Use Okta to Access Microsoft Powershell on-Prem? Yes, You Can.

Since its beginnings, the vision for Okta has been to enable any company to use any technology, and that promise includes the ubiquitous PowerShell code found in enterprise environments, driven through the Okta platform.

Microsoft PowerShell is commonly used as part of the Joiner, Mover, Leaver identity-centric business processes that manage Microsoft technologies. Using its Lifecycle Management capabilities, Okta can remove the reliance on most of these PowerShell scripts, and users can also invoke the Microsoft Graph API directly. But for the small subset of use cases that cannot be solved by other means, Okta can be integrated with PowerShell.

Okta Workflows is an interface-driven, no-code-required design console that facilitates the implementation of automated business processes, especially for identity-related use cases. Burying logic deep within code is hard to maintain and incurs a lot of technical debt. Being graphical and easy to visualise makes Okta Workflows the most efficient choice for identity-centric business processes.

Microsoft PowerShell is a widely used task automation and configuration management framework for on-premises Microsoft technologies such as Active Directory, Exchange, and Windows file shares. PowerShell remains a key enabler for on-prem operations such as creating an Exchange mailbox, setting a legal hold, creating a UserProxyFull object in AD LDS, and creating network shares. Even with Microsoft 365, not all operations are yet covered by the Graph API, which leaves PowerShell as the only automation tool in cases such as setting mail forwarding on a Microsoft 365 mailbox, adding guest users to Teams, or setting a legal hold.

Azure Automation delivers a cloud-based automation service that supports automation across Microsoft Azure, on-premises non-Azure, and hybrid environments. Within Azure Automation, PowerShell code is executed as Runbooks. Because they run on the Azure cloud platform, Runbooks in Azure Automation may not have access to resources in your on-prem or other cloud environments. You can use the Hybrid Runbook Worker feature of Azure Automation to run Runbooks directly on the machine that hosts the worker role, against resources in that environment, to manage those local resources. Runbooks are stored and managed in Azure Automation and then delivered to one or more assigned machines.

A webhook allows Okta Workflows to start a particular runbook in Azure Automation with a single HTTP request from the Okta Workflows Http Connector. This is a simple way to execute a runbook, since Okta Workflows can trigger it through the webhook without implementing the full Azure Automation API. The HTTP request returns synchronously, but the runbook itself is only queued for execution at that point; the Azure Management API lets Okta Workflows monitor the job's execution status afterwards.


Okta Workflows integrated with Azure Automation for PowerShell execution "anywhere": in the Azure cloud and on-premises.

The Hybrid Runbook Worker can run on on-prem Windows and Linux platforms. User-defined runbooks run directly on the Windows and Linux machines that are members of one or more Runbook Worker groups. A group can include a single worker or multiple workers for high availability. Each worker in the group polls Azure Automation to see if any jobs are available; if a job is available, the first worker to fetch it takes it on a first-come, first-served basis. Because the workers initiate these outbound polls, PowerShell can be executed on-premises without opening any inbound firewall ports. Please note that the processing time of the job queue depends on the hybrid worker hardware profile and load.

Okta Workflows can store Runbook job status in Okta Workflows Tables and use the Azure Automation API to refresh that status. The Okta workflow is highly configurable: it can easily be tailored to notify a system admin of jobs that are taking longer than expected, or that error out, via an email sent through the Microsoft 365 Email Connector.
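The job-tracking logic described above, written out as an added stand-alone Python example (this is not Okta's or Microsoft's code, and not a Workflows export): it parses the synchronous webhook reply, builds the Azure Management API job resource URL, and flags jobs an admin should be emailed about. It assumes the webhook answers with a `JobIds` list, that a job record carries `properties.status` and `properties.creationTime` as in the Azure Automation Job resource, and an assumed 15-minute SLA; the job records are constructed samples.

```python
import json
from datetime import datetime, timedelta, timezone

# Azure Automation job statuses that will not change again.
TERMINAL_OK = {"Completed"}
TERMINAL_FAIL = {"Failed", "Stopped", "Suspended"}
SLA = timedelta(minutes=15)  # assumed: how long a job may stay unfinished before an admin is told


def parse_webhook_response(body: str) -> list[str]:
    """The webhook POST answers synchronously with {"JobIds": [...]}: the
    runbook is only queued at that point. Return the ids to poll later."""
    ids = json.loads(body).get("JobIds", [])
    if not ids:
        raise ValueError("webhook did not queue a job")
    return ids


def job_status_url(subscription: str, resource_group: str, account: str, job_id: str) -> str:
    """Azure Management API resource for one job (GET with a bearer token)."""
    return (f"https://management.azure.com/subscriptions/{subscription}"
            f"/resourceGroups/{resource_group}/providers/Microsoft.Automation"
            f"/automationAccounts/{account}/jobs/{job_id}?api-version=2019-06-01")


def classify(job: dict, now: datetime, sla: timedelta) -> str:
    """Map one job record to ok / error / overdue / running."""
    props = job["properties"]
    if props["status"] in TERMINAL_OK:
        return "ok"
    if props["status"] in TERMINAL_FAIL:
        return "error"
    created = datetime.fromisoformat(props["creationTime"].replace("Z", "+00:00"))
    return "overdue" if now - created > sla else "running"


def jobs_needing_attention(jobs: list[dict], now: datetime, sla: timedelta) -> list[tuple[str, str]]:
    """Jobs to email the admin about: errored, or still unfinished past the SLA."""
    flagged = [(j["name"], classify(j, now, sla)) for j in jobs]
    return [(name, state) for name, state in flagged if state in ("overdue", "error")]


# Constructed sample records in the shape of the Automation Job resource; not real job data.
NOW = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)
SAMPLE_JOBS = [
    {"name": "job-ok", "properties": {"status": "Completed", "creationTime": "2024-01-15T10:00:00Z"}},
    {"name": "job-slow", "properties": {"status": "Queued", "creationTime": "2024-01-15T09:45:00Z"}},
    {"name": "job-fail", "properties": {"status": "Failed", "creationTime": "2024-01-15T10:20:00Z"}},
    {"name": "job-new", "properties": {"status": "Running", "creationTime": "2024-01-15T10:28:00Z"}},
]
```

In a Workflow the same decision would be made on each Tables row after the Http Connector refreshes its status, with the flagged rows feeding the Microsoft 365 Email Connector.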

The out-of-the-box Okta Workflows features of the Http Connector, the Microsoft 365 Email Connector and Tables, combined with Azure Automation, provide an operationally robust approach for executing "PowerShell anywhere". Automating these common identity tasks can bring a huge boost to admin productivity.

Interested in learning more? Check out our Workflows landing page right here