Cloud & Governance

Access Management shouldn't be an afterthought in your Internal Developer Platform

Øystein — Tue, 17 Mar 2026 20:12:50 GMT

Introduction

One common challenge that all Internal Developer Platforms (IDP) will reach at some point is how to handle access management. Who should be able to request self-service resources? Who should own the solutions that are requested? How should members be onboarded and offboarded? In this blog post I will introduce the concept of Team Boundary as a first-class citizen as a way to solve these challenges, with examples from how we have done it at our client.

The Challenge

At our client we have self-service solutions for many different types of resources: GitHub repositories, Kubernetes namespaces, databases, Azure Subscriptions, among others. These solutions exist so developers can quickly get ready-made environments and start doing what matters: writing code. As a platform team we want to avoid being blockers and ensure that new projects and features can be delivered quickly.

However, we do not want to tie these resources to individual users. That would make it time-consuming for developers to onboard and offboard members to each individual solution — wasted time from both a developer and business perspective. We also don't want the platform team to micromanage members. We do not have full insight into who should have access to what, and at some point managing access would become at least a full-time job. The security risk of improperly offboarded members compounds over time. And of course, granting everyone access to everything is never a solution.

What is a Team Boundary?

A Team Boundary is a named team identity that serves as a prerequisite for provisioning any platform resource. It is a first-class citizen — built into the core of the platform, not an afterthought. It is the first resource a developer must have before they can request anything else.

How it works in practice

The Team Boundary is where it all starts. Before a developer can create anything, they need to either be a member of an existing Team Boundary or create a new one. At our client we use Azure Entra ID as the identity provider, so this was a natural place to start. When a developer requests a new Team Boundary the automation does the following:

Creates an Entra ID group: The members of this group will automatically get access to all resources related to the Team Boundary
Adds the requestor as a member of the group: It's assumed that the requestor will need access to the resources, so the requestor is automatically added as the first member
Adds the requestor as an owner of the group: The requestor will be responsible for onboarding and offboarding members to the group
Adds a scheduled Entra ID access review for the group: This acts as a reminder for the owner to evaluate who should continue to have access

Now the developer has a Team Boundary. This serves as an input for all other resources the team will need. To request a Kubernetes namespace, the developer provides their Team Boundary as input. The automation takes the Team Boundary (the Entra ID group) and grants it the necessary access to operate resources inside the namespace and all its supporting resources. The same applies to databases, additional repositories, and any other resource — the automation wires up access automatically.

The Entra ID group is the single source of truth. Everything else is a projection of it: the GitHub Team is synced from the group, Grafana directories are provisioned automatically, Azure resources grant access to the group directly. Developers can't create orphaned access — they cannot manually create a GitHub team and add whoever they want. All access flows through the Team Boundary, enforced by automation. When the team needs to onboard a new member, the only thing they do is add that person to the Entra ID group.

What this unlocks

This model follows a key design principle: coarse-grained control, fine-grained autonomy. The platform is strict about who belongs to a team, but relaxed about what team members can do within their space. Once inside, teams have meaningful autonomy — free rein in their Grafana directory, and the access they need to operate within their GitHub repositories and namespace.

This is fundamentally different from traditional IT access management, where both membership and permissions are tightly controlled centrally. It also means that even if a team goes off the golden path for some resources, their identity and access still flows through the same boundary.

Yes, some developers may not need all these resources — that is an accepted trade-off. The alternative is micromanaging access control, which becomes more complex and fragile than simply managing members of one group.

While our example uses Azure Entra ID, the concept is platform-agnostic. In AWS you would map this to IAM Identity Center groups; in GCP to Google Groups. The implementation differs, but the principle — one team identity primitive that everything else flows from — holds regardless.

Key decisions

Every organization will have different requirements around the Team Boundary. Key questions to ask:

Who should be able to be owners of the Team Boundary? Should it be project leaders, only internal employees, any developers?
Should we allow multiple owners of the Team Boundary? Or should we have a process for handling onboarding / offboarding if the owner is not available?
How often should an access review be scheduled? What should the default action of an access review be?
How do we communicate the responsibilities to owners of the Team Boundary?
How do we grant the Team Boundary access to what they need and not more?

Conclusion

Access management is one of those things that feels easy to defer — until it isn't. By treating the Team Boundary as a first-class citizen in your IDP, you give your platform a stable identity primitive that scales with your organization. Onboarding new members becomes a single operation. Offboarding is equally simple, and the security benefits compound over time. The platform team stays out of the business of micromanaging access, and developers retain the autonomy they need to move fast.

The right time to introduce this concept is at the start, before self-service resources multiply and access management becomes a tangled mess to untangle. But even if you're further along, the Team Boundary is worth introducing — the earlier the better.

Unlocking the Power of MCP Servers on Linux: A Quickstart Guide

Øystein — Sun, 06 Apr 2025 12:46:53 GMT

What is MCP and why should I use it?

