I'm quite new to SharePoint/Azure/PowerShell, so apologies if what I'm asking is a stupid question!
We currently have client SharePoint sites hosted on our O365 tenant, with access to each site to be rolled out to each of our respective clients shortly. Initially, only the senior management of each client will have access to the sites, however as time goes on it's likely we'll be adding everyone else too; To streamline the new user process and save us from having to add each individual staff member, we've been considering using a Flow to automate user access instead, with the goal of adding authenticated external users without much real input from administrators other than a simple approval/rejection process.
The overall plan is as follows:
Visio Outline<
Each Client site has a SharePoint Custom List, titled "Employee Access List". Said list will have the following columns: Request ID (Text), First Name (Text), Last Name (Text), Job Title (Text), Company (Text), Contact Number (Text), E-Mail (Text), SharePoint Access (Yes/No Boolean).
If a member of staff requires access to the SharePoint site, then their respective manager will add the staff member to the list and fill in all the above fields, setting the "SharePoint Access" item value to "Yes".
This will trigger the flow and an approval email to be sent to myself and another administrator, with said email detailing the user to be created, and who has submitted the request.
Script insertion somehow - This would then run if the request was approved, and set the user up with access.
Email notification is automatically then sent to the creator of SharePoint list item, notifying them that the user now has access.
Step 4 is where I'm a little stuck in regards to what to do if the request is approved - I've written a little PowerShell script below which nearly achieves what I'm going for, in that it creates an external user PnP Group and PnP Role Definition (If there isn't one already), pulls what's in the "E-mail" fields on the "Employee Access" list and runs Add-PnPUsertoGroup to pull the users to the PnP group, which then sends the users an email with a link to the SharePoint site, allowing them to access it. However:
The script I've written targets everyone on the SharePoint List, whereas ideally I would just want the script to target the sole user that's been newly added to the list/is listed in the approval email, and only them. I'm assuming that I'd have to pipe information from the Flow into a script, which I'm not even sure is possible, and if it is, I haven't got a clue how to do it.
I know that that Azure Functions and Azure Automation can be used to insert scripts into Flows, but I don't have experience of either so I'm not sure which is the more suitable option. Is there any guidance on how to insert PowerShell scripts with them, and how to pipe what's in a flow into said scripts?
PowerShell Script as follows:
Hope this all makes sense - Any guidance would be appreciated.
Thank you!
EDIT:
Just as a bit of extra information, here is the Flow as it currently is:
Flow Part 1
Flow Part 2
Flow Part 3
Have since found an answer to the above - whilst Azure Functions/Automation are an option, you don't necessarily need them or PowerShell scripts running from Flow, in this case my goal scenario was achieved using an MS Graph Invitation API, App Permissions and a HTTP SharePoint call instead.
See attached screenshots:
Flow Answer 1
Flow Answer 2
Flow Answer 3
Step 1: Set up an App with permissions to make calls to MS Graph - use this guide for help on how to do so - http://blogopaxio.azurewebsites.net/accessing-graph-api-from-microsoft-flow-using-application-permissions-2/
Step 2: Add HTTP to MS Graph and set parameters as in screenshot 1 of this post - this action will create guest user and invitation URL the user would need to sign in to the site.
Step 3: At this point, run the flow so that we can get the 'inviteRedeemURL' from the body of the Output for the HTTP step - you will need this particular URL to send separately in your email to the end user.
Step 4: Throw in a pause for a minute or 2 just to make sure that the information from the previous actions 'sticks' - provided it all works, at this point, the user will actually have their guest account created and you'll be able to see them under Users in your O365 admin centre, however they won't be aware of their account access yet (We'll notify them of this in our email at the end).
Step 5: Add the user to SharePoint security group with a "Send HTTP Request to SharePoint" action. Please note that the "sitegroups(19)" in the URI of this action refers to the ID number of the PnP group you're putting them in, so in my case the group ID was 19. If you're unsure of the ID of your group, connect to your SharePoint Site through PowerShell with PnP commands, then run Get-PnPGroup.
Step 6: Send the email to the invited user with the Outlook Send Email action - FYI -the "SharePoint Site" variable in my screenshot is actually the "inviteRedeemURL".
Hope this helps anyone else that's unsure of how to do this. If anyone has a better solution that achieves this by all means post it!
Thanks!
Related
I am working on setting up a few new bots for Hangouts Chat. Part of the effort involves using Hubot, which is working well. Another use case requires posting to user spaces based on external functions, which is done via a python command script. I have a project and separate service account setup for each bot, and the permissions for the bot service account appear to be the same. None of the bots have corresponding domain-wide delegation at the GSuite Security level.
