Solved: Re: Create on-premises Active Directory user with ...

ToniRantanen · ‎07-11-2018

Hi!

What would you suggest as a best workaround to create new user in on-premises Active Directory with Microsoft Flow? I understand that there is no direct connector in Flow to connect to on-premises AD but would for example On-Premises gateway or something like that be a solution for this?

Our target is to automate new employee process as much as possible.

Best regards,

Toni Rantanen

v-yamao-msft · ‎07-12-2018

Hi @ToniRantanen,

Currently, Microsoft flow doesn’t support On-Premise Active Directly, only On-Premise SharePoint and On-Premise SQL Server are supported.

If you need this feature, please submit an idea on the Flow Ideas Forum:

https://powerusers.microsoft.com/t5/Flow-Ideas/idb-p/FlowIdeas

Best regards,

Mabel Mao

Community Support Team _ Mabel Mao
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

kuingul · ‎07-12-2018

If you need automation for AD user provisioning, I believe you should be looking at 3rd party solutions that specialize in AD automation. Here's a good example of a solution for that: https://www.adaxes.com/active-directory_provisioning.htm

v-yamao-msft · ‎07-12-2018

Hi @ToniRantanen,

Currently, Microsoft flow doesn’t support On-Premise Active Directly, only On-Premise SharePoint and On-Premise SQL Server are supported.

If you need this feature, please submit an idea on the Flow Ideas Forum:

https://powerusers.microsoft.com/t5/Flow-Ideas/idb-p/FlowIdeas

Best regards,

Mabel Mao

Community Support Team _ Mabel Mao
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

ToniRantanen · ‎07-12-2018

Thanks @v-yamao-msft, I submitted the idea (https://powerusers.microsoft.com/t5/Flow-Ideas/Support-for-on-premise-Active-Directory/idi-p/135567 - please vote ).

ToniRantanen · ‎07-12-2018

Hi @kuingul,

Is it possible to trigger Adaxes Active Directory Provisioning with Microsoft Flow? I'm looking for a solution where for example HR would fill new employee's details to Microsoft Forms and then Microsoft Flow would take care rest of the routine tasks related to new employee start.

Best regards,

Toni Rantanen

CrankyNetGuy · ‎08-17-2018

I have created a way to trigger the creation of an AD User with the help of a gateway.

I have a list in Sharepoint when HR submits a new user. It takes those values and compiles it into a csv with the necessary fields required in powershell.

Once the csv is created I send it to my on-prem server with the gateway to a specific folder. I have a repeating task in task scheduler set to run a .bat which calls a powershell script to monitor the folder indefinitely. That powershell script will monitor that folder for any file ending in ".csv" being created. When it triggers it sets off my CreateUser.ps1 which will import the newly created csv and create the user based on that. Once the script is ran, due to the way I'm importing the csv, it will delete that csv from the folder (I had the flow create the csv in a sharepoint docs folder as backup as well).

I hope I explained that well.

Anonymous · ‎08-17-2018

Would you mind sending me the script that you used to do that? I've been thinking through this problem today - and I think this might be the best solution tbh. Great idea!

Were you able to take unique passwords for the users or were they all the same password for each user created?

CrankyNetGuy · ‎08-17-2018

I was able to create a unique password for each user. When creating the csv I used a randomly generated GUID and grabbed the first x number of characters and set that for the password field.

The script to monitor is fairly simple:

$folder =  # Enter the root path you want to monitor. 
$filter = '*.csv'  # You can enter a wildcard filter here. 

$fsw = New-Object IO.FileSystemWatcher $folder, $filter -Property @{IncludeSubdirectories = $false;NotifyFilter = [IO.NotifyFilters]'FileName, LastWrite'}

Register-ObjectEvent $fsw Created -SourceIdentifier FileCreated -Action { 

Invoke-Item 'Folderpath.bat'
}

Since I am not logged onto a server 100% of the time I set a task schedule to call a .bat which will open up this script with a persistent window (as it requires an active PS window). That is done with a .bat (ran every 5 minutes through Event Scheduler to ensure it stays up)

Powershell.exe -noexit "& "Path.ps1

The "Folderpath.bat" mentioned in the first block of code with "Invoke-Item" is what invokes this

Powershell.exe -executionpolicy remotesigned -File Path-To-Create-User.ps1

That .ps1 is my create AD user script. You can find plenty of guides on how to customize that to your needs. The important parts (for this method anyway) is that you need it to run right as the .csv is entered and then delete the .csv as it pulls every csv in the folder. I'm sure you could do a foreach but I'm too lazy for that and this works perfectly fine as I have a backup of the csv in a SharePoint drive.

