @{
         "vpnUsers"= $true
         "boxUsers"= $false
         }
      }
   }
   }
   Invoke-RestMethod -Uri $uri -Body ($testPayload | ConvertTo-Json -Depth 4) -Method Post

Integration with EasyLife

Now connect your Azure Function to the EasyLife 365's webhook system:

1. Navigate to Templates > Guest Account in EasyLife Admin Center
2. Select the template with the custom meta data fields
3. Add the function app under
   1. Provisioning (when new guests are created)
   2. Data Collection (when custom field data changes)

This ensures your Azure Function runs whenever access decisions are made, providing real-time group membership management without admin intervention.

The Business Impact

By implementing this solution, you've achieved several key benefits:

For IT Administrators:

• Freed up time for strategic projects and security initiatives
• Reduced routine support tickets for guest access requests
• Maintained control through predefined, secure group mappings
• Enhanced governance with automated audit trails of access decisions

For Business Users:

• Self-service access provisioning when inviting guests
• Immediate access for guests without waiting for IT
• Clear visibility into what access they're granting
• Ability to modify guest access as business needs change

For Guest Users:

• Faster onboarding with appropriate access from day one
• Consistent experience across different business sponsors
• Reduced friction in collaboration

Conclusion: A Practical Approach to Automating Guest Group Access

The key insight is that by empowering business users to make access decisions within IT-defined boundaries while automating the technical implementation, you create a win-win scenario: IT administrators can focus on high-impact work while business users get the agility they need for effective collaboration.

Whether you're keeping things simple with built-in provisioning or adding extra logic through integrations like this one, EasyLife 365 helps you stay in control without locking you into rigid processes. Ready to automate your guest user management? Download the complete source code and get started with your own Azure Functions integration today! Need a hand or have questions? Just drop us a line at unicorn@easylife365.cloud.

Resources

• EasyLife365 Documentation
• Azure Functions Documentation
• Microsoft Graph PowerShell SDK