Create user in Azure Active Directory with NITRO Workflows using Microsoft Graph API

Applies to: SharePoint Online


This article describes the steps to create a user in Azure Active Directory using Microsoft Graph API in NITRO Workflows using Invoke web service action. This can be used in scenarios where new users need to be created in on-boarding type of flows. SharePoint application site will have a list with details of the user like name, email, telephone number, and other attributes. Workflow will read these attributes and connect to Azure AD to create the user.

For more details regarding Invoke Web Service action in NITRO Workflows, please refer to this article.


  1. User should be an administrator of O365 subscription.
  2. Should have full control permissions on the SharePoint site where workflow is to be configured.

Summary of Steps

  1. App Registration in Azure Active Directory (Azure AD)
    • Create a new app registration.
    • Grant API permissions.
    • Generate client secret.
  2. Configuration of NITRO Workflow

Detailed Steps

App Registration in Azure Active Directory

Azure AD app is needed to get the required access to create the user in AD. App credentials are stored as part of workflow settings in your SharePoint site and Crow Canyon does not have access to this information.

Create new app registration in Azure AD

Go to Office 365 Admin Center -> Azure Active Directory -> App Registrations -> New Registration

Direct URL:

For more details regarding app registration in Azure AD, please refer to this article:

Copy Client Id and Tenant Id after registering the App as shown in image below. These will be used later in the NITRO Workflow.

Grant API Permissions

As shown in image above, click “API Permissions” link.

Click Add a permission -> Microsoft Graph -> Application Permissions -> Add below permission levels for “Delegated” and “Application” type of permissions.

  • User.ReadWrite.All
  • Directory.ReadWrite.All

After adding permissions, click ‘Grant admin consent for ‘

Generate the client secret

Go to Certificates and secrets -> New client secret -> Add a client secret. You can give any description for the secret. Select the appropriate expiry duration for the certificate. Secret will need to be regenerated after expiry and workflow needs to be updated with new secret.

After adding client secret, copy the client secret.

Configuration of NITRO Workflow

Go to the site where we want to configure workflow to create user in Azure AD. Workflow is to be configured on the list that has the required user attributes information. Though workflow can be used with hard-coded values for user attributes, usually that will not be the case.

S. No.Column NameColumn Internal NameDescription
1First NameFirstNameSpecifies first name of the user
2Last NameLastNameSpecifies last name of the user
3Display NameDisplayNameSpecifies display name of the user
4EmailEmailSpecifies email address of the user
5PhonePhoneSpecifies mobile phone number of the user
6DepartmentDepartmentSpecifies department of the user

Go to Site Settings -> Crow Canyon NITRO Apps -> NITRO Workflows and configure the workflow as shown below:

Action1: Get Access Token

Configure invoke web service action to get access token as shown below:


In the above URL, replace “{{tenantId}}” with your tenant id that was copied in “Create new app registration” section above.






In the above, replace {{ClientId}} and {{ ClientSecretId}} that we have copied earlier.

Action2: Create AD User

Create invoke web service action to create user in azure active directory.



Select Bearer Token authentication


In “GetAccessToken##Value”, if you are using a different name for action to get token, replace ‘GetAccessToken’ with name you have specified for that action.


“accountEnabled”: true,
“displayName”: “[[UserName]]”,
“mailNickname”: “[[mailNickName]]”,
“userPrincipalName”: “[[UserPrincipleName]]”,
“passwordProfile” : {
“forceChangePasswordNextSignIn”: false,
“password”: “[[Password]]”
In above data, replace the placeholders:
[[UserName]]: Specify the name to display in the address book for the user.
[[mailNickName]]: Specify the mail alias for the user.
[[UserPrincipleName]]: Specify user principle name
[[Password]]: Specify the password profile for the user.

Example with direct values:

  "accountEnabled": true,
  "displayName": "Michael Ross",
  "mailNickname": "Michael",
  "userPrincipalName": "",
  "passwordProfile" : {
    "forceChangePasswordNextSignIn": false,
    "password": "abc123!"

Example with column placeholders from the list:

  "accountEnabled": true,
  "displayName": "%%[DisplayName|Display Name]%%",
  "mailNickname": "%%[FirstName|First Name]%%",
  "userPrincipalName": "%%[Email|Email]%%",
  "passwordProfile" : {
    "forceChangePasswordNextSignIn": false,
    "password": "abc123!"

Note: We can add other properties in JSON format in “Data” container in the above workflow action. For more properties, refer “Properties” section in below article:

Example with other properties in JSON format:

   "accountEnabled": true,
  "displayName": "Michael Ross",
  "mailNickname": "Michael",
  "userPrincipalName": "",
  "passwordProfile" : {
    "forceChangePasswordNextSignIn": false,
    "password": "abc123!"
  "companyName": "Crow Canyon",
  "department": "IT",
 "city": "Hyderabad",
 "mobilePhone": "9874563210"

Troubleshooting Scenarios:

  1. If Azure AD app credentials are not valid (Client Id and Secret), then workflow will show below error in the logs.

2. Azure AD credentials are valid, but permissions are not granted to the App.

3. If user with same username already exists in the Azure AD.

For #2 and #3, workflow will show below error in the logs.