I spent this weekend exploring MCP (Model Context Protocol), a protocol that allows LLMs (Large Language Models) to interact with other systems. This means you can connect your LLM, like Claude, to your file system, for example. You can then instruct your LLM to "change all my file names with whitespace to underscores," and it will execute the commands on your system, making the actual changes. This enables you to use natural language to interact with the systems you're working with, potentially transforming how we engage with our systems.

How do I interact with MCP?

To interact with an MCP, you need a client that can communicate with an MCP server. See here for a matrix of supported clients. In this post, I will use Claude Desktop. Since I’m running Linux and there’s no officially supported version of Claude, I’m using the unofficial desktop version of Claude Desktop. NB: Read and evaluate the code before you run it!

Adding an MCP server

After installing the desktop version, you can add your first MCP server. Our MCP server in this example will require npx. Check if you have it installed:

npx --version

If not, install it.

We will then add an MCP server to your Claude desktop config that interacts with your local file system:

vim .config/Claude/claude_desktop_config.json

Add the following:

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-filesystem",
        "/home/oystein/Desktop",
        "/home/oystein/Downloads"
      ]
    }
  }
}

This list will specify the directories in which the LLM can operate. Replace with the name of your home directory.

Restart Claude Desktop. You will now see a hammer with a number, indicating that you have MCP tools available:

You can also select the “attach” button to the right of the hammer to see connected MCP servers:

You can see that I have two file servers installed.

Make changes to your local filesystem

You can now start interacting with Claude to make changes to your file system. Here, I ask it to create a script in my Desktop directory:

You will have to confirm when it wants to execute commands on your system:

Claude does its work:

And to confirm that it actually exists:

As you can see, the file now exists locally in my file system.

A very basic example, but full of potential. Let’s take it a bit further and see how we can interact with Azure DevOps.

Interacting with Azure DevOps

In this example, I will use the mcp-server-azure-devops for interacting with Azure DevOps. Note: I recommend using this only in your personal lab Azure DevOps organization.

Start by adding the Azure DevOps MCP server to your Claude Desktop config:

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-filesystem",
        "/home/oystein/Desktop",
        "/home/oystein/Downloads"
      ]
    },
    "azureDevOps": {
      "command": "npx",
      "args": ["-y", "@tiberriver256/mcp-server-azure-devops"],
      "env": {
        "AZURE_DEVOPS_ORG_URL": "https://dev.azure.com/",
        "AZURE_DEVOPS_AUTH_METHOD": "pat",
        "AZURE_DEVOPS_PAT": "",
        "AZURE_DEVOPS_DEFAULT_PROJECT": "Demo"
      }
    }
  }
}

Add your organization in and your Azure DevOps PAT to . I granted the PAT read access with write access to tasks.

Restart Claude and ask it to:

It will start listing all tasks assigned to me and their states:

I can even add comments and close tasks:

Conclusion

This was a quick introduction to the how and why of the MCP server. Even though it’s early, I believe this will significantly change our daily workflow, and it will be interesting to see what MCP server capabilities people will develop. However powerful it is, security departments will have a lot to monitor going forward, and the chance of user mistakes can increase since one can quickly select “yes” to all prompts asked by the LLM.

Want to Save Money, Ship Faster, and Improve Security? Automate IT Processes, Not Just Tasks

Øystein — Mon, 10 Feb 2025 23:00:48 GMT

The Cost of missing automated processes

Many platform engineers focus on automating individual tasks that run from their local machines. While these scripts are helpful, the real value comes when automation is embedded into a structured process. The comic below illustrates a common scenario in many IT departments where an automated process is missing:

For many developers and platform engineers, this is an all-too-familiar day. These interruptions are costly—not just in time, but in focus. Constant context switching slows development, delays progress, and frustrates everyone involved. Developers waste time waiting for what they need, while platform engineers get stuck handling repetitive requests instead of improving the system.

The Problem: Scripting Tasks Doesn’t Solve the Root Issue

A typical reaction from platform engineers is to write a script that helps automate these tasks. While this reduces some manual effort, it doesn’t eliminate the costly back-and-forth between developers and platform teams. The interruptions continue, context switching remains, and the fundamental inefficiencies persist.

Now, imagine taking that script and embedding it into a fully automated process that considers the entire developer experience.

The Solution: Automate the Process, Not Just the Task

We can simplify it like this:

By providing a self-service interface, developers can request common services without interrupting anyone. If necessary, approval steps can be added, and validation checks can ensure input accuracy. By automating the entire process, we eliminate all unnecessary communication between teams.

In the early stages, simplicity is key. For instance, you might start with a GitHub Actions pipeline that developers can trigger on demand, serving as a straightforward self-service interface. As your team gains experience and your processes mature, you can explore more advanced interface options to further streamline operations.

Even if the initial process isn’t perfect, having a process in place is always better than having none at all—it creates a foundation that you can continuously improve.

The benefits extend beyond just saving time:

✅ Clear traceability – Every request and approval is logged.
✅ Improved security – Compliance can be built into the process itself.
✅ Defined business processes – Security teams and stakeholders can refine automation rather than fight ad-hoc scripts.

If security is unhappy with how something is automated? No problem—the process can be improved. If the user experience is lacking? Refine the workflow. This is where the real value of automation begins to take effect.

