matt-taylor.tech
← Back to projects

Work · National food brokerage · 2026

Client Services activity report (serverless)

Azure Automation PowerShell 7 Managed identity Microsoft Graph

A recurring monthly report summarizing Microsoft 365 activity (email, Teams, SharePoint, and OneDrive usage) for Client Services and Reconciliation staff. The reporting logic already existed; this project moved it off an on-prem scheduled task and onto a serverless Azure Automation runbook, and in doing so removed the whole class of infrastructure the old design depended on.

The migration

  • From a PowerShell script on an on-prem box behind Windows Task Scheduler, with the credential handling and patching that implies.
  • To an Azure Automation runbook (PowerShell 7.4) triggered on a schedule in the cloud, with no server to maintain.
  • Auth a system-assigned managed identity calling Microsoft Graph. No certificates to rotate, no client secret to store, no credential to leak.

What it produces

Each run filters the target audience by department (ASE, ACP, ACE, AMW) and by an extension attribute identifying Client Services and Reconciliation roles, aggregates a 30-day rolling window of email, Teams, SharePoint, and OneDrive usage (Graph usage data lags roughly two days), and emails the result to a configurable recipient list.

Operational details

  • Config without redeploy recipient and sender addresses live in Automation variables editable in the portal, so changing them does not require republishing the runbook.
  • Scoped send the Mail.Send permission is constrained by an application access policy to a single no-reply mailbox, so the identity cannot send as arbitrary users.
  • No secrets anywhere the managed-identity model means there is no stored credential in the runbook, in a vault, or on a host.