Automating Microsoft Entra (Azure AD) Group Membership from Catalog Item Based on Checkbox Selection

Sirri
Tera Guru

‎04-19-2026 03:25 AM

Hello Community,

I am working on automating Microsoft Entra (Azure AD) group membership assignment from a Service Catalog request and would appreciate guidance or best practices from the community.

Current Setup

  • I have a Service Catalog item titled “EFB Suite Application Access Request”
  • Variables on the catalog item include:
    • select_users_for_access (List Collector on sys_user) – allows selection of multiple users
    • Individual checkbox (true/false) variables representing Entra security groups:
      • GRP-PRD-Jamf-Line-Pilot
      • GRP-PRD-OrlandoSSO-App Access
      • GRP-PRD-BoeingJeppesen-Captain
      • GRP-PRD-eWAS-SSO-App access

Current Process

  • After submission, a catalog task is generated
  • An agent manually reviews the request and adds the selected users to the corresponding Microsoft Entra groups

Requirement / Goal

I want to fully automate this process so that:

  • If a group checkbox is checked (true), all users selected in select_users_for_access are automatically added to the corresponding Microsoft Entra group
  • If the checkbox is not checked, no action should be taken for that group
  • This should work for multiple users and multiple groups within the same request
  • No manual catalog task should be required

What I’m Looking For

  • Recommended approach using Flow Designer, IntegrationHub, or REST (Microsoft Graph API)
  • Best place to handle the logic (Flow vs Business Rule vs Script Include)
  • How others are managing:
    • Mapping ServiceNow users to Entra object IDs
    • Error handling (user already a member, permissions, etc.)
  • Any reusable patterns or examples used in similar access automation scenarios

Any suggestions, design patterns, or sample implementations would be greatly appreciated.

Thank you in advance for your help!

0 Helpfuls
  • 1,367 Views
5 REPLIES 5

Tanushree Maiti
Tera Patron

‎04-19-2026 08:13 AM - edited ‎04-19-2026 08:14 AM

Hi @Sirri 

 

1. Hope you have Microsoft Entra ID Spoke integration in place.

2. In your Flow, Use Look Up Records with appropriate conditions to filter and identify the users you want, then add those selected users to the AD group.

3. Use following Spoke's subflow , send the payload with required Inputs and configure Output attributes.

   

TanushreeMaiti_0-1776611543763.png

 

 

 

 

 

Please Accept the solution if it assisted you with your question & Mark this response as Helpful.
Regards
Tanushree Maiti
ServiceNow Technical Architect
LinkedIn: https://www.linkedin.com/in/tanushreemaiti
0 Helpfuls

Sirri
Tera Guru
In response to Tanushree Maiti

‎04-19-2026 04:41 PM

@Tanushree Maiti 

 

Please can you explain the basic to Advance as per the requirement it will helpful to me.
 
Thank you 
0 Helpfuls

Tanushree Maiti
Tera Patron
In response to Sirri

‎04-19-2026 06:56 PM

Hi Srini,

 

Install the Microsoft Entra ID spoke.

Flow is given here.  refer: //How to add "users to azure groups" in flow designer 

Ensure integration service account have proper permission to add user at Azure end.

 

 

Please Accept the solution if it assisted you with your question & Mark this response as Helpful.
Regards
Tanushree Maiti
ServiceNow Technical Architect
LinkedIn: https://www.linkedin.com/in/tanushreemaiti
0 Helpfuls

AndersBGS
Tera Patron

‎04-19-2026 12:15 PM

Hi @Sirri ,

 

there is an OTTB spoke for adding users to EntraID group, have you utilized that or haven’t you come that  far yet?

 

If my answer has helped with your question, please mark my answer as the accepted solution and give a thumbs up.

Best regards
Anders

Rising star 2024
MVP 2025
linkedIn: https://www.linkedin.com/in/andersskovbjerg/

0 Helpfuls