Event Grid Tenant Lifecycle to Provisioning
Subscribed to Event Grid events for resource-group or subscription creation (and custom tenant-onboarding events), the flow runs standardized provisioning - apply tags/policies, create baseline resources, set RBAC, and record the new tenant in Dataverse. Automates consistent landing-zone setup from creation events.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow turns Azure tenant-lifecycle events into automated, standardized landing-zone provisioning. It subscribes (via Azure Event Grid) to resource-group / subscription creation events and, for each genuine resource-group creation, runs a consistent provisioning routine: apply mandatory governance tags, create a hardened baseline storage account, assign baseline RBAC, record the new tenant in a Dataverse inventory table, and notify the platform team in Teams.
Why it matters: manually configuring every new environment is slow and inconsistent. Event-driven provisioning enforces standards from the moment a resource group exists, giving the platform team a complete, auditable inventory of every landing zone.
Ships turned off (demo); enable the flow once connections are mapped and the environment variables are set.
Use Case
A platform/landing-zone team wants every new resource group (or subscription) to auto-configure to an organizational standard the instant it is created - tags for cost/ownership governance, a baseline diagnostics storage account, a baseline RBAC grant, and an inventory record - with a real-time Teams notification.
Flow Architecture
When a Resource Creation Event Occurs
Azure Event Grid - CreateSubscription (webhook): subscribes at subscription scope, filtered to ResourceWriteSuccess and ResourceActionSuccess; splitOn runs one flow instance per event. ResourceWriteSuccess fires for every successful write anywhere in the subscription, not only for creations, so most runs exit at the guard below.
Initialize Trace & Config
Initialize variable: mints a correlation id, loads config from fourteen environment variables, parses event type/subject/operation, derives the RG name and a deterministic storage name, and mints a role-assignment guid.
Guard: Resource Group Created?
Condition: restricts work to true resource-group creations (subject contains /resourcegroups/ and ends at the RG name, so nested resources are excluded). Because the flow's own tag PUT on the RG also raises ResourceWriteSuccess for the same subject, the guard should additionally check the operation name or the presence of the ManagedBy tag (or an existing Dataverse inventory row), otherwise a freshly provisioned RG re-triggers the flow.
Apply Tags & Create Baseline Storage
Azure Resource Manager - Resources_CreateOrUpdateById: PUTs governance tags to the RG and creates a hardened StorageV2 account (Standard_LRS, minimum TLS 1.2, public blob access disabled). A PUT on a resource group replaces its whole tag set, so merge any tags the creator already applied before writing.
Assign Baseline RBAC
Azure Resource Manager - Resources_CreateOrUpdateById: creates a roleAssignments grant (default Reader) for the configured principal. The identity behind the ARM connection therefore needs Microsoft.Authorization/roleAssignments/write at RG scope (Owner or User Access Administrator), which makes that connection a high-value credential; scope it as narrowly as possible and restrict who can edit the flow.
Record & Notify
Microsoft Dataverse - CreateRecord + Microsoft Teams - PostMessageToConversation: writes the landing-zone inventory row and posts a provisioning summary to the platform team channel; non-RG events are logged and skipped.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_AzureSubscriptionId | String | <your-subscription-id> | Target Azure subscription id. |
| flowlibs_EventGridResourceType | String | Microsoft.Resources.Subscriptions | Event Grid resource type for the trigger. |
| flowlibs_TeamsGroupId | String | <your-team-id> | Teams team (group) id. |
| flowlibs_RequiredTags | String | owner,costcenter,environment | CSV of mandatory tag keys (governance reference). |
| flowlibs_BaselineTagsJson | String | {"Environment":"Standard","ManagedBy":"FlowLibs-TenantLifecycle","CostCenter":"IT-Shared"} | JSON tags applied to every new RG. |
| flowlibs_BaselineTemplateUri | String | https://your-storage.blob.core.windows.net/templates/landingzone.json | Landing-zone ARM template for extension. |
| flowlibs_TenantInventoryTable | String | flowlibs_tenantlandingzones | Dataverse entity set of the inventory table. |
| flowlibs_BaselineLocation | String | eastus | Azure region for baseline resources. |
| flowlibs_TagsApiVersion | String | 2021-04-01 | ARM API version used for the resource-group tag PUT. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Azure Event Grid | shared_azureeventgrid | CreateSubscription (trigger) |
| Azure Resource Manager | shared_arm | Resources_CreateOrUpdateById |
| Microsoft Dataverse | shared_commondataserviceforapps | CreateRecord |
| Microsoft Teams | shared_teams | PostMessageToConversation |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Tags / policy
  - Edit the baseline tags JSON; extend Apply Required Tags or add an Azure Policy assignment via another Resources_CreateOrUpdateById to policyAssignments.
- Baseline resources
  - Swap or add resources with more Resources_CreateOrUpdateById actions, or deploy the full baseline template via a Deployments_CreateOrUpdate action.
- RBAC
  - Change the role definition GUID (e.g. Contributor) and the principal id.
- Scope filter
  - Adjust the trigger includedEventTypes or the guard condition to target subscriptions or specific providers.
- Approval gate
  - Insert an Approvals StartAndWaitForAnApproval before production provisioning.
Key Expressions
The flow is intentionally light on WDL expression gymnastics; the heaviest expressions are the resource-group guard and the deterministic storage-name derivation. They are listed below in the order they appear in the flow.
EXPR.01 - RG-create guard
Accepts only events whose subject is the resource group itself.
EXPR.02 - Unique storage name
Deterministic globally-unique lowercase storage name (<=24 chars).
EXPR.03 - Role assignment body
ARM body for the baseline role assignment.
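As an added reference model (not the FlowLibs flow definition and not code from this page), the guard, the storage-name derivation and the three ARM request bodies described in the Flow Architecture and Key Expressions sections, written in Python so the logic can be unit-tested before being transcribed into WDL expressions. The sample event and configuration are constructed; `role_definition_id`, `principal_id` and `principal_type` are hypothetical extra settings not in the page's environment-variable table; the UPN claim key and the storage and role-assignment api-versions are assumptions; and the owner-from-claims step goes beyond the page, which applies only the baseline tags.

```python
"""Python model of the flow's guard (EXPR.01), storage-name derivation
(EXPR.02) and the ARM request bodies it PUTs, including the EXPR.03 role
assignment. Added example, not the FlowLibs flow definition: the event and
config below are constructed, and the UPN claim key is an assumption."""
import hashlib
import json
import re
import uuid

RG_SUBJECT = re.compile(r"^/subscriptions/([^/]+)/resourceGroups/([^/]+)/?$", re.I)
RG_WRITE_OP = "microsoft.resources/subscriptions/resourcegroups/write"
MANAGED_BY = "FlowLibs-TenantLifecycle"
READER_ROLE = "acdd72a7-3385-48ef-bd42-f606fba81ae7"  # built-in Reader role definition id
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"  # assumed claim key


def rg_created_guard(event, current_tags=None):
    """EXPR.01: return the RG name only for a genuine, unprovisioned RG creation.
    The subject must be the RG itself (nothing after the RG name), the ARM
    operation must be the RG write (a tags or policy write on the RG is not a
    creation), and the RG must not already carry the ManagedBy stamp: the
    flow's own tag PUT raises ResourceWriteSuccess for the same subject, and
    this check is what stops the flow re-triggering itself."""
    if event.get("eventType") != "Microsoft.Resources.ResourceWriteSuccess":
        return None
    m = RG_SUBJECT.match(event.get("subject", ""))
    if m is None:
        return None
    if event.get("data", {}).get("operationName", "").lower() != RG_WRITE_OP:
        return None
    if (current_tags or {}).get("ManagedBy") == MANAGED_BY:
        return None
    return m.group(2)


def storage_name(subscription_id, rg):
    """EXPR.02: deterministic, lowercase, alphanumeric, 24 chars (storage-account
    naming rules); the same RG in the same subscription always maps to one name,
    so a re-run is an idempotent PUT rather than a second account."""
    digest = hashlib.sha256(f"{subscription_id}/{rg}".lower().encode()).hexdigest()
    return ("lz" + digest)[:24]


def missing_required_tags(tags, required_csv):
    """Tag names are case-insensitive in Azure, so compare lowercased keys."""
    present = {k.lower() for k in tags}
    wanted = (x.strip() for x in required_csv.split(","))
    return [t for t in wanted if t and t.lower() not in present]


def provisioning_requests(event, cfg, existing_tags=None):
    """Ordered (method, path, body) list the flow issues through the ARM connector."""
    rg = rg_created_guard(event, existing_tags)
    if rg is None:
        return []  # non-RG event: log and skip
    sub = cfg["flowlibs_AzureSubscriptionId"]
    scope = f"/subscriptions/{sub}/resourceGroups/{rg}"
    # PUT on the RG replaces the whole tag set, so merge the existing tags in first.
    tags = {**(existing_tags or {}), **json.loads(cfg["flowlibs_BaselineTagsJson"])}
    # The baseline JSON cannot know the owner; take it from the caller recorded in the event.
    if "owner" not in {k.lower() for k in tags}:
        claims = event["data"].get("claims", {})
        tags["Owner"] = claims.get(UPN_CLAIM) or claims.get("appid") or "unknown"
    missing = missing_required_tags(tags, cfg["flowlibs_RequiredTags"])
    if missing:
        raise ValueError(f"tag set does not satisfy RequiredTags: {missing}")
    loc = cfg["flowlibs_BaselineLocation"]
    role_def = (f"/subscriptions/{sub}/providers/Microsoft.Authorization/"
                f"roleDefinitions/{cfg['role_definition_id']}")
    return [
        ("PUT", f"{scope}?api-version={cfg['flowlibs_TagsApiVersion']}",
         {"location": loc, "tags": tags}),
        ("PUT", f"{scope}/providers/Microsoft.Storage/storageAccounts/{storage_name(sub, rg)}"
                "?api-version=2023-01-01",
         {"kind": "StorageV2", "sku": {"name": "Standard_LRS"}, "location": loc, "tags": tags,
          "properties": {"minimumTlsVersion": "TLS1_2", "allowBlobPublicAccess": False,
                         "supportsHttpsTrafficOnly": True}}),
        # EXPR.03: the assignment name is a freshly minted GUID; the body names the role
        # definition and principal. principalType must match the principal (User,
        # Group or ServicePrincipal) or ARM rejects the write.
        ("PUT", f"{scope}/providers/Microsoft.Authorization/roleAssignments/{uuid.uuid4()}"
                "?api-version=2022-04-01",
         {"properties": {"roleDefinitionId": role_def, "principalId": cfg["principal_id"],
                         "principalType": cfg.get("principal_type", "ServicePrincipal")}}),
    ]


# Constructed sample event and config (not captured from a real tenant).
SAMPLE_EVENT = {
    "id": "c0ffee00-0000-4000-8000-000000000001",
    "eventType": "Microsoft.Resources.ResourceWriteSuccess",
    "subject": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-payments-dev",
    "data": {"operationName": "Microsoft.Resources/subscriptions/resourceGroups/write",
             "status": "Succeeded", "claims": {UPN_CLAIM: "alice@contoso.com"}},
}
SAMPLE_CFG = {
    "flowlibs_AzureSubscriptionId": "11111111-1111-1111-1111-111111111111",
    "flowlibs_RequiredTags": "owner,costcenter,environment",
    "flowlibs_BaselineTagsJson": '{"Environment":"Standard","ManagedBy":"FlowLibs-TenantLifecycle","CostCenter":"IT-Shared"}',
    "flowlibs_BaselineLocation": "eastus",
    "flowlibs_TagsApiVersion": "2021-04-01",
    "role_definition_id": READER_ROLE,                        # hypothetical extra setting
    "principal_id": "22222222-2222-2222-2222-222222222222",  # hypothetical extra setting
}

if __name__ == "__main__":
    for method, path, body in provisioning_requests(SAMPLE_EVENT, SAMPLE_CFG):
        print(method, path)
        print(json.dumps(body, indent=2))
```

Two things the model makes visible that the expression list does not: the page's default BaselineTagsJson satisfies only two of the three RequiredTags (owner is missing, so it has to come from the event's caller or the tag check fails), and the ManagedBy check in the guard is what keeps the flow's own RG tag PUT from re-triggering it.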