Office365 User Onboarding – MS Forms, Flow, SharePoint Online and Azure Automation

WARNING! This is a long post…

User onboarding is something IT departments have been doing for years; with the move to Office 365 the process has changed a little.

This post presents a guide on how to automate this process for Office 365.

Thanks to my #awesome colleague Tom-Inge Larsen for his #magical skill with PowerShell | https://blog.codesalot.com/

Thanks to Stefan Stranger, who shared the right way to start an Automation Runbook from a webhook | https://blogs.technet.microsoft.com/stefan_stranger/2017/03/18/azure-automation-runbook-webhook-lesson-learned/

Goal:

Create a “low code” solution using out-of-the-box services in Office 365 and Azure, to simplify the operational task of creating user accounts and assigning licenses.

Technology involved:

  • A valid Microsoft Office 365 and Azure subscription
  • MS Forms | A free tool used to capture data from simple forms and quizzes
  • MS Flow | A service that helps you create automated workflows between your favorite apps and services to synchronize files, get notifications, collect data and more
  • SharePoint Online | SharePoint helps you create portals such as intranets and extranets to securely collaborate and share information
  • Azure Automation | An Azure service used to configure and automate operational tasks across Azure and on-premises environments
  • Azure Automation Hybrid Runbook Worker | The Hybrid Runbook Worker feature is used to run runbooks directly on an on-premises computer that hosts the role, against local resources
  • PnP PowerShell | The community-driven SharePoint Patterns and Practices (PnP) project contains a library of PowerShell commands (PnP PowerShell) that lets you perform complex provisioning and artifact management actions against both SharePoint on-premises and Online
  • PowerShell, PowerShell, PowerShell | PowerShell helps system administrators and power users rapidly automate tasks that manage operating systems (Linux, macOS, and Windows) and processes

Steps involved:

  1. Creating MS Form
  2. Creating MS SharePoint List
  3. Creating MS Flow to collect responses from Forms
  4. Create an Azure Automation Account
  5. Deploy an Azure Automation Hybrid runbook Worker
  6. Create your PowerShell Runbook
  7. Create MS Flow to send web hook data to Azure Automation runbook
  8. Test your solution

Creating the MS Form

MS Forms is often used where anonymous data collection is required. In this solution, however, a form response ends up creating an account in local AD, so when you share the form restrict responses to people in your organisation: an anonymous link would let anyone who finds it feed the onboarding pipeline.

Log in to https://forms.office.com/ with your Office 365 credentials.

Create your form; when done, click Share, choose how users can respond, and copy the URL.

Creating SharePoint List

In SharePoint, create a custom list “Employee Information” with at least the same columns as your MS Form; this list will hold all responses collected through MS Forms. The sample runbook later in this post also expects a “Status” column and an “EmploymentStatus” column on the list, which it updates as it progresses.

Creating our first Flow

While in the “Employee Information” list, use the menu and click Flow | Create a flow.

Our first flow will be used to collect responses. In the template gallery, search for “SharePoint” or “Forms” and choose the template named “Record form responses in SharePoint”.

Validate the connections and click Continue.

Name your flow, then configure it to connect to the form ID from step one.

For each response, capture the response details, then create a new list item in the “Employee Information” list.

Save your flow and verify that it works by creating a few responses using the MS Form.

Creating Azure Automation Account

Before you can create an Azure Automation Account you need an active Azure subscription; if unsure, use a trial subscription.

Log in to https://portal.azure.com using your Office 365 global admin account, and subscribe to Azure.

Choose to Create a resource | Management Tools | Automation

Add required details and choose Create

When the Automation account is ready, you can start creating runbooks that will do the “heavy lifting”.

There are a couple of different runbook types to choose from depending on the use case; details here: https://docs.microsoft.com/en-us/azure/automation/automation-runbook-types

For this solution we will use PowerShell runbooks.

You also need to create an Automation Credential for the PowerShell scripts to use. The account behind it is a service account, and it needs delegated permissions to create users in AD, enable mailboxes, start Azure AD Connect synchronisation and assign licenses in Office 365. Depending on the use case this account might need more or fewer delegated permissions; scope it to exactly what the runbook does rather than making it a domain or global admin, because once the webhook exists anyone holding its URL can start the runbook with a body of their choosing. Note also that on a Hybrid Runbook Worker a runbook runs as Local System unless you set the hybrid worker group’s Run As setting to a custom credential: the local AD, Exchange and ADSync cmdlets in the sample runbook rely on that identity, while the SharePoint and MSOL cmdlets explicitly pass the Automation credential.
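The following is an added example, not part of the original post, of what a least-privilege delegation for that service account could look like. It grants only the rights the sample runbook later in this post actually uses. The account, OU, group and domain names are placeholders, and the choice of Exchange role (“Mail Recipient Creation” for Enable-RemoteMailbox), the ADSyncOperators local group on the Azure AD Connect server (for Start-ADSyncSyncCycle) and the MSOnline role are my assumptions about which built-in roles cover those cmdlets; verify them against your own environment:

```powershell
# Added example: least-privilege delegation for the onboarding service account.
# All names below are placeholders. Run from an elevated session on a domain-joined
# host that has RSAT and the Exchange management tools installed.
$Svc        = 'DOMAIN\svc-onboard'                                  # assumed service account
$SvcUpn     = 'svc-onboard@domain.com'
$EmployeeOU = 'OU=Employees,OU=Company,DC=domain,DC=com'            # from the sample runbook
$TermOU     = 'OU=Terminated,OU=Company,DC=domain,DC=com'           # from the sample runbook
$GroupDN    = 'CN=All Users,OU=Groups,OU=Company,DC=domain,DC=com'  # assumed DN of "All Users"

# New-ADUser needs Create Child (CC) for user objects in the Employees OU;
# Move-ADObject out of it later needs Delete Child (DC). /I:T = this OU and below.
dsacls $EmployeeOU /I:T /G "${Svc}:CCDC;user"

# Setting attributes, the initial password and enable/disable on the accounts it creates:
# Generic All on user objects only (/I:S = inherited by child objects), not on the OU itself.
dsacls $EmployeeOU /I:S /G "${Svc}:GA;;user"

# The Terminated OU receives moved accounts, so it needs the same pair there.
dsacls $TermOU /I:T /G "${Svc}:CCDC;user"
dsacls $TermOU /I:S /G "${Svc}:GA;;user"

# Add-ADGroupMember only needs Write Property (WP) on the member attribute of that one group.
dsacls $GroupDN /G "${Svc}:WP;member"

# Enable-RemoteMailbox: assume the built-in "Mail Recipient Creation" role, scoped to the OU.
# (Run in the Exchange Management Shell.)
New-ManagementRoleAssignment -Role 'Mail Recipient Creation' -User 'svc-onboard' `
    -RecipientOrganizationalUnitScope 'domain.com/Company/Employees'

# Start-ADSyncSyncCycle: assume membership in the ADSyncOperators local group on the
# Azure AD Connect server is sufficient (run there, not on a domain controller).
Add-LocalGroupMember -Group 'ADSyncOperators' -Member $Svc

# Set-MsolUser / Set-MsolUserLicense: assume the User Account Administrator directory role.
Connect-MsolService
Add-MsolRoleMember -RoleName 'User Account Administrator' -RoleMemberEmailAddress $SvcUpn
```

Nothing here touches SharePoint: the PnP cmdlets in the runbook run with the Automation credential, which only needs Edit rights on the “Employee Information” list. After delegating, test each cmdlet from the runbook interactively as the service account before wiring it into Azure Automation, so that a missing right fails in front of you rather than in a job log.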

Deploy the Hybrid runbook worker

The “Hybrid Runbook Worker” is the on-premises server that does the “heavy lifting”.

The minimum requirements for a Windows Hybrid Runbook Worker:

  • Windows Server 2012 or later
  • Windows PowerShell 5.1 or later (download WMF 5.1)
  • .NET Framework 4.6.2 or later
  • Two cores
  • 4 GB of RAM
  • Port 443 (outbound)

To deploy the Hybrid worker, follow the guide from Microsoft here: https://docs.microsoft.com/en-us/azure/automation/automation-windows-hrw-install

.\New-OnPremiseHybridWorker.ps1 -AutomationAccountName <NameofAutomationAccount> -AAResourceGroupName <NameofResourceGroup> `
    -OMSResourceGroupName <NameofOMSResourceGroup> -HybridGroupName <NameofHRWGroup> `
    -SubscriptionId <AzureSubscriptionId> -WorkspaceName <NameOfLogAnalyticsWorkspace>

Since we will be doing operational tasks against Office 365 and SharePoint Online, you also need the following PowerShell modules and tools installed on the server. The sample runbook below additionally uses the ActiveDirectory module (RSAT), the Exchange management tools (for Enable-RemoteMailbox) and the ADSync module (for Start-ADSyncSyncCycle); the ADSync module only exists on the Azure AD Connect server, so either the worker is that server or you need a remoting step for the sync call.

For connectivity to Office 365 follow this guide: https://docs.microsoft.com/en-us/office365/enterprise/powershell/connect-to-office-365-powershell

Install the SharePoint Online PowerShell module: https://docs.microsoft.com/en-us/powershell/sharepoint/sharepoint-online/connect-sharepoint-online?view=sharepoint-ps

Last but not least, the SharePoint PnP module: https://docs.microsoft.com/en-us/powershell/sharepoint/sharepoint-pnp/sharepoint-pnp-cmdlets?view=sharepoint-ps

When the Hybrid Worker is ready, you will find it listed in your Azure Automation Account.

Creating your PowerShell Runbook

To create a new runbook, navigate to your Automation Account and create a new runbook of type PowerShell.

Add your code, then save and publish when ready.

#### Sample code for creation of local AD user and assign Office 365 licenses
## Replace the tenant, domain, OU, group and license values below with your own

param (
    [object]$WebhookData
)

$VerbosePreference = 'Continue'
$ErrorActionPreference = 'Stop'

# Modules the Hybrid Runbook Worker must have locally: ActiveDirectory (RSAT),
# ADSync (Azure AD Connect), MSOnline, PnP PowerShell and the Exchange management tools.
Import-Module ActiveDirectory
Import-Module ADSync
Import-Module MSOnline
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn   # replaces the "asnp *exchange*" alias
Add-Type -AssemblyName System.Web                              # for GeneratePassword below

#region Verify that the runbook was started from a webhook.
# When started from a webhook, WebhookData is populated; otherwise it is $null.
if ($WebhookData) {
    $WebhookName    = $WebhookData.WebhookName
    $WebhookHeaders = $WebhookData.RequestHeader
    $WebhookBody    = $WebhookData.RequestBody

    # The From header is set by the calling Flow; the body is the JSON it sends.
    $From = $WebhookHeaders.From
    # $Payload is used instead of $Input: $Input is a PowerShell automatic variable
    # and should not be assigned to.
    $Payload = ConvertFrom-Json -InputObject $WebhookBody
    Write-Verbose ('WebhookBody: {0}' -f $WebhookBody)
    Write-Output ('Runbook started from webhook {0} by {1}.' -f $WebhookName, $From)
}
else {
    Write-Error -Message 'Runbook was not started from Webhook' -ErrorAction Stop
}
#endregion

$employment = $Payload.EmploymentStatus
Write-Output $employment

# Values shared by both branches
$SiteUrl    = 'https://tenant.sharepoint.com/sites/site'
$ListName   = 'Employee Information'
$Credential = Get-AutomationPSCredential -Name 'AzureAdmin'   # Automation credential asset

# Check employment status
if ($employment -eq 'New') {
    # Mark the SharePoint list item as in progress
    $SPListItemID = $Payload.ListItemID
    $spoconn = Connect-PnPOnline -Url $SiteUrl -Credentials $Credential -ReturnConnection -Verbose
    $null = Set-PnPListItem -List $ListName -Identity $SPListItemID -Values @{ 'Status' = 'In Progress' } -Connection $spoconn

    # Local AD OU for new employees
    $Path = 'OU=Employees,OU=Company,DC=domain,DC=com'

    # Random initial password. The original built it as "TempPass<ListItemID>", which anyone
    # who can read the list can guess, and wrote it to the job output with Write-Output.
    # Never log it; deliver it to the new hire out of band.
    $TempPass = [System.Web.Security.Membership]::GeneratePassword(16, 3)

    # NOTE: the sample keys the account on FirstName; a production naming scheme must
    # guarantee uniqueness (two employees with the same first name will collide here).
    $ADsplat = @{
        SamAccountName        = $Payload.FirstName
        UserPrincipalName     = "$($Payload.FirstName)@domain.com"
        DisplayName           = "$($Payload.FirstName) $($Payload.LastName)"
        Name                  = "$($Payload.FirstName) $($Payload.LastName)"
        GivenName             = $Payload.FirstName
        Surname               = $Payload.LastName
        ChangePasswordAtLogon = $true
        Description           = 'Created by Azure Automation'
        MobilePhone           = $Payload.Mobilephone
        AccountPassword       = (ConvertTo-SecureString $TempPass -AsPlainText -Force)
        Department            = $Payload.Department
        Enabled               = $true
        Path                  = $Path
    }
    $SamAccountName = $ADsplat.SamAccountName
    $upn            = $ADsplat.UserPrincipalName

    # Create the account in local AD
    New-ADUser @ADsplat

    # Write the UPN back to the list item Title using PnP
    $null = Set-PnPListItem -List $ListName -Identity $SPListItemID -Values @{ 'Title' = $upn } -Connection $spoconn

    # Enable a remote (Office 365) mailbox for the hybrid user
    Enable-RemoteMailbox $SamAccountName -RemoteRoutingAddress $upn

    # Group membership in local AD
    Add-ADGroupMember -Identity 'All Users' -Members $SamAccountName

    Start-Sleep -Seconds 90

    # Start an Azure AD Connect delta sync
    Start-ADSyncSyncCycle -PolicyType Delta

    # Assign licenses once the user has synced to Azure AD
    Write-Output 'Wait Azure AD Sync'
    Start-Sleep -Seconds 100

    Connect-MsolService -Credential $Credential
    Set-MsolUser -UserPrincipalName $upn -UsageLocation NO
    Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses 'subscription:LisensePack'

    # Disable the Sway service plan in the assigned license
    $LO = New-MsolLicenseOptions -AccountSkuId 'subscription:LisensePack' -DisabledPlans 'SWAY'
    Set-MsolUserLicense -UserPrincipalName $upn -LicenseOptions $LO

    $Endcode = 'Completed'

    # Update the list item using PnP
    $null = Set-PnPListItem -List $ListName -Identity $SPListItemID -Values @{ 'Status' = $Endcode; 'EmploymentStatus' = 'Current' } -Connection $spoconn

    Write-Output 'Done...'
}
elseif ($employment -eq 'Terminated') {
    # Disable and move the account; the sample looks it up by the same FirstName key it was created with
    $user = Get-ADUser -Identity $Payload.FirstName
    Disable-ADAccount -Identity $user
    Move-ADObject -Identity $user.ObjectGUID -TargetPath 'OU=Terminated,OU=Company,DC=domain,DC=com'
    Write-Output 'User Account Disabled'
}
else {
    Write-Output 'Nothing to do..moving on...'
}

###### END Sample code

After you have saved and published your runbook you need to create a webhook endpoint.

In Azure choose your runbook, in the left menu choose “Webhooks” | “Add Webhook”. Give your webhook a name and copy the URL into a safe place (for example a Key Vault secret or the secure input of the Flow action that will call it): the URL contains the authentication token, it is shown only once when you create it, and anyone who obtains it can start the runbook with whatever body they like. Webhooks have an expiry date, and you can delete one from the same blade to revoke a leaked URL.

On the parameter blade leave the WebhookData field blank, but set “Run Settings” to “Hybrid Worker” and pick the correct worker group.

Create your second Flow to send data to the Webhook

Now go back to our SharePoint “Employee Information” list and create a second flow; this flow invokes the webhook and the magic happens.

The important things to remember here are the webhook URI (typically used as the URI of an HTTP action with method POST) and the JSON content of the body, which is what the Azure Automation runbook parses. The sample runbook above reads ListItemID, FirstName, LastName, Department, Mobilephone and EmploymentStatus from the body, so map the list item’s columns to exactly those property names.

Test your runbook by creating a new response and verifying that the new account is created in local AD and then synced to Office 365.
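As an added example that is not part of the original post, the snippet below sends the same kind of request the second Flow sends, so you can exercise the runbook from a PowerShell session without waiting for a form response. The body carries exactly the property names the sample runbook reads. The environment variable name, the From header value and the payload values are constructed for the example; the JobIds response shape is what Azure Automation returns when it queues a runbook job from a webhook:

```powershell
# Added example: post a test payload to the runbook webhook, mirroring the Flow's HTTP action.
# The webhook URL contains the auth token, so read it from an environment variable
# (ONBOARDING_WEBHOOK_URL is an assumed name) rather than pasting it into the script.
$WebhookUri = $env:ONBOARDING_WEBHOOK_URL
if (-not $WebhookUri) {
    throw 'Set ONBOARDING_WEBHOOK_URL to the URL copied when the webhook was created.'
}

# Property names must match what the runbook reads from the request body.
# Values are constructed test data; ListItemID must be an existing item in "Employee Information".
$payload = [ordered]@{
    ListItemID       = 42
    FirstName        = 'Test'
    LastName         = 'User'
    Department       = 'IT'
    Mobilephone      = '+4712345678'
    EmploymentStatus = 'New'      # the runbook acts on 'New' and 'Terminated'; anything else is a no-op
}

$response = Invoke-RestMethod -Method Post -Uri $WebhookUri `
    -Headers @{ From = 'manual-test' } `      # surfaces as "by manual-test" in the job output
    -ContentType 'application/json' `
    -Body ($payload | ConvertTo-Json)

# Azure Automation answers 202 Accepted with the id(s) of the job it queued.
$response.JobIds
```

Take the returned job id to the runbook’s Jobs blade in the Automation Account to follow the Write-Output lines; a job that shows “Runbook was not started from Webhook” means the request never carried a body the runbook could parse. Because the request above is all it takes to create an account, it is also a reminder of why the webhook URL must be handled as a credential.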

Have Fun with Azure Automation and Office 365, 🙂
