Skip to main content

Using Custom Connectors and Microsoft Graph API's to Manage Licenses in Power Automate - Part One

Happy June folks! I come to you with another post, but this time I wanted to change it up and show you something else I have just finished working on. As a SysAdmin, one of the most common issues we run into is managing licenses. Working at a post-secondary institution makes this an even greater challenge, as you have both students, staff and faculty constantly coming as well as going. Managing to keep up with this constant change can introduce great administrative overhead which takes away time from important upkeep of other systems and initiatives. You may also notice this same issue in large corporations or in other government organizations. To help combat this, I wanted to create a flow that can do the following:

  • Get the user and their licenses
  • Determine their last sign-in and the date
  • Conditional to determine if the user is past the "cutoff" date
  • Remove the user from a group where the license is assigned
The only problem with doing this is that Power Automate does not have the capability (as of writing) to get the user's last sign-in with a pre-made connector. To get around this, I had to create my own custom connector using Microsoft Graph to gather the user's last sign-in details. Here is the details of the custom connector:

General Information

  • Scheme: HTTPS
  • Host: graph.microsoft.com
  • Base URL: /v1.0

Security

This part is a bit tricky. To proceed with this, you must make an enterprise application and app registration. Additionally, the enterprise app must have the following API permissions to work:
  • AuditLog.Read.All
  • Directory.Read.All
  • User.ReadWrite.All
Now I know what you're thinking- why are you not using least privilege? In this case, I tried to but I found that there were difficulties in doing so as this flow is required to read a group and get information from the directory. In all cases, practice least privilege when you can and ensure that only the people who require these roles get access. You can also use Privileged Identity Management and govern the roles that have these attributes or the attributes themselves.


Once you have that squared away, it is just a matter of then creating a new secret and then applying it to the connector with the following parameters:
  • Authentication Type: OAuth 2.0
  • Identity Provider: Azure Active Directory
  • Client ID: add your Client ID
  • Client secret: add your secret that you generated from the app registration
  • Authorization URL: https://login.microsoftonline.com
  • Tenant ID: add your tenant ID. This can be found in the Azure Portal under "Tenant Properties"
  • Resource URL: https://graph.microsoft.com
  • Enable on-behalf-of login: false
  • Scope: Directory.Read.All User.ReadWrite.All AuditLog.Read.All
  • Redirect URL: this will be generated when you save the custom connector.

Creating the Definitions

This is the part that will actually call on the Microsoft Graph API to carry out the functions we need. With this in mind I should note that the Operation ID could be unique to your tenant, in which you may be required to find your own. For this, visit Microsoft Graph Explorer and use the following GET request:

https://graph.microsoft.com/v1.0/users/{userId}/licenseDetails

This in turn will give you the following result:

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users()/licenseDetails",
    "@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET users('<guid>')/licenseDetails?$select=servicePlans,skuId",
    "value": [
        {
            "id": "gHe4LsjI706Gy7mIO8jPohyUoe1PPJVJtevoWkIXWrk",
            "skuId": "eda1941c-3c4f-4995-b5eb-e85a42175ab9",
            "skuPartNumber": "POWERAUTOMATE_ATTENDED_RPA",
            "servicePlans": [
                {
                    "servicePlanId": "375cd0ad-c407-49fd-866a-0bff4f8a9a4d",
                    "servicePlanName": "POWER_AUTOMATE_ATTENDED_RPA",
                    "provisioningStatus": "Success",
                    "appliesTo": "User"
                }..............

The ID that is highlighted is the operation ID that is required to complete this action. Take note of it, and then create a new action with the following information:

  • Summary: License PA Connector - Get Licenses
  • Description: This request retrieves all licenses for the user account.
  • Operation ID: Insert the Operation ID provided
  • Visibility: none
Now that we have the general information down, we now have to create a GET request. Using the GET request we made to Graph Explorer, add a GET request with that link. It should automatically populate the path and query accordingly. 

Additionally, we will need to create another definition and API request for gathering the sign-ins of the user. To do this, we will send another GET request to Graph Explorer:

https://graph.microsoft.com/v1.0/users/{userId}

This should result in us being able to get the other operation ID which we can then insert into our second action with the following parameters:

  • Summary: License PA Connector - Get Last Sign In
  • Description: This request retrieves user's last sign-in
  • Operation ID: Insert the Operation ID provided

The path and $select should also populate automatically. If not, then ensure that the path and query fields contain the following:

  • Path: userId
  • Query: $select (this will be useful later)

Tying it all together

We can now begin saving and testing our connector. To do so, go to the "Test" section and attempt to connect. If all is well, you should be prompted to sign-in and the connector should work correctly. We must then take the redirect URL that is generated and add it to our app registration. This can be found at the bottom of the "Security" tab. When this is all said and done, we can now begin working on our Power Automate flow.

What's Next?

Given that this post is already getting pretty long, I am going to end it here for now. I hope that this article has helped you on the right track to be able to implement this in your own environment. It is a bit of a setup, but as you work with it, everything should tie together and you'll have the first leg of the process done. Should you have any questions, feel free to put them in the comments or contact me directly. I also hope to make a full YouTube video on this as well in case you don't want to read this whole post. Until next time!

Labels:

test

Making a SharePoint Knowledge Base Part One: Getting Our Ducks in a Row

Howdy everyone, it's great to be back again for another post! As a matter of fact, this is our very first post on this blog. Amazing! For this post, I am going to help you create an intuitive Knowledge Base in SharePoint that your department or company can use as a whole. We'll also use Power Automate to notify us when our team adds to our Knowledge Base. So with this in mind, let's get started! Why a Knowledge Base? This idea comes from a recent SharePoint migration I did in my own workplace. I wanted to create a centralized resource for our team to find knowledge articles, troubleshooting steps, and guides. This helps us share knowledge across our team as well as with our end-users. For those of you who do not know what a Knowledge Base is, it is as simple as this: A centralized resource to share knowledge and provide self-help to users.  Now that you're privy to what it is, we can begin to build ourselves a Knowledge Base! We'll start with our foundational assets...
Read more

Responsible AI and Academia

Hello everyone, hope you are all well on this cold Winter's day! I wanted to talk about something that has been brought up in conversation and is a concern not only for IT professionals working in Education but a concern for all in Education: Artificial Intelligence. Oftentimes when we put these two things together, you get a mixed reaction of both favour and disagreement. However, I think that it is important to discuss this in further detail and explain my opinions and views on the whole matter. In this post, I'll be talking about my views on AI in the Education sector, and how AI such as Copilot can be used responsibly to promote education and trust amongst instructors and students. So what is Responsible AI exactly? Well, the meaning is in the title itself. It is the concept of using Artificial Intelligence responsibly and in a fashion that protects business concerns, employees, and the organization as a whole. In Education however, this definition changes slightly- not onl...
Read more

SharePoint Hackathon 2025: Developing an Emergency Management Portal - Part One

Howdy everyone! It's that time of year again folks! It is time for SharePoint Hackathon 2025. This year's challenge will incorporate SharePoint portals, SharePoint Agents, and SPFx extensibility. It is certainly looking like a great lineup this year, and it is also the first time I will be competing in this lovely competition. With this in mind, I want to take you all on my journey, documenting what I will be developing and the successes as well as lessons learned along the way. We'll be building a beautiful portal, integrating with Power BI and Power Automate, and expanding on our understanding of lists. My hope is that with this short series you'll gain some inspiration to make your own portal similar to what I have done. SharePoint is a versatile tool that really is limited by your imagination. This contest allows for your creativity and skill to soar, which we will be putting to the test over the next couple of weeks. Enough chit-chat, let's get into what we...
Read more