Hello!
I’m working on a (number of) problems at work right now related to the interaction of our current (very outdated) HR system and how we create users and set permissions to various resources in AD/AAD.
Right now we are running into a problem where we have some dynamic DLs with restricted sending. Unfortunately, in O365, it does not seem possible to do group-based access control to send emails to these groups, and due to the number and complexity of our environment, we are having a hard time automating these requests.
Has anyone implemented any sort of middleware to handle permissions to resources like this, where Microsoft does not provide tooling as part of Exchange/AAD to do RBAC/GBAC?
I’m personally of the opinion that something like this should be handled by an ERP system, but ours is not going to work, and a replacement is probably 5 years out.
Right now, our theorized solution is a database that contains a record for each DL, with a mapping of who should have access to that DL, which will then be reconciled against AAD/EXO a couple of times a day to keep them from drifting.
TL;DR: Create a database to track who has access to various resources in AD/AAD/EXO that is reconciled against at regular intervals?
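A sketch of the reconciliation loop described above, written in PowerShell against Exchange Online. This is an added example, not code from the original post or from the poster's environment. It assumes the ExchangeOnlineManagement module with a Connect-ExchangeOnline session already established, a tracking table whose query result is stood in for by the constructed $Desired hashtable, and DLs keyed by their primary SMTP address. Get-DynamicDistributionGroup, Get-Recipient, Set-DynamicDistributionGroup and the AcceptMessagesOnlyFromSendersOrMembers parameter are the real cmdlets and parameter; the Get-SenderDrift helper, the -DryRun switch and the sample addresses are assumptions of this example.

```powershell
# Added reconciliation example; not the poster's code. Assumptions (not stated in the post):
#   - ExchangeOnlineManagement is installed and Connect-ExchangeOnline has already run
#     (ideally as an app registration holding only a recipient-management role)
#   - the DL -> allowed-senders table is read from the tracking database; $Desired below is a
#     constructed stand-in for that query result, keyed by the DL's primary SMTP address
#   - $DryRun controls whether drift is only reported or also corrected

param([switch]$DryRun)

# Constructed sample of what the database would return.
$Desired = @{
    'all-staff@contoso.example'   = @('hr-lead@contoso.example', 'ceo@contoso.example')
    'engineering@contoso.example' = @('eng-mgr@contoso.example')
}

# Compare two address lists case-insensitively and return what has drifted.
function Get-SenderDrift {
    param([string[]]$Current, [string[]]$Wanted)
    $cur  = @($Current | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() })
    $want = @($Wanted  | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() })
    [pscustomobject]@{
        ToAdd    = @($want | Where-Object { $cur  -notcontains $_ })
        ToRemove = @($cur  | Where-Object { $want -notcontains $_ })
    }
}

foreach ($dl in $Desired.Keys) {
    $group = Get-DynamicDistributionGroup -Identity $dl -ErrorAction Stop

    # EXO stores the restriction as recipient identities; resolve each one to its primary
    # SMTP address so it can be compared with what the database holds. An entry that no
    # longer resolves is kept as-is so it shows up as something to remove.
    $current = foreach ($entry in $group.AcceptMessagesOnlyFromSendersOrMembers) {
        $r = Get-Recipient -Identity $entry -ErrorAction SilentlyContinue
        if ($r) { $r.PrimarySmtpAddress.ToString() }
        else    { Write-Warning "$dl : cannot resolve '$entry'"; $entry.ToString() }
    }

    $drift = Get-SenderDrift -Current @($current) -Wanted $Desired[$dl]
    if ($drift.ToAdd.Count -eq 0 -and $drift.ToRemove.Count -eq 0) {
        Write-Output "$dl : in sync"
        continue
    }

    # Drift means someone changed the restriction outside the process. Log it before
    # correcting it so the out-of-band change is not silently erased.
    Write-Warning ("{0} : drift detected; add [{1}] remove [{2}]" -f $dl,
        ($drift.ToAdd -join ', '), ($drift.ToRemove -join ', '))

    # Write the whole desired list (the parameter replaces the set), which is idempotent
    # and keeps the database as the only source of truth. -WhatIf reports without changing.
    Set-DynamicDistributionGroup -Identity $dl `
        -AcceptMessagesOnlyFromSendersOrMembers $Desired[$dl] -WhatIf:$DryRun
}
```

Run it from a scheduled job a couple of times a day, first with -DryRun until the warnings match what you expect, and keep the drift output as an audit trail: every correction it makes is evidence that a restriction was changed out of band, which is the thing the reconciler exists to catch. Keep the identity it runs as scoped to recipient management only, since whatever can rewrite these lists can also open a restricted DL to anyone.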