Azure AD - Get New Users
Workflow #0036
This workflow checks for users that were created within the past X hours in Microsoft Azure (the timeframe is configurable). If any results are found, the user list is aggregated and a Webex message is sent. Required Graph API permissions: AuditLog.Read.All
Change Log
Date | Notes |
---|---|
Jun 29, 2021 | - Initial release |
Sep 10, 2021 | - Updated to use the new system atomics |
Sep 7, 2022 | - Minor updates to naming and descriptions |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - Webex - Post Message to Room
  - Webex - Search for Room
- The following atomic actions must be imported before you can import this workflow:
  - Microsoft Graph - Get Access Token (CiscoSecurity_Atomics)
- The targets and account keys listed at the bottom of the page
- (Optional) Cisco Webex
- Microsoft Azure Active Directory
- Microsoft Azure App Registration with the AuditLog.Read.All API permission
Workflow Steps
- Fetch global variables
- Get an access token for the Graph API
- Calculate and format the start date
- Fetch audit log events for user creation
- Check if the request was successful:
  - If not, return an error message
  - If it was, parse the event JSON and aggregate the list of new users in text form for Webex. If there’s anything to report, send a Webex message
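The date calculation, audit log query and aggregation steps above, sketched in Python as an added example (not the workflow's own code). It assumes the events come from the Graph /auditLogs/directoryAudits endpoint filtered on the 'Add user' activity; the function names are hypothetical, the sample response is constructed, and the token request and Webex post are left out so it runs offline.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

GRAPH_BASE = "https://graph.microsoft.com/v1.0"  # host and path from the Targets table

def build_filter(now, hours_to_check=24):
    """OData filter for user-creation events in the last N hours (UTC)."""
    start = (now - timedelta(hours=hours_to_check)).strftime("%Y-%m-%dT%H:%M:%SZ")
    # Assumption: user creation is logged with activityDisplayName 'Add user'.
    return f"activityDisplayName eq 'Add user' and activityDateTime ge {start}"

def build_query_url(now, hours_to_check=24):
    flt = quote(build_filter(now, hours_to_check))
    return f"{GRAPH_BASE}/auditLogs/directoryAudits?$filter={flt}"

def summarize_new_users(response_body):
    """Return one Markdown bullet per created user; empty list means nothing to send."""
    lines = []
    for event in json.loads(response_body).get("value", []):
        if event.get("result") != "success":
            continue  # a failed attempt did not create an account
        by = event.get("initiatedBy") or {}
        actor = ((by.get("user") or {}).get("userPrincipalName")
                 or (by.get("app") or {}).get("displayName") or "unknown")
        for target in event.get("targetResources") or []:
            if target.get("type") == "User":
                upn = target.get("userPrincipalName") or target.get("displayName")
                lines.append(f"- {upn} created {event['activityDateTime']} by {actor}")
    return lines

# Constructed sample response (not real tenant data): two successes, one failure.
SAMPLE = json.dumps({"value": [
    {"activityDateTime": "2022-09-07T08:15:00Z", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}, "app": None},
     "targetResources": [{"type": "User", "userPrincipalName": "alice@example.com"}]},
    {"activityDateTime": "2022-09-07T09:30:00Z", "result": "success",
     "initiatedBy": {"user": None, "app": {"displayName": "Example Provisioning App"}},
     "targetResources": [{"type": "User", "userPrincipalName": "bob@example.com"}]},
    {"activityDateTime": "2022-09-07T10:00:00Z", "result": "failure",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}, "app": None},
     "targetResources": [{"type": "User", "userPrincipalName": "carol@example.com"}]},
]})

if __name__ == "__main__":
    print(build_query_url(datetime.now(timezone.utc)))
    print("\n".join(summarize_new_users(SAMPLE)) or "No new users")
```

Including the initiating user or application next to each new account lets a reviewer separate expected provisioning from accounts created by an unexpected principal.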
Configuration
- If you want the workflow to run on a schedule, you need to create a schedule and then add it as a trigger within the workflow
- Set the Azure Tenant ID local variable to the Azure tenant to run the report for
- Set the Hours to Check to how many hours ago you want the workflow to look for events (default: 24 hours). If you’re using a schedule to run this workflow, make sure the schedule’s interval matches this timeframe
- See this page for information on configuring the workflow for Webex
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
Microsoft Graph | HTTP Endpoint | Protocol: HTTPS Host: graph.microsoft.com Path: /v1.0 | None | |
Microsoft Graph Token | HTTP Endpoint | Protocol: HTTPS Host: login.microsoftonline.com Path: None | Microsoft Graph API | |
Webex Teams | HTTP Endpoint | Protocol: HTTPS Host: webexapis.com Path: None | None | Not necessary if Webex activities are removed |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
Microsoft Graph API | HTTP Basic Authentication | Username: Client ID Password: Client Secret | |