Here’s how we can automatically create a new Active Directory user from a Microsoft Form, which will trigger a LogicApp to execute an Automation Runbook powershell script which creates the user.
Microsoft Form
Create a Microsoft Form with the new user fields desired.
Azure Automation Account
Create an Azure Automation Account
I’ve installed the extension-based worker, which deploys an extension into my Azure DC. This is done when you add the server into the hybrid worker group. However, you have options for agent-based installs for on premises servers too.
Create a runbook in the Automation Account under ‘Process Automation’.
Add the onboarding script to the runbook by editing and publishing it when complete.
In my example, I’ve created a simple New-ADUser script for illustration. However, you can extend this to your necessary onboarding processes and include other steps for on premise or hybrid environments.
Param
(
[parameter(Mandatory=$true)]
[string] $firstname,
[parameter(Mandatory=$true)]
[string] $lastname,
[parameter(Mandatory=$true)]
[string] $city,
[parameter(Mandatory=$true)]
[string] $phone,
[parameter(Mandatory=$true)]
[string] $pw
)
$displayname = $firstname + " " + $lastname
$upn = "$firstname.$lastname" + "@rios.engineer"
New-ADUser -Name $displayname `
-SamAccountName "$firstname.$lastname" `
-UserPrincipalName $upn `
-DisplayName $displayname `
-GivenName $firstname `
-Surname $lastname `
-City $city `
-OfficePhone $phone `
-AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
-Enabled:$true `
-Server az-dc-01 `
-Path "OU=Employees,DC=rios,DC=ad" `You can test your runbook to troubleshoot errors such as permissions or syntax problems by clicking the ‘Start’ button on the runbook.
Add the domain service account into the Automation Account Credentials. Importantly, use domain\user as shown below.
Configure the Hybrid worker Group to utilise the run as account when executing.
Hybrid worker groups > Settings > toggle Run As to Custom and select the credential from the drop down.
On Premises Server
Check the virtual machine has access for Azure Automation to function
Install the ActiveDirectory PowerShell module on the Hybrid worker server.
Delegate the service account rights in Active Directory so that it can create new users:
- Right click the organisational unit folder you want to delegate permission > Delegate Control.. > Select the service account > Tick Create, delete, and manage user accounts > Finish
Logic App
Create a Logic App in Azure and add the below actions. Personally, I like creating an item in a SharePoint list for auditing and tracking purposes.
Furthermore, you can also get creative at this stage of the Logic app. For example, waiting for approvals or sending an notification email informing the account is ready for use on completion, etc.
Search for ‘Azure Automation’ and add ‘Create job’ action, then fill out the parameters. (Note: be sure to include the Hybrid Automation Worker Group in the parameters)
Lastly, to test, fill out the form and the flow of everything put together should create the user in Active Directory.
Summary
There’s a few ways to achieve this end goal, particularly if you do not rely on hybrid AD for workflows. For example, you can include the create AD action in the LogicApp itself for Azure AD.
However, this is a solid way to build out some great automation processes with the help of Azure as the concept above can be used for various different automation scenarios.
My takeaway is that Azure Automation and LogicApps can prove to be a very powerful tool, not only for automation, but to help keep uniformity for processes.
This is excellent, thanks for sharing Dan. We use Forms at various clients for new starters, where the client completes the information (name, start date, access required, etc.) and the form generates a ticket for us to follow. Looks like we can extend that to actually create the AAD/AD user – very nice!
Hi David, great to hear from you. Hope you’ve been keeping well.
Thanks for the feedback on this. Indeed a very powerful toolset! It definitely becomes even sleeker when the client is cloud only due to the AAD Create User connector available to use in the flow, eliminating the steps for hybrid agents and runbooks.
Dan
Ничего настолько не радует, как отменная статеечка. Благодарю
Thank you!
Hello Dan. This was a wonderful article. I was wondering if you have seen an instance where following these steps you may get the exception Incomplete String Token? I confirmed I can successfully run test powershell scripts through runbooks by creating a file on the C drive. I cannot however use the script to create new users. If you can point me in the right direction that would be wonderful!
Hi Morgan. Thanks for your kind words, mate!
I would probably look at running the new user script locally on the server, if it works there it should definitely work when triggering through the run book in Azure.
Also, is the Active Directory PS Module installed onto the server as well?
Dan
Thank you for such a quick reply! The script works just fine on the local server, AD PS module is installed, I rebooted everything overnight and starting the Runbook manually creates a user now! Though now I am getting some actual errors I can work through.
When submitting new user through Forms the Runbook spits out the error “The term ‘New-ADUser’ is not recognized” So I will start troubleshooting that piece and let you know what I find out.
Hello Dan I got it working! Again thank you for this article. Its not a handhold guide ,but it points you in the right direction to do the research for yourself which is exactly what I needed. To anyone else out there reading this in the future my issue was setting the account back to default, AND I missed the “Hybrid Automation Work Group” in the Logic App. Using Event logs in folders Microsoft-Automation and Microsoft-SMA on my worker allowed me to follow the error trail and find the solution in the Microsoft article linked below.
https://docs.microsoft.com/en-us/azure/automation/troubleshoot/runbooks#diagnose-runbook-issues
Great to hear! I will update the article to mention this – as it may not be clear enough from the screenshots for other. Thanks.
The toolset has such a wide use case and different approaches I wanted the article to cover the basic overview. That way people can use the concept and be able to apply their own use cases into it 🙂 Happy automating!
Hi I have tried this but I am getting the error that -accountpassword doesn’t exist. i am trying to run a runbook with already filled out variables for testing any ideas?
Hey Jamie.
Sounds like it’s not picking up the password variable for whatever reason.
You could try running the script on the target server itself via Powershell ISE first to check the code is good. Maybe a hidden symbol at play causing an issue or syntax problem.
Also check the target sever has the AD ps module installed.
Dan