Generate an available UPN based on first and last name with Microsoft Flow
Out of the box we can create a new Azure AD user directly with Microsoft Flow. But if we pick a UPN that already exists in the Azure directory, we are going to have a problem.
First, we construct a UPN from the first name, the last name and a UPN suffix. Then we call the Microsoft Graph API to check whether a user with that UPN already exists. If the user exists, the flow enters a loop that appends a number to the base UPN; this number is incremented on every iteration. When the UPN does not exist, the loop exits and the flow moves on. We now have a UPN that we can use to create a new Azure AD user.
Before we can begin with Microsoft Flow we need to register an Azure application that we will later use to authenticate to the Microsoft Graph API.
Register an Azure application to call the Graph API
We can do this in many ways. Here is one way to do it. Go to https://apps.dev.microsoft.com and sign in with a global admin account.
Click on Add an app

Pick an Application Name and click Create

Under Application Secrets, click Generate New Password. Copy the password now; it is the secret the flow will use to authenticate to the Graph API, so keep it out of anything you share or publish.

Under Platforms, click Add Platforms

Click on Web

Add Redirect URLs and a Logout URL

Under Microsoft Graph Permissions, Application Permissions, click Add

Under Select Permission, select User.Read.All and click Ok. Note that this is an application permission: it lets the app read every user profile in the tenant without a signed-in user, which is why the secret from the previous step needs to be protected.

Add a Home page URL, Terms of Service URL and Privacy Statement URL
Note: Some of these settings are optional

Click on Save to complete the registration
Let's begin with Microsoft Flow
Start by creating an empty flow and add a manual trigger to it

Next we need to initialize the variables we are going to use in the flow
Note: To easily keep track of our variables and actions, we rename them as we go

Before we can call the Microsoft Graph API we must first construct the UPN. Add a Compose action, paste the expression below and click OK

toLower(concat(variables('FirstName'), string('.'), variables('LastName'), string('@'), variables('UPNSuffix')))

From the output of the Compose action we initialize a variable for the BaseUPN

Here we set up the HTTP action that calls the Microsoft Graph API to check whether the UPN exists

We need to initialize some variables that will be used in the Condition and Loop actions, because Initialize variable actions can only be placed at the top level of the flow

Because the HTTP action returns a 404 error when the UPN does not exist, we need to configure the next action (Initialize variable – StatusCode) to run after the HTTP action both when it is successful and when it has failed. Click on the ellipsis and then Configure run after. Check "has failed" and click Done


Here we check whether the response status code from the HTTP action is 200. If Yes, the UPN exists and we need to run our Loop action. If No, we can go forward and use the UPN to create an Azure AD user
Note: The status code checked here is not the StatusCode variable we initialized for the Loop action. It is the response from the first HTTP action

If No, we set the UserPrincipalName variable and go forward to create the Azure AD user

If Yes, we need to loop until we get a UPN that does not already exist in the Azure directory. For that we use the StatusCode variable we initialized earlier. The HTTP action returns 200 as the response status code as long as the UPN exists; when the UPN does not exist, the HTTP action returns 404.

On every iteration we increment the Index variable we initialized earlier, so we can use it when we construct the new UserPrincipalName

Add a Compose action and paste the expression below, as we did earlier
concat(first(split(variables('BaseUPN'), '@')), variables('Index'), string('@'), variables('UPNSuffix'))

From the output of the Compose action we set the UserPrincipalName variable

Here we set up a new HTTP action that calls the Microsoft Graph API to check whether the UPN exists
Note: We use the UserPrincipalName variable at the end of the URI in the HTTP action

Lastly, we set the StatusCode variable we initialized earlier to the response status code from the HTTP action, so that when we get a 404 response the loop exits and the flow goes forward
Note: This status code is the response from the second HTTP action

As before, because the HTTP action returns a 404 error when the UPN does not exist, we need to configure the next action (Set variable – StatusCode) to run after the HTTP action both when it is successful and when it has failed. Click on the ellipsis and then Configure run after. Check "has failed" and click Done
Now we have a UPN and can go forward and create the Azure AD user
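The same UPN search written as plain code, added here as an illustration and not part of the original post or of any Microsoft product. It reproduces both Compose expressions and the 200/404 loop against a constructed stand-in for the Graph lookup, and goes one step beyond the flow by folding diacritics (the limitation named in the summary). The suffix contoso.com, the sample users, the assumption that Index starts at 0 and the max_index guard are all my own.

```python
import unicodedata
from typing import Callable

# Constructed stand-in for the tenant the flow queries. The real flow does
# GET https://graph.microsoft.com/v1.0/users/{upn}, which answers 200 when
# the user exists and 404 when it does not; this stub returns those codes.
def make_graph_stub(existing_upns: set) -> Callable[[str], int]:
    def status_for(upn: str) -> int:
        return 200 if upn.lower() in existing_upns else 404
    return status_for

def fold_diacritics(text: str) -> str:
    """Strip accents (e.g. 'Jörgen' -> 'Jorgen'); the flow itself skips this."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def build_base_upn(first_name: str, last_name: str, upn_suffix: str) -> str:
    """Same result as the post's first Compose expression:
    toLower(concat(FirstName, '.', LastName, '@', UPNSuffix))"""
    first = fold_diacritics(first_name)
    last = fold_diacritics(last_name)
    return f"{first}.{last}@{upn_suffix}".lower()

def build_indexed_upn(base_upn: str, index: int, upn_suffix: str) -> str:
    """Same result as the loop's Compose expression:
    concat(first(split(BaseUPN, '@')), Index, '@', UPNSuffix)"""
    local_part = base_upn.split("@")[0]
    return f"{local_part}{index}@{upn_suffix}"

def next_available_upn(first_name: str, last_name: str, upn_suffix: str,
                       graph_status: Callable[[str], int],
                       max_index: int = 100) -> str:
    """Replays the flow: check the base UPN, then loop with Index until the
    lookup answers 404. max_index is an added guard the flow does not have."""
    base_upn = build_base_upn(first_name, last_name, upn_suffix)
    status_code = graph_status(base_upn)
    if status_code != 200:          # 404: the base UPN is free, use it
        return base_upn
    index = 0                       # assumed initial value of the Index variable
    candidate = base_upn
    while status_code == 200:       # same exit condition as the Loop action
        index += 1                  # increment happens before composing
        if index > max_index:
            raise RuntimeError(f"no free UPN for {base_upn} after {max_index} tries")
        candidate = build_indexed_upn(base_upn, index, upn_suffix)
        status_code = graph_status(candidate)
    return candidate
```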

Summary
This is not an optimal solution, because sometimes we need to take care of diacritic characters or want a more complex Compose expression when we construct the UPN.
We can instead do all the heavy lifting in an Azure Function; the only thing the flow then needs to do is pass the first and last name to the function with an HTTP action and receive the UPN as the response.
If we need to create a synced AD user, Flow cannot do this out of the box. Instead we can use Azure Automation and install a Hybrid Worker to run the code locally. We can then call the Runbook with a Webhook from Flow and pass the variables. If we do not want to pass the variables, we can save them to a SharePoint list and let the Runbook fetch them.