Automating Microsoft Entra (Azure AD) Group Membership from Catalog Item Based on Checkbox Selection

Sirri
Tera Guru

Hello Community,

I am working on automating Microsoft Entra (Azure AD) group membership assignment from a Service Catalog request and would appreciate guidance or best practices from the community.

Current Setup

  • I have a Service Catalog item titled “EFB Suite Application Access Request”
  • Variables on the catalog item include:
    • select_users_for_access (List Collector on sys_user) – allows selection of multiple users
    • Individual checkbox (true/false) variables representing Entra security groups:
      • GRP-PRD-Jamf-Line-Pilot
      • GRP-PRD-OrlandoSSO-App Access
      • GRP-PRD-BoeingJeppesen-Captain
      • GRP-PRD-eWAS-SSO-App access

Current Process

  • After submission, a catalog task is generated
  • An agent manually reviews the request and adds the selected users to the corresponding Microsoft Entra groups

Requirement / Goal

I want to fully automate this process so that:

  • If a group checkbox is checked (true), all users selected in select_users_for_access are automatically added to the corresponding Microsoft Entra group
  • If the checkbox is not checked, no action should be taken for that group
  • This should work for multiple users and multiple groups within the same request
  • No manual catalog task should be required

What I’m Looking For

  • Recommended approach using Flow Designer, IntegrationHub, or REST (Microsoft Graph API)
  • Best place to handle the logic (Flow vs Business Rule vs Script Include)
  • How others are managing:
    • Mapping ServiceNow users to Entra object IDs
    • Error handling (user already a member, permissions, etc.)
  • Any reusable patterns or examples used in similar access automation scenarios

Any suggestions, design patterns, or sample implementations would be greatly appreciated.

Thank you in advance for your help!
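The checkbox-to-group fan-out and the "user already a member" handling asked about above, as an added example that is not part of the original thread and does not use the Entra ID spoke: the group object IDs, the sys_id-to-object-ID lookup and the addMember client are placeholders for the spoke step or a Microsoft Graph REST step, and the sample data is constructed.

```javascript
// Added example, not code from the thread: the checkbox -> Entra group fan-out
// as plain functions that run outside ServiceNow. Variable names follow the
// catalog item; group IDs, entraIdOf and addMember are placeholders for the spoke/Graph step.
const GROUP_MAP = { // checkbox variable -> Entra group (object IDs are placeholders)
  grp_jamf_line_pilot:    { name: 'GRP-PRD-Jamf-Line-Pilot',        id: 'GROUP-ID-PLACEHOLDER-1' },
  grp_orlandosso_app:     { name: 'GRP-PRD-OrlandoSSO-App Access',  id: 'GROUP-ID-PLACEHOLDER-2' },
  grp_boeingjeppesen_cpt: { name: 'GRP-PRD-BoeingJeppesen-Captain', id: 'GROUP-ID-PLACEHOLDER-3' },
  grp_ewas_sso_app:       { name: 'GRP-PRD-eWAS-SSO-App access',    id: 'GROUP-ID-PLACEHOLDER-4' },
};
// Build the (user, group) work list: list collector = comma-separated sys_ids, checkbox = true/'true'.
function planMemberships(vars, entraIdOf) {
  const users = String(vars.select_users_for_access || '').split(',').map((s) => s.trim()).filter(Boolean);
  const plan = [], skipped = [];
  for (const [varName, grp] of Object.entries(GROUP_MAP)) {
    if (vars[varName] !== true && vars[varName] !== 'true') continue; // unchecked: no action
    for (const sysId of users) {
      const userId = entraIdOf(sysId);
      if (!userId) { skipped.push({ sysId, group: grp.name, reason: 'no Entra object ID' }); continue; }
      plan.push({ sysId, userId, groupId: grp.id, group: grp.name });
    }
  }
  return { plan, skipped };
}
// Execute the plan; "already a member" counts as success so re-runs are idempotent,
// and other failures (e.g. missing permission) are recorded per step, not thrown.
function applyPlan(plan, addMember) {
  return plan.map((step) => {
    try { addMember(step.groupId, step.userId); return { ...step, status: 'added' }; }
    catch (e) {
      const msg = String(e && e.message ? e.message : e);
      return { ...step, status: /already exist/i.test(msg) ? 'already_member' : 'failed', error: msg };
    }
  });
}
// Constructed sample: two users, two boxes ticked, one pre-existing membership,
// and one group the integration account is not permitted to modify.
const SAMPLE_VARS = { select_users_for_access: 'u1sysid, u2sysid', grp_jamf_line_pilot: 'true',
  grp_orlandosso_app: false, grp_boeingjeppesen_cpt: true, grp_ewas_sso_app: 'false' };
const SAMPLE_DIRECTORY = { u1sysid: 'oid-u1', u2sysid: 'oid-u2' }; // sys_id -> Entra object ID
const FAKE_GRAPH = { members: { 'GROUP-ID-PLACEHOLDER-1': new Set(['oid-u2']) },
  forbidden: new Set(['GROUP-ID-PLACEHOLDER-3']) };
function fakeAddMember(groupId, userId) { // stand-in for the group-member add call
  if (FAKE_GRAPH.forbidden.has(groupId)) throw new Error('403 Authorization_RequestDenied');
  const set = FAKE_GRAPH.members[groupId] || (FAKE_GRAPH.members[groupId] = new Set());
  if (set.has(userId)) throw new Error('400 One or more added object references already exist');
  set.add(userId);
}
function runSample() {
  const { plan, skipped } = planMemberships(SAMPLE_VARS, (id) => SAMPLE_DIRECTORY[id]);
  return { results: applyPlan(plan, fakeAddMember), skipped };
}
```

Separating planning from execution lets the checkbox mapping be tested without a Graph connection. The `failed` and `skipped` entries are the cases that still need a human task instead of silently dropping a user.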


Tanushree Maiti
Mega Patron

Hi @Sirri

1. Hope you have the Microsoft Entra ID Spoke integration in place.

2. In your Flow, use Look Up Records with appropriate conditions to filter and identify the users you want, then add those selected users to the AD group.

3. Use the following Spoke subflow, send the payload with the required inputs, and configure the output attributes.

Please mark this response as Helpful & Accept it as solution if it assisted you with your question.
Regards
Tanushree Maiti
ServiceNow Technical Architect
Linkedin:

@Tanushree Maiti

Could you please explain it from the basics to the advanced steps as per the requirement? It would be helpful to me.

Thank you

Hi Sirri,

Install the Microsoft Entra ID spoke.

The flow is given here; refer to: How to add "users to azure groups" in flow designer

Ensure the integration service account has the proper permissions to add users at the Azure end.

Please mark this response as Helpful & Accept it as solution if it assisted you with your question.
Regards
Tanushree Maiti
ServiceNow Technical Architect
Linkedin:

AndersBGS
Tera Patron

Hi @Sirri,

There is an OOTB spoke for adding users to an Entra ID group; have you utilized that, or haven't you come that far yet?

If my answer has helped with your question, please mark my answer as the accepted solution and give a thumbs up.

Best regards
Anders

Rising star 2024
MVP 2025
LinkedIn: https://www.linkedin.com/in/andersskovbjerg/