Automating Azure AD B2B Invites with Approval Workflow

Let’s wrap things up

We now have an object (possibly blank) that we can use to determine if the user exists. We need to add a Condition Control to split our Flow depending on the result. Add an expression and use the definition below to check if the returned object is empty.

empty(body('Parse_User_Check')?['value'])

In the No branch, we’ll just send the requester a notification since the user already exists. I’m using the Office 365 Send an Email action to send emails.

In the Yes branch, we’ll kick off the rest of our Flow. In my approval process, I send the approval request to the requester’s manager. So, we need to request an object for their manager. Add another HTTP action.

Then of course, we need to parse the response so we can work with the values. Add another Parse JSON action, using the Body of the Get Requester’s Manager action.

{
    "type": "object",
    "properties": {
        "@@odata.context": {
            "type": "string"
        },
        "@@odata.type": {
            "type": "string"
        },
        "id": {
            "type": "string"
        },
        "businessPhones": {
            "type": "array",
            "items": {
                "type": "string"
            }
        },
        "displayName": {
            "type": "string"
        },
        "givenName": {
            "type": "string"
        },
        "jobTitle": {},
        "mail": {
            "type": "string"
        },
        "mobilePhone": {},
        "officeLocation": {},
        "preferredLanguage": {
            "type": "string"
        },
        "surname": {
            "type": "string"
        },
        "userPrincipalName": {
            "type": "string"
        }
    }
}

Let’s go ahead and set up an approval condition. Add a Start and wait for an approval action. The mail value in Assigned to is parsed from the Manager object.

Next, let’s add another Condition Control to branch our Flow depending on the approval outcome. We’re checking if the Response value from the Get Manager Approval action is Approve.

In the NO branch, we’ll just send the requester an email saying they’ve been DENIED!

In the YES branch, we’ll finish off our Flow. We’re almost done! Add a new HTTP action. This will be an API call to the Microsoft Graph API to send an invite to the guest email address. Use the body content below, replacing the <> placeholder values (which appear empty here) with the dynamic values from the form, as shown below. Make sure to also set the appropriate redirect URL.

{
  "inviteRedirectUrl": "https://www.yourdomain.tld",
  "invitedUserEmailAddress": "",
  "sendInvitationMessage": true,
  "invitedUserDisplayName": "",
  "invitedUserMessageInfo": {
    "customizedMessageBody": "Hello , You have been invited by  as a guest.  Continuing will allow you to collaborate and access data shared with you."
  }
}

Now, once again, let’s parse the invite response. Add a new Parse JSON action and use the body from the HTTP action above as the content.

{
    "properties": {
        "@@odata.context": {
            "type": "string"
        },
        "id": {
            "type": "string"
        },
        "inviteRedeemUrl": {
            "type": "string"
        },
        "inviteRedirectUrl": {
            "type": "string"
        },
        "invitedUser": {
            "properties": {
                "id": {
                    "type": "string"
                }
            },
            "type": "object"
        },
        "invitedUserDisplayName": {},
        "invitedUserEmailAddress": {
            "type": "string"
        },
        "invitedUserMessageInfo": {
            "properties": {
                "ccRecipients": {
                    "items": {
                        "properties": {
                            "emailAddress": {
                                "properties": {
                                    "address": {},
                                    "name": {}
                                },
                                "type": "object"
                            }
                        },
                        "required": [
                            "emailAddress"
                        ],
                        "type": "object"
                    },
                    "type": "array"
                },
                "customizedMessageBody": {},
                "messageLanguage": {}
            },
            "type": "object"
        },
        "invitedUserType": {
            "type": "string"
        },
        "sendInvitationMessage": {
            "type": "boolean"
        },
        "status": {
            "type": "string"
        }
    },
    "type": "object"
}

Finally, we just need to send the requester an email letting them know that their request was approved and processed. We’ll use an Office 365 Send an Email action.
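The steps above (user-exists check, manager lookup, approval, invitation, parsing the invitation response) map onto three Microsoft Graph calls. The following Python is an added example, not part of the post and not a Power Automate export: it runs the same decision logic in code so each branch can be tested offline. It uses the real Graph endpoints GET /users?$filter=mail eq '…', GET /users/{id}/manager and POST /invitations, but the transport that "answers" those calls here is a constructed fake with made-up directory data; against a live tenant you would replace it with an authenticated HTTP client. Function names, the fake transport and all sample values are my own. Note the OData literal quoting: a guest address taken from a form is interpolated into a $filter, so single quotes in it must be doubled or the query breaks (or, worse, changes meaning).

```python
import re
from typing import Any, Callable, Dict, Optional

GRAPH = "https://graph.microsoft.com/v1.0"

# A transport performs one HTTP call against Graph and returns the decoded JSON body.
Transport = Callable[[str, str, Optional[Dict[str, Any]]], Dict[str, Any]]

# Hypothetical, deliberately strict address check used before anything is sent.
EMAIL_RE = re.compile(r"^[^@\s']+@[^@\s']+\.[^@\s']+$")


def odata_string(value: str) -> str:
    """Quote a value as an OData string literal: a single quote is escaped by doubling it."""
    return "'" + value.replace("'", "''") + "'"


def user_exists(graph: Transport, email: str) -> bool:
    """Same test as the Flow's empty(body('Parse_User_Check')?['value']) condition:
    a non-empty 'value' array means the address already belongs to a directory user."""
    url = f"{GRAPH}/users?$filter=mail eq {odata_string(email)}"
    return bool(graph("GET", url, None).get("value"))


def get_manager(graph: Transport, requester_upn: str) -> Dict[str, Any]:
    """Fetch the requester's manager object (what the post's second Parse JSON consumes)."""
    return graph("GET", f"{GRAPH}/users/{requester_upn}/manager", None)


def build_invitation(guest_email: str, guest_name: str, requester_name: str,
                     redirect_url: str) -> Dict[str, Any]:
    """Build the POST /invitations body from the post with the placeholders filled in.
    Rejects malformed guest addresses and non-HTTPS redirect URLs up front."""
    if not EMAIL_RE.match(guest_email):
        raise ValueError(f"invalid guest email address: {guest_email!r}")
    if not redirect_url.startswith("https://"):
        raise ValueError("inviteRedirectUrl must be an https:// URL")
    return {
        "inviteRedirectUrl": redirect_url,
        "invitedUserEmailAddress": guest_email,
        "sendInvitationMessage": True,
        "invitedUserDisplayName": guest_name,
        "invitedUserMessageInfo": {
            "customizedMessageBody": (
                f"Hello {guest_name}, You have been invited by {requester_name} as a guest. "
                "Continuing will allow you to collaborate and access data shared with you."
            )
        },
    }


def process_guest_request(graph: Transport, approve: Callable[[str], bool],
                          requester_upn: str, requester_name: str,
                          guest_email: str, guest_name: str, redirect_url: str) -> Dict[str, Any]:
    """Run the whole Flow and return an outcome record for the requester's notification email.
    `approve` stands in for the 'Start and wait for an approval' action: it receives the
    manager's mail address and returns True only if the response was Approve."""
    if user_exists(graph, guest_email):
        return {"outcome": "exists", "guest": guest_email}
    manager = get_manager(graph, requester_upn)
    if not approve(manager["mail"]):
        return {"outcome": "denied", "approver": manager["mail"]}
    body = build_invitation(guest_email, guest_name, requester_name, redirect_url)
    resp = graph("POST", f"{GRAPH}/invitations", body)
    # These are the fields the post's last Parse JSON schema exposes.
    return {"outcome": "invited", "approver": manager["mail"], "status": resp["status"],
            "invited_user_id": resp["invitedUser"]["id"], "redeem_url": resp["inviteRedeemUrl"]}


# --- Constructed fake of Graph so the example runs offline; none of this is real tenant data.
def make_fake_graph(existing_mails, manager: Dict[str, Any]) -> Transport:
    calls = []

    def fake(method: str, url: str, body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        calls.append((method, url, body))
        if method == "GET" and "/users?$filter=mail eq " in url:
            literal = url.split("mail eq ", 1)[1]          # e.g. 'o''brien@partner.example'
            mail = literal[1:-1].replace("''", "'")        # undo the OData quoting
            return {"value": [{"mail": mail}] if mail in existing_mails else []}
        if method == "GET" and url.endswith("/manager"):
            return manager
        if method == "POST" and url.endswith("/invitations") and body is not None:
            return {"id": "00000000-0000-0000-0000-000000000001",
                    "inviteRedeemUrl": "https://login.example/redeem?placeholder",
                    "invitedUser": {"id": "11111111-1111-1111-1111-111111111111"},
                    "invitedUserEmailAddress": body["invitedUserEmailAddress"],
                    "status": "PendingAcceptance"}
        raise RuntimeError(f"unexpected Graph call: {method} {url}")

    fake.calls = calls  # lets a caller inspect what was sent
    return fake


if __name__ == "__main__":
    graph = make_fake_graph({"bob@partner.example"},
                            {"mail": "mgr@contoso.example", "displayName": "Sample Manager"})
    print(process_guest_request(graph, lambda m: True, "alice@contoso.example", "Alice",
                                "carol@partner.example", "Carol", "https://www.contoso.example"))
```

The `approve` callback is where the real flow waits on the manager; in a live implementation the approver address should come from the directory lookup as it does here, never from the form, otherwise a requester could route their own approval to themselves.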

To test, fill out the form.

Your manager (or whoever you decide to assign the approval to) should get a request to approve.

If approved, you should see the new account show up in Azure AD as an “Invited User”.

Once the user completes the invitation, that will change to whatever account type that user has.