Overview
This automation process is designed to streamline the creation of a security group in Microsoft Entra (Azure AD) from an existing Microsoft 365 (M365) group and replicate its membership. This is particularly useful when you want to apply security policies, access control, or role-based access management using security groups while leveraging existing organizational structures defined in M365 groups.
This automation is built in Power Automate and leverages:
· HTTP connector (for Graph API calls)
· Microsoft Entra (Azure AD)
· Office 365 Groups
· Dynamic expressions for content parsing and transformation.
Use Case
Organizations often use Microsoft 365 groups for collaboration (Teams, Outlook, Planner, etc.), but Entra security groups are required for administrative control, role assignments, or integration with external systems. Manually replicating groups and their members is time-consuming and error-prone. Automating this process saves time and ensures consistency.
Process Outline
The automation performs the following steps:
· Trigger the flow manually or based on an event.
· Get details of the source M365 group using Microsoft Graph.
· Extract the group’s display name and ID.
· Create a security group in Entra using the same naming convention (with cleaned mailNickname).
· Fetch all members of the source M365 group.
· Loop through the members and add each member to the new security group.
· Provide logging or output summary of success or errors.
Step-by-Step Breakdown
Step 1: Trigger the Flow
The flow can be manually triggered, scheduled, or integrated with another system or form input (e.g., a Power App or SharePoint list). In this example, a manual trigger is used to start the process with minimal user input.
Step 2: Generate Access Token
For the service principal you created, use its tenant ID, client ID, client secret and scope to request an access token (OAuth 2.0 client credentials). This access token is sent in the Authorization header of every Graph call in the following steps.
Step 3: Get M365 Group Details
Use the HTTP connector to call Microsoft Graph and retrieve group metadata. The following request lists the M365 (Unified) groups:
GET <Microsoft Graph API url>/v1.0/groups?$filter=groupTypes/any(c:c eq 'Unified')
This call returns a list of M365 groups. Use a Compose action to extract the display name of the first group for later use:
first(body('<output of previous step>')?['value'])?['displayName']
Because first() takes the first group in the result, narrow the filter (or select the group by its ID) when a specific group is the target.
Step 4: Clean the Display Name for mailNickname
The mailNickname must follow strict naming rules (no spaces or special characters). Use a Power Automate expression to transform the display name into a valid alias:
concat('sec-', replace(outputs('Compose'), ' ', ''))
This adds the prefix (sec-) and removes any spaces from the group name.
Step 5: Create the Security Group
Use the HTTP POST method to create a security group in Entra:
POST <Microsoft Graph API url>/v1.0/groups
Headers:
Authorization: Bearer <token>
Content-Type: application/json
Body:
{
"displayName": "<Group Name>",
"mailNickname": "<Nick Name of your choice>",
"mailEnabled": false,
"securityEnabled": true
}
This call creates a mail-disabled, security-enabled group. Capture the id returned in the response; the new group's ID is needed for the member additions that follow.
Step 6: Fetch Members of the M365 Group
Using the original M365 group’s ID, call the Graph API to retrieve all members:
GET <Microsoft Graph API url>/v1.0/groups/{group-id}/members
This returns an array of member objects, including their IDs.
Step 7: Loop Through Members and Add to Security Group
Use an ‘Apply to each’ loop to iterate through each member object returned in the previous step.
Inside the loop, use another HTTP POST call:
POST <Microsoft Graph API url>/v1.0/groups/{security-group-id}/members/$ref
Body:
{
"@odata.id": "<Microsoft Graph API url>/v1.0/directoryObjects/{member-id}"
}
This adds the user to the security group by referencing their directory object ID. You can add error-handling logic here to catch issues like disabled accounts or existing membership.
Step 8: Output Results
Use Compose or Append to string variable actions to log member additions, errors, or time taken. Optionally, send a final email with the summary or store it in a SharePoint list or Excel sheet.
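The flow from Step 2 onward, as plain Python against Microsoft Graph so the logic can be read and tested outside Power Automate. This is an added example, not the original flow's code; it assumes the access token has already been obtained as in Step 2 and that a hypothetical send(method, url, headers, json_body) callable returning (status_code, parsed_json) is passed in, which is how the logic runs offline. It goes beyond the flow in two places: it follows @odata.nextLink so paged member lists are copied completely, and it treats the Graph "already exist" error as a skip so a re-run does not fail.

```python
import re

GRAPH = "https://graph.microsoft.com/v1.0"
# send(method, url, headers, json_body) -> (status_code, parsed_json) is injected by the caller.

def clean_nickname(display_name, prefix="sec-"):
    """mailNickname alias: prefix plus the display name without spaces or special characters."""
    return prefix + re.sub(r"[^A-Za-z0-9._-]", "", display_name)

def get_all(send, url, hdr):
    """Follow @odata.nextLink: Graph returns members in pages, so a single GET can miss members."""
    items = []
    while url:
        status, page = send("GET", url, hdr, None)
        if status != 200:
            raise RuntimeError(f"GET {url} failed with {status}")
        items.extend(page["value"])
        url = page.get("@odata.nextLink")
    return items

def replicate(send, token, source_group_id):
    """Create the security group and copy the source group's user members; returns a log-ready summary."""
    hdr = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, src = send("GET", f"{GRAPH}/groups/{source_group_id}", hdr, None)
    if status != 200:
        raise RuntimeError(f"source group lookup failed with {status}")
    status, new = send("POST", f"{GRAPH}/groups", hdr, {
        "displayName": src["displayName"], "mailNickname": clean_nickname(src["displayName"]),
        "mailEnabled": False, "securityEnabled": True})
    if status != 201:
        raise RuntimeError(f"group creation failed with {status}: {new}")
    out = {"groupId": new["id"], "added": [], "skipped": [], "failed": []}
    for m in get_all(send, f"{GRAPH}/groups/{source_group_id}/members", hdr):
        if m.get("@odata.type") != "#microsoft.graph.user":  # nested groups/devices are not copied
            out["skipped"].append(m["id"])
            continue
        status, err = send("POST", f"{GRAPH}/groups/{new['id']}/members/$ref", hdr,
                           {"@odata.id": f"{GRAPH}/directoryObjects/{m['id']}"})
        if status == 204:
            out["added"].append(m["id"])
        elif status == 400 and "already exist" in str(err):  # Graph's duplicate-member error: re-run safe
            out["skipped"].append(m["id"])
        else:
            out["failed"].append((m["id"], status))  # surfaced for the Step 8 summary
    return out
```

For a live tenant, the sender can wrap requests.request(method, url, headers=headers, json=body) and return (r.status_code, r.json() if r.content else {}).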
Key Considerations
Authentication
The HTTP connector uses OAuth 2.0 authentication with a registered app in Entra (Azure AD). Make sure:
· The app has Group.ReadWrite.All, User.Read.All, and Directory.ReadWrite.All permissions.
· You’ve granted admin consent.
· The token is correctly generated and passed in the Authorization header.
Error Handling
Implement try-catch patterns using Scope, Configure Run After, and Terminate actions for robust error handling, especially:
· If group creation fails
· If adding a member fails
· If the source group is empty
Benefits of This Automation
· Time-Saving: Automates repetitive, manual IT tasks.
· Accuracy: Reduces human errors during group replication.
· Consistency: Ensures naming conventions and group structures are followed.
· Integration Ready: Can be triggered by service requests, apps, or other flows.
Conclusion
This Power Automate flow provides an efficient and scalable way to replicate Microsoft 365 groups into Entra security groups, ensuring consistent access control and centralized user management. With Graph API, expressions, and robust logic, it’s a perfect example of how automation can enhance IT processes while aligning with enterprise security and compliance goals.
Addend Analytics is a leading Power BI consulting services provider and Microsoft Power BI partner based in Mumbai, India. In addition to Power BI implementations, we specialize in providing end-to-end solutions like Business Central with Power BI to unlock actionable insights. Our expertise also extends to Microsoft Fabric consulting, offering competitive Microsoft Fabric pricing to meet your business needs.
We have successfully delivered Power BI for the manufacturing industry, with real-time Power BI manufacturing dashboards, and have completed over 100 projects across industries such as financial services, banking, insurance, retail, sales, real estate, logistics, and healthcare. Whether you're exploring Business Central implementation cost or seeking advanced data analytics, Addend Analytics is here to help. Get a free consultation now by emailing us at kamal.sharma@addendanalytics.com.