AscendCore
Network · Live in production

VPN Access Grant

Automate VPN access provisioning via Intune and Microsoft Entra ID — approval-gated, with optional immediate device sync so the VPN profile pushes without waiting for the natural ~8-hour Intune cycle.

Integrates with

Intune, Entra ID

The problem

VPN access requests are high-frequency in remote-first organizations. Each grant requires a group-membership update, a profile push to the user's device, and verification that the connection works. Manual provisioning takes 10-15 minutes per request and requires the user's device to be online, which leads to back-and-forth scheduling that breaks the help desk's day.

What AscendCore does

A user requests VPN access in Microsoft Teams or Slack. AscendCore proposes adding them to the configured VPN security group, and on approval adds the user to the Entra group and triggers an immediate Intune sync on each of the user's enrolled devices so the VPN profile pushes without waiting for Intune's natural ~8-hour sync cycle.

Workflow

  1. Trigger — /vpn-access <user-email> from Slack or vpn-access <user-email> from Teams
  2. Verify — pre-flight check that the configured Intune VPN device configuration exists
  3. Propose — admin approval card with target user + configured VPN group
  4. Approve — IT admin approval (configurable to require security-team approval too)
  5. Add — user added to the VPN Entra security group
  6. Sync — for each of the user's Intune-enrolled devices, trigger an immediate sync
  7. Audit — single vpn_access.granted row written to the tamper-evident audit chain with full per-step outcomes
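
Step 7's audit row, as an added example (not AscendCore's code; the page does not describe how its audit chain is built): a minimal SHA-256 hash chain, one common way to make a log tamper-evident, with a verifier that reports the first altered row. GENESIS, the row layout, and the sample users and device names are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first row


def row_digest(prev_hash, event, steps):
    # Canonical JSON (sorted keys, fixed separators) keeps the hash reproducible.
    body = json.dumps({"prev": prev_hash, "event": event, "steps": steps},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append_row(chain, event, steps):
    """Append one audit row whose hash also covers the previous row's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    row = {"prev": prev_hash, "event": event, "steps": steps,
           "hash": row_digest(prev_hash, event, steps)}
    chain.append(row)
    return row


def verify_chain(chain):
    """Return the index of the first row that fails verification, or -1."""
    prev_hash = GENESIS
    for i, row in enumerate(chain):
        if row["prev"] != prev_hash:
            return i  # row removed, reordered, or predecessor rewritten
        if row["hash"] != row_digest(row["prev"], row["event"], row["steps"]):
            return i  # row content edited after it was written
        prev_hash = row["hash"]
    return -1


def sample_chain():
    # Constructed sample data: per-step outcomes for two grants.
    chain = []
    for user, sync in (("alice@example.com", {"LAPTOP-01": "ok", "PHONE-02": "failed"}),
                       ("bob@example.com", {"LAPTOP-07": "ok"})):
        append_row(chain, "vpn_access.granted", {
            "user": user,
            "verify_intune_vpn_config": "ok",
            "add_to_entra_group": {"group": "vpn-users", "outcome": "ok"},
            "trigger_intune_sync": sync,
        })
    return chain


if __name__ == "__main__":
    chain = sample_chain()
    print("intact:", verify_chain(chain))
    chain[0]["steps"]["trigger_intune_sync"]["PHONE-02"] = "ok"  # rewrite a failure
    print("after edit, first bad row:", verify_chain(chain))
```

A chain like this only detects edits if the latest hash is also recorded somewhere the log writer cannot modify; otherwise every row can be recomputed from the altered one onward.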

Integrations

  • Microsoft Intune — device-configuration verification + per-device sync triggering
  • Microsoft Entra ID — VPN security group membership management
  • Slack + Microsoft Teams — request triggers and confirmations

Configuration

INTUNE_VPN_GROUP_NAME       (default: "vpn-users")  # Entra security group
INTUNE_VPN_TRIGGER_SYNC     (default: "true")       # Trigger Intune sync after group-add
INTUNE_VPN_VERIFY_CONFIG    (default: "true")       # Pre-flight: verify VPN config exists
INTUNE_VPN_CONFIG_NAME      (default: matches group name)

Status

Live in production — admin-initiated approval flow on Slack + Teams with full audit-chain coverage.

Runbook source preview

Versioned, deterministic, auditable

Every runbook is defined as a versioned YAML manifest with explicit triggers, steps, and approval policies. The runbook itself is the audit-ready record of what AscendCore can and will do — chat is just the interface that triggers it.

name: vpn-access-grant
trigger:
  channels: [slack, teams]
  intents: [vpn_request]
steps:
  - resolve_target_user
  - verify_intune_vpn_config        # optional pre-flight (INTUNE_VPN_VERIFY_CONFIG=true)
  - add_to_entra_group: vpn-users   # configurable via INTUNE_VPN_GROUP_NAME
  - trigger_intune_sync             # optional (INTUNE_VPN_TRIGGER_SYNC=true) — fires on each enrolled device
approval:
  required: true
  approvers: [it-admins, sec-team]

Ready to deploy

Run VPN Access Grant from Teams or Slack today

AscendCore deploys in 48 hours for Slack + Okta or Teams + Entra stacks. See the first automated resolution the same day.
