Case Study: Automating Employee Onboarding in a Hybrid Setup using Power Automate
Overview
In this tutorial, we’ll set up an automated onboarding solution to streamline the process of adding new employees to organizational systems. We will use AgroVisionLabs, a fictitious agricultural technology company, as a case study.
AgroVisionLabs frequently hires new employees across multiple locations, and their manual onboarding process for creating Active Directory (AD) accounts, assigning permissions, and synchronizing with Entra ID has become time-consuming for the IT department. This project will aim to automate this process using Power Automate and Azure Automation.
Prerequisites
To follow through with this article, you will need to have the following prerequisites:
Active Directory (AD): An existing on-premises AD environment.
Microsoft Entra: Integrated with the on-premises AD using Azure AD Connect.
An Azure subscription
Power Automate Premium License: Required for the Azure Automation connector.
What we would learn
Cloud services like Power Automation aren’t developed to work with on-prem environments. We will learn how to connect an on-prem server that runs local AD to access Azure cloud services.
Creating an automated workflow with Power Automate.
Writing and deploying PowerShell script for AD operations via Azure Runbook.
Sending email notifications to HR and the manager.
Architecture Workflow
Project Steps
Step 1: Create a Microsoft Form for Employee Onboarding
Create a simple form with fields like First Name, Last Name, Email, Job Title, Manager's Email, and Location - I have included location here because that will serve as the OU on local AD In the setup for AgroVisionlabs, OU is used to organize employees depending on their locations distinctively.
This form will trigger the automation workflow on Power Automate.
Step 2: Configure Azure Arc and Azure Automation
Assuming an existing on-premises AD environment, the next step is to establish connectivity between your on-prem server and Azure to successfully run PowerShell scripts from Azure, a cloud service, to your local AD seated on your on-prem environment. This is what Azure Arc does—it provides a secure bridge for running Azure services on local infrastructure.
Docs on Azure Arc-enabled servers
Azure Arc Setup:
Search for Azure Arc on Azure services
Click on Add/Create > Add machine
Select Windows Installer. Make sure you are installing the agent on the on-prem server to be used.
Your interface should look like the below after configuration:
Azure Automation Configuration:
The next step is to set up Azure Automation to create a PowerShell Runbook that will be deployed to our connected on-prem server that runs our local AD environment. To do this, you will need to configure a hybrid worker group to facilitate script execution on the on-prem server directly from Azure Automation.
In the Azure portal:
Navigate to your Automation Account.
Create a Hybrid Worker Group.
Add the on-prem server we previously connected to Azure Arc to this group.
Runbook Creation:
Once that is set up, the next thing is to have a script running on PowerShell Runbook.
- Navigate to your Automation Account. Click on Runbooks to create a new Runbook
Click on
Edit in portalto add the PowerShell script as seen below:
# List out the Params dynamically from form input param ( [Parameter(Mandatory = $true)][string]$FirstName, # First name of the new user [string]$Initials = "", # Middle Name of new user [Parameter(Mandatory = $true)][string]$LastName, # Last name of the new user [Parameter(Mandatory = $true)][string]$Mail, # Mail address of new user [Parameter(Mandatory = $true)][string]$Location, # Location/OU where the user will be created [Parameter(Mandatory = $true)][string]$TemplateEmail, # Email address of the template user [string]$Password = "Changepassword123", # Temporary password for the new user [Parameter(Mandatory = $true)][string]$JobTitle, # Job Title for the new user [Parameter(Mandatory = $true)][string]$ManagerEmail # Manager's email ) # Import the Active Directory module Import-Module ActiveDirectory # Define the OU based on the location $OU = "OU=$Location,DC=ad,DC=agrovisionlabs,DC=com" Write-Output "Target OU for new user: $OU" # Grab Template User's details using Email $TemplateUser = Get-ADUser -Filter {mail -eq $TemplateEmail} -Properties HomeDirectory, ScriptPath, mail if ($TemplateUser -eq $null) { Write-Output "Template user with email $TemplateEmail not found in Active Directory." exit } Write-Output "Template User Found: $($TemplateUser.SamAccountName)" # Get the groups that the template user is a member of $Groups = Get-ADPrincipalGroupMembership -Identity $TemplateUser Write-Output "Groups to be copied: $($Groups | ForEach-Object { $_.Name })" # Retrieve Manager details using email $Manager = Get-ADUser -Filter {mail -eq $ManagerEmail} -Properties mail if ($Manager -eq $null) { Write-Output "Manager with email $ManagerEmail not found." exit } # Introduce a brief delay before proceeding Start-Sleep -Seconds 10 # Construct the full name and user logon name $NewUserName = "$FirstName $LastName" $UPN = "$($FirstName.ToLower()).$($LastName.ToLower())@agrovisionlabs.com" # Define the parameters for New-ADUser $newUserParams = @{ GivenName = $FirstName Surname = $LastName Name = $NewUserName DisplayName = $NewUserName SamAccountName = "$($FirstName.ToLower()).