
Act on group membership changes in Azure Active Directory

Did you ever want to act on a change in group membership in Azure AD, for example when a user is added to or removed from a specific group? I have found an easy way to do this with Power Automate, and it fits a lot of use cases.

What do we need?

For this solution, we use the Office 365 Groups connector in Power Automate, which holds the trigger 'When a group member is added or removed'. Despite the connector being called Office 365 Groups (a name that should be updated anyway), the trigger works with both Microsoft 365 groups and security groups in Azure AD. All we need is the ObjectId of the group, so this will be the trigger for our flow.

This trigger is not documented very well. The body it returns when a user is added contains very little, so to tell an addition from a removal we have to use an expression.

We therefore add a Condition action with the following expression:

empty(triggerBody()?['@removed']?['reason'])

When the expression evaluates to true, the user was added; when it evaluates to false, the user was removed from the group.
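As an added illustration (this is not code from the post or from the downloadable flow), the Python below reproduces what that Condition evaluates, with Power Automate's empty() and null-propagating ?['key'] semantics mirrored in two small helpers so the edge cases (no @removed object at all, an @removed object with no reason) are visible. It assumes the trigger body has the shape of a Microsoft Graph delta item, where a removed member carries an @removed object whose reason is "changed" or "deleted"; the sample bodies are constructed, not captured from a tenant.

```python
# Added example, not part of the original post.
# Classifies a trigger body the way the flow's Condition does with
#   empty(triggerBody()?['@removed']?['reason'])
# Assumption: the body looks like a Microsoft Graph delta item, where a member
# that left the group carries "@removed": {"reason": "changed" | "deleted"}.
from typing import Any, Optional


def pa_empty(value: Any) -> bool:
    """Mirror Power Automate's empty(): true for null, '' and empty collections."""
    if value is None:
        return True
    if isinstance(value, (str, list, dict)):
        return len(value) == 0
    return False


def safe_get(obj: Any, key: str) -> Optional[Any]:
    """Mirror the null-propagating ?['key'] accessor: missing key or non-object -> None."""
    if isinstance(obj, dict):
        return obj.get(key)
    return None


def classify_change(trigger_body: dict) -> dict:
    """Return the Condition's outcome plus the details later flow steps need."""
    reason = safe_get(safe_get(trigger_body, "@removed"), "reason")
    member_added = pa_empty(reason)  # == empty(triggerBody()?['@removed']?['reason'])
    return {
        "member_id": safe_get(trigger_body, "id"),
        "condition": member_added,
        "event": "added" if member_added else "removed",
        # Assumption (Graph delta semantics): "changed" means the object left the
        # group, "deleted" means the directory object itself is gone, so a later
        # lookup of that id will no longer succeed.
        "reason": None if member_added else reason,
    }


# Constructed sample trigger bodies (not captured from a real tenant).
SAMPLE_ADDED = {
    "@odata.type": "#microsoft.graph.user",
    "id": "00000000-0000-0000-0000-000000000001",
}
SAMPLE_REMOVED = {
    "@odata.type": "#microsoft.graph.user",
    "id": "00000000-0000-0000-0000-000000000002",
    "@removed": {"reason": "changed"},
}
SAMPLE_DELETED = {
    "@odata.type": "#microsoft.graph.user",
    "id": "00000000-0000-0000-0000-000000000003",
    "@removed": {"reason": "deleted"},
}
# Edge case: an @removed object with no reason is treated as an addition by the
# expression, because empty() looks at reason, not at @removed itself.
SAMPLE_NO_REASON = {"id": "00000000-0000-0000-0000-000000000004", "@removed": {}}

if __name__ == "__main__":
    for body in (SAMPLE_ADDED, SAMPLE_REMOVED, SAMPLE_DELETED, SAMPLE_NO_REASON):
        print(classify_change(body))
```

The last sample shows why the flow tests reason rather than @removed: only a non-empty reason flips the Condition to the "removed" branch, so anything your later steps do with the member id should be prepared for a reason of "deleted", where the user object no longer exists.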

We also want to retrieve some details about the user and the group so we can use them in later steps. The flow looks like this:

In this case we send an email to the affected user, but this could just as well be a Teams chat message, for example.

Download the example from Github

More info on the connector: Office 365 Groups – Connectors | Microsoft Docs

19 thoughts on “Act on group membership changes in Azure Active Directory”

    1. Good question, I don’t know the exact answer, but I assume it would be triggered when any supported object is added to the group.

  1. Dear All,
    Want to pick “all” your brains around the “When a group member is added or removed”.
    I have a scenario where I have 30+ Security Groups to monitor and if a member is added to one of the groups it should trigger the flow. With the current Trigger I would have to replicate my flow 30+ times which is a bit “cumbersome”.
    Would be awesome if there would be a way to have the trigger fire if the Group ID is part of a list of Group IDs.

    Any thoughts Jan or anyone else?

  2. Hi, the “when group member is added” connector does not show up in my list of Office 365 Group Connectors. Could this connector have been removed?

  3. @Jan, you posted this above….
    — You’ll need automation (Logic Apps) to create and refresh the subscriptions for groups, and another endpoint to act as notificationUrl

    This is exactly what I need to figure out. When I go to create the subscription all is good with the following parameters
    # Subscription request body for Microsoft Graph (Microsoft.Graph PowerShell)
    $body = @{
        changeType                = "updated"
        notificationUrl           = $notificationUrl      # endpoint Graph will POST to
        resource                  = $group                # e.g. "groups/<group-id>"
        expirationDateTime        = $expirationDateTime
        latestSupportedTlsVersion = "v1_2"
    }
    New-MgSubscription -BodyParameter $body

    However, “HOW” do you create the subscriptions that use a different Logic app URL endpoint to answer the following renew
    $params = @{
        # Build the timestamp from UTC so the trailing "Z" is truthful
        expirationDateTime = (Get-Date).ToUniversalTime().AddDays(29).ToString("yyyy-MM-ddTHH:mm:ssZ")
    }

    Update-MgSubscription -SubscriptionId $Id -BodyParameter $params

    It seems to always want to go to the notificationURL to renew.
    Is there another parameter during the creation of the subscription that makes this command point to the renew endpoint instead of the notificationURL?

    This is driving me nuts… All help is appreciated!

    1. disregard the above….
      if you set up the single logic app as the notificationurl and just do an if condition that watches for incoming subscription renewals and set the response to send back the validation token in plain text .. that portion works… my main issue that I have now resolved was that if it was a normal change notification it would go down the workflow and do the needful but would constantly loop through the same change over and over again. I found that you ALSO need to provide a response back to Microsoft acknowledging you received the regular change. Without that it will loop forever..

      What was weird was that if I removed the response action for renewals and just let it process normal changes… it would work WITHOUT me providing a response action for regular changes. With the renewal response added in … it caused regular change notifications to think they weren’t received and kept sending them to me.

      NOW I have the response action for both… and works like a champ!!
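The two responses the commenter above arrived at are the standard Microsoft Graph change-notification contract: echo the validationToken as plain text when a subscription is created or renewed, and acknowledge every regular notification with 202 so Graph stops redelivering it. The following Python is an added example (not the blog's or the commenter's code, and not a Logic App) that implements that contract as a pure function standing in for the notification endpoint; it also drops notifications whose clientState does not match the value chosen at subscription time, since anyone who learns the URL can POST to it. EXPECTED_CLIENT_STATE, the URLs and the notification payload are constructed.

```python
# Added example, not part of the original post or comments.
# Models a Graph change-notification endpoint as a pure function so it can be
# exercised without a web framework; a real endpoint wraps it in an HTTP handler.
import json
from typing import Any, Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumption: the clientState supplied when the subscription was created.
EXPECTED_CLIENT_STATE = "constructed-secret-client-state"


def handle_notification_request(url: str, raw_body: bytes) -> Tuple[int, str, str, List[Dict[str, Any]]]:
    """Return (status, content_type, body, accepted_notifications) for one POST from Graph."""
    query = parse_qs(urlsplit(url).query)
    token = query.get("validationToken", [None])[0]
    if token is not None:
        # Creation/renewal handshake: echo the token as text/plain with 200
        # (Graph expects it within 10 seconds); nothing else is processed.
        return 200, "text/plain", token, []

    try:
        payload = json.loads(raw_body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return 400, "text/plain", "malformed notification", []

    accepted: List[Dict[str, Any]] = []
    for note in payload.get("value", []):
        # Ignore anything that does not carry our clientState: it did not
        # originate from the subscription we created.
        if note.get("clientState") != EXPECTED_CLIENT_STATE:
            continue
        accepted.append({
            "subscriptionId": note.get("subscriptionId"),
            "changeType": note.get("changeType"),
            "resource": note.get("resource"),
        })
    # Acknowledge with 202 regardless of how much work remains; the caller
    # queues `accepted` for the real processing. A missing or slow acknowledgement
    # is what makes Graph resend the same change, the loop the commenter hit.
    return 202, "text/plain", "", accepted


# Constructed sample requests (not captured from a real tenant).
VALIDATION_URL = (
    "https://example.invalid/graph-notify"
    "?validationToken=Validation%3A%20Testing%20reachability%20Request-Id%3A%2012345"
)
NOTIFY_URL = "https://example.invalid/graph-notify"
SAMPLE_NOTIFICATION = json.dumps({
    "value": [
        {
            "subscriptionId": "11111111-1111-1111-1111-111111111111",
            "changeType": "updated",
            "clientState": EXPECTED_CLIENT_STATE,
            "resource": "Groups/22222222-2222-2222-2222-222222222222",
        },
        {   # forged: wrong clientState, must not reach the flow
            "subscriptionId": "11111111-1111-1111-1111-111111111111",
            "changeType": "updated",
            "clientState": "not-our-secret",
            "resource": "Groups/33333333-3333-3333-3333-333333333333",
        },
    ]
}).encode("utf-8")

if __name__ == "__main__":
    print(handle_notification_request(VALIDATION_URL, b""))
    print(handle_notification_request(NOTIFY_URL, SAMPLE_NOTIFICATION))
```

The validation branch is checked first because Graph sends the token on the same URL as the notifications; in a Logic App this is the condition on the validationToken query parameter that the commenter describes, with a Response action on each branch.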

  4. Hi,

    Great comment and walkthrough! I have basically copied your solution to manage geo-located exclusion for our users when they are travelling abroad.

    In my flow I also create a Sharepoint list item based on UPN for the user being added to the azure-group controlling our exclusion for geo-ip. All items in the sharepoint list are deleted when they are more than 15 days old, and the users membership in the azure-group removed. Works great!

    However I would need to build a corresponding action to the false-condition in the flow. Meaning when a user is removed from the azure-group it is also removed from the sharepoint-list. Do you have any suggestion on how to build this? I'm getting stuck on the fact that the action “Delete item” for sharepoint requires the sharepoint list object id and I am not sure how to collect that from the sharepoint-list based on the user being removed from the azure-group.

  5. Nevermind, I solved it by simply using a “get items” with a filter query returning only the sharepoint item id of the user being processed by the flow at the moment, and then deleting the item based on the id from the previous step.

    Thanks again!

  6. Hi,

    Thank you for this guide, very helpful. I have 2 queries however:

    1. Why are you getting the group twice? You have the group id already so you can go straight to getting the user id but instead you get the group again (but this time get the group ID from Entra as opposed to O365 remove or delete) and then get the user id from that. Not sure I follow why that is necessary?
    2. When a user id is ‘deleted’ from the group I am having trouble retrieving the details as it seems that it is deleted and therefore the object id of the user can no longer be queried. It seems to me with this flow you would never be able to identify which user has been removed/deleted, instead only that some user has been deleted but we don’t know who
