Access Automation
The right groups and roles follow automatically from your users' attributes, such as department, location and job title. Applied across Microsoft Entra ID and your on-prem Active Directory. No more tickets for routine access.
The problem
Your service desk spends the day adding people to security groups in Entra ID by hand and taking them out again: every join, every move, every leave, over and over. A new hire waits days for the right access, and when someone leaves, access almost always gets left behind. It is predictable, endless, and it eats the time your team should be spending on real problems.
What you get
Automate the repetitive 80% of group management and leave the 20% that needs judgment to your people; in practice many customers reach up to 90% automation.
New hires work on day one
The right set of groups and roles follows automatically from department, location and job title, so access is there in minutes instead of days. No ticket needed.
No access left behind when people leave
Anyone who moves or leaves is flagged for review automatically, so old access gets cleaned up instead of lingering for years.
Cloud and on-prem from one model
The same attributes drive both Microsoft Entra ID and your on-prem Active Directory, via Microsoft Graph and a runbook, without keeping a second configuration in sync.
You stay in control before it counts
The Attribute Change Queue holds attribute changes for approval first, so a renamed field in Entra ID does not silently strip access from 200 people.
Temporary access cleans up after itself
Grant access for a project or a stand-in and let it expire automatically, so 'just for now' does not stick around for months.
An audit trail that backs your audit
Every change is recorded with what, when and which attribute drove it, usable as evidence for ISO 27001 or NEN 7510, for example.
How it works
1. Connect your tenant
Via OAuth2 with an app registration in your own tenant. You grant specific Microsoft Graph scopes, which you can revoke at any time.
2. Define your sets
For each attribute value, such as a department or job title, link the set of groups and roles that belongs to it. Start with a handful and expand.
3. Let it run
ServiceChanger keeps groups and roles aligned with your users' attributes automatically.
Frequently asked questions
Does Access Automation work with on-prem Active Directory?
Yes. A PowerShell runbook on a hybrid worker applies the group changes in AD, which sync back to Entra through your existing Entra Connect. Cloud and on-prem work from one model.
What happens if we turn ServiceChanger off?
Groups and roles stay exactly as they are in Entra ID and AD at that moment. There is no shadow structure; everything is applied directly in your tenant.
How secure is the Entra ID connection?
Via OAuth2 with an app registration in your own tenant. You grant specific Microsoft Graph scopes and can revoke them at any time. No service account and no passwords.
Does Access Automation also create or delete accounts based on an HR system (onboarding and offboarding)?
No, ServiceChanger does not do that out of the box (yet). We do offer it through custom consultancy: PowerShell scripts, running in Azure Automation as a runbook on hybrid workers, read your HR system's API and perform the actions on your local Active Directory and/or Entra ID. This is deliberately custom work, because there is no single standard to build against: every company has different needs and requirements.