$($LastName.ToLower())" UserPrincipalName= $UPN Path = $OU AccountPassword = (ConvertTo-SecureString $Password -AsPlainText -Force) Enabled = $true Title = $JobTitle EmailAddress = $Mail Manager = $Manager.DistinguishedName # Assign manager Description = $JobTitle # Set description as the job title } # Only add Initials if provided if ($Initials) { $newUserParams["Initials"] = $Initials } # Create the new user $newUser = New-ADUser @newUserParams # Wait for 1 minute to ensure the user object is created in AD Start-Sleep -Seconds 60 # Retrieve the newly created user to ensure it exists $newUser = Get-ADUser -Identity "$FirstName.$LastName" if ($newUser -eq $null) { Write-Output "Failed to retrieve the newly created user. $SamAccountName may not have been created successfully." exit } Write-Output "New user created successfully: $($newUser.SamAccountName)" # Copy the groups of the template user to the newly created user foreach ($group in $Groups) { Add-ADGroupMember -Identity $group -Members $newUser Write-Output "Added $NewUserName to group $($group.Name)" } # Output success message Write-Output "User $NewUserName created and added to all groups successfully." # Trigger Azure AD Connect sync immediately after user creation Invoke-Command -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta } -ComputerName DC # Assign home folder and logon script # Retrieve template user's home folder $HomeFolder = $TemplateUser.HomeDirectory if ($HomeFolder) { # Construct the new user's home folder path $NewHomeFolder = $HomeFolder -replace "$($TemplateUser.SamAccountName)", "$($newUser.SamAccountName)" # Assign home folder Set-ADUser -Identity $newUser -HomeDirectory $NewHomeFolder -HomeDrive "U" Write-Output "Assigned home folder: $NewHomeFolder" # Create the home folder on the file server if (!(Test-Path -Path $NewHomeFolder)) { New-Item -ItemType Directory -Path $NewHomeFolder Write-Output "Home folder created: $NewHomeFolder" # Grant full control to the new user $acl = Get-Acl $NewHomeFolder $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$($newUser.SamAccountName)", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow") $acl.SetAccessRule($accessRule) Set-Acl -Path $NewHomeFolder -AclObject $acl Write-Output "Set permissions for $NewHomeFolder" } else { Write-Output "Home folder already exists: $NewHomeFolder" } } else { Write-Output "Template user does not have a home folder set. Skipping home folder assignment." } # Retrieve template user's logon script $LogonScript = $TemplateUser.ScriptPath if ($LogonScript) { # Assign logon script to the new user Set-ADUser -Identity $newUser -ScriptPath $LogonScript Write-Output "Assigned logon script: $LogonScript" } else { Write-Output "Template user does not have a logon script set. Skipping logon script assignment." }Save and publish the runbook.
This is what the script does »
Parameter Input: Collect user details (e.g., name, email, location, job title) and manager information from the Microsoft form created earlier.
Template Retrieval: Fetch the template user's attributes (home directory, logon script, group memberships).
Manager Verification: Ensure the provided manager email corresponds to an existing AD user.
User Creation: Create a new Active Directory user with defined attributes (e.g.,
DisplayName,JobTitle,Manager).Group Assignment: Add the new user to the same groups as the template user.
Home Folder Setup: Assign and create a personalized home folder with appropriate permissions.
Logon Script Assignment: Copy and apply the template user's logon script.
Azure AD Sync: Trigger an immediate Azure AD sync to propagate changes.
Step 4: Implement the Power Automate Workflow
Now that we have established connectivity from Azure services to the on-prem server and set up a runbook script that is executed on the on-prem server directly from Azure Automation, the next step is to configure the workflow on Power Automate.
Trigger Setup:
The workflow is configured to be triggered when someone from HR ideally fills out the Microsoft Form. Response is parsed and is used as input parameters in script deployment.
Run Script:
Add the "Create Job" action using the Azure Automation connector (a premium feature). Pass parsed form inputs as parameters to the Runbook using the ‘Get response details connector’
I have included a delay of 3 minutes to allow the script to run and create a user on local AD with immediate sync back to Entra ID. I’d say this is important as I found out it takes approximately that amount of time to have the script deployed successfully.
Data Parsing:
Use the Data Operation connector to parse output responses from the creation of the user as JSON. This is needful to have dynamic content populated for example, in the Sharepoint workflow, or populating dynamic fields in sending emails.
Store User’s Details on Sharepoint (Optional)
This is optional but you can update a SharePoint list with details of new users, like the employee name, role, location, etc
Notifications:
The last item in the workflow is to send emails to required stakeholders in Org. For example:
User’s Manager: An email with new user details.
HR: Confirmation of onboarding.
Results
Submit test data via the Microsoft Form
Power automate is triggered to start workflow and run the script on Power Automate
Workflow is completed successfully
The user account is created on local AD as well as the login script and home folder. The account is also synced back to Entra.
Email notifications are also sent to the manager and the HR dept
The user is also populated on the Sharepoint list added to the workflow on Power Automate
Conclusion
This solution automates the onboarding process for new employees, reducing manual effort and routine tasks for IT administrators. Further items can be added to the workflow, for example, a connector that creates a ticket for the IT team. I hope this helps!