I’m considered a citizen developer and I know ways to get some automation happening when it is needed the most. This is one of them. This has been in my head for a while and I’ve seen it happen many times, so I thought I’d do some research, play around with the tools and come up with some automation.
Some time ago I wrote about Group Based Licensing and how to use the feature. Check here to find out more on that if you are new to Group Based Licensing.
Table of Contents
- Group Based Licensing Feature
- The Problem
- MS Graph and Power Automate to the Rescue!
- MS Graph API Permissions
- Setup Power Automate
- Testing the Solution
- Check the Group for Issues
- Final Thought
Group Based Licensing Feature
Microsoft cleverly introduced the group based licensing feature some time ago. It lets IT admins assign licenses to Azure AD groups, and the users who are members of those groups get the licenses assigned automatically. It’s a neat way to standardize license assignment workflows and manage users better.
The problem, however, is the notification. Well, I’m still thinking Microsoft could have added a “notify” section with an option to enter an email address, but that’s not the case here.
- The systems admin or the 1st level support admin adds the user to the on-premises AD group that is synced to Azure AD and is used for Group Based Licensing, or adds the user to the cloud group directly.
- The user complains they still can’t use the service that the license should provision.
- The user is in the relevant group, and the group is supposed to assign the license. However, all of the licenses allocated to this group have been used, meaning they have already been assigned to other users in the same group, and there is an error in the Licenses blade if you open that specific group.
- There are no notifications; you basically have to wait until someone complains. You may also have more licensing issues in other groups where you have no visibility.
MS Graph and Power Automate to the Rescue!
MS Graph can do a lot if you are keen to go down that rabbit hole, and once it’s combined with Power Automate? Magic. Well, not really, but you can automate workflows, and the pair has proven to be a must-have set of tools in an admin’s toolbox. I will be using MS Graph and Power Automate for this scenario, and the Microsoft Teams Flow Bot to notify the admin.
Spoiler Alert. Your end result will look like this.
Handy, right? Let’s dig in!
The main prerequisite is to sort out the MS Graph API permissions in Azure AD and the connector setup in Power Automate for this process.
MS Graph API GET Request
MS Graph uses the GET request below to return the groups that have licensing issues, and I will be using it for my experiment. If you are running this in your tenant’s MS Graph Explorer tool, make sure the account you run the request from has been granted the required access.
MS Graph API Permissions
For this workaround to work, MS Graph needs read access to the Azure AD groups. To achieve that, an app must be registered in Azure AD and granted Group Read access to the MS Graph API; the app’s credentials are then used in the Power Automate flow.
Create the Azure AD App
For the later activities you need to perform in Power Automate using MS Graph, you need to make sure Power Automate is registered as an app and consent has been granted. You need Global Admin access to perform this action.
- Go to the Azure AD portal > App registrations > New registration.
- Provide the app name (e.g. Power_Automate_Graph_API).
- Supported account types: Accounts in this organizational directory only.
- Press Register.
- Now go to API permissions > Add a permission > select MS Graph > select Application permissions.
Ideally this app requires read-only access to groups, so let’s provide Group.Read.All.
Make sure you provide the Admin Consent for the tenant as well
Create the App Secret
Go to Certificates and Services > New Client Secret > set the name and expiration period, then note down the Secret (Value).
This concludes the app creation, secret and consent.
Note down the Azure AD Tenant ID, the app’s Client ID and the Secret.
Setup Power Automate
Let’s go to Power Automate now. We will create a simple flow and connect Teams to it to get the results. This is my flow at a glance.
- Start the flow with a trigger. I gave it a recurrence. Maybe 3 times a day as a start?
- Then I move to my 1st action, which is to run the GET request to find the groups with issues.
Click on Show advanced options and set the parameters we noted from the Azure AD app registration part.
- Now, the result the GET request returns is in JSON format. We need a way to extract only the information we require for the next steps. For this, I will be using the JSON Parse action, which cleans up the response and gives us actionable parameters. To use Generate from sample, go to Graph Explorer, run the same request, copy the result and paste it here so it creates the schema for you.
As an example, I got the below reply from the Graph Explorer.
- Now that we have actionable parameters parsed, let’s take the displayName parameter from the top and create the next section. This action basically allows Teams to post a message in a chat or channel.
The Teams section would look like the one below. I’m using the Flow Bot to post messages without using another user account. I’m just posting a simple message; you can add instructions for the next steps if you need to.
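To make the GET, Parse JSON and Teams steps concrete, here is an added example (not the flow from this post) in Python that models them offline. It assumes Microsoft Graph’s documented hasMembersWithLicenseErrors filter, a hypothetical `fetch` function in place of the HTTP action, and a constructed two-page sample response; the paging loop is the caveat worth noting, since a flow that parses only the first page misses groups on later pages.

```python
# Added example, not the post's own flow: offline model of the GET request ->
# Parse JSON -> Teams message steps. `fetch` is a hypothetical stand-in for
# the HTTP action (a real run would do the authenticated GET with the app's
# tenant ID, client ID and secret).
from typing import Callable, Dict, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
# Microsoft Graph's documented filter for groups that have license errors.
GROUPS_WITH_ERRORS_URL = (
    f"{GRAPH}/groups?$filter=hasMembersWithLicenseErrors eq true"
    "&$select=id,displayName"
)

def groups_with_license_errors(fetch: Callable[[str], dict]) -> List[Dict[str, str]]:
    """Return id/displayName of every group with license errors, following
    @odata.nextLink so groups on later pages are not silently missed."""
    url: Optional[str] = GROUPS_WITH_ERRORS_URL
    found: List[Dict[str, str]] = []
    while url:
        page = fetch(url)
        for group in page.get("value", []):
            found.append({"id": group["id"], "displayName": group["displayName"]})
        url = page.get("@odata.nextLink")  # absent on the last page
    return found

def teams_message(groups: List[Dict[str, str]]) -> Optional[str]:
    """Text for the Flow Bot post; None means nothing to report, stay quiet."""
    if not groups:
        return None
    lines = [f"{len(groups)} group(s) have license assignment errors:"]
    lines += [f"- {g['displayName']} ({g['id']})" for g in groups]
    lines.append("Open the group's Licenses blade in Azure AD to see the failing users.")
    return "\n".join(lines)

# Constructed sample response split over two pages, shaped like Graph output.
SAMPLE_PAGES = {
    GROUPS_WITH_ERRORS_URL: {
        "value": [{"id": "11111111-1111-1111-1111-111111111111", "displayName": "LIC-M365-E3"}],
        "@odata.nextLink": f"{GRAPH}/groups?$skiptoken=constructed-page-2",
    },
    f"{GRAPH}/groups?$skiptoken=constructed-page-2": {
        "value": [{"id": "22222222-2222-2222-2222-222222222222", "displayName": "LIC-Visio-P2"}],
    },
}

def sample_fetch(url: str) -> dict:
    return SAMPLE_PAGES[url]

if __name__ == "__main__":
    print(teams_message(groups_with_license_errors(sample_fetch)))
```

In the flow itself, the same logic means looping while the parsed body still contains @odata.nextLink before posting to Teams.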
Testing the Solution
You can run the flow to see if there are any errors and fix them first.
If you have a subscription, you can start testing the behavior. If you don’t have any issues, there will be no messages; this will only post messages if there are issues in the groups.
If you have issues in more than one group, the results will be as below.
Check the Group for Issues
So now that you have been notified, the next thing is to go and fix the issues.
For this, go to the Azure AD group > Licenses blade and you will see the view below.
Click on the warning and it will take you to the users with errors. It also shows the reason for the failure.
To find out which license SKU is in error, click on the user; it will take you to the user’s Licenses blade and show which licenses have issues.
You can start troubleshooting the license issues now, starting with adjusting your license seats, removing licenses from users who no longer use the services, etc.
This quick workaround gives a small nudge to the IT admins, or whoever is responsible for user licensing, so they can take action proactively. Well, not 100% proactively, but sooner rather than later. I also wish Microsoft would improve the Licenses blade on their end by adding a notification feature in the future.
Feature Image from: Notify Vectors by Vecteezy