My flowbies! I want to trigger a Flow based on someone being added to an Azure AD Group. This doesn’t appear to be possible currently, as the Azure AD connector has no triggers. Am I correct?
Andrew Bibby
Hold my beer
Microsoft Graph API contains the subscription feature where you can create subscriptions where a listener application receives notifications when the changes occur in the specified resource.
The process involves the following steps:
- Create the notification endpoint Flow
- Create an app in Azure AD
- Create a subscription
Let’s dig in.
Notification endpoint Flow
Creating a subscription requires a notification endpoint that must satisfy certain validation requirements, namely return a validationToken passed as a query parameter.
![](https://crmtipoftheday.com/wp-content/uploads/2019/05/image-5-1024x677.png)
- Use HTTP request as a trigger. When the flow is saved, the trigger will contain a unique URL that we will need later.
- validationToken expression is triggerOutputs()?[‘queries’]?[‘validationToken’]. queries gives us access to the query string and then straight to the validationToken.
- When the token is passed as a query parameter, we are in the validation stage, actual notifications won’t have the parameter. So here we split our execution.
- We are asked to validate. As per requirements, return the token value in the plain text body. Flow takes care of all the required decoding.
- We are receiving a notification. For now we simply quickly return 202 response (Accepted). (If Microsoft Graph does not receive a 2xx code, it will retry the notification).
App in Azure AD
Creating app in Azure AD is very straightforward – just follow the documentation. Since we are subscribing to the group, we need to add Group.ReadAll permission for Graph API.
Subscriber Flow
I wish I could claim the technique of creating a subscription using Flow but the formidable John “Flow Ninja” Liu described the technique over a year ago :O. Just follow the steps and you’ll be all set. For a change, I decided to use Postman.
The easiest way to deal with authentication is to create a collection and set all requests within the collection to inherit the authentication token.
![](https://crmtipoftheday.com/wp-content/uploads/2019/05/image-6.png)
You’ll find all of the parameters in the app properties in Azure AD. And yes, callback URL does not really matter here but it’s required.
Once Postman has a token, sending request to subscribe to groups changes is a breeze:
![](https://crmtipoftheday.com/wp-content/uploads/2019/05/image-7.png)
You need to use Flow URL from step 1 as a notificationUrl, and set expirationDateTime to something in the future but not too far (less than 3 days). Note that times are in UTC.
Testing
After adding a user to one of the groups in Azure AD, you’ll see two
(hopefully) successful runs for the notification Flow. First one is a validation run (you can drill into it and check the validation token that was passed in). Second one is the real McCoy containing the following data in HTTP request body:
[
{
"changeType": "updated",
"clientState": "MaSekreet",
"resource": "Groups/deadbeef-dead-beef-dead-beef00000075",
"resourceData": {
"@odata.type": "#Microsoft.Graph.Group",
"@odata.id": "Groups/deadbeef-dead-beef-dead-beef00000075",
"id": "deadbeef-dead-beef-dead-beef00000076",
"organizationId": "deadbeef-dead-beef-dead-beef00000077",
"eventTime": "2019-05-07T11:08:15.4245258Z",
"sequenceNumber": 636928240954245200,
"members@delta": [
{
"id": "deadbeef-dead-beef-dead-beef00000088"
}
]
},
"subscriptionExpirationDateTime": "2019-05-07T15:37:48+00:00",
"subscriptionId": "deadbeef-dead-beef-dead-beef00000069",
"tenantId": "deadbeef-dead-beef-dead-beef00000096"
},
{
"changeType": "updated",
"clientState": "MaSekreet",
"resource": "Groups/deadbeef-dead-beef-dead-beef00000075",
"resourceData": {
"@odata.type": "#Microsoft.Graph.Group",
"@odata.id": "Groups/deadbeef-dead-beef-dead-beef00000075",
"id": "deadbeef-dead-beef-dead-beef00000076",
"organizationId": "deadbeef-dead-beef-dead-beef00000077",
"eventTime": "2019-05-07T11:08:15.4245258Z",
"sequenceNumber": 636928240954245200
},
"subscriptionExpirationDateTime": "2019-05-07T15:37:48+00:00",
"subscriptionId": "deadbeef-dead-beef-dead-beef00000069",
"tenantId": "deadbeef-dead-beef-dead-beef00000096"
}
]
That’s a lot to digest but members@delta is the magic data that tells us that a user has been added to the group. I’ll save digesting this json for another day.
Here you go, Andy!
Cover photo by Lance Anderson
[…] Subscribe to AD changes using Flow […]
What does it mean when a user is added to a group, but I don’t get the “members@delta” – it doesn’t even exist in the request? I’ve been trying to figure it out for weeks now…