berkeleyo/time-bound-geo-bypass-access
Time‑Bound Geo‑Bypass Access (M365 → Entra ID → Conditional Access) 🌍⏳

Redaction statement: This repository contains no secrets, IP addresses, tenant IDs, or organisation identifiers. All values are placeholders or samples.

Purpose: Provide a production-ready, fully documented pattern to grant time-bound Azure access from outside the country using Microsoft Forms → SharePoint list → Power Automate → Entra ID security group → Conditional Access.


👀 What this does

  • Collects a justification + timeframe from a Microsoft Form.
  • Persists requests in a SharePoint List (auditable).
  • Power Automate approves the request and adds the user to an Entra ID group, recording an expiry for the membership.
  • A Conditional Access (CA) policy targets that group to permit Azure sign-in from outside the country for the approved window.
  • Auto-expiry / cleanup removes access and posts a confirmation to Teams/Email.
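The auto-expiry step in the last bullet, as an added example that is not one of the repository's scripts: a PowerShell reconciliation that derives who must leave the group from the approved Requests rows rather than trusting the group's current state, fails closed on rows without a window, and caps the window length. It assumes the Microsoft.Graph.Groups module with a prior Connect-MgGraph; the group id, user object ids and request rows are constructed placeholders.

```powershell
# Added example, not one of the repository's scripts. Assumes Microsoft.Graph.Groups is
# installed and Connect-MgGraph has been run with GroupMember.ReadWrite.All; the group id,
# user object ids and request rows below are constructed placeholders.
function Get-ExpiredGeoBypassMembers {
    param(
        [Parameter(Mandatory)] [object[]] $Requests,          # rows from the Requests list
        [Parameter(Mandatory)] [string[]] $CurrentMemberIds,  # current group member object ids
        [DateTimeOffset] $Now = [DateTimeOffset]::UtcNow,
        [int] $MaxWindowHours = 72                            # longest window the policy allows
    )
    $active = @{}
    foreach ($r in $Requests) {
        if ($r.Status -ne 'Approved') { continue }
        if (-not $r.StartUtc -or -not $r.EndUtc) { continue }   # no window => no access (fail closed)
        $start = [DateTimeOffset]::Parse($r.StartUtc)
        $end   = [DateTimeOffset]::Parse($r.EndUtc)
        # Cap the window so a mistyped end date cannot turn into an open-ended bypass.
        if (($end - $start).TotalHours -gt $MaxWindowHours) { $end = $start.AddHours($MaxWindowHours) }
        if ($Now -ge $start -and $Now -lt $end) { $active[$r.UserObjectId] = $true }
    }
    # Every member without a currently active approved window is due for removal.
    return @($CurrentMemberIds | Where-Object { -not $active.ContainsKey($_) })
}

# Constructed sample rows mirroring the SharePoint list (placeholder ids, not tenant data).
$sampleRequests = @(
    [pscustomobject]@{ UserObjectId = '00000000-0000-0000-0000-000000000001'; Status = 'Approved'
                       StartUtc = '2025-06-01T08:00:00Z'; EndUtc = '2025-06-03T08:00:00Z' }
    [pscustomobject]@{ UserObjectId = '00000000-0000-0000-0000-000000000002'; Status = 'Approved'
                       StartUtc = '2025-06-01T08:00:00Z'; EndUtc = '2025-06-01T20:00:00Z' }
    [pscustomobject]@{ UserObjectId = '00000000-0000-0000-0000-000000000003'; Status = 'Pending'
                       StartUtc = '2025-06-01T08:00:00Z'; EndUtc = '2025-06-02T08:00:00Z' }
)
$sampleMembers = $sampleRequests.UserObjectId   # pretend all three are in the group today
$asOf = [DateTimeOffset]::Parse('2025-06-02T09:00:00Z')
$toRemove = Get-ExpiredGeoBypassMembers -Requests $sampleRequests -CurrentMemberIds $sampleMembers -Now $asOf
Write-Output "Members due for removal at $asOf : $($toRemove -join ', ')"

# Live mode: read the real members and remove the expired ones. Replace $sampleRequests with
# rows read from the Requests list; -WhatIf previews the change until the pilot has reviewed it.
$GroupId = 'REPLACE_ME_GROUP_OBJECT_ID'
if ($GroupId -ne 'REPLACE_ME_GROUP_OBJECT_ID') {
    $liveMembers = (Get-MgGroupMember -GroupId $GroupId -All).Id
    foreach ($id in (Get-ExpiredGeoBypassMembers -Requests $sampleRequests -CurrentMemberIds $liveMembers)) {
        Remove-MgGroupMemberByRef -GroupId $GroupId -DirectoryObjectId $id -WhatIf
    }
}
```

Because the function recomputes the allowed set from the request rows on every run, a member added by hand or left behind by a failed flow run is removed on the next schedule rather than lingering in the bypass group.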

🧭 Architecture (Mermaid)

flowchart LR
  A[Requester: Microsoft Form] --> B[SharePoint List: Requests]
  B --> C[Power Automate Flow]
  C -->|Validate & Approve| D[Entra ID: Time-Bound Group]
  D --> E[Conditional Access: Geo-bypass Policy]
  C --> F[Notify: Teams/Email]
  C --> G[Scheduler: Remove member on expiry]
  subgraph Lifecycle
    L1((Design)) --> L2((Build)) --> L3((Test)) --> L4((Pilot)) --> L5((Cutover)) --> L6((Operate)) --> L7((Retire))
  end

📂 Repo layout

time-bound-geo-bypass-access/
├─ README.md                 # this file
├─ RUNBOOK.md                # step-by-step operations runbook
├─ .gitignore                # tuned for clean, secure repo hygiene
├─ docs/
│  ├─ OVERVIEW.md
│  ├─ ARCHITECTURE.md
│  ├─ CUTOVER_CHECKLIST.md
│  ├─ ROLLBACK.md
│  └─ SECURITY.md
└─ scripts/
   ├─ new-sharepoint-list.ps1
   ├─ register-ca-policy.ps1
   ├─ ensure-timebound-group.ps1
   ├─ flow-definition.json         # example Power Automate-style skeleton
   └─ sample-settings.json         # centralised placeholders

🚀 Quick start

  1. Create or choose a SharePoint Site for the list (e.g., OpsRequests).
  2. Run ./scripts/new-sharepoint-list.ps1 to scaffold the Requests list (fields match the flow).
  3. Import scripts/flow-definition.json into Power Automate and wire connectors (placeholders marked REPLACE_ME_*).
  4. Run ./scripts/ensure-timebound-group.ps1 to create the geo-bypass group with AccessReviews-enabled description markers.
  5. Apply CA policy using ./scripts/register-ca-policy.ps1 (country list and conditions come from sample-settings.json).
  6. Pilot with 1–2 users, then complete the CUTOVER_CHECKLIST.md.

✅ Non-goals / guardrails

  • No tenant data in this repo.
  • No hard-coded IDs, secrets, or IPs.
  • No production connectors are exported — only a skeleton JSON is provided.

📄 Licensing & attribution

MIT License. Diagrams and text © 2025 Berkeley Orogodo.
This repo is intentionally redacted and generic for public sharing.
