
Automating license assignment with Power Automate

Updated: Jul 11, 2023


A man with his thumbs up and images of Azure, Power Automate and Microsoft Entra


Hey,


How are you?


Now, don't get scared about the title. Yes, I know licensing can bring out the dread in the best of us, but this post is more about how we can automate the provisioning of licensing to a user.


Don't want to read the post? You can watch the video instead:





Introduction to Automating license assignment with Power Automate


What is the requirement?


Great question. We are automating license assignment with Power Automate.


Let's write a couple of user stories for it:


As an M365 admin, I want to be able to automate the approved assignment of a license to a user, so that the user in question has the access they require.


We can also write another one from the perspective of the end user:


As a user, I want to be able to request the provisioning of a license which goes through an approval process, so that when approved I get access to the item I have requested.


I have a couple of things to call out here:


  1. We are going to need somewhere to store our license requests.

  2. As admins, we will want to be able to see the progress of these requests.

  3. Users need to be able to submit a request for a license.

  4. Users need to be notified when their license request has been approved or rejected.



Storing the license requests


Let's jump over to https://make.powerapps.com and create a solution to host all of this. Let's call it License Assignment:



Screenshot of Solutions in Dataverse

Inside that solution, let's create a table and call it License Assignment.


Now that the table has been created, we need to create a few extra columns:


  • Approval Status - a choice field with New, In Progress, Approved and Rejected as options

  • User - a lookup field to the Azure Active Directory User (AAD User) table to be able to assign users to license assignment requests.

  • License Assignment ID - An autonumber, optional field, to store the ID of the request.


Viewing license requests


We also need to create a Model Driven app. Let's call this License Assignments and then choose the License Assignment Dataverse table.


Configure the view and the form with the elements above.


View:



Screenshot of a view in a Model Driven App


Form:



Screenshot of a form in a Model Driven App


Creating the Azure AD Security group


Head over to https://entra.microsoft.com, the one-stop shop for all your identity and security needs. This is where we are going to create the security group that has the license attached and that members are then added to.


Go to Groups > All Groups and then click on New Group.


Group Type = Security

Group Name = Whatever group name you want to give it, I would prefix it with SG-

Group Description = Add a description


Ensure you or an admin are the group owner, then click create.



Screenshot of the New Group setup in Microsoft Entra

Once the security group is created, open the group up, click on Licenses on the left-hand side and click on +Assignments in the ribbon.


Choose the license you want to give to members of this group and click save:



Selecting licenses in Microsoft Entra to be applied to the newly created Security group

Microsoft Form to submit requests


Head over to https://forms.microsoft.com and create a very basic form (keeping it simple in this case) to capture the fact the person wants a license.


For example:



Microsoft Form setup

Also, in the settings of the form, ensure that "Only people in my organization can respond" is checked.


Power Automate Cloud Flow


Head back over to our solution in https://make.powerapps.com and click on New > Automation > Cloud Flow > Automated.


For the name, call the flow - "Assign Power Platform Security Group". For the first step, choose "When a new response is submitted" - part of the Microsoft Forms connector.


Choose the form you created above as the Form ID:



Power Automate - When a new response is submitted trigger

Add a new step, the "Get Response details" action. Choose the same form again for the Form ID and, for the Response ID, select it from the dynamic content:



Power Automate - get response details action

Next, we need to get some more details about the user. Add another step and search for the "Get user profile (v2)" action. Select it, and for the User (UPN) choose the Respondent's email from the dynamic content:



Power Automate - get user profile action

Next, click New Step and add an "Add a row" step from the Dataverse connector. Rename the step to "Add a new row to the License Assignment table". Choose the License Assignments table, and set the Approval Status drop-down to In Progress.


We need to populate the User (AAD Users) field. As this is a lookup, we need to reference the entity set name followed by the ID coming from the Get User Profile (v2) step. Please see the screenshot below:




Power Automate - Add a row Dataverse action


Next, we need to create the approval step. Click New Step and search for "Start and Wait for an approval". Complete the parts as shown in the screenshot below. Remember, for testing, pop your email address in the Assigned to field:


Power Automate - Start and wait for an approval action

Next, we need a condition to check whether the approval has been approved.



Power Automate - conditional logic

The next steps are going to be in the Yes branch of the condition.


Add an "Update a row" Dataverse step, and choose the License Assignments table. For the Row ID, choose the unique reference from the initial Dataverse step - License Assignment. Set the Approval Status to Approved.




Power Automate - Update a row Dataverse action

Next, we need to add an "Add user to group" Azure AD step. In the Group ID, copy the object ID from the Security Group overview page, and paste it in here. For simplicity, I have hardcoded the group ID.


For the User ID, use the ID field in Dynamic Content coming from the "Get User profile (v2)" step:



Power Automate - Add user to a group Azure AD action

Next, we can send an email to the user to say that they have access to the license and resource.



Power Automate - Send an email action


For the No branch of the condition, add an "Update a Row" Dataverse action to set the record's Approval Status to Rejected, and also send an email to the user to say their request has been rejected:



Power Automate - update a row, Dataverse action


The final step is to remove the user from the AD group.
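
Because the license hangs off the security group, group membership is the real entitlement, and anyone who can edit the group can grant a license without going through the approval. The following is an added example, not part of the original post, that reconciles an export of the License Assignment table against the group's member list. The field names `request_id`, `user_id` and `status`, the integer request numbering and all sample IDs are assumptions constructed for illustration.

```python
"""Reconcile License Assignment requests against security-group membership."""

APPROVED = "Approved"  # one of the Approval Status choices on the table


def latest_status_per_user(requests):
    """Return {user_id: status} taken from each user's newest request."""
    latest = {}
    # Assumption: request_id is an increasing autonumber, so sorting by it
    # means later requests overwrite earlier ones for the same user.
    for row in sorted(requests, key=lambda r: r["request_id"]):
        latest[row["user_id"].lower()] = row["status"]
    return latest


def reconcile(requests, group_member_ids):
    """Compare request outcomes with the actual members of the licensed group."""
    latest = latest_status_per_user(requests)
    members = {m.lower() for m in group_member_ids}
    approved = {u for u, s in latest.items() if s == APPROVED}
    return {
        # Holding the license without an approved request: added outside the
        # flow, or never removed after a rejection.
        "unapproved_members": {
            u: latest.get(u, "No request") for u in sorted(members - approved)
        },
        # Approved but not in the group: the "Add user to group" step failed.
        "approved_not_in_group": sorted(approved - members),
    }


# Constructed sample data (hypothetical object IDs, not real users).
USER_A, USER_B, USER_C, USER_D, USER_E = (
    f"aaaaaaaa-0000-0000-0000-00000000000{n}" for n in range(1, 6)
)
SAMPLE_REQUESTS = [
    {"request_id": 1, "user_id": USER_A, "status": "Approved"},
    {"request_id": 2, "user_id": USER_B, "status": "Rejected"},
    {"request_id": 3, "user_id": USER_C, "status": "In Progress"},
    {"request_id": 4, "user_id": USER_D, "status": "Approved"},
    {"request_id": 5, "user_id": USER_A, "status": "Rejected"},
    {"request_id": 6, "user_id": USER_B, "status": "Approved"},
]
SAMPLE_MEMBERS = [USER_A.upper(), USER_C, USER_D, USER_E]

if __name__ == "__main__":
    print(reconcile(SAMPLE_REQUESTS, SAMPLE_MEMBERS))
```

Run on a schedule against real exports, any entry under `unapproved_members` is a membership change that did not come from an approved request and is worth checking in the group's audit log.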


Thanks a lot for reading, I hope this may have helped you.


If you have any questions, please reach out:


jon@jondoesflow.com
