New Employee Onboarding Access Setup
When a new employee record is added to a SharePoint list, auto-add them to a default O365 security group, send a personalized welcome email with onboarding resources, notify their manager, send an admin summary, and update the list item status.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
New Employee Onboarding Access Setup is an automated flow that fires the moment a new starter is added to the HR onboarding SharePoint list. It picks up the new employee's profile (name, email, manager, start date, department), adds them to a default Office 365 security group via Microsoft Graph, sends the new hire a personalized welcome email with links to onboarding resources, notifies their manager that the team has a new starter, sends an admin summary so IT/HR can audit the run, and finally writes back to the list item to mark the onboarding access setup as Complete. The flow is designed as a single, low-touch automation that replaces the manual checklist IT typically runs on a new hire's first day.
Use Case
Most onboarding processes still rely on a checklist that bounces between HR, IT, and the new hire's manager — security-group membership gets missed, welcome emails go out late, and there's no single record that the access step was actually completed. This flow gives HR and IT a one-step, repeatable onboarding pattern: the new starter goes into the SharePoint list, and within minutes they have baseline group access, a welcome email in their inbox, their manager is in the loop, and the audit trail is written back to the list. It is a good fit for organizations that want a lightweight, auditable Day-1 access provisioning workflow without standing up a full identity-governance product.
The flow is ideal for:
- HR and IT teams that share responsibility for new-hire Day-1 access provisioning.
- Small and mid-size organizations that want a lightweight alternative to a full identity-governance tool.
- Companies using a SharePoint-based onboarding tracker as the system of record for new hires.
- Managers who want an automatic 'your new starter is provisioned' notification with no manual follow-up.
Flow Architecture
When a new employee is added to the SharePoint list
When an item is created (SharePoint): Fires whenever a new row is added to the 'New Hires' SharePoint list on the HR onboarding site. The trigger output contains the new employee's name, work email, manager email, department, and start date.
Initialize variables
Initialize variable: Sets up working variables for the new hire's display name, primary email, manager email, and the target security group id read from environment variables.
Add user to default O365 security group
HTTP (Microsoft Graph): Calls Microsoft Graph: POST https://graph.microsoft.com/v1.0/groups/{group-id}/members/$ref with the new hire's user object id, granting baseline access (mailbox, Teams, SharePoint sites the group owns) in a single call.
If the group-membership call succeeded
If condition: Branches on the Graph response so the welcome email is only sent once baseline access is confirmed and any failure is escalated to IT.
- Send welcome email to new employee (V2) — Sends a personalized welcome email to the new hire with their start date, links to onboarding resources, IT support contact, and the first-day agenda.
- Send manager notification (V2) — Emails the new hire's manager to let them know the employee is provisioned, includes the start date and a link back to the SharePoint list item.
Send admin summary email
Send an email (V2): Emails the IT/HR admin distribution list a one-page summary of the onboarding run: new hire name, manager, security group added, welcome email sent (yes/no), and the SharePoint list-item link for the audit trail.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_OnboardingSharePointSiteUrl | String | https://your-tenant.sharepoint.com/sites/<configure> | SharePoint site that hosts the 'New Hires' onboarding list the trigger watches and writes back to. |
| flowlibs_OnboardingSharePointListName | String | New Hires | Display name of the SharePoint list that stores each new hire's profile and onboarding status. |
| flowlibs_DefaultSecurityGroupId | String | <configure> | Azure AD / Microsoft Entra security group id that every new hire should be added to for baseline access. Find this in Entra admin center under Groups > All groups > Object Id. |
| flowlibs_AdminSummaryEmail | String | alerts@yourcompany.com | Distribution list or mailbox that receives the per-run onboarding summary email. |
| flowlibs_ITFailureAlertEmail | String | alerts@yourcompany.com | Mailbox that receives an alert when the group-membership Graph call fails so an admin can finish provisioning manually. |
| flowlibs_OnboardingResourcesUrl | String | https://your-tenant.sharepoint.com/sites/<configure>/SitePages/Onboarding.aspx | Link to the welcome/resources page surfaced in the new hire's welcome email. |
| flowlibs_GraphApiBaseUrl | String | https://graph.microsoft.com/v1.0 | Base URL for Microsoft Graph calls. Override only when targeting a sovereign cloud (e.g. graph.microsoft.us). |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| SharePoint | shared_sharepointonline | OnNewItems (trigger); PatchItem (writes back the onboarding status and provisioned-on date) |
| Office 365 Outlook | shared_office365 | SendEmailV2 (Welcome email to new hire, manager notification, admin summary, and IT failure alert) |
| HTTP with Microsoft Entra ID (Azure AD) | shared_httpwithazureadtoken | InvokeHTTP (Adds the new hire to the default security group via Microsoft Graph) |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Add role-based group assignment
  - Instead of a single default security group, branch on the new hire's Department or Role column and add them to a department-specific group (Sales, Engineering, Finance). Store the mapping in a small SharePoint list or in additional environment variables so HR can update the mapping without editing the flow.
- Include license assignment
  - Extend the Graph branch to call POST /users/{id}/assignLicense after the group add, so the new hire also gets the right Microsoft 365 license SKU on Day 1. Read the SKU id from a new flowlibs_DefaultLicenseSkuId environment variable.
- Schedule the welcome email for start date
  - Replace the immediate welcome email with a Delay until action keyed off the new hire's Start Date so the email lands the morning they actually begin, not the day HR created the record.
- Post a Teams welcome message
  - Add a Teams 'Post message in a chat or channel' action after the welcome email to post an introduction in the team's 'general' channel, tagging the new hire and their manager. Keeps the rest of the team in the loop without HR having to remember.
- Retry the Graph call on transient failures
  - Wrap the group-membership HTTP action in a Scope with a Configure run-after that retries on 429 / 5xx responses before falling through to the failure branch. Microsoft Graph occasionally throttles bulk onboarding runs.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.
EXPR.01 Graph add-to-group request body
Body sent to POST /groups/{group-id}/members/$ref — references the new hire's Entra user object id from the SharePoint list row.
EXPR.02 Group-add URL
Builds the Graph endpoint that adds a member to the default security group, using the configurable base URL and group id.
EXPR.03 Status writeback value
Used in the Update item action to set the Onboarding Access Status column based on whether the Graph call returned HTTP 204 No Content (success).
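The logic behind the three expressions above and the retry customization, as an added Python example that is not taken from the flow definition: it validates the list-row object id and the configured base URL before building the Graph request, then maps the response code to a writeback status. The function names, the host allowlist, and the "Pending" and "Failed" status values are assumptions; only "Complete" and the 204 / 429 / 5xx handling come from the page.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only hosts accepted for flowlibs_GraphApiBaseUrl.
ALLOWED_GRAPH_HOSTS = {"graph.microsoft.com", "graph.microsoft.us"}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def build_group_add_request(base_url, group_id, user_object_id):
    """Return (url, body) for POST {base}/groups/{group-id}/members/$ref.

    Raises ValueError when an id is not a GUID or the base URL is not an
    HTTPS Graph endpoint, so a malformed list row or a mistyped
    environment variable never reaches the HTTP action.
    """
    parts = urlsplit(base_url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_GRAPH_HOSTS:
        raise ValueError("base URL is not an allowed Graph endpoint")
    for label, value in (("group id", group_id),
                         ("user object id", user_object_id)):
        if not GUID_RE.fullmatch(value or ""):
            raise ValueError(f"{label} is not a GUID")
    base = base_url.rstrip("/")
    url = f"{base}/groups/{group_id}/members/$ref"
    # Graph expects a reference to the directory object being added.
    body = {"@odata.id": f"{base}/directoryObjects/{user_object_id}"}
    return url, body


def classify_response(status_code):
    """Map the Graph status code to (writeback status, retry?)."""
    if status_code == 204:                      # No Content: member added
        return "Complete", False
    if status_code == 429 or 500 <= status_code <= 599:
        return "Pending", True                  # throttled or transient
    return "Failed", False                      # escalate to IT mailbox


if __name__ == "__main__":
    # Constructed sample values, not real tenant identifiers.
    url, body = build_group_add_request(
        "https://graph.microsoft.com/v1.0",
        "11111111-2222-3333-4444-555555555555",
        "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    )
    print(url, body, classify_response(204))
```

Because anyone who can create rows in the 'New Hires' list controls which object id is sent to Graph, the GUID check only guards against malformed input; list permissions still decide who can place an account in the group.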