Here’s how we can automatically create a new Active Directory user from a Microsoft Form, which triggers a Logic App to execute an Automation Runbook PowerShell script that creates the user.
Microsoft Form
Create a Microsoft Form with the new user fields desired.
Azure Automation Account
Create an Azure Automation Account
I’ve installed the extension-based worker, which deploys an extension into my Azure DC. This is done when you add the server into the hybrid worker group.
Create a runbook in the Automation Account under ‘Process Automation’.
Add the onboarding script to the runbook by editing and publishing it when complete.
In my example, I’ve created a simple New-ADUser script for illustration. However, you can extend this to your necessary onboarding processes and include other steps for on premise or hybrid environments.
```powershell
# Runbook parameters; the Logic App 'Create job' action fills these from the form fields.
Param
(
    [parameter(Mandatory=$true)]
    [string] $firstname,
    [parameter(Mandatory=$true)]
    [string] $lastname,
    [parameter(Mandatory=$true)]
    [string] $city,
    [parameter(Mandatory=$true)]
    [string] $phone,
    [parameter(Mandatory=$true)]
    [string] $pw
)
$displayname = $firstname + " " + $lastname
# UPN suffix and OU below are the ones for this example domain; adjust for your own.
$upn = "$firstname.$lastname" + "@rios.engineer"
# Runs on the Hybrid Worker under the credential assigned to the worker group,
# so that account needs delegated rights on the target OU.
New-ADUser -Name $displayname `
    -SamAccountName "$firstname.$lastname" `
    -UserPrincipalName $upn `
    -DisplayName $displayname `
    -GivenName $firstname `
    -Surname $lastname `
    -City $city `
    -OfficePhone $phone `
    -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
    -Enabled:$true `
    -Server rios-dc-01 `
    -Path "OU=Employees,DC=rios,DC=ad"
```
You can test your runbook to troubleshoot errors such as permissions or syntax problems by clicking the ‘Start’ button on the runbook.
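As an added example (not the post’s own script), the same runbook with validation in front of New-ADUser, since every value arrives unverified from the Microsoft Form; the domain, DC name and OU are those from the script above, and the 14-character password minimum is an assumed local policy.

```powershell
# Added example, not the post's own script: the same runbook with input checks in
# front of New-ADUser, since every value arrives unverified from the Microsoft Form.
# Domain, DC name and OU are the ones used in the post; the 14-character minimum
# is an assumed local policy.
Param
(
    [parameter(Mandatory=$true)] [string] $firstname,
    [parameter(Mandatory=$true)] [string] $lastname,
    [parameter(Mandatory=$true)] [string] $city,
    [parameter(Mandatory=$true)] [string] $phone,
    [parameter(Mandatory=$true)] [string] $pw
)
Import-Module ActiveDirectory -ErrorAction Stop

# Letters and hyphen only: keeps the derived sAMAccountName, UPN and the
# -Filter string below free of spaces and LDAP/PowerShell special characters.
$namePattern = '^[A-Za-z][A-Za-z-]{0,39}$'
foreach ($n in @($firstname, $lastname)) {
    if ($n -notmatch $namePattern) { throw "Rejected name value: '$n'" }
}
if ($phone -notmatch '^\+?[0-9 ()-]{6,20}$') { throw "Rejected phone value: '$phone'" }
if ($city -notmatch '^[A-Za-z .-]{1,64}$')   { throw "Rejected city value: '$city'" }

$sam = "$firstname.$lastname"
# Active Directory limits sAMAccountName to 20 characters.
if ($sam.Length -gt 20) { throw "sAMAccountName '$sam' exceeds 20 characters" }
$upn = "$sam@rios.engineer"

# Fail closed if the account already exists instead of letting New-ADUser error out.
if (Get-ADUser -Server rios-dc-01 -Filter "SamAccountName -eq '$sam'") {
    throw "Account '$sam' already exists"
}
if ($pw.Length -lt 14) { throw "Password shorter than 14 characters" }
$secure = ConvertTo-SecureString $pw -AsPlainText -Force
$pw = $null   # drop the plaintext copy as soon as the SecureString exists
New-ADUser -Name "$firstname $lastname" `
    -SamAccountName $sam `
    -UserPrincipalName $upn `
    -DisplayName "$firstname $lastname" `
    -GivenName $firstname `
    -Surname $lastname `
    -City $city `
    -OfficePhone $phone `
    -AccountPassword $secure `
    -Enabled:$true `
    -ChangePasswordAtLogon $true `
    -Server rios-dc-01 `
    -Path "OU=Employees,DC=rios,DC=ad"
Write-Output "Created $upn in OU=Employees"
```

Any throw surfaces as a failed job in the Automation Account and in the Logic App run history, which is where you want a bad form submission to stop.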
Add the domain service account into the Automation Account Credentials. Importantly, use domain\user as shown below.
Configure the Hybrid Worker Group to use that credential when executing runbooks.
Hybrid worker groups > Settings > Select ‘Custom’ for the Hybrid Worker Credentials, and select the AD DS credential from the drop down.
On Premises Server
Check that the virtual machine has the access it needs for Azure Automation to function:
1. Install the ActiveDirectory PowerShell module on the Hybrid Worker server. This can be done quickly via PowerShell:
```powershell
Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online
```
2. Delegate rights to the Active Directory service account so that it can create new users:
- Right click the organisational unit you want to delegate permission on > Delegate Control... > Select the service account > Tick Create, delete, and manage user accounts > Finish
Logic App
Create a Logic App in Azure and add the below actions. Personally, I like creating an item in a SharePoint list for auditing and tracking purposes.
Furthermore, you can also get creative at this stage of the Logic App, for example by waiting for approvals, or by sending a notification email on completion informing that the account is ready for use.
Search for ‘Azure Automation’ and add ‘Create job’ action, then fill out the parameters. (Note: be sure to include the Hybrid Automation Worker Group in the parameters)
Lastly, to test, fill out the form and the flow of everything put together should create the user in Active Directory.
Summary
There are a few ways to achieve this end goal, particularly if you do not rely on hybrid AD for workflows. For example, for Azure AD you can include the create-user action in the Logic App itself.
However, this is a solid way to build out some great automation processes with the help of Azure as the concept above can be used for various different automation scenarios.
My takeaway is that Azure Automation and LogicApps can prove to be a very powerful tool, not only for automation, but to help keep uniformity for processes.
This is excellent, thanks for sharing Dan. We use Forms at various clients for new starters, where the client completes the information (name, start date, access required, etc.) and the form generates a ticket for us to follow. Looks like we can extend that to actually create the AAD/AD user – very nice!
Hi David, great to hear from you. Hope you’ve been keeping well.
Thanks for the feedback on this. Indeed a very powerful toolset! It definitely becomes even sleeker when the client is cloud only due to the AAD Create User connector available to use in the flow, eliminating the steps for hybrid agents and runbooks.
Dan
Nothing is as pleasing as an excellent little article. Thank you
Thank you!
Hello Dan. This was a wonderful article. I was wondering if you have seen an instance where following these steps you may get the exception Incomplete String Token? I confirmed I can successfully run test powershell scripts through runbooks by creating a file on the C drive. I cannot however use the script to create new users. If you can point me in the right direction that would be wonderful!
Hi Morgan. Thanks for your kind words, mate!
I would probably look at running the new user script locally on the server, if it works there it should definitely work when triggering through the run book in Azure.
Also, is the Active Directory PS Module installed onto the server as well?
Dan
Thank you for such a quick reply! The script works just fine on the local server, AD PS module is installed, I rebooted everything overnight and starting the Runbook manually creates a user now! Though now I am getting some actual errors I can work through.
When submitting new user through Forms the Runbook spits out the error “The term ‘New-ADUser’ is not recognized” So I will start troubleshooting that piece and let you know what I find out.
Hello Dan, I got it working! Again thank you for this article. It’s not a hand-holding guide, but it points you in the right direction to do the research for yourself, which is exactly what I needed. To anyone else out there reading this in the future: my issue was setting the account back to default, AND I missed the “Hybrid Automation Work Group” in the Logic App. Using Event logs in the folders Microsoft-Automation and Microsoft-SMA on my worker allowed me to follow the error trail and find the solution in the Microsoft article linked below.
https://docs.microsoft.com/en-us/azure/automation/troubleshoot/runbooks#diagnose-runbook-issues
Great to hear! I will update the article to mention this, as it may not be clear enough from the screenshots for others. Thanks.
The toolset has such a wide use case and different approaches I wanted the article to cover the basic overview. That way people can use the concept and be able to apply their own use cases into it 🙂 Happy automating!
Hi, I have tried this but I am getting the error that -accountpassword doesn’t exist. I am trying to run a runbook with already filled-out variables for testing; any ideas?
Hey Jamie.
Sounds like it’s not picking up the password variable for whatever reason.
You could try running the script on the target server itself via Powershell ISE first to check the code is good. Maybe a hidden symbol at play causing an issue or syntax problem.
Also check the target server has the AD PS module installed.
Dan
Hey Dan!
Amazing article. With which account have you configured the ‘Create Job’ action in order to run the Azure Automation, and which type of permissions are you assigning it?
Thank you in advance!
Hey there 👋 thanks! In this example the create job connector was running under my own user context. From memory as long as that account has access to the automation account resource it should be fine.
Ultimately a service account dedicated for the logic app connectors may be preferred.
The article is very old now I need to update it. Let me know if you hit any issues! Glad you found it useful.
Wondering whether you’ll get a chance to update this excellent article using managed identities now that the ‘Run as’ account has been deprecated?
I’m working on it as we speak, hope to have something in the next few days. I’ll reply when it’s live!
Hi Kito,
I’ve updated the article now. This actually still works, you continue to use ‘Credentials’ which are assigned to a Hybrid Worker Group. When running the Runbook you can run as the hybrid worker group using that credential, no need for RunAs. I just tested it end to end and this works.
Dan
Much appreciated I’ll have a re-read
Appreciate your article, which is amazing!! I would just like to ask about cost effectiveness: how to manage Logic Apps (resources) at the lowest cost in the scenario of a user account and user access creation/deletion script for hundreds of users a month. Thank you!
Thank you for the feedback Jan!
I think this will depend on how long the workflow executes for, as consumption Logic Apps are charged on an execution basis, plus any connectors.
You get 4,000 actions free too – it will likely be one of the most cost effective methods to do it and should be quite cheap even with hundreds of executions a month, see: (https://azure.microsoft.com/en-us/pricing/details/logic-apps/)