Tutorial: Integrating Microsoft Entra Entitlement Management with Microsoft Teams using Custom Extensibility and Logic Apps
Scenario: Use custom extensibility and an Azure Logic App to automatically send notifications to end users on Microsoft Teams when they receive or are denied access to an access package.
In this tutorial, you learn how to:
- Adding a Logic App Workflow to an existing catalog.
- Adding a custom extension to a policy within an existing access package.
- Register an application in Microsoft Entra ID for resuming Entitlement Management workflow
- Configuring ServiceNow for Automation Authentication.
- Requesting access to an access package as an end-user.
- Receiving access to the requested access package as an end-user.
- A Microsoft Entra user account with an active Azure subscription. If you don't already have one, you can Create an account for free.
- One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
Create a Logic App and custom extension in a catalog
Steps in this article may vary slightly based on the portal you start from.
Prerequisite roles: Global administrator, Identity Governance administrator, or Catalog owner and Resource Group Owner.
To create a Logic App and custom extension in a catalog, you'd follow these steps:
Navigate To Microsoft Entra admin center Identity Governance - Microsoft Entra admin center
In the left menu, select Catalogs.
Select the catalog for which you want to add a custom extension and then in the left menu, select Custom Extensions.
In the header navigation bar, select Add a Custom Extension.
In the Basics tab, enter the name of the custom extension and a description of the workflow. These fields show up in the Custom Extensions tab of the Catalog.
Select the Extension Type as “Request workflow” to correspond with the policy stage of the access package requested being created, when the request is approved, when assignment is granted, and when assignment is removed.
Another custom extension can be created for the Pre-Expiration workflow.
It shows as “Deploying”, and once done a success message will appear such as:
In Review and Create, review the summary of your custom extension and make sure the details for your Logic App call-out are correct. Then select Create.
This custom extension to the linked Logic App now appears in your Custom Extensions tab under Catalogs. You're able to call on this in the access package policies.
Configuring the Logic App
- The custom extension created will show under the Custom Extensions tab. Select the “Logic app” in the custom extension that will redirect you to a page to configure the logic app.
- On the left menu, select Logic app designer.
- Delete the Condition by selecting the 3 dots on the right side and select “Delete” and select “OK”. Once deleted, the page should have an option to add a new step.
- Select “New Step”, which will open a dialog box and then select All and expand the list of connectors.
- In the list that appears, search and select Microsoft Teams.
- In the list of actions, select “Post message in a chat or channel”.
- For Post as select “Flow Bot”, and for Post In select “Chat with Flow bot”.
- Selecting Recipient provides a pop up to select Dynamic Content. Select “ObjectID -Requestor-Objectid”.
- Add the email content in the message. You can also format plain text, or add dynamic content.
- Select inside “Add new Parameter” and check the “IsAlert” box to have the message show up on Microsoft Teams’s activity feed.
- Select Save to ensure your changes are stored. The Logic App is now ready to send emails when updates are made to an access package linked to it.
Add Custom Extension to a policy in an existing Access Package
After setting up custom extensibility in the catalog, administrators can create an access package with a policy to trigger the custom extension when the request has been approved. This enables them to define specific access requirements, and tailor the access review process to meet their organization's needs.
Prerequisite roles: Global administrator, Identity Governance administrator, Catalog owner, or Access package manager
In the Identity Governance portal, select Access packages.
Select the access package you want to add a custom extension (Logic App) to from the list of already created access packages.
Select Edit and under Properties change the catalog to one previously used in the section: Create a Logic App and custom extension in a catalog then select Save.
Change to the Policies tab, select the policy, and select Edit.
In the policy settings, go to the Custom Extensions tab.
In the menu below Stage, select the access package event you wish to use as trigger for this custom extension (Logic App). For our scenario, to trigger the custom extension Logic App workflow when an access package is requested, approved, granted, or removed, select Request is created, Request is approved, Assignment is Granted, and Assignment is removed.
Select Update to add it to an existing access package's policy.
Add Custom Extension to a new Access Package
In the Identity Governance portal, select Access packages and create a new access package.
Under the Basics tab, add the name of the policy, description and the catalog used in the section Create a Logic App and custom extension in a catalog.
Add the required Resource roles.
Add the required Requests.
Provide Requestor Information if needed.
Add Lifecycle details.
Under the Custom Extensions tab, in the menu below Stage, select the access package event you wish to use as trigger for this custom extension (Logic App). For our scenario, to trigger the custom extension Logic App workflow when an access package is requested, approved, granted, or removed, select Request is created, Request is approved, Assignment is Granted, and Assignment is removed.
In Review and Create, review the summary of your access package, and make sure the details are correct, then select Create.
Select New access package if you want to create a new access package. For more information about how to create an access package, see: Create a new access package in entitlement management. For more information about how to edit an existing access package, see: Change request settings for an access package in Microsoft Entra entitlement management.
To validate successful integration with Microsoft Teams, you'd add or remove a user to the access package created in the section Add Custom Extension to a new Access Package. The user receives a notification on Microsoft Teams from Power Automate.