
These sample Azure Logic Apps meet your administrative needs

Learning to manage expectations is a skill for managing people, and it applies just as well to IT processes.

One of the useful features for automating processes with Azure Logic Apps is the trigger functionality in many connectors. A trigger defines an event to automatically launch a workflow. In the previous article, we looked at tutorials that, while still very useful, required triggering the workflow through a script. The following Azure Logic Apps samples demonstrate how to automate processes by responding to events that we expect to occur. This tutorial shows how to create a workflow to provision access in Microsoft Teams and SharePoint Online, then how to create another workflow that monitors a group for Azure Active Directory membership changes and sends a notification when a user is added or removed.

How to provision access with Azure Logic Apps

Typically, a team and department are tracked through groups in Azure Active Directory, possibly synced from an on-premises Active Directory. Groups can also be used for a multitude of IT-managed scenarios, such as accessing file shares, shared mailboxes, or resource groups in Azure.

Azure Logic Apps can extend this further to provision access to a team in Microsoft Teams or a folder in SharePoint.

How to use triggers in Azure Logic Apps

The following Azure Logic Apps examples use a trigger that fires when a user is added to or removed from a group in Azure Active Directory. To get started, create an empty Azure Logic App and, for the trigger, search for Office 365 Groups. Select the trigger called When a group member is added or removed.

Figure 1. To start configuring Azure Logic Apps, configure the trigger when a user is added or removed from a group.

Then select the group. After you authenticate with Office 365 in the Azure Logic App, you don’t need to know the group ID. Simply click in the Group ID drop-down list to load the groups. If you have many groups in your Office 365 tenant to sort through, you can use a faster method by clicking on the group in the admin center to view the group ID in the URL.

After selecting the group, set the polling interval. Each time the Logic App polls the group, you are charged for one run if you are on a consumption plan. If there is no change, the charge covers only the trigger action, which is minimal.

Figure 2. One way to find the group ID in the Office 365 tenant is to check the section of the URL that relates to the group in the admin center.

How to determine group changes

The trigger fires when members are added or removed. To make the workflow act only when members are added, add a Condition action. Condition actions are found under the Control group of actions.

Figure 3. Add a condition statement so the workflow continues only when a member is added to a group.

To filter for member additions only, you first need to find out what the output of the When a group member is added or removed trigger looks like. You can check the documentation for this trigger, but it does not make the shape of the data clear. Instead, run a test of the workflow and collect the data from the run history. To get started, remove a user from the group, then trigger the workflow with the Run Trigger > Run selection.

Go back to the Overview page of the Azure Logic App and open the Runs history.

Figure 4. Review the Runs history section to gather information about group member removals.

Click the top item in the list, which opens a new page showing the execution status of each action. Click the When a group member is added or removed trigger. Scroll down to the Outputs section and look for the area labeled Body.

Figure 5. The trigger of the Azure Logic App has a Body section that shows the data related to the removal of a group member.

Perform the same process again after adding a user to the group to see the difference in the Body section.

Figure 6. Add a user and run the workflow to see the difference in the trigger Body section.

This investigative work shows that if the @removed property exists and is not empty, the user has been removed; if it is absent, the user has been added.

Return to the Azure Logic App and turn this finding into a condition statement.

Open the Condition action in the workflow, click Choose a value, then click the Expression tab in the pop-up window.

Figure 7. Create a condition statement based on the data collected when adding and removing a group member.

In the Expression box, paste the following:

empty(triggerBody()?['@removed'])

This refers to the @removed property found earlier in the trigger body. The ?[] lookup returns null if the property is missing, and the empty() function returns true if the value is empty (or null) and false if not. Then select Choose a value on the right-hand side of the Condition action.

Go to the Expression tab again, type true and click OK. The complete condition statement should look like the screenshot in Figure 8.

Figure 8. In the condition statement, use the Expression section to control what happens in the workflow when a user is added to a group.

Now whenever the trigger runs and finds that a user has been added to the group, the expression returns true and all actions placed in the True section are executed.

How to add the user to a team in Microsoft Teams

In the True section of the condition statement, add the Microsoft Teams action Add a member to a team.

Figure 9. Complete the Azure Logic Apps workflow to add a user to a team in Microsoft Teams when the user is added to a group.

For the team, click in the box and search for the team the user should be added to. In the A user AAD ID for the user to add to a team field, reference the user ID from the trigger.

Now when a user is added to the group, they will be added to that team in Microsoft Teams.

Provision access to a folder in SharePoint Online

To add the user to a folder in SharePoint, you need two things: the user’s email address and the folder ID in SharePoint. Use the SharePoint connector to create the workflow.

To get the user's email address, use the Get user profile (V2) action and look up the user by the user ID from the trigger. Add mail to the Select fields setting.

Figure 10. To grant access to the SharePoint folder with a workflow, start with the user's email address.

Then use the SharePoint > Get folder metadata action to look up the folder ID. It needs two things: the site address of the SharePoint site, in the format https://domain.sharepoint.com/sites/sitename, and the folder path, in the format /Folder/Folder. The example shown in Figure 11 uses the Integration documents folder in the Shared documents library.

Figure 11. Gathering SharePoint folder information in the workflow.

If you don’t know the folder path, click the folder icon and browse for the folder to find it.

Then use the SharePoint > Grant access to an item or folder action with the same site address. Once the site address is entered in the action, you can choose the List or library name from the drop-down menu.

Next, we need the folder ID. Select Item ID from the Get folder metadata action.

Figure 12. Add the ItemId of the SharePoint folder from the Get folder metadata action.

Then for Recipients, select Mail from Get user profile (V2).

Click Save to complete the workflow.

How to Test SharePoint Online Automated Workflow

To test the workflow, add a user to the group and wait for the time defined in the trigger or start the workflow with the Run trigger button. You can either wait on the same page for a few seconds or check the execution history to see the status of the workflow. If successful, the run should have green checkmarks at each step in the Azure Logic App.

Figure 13. Test the Azure Logic Apps workflow to see whether each step works correctly.

How to configure automated notifications with Azure Logic Apps

Apart from provisioning access with a group change, you can also send an email notification whenever a group change occurs. This is useful for tracking important group membership changes, such as a group used to assign the global administrator role.

Using the same trigger and condition created earlier, add an action on both branches of the condition and move the Get user profile (V2) action above the condition. For this tutorial, use Office 365 Outlook > Send an email (V2).

In both the True and False blocks, add the notification action and fill in the parameters. This example sends an email to the security team's mailbox with information indicating whether the user was added or removed.

Figure 14. When a user is added or removed, the Azure Logic Apps workflow automatically sends an email to the organization's security team.

The completed Azure Logic Apps workflow now automatically audits group changes.
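The condition built in the section on determining group changes and the True/False notification branches described just above both hinge on one detail: whether the trigger body carries a non-empty @removed property. The following Python script is an added example, not code from the article or from Microsoft; it models the two Workflow Definition Language behaviours the expression empty(triggerBody()?['@removed']) relies on (the null-propagating ?[] lookup and empty(), which is assumed here to treat null as empty) and runs them over constructed trigger bodies shaped like the Microsoft Graph delta records the trigger returns. The IDs, group name and mailbox are made up. It also covers the edge case a reviewer of run history should know about: a body where @removed is present but empty is routed down the "added" branch.

```python
"""Simulate the Logic App condition and audit notification for group changes.

Added example, not part of the original article. Models the expression
empty(triggerBody()?['@removed']) and the email text the True/False branches
would send, so the branching can be checked offline against sample payloads.
"""
from typing import Any, Optional

# Constructed sample trigger bodies, shaped like the Microsoft Graph delta
# records behind "When a group member is added or removed". IDs are made up.
MEMBER_ADDED = {
    "@odata.type": "#microsoft.graph.user",
    "id": "11111111-2222-3333-4444-555555555555",
}
MEMBER_REMOVED = {
    "@odata.type": "#microsoft.graph.user",
    "id": "11111111-2222-3333-4444-555555555555",
    "@removed": {"reason": "deleted"},
}
# Edge case: the marker is present but empty. The article's expression
# classifies this as an addition, which matters when you audit run history.
MEMBER_REMOVED_EMPTY_MARKER = {
    "@odata.type": "#microsoft.graph.user",
    "id": "11111111-2222-3333-4444-555555555555",
    "@removed": {},
}


def safe_lookup(body: Optional[dict], key: str) -> Any:
    """Model triggerBody()?[key]: a null body or missing key yields None."""
    if body is None:
        return None
    return body.get(key)


def wdl_empty(value: Any) -> bool:
    """Model empty(): true for null (assumed), '', [] and {}; false otherwise."""
    if value is None:
        return True
    if isinstance(value, (str, list, dict)):
        return len(value) == 0
    return False


def member_was_added(trigger_body: Optional[dict]) -> bool:
    """Evaluate empty(triggerBody()?['@removed']) the way the workflow does."""
    return wdl_empty(safe_lookup(trigger_body, "@removed"))


def build_notification(trigger_body: dict, group_name: str, user_mail: str) -> dict:
    """Build the audit email that the True or False branch would send.

    user_mail stands in for the Mail output of Get user profile (V2), and
    group_name for the group the trigger is configured to watch.
    """
    added = member_was_added(trigger_body)
    action = "added to" if added else "removed from"
    return {
        "branch": "True" if added else "False",
        "subject": f"Group membership change: {group_name}",
        "body": (
            f"User {user_mail} (id {trigger_body['id']}) was {action} "
            f"group {group_name}."
        ),
    }


if __name__ == "__main__":
    for sample in (MEMBER_ADDED, MEMBER_REMOVED, MEMBER_REMOVED_EMPTY_MARKER):
        print(build_notification(sample, "GlobalAdmins", "user@example.com"))
```

Running the script prints one notification per sample; the third sample shows why an empty @removed object lands in the True branch, so a workflow that must never miss a removal should be tested against that shape as well as the two the article collects from run history.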

Azure Logic Apps paves the way for more automation possibilities

These Azure Logic Apps samples should help you follow the steps and triggers to create an automated workflow suitable for your organization. For more inspiration, it’s worth looking at the full list of connectors on Microsoft’s site to browse the triggers and actions for each platform.