We obtain the spaceid for each user via one Hubot that saves their spaceid to a database, and the python script can then lookup the user and obtain that id.
However, only one of the 5 projects appears to be able to post a message to a user space. All others get a 403 error and fail to post. The same python script is used for any of the 'bots' with the only difference being the json file used for authentication.
Not sure this is enough information. But, I wonder what could be causing this problem if not permissions?
I figured it out. The spaceid I was registering via another bot is not the same as the spaceid associated with the bot/user communication for any other bot. In other words, it appears that the spaceid a bot sees for a user is unique to its communication with the user. I will need to have users register with the bot that needs to send the message instead of a common registration bot
We have a Powershell script that creates some guest users using the New-AzureADMSInvitation cmdlet, and its return value has a handy-dandy InviteRedeemUrl property that we include in a nice welcome email to the user to get them started with setting their account up and using our application. This works fine when inviting individual or small numbers of users.
However, we'll need to do this for many users, and carefully control when the emails go out, and I can't see any other way of retrieving this URL after-the-fact... the only option seems to be the "Resend invitation" button on the guest user in AD, which sends a Microsoft-branded email from "Microsoft Invitations" with the redeem URL, which is kind of a problem... For marketing reasons we need to put the invite redeem URL in our own welcome email, so we don't want Microsoft sending out those emails.
Is there any way to retrieve or calculate that invitation URL after the guest user had already been invited? I know I could delete and recreate the invitation itself, but that's still a manual process and I'd like to be able to create guest users in bulk first, and then retrieve those URLs in bulk once we're ready to send out emails. Especially since Azure AD itself seems to be able to fetch the redeem URLs later on via the "Resend invitation" button.
Alternatively , you can think of adding you company branding in the verification and invitation mails in azure AD.
Here is something similar you can find:-
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-faqs#how-do-i-customize-verification-emails-the-content-and-the-from-field-sent-by-azure-ad-b2c
Basically you need to change the company branding in Azure active directory to have your custom logo and text.
Hope it helps.
We ended up modifying the AD invitation script to store the InviteRedeemUrl value in our CRM as a field on the customer record. Then later on when our Marketing team wants to start their email campaigns, they could include a reference to this field in the email template just like they would any other field. This way, we got all our analytics on click/open rates and retained complete control over the emails, including where each batch was being sent from (so customers could reply to the correct support staff member for their segment).
I have generated the codes with app script in order to send emails automatically if users changed some values in google spreadsheet, which is working fine.
Now I am sharing my google spreadsheet with the app script to two more person (e.g: PersonA, PersonB). Thus, I want whoever changes anything on google spreadsheet will be sending an email under his/her own account. E.g: [All of us needs to edit within the google spreadsheet itself, without going to the "current web app url", (thanks Cameron Roberts for the clarification] if PersonA changes anything, then an email will be sent out under PersonA's account, and an email will be sent out under PersonB's account if PersonB changes anything.
I did something based on the advice from user2970721 and Cameron Roberts. I adjusted "Deploy web App" as "User accessing the web app". e.g:
I also asked PersonA & PersonB to do the same under their accounts and made sure they have triggered the script at least once. e.g:
My issue is that after I have done all these mentioned above, no matter who changes anything on google spreadsheet, emails were always sent out from PersonB's account (my best guess is that I messed up something and PersonB was the last one who triggered the script).
Does the "Project version" need to be different for me, PersonA, and PersonB, or anything else I need to change? Any help would be greatly appreciated!
First, Your project versions do not need to be different for each user.
I'm assuming you are using the On Change event, rather than a web-app. If that's the case, you should disable the WebApp entirely, as it's not needed.
When PersonA creates an On Change trigger, that will be triggered anytime any user (eg PersonA or PersonB) edits the spreadsheet. When it is triggered the code will execute as PersonA , because PersonA created the trigger. As a result, the email will be sent from PersonA's account.
For the scenario you describe, where both PersonA and PersonB have created OnChange triggers and authorised the script. I would expect emails to be sent from both accounts that have created triggers.
To send only one email, from the account that did the edit, I think you would need to do a check to determine if the user who did the edit matches the user under who's authority the script is running. I've never done this before and the docs don't really make it clear if it's possible.
Try checking the User object (Eg e.user) included with the Change event, and see if that email address is reflecting the different users making the edits.
