Question

PA Create Guest Users Azure

  • 15 July 2022


Hi,

I would like to be able to let users create a ticket/request in FS to invite a user to our Azure AD for sharing with said guest user. I'm able to do it via MS Forms and PA, but I do not know how to build something like that with FS.

Any help is much appreciated!

Kind regards,

Ralf


6 replies


Wow @RGHD! What a solid solution. Great job! And thank you for sharing. I know this will help a number of users. Take care!

#It's obviously PowerShell, as we're a Windows shop.
#I've anonymized variables and custom messages. They're in CAPS.

# The Freshservice automator passes the ticket fields positionally (see the command below).
param(
    [Parameter(Mandatory)] [string] $GuestUserName,
    [Parameter(Mandatory)] [string] $GuestUserMail,
    [Parameter(Mandatory)] [string] $InviterUserMail,
    [Parameter(Mandatory)] [string] $InviterUserName
)

# App registration used for the client-credentials flow (it needs the User.Invite.All
# application permission). Do not leave the secret in the script on the orchestration
# host; read it from a protected environment variable or a vault instead.
$clientID     = "YOUR_CLIENT_ID"
$clientSecret = "YOUR_SECRET"
$tenantID     = "YOUR_TENANT_ID"

$InviteMessage     = "INSERT CUSTOM MESSAGE LIKE YOU HAVE BEEN INVITED BY $InviterUserName"
$InviteRedirectURL = "https://YOUR WANTED REDIRECT I.E. COMPANY WEBSITE"

# Request an app-only access token for Microsoft Graph
$tokenBody = @{
    grant_type    = "client_credentials"
    scope         = "https://graph.microsoft.com/.default"
    client_id     = $clientID
    client_secret = $clientSecret
}
$tokenResponse = Invoke-RestMethod -Method POST `
    -Uri "https://login.microsoftonline.com/$tenantID/oauth2/v2.0/token" -Body $tokenBody

$headers = @{
    "Authorization" = "Bearer $($tokenResponse.access_token)"
}

# Build the invitation as a hashtable and let ConvertTo-Json serialize it: quotes and
# backslashes in the ticket values are escaped instead of breaking the JSON body.
$invitation = @{
    invitedUserEmailAddress = $GuestUserMail
    inviteRedirectUrl       = $InviteRedirectURL
    invitedUserDisplayName  = $GuestUserName
    sendInvitationMessage   = $true
    invitedUserMessageInfo  = @{
        messageLanguage       = "de-DE"
        customizedMessageBody = $InviteMessage
        ccRecipients          = @(
            @{ emailAddress = @{ address = $InviterUserMail } }
        )
    }
}
$body = $invitation | ConvertTo-Json -Depth 5

# Send the body as UTF-8 bytes so non-ASCII characters reach Graph unchanged
$URL = "https://graph.microsoft.com/v1.0/invitations"
Invoke-RestMethod -Method POST -Uri $URL -Headers $headers `
    -ContentType "application/json; charset=utf-8" `
    -Body ([System.Text.Encoding]::UTF8.GetBytes($body))

Place this script on your orchestration host and make it executable.

The next step is to create a PowerShell Execute command in the automation workflow. Maybe you have to edit the names of the variables on your instance. As you can see, because Graph has issues with umlauts, we're parsing them in FS and replacing them accordingly.

c:\PATH_TO_SCRIPT.ps1 "{{ticket.ri_43_cf_guestdisplayname | replace: "ä", "ae" | replace: "Ä", "Ae" | replace: "ö", "oe" | replace: "Ö", "Oe" | replace: "ü", "ue" | replace: "Ü", "Ue" | replace: "ß", "ss"}}" "{{ticket.ri_43_cf_guestmail}}" "{{ticket.from_email}}" "{{ticket.requester.name | replace: "ä", "ae" | replace: "Ä", "Ae" | replace: "ö", "oe" | replace: "Ö", "Oe" | replace: "ü", "ue" | replace: "Ü", "Ue" | replace: "ß", "ss"}}"

Now, when the automator runs, it calls the script with the arguments and passes the requester etc. to the Graph API to create the invite.

That's it.

@jpnhs

@zachary.king thank you very much! Looks like I should have explained it better.

We want our users to create an SR via FS that creates a guest user in Azure AD, so that we can share files with them via OneDrive, as we want to lock down our environment to improve governance and our security posture.

I've solved it right now. Just ironing some quirks out.

The solution right now:

A script for calling the Graph API with parameters, so it can be called with the info from the created SR.

Said script needs to be placed on the Orchestration Server.

An SR with the topic Guestaccess and the fields GuestName and GuestMail gets created.

If both fields are not empty, the automator gets triggered, calls the script and passes the values of said fields to the script as parameters.

The guest gets an e-mail and the requester is in cc.
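The ticket fields reach the script above as untrusted command-line arguments, so an input gate in front of the Graph call is worth having. This is an added example in PowerShell, not RGHD's script; the internal domain list, the log path and the 64-character name limit are assumptions.

```powershell
# Added example, not part of RGHD's script: reject malformed or suspicious ticket values
# before anything is sent to Graph. Domain list and log location are assumptions.
param(
    [Parameter(Mandatory)] [string] $GuestUserName,
    [Parameter(Mandatory)] [string] $GuestUserMail,
    [Parameter(Mandatory)] [string] $InviterUserMail
)

# Assumed list of the tenant's own domains: the requester must come from one of them,
# the guest must not (an invite for an internal address is almost always a typo).
$InternalDomains = @('contoso.com', 'contoso.de')

function Get-ValidMailAddress {
    param([string] $Value)
    try { $parsed = [System.Net.Mail.MailAddress]::new($Value) } catch { return $null }
    # MailAddress accepts "Bob <bob@x>" and hosts without a dot; neither is wanted here.
    if ($parsed.Address -ne $Value -or $parsed.Host -notmatch '\.') { return $null }
    return $parsed
}

function Test-GuestInviteInput {
    param([string] $Name, [string] $Mail, [string] $Inviter)

    # Display name: letters (umlauts included), digits, space, dot, hyphen, apostrophe.
    # Quotes, braces and control characters are rejected rather than cleaned, because
    # the value ends up in the JSON body and in the invitation e-mail.
    if ($Name.Length -gt 64 -or $Name -notmatch '^[\p{L}\p{N} .''-]+$') {
        Write-Warning "Rejected display name '$Name'"; return $false
    }
    $guest     = Get-ValidMailAddress $Mail
    $requester = Get-ValidMailAddress $Inviter
    if (-not $guest -or -not $requester) {
        Write-Warning "Rejected malformed address"; return $false
    }
    if ($InternalDomains -notcontains $requester.Host) {
        Write-Warning "Requester '$Inviter' is not an internal account"; return $false
    }
    if ($InternalDomains -contains $guest.Host) {
        Write-Warning "Guest '$Mail' is an internal address; no invite needed"; return $false
    }
    return $true
}

if (-not (Test-GuestInviteInput $GuestUserName $GuestUserMail $InviterUserMail)) {
    exit 1   # non-zero exit makes the rejection visible in the automator run log
}
# Audit trail: who invited whom, recorded before the invitation is sent
"{0:o} invite guest={1} requester={2}" -f (Get-Date), $GuestUserMail, $InviterUserMail |
    Add-Content -Path "$PSScriptRoot\guest-invites.log"
```

Run it as the first step of the invite script (or dot-source it there) so the Graph call only happens when the gate returns $true.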

 

Hi RGHD - are you able to share the script please?


@RGHD Sounds like a great solution. Glad you were able to get it figured out!



@RGHD Have you tried creating a service item in the service catalog and letting them make the request through the support portal? If the guest is initiating the request and can't access the support portal, you could have them submit an email to a support mailbox that creates a ticket. If you need specific information at the time they make the request, you can keep your MS Form and leverage Power Automate to create the ticket, mapping form fields to ticket fields. Just a couple of ideas.

Create a Freshservice Ticket when a form is submitted with Microsoft Forms

Hope that helps!
