Learning to manage expectations is a skill for managing people – and when linked to IT processes.
One of the useful features for automating processes with Azure Logic Apps is the trigger functionality in many connectors. A trigger defines an event to automatically launch a workflow. In the previous article, we looked at tutorials that, while still very useful, required triggering the workflow through a script. The following Azure Logic Apps samples demonstrate how to automate processes by responding to events that we expect to occur. This tutorial shows how to create a workflow to provision access in Microsoft Teams and SharePoint Online, then how to create another workflow that monitors a group for Azure Active Directory membership changes and sends a notification when a user is added or removed.
How to provision access with Azure Logic Apps
Typically, a team and department are tracked through groups in Azure Active Directory, possibly synced from an on-premises Active Directory. Groups can also be used for a multitude of IT-managed scenarios, such as accessing file shares, shared mailboxes, or resource groups in Azure.
Azure Logic Apps can extend this further to provision access to a team in Microsoft Teams or a folder in SharePoint.
How to use triggers in Azure Logic Apps
The following Azure Logic Apps examples use a trigger when a user is added or removed from a group in Azure Active Directory. To get started, create an empty Azure Logic App and for the trigger find Office 365 Groups. Select the called trigger When a group member is added or removed.
Then select the group. After you authenticate with Office 365 in the Azure Logic App, you don’t need to know the group ID. Simply click in the Group ID drop-down list to load the groups. If you have many groups in your Office 365 tenant to sort through, you can use a faster method by clicking on the group in the admin center to view the group ID in the URL.
After selecting the group, set the polling period. Each time the Azure Logic application polls the group, you will be charged for one run if you are on a consumption plan. If there is no change, the fee only applies to one action, which is minimal.
How to determine group changes
A trigger occurs when members are added or removed. To adjust this setting so that it works only when members are added, add a condition statement. Condition statements are part of the Control Shares.
To understand how to filter only member additions, find the output of When a group member is added or removed looks like. You can check the documentation for this trigger, but it’s not clear what the data will look like. Instead, you can run a test run of the workflow and collect data from the run history. To get started, remove a user from this group, then trigger the workflow with the Run Trigger > Run selection.
Go back to Insight Azure logic app page and open the Execution history.
Click on the top item in the list, which should take you to a new page with indicators for the execution status of each action. Click on the When a group member is added or removed trigger. Scroll down for the The exits section and look for a labeled area Body.
Perform the same process again after adding a user to the group to see the difference in the Body section.
This investigative work shows us that if the @deleted property exists and is not empty, the user has been deleted.
Return to Azure Logic App and convert it to a conditional statement.
Open the Condition action in the workflow and click Choose a valuethen click on the Expression tab in the pop-up window.
In the Expression box, paste the following:
empty(triggerBody() ?[‘@removed’])
This refers to the @deleted property found earlier in the trigger body. Use the empty() expression to return true if empty or false if not. Then select Choose a value on the Condition action on the right.
Navigate to the Expression tab again and type true and knock OKAY. The complete condition statement should look like the screenshot in Figure 8.
Now whenever the trigger runs and finds that a user has been added to the group, the expression will return true and all shares placed in the True the section will be executed.
How to add the user to a team in Microsoft Teams
In the True condition statement section add in Microsoft Teams Add a member to a team stock.
For the team, click in the box and search for the team to add the user. In the A user AAD ID that the user can add to the team zone, reference the user ID from the trigger.
Now when a user is added to the group, they will be added to that team in Microsoft Teams.
Provision access to a folder in SharePoint Online
To add the user to a folder in SharePoint, you need two things: the user’s email address and the folder ID in SharePoint. Use the SharePoint connector to create the workflow.
To get the user’s email address, use the Get user profile (V2) action and find the user based on the trigger user ID. To add mail to Select fields setting.
Then use the SharePoint>Get Folder Metadata option to search folder ID; you need two things: the site address for the SharePoint site in the format https://domain.sharepoint.com/sites/sitename and the folder path in the format /Folder/Folder. The example shown in Figure 11 uses the Integration documents folder in the Shared documents library.
If you don’t know the folder path, click the folder icon and browse for the folder to find it.
Then use the SharePoint > Grant access to an item or folder action with the same site address. With this information in action, you can then search for the List or library name by clicking on the drop-down menu.
Next, we need the folder ID. Select Item ID from Get folder metadata stock.
Then for the Recipientsselect Mail of Get user profile (V2).
Click on to safeguard to complete the workflow construction process.
How to Test SharePoint Online Automated Workflow
To test the workflow, add a user to the group and wait for the time defined in the trigger or start the workflow with the Run trigger button. You can either wait on the same page for a few seconds or check the execution history to see the status of the workflow. If successful, the run should have green checkmarks at each step in the Azure Logic App.
How to configure automated notifications with Azure Logic Apps
Apart from provisioning access with a group change, you can also send an email notification whenever a group change occurs. This is useful for tracking important group membership changes, such as a group used to assign the global administrator role.
Using the same trigger and condition we created earlier, add an action on either side of the condition and move the Get user profile (V2) above condition. For this tutorial, use Office 365 Outlook > Send Email (V2).
In the True and Fake blocks, add the notification action and fill in the parameters. This example sends an email to [email protected] with information indicating whether the user was added or deleted.
Completed Azure Logic Apps workflow now automatically audits group changes.
Azure Logic Apps paves the way for more automation possibilities
These Azure Logic Apps samples should help you follow the steps and triggers to create an automated workflow suitable for your organization. For more inspiration, it’s worth looking at the full list of connectors on Microsoft’s site to browse the triggers and actions for each platform.
