
How to provision team with Flow?

Teams are rapidly replacing traditional SharePoint workspaces. If and when this happens, we need a tool for end-users to order different teams for different purposes. 

Fortunately, Microsoft Graph has plenty of useful APIs for managing Teams. In this blog post we build a simple Teams provisioning solution using:

  • PowerApps
  • SharePoint
  • Flow
  • Microsoft Graph

In our solution:

  • The user can order either a project team or a "regular" team (= we have two Teams templates)
  • The user will also be the owner of the new team
  • The user may nominate other team owners and members when placing the request
  • If the user requests a private team, she/he must justify why this team has to be private (our example organization wants all communication to be transparent)
  • Private teams will be manually approved/rejected before they are created. Public teams are automatically created

And all of this without writing a single line of code!

 

Step 1 - Creating templates

We create two new teams (Template_Team and Template_Project) which will act as templates. Let's make the following changes to them.

  • Add typical channels
  • Delete Wiki site link for each channel (I just don't like them)

 


 

When we clone an existing team, we can pick (in the REST API call) which parts of the source team will be copied to the new team. The choices are:

  • members
  • tabs 
  • apps 
  • settings
  • channels 

Template owners are always copied to a new team. Don't be worried, they can be automatically removed during the process.

 

Step 2 - SharePoint list for the requests

We need a place to store all team requests. A SharePoint list is an excellent choice for that. Let's create one with the following columns.

  • Title (name of the team)
  • Template id 
  • Template name
  • Description
  • isPrivate 
  • Comments for privacy (why this team should be private)
  • Owners 
  • Members 
  • Status 

 


 

We also need another list holding information about the team templates in use (name and id).

 


 

Wait a minute, where can I find those team ids?

 

You can always use Microsoft's excellent Graph Explorer. Sign in with your account and execute the joined teams query. In the response, you find all the teams you have joined (including the two templates we just created).

There you can also find the team id we are looking for.

 


 

Step 3 - Order form (PowerApps)

How do end users start the provisioning process? With PowerApps of course!

Just create an empty PowerApp and add a form to it. Attach the form to the SharePoint list we just created. After quick restructuring, our PowerApp looks like this.

 


 

I skip the details (this is not a PowerApps community), but after a few minutes of cleaning up and building some logic into the form fields, the PowerApp looks like this.

 


 

If you are not familiar with PowerApps, don't stop here. You can skip the PowerApps part and start by manually entering requests on the SharePoint list.

Let's make a few requests with PowerApps.

 


 

Seems to be working. Now we can start the hard part of this exercise.

 

Step 4 - Register Azure AD Application 

We will use the Microsoft Graph API in our Flow for creating and updating teams. For that, we have to authenticate our REST API calls somehow. This can easily be done by using an Azure AD application.

First, we need to create a new application in Azure AD (Azure Active Directory -> App registrations -> New application registration).

 


 

After that we have to request permissions for the application (Settings -> Required permissions -> Add -> Microsoft Graph).

Just pick the right ones from the list:

  • Group.ReadWrite.All
  • Directory.ReadWrite.All
  • User.ReadWrite.All

Names are of course different from those used in the Microsoft documentation (above). No worries, they still can be found there.

 


 

Finally, an administrator must approve the requested rights. Usually you can't do this yourself and have to ask an administrator to grant the permissions.

This time I can perform self-acceptance.

 


 

Then we create a secret. The key of the secret and the application id are the pair we use for authenticating.

 


 

We also need the tenant id. It can be found, for example, in the Azure AD properties (directory id).

 


 

Azure AD part is ready. We can move on to build the actual workflow.
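The registration steps above can be checked from outside Flow. The following is an added example, not part of the original post: it requests an app-only token with the tenant id, application id and secret, then compares the token's roles claim with the three permissions listed above. It assumes the Graph access token is a JWT whose application permissions appear in roles; the environment variable names and make_sample_token are hypothetical.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Application permissions this page requests for the app registration.
PAGE_PERMISSIONS = {"Group.ReadWrite.All", "Directory.ReadWrite.All", "User.ReadWrite.All"}

def get_app_token(tenant_id, client_id, secret):
    """Client-credentials grant against the Azure AD v2.0 token endpoint."""
    url = "https://login.microsoftonline.com/%s/oauth2/v2.0/token" % tenant_id
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=form), timeout=30) as resp:
        return json.load(resp)["access_token"]

def token_roles(access_token):
    """Read the 'roles' claim (granted application permissions).
    Decodes only, no signature check: for diagnostics, never for authorization."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))

def permission_report(access_token, expected=PAGE_PERMISSIONS):
    """Permissions not yet consented ('missing') and grants beyond the list ('unexpected')."""
    roles = token_roles(access_token)
    return {"missing": sorted(expected - roles), "unexpected": sorted(roles - expected)}

def make_sample_token(roles):
    """Constructed, unsigned token so the check can run offline (hypothetical helper)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": roles}), ""])

if __name__ == "__main__":
    # The secret comes from the environment (assumed variable names), not from the source file.
    if os.environ.get("GRAPH_CLIENT_SECRET"):
        tok = get_app_token(os.environ["GRAPH_TENANT_ID"], os.environ["GRAPH_CLIENT_ID"],
                            os.environ["GRAPH_CLIENT_SECRET"])
    else:
        tok = make_sample_token(["Group.ReadWrite.All"])
    print(permission_report(tok))
```

A non-empty "missing" list after registration means admin consent has not been granted for those permissions; a non-empty "unexpected" list shows the application holds more than this solution asks for.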

 

Step 5 - Use Flow to create a team

The new team is created by a Flow that starts every time a new item is created on our request list.

At the beginning of the workflow, we initialize variables for the values needed to call the Microsoft Graph API:

  • Tenant Id
  • Client Id
  • Secret

And one extra variable to store the privacy setting of the team. The default value for it is "Public". 

 


 

Approval of the request (private team)

If the user has requested a private team, we start an approval process. 

  • Update the request status to "waiting for approval"
  • Start the approval workflow
  • If the request is rejected
    • Send an email about rejection to the requester 
    • Update the request status to "fail"
    • Stop workflow (with Terminate operation)
  • Update the team visibility to private

 


 

The process above is skipped entirely if the requested team will be public.

 

Creating a team

Next, we create the requested team. In fact, we create a copy of the matching team template.

This is done with a very simple HTTP call. The body contains all the needed information.

 


 

However, the team will not be created immediately. This takes a little more effort because we are not finished yet: the aim is to add more owners and members to the team.

After the REST API call, we add a Parse JSON function. It makes it easier to handle all the information the REST API call returns.

Among the returned fields we find location. It is the URL from which we can ask whether the team is ready and what GUID it has.

Next we just wait for 5 minutes before we continue. Actually, we should build a loop for polling the team creation status. Maybe next time.

 


 

Now the team has been created. Next, we get (with Microsoft Graph and Parse JSON) the GUID of the created team.
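The polling loop mentioned above, as an added example that is not part of the original Flow: it asks the location URL for the operation status until it ends and returns the team GUID from targetResourceId. It assumes the Graph async operation reports status values notStarted, inProgress, succeeded and failed, and that location is a relative path; fake_fetch_factory is a hypothetical stand-in for offline runs.

```python
import json
import time
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

def graph_get(path, token):
    """GET a relative Graph path, e.g. the clone call's Location header value."""
    req = urllib.request.Request(GRAPH + path,
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def wait_for_team(location, token, fetch=graph_get, interval=10,
                  timeout=600, sleep=time.sleep):
    """Poll the clone operation until it finishes; return the new team's GUID."""
    # Assumption: Location is a relative path such as /teams('..')/operations('..').
    # Rejecting anything else keeps the bearer token on the Graph host.
    if not location.startswith("/teams"):
        raise ValueError("unexpected Location value: %r" % location)
    waited = 0
    while True:
        op = fetch(location, token)
        status = op.get("status")
        if status == "succeeded":
            return op["targetResourceId"]
        if status == "failed":
            raise RuntimeError("clone failed: %s" % op.get("error"))
        if waited >= timeout:
            raise TimeoutError("clone still %r after %d s" % (status, waited))
        sleep(interval)
        waited += interval

def fake_fetch_factory(responses):
    """Constructed stand-in for graph_get so the loop can run offline."""
    it = iter(responses)
    return lambda path, token: next(it)
```

Unlike a fixed 5 minute delay, the loop continues as soon as the operation succeeds and stops with an error when the clone fails or never completes.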

 


 

Adding owners

At last, we can finalize the team we have created.

We add the requester as an owner of the team. For that, we need the id of the requester's user account. This is done with the Microsoft Graph API (of course). After that, we can add the user to the owners group.

 


 

In the same way, we add the other owners (those the requester listed in the request form).

 


 

Adding members

This starts to be a little bit boring. Members (those the requester listed in the form) are added in exactly the same way as owners.

The only small difference is in the URL we use. The word "owners" is replaced with "members".

 

https://graph.microsoft.com/v1.0/groups/{teamguid}/members/$ref

 


 

Removal of the (template) original owner

The new team has the same owners as the team it was cloned from. We want to remove them.

It hardly comes as a surprise that this is done with a REST API call to Microsoft Graph.
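The owner, member and removal calls from the last three sections, put together as an added example that is not taken from the original Flow: it builds the ordered list of Graph requests so that requested owners are added before the copied template owners are removed, leaving no template account as owner and never leaving the team without one. The function names and the sample ids in the usage are hypothetical; the user ids are the account ids looked up through Graph as described above.

```python
GRAPH = "https://graph.microsoft.com/v1.0"

def ref_body(user_id):
    """Request body that references a user object by id."""
    return {"@odata.id": "%s/users/%s" % (GRAPH, user_id)}

def membership_plan(team_id, current_owners, wanted_owners, wanted_members):
    """Return ordered (method, url, body) calls for a freshly cloned team.

    current_owners: owner ids copied over from the template team.
    wanted_owners:  requester first, then the owners named in the request.
    wanted_members: members named in the request.
    """
    wanted_owners = list(dict.fromkeys(wanted_owners))  # de-duplicate, keep order
    if not wanted_owners:
        raise ValueError("refusing to plan a team with no owner")
    base = "%s/groups/%s" % (GRAPH, team_id)
    plan = []
    # 1. Add the requested owners that the clone did not already bring along.
    for uid in wanted_owners:
        if uid not in current_owners:
            plan.append(("POST", base + "/owners/$ref", ref_body(uid)))
    # 2. Add the members: same call with "owners" replaced by "members".
    for uid in dict.fromkeys(wanted_members):
        plan.append(("POST", base + "/members/$ref", ref_body(uid)))
    # 3. Only now remove template owners nobody asked for.
    for uid in current_owners:
        if uid not in wanted_owners:
            plan.append(("DELETE", "%s/owners/%s/$ref" % (base, uid), None))
    return plan

if __name__ == "__main__":
    # Constructed ids for illustration only.
    for call in membership_plan("team-guid", ["template-owner"],
                                ["requester", "co-owner"], ["member-1"]):
        print(call)
```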

 


 

Summary

Our solution can be used as a base for a provisioning solution. It can create different teams according to what the user has requested. It can also add owners and members to the created team.

The clone function is pretty handy. It makes it easier to understand what the templates actually look like. An alternative way is to build the whole team from scratch (add channels, change settings, add apps etc.) in the Flow.

Comments

how do I get the GUID for the created team from the JSON?

Could you share your flow?

@DanielF

 

Parse the response from the clone request like this:

 

Content should be set to 'Header'

 

Schema

 

{
    "type": "object",
    "properties": {
        "request-id": {
            "type": "string"
        },
        "client-request-id": {
            "type": "string"
        },
        "x-ms-ags-diagnostic": {
            "type": "string"
        },
        "Strict-Transport-Security": {
            "type": "string"
        },
        "Cache-Control": {
            "type": "string"
        },
        "Date": {
            "type": "string"
        },
        "Location": {
            "type": "string"
        },
        "Content-Length": {
            "type": "string"
        },
        "Content-Type": {
            "type": "string"
        }
    }
}

 

 

Next step is to use a GET request to acquire the GUID from the new Team using the location variable like this, where LOCATION is the variable acquired in the previous step.

 

https://graph.microsoft.com/v1.0[LOCATION]

@TimoPertila 

@pauldredge

@amepani 

@TIba 

Hello guys, would any of you be so kind as to re-share the flow?

I know it has been asked a million times but I tried all the links and they already expired.

 

Tks

HugoR

@TimoPertila 

@pauldredge

@amepani 

@TIba 

 

Is there anyone who has skills with PowerApps? 

Maybe one of you can Export the "PowerApp"

 

All the others work fine for me. (Flow / SharePoint ....)

 


Thank you very much!!

 

@hugo7sep1 

@MaierJosef 

 

I cannot share my Flow or PowerApp since it's owned by my employer. If you can be more specific where you are stuck then maybe I can help you out.

@TIba 

Tks man. Indeed, I'm kind of new to this type of process, so I'm not really sure how to build or fill out the variables used 😞, so I was hoping to actually see the flow so I can learn/see how this is done right... in a few words, I wanted to see how every step of the flow is filled out.

 

If you cannot share it, do you think you can download a copy, delete your company information and send it over?

 

or maybe @TimoPertila would be so kind as to re-share the flow :D!

 

Tks

HReyes

I'm continuously getting a 403 Forbidden error on the HTTP action in Flow. I've followed this exactly but for some reason cannot win with Graph API.

 

If I use another account directly on the Graph site I can create a Team clone. But with another account I cannot. There is a permission issue somewhere. Would you be able to assist?

Good day 

Can you provide full detail to the entire solution. I cannot complete this project and this would help myself immensely 

@ScottM1

 

Maybe this example can help you out:

https://laurakokkarinen.com/provisioning-teams-with-a-site-design-flow-and-microsoft-graph/ 

 

I am using a secret key to allow the flow to use the API. This key can be made in the Azure Portal.

 

 

 

 

Hi @TimoPertila 

Is it possible for you to share the flow link again.  Sorry I know you have shared a number of times, and the links you have shared are now expired.  It would be much appreciated if you could again as we have started to move across to Teams as an organisation and are currently working through how to provision team with flow and your link would be very helpful.  Thanks in advance. 

 

Hi @TimoPertila ,

 

Thanks for your great article.

 

But can you share the flow again pls?

 

Kind Regards!!

 

Lars 

When we call HTTP action using graph API to get the details of the created by from Azure AD, we get this error. We made sure we have Azure AD access:

 

 
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
   
 

@Priya19821

 

Hi @priya, it seems you do not have the right permission (privileges) to do such an operation. Just being able to log in is not enough.

 

Clone a team- Required permission 

Permissions

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Permission type: Permissions (from least to most privileged)
Delegated (work or school account): Group.ReadWrite.All, Directory.ReadWrite.All
Delegated (personal Microsoft account): Not supported.
Application: Group.ReadWrite.All, Directory.ReadWrite.All

 

I hope this will point you in the right direction.

Just another request to maybe share the flow again?

 

Also, I do wonder for licensing if this kind of flow should actually be made in Azure Logic Apps?   If I can get it, I intend to try it in there and pay Microsoft their small cost per run.  https://docs.microsoft.com/en-us/azure/logic-apps/export-from-microsoft-flow-logic-app-template

@TimoPertila @TIba ,

@pauldredge

@amepani 

Hello Everyone,

 

Can anyone please share this Flow one more time or please provide details on how to delete the previous owner?

I am getting the below error while deleting the previous owner who is part of a Team Template.

"code": "Request_ResourceNotFound",
 
I am running the delete owner step at the end of the Flow where it will delete based upon the below details from the newly created Team

https://graph.microsoft.com/v1.0/groups/@{body('Parse_JSON_2')?['targetResourceId']}/owners/@{body('...
 

Hi @TimoPertila ,

thank you for your work.  Can you please share the link for your flow again?

Thanks

 

Hi Timo,

 

Any chance you could share the flow please?

 

 

Many thanks

Hi!

 

Exported Flow can be downloaded from GitHub: https://github.com/tpertila/TeamProvisioningWithFlow

And please keep in mind that this was implemented 2 years ago. Some details might have changed since then, and for example Team Templates have now been released. It might be reasonable to use those instead (https://docs.microsoft.com/en-us/microsoftteams/get-started-with-teams-templates).

And yes, from licensing point of view it might be wise to build this with Logic Apps.

But anyhow I hope this article helps you when you start to build your own provisioning. 
