Logic app to automatically invite Azure AD synchronized users to B2B collaboration.
To deploy the template you will need the service principal (object) id of 'Microsoft Graph Change Tracking' in your tenant. This is the principal Microsoft Graph uses when it delivers change notifications, and the template grants it access to the Key Vault secret described below. Its application id is the same in every tenant, so you can look up the object id with the AzureAD PowerShell module:
```powershell
# Connect to Azure AD
Connect-AzureAD
# Get the ObjectId of 'Microsoft Graph Change Tracking' (its AppId is the same in every tenant)
Get-AzureADServicePrincipal -Filter "AppId eq '0bf30f3b-4a52-48df-9a82-234910c4a086'" | Select-Object -ExpandProperty ObjectId
```
Deploy the solution via the Azure Resource Manager (ARM) template.
The solution is composed of the following components:
- Event Hub: receives user change notifications from Azure AD (Microsoft Graph change notifications)
- Key Vault: holds the Event Hub connection string as a secret; Microsoft Graph reads it through the 'Microsoft Graph Change Tracking' service principal to deliver notifications to the Event Hub
- A managed identity: assigned to both logic apps so that they get the appropriate rights in Azure AD
- Subscription Logic App: runs daily to renew the Microsoft Graph change notification subscription
- Invitation Logic App: sends the B2B invitations for the accounts that need to be invited
The logic apps are disabled after deployment. Before enabling them you will need to grant the necessary rights (below).
The logic apps run under a common managed identity. This managed identity needs to be assigned the Guest Inviter directory role, which is the least privileged role that allows inviting guest users. The id of the managed identity is given as an output of the deployment.
```powershell
# Connect to Azure AD (the account needs rights to assign directory roles, e.g. Privileged Role Administrator)
Connect-AzureAD
# Principal id of the managed identity, taken from the deployment output
$managedIdentityId = '<managed identity principal id from the deployment>'
# Get the Guest Inviter role
$role = Get-AzureADMSRoleDefinition -Filter "DisplayName eq 'Guest Inviter'"
# Assign the role, tenant-wide ("/"), to the managed identity recovered from the deployment
New-AzureADMSRoleAssignment -RoleDefinitionId $role.Id -PrincipalId $managedIdentityId -ResourceScope "/"
```
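The following script is an added example and not part of the deployed solution. It performs the same role assignment in a way that can be re-run safely, resolves the role by its tenant-independent template id instead of its display name, and then checks that the managed identity holds Guest Inviter and nothing else, which is the least-privilege state the logic apps need. It assumes the AzureAD module and a session with rights to manage role assignments; `$managedIdentityId` is a placeholder for the deployment output. Note that the GA AzureAD module names the scope parameter `-DirectoryScopeId` (used here), while older AzureADPreview builds used `-ResourceScope` as in the snippet above.

```powershell
# Added example: idempotent Guest Inviter assignment plus least-privilege check.
# Assumptions: AzureAD module installed; $managedIdentityId is the principal id
# output by the deployment (placeholder value below).
$managedIdentityId = '00000000-0000-0000-0000-000000000000'

Connect-AzureAD | Out-Null

# Guest Inviter has a fixed role template id in every tenant, so resolving by
# template id cannot miss because of a renamed or localized display name.
$guestInviterTemplateId = '95e79109-95c0-4d8e-aee3-d01accf2d47b'
$role = Get-AzureADMSRoleDefinition | Where-Object TemplateId -eq $guestInviterTemplateId
if (-not $role) { throw 'Guest Inviter role definition not found in this tenant' }

# Assign only if the identity does not already hold the role, so re-runs are harmless.
$existing = Get-AzureADMSRoleAssignment -Filter "principalId eq '$managedIdentityId'"
if ($existing | Where-Object RoleDefinitionId -eq $role.Id) {
    Write-Host 'Guest Inviter is already assigned; nothing to do'
} else {
    New-AzureADMSRoleAssignment -RoleDefinitionId $role.Id -PrincipalId $managedIdentityId -DirectoryScopeId '/' | Out-Null
    Write-Host 'Assigned Guest Inviter to the managed identity'
}

# Least-privilege check: the logic apps only need Guest Inviter. Warn about anything else.
$assigned = Get-AzureADMSRoleAssignment -Filter "principalId eq '$managedIdentityId'"
$extra = $assigned | Where-Object RoleDefinitionId -ne $role.Id
if ($extra) {
    $names = foreach ($a in $extra) { (Get-AzureADMSRoleDefinition -Id $a.RoleDefinitionId).DisplayName }
    Write-Warning "Managed identity also holds: $($names -join ', '). Remove roles the logic apps do not need."
} else {
    Write-Host 'Managed identity holds Guest Inviter only'
}
```

Run it once after the deployment and again whenever the template is redeployed; the second run reports that the role is already present and only performs the check.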
Once the rights are in place, enable the workflows in this order:
- Enable the subscription workflow so that the change notification subscription is created and user changes are sent to the Event Hub
- Enable the invite workflow so that the users picked up from the Event Hub are invited