AscendCore
Back to Runbook Library
Identity Live in production

Group Membership Management

Automate Microsoft Entra security group, M365 group, and distribution list membership changes from Slack and Teams. Name-resolved, approval-gated, idempotent.

Integrates with

Entra ID

The problem

Group-membership requests are high-volume, low-risk, and chronically manual. A user joins a project team and needs to be added to the project's security group. Someone changes managers and the access groups need to be updated. An employee gets a promotion and the leadership distribution list needs the new name. Each request takes IT 5-10 minutes of clicking around in the Microsoft Entra admin center — and across hundreds of such requests per quarter, the cost adds up.

What AscendCore does

A user requests a group-membership change in Microsoft Teams or Slack with the explicit syntax group-add <email> <group name> or group-remove <email> <group name>. AscendCore resolves the user against Microsoft Entra ID, resolves the target group by exact display-name match (with disambiguation suggestions if multiple groups share the name), proposes the membership change to an IT admin, and executes via Microsoft Graph on approval.

Workflow

  1. Detect — chat command (group-add <email> <group name> or group-remove <email> <group name>)
  2. Resolve user — Microsoft Entra ID directory lookup by email or UPN
  3. Resolve group — exact display-name match against Microsoft Graph /groups. If ambiguous, surface disambiguation candidates inline
  4. Propose — admin approval card with user, group, group type (security / M365 / distribution / mail-enabled), and group ID for verification
  5. Approve — one-click human approval (always required by default)
  6. ExecutePOST /groups/{id}/members/$ref (add) or DELETE /groups/{id}/members/{userId}/$ref (remove). Idempotent — re-adding existing members or removing non-members both treated as success
  7. Notify — DM to the requester with the result
  8. Audit — every change logged with approver, target user, group ID, timestamp

Integrations

  • Microsoft Entra ID/groups endpoint for resolution and /groups/{id}/members endpoint for membership changes
  • Microsoft 365 — same Graph API surface for unified groups and distribution lists
  • Slack + Microsoft Teams — request triggers and approval flow

Required Microsoft Graph permission

GroupMember.ReadWrite.All (preferred — narrowest scope) or Group.ReadWrite.All (broader fallback). Granted via admin consent at app registration in your Entra tenant.

Status

Live in production. Real Microsoft Entra group membership changes execute end-to-end against real tenants with full audit trail and idempotency protection.

Runbook source preview

Versioned, deterministic, auditable

Every runbook is defined as a versioned YAML manifest with explicit triggers, steps, and approval policies. The runbook itself is the audit-ready record of what AscendCore can and will do — chat is just the interface that triggers it.

name: group-membership
trigger:
  channels: [slack, teams]
  intents: [group_add, group_remove]
steps:
  - resolve_user:
      provider: entra_id
      query: ${input.email}
  - resolve_group_by_name:
      provider: entra_id
      query: ${input.group_name}
  - update_membership:
      action: ${input.action}    # add | remove
      idempotent: true
approval:
  required: true
  approvers: [it-admins]
Ready to deploy

Run group membership management from Teams or Slack today

AscendCore deploys in 48 hours for Slack + Okta or Teams + Entra stacks. See the first automated resolution the same day.

See plans & pricingBrowse all runbooks

More identity runbooks

Live

Access Role Change

Multi-system orchestrated role transitions for promotions, transfers, and contractor-to-FTE conversions. Five seed roles ship out of the box (support tiers, sales SDR/AE, engineering contractor/FTE/intern, HR generalist/manager); each transition produces a single approval card showing the full access diff and executes sequentially across Okta + Entra + Jira + M365 with per-step audit outcomes.

Read more
Live

Account Unlock

Automate Microsoft Entra ID and Okta account unlocks from Slack and Teams. Identity verification, approval-gated unlock, failed-login counter reset.

Read more
Live

MFA Re-enrollment

Automate Okta and Microsoft Entra ID MFA factor reset and re-enrollment from Slack and Teams, with approval-gated execution and audit-friendly logging.

Read more
AscendCore

AscendCore Team

Online · Ask us anything

AscendCore

Hi! Welcome to AscendCore. Ask us anything about how we automate your IT help desk — or just say hi.