Here’s how to automatically create a new Active Directory user from a Microsoft Form: the form submission triggers a Logic App, which starts an Azure Automation runbook, and the runbook’s PowerShell script creates the user on an on-premises Hybrid Runbook Worker.
Create a Microsoft Form with the fields you want to collect for the new user (in the example below: first name, last name, city, phone number and the initial password).
Azure Automation Account
Create a PowerShell runbook in the Automation Account under ‘Process Automation’ > ‘Runbooks’.
Add the onboarding script to the runbook in the editor, then publish it; only the published version can be started by the Logic App.
In my example, I’ve created a simple New-ADUser script for illustration. You can extend it with the rest of your onboarding process and add steps for on-premises or hybrid environments. Note that every parameter comes straight from the form, so the script trusts its input: the sAMAccountName is built from the names with no length limit (AD allows 20 characters) or uniqueness check, and the password arrives as a plain string parameter.

```powershell
Param (
    [parameter(Mandatory=$true)] [string] $firstname,
    [parameter(Mandatory=$true)] [string] $lastname,
    [parameter(Mandatory=$true)] [string] $city,
    [parameter(Mandatory=$true)] [string] $phone,
    [parameter(Mandatory=$true)] [string] $pw
)

# Derive the display name, logon name and UPN from the form fields
$displayname = $firstname + " " + $lastname
$upn = "$firstname.$lastname" + "@rios.engineer"

# Create the enabled account in the Employees OU on the named domain controller
New-ADUser -Name $displayname `
    -SamAccountName "$firstname.$lastname" `
    -UserPrincipalName $upn `
    -DisplayName $displayname `
    -GivenName $firstname `
    -Surname $lastname `
    -City $city `
    -OfficePhone $phone `
    -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
    -Enabled:$true `
    -Server az-dc-01 `
    -Path "OU=Employees,DC=rios,DC=ad"
```
You can test the runbook on its own, to troubleshoot permissions or syntax problems before wiring up the Logic App, by clicking ‘Start’ on the runbook and supplying the parameters; pick the Hybrid Worker Group as the run location, otherwise the job runs in the Azure sandbox with no line of sight to the domain controller. Bear in mind that job inputs are visible in the job history, so use a throwaway password when testing.
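The following is an added, hardened version of the runbook, not the script from the original post. It keeps the same five parameters and the post’s DC name, OU and UPN suffix, but treats the form fields as untrusted input: it validates the names and phone number, builds a sAMAccountName that fits AD’s 20-character limit and is unique in the domain, forces a password change at first logon because the initial password passed through the form and the job inputs, and fails the job loudly on any error. The validation rules and naming scheme are this example’s own assumptions.

```powershell
Param (
    [Parameter(Mandatory = $true)] [string] $firstname,
    [Parameter(Mandatory = $true)] [string] $lastname,
    [Parameter(Mandatory = $true)] [string] $city,
    [Parameter(Mandatory = $true)] [string] $phone,
    [Parameter(Mandatory = $true)] [string] $pw
)

# Any failure terminates the job with a failed status, so the Logic App can react
# instead of reporting success for a user that was never created.
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# DC, OU and UPN suffix are the post's values; the naming rules below are
# assumptions made for this example.
$dc        = 'az-dc-01'
$ou        = 'OU=Employees,DC=rios,DC=ad'
$upnSuffix = 'rios.engineer'

# Form fields are untrusted input. Restrict names before they are used to build a
# sAMAccountName, UPN and DN; reject anything with LDAP-significant characters.
foreach ($field in @{ firstname = $firstname; lastname = $lastname }.GetEnumerator()) {
    if ($field.Value -notmatch '^[\p{L}'' -]{1,64}$') {
        throw "Invalid $($field.Key): only letters, spaces, hyphens and apostrophes are allowed."
    }
}
if ($phone -notmatch '^\+?[0-9 ()-]{6,20}$') { throw 'Invalid phone number.' }

# sAMAccountName is limited to 20 characters and must be unique in the domain.
$base = ("$firstname.$lastname").ToLowerInvariant() -replace '[^a-z0-9.]', ''
if ($base.Length -gt 20) { $base = $base.Substring(0, 20) }
$sam = $base
$n = 1
while (Get-ADUser -Server $dc -LDAPFilter "(sAMAccountName=$sam)") {
    # john.smith already exists: try john.smith1, john.smith2, ... within the 20-char limit
    $suffix = [string]$n
    $sam = $base.Substring(0, [Math]::Min($base.Length, 20 - $suffix.Length)) + $suffix
    $n++
}

$displayname = "$firstname $lastname"
$upn         = "$sam@$upnSuffix"

$newUser = @{
    # CN = sAMAccountName so a second "John Smith" does not collide on the DN.
    Name                  = $sam
    SamAccountName        = $sam
    UserPrincipalName     = $upn
    DisplayName           = $displayname
    GivenName             = $firstname
    Surname               = $lastname
    City                  = $city
    OfficePhone           = $phone
    # New-ADUser fails here if $pw does not meet the domain password policy.
    AccountPassword       = (ConvertTo-SecureString $pw -AsPlainText -Force)
    Enabled               = $true
    # The initial password travelled through the form and the job inputs; force a change.
    ChangePasswordAtLogon = $true
    Server                = $dc
    Path                  = $ou
}
New-ADUser @newUser

# Return only what the Logic App needs for the notification step; never echo the password.
[pscustomobject]@{
    SamAccountName    = $sam
    UserPrincipalName = $upn
    DisplayName       = $displayname
}
```

The object returned at the end lands in the job’s Output stream, which the Logic App can read if you tick ‘Wait for job’ on the Create job action and follow it with ‘Get job output’; that is what a later notification email should use rather than the raw form fields.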
Add the domain service account to the Automation Account as a Credentials asset. Importantly, enter the username in domain\user form, not user@domain. This account only needs the rights delegated in the next section; it should not be a Domain Admin.
Configure the Hybrid Worker Group to run jobs as that credential rather than as the local system account of the worker:
Hybrid worker groups > Settings > toggle Run As to Custom and select the credential from the drop-down.
On Premises Server
Install the ActiveDirectory PowerShell module (part of RSAT) on the Hybrid Worker server, since that is where the runbook actually executes.
Delegate rights to the service account in Active Directory so that it can create users, scoping the delegation to the OU the runbook writes to (the one in its -Path) rather than the domain root:
- Right-click the organisational unit you want to delegate > Delegate Control... > select the service account > tick ‘Create, delete, and manage user accounts’ > Finish. Note that this wizard task also grants delete and manage rights on user objects in that OU, which is more than the create-only script strictly needs.
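To prepare the Hybrid Worker server and confirm the delegation did what you expect, here is an added example (not from the original post) that installs the module and inspects the OU’s ACL for the service account’s entries. The service account name RIOS\svc-onboarding is hypothetical; the OU is the post’s.

```powershell
# Run on the Hybrid Worker server as an administrator.
$svc  = 'RIOS\svc-onboarding'              # assumed service account name
$ouDn = 'OU=Employees,DC=rios,DC=ad'

# RSAT AD PowerShell module on Windows Server (on a client OS use Add-WindowsCapability instead).
if (-not (Get-Module -ListAvailable ActiveDirectory)) {
    Install-WindowsFeature RSAT-AD-PowerShell
}
Import-Module ActiveDirectory   # also mounts the AD: PSDrive used below

# Schema GUID of the 'user' object class. An Allow ACE with CreateChild and this
# ObjectType is what "Create, delete, and manage user accounts" writes on the OU.
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$acl  = Get-Acl -Path "AD:\$ouDn"
$aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $svc }

if (-not $aces) {
    Write-Warning "$svc has no ACEs on $ouDn; the runbook will fail with access denied."
    return
}

# Print every ACE so over-broad scope (all object classes) or inheritance from a
# parent container is visible, not just whether creation will work.
foreach ($a in $aces) {
    $scope = if ($a.ObjectType -eq $userClassGuid) { 'user objects' } elseif ($a.ObjectType -eq [guid]::Empty) { 'ALL object classes (over-broad)' } else { "object type $($a.ObjectType)" }
    '{0,-45} {1,-5} on {2}; inherited: {3}' -f $a.ActiveDirectoryRights, $a.AccessControlType, $scope, $a.IsInherited
}

$canCreateUsers = $aces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -ne 0) -and
    ($_.ObjectType -eq $userClassGuid -or $_.ObjectType -eq [guid]::Empty)
}

if ($canCreateUsers) { "OK: $svc can create user objects in $ouDn" }
else { Write-Warning "No CreateChild right for user objects found for $svc on $ouDn" }
```

If the only matching ACE shows ‘inherited: True’, the delegation was done higher up the tree than the Employees OU and the account can create users everywhere beneath that point.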
Logic App
Create a Logic App triggered by the Microsoft Form, so that each submitted field is available as dynamic content for the runbook parameters. You can also get creative at this stage, for example waiting for an approval before the job is created, or sending a notification email informing the requester that the account is ready for use on completion.
Search for ‘Azure Automation’ and add the ‘Create job’ action, then fill out the parameters, mapping each form field to the runbook parameter of the same name. (Note: be sure to set the Hybrid Automation Worker Group in the parameters; without it the job runs in Azure and cannot reach the domain controller.) Because the password is passed as a job parameter, turn on Secure Inputs in the action’s settings so it is not stored in plain text in the Logic App run history.
Lastly, to test, fill out the form; with everything put together, the flow should create the user in Active Directory. If it does not, the Automation job’s Error stream on the Hybrid Worker is the first place to look.
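When the form-to-user chain fails, it helps to reproduce what the Create job action does from the command line. This added example (not from the original post) starts the published runbook on the Hybrid Worker Group with the Az.Automation module, waits for it to finish and prints its output and error streams. The resource group, Automation Account, runbook and worker group names are hypothetical placeholders.

```powershell
# Requires the Az.Accounts and Az.Automation modules.
Connect-AzAccount   # interactive; use a managed identity or service principal when unattended

$rg  = 'rg-automation'        # assumed resource group
$aa  = 'aa-onboarding'        # assumed Automation Account
$rb  = 'New-OnboardedUser'    # assumed runbook name
$hwg = 'hwg-onprem'           # assumed Hybrid Worker Group

# Generate a throwaway initial password locally instead of typing one into a form;
# the test account should have ChangePasswordAtLogon set anyway.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 18
$rng.GetBytes($bytes)
$pw = [Convert]::ToBase64String($bytes)

# Same parameter names as the runbook's Param() block.
$params = @{
    firstname = 'Test'
    lastname  = 'Onboarding'
    city      = 'London'
    phone     = '+44 20 0000 0000'
    pw        = $pw
}

# -RunOn is the equivalent of the Hybrid Automation Worker Group field in the Logic App action.
$job = Start-AzAutomationRunbook -ResourceGroupName $rg -AutomationAccountName $aa `
    -Name $rb -Parameters $params -RunOn $hwg

# Poll until the job leaves a non-terminal state.
do {
    Start-Sleep -Seconds 10
    $job = Get-AzAutomationJob -ResourceGroupName $rg -AutomationAccountName $aa -Id $job.JobId
    "Job $($job.JobId): $($job.Status)"
} while ($job.Status -in 'New', 'Activating', 'Queued', 'Running')

# 'Output' is what the runbook emitted; 'Error' explains failures such as a missing
# AD module on the worker, a wrong credential or insufficient delegation on the OU.
Get-AzAutomationJobOutput -ResourceGroupName $rg -AutomationAccountName $aa -Id $job.JobId -Stream Any |
    Select-Object Time, Type, Summary
```

Remember that the parameters you pass here, password included, are recorded in the job’s Input tab just as they are when the Logic App starts the job, which is another reason to force a password change at first logon.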
There are a few ways to achieve this end goal, particularly if you do not depend on on-premises AD for workflows. For cloud-only accounts, for example, the Logic App can call the Azure AD connector’s create-user action directly and skip the runbook and Hybrid Worker entirely.
However, this is a solid way to build out automation processes with the help of Azure, as the same pattern (form, Logic App, runbook on a Hybrid Worker) can be reused for many other scenarios that need to touch on-premises systems.
My takeaway is that Azure Automation and Logic Apps can be a very powerful combination, not only for automation, but for keeping processes uniform.