Automating Microsoft Entra (Azure AD) Group Membership from Catalog Item Based on Checkbox Selection

Sirri
Tera Guru

Hello Community,

I am working on automating Microsoft Entra (Azure AD) group membership assignment from a Service Catalog request and would appreciate guidance or best practices from the community.

Current Setup

  • I have a Service Catalog item titled “EFB Suite Application Access Request”
  • Variables on the catalog item include:
    • select_users_for_access (List Collector on sys_user) – allows selection of multiple users
    • Individual checkbox (true/false) variables representing Entra security groups:
      • GRP-PRD-Jamf-Line-Pilot
      • GRP-PRD-OrlandoSSO-App Access
      • GRP-PRD-BoeingJeppesen-Captain
      • GRP-PRD-eWAS-SSO-App access

Current Process

  • After submission, a catalog task is generated
  • An agent manually reviews the request and adds the selected users to the corresponding Microsoft Entra groups

Requirement / Goal

I want to fully automate this process so that:

  • If a group checkbox is checked (true), all users selected in select_users_for_access are automatically added to the corresponding Microsoft Entra group
  • If the checkbox is not checked, no action should be taken for that group
  • This should work for multiple users and multiple groups within the same request
  • No manual catalog task should be required

What I’m Looking For

  • Recommended approach using Flow Designer, IntegrationHub, or REST (Microsoft Graph API)
  • Best place to handle the logic (Flow vs Business Rule vs Script Include)
  • How others are managing:
    • Mapping ServiceNow users to Entra object IDs
    • Error handling (user already a member, permissions, etc.)
  • Any reusable patterns or examples used in similar access automation scenarios

Any suggestions, design patterns, or sample implementations would be greatly appreciated.

Thank you in advance for your help!

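One way to structure the checkbox-to-group logic the post asks about, as an added example that is not part of the original post and not ServiceNow or Microsoft code. The checkbox variable names, group GUIDs, the `entraObjectId` field and the synchronous `send` transport are assumptions; the endpoint is the Microsoft Graph add-member call (`POST /groups/{id}/members/$ref`), which returns 204 on success and a 400 stating the reference already exists when the user is already a member.

```javascript
// Added example. GROUP_MAP keys (checkbox variable names) and GUIDs are constructed placeholders.
const GRAPH = 'https://graph.microsoft.com/v1.0';
const GUID = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;

// Allow-list: only groups listed here can ever be modified by a request.
const GROUP_MAP = {
  grp_prd_jamf_line_pilot:        '00000000-0000-0000-0000-000000000001',
  grp_prd_orlandosso_app_access:  '00000000-0000-0000-0000-000000000002',
  grp_prd_boeingjeppesen_captain: '00000000-0000-0000-0000-000000000003',
  grp_prd_ewas_sso_app_access:    '00000000-0000-0000-0000-000000000004',
};

// Map a Graph response to an outcome the flow can branch on.
function classify(res) {
  if (res.status === 204) return 'added';
  const msg = (res.body && res.body.error && res.body.error.message) || '';
  if (res.status === 400 && /already exist/i.test(msg)) return 'already_member';
  if (res.status === 401 || res.status === 403) return 'permission_denied';
  if (res.status === 404) return 'not_found';
  if (res.status === 429 || res.status >= 500) return 'retry';
  return 'failed';
}

// variables: catalog variable values; users: [{ name, entraObjectId }] (hypothetical shape);
// send(method, url, body) -> { status, body } is a hypothetical synchronous transport.
function addSelectedUsersToGroups(variables, users, send) {
  const results = [];
  for (const [varName, groupId] of Object.entries(GROUP_MAP)) {
    if (String(variables[varName]) !== 'true') continue; // unchecked: no action
    for (const user of users) {
      const entry = { group: varName, user: user.name };
      if (!GUID.test(user.entraObjectId || '')) { // never call Graph with an unmapped user
        results.push({ ...entry, outcome: 'unmapped_user' });
        continue;
      }
      const res = send('POST', `${GRAPH}/groups/${groupId}/members/$ref`,
        { '@odata.id': `${GRAPH}/directoryObjects/${user.entraObjectId}` });
      results.push({ ...entry, outcome: classify(res) });
    }
  }
  return results;
}

// Constructed demo: stub transport that always reports success.
const demo = addSelectedUsersToGroups(
  { grp_prd_jamf_line_pilot: 'true' },
  [{ name: 'pilot.one', entraObjectId: '11111111-1111-1111-1111-111111111111' }],
  () => ({ status: 204, body: null }));
console.log(demo);
```

Iterating over the allow-list rather than over the submitted variables means a request can only ever touch the groups named in `GROUP_MAP`. The app registration behind `send` needs no more than the `GroupMember.ReadWrite.All` application permission for this call.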