How To Invite External Users Using Microsoft Flow and Microsoft Graph API
Timlin recently helped a customer automate the creation of new SharePoint site collections designed for external sharing. Prior to our work, the client had a number of manual steps that included completing a PDF form, manually logging and tracking the request, spinning up the site and associated security, and manually inviting the external users. With the new automated process, the client simply fills out a Power Apps form that allows them to specify email addresses for the external access, and all the remaining steps are fully automated.
When looking for the underlying solution to automate this process, we decided on Microsoft Graph API. We needed to be able to authenticate with Microsoft Graph API and execute actions against it via Microsoft Flow. We have used this for many of our solutions, and in this post, we will detail just what is needed to authenticate with Microsoft Graph API and how to use its Invite API to invite guest users to your tenant.
Setting Up an Azure AD App Registration
The main requirement for this process to work is the Azure Active Directory App Registration. This App Registration serves as the authentication handshake between Microsoft Flow and Microsoft Graph API. You will need an elevated level of privilege to create the app registration and assign it the permissions we need in this example.
First, navigate to your Azure Portal (https://portal.azure.com) and click on Azure Active Directory.
If Azure Active Directory is not present in your quick links section, simply search for it and click on it from there. Next, navigate to “App Registrations” on the left-hand navigation menu and then “New Registration”.
You can name this Registration whatever you’d like. Leave the rest of the settings as they stand and click “Register”.
Authentication and Permissions for our Azure AD App Registration
Now that we have our App Registration created, we need to set up two things: our App Secret and the required App Permissions.
First, navigate to “Certificates & secrets” and click on “New Client Secret”.
We can call our Secret anything we’d like. In this instance, we’ll just name it “Secret”. The expiration date is up to you, but keep in mind that if you select an expiration date other than “Never”, you will need to update this Secret key down the line in order for your functionality to continue working.
A Secret key should now appear. Make sure to copy and save the key somewhere safe, as you will only see it this one time.
Next, we need to give our App Registration a single permission called “User.Invite.All”. This gives the App Registration access to invite guest users to our tenant. To do so, navigate to “API Permissions” and click on “Add a Permission”.
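Once the permission is in place, one way to confirm that the App Registration carries only “User.Invite.All” is to inspect the claims of an access token issued to it. The following is an added example, not code from the original post: the function names and the sample tokens are constructed for illustration, and the audience values are an assumption about how Microsoft Graph tokens are commonly issued.

```python
import base64
import json

# Assumption: audience values commonly seen on Microsoft Graph tokens.
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}
EXPECTED_ROLES = {"User.Invite.All"}  # the single permission named in the post


def decode_claims(token):
    """Return the JWT payload as a dict. No signature check: this inspects a
    token you requested yourself; it is not a validation routine."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_app_token(token, expected_roles=EXPECTED_ROLES):
    """List least-privilege findings for an app-only Graph token."""
    claims = decode_claims(token)
    findings = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        findings.append("audience is not Microsoft Graph: %r" % claims.get("aud"))
    if "scp" in claims:  # scp marks a delegated (user) token
        findings.append("delegated token (scp claim present), not app-only")
    roles = set(claims.get("roles", []))  # application permissions
    for role in sorted(expected_roles - roles):
        findings.append("missing permission: " + role)
    for role in sorted(roles - expected_roles):
        findings.append("excess permission: " + role)
    return findings


def make_sample_token(claims):
    """Constructed, unsigned sample token for the demo (not a real one)."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none", "typ": "JWT"}), b64(claims), "sig"])


GOOD = make_sample_token({"aud": "https://graph.microsoft.com",
                          "roles": ["User.Invite.All"]})
BROAD = make_sample_token({"aud": "https://graph.microsoft.com",
                           "roles": ["User.Invite.All", "Directory.ReadWrite.All"]})

if __name__ == "__main__":
    for name, tok in (("GOOD", GOOD), ("BROAD", BROAD)):
        print(name, audit_app_token(tok) or "ok")
```

An empty result means the token carries exactly the expected application permission; any “excess permission” finding is a prompt to remove that grant from the App Registration.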