Microsoft Entra ID Component
Manage users, groups, and applications in Microsoft Entra ID (formerly Azure Active Directory).
Component key: ms-entra-id
Description
Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based identity and access management service from Microsoft that helps employees sign in and access resources.
Use the Microsoft Entra ID component to manage users, groups, and applications.
API Documentation
This component was built using the Microsoft Graph REST API v1.0.
Connections
OAuth 2.0
key: msEntraIdOauth2
This authentication method may be used when an App requires granting admin consent to API permissions, in addition to authorizing the integration with the App's configured client credentials.
The Microsoft Entra ID component authenticates requests through the Microsoft Graph API.
Prerequisites
- A Microsoft Azure account with access to the Microsoft Entra Admin Center or Microsoft Azure Portal
- Permissions to create App Registrations in the tenant
Setup Steps
- Navigate to App Registrations.
- When creating the application, select Supported account types.
- Select Accounts in any organizational directory (Any Azure AD directory - Multitenant).
- Navigate to Redirect URI and add the Web platform. Enter the redirect URI as https://oauth2.prismatic.io/callback.
- Select Register to complete.
- In the App, navigate to Certificates & Secrets and select New client secret. Copy and save the Value for use in the connection configuration of the integration (the value will not be shown again).
- Next, navigate to the Overview section and copy the Application (client) ID.
- Navigate to the API Permissions section to assign the proper permissions for the integration. Select Add Permission and select all permissions that are required for the desired integration. A full list of scopes can be found on the Microsoft Graph API documentation.
- Recommended scopes for Active Directory can be found in Microsoft Graph > Delegated permissions:
Group.ReadWrite.All GroupMember.ReadWrite.All Application.ReadWrite.All User.Read.All offline_access
Configure the Connection
Supply the following values to the OAuth 2.0 connection:
- Client ID: The Application (client) ID from the App Registration.
- Client Secret: The Value provided from Certificates & Secrets (not the Secret ID).
- Scopes: The assigned API permissions. The default value is set to:
Group.ReadWrite.All GroupMember.ReadWrite.All Application.ReadWrite.All User.Read.All offline_access
- Authorize URL: The OAuth 2.0 authorization endpoint. Defaults to https://login.microsoftonline.com/common/oauth2/v2.0/authorize. If Multitenant was not selected when creating the App, replace with a tenant-specific URL.
- Token URL: The OAuth 2.0 token endpoint. Defaults to https://login.microsoftonline.com/common/oauth2/v2.0/token. If Multitenant was not selected, replace with a tenant-specific URL.
| Input | Notes | Example |
|---|---|---|
| Authorize URL | The OAuth 2.0 authorization endpoint for Microsoft Entra ID. | https://login.microsoftonline.com/common/oauth2/v2.0/authorize |
| Client ID | The Client ID from the App Registration in the Azure Portal. | |
| Client Secret | The Client Secret from the App Registration in the Azure Portal. | |
| Scopes | Space-separated list of OAuth permission scopes to request. | Group.ReadWrite.All GroupMember.ReadWrite.All Application.ReadWrite.All User.Read.All offline_access |
| Token URL | The OAuth 2.0 token endpoint for Microsoft Entra ID. | https://login.microsoftonline.com/common/oauth2/v2.0/token |
Triggers
Group Changes
Receive group change notifications from Microsoft Entra ID. Automatically creates and manages a webhook subscription for groups when the instance is deployed, and removes the subscription when the instance is deleted. | key: groupTrigger
| Input | Notes | Example |
|---|---|---|
| Change Type | The type of change on the subscribed resource that triggers a notification. 'Created / Updated / Soft Deleted' covers created, updated, and soft-deleted events. 'Permanently Deleted' covers permanent deletion. | updated |
| Connection | The Microsoft Entra ID connection to use. | |
| Expiration Date Time | The date and time when the trigger subscription expires. If not specified, the subscription defaults to 29 days from the current date and time. This trigger must be reactivated after expiration. | 2016-11-20T18:23:45.9356913Z |
This trigger receives change notifications from Microsoft Entra ID when groups are created, updated, or deleted. Unlike the manual Webhook trigger, this trigger automatically manages the subscription lifecycle.
How It Works
When this trigger is used in a flow:
- On Instance Deploy: The trigger automatically creates a subscription in Microsoft Graph for group change notifications, pointing to the instance's unique webhook URL. If a subscription with the same URL already exists, it updates the existing subscription's expiration instead of creating a duplicate.
- On Instance Deletion: The trigger automatically removes all subscriptions associated with the instance's webhook URL.
The trigger uses two branches to handle incoming requests:
- URL Validation: Automatically responds to Microsoft Graph's validation handshake when the subscription is created or renewed.
- Notification: Routes all group change notification payloads for processing.
Configuration
Configure the following inputs:
- Connection: The OAuth 2.0 connection to Microsoft Entra ID.
- Change Type: The types of changes to monitor. Select "Created / Updated / Soft Deleted" for standard change tracking, or "Permanently Deleted" for hard-delete notifications.
- Expiration Date Time: Optional. The date and time when the subscription expires. If not specified, defaults to 29 days from creation. The subscription must be reactivated after expiration.
Event Types
Supported Change Types (2)
| Change Type | Description |
|---|---|
| updated | Group is created, updated, or soft deleted |
| deleted | Group is permanently deleted |
Refer to the Microsoft Graph change notifications documentation for additional details on group change notifications.
Returned Data
Example Notification Payload
{
"value": [
{
"changeType": "updated",
"clientState": "secretClientValue",
"resource": "groups/00000000-0000-0000-0000-000000000000",
"resourceData": {
"@odata.type": "#Microsoft.Graph.Group",
"@odata.id": "groups/00000000-0000-0000-0000-000000000000",
"id": "00000000-0000-0000-0000-000000000000"
},
"subscriptionId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
"subscriptionExpirationDateTime": "2026-03-20T18:23:45.9356913Z",
"tenantId": "11111111-2222-3333-4444-555555555555"
}
]
}
Notes
- Group subscriptions have a maximum lifetime of 29 days (41,760 minutes). The trigger sets this as the default expiration when no custom value is provided.
- The subscription is automatically renewed on each instance deploy, extending the expiration window.
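The deploy-time decision described under How It Works (renew a subscription that already points at the webhook URL, otherwise create one, with the 29-day limit applied) can be sketched as follows; the same logic applies to the User Changes trigger. This is an added example, not Prismatic or Microsoft code: `planSubscription`, `resolveExpiration`, their argument names, the `/groups` resource value and the sample URL are assumptions.

```javascript
// Added example (not Prismatic or Microsoft code). Function and argument
// names are assumptions; request bodies use the Graph subscription
// properties that appear in this page's sample responses.
const MAX_LIFETIME_MINUTES = 41760; // 29 days, the limit stated in the Notes

// Turns the optional "Expiration Date Time" input into a value Graph accepts.
function resolveExpiration(now, requested) {
  const nowMs = now.getTime();
  const maxMs = nowMs + MAX_LIFETIME_MINUTES * 60 * 1000;
  if (requested === undefined || requested === null || requested === "") {
    return { expirationDateTime: new Date(maxMs).toISOString(), clamped: false };
  }
  // Graph timestamps carry 7 fractional digits; keep 3 so Date.parse is portable.
  const parsed = Date.parse(String(requested).replace(/(\.\d{3})\d+/, "$1"));
  if (Number.isNaN(parsed)) {
    throw new RangeError("Expiration Date Time is not a valid date");
  }
  if (parsed <= nowMs) {
    throw new RangeError("Expiration Date Time is not in the future");
  }
  return {
    expirationDateTime: new Date(Math.min(parsed, maxMs)).toISOString(),
    clamped: parsed > maxMs, // true when the request exceeded the 29-day limit
  };
}

// Decides which Graph call a deploy should make. `existing` is the current
// list of subscriptions (objects with at least id and notificationUrl).
function planSubscription({ existing, notificationUrl, resource, changeType,
                            clientState, now, requestedExpiry }) {
  // Graph only delivers change notifications to HTTPS endpoints.
  if (new URL(notificationUrl).protocol !== "https:") {
    throw new RangeError("notificationUrl must use https");
  }
  const { expirationDateTime, clamped } = resolveExpiration(now, requestedExpiry);
  const matches = existing.filter((s) => s.notificationUrl === notificationUrl);

  if (matches.length > 0) {
    // Same URL already subscribed: extend it instead of creating a duplicate.
    const [keep, ...extra] = matches;
    return {
      action: "renew",
      method: "PATCH",
      path: `/subscriptions/${keep.id}`,
      body: { expirationDateTime },
      clamped,
      duplicates: extra.map((s) => s.id), // leftovers worth cleaning up
    };
  }
  return {
    action: "create",
    method: "POST",
    path: "/subscriptions",
    body: { changeType, notificationUrl, resource, expirationDateTime, clientState },
    clamped,
    duplicates: [],
  };
}

// Constructed sample input.
const SAMPLE_DEPLOY = {
  existing: [],
  notificationUrl: "https://hooks.example.invalid/trigger/abc",
  resource: "/groups",
  changeType: "updated",
  clientState: "constructed-secret",
  now: new Date("2026-02-19T00:00:00.000Z"),
};
console.log(planSubscription(SAMPLE_DEPLOY).body.expirationDateTime);
```
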
User Changes
Receive user change notifications from Microsoft Entra ID. Automatically creates and manages a webhook subscription for users when the instance is deployed, and removes the subscription when the instance is deleted. | key: userTrigger
| Input | Notes | Example |
|---|---|---|
| Change Type | The type of change on the subscribed resource that triggers a notification. 'Created / Updated / Soft Deleted' covers created, updated, and soft-deleted events. 'Permanently Deleted' covers permanent deletion. | updated |
| Connection | The Microsoft Entra ID connection to use. | |
| Expiration Date Time | The date and time when the trigger subscription expires. If not specified, the subscription defaults to 29 days from the current date and time. This trigger must be reactivated after expiration. | 2016-11-20T18:23:45.9356913Z |
This trigger receives change notifications from Microsoft Entra ID when users are created, updated, or deleted. Unlike the manual Webhook trigger, this trigger automatically manages the subscription lifecycle.
How It Works
When this trigger is used in a flow:
- On Instance Deploy: The trigger automatically creates a subscription in Microsoft Graph for user change notifications, pointing to the instance's unique webhook URL. If a subscription with the same URL already exists, it updates the existing subscription's expiration instead of creating a duplicate.
- On Instance Deletion: The trigger automatically removes all subscriptions associated with the instance's webhook URL.
The trigger uses two branches to handle incoming requests:
- URL Validation: Automatically responds to Microsoft Graph's validation handshake when the subscription is created or renewed.
- Notification: Routes all user change notification payloads for processing.
Configuration
Configure the following inputs:
- Connection: The OAuth 2.0 connection to Microsoft Entra ID.
- Change Type: The types of changes to monitor. Select "Created / Updated / Soft Deleted" for standard change tracking, or "Permanently Deleted" for hard-delete notifications.
- Expiration Date Time: Optional. The date and time when the subscription expires. If not specified, defaults to 29 days from creation. The subscription must be reactivated after expiration.
Event Types
Supported Change Types (2)
| Change Type | Description |
|---|---|
| updated | User is created, updated, or soft deleted |
| deleted | User is permanently deleted |
Refer to the Microsoft Graph change notifications documentation for additional details on user change notifications.
Returned Data
Example Notification Payload
{
"value": [
{
"changeType": "updated",
"clientState": "secretClientValue",
"resource": "users/00000000-0000-0000-0000-000000000000",
"resourceData": {
"@odata.type": "#Microsoft.Graph.User",
"@odata.id": "users/00000000-0000-0000-0000-000000000000",
"id": "00000000-0000-0000-0000-000000000000"
},
"subscriptionId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
"subscriptionExpirationDateTime": "2026-03-20T18:23:45.9356913Z",
"tenantId": "11111111-2222-3333-4444-555555555555"
}
]
}
Notes
- User subscriptions have a maximum lifetime of 29 days (41,760 minutes). The trigger sets this as the default expiration when no custom value is provided.
- The subscription is automatically renewed on each instance deploy, extending the expiration window.
Webhook
Receive and validate webhook requests from Microsoft Entra ID for manually configured webhook subscriptions. | key: webhook
This trigger receives and validates change notification webhook requests from Microsoft Entra ID for manually configured webhook subscriptions.
Unlike the Group Trigger and User Trigger (which manage subscriptions automatically), this trigger requires manual subscription creation through the Create Subscription API or the component's subscription actions.
How It Works
This trigger uses two branches to handle incoming requests:
- URL Validation: When Microsoft Graph creates or renews a subscription, it sends a validation request with a validationToken query parameter. The trigger automatically responds with the token to confirm the endpoint, completing the subscription validation handshake.
- Notification: All subsequent change notification payloads are routed to this branch for processing.
The trigger automatically detects which type of request is received and routes it to the correct branch.
Configuration
This trigger has no additional inputs. Point the manually created subscription's notificationUrl to the flow's webhook URL.
Event Types
The events received depend on the subscription configuration. Microsoft Graph supports change notifications for a wide range of resources.
Common Resources (5)
| Resource | Description |
|---|---|
| users | User profile changes (create, update, delete) |
| groups | Group changes (create, update, delete, membership) |
| contacts | Organizational contact changes |
| devices | Device registration and property changes |
| applications | Application registration changes |
Refer to the Microsoft Graph change notifications documentation for the complete and up-to-date list of supported resources.
Returned Data
Example Notification Payload
{
"value": [
{
"changeType": "updated",
"clientState": "secretClientValue",
"resource": "users/00000000-0000-0000-0000-000000000000",
"resourceData": {
"@odata.type": "#Microsoft.Graph.User",
"@odata.id": "users/00000000-0000-0000-0000-000000000000",
"id": "00000000-0000-0000-0000-000000000000"
},
"subscriptionId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
"subscriptionExpirationDateTime": "2026-03-20T18:23:45.9356913Z",
"tenantId": "11111111-2222-3333-4444-555555555555"
}
]
}
Notes
- Subscriptions have a maximum lifetime that varies by resource type. Refer to the subscription resource documentation for expiration limits.
- Consider using the Group Trigger or User Trigger instead for automatic subscription lifecycle management.
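The two branches described for this trigger (and for the Group Changes and User Changes triggers) look like this when written out, together with the checks a receiving flow would apply to each notification before acting on it. This is an added example, not Prismatic or Microsoft code: `handleGraphWebhook`, `checkNotification`, the request shape and the `EXPECTED` settings are assumptions, and the sample values are the placeholder IDs from the payload above.

```javascript
// Added example (not Prismatic or Microsoft code). The request shape
// { url, body } and the `expected` settings object are assumptions.

// Comparison whose running time does not depend on where the strings differ.
// Dependency-free for this example; in Node.js, crypto.timingSafeEqual is the
// standard call for this.
function constantTimeEqual(a, b) {
  const x = Buffer.from(String(a ?? ""), "utf8");
  const y = Buffer.from(String(b ?? ""), "utf8");
  let diff = x.length ^ y.length;
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  }
  return diff === 0;
}

// Returns null when the notification is acceptable, otherwise a reason string.
function checkNotification(n, expected) {
  if (typeof n !== "object" || n === null) return "not an object";
  // Only subscriptions this integration created are listed in `expected`.
  const secret = expected.subscriptions.get(String(n.subscriptionId));
  if (secret === undefined) return "unknown subscriptionId";
  // clientState is the shared value supplied when the subscription was created.
  if (typeof n.clientState !== "string" || !constantTimeEqual(n.clientState, secret)) {
    return "clientState mismatch";
  }
  if (n.tenantId !== expected.tenantId) return "unexpected tenantId";
  if (!expected.changeTypes.includes(n.changeType)) return "unexpected changeType";
  return null;
}

function handleGraphWebhook(request, expected) {
  // The base is only used when request.url is a relative path.
  const url = new URL(request.url, "https://placeholder.invalid");
  const token = url.searchParams.get("validationToken");

  // Branch 1, URL validation: echo the decoded token back as plain text.
  // text/plain keeps the reflected value from being rendered as HTML.
  if (token !== null) {
    return { branch: "validation", status: 200,
             headers: { "Content-Type": "text/plain" }, body: token,
             accepted: [], rejected: [] };
  }

  // Branch 2, notification: parse, then vet every item in `value`.
  let payload = null;
  try {
    payload = JSON.parse(request.body);
  } catch {
    payload = null;
  }
  if (!payload || !Array.isArray(payload.value)) {
    return { branch: "notification", status: 400, headers: {}, body: "",
             accepted: [], rejected: [] };
  }
  const accepted = [];
  const rejected = [];
  for (const n of payload.value) {
    const reason = checkNotification(n, expected);
    if (reason === null) accepted.push(n);
    else rejected.push({ subscriptionId: n?.subscriptionId ?? null, reason });
  }
  // Acknowledge receipt with 202. Only `accepted` goes on to the flow;
  // `rejected` is what to log and alert on.
  return { branch: "notification", status: 202, headers: {}, body: "",
           accepted, rejected };
}

// Constructed settings and sample, using the placeholder values shown above.
const EXPECTED = {
  tenantId: "11111111-2222-3333-4444-555555555555",
  changeTypes: ["updated", "deleted"],
  subscriptions: new Map([
    ["aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "secretClientValue"],
  ]),
};
const SAMPLE_NOTIFICATION = {
  changeType: "updated",
  clientState: "secretClientValue",
  resource: "users/00000000-0000-0000-0000-000000000000",
  subscriptionId: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  tenantId: "11111111-2222-3333-4444-555555555555",
};
const forged = { ...SAMPLE_NOTIFICATION, clientState: "guess" };
console.log(handleGraphWebhook(
  { url: "/hook", body: JSON.stringify({ value: [SAMPLE_NOTIFICATION, forged] }) },
  EXPECTED,
).rejected);
```
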
Data Sources
Select Application
Select an application from a picklist. | key: selectApplication | type: picklist
| Input | Notes | Example |
|---|---|---|
| Connection | The Microsoft Entra ID connection to use. | |
Select Group
Select a group from a picklist. | key: selectGroup | type: picklist
| Input | Notes | Example |
|---|---|---|
| Connection | The Microsoft Entra ID connection to use. | |
Select Group Member
Select a group member from a picklist. | key: selectGroupMember | type: picklist
| Input | Notes | Example |
|---|---|---|
| Connection | The Microsoft Entra ID connection to use. | |
| Group ID | The unique identifier of the group. | b320ee12-b1cd-4cca-b648-a437be61c5cd |
Select Subscription
Select an active subscription from a picklist. | key: selectSubscription | type: picklist
| Input | Notes | Example |
|---|---|---|
| Connection | The Microsoft Entra ID connection to use. | |
{
"result": [
{
"label": "/users",
"key": "example-subscription-id-123"
}
]
}
Select User
Select a user from a picklist. | key: selectUser | type: picklist
| Input | Notes | Example |
|---|---|---|
| Connection | The Microsoft Entra ID connection to use. | |
{
"result": [
{
"label": "Example User",
"key": "example-user-id-123"
}
]
}
Actions
Add Member to Group
Add a member to a group. | key: addMemberToGroup
| Input | Notes | Example |
|---|---|---|
| Connection | The Microsoft Entra ID connection to use. | |
| Group ID | The ID of the group to add the member to. | b320ee12-b1cd-4cca-b648-a437be61c5cd |
| Group Member OData ID | The @odata.id property with a reference by ID to a supported group member object type. | https://graph.microsoft.com/v1.0/directoryObjects/12345678-1234-1234-1234-123456789012 |
{
"data": {
"success": true
}
}
Create Application
Creates (registers) a new application. | key: createApplication
| Input | Notes | Example |
|---|---|---|
| Additional Properties | Additional properties that are not covered by the other inputs. This should be a JSON object and will be merged with the other inputs. See Create Application API. | |
| Connection | The Microsoft Entra ID connection to use. | |
| Display Name | The display name of the application. | My Application |
{
"data": {
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications/$entity",
"id": "03ef14b0-ca33-4840-8f4f-d6e91916010e",
"deletedDateTime": null,
"isFallbackPublicClient": null,
"appId": "631a96bc-a705-4eda-9f99-fdaf9f54f6a2",
"applicationTemplateId": null,
"identifierUris": [],
"createdDateTime": "2019-09-17T19:10:35.2742618Z",
"displayName": "Display name",
"isDeviceOnlyAuthSupported": null,
"groupMembershipClaims": null,
"optionalClaims": null,
"addIns": [],
"publisherDomain": "contoso.com",
"samlMetadataUrl": "https://graph.microsoft.com/2h5hjaj542de/app",
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"tags": [],
"tokenEncryptionKeyId": null,
"api": {
"requestedAccessTokenVersion": 2,
"acceptMappedClaims": null,
"knownClientApplications": [],
"oauth2PermissionScopes": [],
"preAuthorizedApplications": []
},
"appRoles": [],
"publicClient": {
"redirectUris": []
},
"info": {
"termsOfServiceUrl": null,
"supportUrl": null,
"privacyStatementUrl": null,
"marketingUrl": null,
"logoUrl": null
},
"keyCredentials": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [],
"requiredResourceAccess": [],
"web": {
"redirectUris": [],
"homePageUrl": null,
"logoutUrl": null,
"implicitGrantSettings": {
"enableIdTokenIssuance": false,
"enableAccessTokenIssuance": false
}
}
}
}
Create Group
Create a new group. It can be a Microsoft 365 group, dynamic group, or security group. | key: createGroup
| Input | Notes | Example |
|---|---|---|
| Additional Properties | Additional properties that are not covered by the other inputs. This should be a JSON object and will be merged with the other inputs. See Create Group API. | |
| Connection | The Microsoft Entra ID connection to use. | |
| Display Name | The name to display in the address book for the group. | Marketing Team |
| Group Types | The type of group and its membership. | Unified |
| Mail Enabled | When true, the group is mail-enabled. | true |
| Mail Nickname | The mail alias for the group, unique for Microsoft 365 groups in the organization. This property can contain only characters in the ASCII character set 0 - 127 except the following: @ () \ [] " ; : <> , SPACE. | MarketingTeam |
| Security Enabled | When true, the group is security-enabled, including Microsoft 365 groups. Groups created using the Microsoft Entra admin center or the Azure portal always have securityEnabled initially set to true. | true |
{
"data": {
"id": "b320ee12-b1cd-4cca-b648-a437be61c5cd",
"deletedDateTime": null,
"classification": null,
"createdDateTime": "2018-12-22T00:51:37Z",
"description": "Self help community for library",
"displayName": "Library Assist",
"groupTypes": [
"Unified"
],
"mail": "library7423@contoso.com",
"mailEnabled": true,
"mailNickname": "library",
"onPremisesLastSyncDateTime": null,
"onPremisesSecurityIdentifier": null,
"onPremisesSyncEnabled": null,
"preferredDataLocation": "CAN",
"proxyAddresses": [
"SMTP:library7423@contoso.com"
],
"renewedDateTime": "2018-12-22T00:51:37Z",
"resourceBehaviorOptions": [],
"resourceProvisioningOptions": [],
"securityEnabled": false,
"visibility": "Public",
"onPremisesProvisioningErrors": []
}
}
Create Subscription
Create a subscription to receive notifications when changes occur in the specified object. | key: createSubscription
| Input | Notes | Example |
|---|---|---|
| Additional Properties | Additional properties that are not covered by the other inputs. This should be a JSON object and will be merged with the other inputs. See Create Subscription API. | |
| Change Type | Indicates the type of change in the subscribed resource that raises a change notification. The supported values are: created, updated, deleted. Multiple values can be combined using a comma-separated list. | created |
| Connection | The Microsoft Entra ID connection to use. | |
| Expiration Date Time | Specifies the date and time when the webhook subscription expires. The time is in UTC, and can be an amount of time from subscription creation that varies for the resource subscribed to. Format: ISO 8601 (e.g., 2016-11-20T18:23:45.9356913Z). | 2016-11-20T18:23:45.9356913Z |
| Header | A list of headers to send with the request. | User-Agent: curl/7.64.1 |
| Notification URL | The URL of the endpoint that receives the change notifications. | https://webhook.azurewebsites.net/api/send/myNotifyClient |
| Resource | The resource that will be monitored for changes. See supported resources for a full list. | /users |
{
"data": {
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#subscriptions/$entity",
"id": "7f105c7d-2dc5-4530-97cd-4e7ae6534c07",
"resource": "me/mailFolders('Inbox')/messages",
"applicationId": "24d3b144-21ae-4080-943f-7067b395b913",
"changeType": "created",
"clientState": "secretClientValue",
"notificationUrl": "https://webhook.azurewebsites.net/api/send/myNotifyClient",
"expirationDateTime": "2016-11-20T18:23:45.9356913Z",
"creatorId": "8ee44408-0679-472c-bc2a-692812af3437",
"latestSupportedTlsVersion": "v1_2",
"notificationContentType": "application/json"
}
}
Create User
Create a new user. | key: createUser
| Input | Notes | Example |
|---|---|---|
| Account Enabled | When true, the account is enabled. | true |
| Additional Properties | Additional properties that are not covered by the other inputs. This should be a JSON object and will be merged with the other inputs. See Create User API. | |
| Connection | The Microsoft Entra ID connection to use. | |
| Display Name | The display name of the user. | Adele Vance |
| Domain | The domain for the user, this must be an existing domain in the tenant. | domain.onmicrosoft.com |
| Force Change Password Next Sign In | When true, the user is required to change their password on the next sign-in. | true |
| Password | The initial password for the user account. Must meet the tenant's password complexity requirements. | Jaka889740 |
| User Principal Name | The user principal name (UPN) for the account, in the format alias@domain. The domain must be a verified domain in the tenant. | AdeleV@contoso.com |
{
"data": {
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
"id": "87d349ed-44d7-43e1-9a83-5f2406dee5bd",
"businessPhones": [],
"displayName": "Adele Vance",
"givenName": "Adele",
"jobTitle": "Product Marketing Manager",
"mail": "AdeleV@contoso.com",
"mobilePhone": "+1 425 555 0109",
"officeLocation": "18/2111",
"preferredLanguage": "en-US",
"surname": "Vance",
"userPrincipalName": "AdeleV@contoso.com"
}
}
Delete Application
Deletes an application object. | key: deleteApplication
| Input | Notes | Example |
|---|---|---|
| Application Object ID | The ID of the application to delete. | 03ef14b0-ca33-4840-8f4f-d6e91916010e |
| Connection | The Microsoft Entra ID connection to use. | |
{
"data": {
"success": true
}
}
Delete Group
Deletes a group object. | key: deleteGroup
| Input | Notes | Example |
|---|---|---|
| Connection | The Microsoft Entra ID connection to use. | |
| Group ID | The ID of the group to delete. | b320ee12-b1cd-4cca-b648-a437be61c5cd |
{
"data": {
"success": true
}
}
Delete Instanced Subscriptions
Delete all webhooks that point to a flow in this instance. | key: deleteInstancedSubscriptions
| Input | Notes | Example |
|---|---|---|
| Connection | The Microsoft Entra ID connection to use. | |
{
"data": {
"subscriptionsRemoved": [
"26ebd1e9-c54a-4bbe-9583-fc05974952a4",
"b9b27172-ee2e-4248-86df-fc98cb71d914"
]
}
}
Delete Subscription
Deletes a subscription object. | key: deleteSubscription
| Input | Notes | Example |
|---|---|---|
| Connection | The Microsoft Entra ID connection to use. | |
| Subscription ID | The ID of the subscription to delete. | 12345678-1234-1234-1234-123456789012 |
{
"data": {
"success": true
}
}
Delete User
Deletes a user. | key: deleteUser
| Input | Notes | Example |
|---|---|---|
| Connection | The Microsoft Entra ID connection to use. | |
| User ID | Unique Identifier for the user to delete. This can be the user's id or userPrincipalName. | d36894ae-94ae-d368-ae94-68d3ae9468d3 |
{
"data": {
"success": true
}
}
Get Application
Read properties of an application object. | key: getApplication
| Input | Notes | Example |
|---|---|---|
| Application Object ID | The ID of the application to read. | 03ef14b0-ca33-4840-8f4f-d6e91916010e |
| Connection | The Microsoft Entra ID connection to use. | |
{
"data": {
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications/$entity",
"id": "03ef14b0-ca33-4840-8f4f-d6e91916010e",
"deletedDateTime": null,
"isFallbackPublicClient": null,
"appId": "631a96bc-a705-4eda-9f99-fdaf9f54f6a2",
"applicationTemplateId": null,
"identifierUris": [],
"createdDateTime": "2019-09-17T19:10:35.2742618Z",
"displayName": "Display name",
"isDeviceOnlyAuthSupported": null,
"groupMembershipClaims": null,
"optionalClaims": null,
"addIns": [],
"publisherDomain": "contoso.com",
"samlMetadataUrl": "https://graph.microsoft.com/2h5hjaj542de/app",
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"tags": [],
"tokenEncryptionKeyId": null,
"api": {
"requestedAccessTokenVersion": 2,
"acceptMappedClaims": null,
"knownClientApplications": [],
"oauth2PermissionScopes": [],
"preAuthorizedApplications": []
},
"appRoles": [],
"publicClient": {
"redirectUris": []
},
"info": {
"termsOfServiceUrl": null,
"supportUrl": null,
"privacyStatementUrl": null,
"marketingUrl": null,
"logoUrl": null
},
"keyCredentials": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [],
"requiredResourceAccess": [],
"web": {
"redirectUris": [],
"homePageUrl": null,
"logoutUrl": null,
"implicitGrantSettings": {
"enableIdTokenIssuance": false,
"enableAccessTokenIssuance": false
}
}
}
}
Get Group
Read properties of a group object. | key: getGroup
| Input | Notes | Example |
|---|---|---|
| Select | A comma-separated list of OData properties to include in the response, reducing payload size. | givenName,surname |
| Connection | The Microsoft Entra ID connection to use. | |
| Group ID | The unique identifier of the group. | b320ee12-b1cd-4cca-b648-a437be61c5cd |
{
"data": {
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups/$entity",
"id": "02bd9fd6-8f93-4758-87c3-1fb73740a315",
"deletedDateTime": null,
"classification": null,
"createdDateTime": "2017-07-31T18:56:16Z",
"description": "Welcome to the HR Taskforce team.",
"displayName": "HR Taskforce",
"expirationDateTime": null,
"groupTypes": [
"Unified"
],
"isAssignableToRole": null,
"mail": "HRTaskforce@contoso.com",
"mailEnabled": true,
"mailNickname": "HRTaskforce",
"membershipRule": null,
"membershipRuleProcessingState": null,
"onPremisesDomainName": null,
"onPremisesLastSyncDateTime": null,
"onPremisesNetBiosName": null,
"onPremisesSamAccountName": null,
"onPremisesSecurityIdentifier": null,
"onPremisesSyncEnabled": null,
"preferredDataLocation": null,
"preferredLanguage": null,
"proxyAddresses": [
"SMTP:HRTaskforce@contoso.com",
"SPO:SPO_896cf652-b200-4b74-8111-c013f64406cf@SPO_dcd219dd-bc68-4b9b-bf0b-4a33a796be35"
],
"renewedDateTime": "2020-01-24T19:01:14Z",
"resourceBehaviorOptions": [],
"resourceProvisioningOptions": [
"Team"
],
"securityEnabled": false,
"securityIdentifier": "S-1-12-1-45981654-1196986259-3072312199-363020343",
"serviceProvisioningErrors": [],
"theme": null,
"visibility": "Private",
"onPremisesProvisioningErrors": []
}
}
Get Subscription
Read properties of a subscription object. | key: getSubscription
| Input | Notes | Example |
|---|---|---|
| Connection | The Microsoft Entra ID connection to use. | |
| Subscription ID | The ID of the subscription to read. | 12345678-1234-1234-1234-123456789012 |
{
"data": {
"id": "7f105c7d-2dc5-4530-97cd-4e7ae6534c07",
"resource": "me/messages",
"applicationId": "24d3b144-21ae-4080-943f-7067b395b913",
"changeType": "created,updated",
"clientState": "secretClientValue",
"notificationUrl": "https://webhook.azurewebsites.net/api/send/myNotifyClient",
"lifecycleNotificationUrl": "https://webhook.azurewebsites.net/api/send/lifecycleNotifications",
"expirationDateTime": "2016-11-20T18:23:45.9356913Z",
"creatorId": "8ee44408-0679-472c-bc2a-692812af3437",
"latestSupportedTlsVersion": "v1_2",
"encryptionCertificate": "",
"encryptionCertificateId": "",
"includeResourceData": false,
"notificationContentType": "application/json"
}
}
Get User
Reads the properties and relationships of a user object. | key: getUser
| Input | Notes | Example |
|---|---|---|
| Select | A comma-separated list of OData properties to include in the response, reducing payload size. | givenName,surname |
| Connection | The Microsoft Entra ID connection to use. | |
| User ID | Unique Identifier for the user to get. This can be the user's id or userPrincipalName. | d36894ae-94ae-d368-ae94-68d3ae9468d3 |
{
"data": {
"businessPhones": [
"+1 425 555 0109"
],
"displayName": "Adele Vance",
"givenName": "Adele",
"jobTitle": "Retail Manager",
"mail": "AdeleV@contoso.com",
"mobilePhone": "+1 425 555 0109",
"officeLocation": "18/2111",
"preferredLanguage": "en-US",
"surname": "Vance",
"userPrincipalName": "AdeleV@contoso.com",
"id": "87d349ed-44d7-43e1-9a83-5f2406dee5bd"
}
}
List Applications
Retrieve the list of applications in the organization. | key: listApplications
| Input | Notes | Example |
|---|---|---|
| Count | When true, retrieves the total count of matching resources. Requires 'Eventual Consistency Level Header' to be enabled. | false |
| Expand | A comma-separated list of OData relationships to expand and include in the response. | members |
| Filter | An OData filter expression to narrow results. For example: startswith(givenName,'J'). | startswith(givenName,'J') |
| Order By | An OData expression to sort results, such as 'displayName desc' or 'createdDateTime asc'. | displayName desc |
| Search | An OData search expression to return results matching the criteria. Requires Eventual Consistency Level Header. | pizza |
| Select | A comma-separated list of OData properties to include in the response, reducing payload size. | givenName,surname |
| Top | The maximum number of items to return in the result set (OData $top). | 10 |
| Connection | The Microsoft Entra ID connection to use. | |
| Eventual Consistency Level Header | When true, adds the ConsistencyLevel: eventual header to the request. Required for some OData query parameters such as $count and $search. | false |
| Get All Paginated Results | When true, automatically fetches all pages of results using pagination. Ignores the 'Top' input. | false |
{
"data": {
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications",
"value": [
{
"appId": "00000000-0000-0000-0000-000000000000",
"identifierUris": [
"http://contoso/"
],
"displayName": "My app",
"publisherDomain": "contoso.com",
"signInAudience": "AzureADMyOrg"
}
]
}
}
List Changes
Retrieves a list of changes in an object and its children over time. | key: listChanges
| Input | Notes | Example |
|---|---|---|
| Delta Token | A state token returned in the @odata.deltaLink URL of the previous delta function call for the same user collection, indicating the completion of that round of change tracking. | deltatoken |
| Filter | An OData filter expression to narrow results. For example: startswith(givenName,'J'). | startswith(givenName,'J') |
| Select | A comma-separated list of OData properties to include in the response, reducing payload size. | givenName,surname |
| Skip Token | A state token returned in the @odata.nextLink URL of the previous delta function call, indicating there are further changes to be tracked in the same user collection. | skiptoken |
| Connection | The Microsoft Entra ID connection to use. | |
| Delta URL | The URL to track changes in an object and its children over time. Use @odata.nextLink or @odata.deltaLink to get the next set of changes. | /users/delta |
| Return Minimal | When true, returns only the object properties that have changed since the last round when using @odata.deltaLink. | false |
{
"data": {
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users",
"@odata.nextLink": "https://graph.microsoft.com/v1.0/users/delta?$skiptoken=pqwSUjGYvb3jQpbwVAwEL7yuI3dU1LecfkkfLPtnIjsXoYQp_dpA3cNJWc",
"value": [
{
"businessPhones": [
"+1 425 555 0109"
],
"displayName": "Adele Vance",
"givenName": "Adele",
"jobTitle": "Retail Manager",
"mail": "AdeleV@contoso.com",
"mobilePhone": "+1 425 555 0109",
"officeLocation": "18/2111",
"preferredLanguage": "en-US",
"surname": "Vance",
"userPrincipalName": "AdeleV@contoso.com",
"id": "87d349ed-44d7-43e1-9a83-5f2406dee5bd"
}
]
}
}
List Group Members
Retrieves the direct members of a group. | key: listGroupMembers
| Input | Notes | Example |
|---|---|---|
| Count | When true, retrieves the total count of matching resources. Requires 'Eventual Consistency Level Header' to be enabled. | false |
| Expand | A comma-separated list of OData relationships to expand and include in the response. | members |
| Filter | An OData filter expression to narrow results. For example: startswith(givenName,'J'). | startswith(givenName,'J') |
| Search | An OData search expression to return results matching the criteria. Requires Eventual Consistency Level Header. | pizza |
| Select | A comma-separated list of OData properties to include in the response, reducing payload size. | givenName,surname |
| Top | The maximum number of items to return in the result set (OData $top). | 10 |
| Connection | The Microsoft Entra ID connection to use. | |
| Eventual Consistency Level Header | When true, adds the ConsistencyLevel: eventual header to the request. Required for some OData query parameters such as $count and $search. | false |
| Get All Paginated Results | When true, automatically fetches all pages of results using pagination. Ignores the 'Top' input. | false |
| Group ID | The unique identifier of the group. | b320ee12-b1cd-4cca-b648-a437be61c5cd |
{
"data": {
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
"value": [
{
"id": "11111111-2222-3333-4444-555555555555",
"mail": "user1@contoso.com"
}
]
}
}
List Groups
List group objects and their properties. | key: listGroup
| Input | Notes | Example |
|---|---|---|
| Count | When true, retrieves the total count of matching resources. Requires 'Eventual Consistency Level Header' to be enabled. | false |
| Expand | A comma-separated list of OData relationships to expand and include in the response. | members |
| Filter | An OData filter expression to narrow results. For example: startswith(givenName,'J'). | startswith(givenName,'J') |
| Order By | An OData expression to sort results, such as 'displayName desc' or 'createdDateTime asc'. | displayName desc |
| Search | An OData search expression to return results matching the criteria. Requires Eventual Consistency Level Header. | pizza |
| Select | A comma-separated list of OData properties to include in the response, reducing payload size. | givenName,surname |
| Top | The maximum number of items to return in the result set (OData $top). | 10 |
| Connection | The Microsoft Entra ID connection to use. | |
| Eventual Consistency Level Header | When true, adds the ConsistencyLevel: eventual header to the request. Required for some OData query parameters such as $count and $search. | false |
| Get All Paginated Results | When true, automatically fetches all pages of results using pagination. Ignores the 'Top' input. | false |
{
"data": {
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups",
"value": [
{
"id": "45b7d2e7-b882-4a80-ba97-10b7a63b8fa4",
"deletedDateTime": null,
"classification": null,
"createdDateTime": "2018-12-22T02:21:05Z",
"description": "Self help community for golf",
"displayName": "Golf Assist",
"expirationDateTime": null,
"groupTypes": [
"Unified"
],
"isAssignableToRole": null,
"mail": "golfassist@contoso.com",
"mailEnabled": true,
"mailNickname": "golfassist",
"membershipRule": null,
"membershipRuleProcessingState": null,
"onPremisesLastSyncDateTime": null,
"onPremisesSecurityIdentifier": null,
"onPremisesSyncEnabled": null,
"preferredDataLocation": "CAN",
"preferredLanguage": null,
"proxyAddresses": [
"smtp:golfassist@contoso.com",
"SMTP:golfassist@contoso.com"
],
"renewedDateTime": "2018-12-22T02:21:05Z",
"resourceBehaviorOptions": [],
"resourceProvisioningOptions": [],
"securityEnabled": false,
"theme": null,
"visibility": "Public",
"onPremisesProvisioningErrors": []
},
{
"id": "d7797254-3084-44d0-99c9-a3b5ab149538",
"deletedDateTime": null,
"classification": null,
"createdDateTime": "2018-11-19T20:29:40Z",
"description": "Talk about golf",
"displayName": "Golf Discussion",
"expirationDateTime": null,
"groupTypes": [],
"isAssignableToRole": null,
"mail": "golftalk@contoso.com",
"mailEnabled": true,
"mailNickname": "golftalk",
"membershipRule": null,
"membershipRuleProcessingState": null,
"onPremisesLastSyncDateTime": null,
"onPremisesSecurityIdentifier": null,
"onPremisesSyncEnabled": null,
"preferredDataLocation": "CAN",
"preferredLanguage": null,
"proxyAddresses": [
"smtp:golftalk@contoso.com",
"SMTP:golftalk@contoso.com"
],
"renewedDateTime": "2018-11-19T20:29:40Z",
"resourceBehaviorOptions": [],
"resourceProvisioningOptions": [],
"securityEnabled": false,
"serviceProvisioningErrors": [],
"theme": null,
"visibility": null,
"onPremisesProvisioningErrors": []
}
]
}
}
List Subscriptions
Retrieves a list of active subscriptions. | key: listSubscriptions
| Input | Notes | Example |
|---|---|---|
| Connection | The Microsoft Entra ID connection to use. | |
| Get All Paginated Results | When true, automatically fetches all pages of subscriptions. | false |
{
"data": {
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#subscriptions",
"value": [
{
"id": "7f105c7d-2dc5-4530-97cd-4e7ae6534c07",
"resource": "me/messages",
"applicationId": "24d3b144-21ae-4080-943f-7067b395b913",
"changeType": "created,updated",
"clientState": "secretClientValue",
"notificationUrl": "https://webhook.azurewebsites.net/api/send/myNotifyClient",
"lifecycleNotificationUrl": "https://webhook.azurewebsites.net/api/send/lifecycleNotifications",
"expirationDateTime": "2016-11-20T18:23:45.9356913Z",
"creatorId": "8ee44408-0679-472c-bc2a-692812af3437",
"latestSupportedTlsVersion": "v1_2",
"encryptionCertificate": "",
"encryptionCertificateId": "",
"includeResourceData": false,
"notificationContentType": "application/json"
}
]
}
}
List Users
Retrieve a list of user objects. | key: listUsers
| Input | Notes | Example |
|---|---|---|
| Count | When true, retrieves the total count of matching resources. Requires 'Eventual Consistency Level Header' to be enabled. | false |
| Expand | A comma-separated list of OData relationships to expand and include in the response. | members |
| Filter | An OData filter expression to narrow results. For example: startswith(givenName,'J'). | startswith(givenName,'J') |
| Order By | An OData expression to sort results, such as 'displayName desc' or 'createdDateTime asc'. | displayName desc |
| Search | An OData search expression to return results matching the criteria. Requires Eventual Consistency Level Header. | pizza |
| Select | A comma-separated list of OData properties to include in the response, reducing payload size. | givenName,surname |
| Top | The maximum number of items to return in the result set (OData $top). | 10 |
| Connection | The Microsoft Entra ID connection to use. | |
| Eventual Consistency Level Header | When true, adds the ConsistencyLevel: eventual header to the request. Required for some OData query parameters such as $count and $search. | false |
| Get All Paginated Results | When true, automatically fetches all pages of results using pagination. Ignores the 'Top' input. | false |
{
"data": {
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users",
"value": [
{
"businessPhones": [
"+1 425 555 0109"
],
"displayName": "Adele Vance",
"givenName": "Adele",
"jobTitle": "Retail Manager",
"mail": "AdeleV@contoso.com",
"mobilePhone": "+1 425 555 0109",
"officeLocation": "18/2111",
"preferredLanguage": "en-US",
"surname": "Vance",
"userPrincipalName": "AdeleV@contoso.com",
"id": "87d349ed-44d7-43e1-9a83-5f2406dee5bd"
}
]
}
}
Raw Request
Sends a raw HTTP request to Microsoft Entra ID. | key: rawRequest
| Input | Notes | Example |
|---|---|---|
| Connection | The Microsoft Entra ID connection to use. | |
| Data | The HTTP body payload to send to the URL. | {"exampleKey": "Example Data"} |
| Debug Request | When enabled, logs the current request. | false |
| File Data | File Data to be sent as a multipart form upload. | [{key: "example.txt", value: "My File Contents"}] |
| File Data File Names | File names to apply to the file data inputs. Keys must match the file data keys above. | |
| Form Data | The Form Data to be sent as a multipart form upload. | [{"key": "Example Key", "value": new Buffer("Hello World")}] |
| Header | A list of headers to send with the request. | User-Agent: curl/7.64.1 |
| Max Retry Count | The maximum number of retries to attempt. Specify 0 for no retries. | 0 |
| Method | The HTTP method to use. | |
| Query Parameter | A list of query parameters to send with the request. This is the portion at the end of the URL similar to ?key1=value1&key2=value2. | |
| Response Type | The type of data you expect in the response. You can request json, text, or binary data. | json |
| Retry On All Errors | If true, retries on all erroneous responses regardless of type. This is helpful when retrying after HTTP 429 or other 3xx or 4xx errors. Otherwise, only retries on HTTP 5xx and network errors. | false |
| Retry Delay (ms) | The delay in milliseconds between retries. This is used when 'Use Exponential Backoff' is disabled. | 0 |
| Timeout | The maximum time that a client will await a response to its request. | 2000 |
| URL | Enter the path only (for example, /users). The base URL (https://graph.microsoft.com/v1.0) is already included. For example, to connect to https://graph.microsoft.com/v1.0/users, enter only /users in this field. | /users |
| Use Exponential Backoff | Specifies whether to use a pre-defined exponential backoff strategy for retries. When enabled, 'Retry Delay (ms)' is ignored. | false |
Remove Member From Group
Removes a member from a Microsoft 365 group or a security group. | key: removeMemberOfGroup
| Input | Notes | Example |
|---|---|---|
| Connection | The Microsoft Entra ID connection to use. | |
| Group ID | The ID of the group to remove the member from. | b320ee12-b1cd-4cca-b648-a437be61c5cd |
| Member ID | The ID of the member to remove from the group. | 12345678-1234-1234-1234-123456789012 |
{
"data": {
"success": true
}
}
Update Subscription
Updates a subscription expiration time for renewal and/or updates the notificationUrl for delivery. | key: updateSubscription
| Input | Notes | Example |
|---|---|---|
| Connection | The Microsoft Entra ID connection to use. | |
| Expiration Date Time | Specifies the date and time when the webhook subscription expires. The time is in UTC, and can be an amount of time from subscription creation that varies for the resource subscribed to. Format: ISO 8601 (e.g., 2016-11-20T18:23:45.9356913Z). | 2016-11-20T18:23:45.9356913Z |
| Notification URL | The URL of the endpoint that receives the change notifications. | https://webhook.azurewebsites.net/api/send/myNotifyClient |
| Subscription ID | The ID of the subscription to update. | 12345678-1234-1234-1234-123456789012 |
{
"data": {
"id": "7f105c7d-2dc5-4530-97cd-4e7ae6534c07",
"resource": "me/messages",
"applicationId": "24d3b144-21ae-4080-943f-7067b395b913",
"changeType": "created,updated",
"clientState": "secretClientValue",
"notificationUrl": "https://webhook.azurewebsites.net/api/send/myNotifyClient",
"lifecycleNotificationUrl": "https://webhook.azurewebsites.net/api/send/lifecycleNotifications",
"expirationDateTime": "2016-11-20T18:23:45.9356913Z",
"creatorId": "8ee44408-0679-472c-bc2a-692812af3437",
"latestSupportedTlsVersion": "v1_2",
"encryptionCertificate": "",
"encryptionCertificateId": "",
"includeResourceData": false,
"notificationContentType": "application/json"
}
}
Update User
Update the properties of a User object. | key: updateUser
| Input | Notes | Example |
|---|---|---|
| Account Enabled | When true, the account is enabled. | |
| Additional Properties | Additional properties that are not covered by the other inputs. This should be a JSON object and will be merged with the other inputs. See Update User API. | |
| Connection | The Microsoft Entra ID connection to use. | |
| Display Name | The display name of the user. | Adele Vance |
| Domain | The updated domain for the user. This must be an existing domain in the tenant. Required if 'User Principal Name' input is provided. | domain.onmicrosoft.com |
| First Name | The updated first name of the user. | John |
| Job Title | The updated job title of the user. | Software Engineer |
| Last Name | The updated last name of the user. | Doe |
| User ID | The unique identifier of the user to update. This can be the user's id or userPrincipalName. | d36894ae-94ae-d368-ae94-68d3ae9468d3 |
| User Principal Name | The updated user principal name of the user. Required if 'Domain' input is provided. | AdeleV@contoso.com |
{
"data": {
"success": true
}
}
Upsert Application
Create a new application if it doesn't exist, or update the properties of an existing application. | key: upsertApplication
| Input | Notes | Example |
|---|---|---|
| Additional Properties | Additional properties that are not covered by the other inputs. This should be a JSON object and will be merged with the other inputs. See Upsert Application API. | |
| Connection | The Microsoft Entra ID connection to use. | |
| Display Name | The display name of the application. | My Application |
| Unique Name | The unique name of the application to update or create. | MyApplication |
| Use as Upsert | When true, creates a new application if it does not exist. When false, only updates an existing application. | true |
{
"data": {
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications/$entity",
"id": "03ef14b0-ca33-4840-8f4f-d6e91916010e",
"deletedDateTime": null,
"isFallbackPublicClient": null,
"appId": "631a96bc-a705-4eda-9f99-fdaf9f54f6a2",
"applicationTemplateId": null,
"identifierUris": [],
"createdDateTime": "2019-09-17T19:10:35.2742618Z",
"displayName": "Display name",
"isDeviceOnlyAuthSupported": null,
"groupMembershipClaims": null,
"optionalClaims": null,
"addIns": [],
"publisherDomain": "contoso.com",
"samlMetadataUrl": "https://graph.microsoft.com/2h5hjaj542de/app",
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"tags": [],
"tokenEncryptionKeyId": null,
"api": {
"requestedAccessTokenVersion": 2,
"acceptMappedClaims": null,
"knownClientApplications": [],
"oauth2PermissionScopes": [],
"preAuthorizedApplications": []
},
"appRoles": [],
"publicClient": {
"redirectUris": []
},
"info": {
"termsOfServiceUrl": null,
"supportUrl": null,
"privacyStatementUrl": null,
"marketingUrl": null,
"logoUrl": null
},
"keyCredentials": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [],
"requiredResourceAccess": [],
"web": {
"redirectUris": [],
"homePageUrl": null,
"logoutUrl": null,
"implicitGrantSettings": {
"enableIdTokenIssuance": false,
"enableAccessTokenIssuance": false
}
}
}
}
Upsert Group
Create a new group if it doesn't exist, or update the properties of an existing group. | key: upsertGroup
| Input | Notes | Example |
|---|---|---|
| Additional Properties | Additional properties that are not covered by the other inputs. This should be a JSON object and will be merged with the other inputs. See Upsert Group API. | |
| Connection | The Microsoft Entra ID connection to use. | |
| Display Name | The name to display in the address book for the group. | Marketing Team |
| Group Types | The type of group and its membership. | Unified |
| Mail Enabled | When true, the group is mail-enabled. | |
| Mail Nickname | The mail alias for the group, unique for Microsoft 365 groups in the organization. This property can contain only characters in the ASCII character set 0 - 127 except the following: @ () \ [] " ; : <> , SPACE. | MarketingTeam |
| Security Enabled | When true, the group is security-enabled, including Microsoft 365 groups. Groups created using the Microsoft Entra admin center or the Azure portal always have securityEnabled initially set to true. | |
| Unique Name | The unique name of the group to update or create. | MarketingTeam |
| Use as Upsert | When true, creates a new group if it does not exist. When false, only updates an existing group. | true |
{
"data": {
"success": true
}
}
Changelog
2026-03-13
Updated trigger names and actions for improved usability:
- Removed the Debug Request input from all actions; debug logging is now controlled internally
- Added documentation for Webhook, Group Changes, and User Changes triggers
- Renamed Group Trigger to Group Changes and User Trigger to User Changes
- Renamed List Group to List Groups and Remove Member of Group to Remove Member From Group
2026-03-05
Added inline data sources for subscriptions, users, and group members to enhance data selection capabilities
2026-02-24
Added inline data source for Group ID input to enhance data selection capabilities
2026-01-20
Made Authorize URL and Token URL configurable as inputs in the OAuth 2.0 connection type