A while ago, my buddy and I presented Power Automate and used it with Microsoft Graph to create Teams and Groups with Approvals. The idea is simple. Creating Teams is boring for administrators, so let’s automate it using Power Automate, Microsoft Forms, and Microsoft Graph. So let’s see how to create a team automatically with approvals.
It’s a lot of technology, but since we have all these cool toys to play let’s use them.
The idea is simple.
- Someone needs a team
- Submits the details of the team.
- Someone approves.
- The team gets created.
Simple right? No need to go to the administrator, submit tickets or lose more time than necessary.
So how do we do it?
To build the Flow, we need to get the necessary permissions to perform the calls. Without these permissions, our Flows won’t work, and for a good reason.
The Azure AD
All permissions are controlled in Azure AD, so let’s check how to do it.
First, let’s go to the Azure Active Directory admin center.
We have to do two things. First, we need to register a new application. It may sound strange to create an application since we’re not actually creating one, but we need to do it since we’re using API calls. To do it:
You’ll see something like this:
Please give it a name. Please avoid using special characters since they may trigger some unexpected issues. After that, we have the account types. These are the ways that your “application” will be able to authenticate to the AD. Since we’re using Power Automate, we don’t need anything else outside our tenant. The redirect URL is optional, and it provides a link to where the AD will redirect as soon as the authentication is validated. The process will always go to a Microsoft page to ensure the integrity of the authentication workflow. In our case, we don’t need this part, so we’ll leave it blank.
Press register, and you’ll have a new application:
The second part is to add permissions to it. To do that, select “API permissions.”
You’ll find only one permission to read Microsoft Graph.
To add permissions:
Select “Application Permissions” since we’ll use Power Automate to do the actions for us.
We’ll need read and write permissions to:
- Groups – since we’re dealing with teams
- Directory – to fetch information from the directory
- User – to add users to the team automatically
To add permissions, you can search for them and select the boxes. Then, select all the boxes you need before pressing “Add permissions.”
After you confirm, you’ll see the permissions granted.
Go back to the app but don’t close this page yet. We’ll need it.
By far the easiest part of the whole process.
We need 3 things:
- The name of the team
- The description of the team – it’s important to have a description of the team’s objective so that other people know when they are added.
- The email of the owner – who will manage the team?
That’s it. We’ll catch the information in the Flow and create the team.
Still with me? 😀
It looks complex, but it’s not. There are some steps to consider, but when you think about it, they make sense.
Now let’s check the Flow on how to create a team automatically with approvals.
We have a few steps:
- Get the Form information
- Fetch the details of the person who submitted
- Create the Group in Azure AD
- Create the Team
We’ll use the “When a new response is submitted” trigger and the “Get response details” action to fetch all information submitted by the requester.
After this, we’ll define 3 variables with the information that we need to call Microsoft Graph’s API. We’ll need:
- Application ID
- Tenant ID
You’ll find these 3 elements in the Azure AD page that you didn’t close in the previous steps 😀. So if you did, no worries:
- Go to https://aad.portal.azure.com/
- Azure Active Directory
- App registrations
- Select the one that you created
You’ll find the first and the second on the main screen:
As for the 3rd, you need to create a new secret.
Copy it and insert it in the “Secret” variable:
You can close it now. We’re close, I promise.
Now let’s set up the authorization. To do it, we’ll use the “Start and wait for an approval” action and check if it’s approved with the Condition Action. Here we’ll add the approval part to the “team automatically with approvals” :).
After that, we can create the group in Azure AD using the “Create group” action.
You’ll notice that I’m not inserting the email “as is.” This is because it’s inserted by the user, and I want to remove the spaces. The formula is simple:
Now the part that I really don’t like but it’s necessary. Azure AD can take a few seconds to create the Group, so if we create the team right away, we can get errors because the group may not be created yet. To solve that, we need to insert a small delay to give Azure AD time to finish the tasks. You can use the “Delay” action to do this.
Finally, let’s create the team. To do it, you need to use the HTTP action.
We’ll use the group that we created before generating the HTML to send the request. The “displayName” and “description” both come from the Form. But something is missing. Where’s the authentication part? To do this, you need to “Show advanced options,” and you’ll get the following:
We’ll use the 3 variables that we defined in the beginning, and we’re all set.
It’s a lot of steps; I’ll give you that. But if you think about it, we’re doing:
- Opening the doors for a new application with the correct permissions.
- Ask the user for information
- Send the approval request to someone.
- Create the team
Now you can have teams created with a click on an email. How awesome is it to create a team automatically with approvals?
Photo by Andrea Bertozzini on Unsplash
3 thoughts on “How to create a team automatically with approvals using Power Automate?”
Hi, Manuel. Thanks for sharing this. I’m working on a similar solution and I’m curious about two things in your creation:
1) Did you have a reason for choosing to create the unified Group first and then do the Team creation instead of using the Graph API’s Create Team method? (https://docs.microsoft.com/en-us/graph/api/team-post?view=graph-rest-1.0&tabs=http) Your way is the way I see most examples do it (and MSFT doc’s even say that is the suggested way, though they don’t say why). But it seems easier to use the Create Team method and let it take care of building the M365 Group (and the other group goodies like ShPt site, mailbox). I’m worried I’m overlooking something and the easier method will end up biting me in the butt. Thoughts?
2) I don’t see anything in your post that address the group membership. How does the person who requested the new Team get access to it if they are not a member of the group or an owner/member of the team?
Finally, thanks for all the other PApp/PAuto posts on your site. First time I found your site but it’s great and I will be digging in.
Interesting question. At the time, this looked like the best solution, but you’re correct. It makes sense to use the “Create Team.” I need to revisit this and look a bit into more detail.
Great catch! Well done!
Figured that one out the hard way. I took the easy way and used the Teams connector to create the team and add member and then channels. But when you visit the SharePoint site that’s created together with the team the folders in the Shared Documents library are not connected to Teams. You first have to go into the teams channel and open the files tab and then the folder association starts. Looks like creating the team makes the sharepoint artifacts provisioning (at least creating the association with the location for channels) Teams driven. Searching for a solution I stumbled upon this article. So many thanks Manual for publishing this. @Derondisme also much obliged you sharing the link to technical documentation!