MS Teams provisioning with MS Flow and MS Graph

Microsoft Teams provides a great platform for collaboration. Depending on organisational requirements, or even the phase of the MS Teams implementation, we often come across a requirement to limit who can create MS Teams: instead of giving everyone within the organisation permission to create MS Teams freely, we’re asked to provide a request and approval process. In this blog, I’ll outline one of the options for implementing such a process.

The idea is simple – use a SharePoint list to record the user’s request, configure MS Flow to act on this request, and put an approval process in the middle.

Step 1. SharePoint List

Create a SharePoint list and add columns to capture required information. In my example, I ask for Team name, Description, Public or Private and Team Owner.

I also configured the list with the following settings – “Read items that were created by the user” and “Create items and edit items that were created by the user”.

Step 2. Accounts, Licenses and Permissions

In my example I used a “Service Account” to build the flow and granted this account access to the SharePoint site. I also gave the account the “Override List Behaviors” permission and assigned it a Flow Plan 1 license (required for the HTTP premium action). Lastly, I created a new app registration and a corresponding secret in Azure AD, and granted the app the following permissions: Directory.ReadWrite.All, Group.ReadWrite.All, User.Read.All. I copied the Tenant ID, Client ID and Secret for further use with the Flow.

Step 3. MS Flow

For the purpose of this demonstration, I created the following Flow. It has all the basic elements and can be further enhanced with logging steps back to the list, additional notifications etc.

A few things to mention:

  • The account used to build the Flow needs a Flow Plan 1 license
  • The account used to access the data in the SharePoint list needs the “Override List Behaviors” permission
  • I used a beta Graph request in the HTTP action; the endpoint is likely to change when in GA

To summarise the process – a user requests a new MS Team by submitting a request via the SharePoint list; the approval process is started and a notification is sent to the approver. Depending on the approver’s decision, the process either notifies the requestor that the request is rejected or, if approved, uses the Graph API to provision the MS Team and sends a notification to the requestor. Done.

This simple implementation can be further enhanced by using PowerApps instead of a list form, adding additional validation and notification processes, auto-approval in certain scenarios and much more.
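
The additional validation mentioned above, sketched as an added example (not part of the original post or its Flow): it checks an approved list item before building the client-credentials token request and the Graph create-team request. The column names, the naming policy, the `ApprovalOutcome` field and the v1.0 request shape are assumptions, since the post does not show the request its HTTP action sends.

```python
import re
import uuid

GRAPH = "https://graph.microsoft.com/v1.0"  # assumption: the post used an unshown beta endpoint
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _-]{2,49}")  # constructed naming policy
VISIBILITY = {"public": "Public", "private": "Private"}
# Constructed list item; column names are hypothetical.
SAMPLE_ITEM = {"TeamName": "Project Falcon", "Description": "Constructed sample request",
               "Visibility": "private", "ApprovalOutcome": "Approve",
               "OwnerId": "0040b377-61d8-43db-94f5-81374122dc7e"}


def token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request for the app registration from Step 2."""
    tenant = str(uuid.UUID(tenant_id))  # ValueError unless the tenant ID is a GUID
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # pass in from a secret store, not from the list
        "scope": "https://graph.microsoft.com/.default",
    }
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token", form


def team_request(item):
    """Validate one list item and build the create-team call; ValueError on any bad field."""
    if item.get("ApprovalOutcome") != "Approve":
        raise ValueError("request has not been approved")
    name = item.get("TeamName", "").strip()
    if not NAME_RE.fullmatch(name):
        raise ValueError("team name violates the naming policy")
    visibility = VISIBILITY.get(item.get("Visibility", "").strip().lower())
    if visibility is None:
        raise ValueError("visibility must be Public or Private")
    # Accept only a GUID object ID so the value cannot alter the bound URL.
    owner_id = str(uuid.UUID(item.get("OwnerId", "")))
    body = {
        "template@odata.bind": f"{GRAPH}/teamsTemplates('standard')",
        "displayName": name,
        "description": item.get("Description", "").strip()[:1024],  # constructed length cap
        "visibility": visibility,
        "members": [{
            "@odata.type": "#microsoft.graph.aadUserConversationMember",
            "roles": ["owner"],
            "user@odata.bind": f"{GRAPH}/users('{owner_id}')",
        }],
    }
    return "POST", f"{GRAPH}/teams", body
```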