Just start the create-user.ps1 like this:

Import-Module ActiveDirectory

$CSVPath = Get-ChildItem C:\Path-To-Folder-With-CSV -Filter *.csv | select -ExpandProperty FullName
$User = Import-Csv -Delimiter "," -Path $CSVPath

And do a

Remove-Item -Path $CSVPath

To delete the csv that was just created.

I hope that is clear enough to follow, I'd be happy to clarify or help further if I can.

Anonymous · ‎08-20-2018

Thank you so much!! This is great.

Do you know how you ensure that a csv isn't deleted in the case of 2 simultaneous users created in the SharePoint form?

How do you make sure it only deletes the csv for the user you just created?

CrankyNetGuy · ‎08-20-2018

At least in my situation only one user can be submitted at a time so the CSV will only be created for a single user. Since the script runs right when the csv is put into the folder you'd have to have 2 users submitted something at exactly the same second which is highly unlikely. If you can control the situation I would highly recommend only one user per form.

For deleting the csv you just created that will be with the $CSVPath variable as that is what it imports from.

pobblebonk · ‎07-29-2019

Hi,

You should be able to use powershell CSOM scripting using a package like PnP-PowerShell to wathc the sharepoint list and update the list item status once processed and also provide direct feedback if there were any issues.

Hope this helps.

Mat

jeckard · ‎12-17-2019

I know this is late but we do this by having Flow kick off a run book from a Sharepoint List and Sharepoint feeds the run book several Parameters for the AD account.

ysugrad2013 · ‎12-17-2019

@jeckard how did you do it.

jkeckard007 · ‎12-17-2019

Our Flow does a lot including auto generating an employee ID. I will share the part that I think will be helpful.

For the Run book script I will have to get that for you from the AD guys they created that part. We run the Flow on a every four hour time frame to get all items created since the last run and the account column is No

There is loop that runs for each item and then updates each item to account Yes so they won't create another item the next time it runs. It also update the Request with the output of the Runbook which in our case is the email address. We have the flow sending an email to our HR department with the new EEID and email address to put in the New Hire Information. The Run Book is a premium connector so the account that runs the flow has a Power Automation plan. Currently there is no way to do it with out that connector that I know of.

Anonymous · ‎04-24-2020

This is absolutely possible, but you do need to do a little bit of programming - in Powershell is fine.

Create a custom gateway on your target on-premise server. On this server, run a web-server (local to the server is fine - no external access) and this web server will host your AD actions. That's the programming part. I used POSH webserver. Just make sure that instead of returning txt/html you return application/JSON and set the correct response content-type. Return whatever you want (e.g. Get-ADUser x y z | ConvertTo-Json). Build the custom gateway interface in the configuration tool (using Swagger or via the UI).

Then set up your flow to call this custom gateway and set the correct JSON return types. Flow seems finicky about return types. [ my custom gateways all just return 'string' and I put the correct definition in the flow ParseJSON or flow Response action.]

Anyways, then flow is happy and can make calls through the gateway to my on-premise server which is itself making calls to AD.

Finally build a Canvas PowerApp and call the flows to get a user list or to set attributes in AD. The turn-around time on calls is maybe 1 to 2 seconds - not super snappy - but it works!

I can document further if there is interest.

Anonymous · ‎06-02-2020

Hello,

I am new to PowerShell and connecting it with Power automation. I want help in below scenario:

I have a SharePoint List (List name - emp_info) which have following fields -

name	manager	department	designation

when employee want any update in their profile, they fill a form and their entries will store in emp_info list.

A new entry in emp_info list will be the starting point for MS Flow. Flow will get started and run PowerShell script which contain the code to update properties (manager, department, designation) of that particular user (name) in on - premises Active Directory.

Please help me with this and writing PowerShell script. Also share your document and explain what other application is required for this automation.

Let me know if any other explanation is needed. Thank you.

ashiqf · ‎06-16-2020

On-premise resources can be accessed via cloud services. This also includes active directory, the following post might help to create AD account in Onpremise

https://ashiqf.com/2020/05/27/automate-the-provision-of-on-premise-ad-account-part-2/