Microsoft Entra ID Action Block

What it does: Manage users and groups in Microsoft Entra ID (formerly Azure Active Directory) as part of your workflow automation.

🛡️

In simple terms: Automate identity management -- create user accounts, manage group memberships, and maintain your organization's directory from workflows.

When to Use This

Use the Entra ID action when you need to:

✅ Automate user provisioning and deprovisioning
✅ Manage group memberships based on workflow events
✅ Synchronize user data between Entra ID and external systems
✅ Automate onboarding and offboarding processes
✅ Query directory information for use in workflow logic

Example: When HR approves a new hire, create the user account in Entra ID, add them to the appropriate department group, and trigger subsequent onboarding workflows.

Features

OAuth2 Authentication: Secure Microsoft identity platform connection
User Management: Full CRUD operations on user accounts
Group Management: Create, modify, and delete security and Microsoft 365 groups
Membership Control: Add and remove users from groups programmatically
Directory Queries: Search and list users and groups with filters
Variable Support: Use workflow variables for dynamic user attributes

Setup

1. Connect Your Microsoft Account

Click Connect Microsoft Account in the block settings
Sign in with a Microsoft 365 account that has directory admin privileges
Grant the requested permissions (Directory.ReadWrite.All)
Your account will be linked securely via OAuth2

⚠️

The Entra ID block requires the Directory.ReadWrite.All permission scope, which is a high-privilege scope. Your Microsoft 365 Global Administrator must consent to this scope for your application. This is typically done through Azure Portal under Enterprise Applications.

2. Configure Settings

Select the desired Action from the dropdown (e.g., Create User, Add User to Group)
Fill in the required fields for that action
Optionally map response values to workflow variables

Supported Actions

User Operations

Action	Description
Create User	Create a new user account with display name, email, and password
Get User	Retrieve a user's profile by ID or user principal name
Get All Users	List all users in the directory with optional filters
Update User	Modify user profile attributes (name, job title, department, etc.)
Delete User	Remove a user account from the directory

Group Operations

Action	Description
Create Group	Create a new security or Microsoft 365 group
Get Group	Retrieve group details by ID
Get All Groups	List all groups in the directory with optional filters
Update Group	Modify group properties (name, description)
Delete Group	Remove a group from the directory

Membership Operations

Action	Description
Add User to Group	Add a user as a member of a group
Remove User from Group	Remove a user from a group's membership

Using Variables

You can use workflow variables in any Entra ID field:

Create User:

Display Name: {{employee.firstName}} {{employee.lastName}}
User Principal Name: {{employee.email}}
Mail Nickname: {{employee.username}}
Department: {{employee.department}}
Job Title: {{employee.jobTitle}}
Password: {{generated.tempPassword}}

Add User to Group:

User ID: {{entra.userId}}
Group ID: {{department.groupId}}

Get All Users (Filter):

department eq '{{filter.department}}'

Response Mapping

Map results from Entra ID actions to workflow variables:

Available Values (User):

User ID: Unique identifier (GUID)
Display Name: Full display name
User Principal Name: Login email address
Mail: Primary email address
Department: Department name
Job Title: Job title
Account Enabled: Whether the account is active
Created DateTime: Account creation timestamp

Available Values (Group):

Group ID: Unique identifier (GUID)
Display Name: Group name
Description: Group description
Group Types: Security, Microsoft 365, etc.
Member Count: Number of members

Example Mapping:

User ID → {{entra.userId}}
Display Name → {{entra.displayName}}
Group ID → {{entra.groupId}}

Common Use Cases

1. Automated Employee Onboarding

Trigger: HR system new hire event Entra ID Actions: Create User, then Add User to Group

Step 1 - Create User:
  Display Name: {{hire.fullName}}
  User Principal Name: {{hire.email}}
  Department: {{hire.department}}
  Job Title: {{hire.title}}
  
Step 2 - Add to Department Group:
  User ID: {{entra.userId}}
  Group ID: {{department.entraGroupId}}

2. Employee Offboarding

Trigger: Termination approved Entra ID Actions: Update User (disable), Remove from Groups

Step 1 - Disable Account:
  User ID: {{employee.entraId}}
  Account Enabled: false

Step 2 - Remove from All Groups:
  Loop through {{employee.groups}} and remove membership

3. Department Transfer

Trigger: HR department change event Entra ID Actions: Update User, Remove from old group, Add to new group

Update User:
  Department: {{transfer.newDepartment}}
  
Remove from: {{transfer.oldDepartmentGroupId}}
Add to: {{transfer.newDepartmentGroupId}}

4. User Directory Sync

Trigger: Schedule (Nightly) Entra ID Action: Get All Users

Filter: department eq 'Engineering'

Then sync the results to an external system or database.

Best Practices

Security

✅ Use the principle of least privilege -- only request Directory.ReadWrite.All if you need write access
✅ Generate strong temporary passwords for new users and require password change on first login
✅ Audit all user creation and deletion actions through workflow logs
✅ Never store user passwords in workflow variables after account creation
✅ Use dedicated service accounts for directory operations

User Management

✅ Always set forceChangePasswordNextSignIn to true for new user accounts
✅ Validate email formats before creating user principal names
✅ Check if a user already exists before creating to avoid duplicates
✅ Disable accounts before deleting to allow a grace period

Group Management

✅ Use security groups for access control and Microsoft 365 groups for collaboration
✅ Document group naming conventions and enforce them in workflows
✅ Verify group membership changes with a follow-up Get Group call

Troubleshooting

User Creation Fails

Check:

The user principal name is unique and follows the correct format (user@domain.com)
The mail nickname is unique and contains no special characters
Required fields (displayName, accountEnabled, passwordProfile) are all provided
Your account has sufficient directory permissions

Permission Denied

Solutions:

Verify the OAuth scope includes Directory.ReadWrite.All
Ask your Global Administrator to grant admin consent for the application
Check if Conditional Access policies are blocking the API call
Reconnect the Microsoft account to refresh the token

Cannot Add User to Group

Check:

Both the user ID and group ID are valid GUIDs
The user is not already a member of the group
The group type supports the membership operation (some dynamic groups do not allow manual members)

Limitations

Delegated Permissions: Some operations may require application-level permissions rather than delegated user permissions
Dynamic Groups: Cannot manually add or remove members from dynamic membership groups
License Assignment: User license management is not supported through this block
Password Policies: Password complexity requirements are enforced by your tenant policy and cannot be overridden
API Rate Limits: Microsoft Graph API throttling applies (directory operations have stricter limits)
Guest Users: Creating external/guest user accounts requires additional configuration

💡

Tip: For large-scale user provisioning, consider batching operations and adding delays between requests to avoid Microsoft Graph API throttling.

Related Blocks

Microsoft To Do: Create onboarding tasks for new users
Outlook Trigger: React to emails from specific directory users
SharePoint: Set up team sites for new groups
Condition: Add logic based on user attributes
Set Variable: Prepare user data before directory operations

Microsoft To Do Dynamics 365