
Copilot AI commented Jun 16, 2025

This PR implements a new synchronization feature that automatically removes users from Entra ID groups when their corresponding DNN role memberships have expired.

Problem

Currently, when DNN roles have expiry dates and expire, users lose access locally in DNN but remain in the corresponding Entra ID groups. This creates a security gap where users retain permissions in Azure/Microsoft 365 services even after their role access has expired in DNN.

Solution

Added a new configuration option "Remove Expired Role Memberships from Entra ID" that:

  1. Identifies expired memberships during the sync process
  2. Removes users from corresponding Entra ID groups using Graph API
  3. Allows natural cleanup of DNN role memberships on next user login

Key Features

Backend Implementation

  • New RemoveExpiredRoleMembershipsEnabled setting in AzureConfig
  • RemoveExpiredRoleMemberships() method in sync scheduler
  • Enhanced user lookup logic to map DNN users to Entra ID users
  • Comprehensive error handling and logging

Frontend Implementation

  • Toggle switch in Advanced Settings → Sync Settings panel
  • Localized labels and help text
  • Integrated with existing settings save/load flow

Security & Compatibility

  • Only processes roles imported from Entra ID (IdentitySource=Azure)
  • Respects existing role mappings and group name prefixes
  • Uses existing Graph API permissions
  • Disabled by default, opt-in feature
  • No impact on existing functionality when disabled

Example Workflow

1. User has "Marketing Team" role with expiry date 2024-01-01
2. Current date: 2024-06-16 (role has expired)
3. Sync process runs with new feature enabled
4. User is removed from "Marketing-Group" in Entra ID
5. On next login, DNN automatically cleans up the local role membership

Technical Details

  • Configuration: Added to AzureConfig with proper persistence
  • API Integration: Enhanced AzureADProviderSettings for frontend support
  • User Lookup: Uses AuthenticationController.GetUserAuthentications() to map DNN users to Entra ID
  • Graph API: Leverages existing RemoveGroupMember() functionality
  • Error Handling: Individual failures don't stop the entire sync process
  • Logging: Detailed success/error reporting with statistics

Testing

  • Validated configuration persistence and API integration
  • Verified frontend component state management
  • Confirmed proper error handling for edge cases
  • Ensured backward compatibility with existing sync functionality

Fixes #119.


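The sync step the PR describes (filter expired memberships of roles that came from Entra ID, map each DNN user to an Entra ID user, call the existing group-removal path, keep going when one call fails, and report counts) is small enough to model end to end. The block below is an added example written for this page, not the DNN Azure AD provider's own code: `RoleMembership`, `IEntraGroupClient`, the `roleToGroup` mapping table, the `groupNamePrefix` fallback and the in-memory `FakeGraphClient` are all assumptions made for illustration, and the membership rows are constructed sample data. It runs as a console program and prints the statistics the PR says the real job logs.

```csharp
// Added example, not the DNN Azure AD provider's code. Names are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed class RoleMembership
{
    public int UserId { get; set; }
    public string RoleName { get; set; }
    public string IdentitySource { get; set; }   // "Azure" for roles imported from Entra ID
    public DateTime? ExpiryDate { get; set; }    // null means the membership never expires
}

public sealed class SyncStats
{
    public int Candidates, Removed, Skipped, Failed;
    public override string ToString() =>
        $"candidates={Candidates} removed={Removed} skipped={Skipped} failed={Failed}";
}

// Hypothetical seam over the two Graph-backed operations the sync needs.
public interface IEntraGroupClient
{
    string ResolveEntraUserId(int dnnUserId);   // null when no Entra ID login is linked to the DNN user
    void RemoveGroupMember(string groupName, string entraUserId);
}

public static class ExpiredMembershipSync
{
    public static SyncStats RemoveExpiredRoleMemberships(
        IEnumerable<RoleMembership> memberships,
        IReadOnlyDictionary<string, string> roleToGroup,   // explicit role -> group mappings
        string groupNamePrefix,                            // fallback: prefix + role name
        IEntraGroupClient graph,
        DateTime utcNow,
        Action<string> log)
    {
        var stats = new SyncStats();
        // Only roles that came from Entra ID and whose expiry date is already in the past.
        var expired = memberships.Where(m =>
            string.Equals(m.IdentitySource, "Azure", StringComparison.OrdinalIgnoreCase)
            && m.ExpiryDate.HasValue && m.ExpiryDate.Value <= utcNow);

        foreach (var m in expired)
        {
            stats.Candidates++;
            string group = roleToGroup.TryGetValue(m.RoleName, out var mapped) ? mapped : groupNamePrefix + m.RoleName;
            try
            {
                string entraUserId = graph.ResolveEntraUserId(m.UserId);
                if (entraUserId == null)
                {
                    stats.Skipped++;
                    log($"skip: DNN user {m.UserId} has no Entra ID login, cannot remove from '{group}'");
                    continue;
                }
                graph.RemoveGroupMember(group, entraUserId);
                stats.Removed++;
                log($"removed: user {m.UserId} ({entraUserId}) from '{group}', role expired {m.ExpiryDate:yyyy-MM-dd}");
            }
            catch (Exception ex)
            {
                stats.Failed++;   // one failed Graph call must not abort the rest of the sync
                log($"error: user {m.UserId} / '{group}': {ex.Message}");
            }
        }
        return stats;
    }
}

// In-memory stand-in for Graph so the example runs offline.
public sealed class FakeGraphClient : IEntraGroupClient
{
    private readonly Dictionary<int, string> _links;
    private readonly HashSet<string> _failingGroups;
    public List<string> Removals { get; } = new List<string>();

    public FakeGraphClient(Dictionary<int, string> links, params string[] failingGroups)
    {
        _links = links;
        _failingGroups = new HashSet<string>(failingGroups);
    }
    public string ResolveEntraUserId(int dnnUserId) => _links.TryGetValue(dnnUserId, out var id) ? id : null;
    public void RemoveGroupMember(string groupName, string entraUserId)
    {
        if (_failingGroups.Contains(groupName))
            throw new InvalidOperationException("Graph returned 403 Forbidden for " + groupName);
        Removals.Add(groupName + " <- " + entraUserId);
    }
}

public static class Program
{
    public static void Main()
    {
        var old = new DateTime(2024, 1, 1);
        var memberships = new[]   // constructed sample data
        {
            new RoleMembership { UserId = 1, RoleName = "Marketing Team", IdentitySource = "Azure", ExpiryDate = old },   // removed
            new RoleMembership { UserId = 2, RoleName = "Finance",        IdentitySource = "Azure", ExpiryDate = old },   // no Entra link: skipped
            new RoleMembership { UserId = 3, RoleName = "Marketing Team", IdentitySource = "Azure", ExpiryDate = new DateTime(2030, 1, 1) }, // not expired
            new RoleMembership { UserId = 4, RoleName = "Local Admins",   IdentitySource = "DNN",   ExpiryDate = old },   // not an Entra role: ignored
            new RoleMembership { UserId = 5, RoleName = "Finance",        IdentitySource = "Azure", ExpiryDate = null },  // never expires
            new RoleMembership { UserId = 6, RoleName = "Finance",        IdentitySource = "Azure", ExpiryDate = old },   // Graph call fails
        };
        var graph = new FakeGraphClient(
            new Dictionary<int, string> { [1] = "aad-user-1", [3] = "aad-user-3", [6] = "aad-user-6" },
            "AzureGroup-Finance");
        var mappings = new Dictionary<string, string> { ["Marketing Team"] = "Marketing-Group" };

        var stats = ExpiredMembershipSync.RemoveExpiredRoleMemberships(
            memberships, mappings, "AzureGroup-", graph, new DateTime(2024, 6, 16), Console.WriteLine);
        Console.WriteLine(stats);   // candidates=3 removed=1 skipped=1 failed=1
    }
}
```

Two details worth carrying into a real implementation: compare expiry dates and "now" in the same time zone (the example uses naive `DateTime` values for brevity), and decide what a 404 from the Graph member-removal call means, since the user may already have been removed from the group by another process and that case should count as success rather than a failure.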

Copilot AI changed the title from "[WIP] New option to remove expired role groups from Entra ID" to "Add option to remove expired role memberships from Entra ID during sync" Jun 16, 2025
Copilot AI requested a review from davidjrh June 16, 2025 16:39
Copilot finished work on behalf of davidjrh June 16, 2025 16:40
Development

Successfully merging this pull request may close these issues.

New option to remove expired role groups from Entra ID