Dear community,
Last time we had a closer look at stopping non-critical SAP systems as an integral part of any cloud practice to leverage resources efficiently in terms of capacity, cost, and self-service developer empowerment. Today I want to place the cherry on top (cake is probably eaten already) and put some more automation on the spot.
To distribute an app like our SAP start/stop controller efficiently you need to abstract access rights from the individual user. For the PowerPlatform that means Azure AD groups.
Once you have that, how do we onboard new “SAP snoozers” to the PowerApp? We need a process that collects user identity attributes like email, assigns them to the user group, and notifies the new end user with the link to access the app. To top it all off, an approval process might be required.
There are multiple ways to implement this. For instance, an SAP BTP focused approach with a custom UI5 app on CloudFoundry could integrate with the SAP workflow service to collect user info, assign the Azure AD group via the Microsoft Graph, send an adaptive card via email for the approval process and notify the new user. Have a look at this post from harald.schubert for some more details.
For our internal SAP lab environment at FastTrack for Azure we implemented a PowerAutomate-based solution.
Fig.0 Overview of onboarding automation
Let’s look at the moving parts
The onboarding process is started from Microsoft Forms with a simple free text question to explain to the approver why you want access. A form can be created with a couple of clicks and published/shared within the whole organisation, with selected users, or with anyone. We chose within our org.
Fig. 1 Screenshot of onboarding form on mobile
Once you hit submit, the attached PowerAutomate cloud flow kicks off. It retrieves the user’s email address to get their UPN from Azure AD (see third step “Get user”). We need the UPN as input for the built-in approval process step.
Fig.2 Screenshot from PowerAutomate on first user-onboarding steps
The approval step (see last step in fig.2) creates requests in a dedicated standard Teams app and pushes notifications to the approvers’ Teams client.
Fig.3 Screenshot from approval request
You can see the provided justification and mapped user from the Forms request. Finally, you can provide a comment and approve/reject. That action is identified in the subsequent steps on PowerAutomate.
Fig.4 Screenshot of complete PowerAutomate flow for user onboarding
The left branch becomes active on interaction from the Teams app. In case of approval, the user gets added to an Azure AD group that is assigned to the SAP snoozing PowerApp and the associated Azure VMs for SAP with Reader rights.
The user requesting access gets a Teams push notification with the result of his request and the access link to the PowerApp if needed.
Fig.5 Screenshot from Teams notification after successful approval
In my case I was already part of that Azure AD group, so I got a reminder and bugged the “approvers” for no reason 😉
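The approval branch described above, written out as the Microsoft Graph v1.0 calls behind it (an added example, not the exported "SignUpUsers2SAPController" flow): the directory write happens only on an explicit approval and is skipped for users who already hold the group. The `call` transport hook, the `FakeGraph` stand-in, the outcome string "Approve" and all sample ids are assumptions made for illustration.

```python
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"

def onboard(email, outcome, group_id, call):
    """Run the post-approval branch; return what the notification should say.

    call(method, url, body) is an assumed hook that sends an authenticated
    Graph request and returns the decoded JSON body (None for 204 responses).
    """
    # "Get user": resolve the form responder to a directory object.
    user = call("GET", f"{GRAPH}/users/{quote(email, safe='@')}", None)
    # Fail closed: only an explicit approval may lead to a directory write.
    if outcome != "Approve":  # assumed outcome string of the approval step
        return "rejected"
    # Already a member (the reminder case): skip the write.
    held = call("POST", f"{GRAPH}/users/{user['id']}/checkMemberGroups",
                {"groupIds": [group_id]})["value"]
    if group_id in held:
        return "already-member"
    call("POST", f"{GRAPH}/groups/{group_id}/members/$ref",
         {"@odata.id": f"{GRAPH}/directoryObjects/{user['id']}"})
    return "added"


class FakeGraph:
    """Constructed in-memory stand-in for Graph so the example runs offline."""
    def __init__(self, users, members):
        self.users, self.members, self.log = users, members, []

    def __call__(self, method, url, body):
        self.log.append((method, url))
        path = url[len(GRAPH):].split("/")[1:]
        if method == "GET" and path[0] == "users":
            return {"id": self.users[path[1]], "userPrincipalName": path[1]}
        if path[-1] == "checkMemberGroups":
            uid = path[1]
            return {"value": [g for g in body["groupIds"] if uid in self.members.get(g, set())]}
        if path[-1] == "$ref":
            self.members.setdefault(path[1], set()).add(body["@odata.id"].rsplit("/", 1)[1])
            return None
        raise ValueError(f"unexpected call: {method} {url}")


if __name__ == "__main__":
    # Constructed sample user and group ids.
    graph = FakeGraph({"new.snoozer@contoso.example": "user-0001"}, {"grp-sap-snoozers": set()})
    for outcome in ("Reject", "Approve", "Approve"):
        print(outcome, "->", onboard("new.snoozer@contoso.example", outcome, "grp-sap-snoozers", graph))
```
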
The approvers get a list of all requests they acted upon within Teams. This might be interesting to check the history of denied requests or approvals for compliance efforts.
Fig. 6 Screenshot from approval request list in Teams app
Nicely integrated, isn’t it? Like I said at the beginning, there are multiple ways of achieving such an automated user onboarding process. For BTP focused solutions I encourage you to look at the SAP workflow service as well. The Microsoft Graph exposes the necessary APIs leveraged by PowerAutomate.
Final Words
Great, we used some more low code development regarding the SAP snoozing efforts on Azure to simplify the user onboarding in a scalable manner. Distributing the Microsoft Forms or highlighting its link somewhere prominent remains a task though. What about an internal portal, intranet web page or SharePoint?
From there the process is smooth due to the existing setup of Azure AD groups and built-in approval processes.
Find the PowerAutomate flow "SignUpUsers2SAPController" on our SAP snoozing GitHub repos.
As always feel free to leave or ask lots of follow-up questions.
Best Regards
Martin