Zendesk Onboarding Ticket Provisioning
When an onboarding-type Zendesk ticket is created, the flow kicks off provisioning steps — create accounts via Azure AD, assign licenses, add to groups, and post progress — then updates the ticket and notifies the requester as each task completes. Turns IT onboarding tickets into automated provisioning.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow turns onboarding-type Zendesk tickets into automated, role-based account provisioning. When a new ticket is created and carries the configured onboarding tag, the flow creates a Microsoft Entra ID account, grants the role's group memberships and license, writes an audit record to Dataverse, updates the Zendesk ticket, posts a public comment to notify the requester, and posts progress to a Teams channel.
Why it matters: Manual onboarding is slow and inconsistent. Driving it from the ticket speeds time-to-productivity and leaves a complete audit trail keyed by a correlation id.
Status: Built via API-first deployment (workflow-table path). Ships Off — going live requires only connection authorization and environment-variable configuration.
Use Case
IT receives onboarding requests through Zendesk and wants standardized accounts provisioned automatically, with every run recorded for audit and the requester kept informed on the ticket.
Flow Architecture
| Action | Type | Purpose |
|---|---|---|
| When_an_onboarding_ticket_is_created | Zendesk GetOnNewItemsV2 (poll, splitOn) | Fire per new Zendesk ticket |
| Initialize_varCorrelationId | Init (string, guid()) | Trace the run end-to-end |
| Initialize_varRoleGroupMap | Init (string) | Load role→group/license JSON map |
| Initialize_varOnboardTag | Init (string) | Tag identifying onboarding tickets |
| Initialize_varRole | Init (string) | Onboarding role (demo: default env var) |
| Initialize_varNewHireName | Init (string) | Derive display name from ticket subject |
| Initialize_varMailNickname | Init (string) | Lowercased dotted mail nickname |
| Initialize_varUpn | Init (string) | New user UPN (nickname@domain) |
| Initialize_varRoleConfig | Init (object) | Resolve role's groups + license SKU |
| Initialize_varGroupsAssigned | Init (string) | Accumulator for audit log |
| Check_If_Onboarding_Ticket | Condition (If) | Provision only tagged tickets |
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_RoleGroupMap | String | {"GeneralStaff":{"groups":[...],"licenseSkuId":"..."},...} | Role → Entra group ids + license SKU (JSON) |
| flowlibs_OnboardTicketTag | String | onboarding | Tag marking an onboarding ticket |
| flowlibs_ZendeskTicketsTable | String | tickets | Zendesk dataset table (reused) |
| flowlibs_ItChannelId | String | 19:...@thread.tacv2 | Teams channel for progress posts |
| flowlibs_NewUserDomain | String | your-tenant.onmicrosoft.com | UPN domain suffix |
| flowlibs_TempPassword | String | (placeholder) | Initial temp password for new accounts |
| flowlibs_DefaultRole | String | GeneralStaff | Fallback role |
| flowlibs_ZendeskSubdomain | String | (reused) | Zendesk subdomain for REST comment |
| flowlibs_ZendeskAuthHeader | String | (reused, Basic …) | Zendesk REST auth header |
| flowlibs_TeamsGroupId | String |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Zendesk | shared_zendesk | GetOnNewItemsV2 PatchItem |
| Microsoft Entra ID | shared_azuread | CreateUser AddUserToGroup |
| Microsoft Teams | shared_teams | PostMessageToConversation |
| Microsoft Dataverse | shared_commondataserviceforapps |
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Map real ticket data: Replace the demo subject-parsing and default-role logic with the onboarding ticket's custom fields (new hire name, role, department) once the Zendesk form schema is known.
- Approval gate: Add an Approvals StartAndWaitForAnApproval before Create_User for manager sign-off.
- Hardware / assets: Branch to an asset-request action after provisioning.
- Offboarding twin: Build a reverse flow that disables the account and removes group/license on departure.
- Role map: Extend flowlibs_RoleGroupMap with more roles, each listing its Entra group ids and license SKU id.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.
- EXPR.01 Onboarding gate: Provision only tickets carrying the onboarding tag
- EXPR.02 Role config lookup: Resolve the role's group/license config from the JSON map
- EXPR.03 Group loop source: Iterate the role's group ids (empty array fallback)
- EXPR.04 UPN build: Build the new user's UPN from nickname + domain
- EXPR.05 License HTTP body: Graph assignLicense request body
- EXPR.06 Created user id (downstream): Reference the created user's object id downstream
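The following is an added example, not part of the original flow: a Python model of the logic behind EXPR.02 to EXPR.05 that checks a flowlibs_RoleGroupMap value before deployment and shows the default-role fallback, the UPN build and the Graph assignLicense request body. The function names, the sample map and the exact nickname derivation rule are assumptions.

```python
import json
import re
import uuid

# Constructed sample value for flowlibs_RoleGroupMap; the GUIDs are placeholders.
ROLE_GROUP_MAP = json.dumps({
    "GeneralStaff": {"groups": ["11111111-1111-1111-1111-111111111111"],
                     "licenseSkuId": "22222222-2222-2222-2222-222222222222"},
    "Contractor": {"groups": [], "licenseSkuId": "not-a-guid"},
})

def is_guid(value):
    """True only for the canonical hyphenated GUID form."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False

def validate_role_map(raw, default_role):
    """Return problems found in the map; an empty list means it is usable."""
    role_map, problems = json.loads(raw), []
    if default_role not in role_map:
        problems.append(f"default role {default_role!r} missing from map")
    for role, cfg in role_map.items():
        for gid in cfg.get("groups", []):  # empty-array fallback, as in EXPR.03
            if not is_guid(gid):
                problems.append(f"{role}: group id {gid!r} is not a GUID")
        if not is_guid(cfg.get("licenseSkuId")):
            problems.append(f"{role}: licenseSkuId is not a GUID")
    return problems

def resolve_role(role_map, requested, default_role):
    """Roles absent from the map resolve to the default role's config."""
    return role_map[requested] if requested in role_map else role_map[default_role]

def build_upn(display_name, domain):
    """Lowercased dotted nickname; characters outside [a-z0-9] act as separators."""
    parts = re.findall(r"[a-z0-9]+", display_name.lower())
    if not parts:
        raise ValueError("display name yields no usable nickname")
    return ".".join(parts) + "@" + domain

def license_body(cfg):
    """Body for Microsoft Graph POST /users/{id}/assignLicense."""
    return {"addLicenses": [{"skuId": cfg["licenseSkuId"], "disabledPlans": []}],
            "removeLicenses": []}
```

Running `validate_role_map` against the real environment-variable value before turning the flow on catches a malformed group or SKU id before it reaches the CreateUser and AddUserToGroup actions.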