Hi @Christophe_Havard, thanks for the quick reply here.
To explain our case: I work for a financial company, spread around the world in 30 countries, and we have many contractors in IT. You can imagine that every month we have a load of new contractors coming in and leaving us as well. From a security perspective we need to remove access immediately once someone has been offboarded. Also, for all the regulations we have to fulfil in all 30 countries, we have to comply with local laws and regulations related to financial companies.
When someone gets offboarded through our official process, they should lose all access in all systems, as they no longer work for us. With SonarCloud right now, it is not possible for us to detect if we have loopholes there. We cannot see the accounts based on our Azure AD. I also cannot limit membership to accounts created based on our Azure AD. I also cannot automatically have them added or removed as an organization member.
So what I would look for, maybe as intermediate:
- Allow me to relate my organization to an Azure AD subscription, so only members from that subscription can be added to my organization in SonarCloud (to keep me from selecting the wrong person).
- Let me choose to automatically add members of our Azure AD subscription to the organization (e.g. someone creates an account on SonarCloud based on our Azure AD and gets added to our organization automatically).
- When using the user API, allow me to see their UPN (or email address), so I can validate if they need to be removed.
When it comes to offboarding members, I would (as an intermediate step) like to be able to find the account in SonarCloud based on the Azure UPN, so I can call a SonarCloud REST API and have their membership in our organization removed. And maybe even the account removed?
That's what I mean by maintenance automation: no manual interference to remove a member from the organization, and no more needing to trust them to have used the Azure AD login (instead of their own Gmail and just sending me that account). Right now I have no clue if all the members in our organization actually did use their Azure AD account correctly, making it impossible to be 100% sure that only validated users have access to our source code (especially after they have left our company).
Long story, hope it helps.
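The access review described in the post, written out as an added example (it is not SonarCloud's code and not the author's). It assumes two lists that a caller has already fetched: the organization's members as a user API might return them (login plus email, the email possibly absent), and the directory's users (UPN plus enabled flag). Matching a member's email to a directory UPN is an assumption; the SonarCloud endpoints themselves are not modelled, because the post says the user API does not expose the UPN today, so the removal call is injected as a callback. The sample data below is constructed.

```python
"""Reconcile a SaaS organization's member list against an identity provider.

Added example; assumes a member's email equals the directory UPN (assumption),
and that a caller supplies the member and directory lists plus a removal
callback. Data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class OrgMember:
    login: str
    email: Optional[str]  # None when the SaaS account carries no address we can see


@dataclass(frozen=True)
class DirectoryUser:
    upn: str
    enabled: bool  # False once the account is disabled by the offboarding process


def normalise(address: str) -> str:
    """Case-insensitive comparison of UPNs and email addresses."""
    return address.strip().lower()


def domain_of(address: str) -> str:
    return normalise(address).rsplit("@", 1)[-1]


def reconcile(members: Iterable[OrgMember],
              directory: Iterable[DirectoryUser],
              allowed_domains: Set[str]) -> Dict[str, List[str]]:
    """Classify every organization member.

    ok         - email maps to an enabled directory user
    offboard   - corporate-domain email, but the directory user is disabled or gone
    unverified - no email, or a non-corporate address: cannot be tied to the
                 directory at all (the "used their own Gmail" case)
    """
    by_upn = {normalise(u.upn): u for u in directory}
    result: Dict[str, List[str]] = {"ok": [], "offboard": [], "unverified": []}
    for m in members:
        if not m.email or domain_of(m.email) not in allowed_domains:
            result["unverified"].append(m.login)
            continue
        user = by_upn.get(normalise(m.email))
        if user is not None and user.enabled:
            result["ok"].append(m.login)
        else:
            result["offboard"].append(m.login)
    return result


def apply_offboarding(result: Dict[str, List[str]],
                      remove_member: Callable[[str], None]) -> int:
    """Invoke the (caller-supplied) membership removal for each offboard candidate.

    Unverified accounts are deliberately not removed automatically: they need a
    human to decide, since they cannot be matched to a directory record.
    Returns the number of removals requested.
    """
    for login in result["offboard"]:
        remove_member(login)
    return len(result["offboard"])


# Constructed sample data: one active employee, one disabled in the directory,
# one unknown to the directory, one personal address, one with no address.
MEMBERS = [
    OrgMember("alice-corp", "Alice@corp.example"),
    OrgMember("bob-corp", "bob@corp.example"),
    OrgMember("carol", "carol@corp.example"),
    OrgMember("dave-gmail", "dave@mail.example"),
    OrgMember("erin", None),
]
DIRECTORY = [
    DirectoryUser("alice@corp.example", enabled=True),
    DirectoryUser("bob@corp.example", enabled=False),
]
ALLOWED_DOMAINS = {"corp.example"}


def run_review() -> Dict[str, List[str]]:
    return reconcile(MEMBERS, DIRECTORY, ALLOWED_DOMAINS)


if __name__ == "__main__":
    review = run_review()
    for bucket, logins in review.items():
        print(f"{bucket:>10}: {', '.join(logins) or '-'}")
    # In a real run the callback would call the organization's remove-member API.
    removed = apply_offboarding(review, lambda login: print(f"remove {login}"))
    print(f"{removed} removal(s) requested")
```

The split into three buckets matters: only accounts that can be positively tied to a disabled or missing directory record are removed without a human in the loop, while accounts that never used the corporate identity are surfaced for review rather than silently kept.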