Enterprise Resource Planning Blogs by Members
Gain new perspectives and knowledge about enterprise resource planning in blog posts from community members. Share your own comments and ERP insights today!
Showing results for 
Search instead for 
Did you mean: 
Active Contributor
0 Kudos
Dear community,

Last time we had a closer look at Stopping non-critical SAP systems as an integral part of any cloud practice to leverage resources efficiently in terms of capacity, cost, and self-service developer empowerment. Today I want to place the cherry on top (cake is probably eaten already) and put some more automation on the spot.

To distribute an app like our SAP start/stop controller efficiently you need to abstract access rights from the individual user. For the PowerPlatform that means Azure AD groups.

Once you have that, how do we onboard new “SAP snoozers” to the PowerApp? We need a process that collects user identity attributes like email, assigns them to the user-group and notifies the new end-user with the link to access the app. To top it all off an approval process might be required.

There are multiple ways to implement this. For instance, an SAP BTP focused approach with a custom UI5 app on CloudFoundry could integrate with the SAP workflow service to collect user info, assign the Azure AD group via the Microsoft Graph, send an adaptive card via Email for the approval process and notify the new user. Have a look at this post from harald.schubert for some more details.

For our internal SAP lab environment at FastTrack for Azure we implemented a PowerAutomate-based solution.

Fig.0 Overview of onboarding automation

Let’s look at the moving parts

Onboarding process is started from Microsoft Forms with a simple free text question to explain to the approver why you want access. A "Forms" can be created with a couple of clicks and published/shared within the whole organisation, selected users or anyone. We chose within our org.

Fig. 1 Screenshot of onboarding form on mobile

Once you hit submit the attached PowerAutomate cloud flow is kicks off. It retrieves the user’s email address to get its UPN from Azure AD (see third step “Get user”). We need the UPN as inpit for the built-in approval process step.

Fig.2 Screenshot from PowerAutomate on first user-onboarding steps

The approval step (see last step in fig.2) creates requests in a dedicated standard Teams app and pushes notifications to the approvers Teams Client.

Fig.3 Screenshot from approval request

You can see the provided justification and mapped user from the Forms request. Finally, you can provide a comment and approve/reject. That action is identified in the subsequent steps on PowerAutomate.

Fig.4 Screenshot of complete PowerAutomate flow for user onboarding

The left branch becomes active on interaction from the Teams app. In case of approval the user gets added to an Azure AD group, that is assigned to the SAP snoozing PowerApp and the associated Azure VMs for SAP with Reader rights.

The user requesting access gets a Teams push notification with the result of his request and the access link to the PowerApp if needed.

Fig.5 Screenshot from Teams notification after successful approval

In my case I was already part of that Azure AD group, so I got a reminder and bugged the “approvers” for no reason 😉

The approvers get a list of all requests they acted upon within Teams. This might be interesting to check the history of denied requests or approvals for compliance efforts.

Fig. 6 Screenshot from approval request list in Teams app

Nicely integrated, isn’t it? Like I said at the beginning there are multiple ways of achieving such an automated user onboarding process. For BTP focused solutions I encourage you to look at the SAP workflow service as well. The Microsoft Graph exposes the necessary APIs leveraged by PowerAutomate.

Final Words

Great, we used some more low code development regarding the SAP snoozing efforts on Azure to simplify the user onboarding in a scalable manner. Distributing the Microsoft Forms or highlighting its link somewhere prominent remains a task though. What about an internal portal, Intranet web page or Sharepoint?

From there the process is smooth due to the existing setup of Azure AD groups and built-in approval processes.

Find the PowerAutomate flow "SignUpUsers2SAPController" on our SAP snoozing GitHub repos.

As always feel free to leave or ask lots of follow-up questions.


Best Regards


Labels in this area