Overview

What ServiceChanger does, how the modules fit together, and what you need to get started.

What ServiceChanger does

ServiceChanger applies group and role memberships in Microsoft Entra ID and in your on-prem Active Directory based on attributes. You define once which attribute grants which access (an ABAC rule). After that ServiceChanger keeps memberships in line with those rules. When an attribute changes, access adjusts.

Cloud changes run through Microsoft Graph. On-prem changes run through a PowerShell runbook on a hybrid worker that writes back through your existing Entra Connect.

ServiceChanger is Microsoft-only. It works with Entra ID and Active Directory, not with other identity providers.

What ServiceChanger does not do

This is worth being clear about up front:

  • It reads attributes, it does not write them. How attributes get into Entra stays your choice.
  • By default ServiceChanger reacts to the attributes already in Entra. If you want to connect your HR system for onboarding and offboarding (joiner-mover-leaver), we build that as custom work using automation accounts and runbooks in Azure.
  • The License module does not assign or revoke licenses. It tracks usage and keeps a contract and seat registry.
  • Asset automation through Intune is on the roadmap. It is not live yet.

The modules

Module | What it does
Access (ABAC) | Links attributes to Entra and AD groups and keeps memberships in line with your rules.
Group mining | Scans your tenant and suggests which groups can link to which attributes, cleans up, and flags drift.
License | Tracks real license usage from sign-in activity and keeps a contract and seat registry with alerts.
Self-Service Portal | Employees request access through a portal with an approval flow to a manager or owner.
Asset | Order hardware and link it to Intune. On the roadmap, not available yet.

How it fits together

  1. You connect your Entra tenant via OAuth2 with admin consent.
  2. ServiceChanger pulls your users, groups, and licenses.
  3. Group mining suggests which groups belong to which attributes.
  4. You define ABAC rules and test them on a small test group first.
  5. You take rules live. Memberships stay in line with the attributes.
  6. Meanwhile the License module tracks usage and the contract registry.
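
Steps 4 and 5 come down to comparing the memberships a rule calls for with the memberships that exist, first for a small test group only. The following is an added example, not ServiceChanger's code or rule format: the Rule shape, the matching behaviour, the group name and all user data are assumptions constructed for illustration.

```python
# Added illustration: dry-run ABAC reconciliation limited to a pilot set.
# Rule shape, group names and user data are hypothetical and constructed here;
# they are not ServiceChanger's rule format or API.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    attribute: str  # directory attribute to read, e.g. "department"
    value: str      # attribute value that grants membership
    group: str      # group this rule manages

def matches(rule, attrs):
    # Assumption: compare case-insensitively and ignore surrounding whitespace.
    # A missing or empty attribute never matches, so it can never grant access.
    actual = (attrs.get(rule.attribute) or "").strip().casefold()
    return actual != "" and actual == rule.value.strip().casefold()

def plan(rules, users, memberships, pilot=None):
    """Return {group: (to_add, to_remove)}; nothing is written anywhere.
    users: {id: {attr: value}}; memberships: {group: set of ids};
    pilot: optional set of ids, everyone outside it is left untouched."""
    scope = set(users) if pilot is None else set(pilot) & set(users)
    result = {}
    for group in sorted({r.group for r in rules}):
        # Union over all rules for the group, so two rules targeting the
        # same group cannot remove each other's members.
        desired = {uid for uid, attrs in users.items()
                   if any(matches(r, attrs) for r in rules if r.group == group)}
        current = memberships.get(group, set())
        # Members that are not evaluated users (service accounts, guests)
        # fall outside scope and are never proposed for removal.
        result[group] = ((desired - current) & scope,
                         (current - desired) & scope)
    return result

USERS = {  # constructed sample data
    "alice": {"department": "Finance"},
    "bob": {"department": "finance "},
    "carol": {"department": "Sales"},   # moved out of Finance
    "dave": {"department": None},       # attribute not populated
    "erin": {"department": "Finance"},
}
MEMBERSHIPS = {"grp-finance-apps": {"bob", "carol", "svc-backup"}}
RULES = [Rule("department", "Finance", "grp-finance-apps")]

if __name__ == "__main__":
    print(plan(RULES, USERS, MEMBERSHIPS, pilot={"alice", "carol"}))
```

Reviewing the proposed removals for the pilot set before widening the scope shows which users would lose access because an attribute is empty or was changed upstream.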

What you need to get started

  • An Entra tenant with the Global Administrator role to approve the connection and the app registration.
  • Users who already have the attributes populated that you want to base access on.
  • For hybrid environments: a Windows host that can run the runbook agent and reach your domain controllers.
