The following material is a technical deep dive into an automation solution provided by two of our Intelligent Workplace experts, Tudor Ispas and Catalin Palfi. For any further details concerning how this can help your business, do not hesitate to get in touch with us by filling in the contact form.
Automating user creation in the context of Microsoft 365 Cloud and an on-prem AD infrastructure with Azure AD Sync can be a tedious job. In this article, we will present how we automated the process of creating specific users, such as test users, service accounts and admin accounts using Nintex Forms for SharePoint Online, Power Automate and a PowerShell script running against the domain.
This process hits all the requirements of any business:
- a unified naming convention
- proper license assignment
- comprehensive tracking (owners, requested dates, purpose)
At a high-level glance, the process encompasses the following:
- Accounts are requested via a Nintex form in a SharePoint Online list
- Requestors fill in the required details based on the account type: service accounts, administrator accounts or test accounts
- All requests go through an approval process
- Accounts are created in Active Directory with the corresponding details (name, description etc.), placed in the owner's domain and in the correct OU
- Service accounts are excluded from Conditional Access policies
- If needed, test accounts are licensed in Office 365
- All approved requests log via an API call a CR in the ticketing system
- Once created, the account details are sent to the owner
- Approved accounts are logged to three distinct SharePoint Online lists based on their type and removed from the initial list
• Rejected accounts are moved to a specific list
As is applicable to any intricate process, breaking it down by thoroughly describing the steps and requirements can help better understand why it is important and, subsequently, how organizations can benefit from applying it to their enterprise IT management.
The solution requirements and steps
SharePoint Online lists:
a. The main SharePoint Online list is where the Nintex form resides and where users have access to log their requests.
b. Another 4 lists are needed for tracking (service accounts, admin accounts, test accounts and rejected requests)
These lists have specific columns:
The Nintex Form
The form enforces via regular expressions naming convention based on account type and double-checks the existence of users to avoid duplicates. It also populates dynamically certain fields which are relevant to an account type.
Service account form:
Test account form
Admin account form:
Power Automate workflow
The workflow is triggered every time a new item is added; it processes the information provided in the form and pushes via a Gateway a .csv file on the VM.
- Approvals are needed for all requests
- If the request is rejected the flow will send an email to the requestor, move the item to the rejected tracking list and then terminate the workflow
- All account details that compile the parameters for account creation in AD are initialized as variables and changed along the way based on the account type
- If a license is needed a condition sets the extensionAttribute1 to Licensed and the Email value of the account
- The flow then pushes the .csv file on a specific path on the server with all the details needed for the account: FirstName, LastName, DisplayName, Username, UPN, Email, extensionAttribute1(licensing), AccountDescription, AccountOU, EmployeeType, AccountOwner, OwnerEmail, RequestorEmail, OwnerDisplayName
- A Change Request is logged in the ticketing system on behalf of the requestor and closed automatically with an API call
- After 2 hours the flow removes the request and moves the item to the corresponding list: service, test, or admin
The complete folder structure on the server where the account creation script runs.
- Archive: location where all processed csv files are moved
- Create: location where the script adds headers to the csv files
- Drop: location where the workflow pushed the csv files
- EmailTemplate: location for the email template
- Error: location where all failed processed csv files are stored
- Logs: location for storing all logs
Once the csv file is pushed on the server via a Gateway, it gets picked up by a Scheduled task running each half an hour
- Starts the logging process
- Generates a random password
- Picks up all files stored on under the Drop folder
- Adds headers to all the csv files and moves the files to the Create folder
- Sets the parameters based on the csv
- Interrogates the global catalogue for the account owner domain so that it can place the requested account under the same domain
- Creates the user based on the parameters, and sets the extension attributes (extensionAttribute1 and extensionAttribute2) and the accountType
- In case of failure due to duplicate accounts it sends an email notification to the requestor and to IT, while the csv file is moved to the Error folder
- In case of failure due to other reasons, IT is informed, and the csv file is moved to the Error folder
- Once the user is created successfully, the script sends an email to the owner with the username and password in an HTML format
- The processed files are moved to the Archive
- Logs are sent to IT
After the process is completed and the users are synchronized to Azure AD, they are added to Office 365 groups as follows:
- If the test user’s extensionAttribute1 is set to Licensed the user is added to an Office 365 security group dynamically and licensed
- If the service account’s extensionAttribute2 is set to SVC, the user is added to an Office 365 security group dynamically and excluded from CA
If you are interested in more automations for your IT infrastructure to create a truly intelligent workplace for your team, our experts would love to help.