Automation as a Business Value Driver

One of the biggest challenges platform engineers face is communicating the value of their work to stakeholders. Automating IT processes makes this easier by providing clear, measurable benefits.

Without a structured, automated workflow, each request costs nearly 10,000 NOK in lost productivity. Multiply that by an estimated 500 requests per year, and the total yearly cost approaches 5 million NOK—just for a single process!

Let’s break down the numbers using the app registration process as an example:

Cost Breakdown for One App Registration Request

1️⃣ Developer Time

Total Process Time: 5 hours
Hourly Rate: 1500 NOK/hour
Total Cost: 5 hours * 1500 NOK = 7,500 NOK

2️⃣ Interruption Costs (Context Switching & Actual Work)

Tech Lead: 23 minutes ≈ 0.38 hours
Platform Engineer One: 23 minutes ≈ 0.38 hours
Platform Engineer Two: 23 minutes (interruptions) + 30 minutes (actual work) ≈ 0.88 hours

Total Interruption Time:
0.38 + 0.38 + 0.88 = 1.64 hours

Total Cost: 1.64 hours * 1500 NOK = 2,460 NOK

3️⃣ Total Cost for One Request

Total Cost: 7,500 NOK + 2,460 NOK = 9,960 NOK

Yearly Cost Impact

Number of App Registrations per Year: 500
Total Yearly Cost:
500 * 9,960 NOK = 4,980,000 NOK

Take a moment to consider this:
Each app registration request costs nearly 10,000 NOK. Multiply that by 500 requests a year, and you're facing almost 5 million NOK in annual expenses. This stark figure shows how even minor inefficiencies—like repeated context switching and manual interventions—will result in massive, unnecessary expenses. Streamlining these processes through automation isn’t just about saving time; it’s about saving a substantial amount of money.

The Hidden Benefit: Platform Engineers Win Too

Beyond the cost savings, platform engineers benefit directly:
✅ Less context switching
✅ Fewer repetitive tasks
✅ More time to focus on higher-impact automation

By shifting from task automation to process automation, organizations can save money, improve security, and accelerate development—all while making life easier for everyone involved.

The Best Part? The Cost Can Be Reduced to Practically Zero

By investing in process automation, this 5 million NOK cost can be reduced to nearly zero. The solution isn’t just about automation—it’s about building scalable, efficient processes that eliminate waste at its core.

Automating Azure PIM Role Elevation with PowerShell

Øystein — Sat, 01 Feb 2025 10:31:41 GMT

Azure Privileged Identity Management (PIM) is a crucial security feature that enables just-in-time role elevation for both Azure resources and Azure Entra roles. While this significantly enhances platform security by eliminating permanent active assignments, the traditional portal-based elevation process can introduce inefficiencies into development workflows.

The Challenge with Portal-Based Elevation

The Azure Portal interface for PIM, while functional, presents several operational friction points:

Time-consuming role selection, especially with multiple assignments
Significant context switching for developers working primarily in PowerShell
Interrupted development flow when managing multiple role elevations

A PowerShell-Based Solution

For developers who primarily work in PowerShell, here's a solution that simplifies the role elevation process:

param(
   [Parameter()]
   [string]$SubscriptionId,

   [Parameter()]
   [string[]]$RoleDefinitionName = @("Contributor", "User Access Administrator"),

   [Parameter()]
   [string]$Justification = "Local development",

   [Parameter()]
   [int]$DurationInHours = 8
)

$ErrorActionPreference = "Stop"

$currentContext = Get-AzContext

ForEach ($role in $RoleDefinitionName) {
   Write-Verbose "Elevating to role $role on subscription $SubscriptionId for $DurationInHours hours" -Verbose:$true
   $roleDefinitionId = (Get-AzRoleDefinition -Name $role).Id
   $inputObject = @{
       Name = [guid]::NewGuid().ToString()
       Scope = "/subscriptions/$subscriptionId/"
       ExpirationDuration = "PT${DurationInHours}H"
       ExpirationType = "AfterDuration"
       PrincipalId = (Get-AzAdUser -Mail $currentContext.Account.Id).Id
       RequestType = "SelfActivate"
       RoleDefinitionId = "/subscriptions/$SubscriptionId/providers/Microsoft.Authorization/roleDefinitions/$roleDefinitionId"
       ScheduleInfoStartDateTime = Get-Date -Format o
       Justification = $Justification
       Verbose = $false
   }

   New-AzRoleAssignmentScheduleRequest @inputObject
}

Implementation Guide

Save the script as Elevate-PimRole.ps1
Execute with your subscription ID:

./Elevate-PimRole.ps1 -SubscriptionId xxxxxxxx-xxxx-xxxx-xxxxxxxx

Important Considerations

The default configuration elevates both Contributor and User Access Administrator roles
The script assumes subscription-level scope; modify the scope parameter for resource group-level operations
Default elevation duration is set to 8 hours
Custom justification messages can be provided via the -Justification parameter

This approach maintains security while significantly improving developer productivity by eliminating unnecessary context switching and portal navigation.