tjson
Copper Contributor
Nov 19, 2024

Adding users to an AD group with Azure Functions/Logic Apps

I want to add users to an Entra ID/Azure AD group. The list of users will be retrieved from a REST API call with Azure Functions, and then saved into a database, probably Azure SQL. I'm planning on then using Azure Logic Apps to connect the database to the AD group. How can I make the script run every time the REST API changes? Can I add users to the AD group from SQL? Is there a better way to go about this?

  • What would your source of origin be for the users, since you are not using Entra ID as your source of authority?

  • Referring to this:

    Azure function:

    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Http;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.Azure.WebJobs;
    using Microsoft.Azure.WebJobs.Extensions.Http;
    using Microsoft.Extensions.Logging;

    [FunctionName("GetUsersFromAPI")]
    public static async Task<IActionResult> Run(
        [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req,
        ILogger log)
    {
        // Call REST API and get user data
        var users = await GetUsersFromAPI();

        // Save users to Azure SQL Database
        await SaveUsersToDatabase(users);

        return new OkResult();
    }

    Adding Users to Azure AD Group from SQL:

    -- Add user to Azure AD group
    EXEC sp_addrolemember 'db_datareader', 'email address removed for privacy reasons';

    Create and utilize Microsoft Entra server logins - Azure SQL Database & Azure SQL Managed Instance & Azure Synapse Analytics | Microsoft Learn

    Set up Microsoft Entra authentication for SQL Server - SQL Server | Microsoft Learn

    • LainRobertson
      Silver Contributor

      The following is incorrect:

      -- Add user to Azure AD group
      EXEC sp_addrolemember 'db_datareader', 'email address removed for privacy reasons';

      sp_addrolemember adds a server login or database user to a database role.

      It does not add a user to an external directory service (be that Active Directory or Azure Active Directory) group - which, to answer your question, tjson, is not directly possible from SQL itself.

      Cheers,
      Lain

  • tjson

    Please try the below steps.

    1. Fetch Users with Azure Function

    Use an Azure Function (triggered by a timer or webhook) to fetch users from the REST API.
    Save the user data into an Azure SQL database, ensuring only new/updated users are stored.

    2. Sync with Azure AD Using Logic Apps

    Use an Azure Logic App to:
      • Query the database for new users.
      • Add users to the Azure AD group using the Azure AD connector.

    3. Make It Reactive

    If the REST API supports notifications, trigger the Azure Function directly on changes. Otherwise, run it on a schedule.
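As an added example (not code from the thread), here is the membership-sync step that the Logic App or a second Azure Function has to perform, written in Python: it diffs the users staged in SQL against the group's current members and builds the Microsoft Graph group-member add requests, since SQL itself cannot touch the group. It assumes the staging table already holds Entra object IDs (not e-mail addresses), that the caller injects a `send` function that performs the HTTP call with a token holding only group-member write permission, and that Graph's `groups/{id}/members/$ref` endpoint is taken from its published API rather than from the thread.

```python
"""Added example: sync staged SQL users into an Entra ID group via Graph.
No network calls are made; `send` is injected so the logic is testable."""
from typing import Callable, Iterable, List, Set, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"  # assumed Graph base URL


def members_to_add(desired_ids: Iterable[str], current_ids: Iterable[str]) -> List[str]:
    """Object IDs present in the SQL snapshot but not yet in the group (deduplicated, order kept)."""
    current = set(current_ids)
    seen: Set[str] = set()
    missing: List[str] = []
    for oid in desired_ids:
        if oid in current or oid in seen:
            continue
        seen.add(oid)
        missing.append(oid)
    return missing


def add_member_request(group_id: str, user_object_id: str) -> dict:
    """Request Graph expects to add one directory object to a group's members."""
    return {
        "method": "POST",
        "url": f"{GRAPH}/groups/{group_id}/members/$ref",
        "json": {"@odata.id": f"{GRAPH}/directoryObjects/{user_object_id}"},
    }


def sync_group(group_id: str, desired_ids: Iterable[str], current_ids: Iterable[str],
               send: Callable[[dict], int]) -> Tuple[List[str], List[str]]:
    """Issue one add per missing member; Graph answers 204 on success.
    Anything else (e.g. 400 when the object is already a member because the
    SQL snapshot was stale) is reported back rather than silently dropped."""
    added: List[str] = []
    failed: List[str] = []
    for oid in members_to_add(desired_ids, current_ids):
        status = send(add_member_request(group_id, oid))
        (added if status == 204 else failed).append(oid)
    return added, failed


def fake_graph(group_members: Set[str]) -> Callable[[dict], int]:
    """Constructed stand-in for Graph: 204 on add, 400 if already a member."""
    def send(req: dict) -> int:
        oid = req["json"]["@odata.id"].rsplit("/", 1)[-1]
        if oid in group_members:
            return 400
        group_members.add(oid)
        return 204
    return send


if __name__ == "__main__":
    # Constructed sample: object IDs from the SQL staging table vs. the live group.
    staged = ["user-a", "user-b", "user-c", "user-a"]
    print(sync_group("group-1", staged, ["user-b"], fake_graph({"user-b", "user-c"})))
```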