If it is, you can compare it with the effective user and send the email if they match.
https://developers.google.com/apps-script/reference/base/user
https://developers.google.com/apps-script/reference/base/session#getEffectiveUser()
Finally, it might be simpler to just include the address of the person making the edit in your email subject, and just have all the emails send from one account. That way you know who made the edit, but don't need to have every user create a trigger and do all the extra checking.
I'm trying to use the Add-AzureAccount command that's part of the Azure PowerShell tools (August 2014, v0.8.6), and although various examples on the web lead me to expect that it will let me use either an organizational account or a Microsoft Account to log in, in practice, it seems to be requiring an organizational account.
When I execute the command, it opens a hosted browser window as expected, but the prompt says Sign in with your organizational account followed by a username and password. There seems to be no way to tell it that no, I actually need to use a Microsoft Account.
(As it happens, my email address is associated with both an organizational account, and also a Microsoft Account. This may not be helping.)
I could create a completely separate organizational account in an Azure Active Directory, make that a co-admin, and log in with that, but it seems like this shouldn't be necessary.
Is there some way to force it to offer me both options?
I was able to resolve this problem through trial-and-error. As Paul points out in his post, you can load your subscription info into PowerShell using the following sequence:
1. Get-AzurePublishSettingsFile
This will open a browser to a special page that lets you download your profile settings file.
Note: If you have multiple subscriptions, you must use the dropdown to select the one that contains the Azure components you want to manage. For instance, I have a BizSpark subscription that I use for my own company, and a separate MSDN subscription that my clients use (adding me as an administrator). Both subscriptions show up on my management portal page, so I needed to download 2 separate publishsettings files.
2. Import-AzurePublishSettingsFile my-subscription.publishsettings
In my case, I renamed the settings files to "BizSpark.publishsettings" and "MSDN.publishsettings", so I ran this command twice.
3. Get-AzureSubscription
This will list all of the subscriptions that have been imported into PowerShell, showing the subscription name and the other properties.
4. Select-AzureSubscription -SubscriptionName "my-subscription"
You can now use the subscription name to select the subscription you want to use. This allows you to switch back and forth between subscriptions and work with the Azure components you need to manage.
Use #outlook.com instead of the organizational address and you will be directed to the Microsoft Account login.
Azure can be signed up with either Microsoft Account or Organizational Account. Add-AzureAccount will display a message like "Sign in with your organizational account" in the browser window, but actually if you input your Microsoft Account email address into the box and move focus out, the page will redirect to Microsoft Account sign page automatically, and then you can sign in.
Sometimes you may meet some error like "The cache contains multiple tokens satisfying the requirements". You can try to clean all the existing Azure Accounts firstly and then try to sign in again.
To clean up, run Get-AzureAccount | Remove-AzureAccount.
I have a similar problem. Using Add-AzureAccount with my Microsoft Account result in adding my organizational account.
For example I run Add-AzureAccount, in the form I type davideicardi#hotmail.com (my Microsoft account) but the resulted account is davide.icardi#mycompany.com (my organizational account).
I solved by deleting all the Azure account registered on Power Shell (also the one not related to my account, using Remove-AzureAccount), then I have deleted IE cookies (not sure it this is important...), closed the powershell console and executing again Add-AzureAccount.
I suspect that there is a bug somewhere...
I work for a large company, which uses MS Exchange for Email. We have a distribution list for people to post questions, where anyone can answer. I am looking for a way to maintain a copy of this distribution list so that anyone can search it. Ideally, this would be searchable from within Outlook as well as by going to a webpage, but I will take either one. Someone has proposed to create a dummy email account, which just gets the distribution list traffic. Everyone interested in this distribution list could then attach this account. While this may work, there are several challenges with this approach:
1) It becomes problematic when you have several hundred people attaching a single email Inbox/account.
2). I need this account to be read-only, so someone doesn't accidentally delete an email from this account, thinking that it is in their personal account.
3). Our company has an auto-archive policy. This account would need to be exempt from that policy.
Any ideas?
Thanks
GS
The dummy mailbox is not a bad idea. You can give the people appropiate permissions to the Inbox folder of that mailbox.
To work around the permission issue you could either
1) create a transport agent which monitors the mailflow and dumps all messages to a database or CMS/SharePoint/whatever.
2) Create the dummy mailbox and setup a service which monitors this mailbox using push/pull/streaming notifications and dump the messages to a database/CMS/SharePoint/whatever.
The SharePoint solution would make the search option a piece of cake. But if you don't already have a SharePoint instance up and running this might be overkill.