top of page

Automating license assignment with Power Automate

Updated: Jul 11, 2023


A man with his thumbs up and images of Azure, Power Automate and Microsoft Entra


Hey,


How are you?


Now, don't get scared about the title. Yes, I know licensing can bring out the dread in the best of us, but this post is more about how we can automate the provisioning of licensing to a user.


Don't want to read the post, well you can watch the video instead:





Introduction to Automating license assignment with Power Automate


What is the requirement?


Great question. We are automating license assignment with Power Automate.


Let's write a couple of user stories for it:


As an M365 admin, I want to be able to automate the approved assignment of a license to a user, so that the user in question has the access they require.


We can also write another one from the perspective of the end user:


As a user, I want to be able to request the provisioning of a license which goes through an approval process, so that when approved I get access to the item I have requested.


I have a couple of things to call out here:


  1. We are going to need somewhere to store our license requests.

  2. As admins, we will want to be able to see the progress of these requests.

  3. As a user we want them to be able to submit a request for a license.

  4. As a user we want to be able to be notified that the approval/license request has been approved/rejected.



Storing the license requests


Let's jump over to https://make.powerapps.com and create a solution to host all of this. Let's call it License Assignment:



Screenshot of Solutions in Dataverse

Inside that solution, let's create a table and call it License Assignment.


Now that the table has been created, we need to create a few extra columns:


  • Approval Status - a choice field with New, In Progress, Approved and Rejected as options

  • User - a lookup field to the Azure Active Directory User (AAD User) table to be able to assign users to license assignment requests.

  • License Assignment ID - An autonumber, optional field, to store the ID of the request.


Viewing license requests


We also need to create Model Driven app, let's call this License Assignments and then choose the License Assignment Dataverse table.


Configure the view and the form with the elements above.


View:



Screenshot of a view in a Model Driven App


Form:



Screenshot of a form in a Model Driven App


Creating the Azure AD Security group


Head over to https://entra.microsoft.com, this is the one-stop shop for all your identity and security needs. It is here we are going to create the Security group, that can have the license attached and can then have members added to it.


Go to Groups > All Groups and then click on New Group.


Group Type = Security

Group Name = Whatever group name you want to give it, I would prefix it with SG-

Group Description: Add a description


Ensure you or an admin are the group owner, then click create.



Screenshot of the New Group setup in Microsoft Entra

Once the security group is created, open the group up, click on Licenses on the left-hand side and click on +Assignments in the ribbon.


Choose the license you want to give to members of this group and click save:



Selecting licenses in Microsoft Entra to be applied to the newly created Security group

Microsoft Form to submit requests


Head over to https://forms.microsoft.com and create a very basic form (keeping it simple in this case) to capture the fact the person wants a license.


For example:



Microsoft Form setup

Also, ensure in the settings of the form the "Only people in my organization can respond" is checked.


Power Automate Cloud Flow


Head back over to our solution in https://make.powerapps.com and click on New > Automation > Cloud Flow > Automated.


For the name, call the flow - "Assign Power Platform Security Group". For the first step, choose "When a new response is submitted" - part of the Microsoft Forms connector.


Choose the form you created above as the Form ID:



Power Automate - When a new response is submitted trigger

Add a new step, the "Get Response details" action, and choose the same form again for Form ID and the Response ID, select that from the dynamic content:



Power Automate - get response details action

Next, we need to get some more details about the user. Add another step and search for the "Get user profile (v2)". Select it, and for the User (UPN) choose the Respondent's email from the dynamic content:



Power Automate - get user profile action

Next, click new step and add an "Add a row" from the Dataverse connector step. Rename the step to "Add a new row to the License Assignment table". Choose the License Assignments table, and set the Approval Status drop down to In Progress.


We need to populate the User (AAD Users) field, as this is a lookup, we need to reference the entity set name followed by the ID coming from the Get User Profile (v2), please see the screenshot below:




Power Automate - Add a row Dataverse action


Next, we need to create the approval step. Click New Step and search for "Start and Wait for an approval", complete the parts as shown in the screenshot below, remember for testing pop your email address in the Assigned to field:


Power Automate - Start and wait for an approval action

Next, we need a condition to check to see if the Approval has been approved.



Power Automate - conditional logic

The next steps are going to be in the Yes branch of the condition.


Add an "Update a row" Dataverse step, and choose the License Assignments table. For the Row ID, choose the unique reference from the initial Dataverse step - License Assignment, set the Approval Status to Approved.




Power Automate - Update a row Dataverse action

Next, we need to add an "Add user to group" Azure AD step. In the Group ID, copy the object ID from the Security Group overview page, and paste it in here. For simplicity, I have hardcoded the group ID.


For the User ID, use the ID field in Dynamic Content coming from the "Get User profile (v2)" step:



Power Automate - Add user to a group Azure AD action

Next, we can send an email to the user to say that they have access to the license and resource.



Power Automate - Send an email action


For the No branch of the condition. Add an "Update a Row" Dataverse action, to set the record's Approval Status to Rejected, and also send an email to the user to say their request has been rejected:



Power Automate - update a row, Dataverse action


The final step is to remove the user from the AD group.


Thanks a lot for reading, I hope this may have helped you.


If you have any questions, please reach out:


jon@jondoesflow.com

668 views0 comments

Comments


bottom of page