Auto-Add Users to Group from Form
When a user submits a request form, validate their department and auto-add them to the appropriate Office 365 Group.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow listens for new submissions in a Microsoft Form where users request access to a department-specific Office 365 Group. When a response is received, the flow looks up the submitter's profile in Azure AD / Microsoft 365, validates that their department matches one of the supported groups, and (if valid) adds them as a member of the corresponding Office 365 Group. The requestor receives a confirmation email; if the department doesn't match an approved value, the request is rejected with an explanatory message. The pattern is intentionally simple so IT teams can clone it and point it at any internal access-request form.
Use Case
Onboarding and access-request workflows often pile up in an admin's inbox: someone fills out a form, an IT admin reads it, looks up the person, adds them to the right group, and emails them back. This flow removes that manual step entirely for low-risk, attribute-gated groups (e.g. departmental distribution lists, project Teams, intranet site memberships). By keying group membership off the requestor's existing department attribute, the flow self-enforces the policy 'you only get into the group that matches who you already are' without the admin having to look anything up.
The flow is ideal for teams that:
- IT teams running self-service group enrollment for distribution lists or Teams
- Operations teams onboarding new hires into department-specific Office 365 Groups
- Admins replacing manual 'please add me to X' email queues with a Forms-driven workflow
- Organizations standardizing access requests behind a single, auditable form
Flow Architecture
New form response submitted
When a new response is submitted (Microsoft Forms)Fires whenever a user submits the access-request form. The trigger only carries a response ID; the flow fetches the full answers in the next step.
Get response details
Get response details (Microsoft Forms)Reads the submitted form answers, including the requestor's email/UPN and the group they're requesting access to.
Look up the requestor
Get user profile (V2) (Office 365 Users)Pulls the requestor's Azure AD profile (department, display name, UPN, mail) so the flow can validate the request against their existing attributes.
If department matches an approved group
If conditionChecks that the requestor's Azure AD 'department' value matches the group they asked to join (the form's group choice is keyed to a department name).
- Add member to group (Office 365 Groups) — Adds the requestor's UPN as a member of the matching Office 365 Group.
- Send approval email (Office 365 Outlook) — Emails the requestor confirming they've been added and linking to the group/Teams resource.
The requested group doesn't match the requestor's department.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_FormId | String | <configure> | The Microsoft Forms form ID that hosts the access-request form. Find it in the form's share URL. |
| flowlibs_ApprovedGroupMap | String | {"Sales":"<group-id>","Engineering":"<group-id>"} | JSON object that maps an Azure AD department value to the Office 365 Group ID the flow should add the requestor to. |
| flowlibs_NotificationFromAddress | String | alerts@yourcompany.com | Mailbox used to send the approval/rejection emails. The connection owner must have Send-As rights on this address. |
| flowlibs_RejectionContact | String | alerts@yourcompany.com | Who to point rejected requestors at for an exception (typically an IT admin or HRBP alias). |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Microsoft Forms | shared_microsoftforms | OnNewResponseReceived (trigger) GetFormResponse |
| Office 365 Users | shared_office365users | UserProfile_V2 |
| Office 365 Groups | shared_office365groups | AddMemberToGroup |
| Office 365 Outlook | shared_office365 | SendEmailV2 |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Swap the gating attribute
- The reference flow validates on Azure AD 'department'. To gate on jobTitle, office location, or a custom extension attribute, change the condition expression and the Approved Group Map keys to match the attribute you prefer.
- Add approval routing for high-risk groups
- For groups that grant elevated access (e.g. SharePoint admins), insert an 'Start and wait for an approval' action between the condition's true branch and the 'Add member to group' action so an owner has to approve before the membership change is made.
- Log every request to a SharePoint list
- Append a Create item action after the trigger writing requestor, requested group, decision, and timestamp to a SharePoint list so you have an audit trail outside of Microsoft Forms' response history.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.
EXPR.01Department-to-group lookup
Resolves the Office 365 Group ID that matches the requestor's Azure AD department. Returns null when the department isn't in the map, which the condition treats as a rejection.
EXPR.02Department-matches-requested-group check
Case-insensitive comparison used in the If condition.
Comments
Sign in to join the conversation.
Sign inNo comments yet. Be the first to share your experience with this flow.