Microsoft Flow

This may seem trivial, but if you want to create a parameterized Flow, where the name of a group and a list of members are passed as request parameters, it turns out not to be that straightforward.

In Microsoft Flow there is a set of actions that allow you to work with Office 365 Groups. There is also one dedicated to adding new members (only “Members”; there is currently no way to add “Owners”).

“Add member to group” action

I don’t know how long this action has been available, but I think it was added this year, as forum questions from 2017 about adding O365 Group members using Flow are answered with “do it using PowerShell”.

The action requires two parameters to run:

  1. Group Id – this property can be selected from a dropdown, but that way you cannot parameterize your flow. You can pass the ID as a variable, but then you have to know it. Most of us know only the group’s name or the group’s e-mail, and that is not enough: even providing the group’s e-mail causes an error (400 Bad Request). I realized it actually has to be the O365 Group GUID.
  2. User’s Email – this one is simple.

Throttling

Read carefully and keep the following in mind!

Be aware that calls to O365 Groups from your Flow are throttled. After making 100 calls on a single connection, the flow has to wait a minute before making another call (source). So if you’d like to add more than 100 members, you have to add a “pause” action after making 100 calls. Just keep that in mind.

How to obtain O365 Group ID from Flow?

You need to call Microsoft Graph API of course! I’m doing it using the “HTTP” action, with a “GET” request to the following URL:

https://graph.microsoft.com/v1.0/groups?$filter=mailNickname eq '@{body('Parse_input_body')?['groupName']}'

Where “body('Parse_input_body')?['groupName']” is the name of the group (the part of its e-mail before the @), passed via the flow’s trigger request.

The action authenticates itself using Active Directory OAuth. To get the data for this authentication you need to register a new application in Azure Active Directory, copy the required IDs and paste them into the action’s configuration:

HTTP action configuration to get O365 Group ID

Read below how to register the app and get all the required IDs.

Register application in AAD to call Graph API

  1. Open the Azure Active Directory service, click “App registrations”, then click the “New application registration” button.

    Create new app registration in AAD
    Type in its name and enter “http://localhost” as its “Sign-on URL”.
    This is crucial – if you enter another URL that is not accessible to your Flow (e.g. a site that requires authentication), Flow will not be able to obtain the OAuth token.
  2. Then click the name of the app you created, click the “Settings” icon on its details blade and then “Required permissions” –> “Add”:

    Grant Azure AD app permissions
  3. Then click “Select an API” and choose “Microsoft Graph”. Next click “Select Permissions” and choose the permissions below from the “APPLICATION PERMISSIONS” group (source):
    1. Read and write all groups
    2. Read and write directory data
  4. Next go back to the “Settings” blade and open “Keys”. Type in the key’s name, select a suitable duration and hit “Save”. Once the key is saved, its value is generated in the “Value” column. Copy it.
    Note that once you leave this blade, you won’t be able to read that key’s value again!

    Generate APP's secret key

  5. Go back to the “Settings” blade and copy the “Application ID” value.
  6. Open “Azure Active Directory” service blade, then “Properties” and copy “Directory ID”.

Next steps

The next action is used to extract the group ID from the response body. I’m using a “Compose” action to get the value from the path: “body('Get_group_data')?['value']?[0]?['id']”.

Next I’m splitting the list of users to be added using a delimiter (a comma in my case), and then for each one I am calling the “Add member to group” action, providing the group ID and the e-mail.
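
The group lookup, ID extraction and member splitting described above, as an added Python sketch that is not part of the original post or of the flow itself. The function names, the sample response and the contoso.example addresses are constructed for illustration; the sketch doubles single quotes in the group name so that untrusted request input cannot alter the $filter expression, and it fails instead of taking value[0] when the lookup returns zero or several groups.

```python
import json
from urllib.parse import quote

GRAPH_GROUPS = "https://graph.microsoft.com/v1.0/groups"
CALLS_PER_WINDOW = 100  # throttle limit quoted in the post
PAUSE_SECONDS = 60      # "wait a minute", per the post


def group_lookup_url(group_name: str) -> str:
    """Build the $filter URL for a mailNickname taken from untrusted request input."""
    name = group_name.strip()
    if not name or "@" in name:
        raise ValueError("expected the part of the group's e-mail before '@'")
    # OData string literals escape a single quote by doubling it; without this,
    # a quote in the request parameter would change the filter expression.
    literal = name.replace("'", "''")
    return f"{GRAPH_GROUPS}?$filter=" + quote(f"mailNickname eq '{literal}'", safe="")


def extract_group_id(response_body: str) -> str:
    """Strict form of body('Get_group_data')?['value']?[0]?['id']."""
    matches = json.loads(response_body).get("value", [])
    if len(matches) != 1:
        raise LookupError(f"expected exactly one group, got {len(matches)}")
    return matches[0]["id"]


def member_batches(members_csv: str, size: int = CALLS_PER_WINDOW):
    """Split the comma-delimited list, drop blanks and duplicates, batch by the throttle limit."""
    seen, members = set(), []
    for raw in members_csv.split(","):
        email = raw.strip().lower()
        if email and email not in seen:
            seen.add(email)
            members.append(email)
    return [members[i:i + size] for i in range(0, len(members), size)]


# Constructed sample response; the GUID is a made-up placeholder.
SAMPLE = '{"value": [{"id": "00000000-0000-0000-0000-000000000001", "mailNickname": "sales"}]}'

if __name__ == "__main__":
    print(group_lookup_url("sales"))
    print(extract_group_id(SAMPLE))
    for n, batch in enumerate(member_batches("a@contoso.example, b@contoso.example,,A@contoso.example")):
        # A real caller would add each member here and sleep PAUSE_SECONDS between batches.
        print(n, batch)
```

Dropping duplicate addresses before the loop also avoids part of the 400 responses mentioned below for users who would otherwise be added twice in one run.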

Remember also to set the “Response” action (or whatever your flow does after adding users to the group) to be executed even if the “for each” action ends with an error (this may happen, e.g., if a user the flow is trying to add is already a member of the group – it will then return 400 Bad Request):

Flow action configure "Run after"

In the end my flow looks like below:

Add user as a O365 Group member Flow

How do you like it? Leave your comments below!