Creation of Azure AD users with Graph API (triggered by a Power Automate or Logic Apps flow)

In this blog, I will explain how to create Azure AD users with Graph API, triggered by a Power Automate flow (you can also use Logic Apps). The next step is to assign licenses to the created user with a PowerShell script in Azure Automation and to send notifications when there are no longer enough available licenses in the tenant.

PART 1: Creation of the user

PART 2: Assign licenses to the user with PowerShell and Azure Automation

PART 3: Overview of the Power Automate Flow

Creation of the User

You can create a SharePoint list or a Microsoft Form to enter the required information about the user, e.g. first name, last name, job title, department,… Once the information is submitted, a Power Automate flow will be triggered to start the user creation process.

Graph API

To create the user with application permissions in Graph API, we need to create an app registration in Azure AD. You can follow this documentation to register an app.

The required permissions to create an Azure AD user are listed in the documentation of the API:

https://docs.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http#permissions

We need the permission “User.ReadWrite.All” to be added to the registered app. In the registered app, navigate to App Permissions and click on “Add a permission”:

Click on Microsoft Graph:

Select the Microsoft Graph API

Search for User.ReadWrite.All in the application permissions and click on “Add permissions” at the bottom:

ReadWrite application permissions

This permission requires consent from a global admin before we can use it for the user creation process. Click on “Grant admin consent” as a global admin.

Grant admin consent

Now we need a client secret to authenticate against the registered app. You can create this in the Certificates & secrets section of your app:

add New client secret

Copy the client secret somewhere safe, because you can only see it once. We need this client secret later. The other things we need are the Application ID and the Tenant ID. You can find them on the Overview page. Copy them as well:

Power Automate flow

Create a new flow and select the trigger you want to use for the process (for example SharePoint or Microsoft Forms).

Initialize 4 string variables; we will use them in an HTTP action to authenticate against our app in Graph. Paste the copied values of your client secret, tenant ID and client (application) ID into the variables.

The audience variable is https://graph.microsoft.com.

Add a new HTTP action and rename the action to “Create user in Azure AD”.

Fill in the URI and Headers as shown below in the screenshot. In the Body you need to fill in the (required) properties for the user. You can find all the properties that you can use in this documentation.

Important: the “usageLocation” property is required if you want to assign licenses later in the process. If you leave this empty, you will get an error when you assign licenses!

As you can see in the screenshot, I use information from a SharePoint list to populate the properties like Displayname, Surname,…

Remark: the mailNickname is just the display name of the user without any spaces. You can use the “Replace” function in Power Automate to replace the spaces with, for example, a period.

Now we need to authenticate against the app. Click on “Show advanced options” and select “Active Directory OAuth” in the Authentication box. Enter the Tenant, Audience, Client ID and Secret values with the variables created before.

Add a delay of 2 minutes to give Azure AD time to provision the user.

Now save your flow. Next step is to assign the licenses to the user.
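As an added example that is not part of the original post, the token request and the POST to /users that the “Create user in Azure AD” HTTP action performs, written as a stand-alone PowerShell script so you can test the app registration outside the flow. It assumes the tenant ID, client ID and client secret are supplied through environment variables (AAD_TENANT_ID, AAD_CLIENT_ID, AAD_CLIENT_SECRET are names chosen here), uses the v2.0 token endpoint with the .default scope (equivalent to the audience setting in the flow), and the sample user values and the domain contoso.example are constructed.

```powershell
# Added example: the token request and POST /users call that the "Create user in Azure AD"
# HTTP action performs, as a stand-alone script for testing the app registration.
# Assumption: tenant ID, client ID and client secret come from environment variables
# (names chosen here); the secret is never written into the script or the flow definition.
$TenantId     = $env:AAD_TENANT_ID
$ClientId     = $env:AAD_CLIENT_ID
$ClientSecret = $env:AAD_CLIENT_SECRET

# Client-credentials token; the .default scope covers the consented application permissions
# (here User.ReadWrite.All) of the app registration. Invoke-RestMethod sends the hashtable
# as a form-urlencoded body, which is what the token endpoint expects.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# Constructed sample input, as it would arrive from the SharePoint list or form
$firstName = 'Jane'; $lastName = 'Doe'; $department = 'Finance'; $domain = 'contoso.example'
$displayName  = "$firstName $lastName"
$mailNickname = ($displayName -replace '\s+', '.').ToLower()   # same as the Replace() step in the flow

# Random initial password that must be changed at first sign-in (never a fixed default)
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)

$body = @{
    accountEnabled    = $true
    displayName       = $displayName
    givenName         = $firstName
    surname           = $lastName
    department        = $department
    mailNickname      = $mailNickname
    userPrincipalName = "$mailNickname@$domain"
    usageLocation     = 'BE'    # required for the license assignment later in the process
    passwordProfile   = @{
        forceChangePasswordNextSignIn = $true
        password                      = $initialPassword
    }
} | ConvertTo-Json -Depth 3

$newUser = Invoke-RestMethod -Method Post -Uri 'https://graph.microsoft.com/v1.0/users' `
    -Headers $headers -ContentType 'application/json' -Body $body
Write-Output "Created $($newUser.userPrincipalName) (objectId $($newUser.id))"
```

The JSON body is the same set of properties the flow's HTTP action sends; if usageLocation is omitted here, the later license assignment fails exactly as described above.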

Assign licenses to the user with PowerShell and Azure Automation

Remark: you can also assign licenses by using dynamic membership Azure AD groups, but this requires an Azure AD P1 license for each user that is a member of a dynamic group.

Azure Automation

Prerequisites: you need an active Azure Subscription and an Azure Automation Account. Instructions for creating one can be found here.

In your Automation Account, you need to import the module “AzureAD” to connect to it in the PowerShell script.

Add a new credential to authenticate to Azure AD in your Automation Account. This account needs sufficient permissions to be able to assign licenses to the user!

We will now create a new Runbook where the PowerShell script will be saved and triggered by the Power Automate flow.

Now add the script below to your Runbook. We want to assign the licenses MICROSOFT 365 BUSINESS BASIC (O365_BUSINESS_ESSENTIALS) and Microsoft Defender for Office 365 (ATP_ENTERPRISE) to the user. A list of all licenses and their corresponding internal names can be found here.

param
(
    [Parameter(Mandatory=$true)]
    [string]$user   # The UPN of the new user; passed in by the Power Automate flow
)

# Get the Office 365 credential stored in the Automation Account and connect to Azure AD
# (Out-Null keeps the connection details out of the job output that the flow parses)
$cred = Get-AutomationPSCredential -Name 'Office 365 - Azure AD'
Connect-AzureAD -Credential $cred | Out-Null

# Check whether the needed licenses are still available; if not, report and stop the script.
# The flow looks for "Result:Failed" in the job output.
$neededlicenses = @("O365_BUSINESS_ESSENTIALS", "ATP_ENTERPRISE")
foreach ($neededlicense in $neededlicenses)
{
    $availablelicenses = Get-AzureADSubscribedSku |
        Select-Object SkuPartNumber, ConsumedUnits -ExpandProperty PrepaidUnits |
        Where-Object { $_.SkuPartNumber -eq $neededlicense }
    # A SKU that is not present in the tenant yields 0 here and is reported as missing as well
    $countavailablelicenses = $availablelicenses.Enabled - $availablelicenses.ConsumedUnits
    Write-Output "${countavailablelicenses}: $neededlicense"
    if ($countavailablelicenses -lt 1)
    {
        Write-Output "Result:Failed (not enough licenses)"
        Write-Output "Description: LicensesNeeded for $neededlicense"
        exit
    }
}

# Get the assigned licenses of a template user. This is useful if you want to assign, for example,
# the license MICROSOFT 365 BUSINESS BASIC but without the service plans for Power Apps, Stream,…
$TemplateUser = "templateuser@email.be"
$AssignedLicenses = Get-AzureADUser -ObjectId $TemplateUser | Select-Object -ExpandProperty AssignedLicenses
# All service plans the template user actually has; plans of a SKU that are missing here get disabled
$DesiredServicePlan = Get-AzureADUser -ObjectId $TemplateUser | Select-Object -ExpandProperty AssignedPlans

foreach ($AssignedLicense in $AssignedLicenses)
{
    # Get the SKU (and all service plans it contains) for this assigned license
    $StandardLicense = Get-AzureADSubscribedSku | Where-Object { $_.SkuId -eq $AssignedLicense.SkuId }
    # Service plans of the SKU that the template user does not have are the plans to disable
    $DisabledPlans = $StandardLicense.ServicePlans |
        Where-Object { $_.ServicePlanId -notin $DesiredServicePlan.ServicePlanId }

    # Compose the new license without the disabled plans
    $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $License.SkuId = $StandardLicense.SkuId
    $License.DisabledPlans = $DisabledPlans.ServicePlanId
    $LicensesToAssign = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $LicensesToAssign.AddLicenses = $License

    # Assign the license to the new user
    Write-Output "Assigning $($StandardLicense.SkuPartNumber) to $user"
    Set-AzureADUserLicense -ObjectId $user -AssignedLicenses $LicensesToAssign
}

Publish the runbook:

Power Automate flow

Return to your Power Automate flow and add a new action: “Create job” from Azure Automation.

Add another action which gets the output from the script in your runbook:

Add a new condition which checks whether there are enough licenses. In the Yes branch, add a “Do until” action. This action will send an approval email if there are not enough licenses to assign, until someone from IT has added sufficient licenses to the tenant to assign to the new user.

Don’t forget to change the Timeout limit in the Do Until to PT720H, otherwise this action will stop after 1 hour!

Once someone from IT has bought the required amount of licenses and clicks on Approve, we will start the PowerShell script again to assign the licenses to the user.

Remark: let’s say IT has clicked on Approve but didn’t buy the required license. The script will fail again and a new approval mail will be sent to IT. That’s why we have added a Do Until to the workflow: the Do Until action only stops once the licenses have been assigned successfully.

Overview of the Power Automate flow
