Guero
Level: Powered On

Automating SharePoint Online access for External Users

Hi, I'm quite new to SharePoint/Azure/PowerShell, so apologies if what I'm asking is a stupid question!

 

We currently have client SharePoint sites hosted on our O365 tenant, with access to each site to be rolled out to each of our respective clients shortly. Initially, only the senior management of each client will have access to the sites; however, as time goes on it's likely we'll be adding everyone else too. To streamline the new user process and save us from having to add each individual staff member, we've been considering using a Flow to automate user access instead, with the goal of adding authenticated external users without much real input from administrators other than a simple approval/rejection process.

 

This is the Flow as it currently is:

Flow 1.png

 

Flow 2.png

 

Flow 3.png

The overall plan is as follows:

Visio Outline.png

 

  1. Each Client site has a SharePoint Custom List, titled "Employee Access List". Said list will have the following columns: Request ID (Text), First Name (Text), Last Name (Text), Job Title (Text), Company (Text), Contact Number (Text), E-Mail (Text), SharePoint Access (Yes/No Boolean).
  2. If a member of staff requires access to the SharePoint site, then their respective manager will add the staff member to the list and fill in all the above fields, setting the "SharePoint Access" item value to "Yes".
  3. This will trigger the flow and an approval email to be sent to myself and another administrator, with said email detailing the user to be created, and who has submitted the request.
  4. Script insertion somehow - This script would run if the request was approved, and set the user up with access.
  5. Email notification is automatically then sent to the creator of SharePoint list item, notifying them that the user now has access.

Step 4 is where I'm a little stuck in regards to what to do if the request is approved - I've written a little PowerShell script below which nearly achieves what I'm going for, in that it creates an external user PnP Group and PnP Role Definition (If there isn't one already), pulls what's in the "E-mail" fields on the "Employee Access" list and runs Add-PnPUsertoGroup to pull the users to the PnP group, which then sends the users an email with a link to the SharePoint site, allowing them to access it. However:

 

  • The script I've written targets everyone on the SharePoint List, whereas ideally I would just want the script to target the sole user that's been newly added to the list/is listed in the approval email, and only them. I'm assuming that I'd have to pipe information from the Flow into a script, which I'm not even sure is possible, and if it is, I haven't got a clue how to do it.
  • I know that Azure Functions and Azure Automation can be used to insert scripts into Flows, but I don't have experience of either so I'm not sure which is the more suitable option.

 

Is there any guidance on how to insert PowerShell scripts with Functions/Automation, and how to pipe what's in a Flow into said scripts?

 

PowerShell Script as follows:

 

Script.png

 

Hope this all makes sense - Any guidance would be appreciated.

Thank you!

1 ACCEPTED SOLUTION

efisher
Level: Powered On

Re: Automating SharePoint Online access for External Users

Hey there, 

You don't need Azure Functions or PowerShell scripts running from Flow; your case scenario can be achieved with MS Graph Invitation API, App Permissions and HTTP SharePoint call.

 

attached is screen of Approved and User is not in Azure AD leg of the flow that's been running as expected since November

step 1: set up App with permissions to make calls to MS Graph - you can find directions here http://blogopaxio.azurewebsites.net/accessing-graph-api-from-microsoft-flow-using-application-permis...

step 2: add HTTP to MS Graph and set parameters as below (green step) - this action will create guest user and invitation url they would need to sign in to the site. 

step 3: parse JSON of the HTTP call to get invitedUserURL; you will need it to send email to end user

step 4: Pause for a couple of min to make sure info from step 2 "sticks"
step 5: add user to SharePoint security group

step 6: send email to the invited user

 

 

Image of the flow
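
Steps 2 and 3 of the answer above, sketched in PowerShell as an added example that is not part of efisher's post: it builds the `POST /invitations` request for the one approved list item and reads the sign-in link from the response, where Graph names it `inviteRedeemUrl`. The function names, the per-client allowed-domain check (an extra guard not in the thread) and all sample values are assumptions constructed for illustration.

```powershell
# Added example (not from the thread). Function names, the allowed-domain list
# and all sample values are assumptions/constructed for illustration.
function New-GuestInvitationRequest {
    param(
        [Parameter(Mandatory)] [string]   $Email,
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string]   $SiteUrl,
        [Parameter(Mandatory)] [string[]] $AllowedDomains
    )
    # Parse strictly: reject "Name <a@b>" forms and anything malformed.
    try   { $addr = [System.Net.Mail.MailAddress]::new($Email) }
    catch { throw "Not a valid e-mail address: $Email" }
    if ($addr.Address -ne $Email) { throw "Unexpected address format: $Email" }
    # Invite only addresses in the client's own domain(s) (case-insensitive).
    if ($AllowedDomains -notcontains $addr.Host) {
        throw "Domain '$($addr.Host)' is not approved for this client site"
    }
    $body = [ordered]@{
        invitedUserEmailAddress = $addr.Address
        invitedUserDisplayName  = $DisplayName
        inviteRedirectUrl       = $SiteUrl
        sendInvitationMessage   = $false   # the flow sends its own e-mail (step 6)
    } | ConvertTo-Json
    [pscustomobject]@{ Method = 'POST'; Uri = 'https://graph.microsoft.com/v1.0/invitations'; Body = $body }
}

function Get-InvitationResult {
    param([Parameter(Mandatory)] [string] $ResponseJson)
    $r = $ResponseJson | ConvertFrom-Json
    # Fail loudly rather than e-mailing the user an empty link.
    if (-not $r.inviteRedeemUrl -or -not $r.invitedUser.id) {
        throw 'Invitation response lacks inviteRedeemUrl or invitedUser.id'
    }
    [pscustomobject]@{ UserId = $r.invitedUser.id; RedeemUrl = $r.inviteRedeemUrl; Status = $r.status }
}

# Constructed list item, as the approved request would arrive from the flow.
$item = @{ Email = 'jane.doe@client.example'; First = 'Jane'; Last = 'Doe' }
$req  = New-GuestInvitationRequest -Email $item.Email -DisplayName "$($item.First) $($item.Last)" `
            -SiteUrl 'https://contoso.sharepoint.com/sites/client-a' -AllowedDomains 'client.example'
$req.Body

# Constructed response in the shape Graph returns for POST /invitations.
$sample = '{"status":"PendingAcceptance","inviteRedeemUrl":"https://login.example/redeem?placeholder","invitedUser":{"id":"00000000-0000-0000-0000-000000000001"}}'
Get-InvitationResult -ResponseJson $sample
```

Outside the flow, the request object can be sent with `Invoke-RestMethod` using a bearer token issued to the app registration from step 1.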

 


3 REPLIES 3
Super User

Re: Automating SharePoint Online access for External Users

You can accomplish this with PowerShell and Azure Functions as you spoke about, or you can utilize SharePoint's REST API instead. @Byrdwatcher1966 wrote about this in a blog post, Setting SharePoint item list permissions with Flow.

Pretty much everything you can do with the API, you can do with PowerShell and vice versa. As an example, here's a Manage SharePoint Item Level Permissions using PowerShell blog post that shows how to accomplish the above with PowerShell. Here's some SharePoint related documentation that may be helpful: 

Which way you go is kind of up to you. If you use SharePoint all the time, getting to know its API is really important, but if you see the jobs expanding over time, it may be better off to go with scripts and Azure Functions. It all depends on your workload. 

Both ways are fully supported, and both ways accomplish pretty much the same thing - so the decision rests solely in you and your team's hands. Here's more documentation that may help you decide which way to go:

If this reply has answered your question or solved your issue, please mark this question as answered. Answered questions help users in the future who may have the same issue or question quickly find a resolution via search. If you liked my response, please consider giving it a thumbs up. THANKS!


Guero
Level: Powered On

Re: Automating SharePoint Online access for External Users

Hi,

 

Thank you for your suggestion, I tested it yesterday and using a graph worked perfectly!

 

Much appreciated!
