On August 11, 2023, Cisco announced that Cisco SecureX will go end-of-life on July 31, 2024. The content in this Github repository will not be actively maintained following this announcement.

Azure AD - Get New Users

Workflow #0036

This workflow checks for users that were created within the past X hours in Microsoft Azure (the timeframe is configurable). If any results are found, the user list is aggregated and a Webex message is sent. Required Graph API permissions: AuditLog.Read.All


Change Log

Date Notes
Jun 29, 2021 - Initial release
Sep 10, 2021 - Updated to use the new system atomics
Sep 7, 2022 - Minor updates to naming and descriptions

See the Important Notes page for more information about updating workflows


  • The following system atomics are used by this workflow:
    • Webex - Post Message to Room
    • Webex - Search for Room
  • The following atomic actions must be imported before you can import this workflow:
  • The targets and account keys listed at the bottom of the page
  • (Optional) Cisco Webex
  • Microsoft Azure Active Directory
  • Microsoft Azure App Registration with the AuditLog.Read.All API permission

Workflow Steps

  1. Fetch global variables
  2. Get an access token for the Graph API
  3. Calculate and format the start date
  4. Fetch audit log events for user creation
  5. Check if the request was successful:
    • If not, return an error message
    • If it was, parse the event JSON and aggregate the list of new users in text form for Webex. If there’s anything to report, send a Webex message


  • If you want the workflow to run on a schedule, you need to create a schedule and then add it as a trigger within the workflow
  • Set the Azure Tenant ID local variable to the Azure tenant to run the report for
  • Set the Hours to Check to how many hours ago you want the workflow to look for events (default: 24 hours). If you’re using a schedule to run this workflow, make sure the schedule’s interval matches this timeframe
  • See this page for information on configuring the workflow for Webex


Target Group: Default TargetGroup

Target Name Type Details Account Keys Notes
Microsoft Graph HTTP Endpoint Protocol: HTTPS
Host: graph.microsoft.com
Path: /v1.0
Microsoft Graph Token HTTP Endpoint Protocol: HTTPS
Host: login.microsoftonline.com
Path: None
Microsoft Graph API  
Webex Teams HTTP Endpoint Protocol: HTTPS
Host: webexapis.com
Path: None
None Not necessary if Webex activities are removed

Account Keys

Account Key Name Type Details Notes
Microsoft Graph API HTTP Basic Authentication Username: Client ID
Password: Client Secret