Workflow Add Several User to Group

Hello, I would like to build a workflow that:

- Uses the trigger "Add Member to Group" > TriggerGroup01

- All users that are added to the trigger group should be added to a second AD group > TargetGroup01

- I would like to execute a script to add the user to an Azure AD group

This lets me add one user at a time to my trigger group, but if I add two at the same time, the workflow only works for one user.

Workflow: Adding a user to a specific group and execute a script - Forum - Active Roles Community - One Identity Community

Is it possible to build a workflow that will execute this for several members added to a trigger group, or would it even be the right tool for this? It seems that it's not practicable to add several users to a group this way; maybe it's easier to create an auto group cloned from the trigger group.

It seems like after I do a user search and find the members, I can't check if a user is already a member of the desired group, but I think doing a user search and then a save object is the only way to do a "ForEach".


It seems like you can do a "start trigger add group" > "User Search get member from Trigger Group" > "save search" > IF member from "add to group" does not contain user from saved search.

Top Replies

  • The way I got around this was to do a search within the workflow. It triggers on "add member", then does a search for who was added and processes each added member.

    My search criteria are as follows:

    Use this activity to: Search the group for its members

    Find "users" In "workflow Target"

    That's it; then I do an if/else and see if the added member has the group already or not.

  • Hi  

    There are other ways to do this, other than via a workflow.

    However, from a workflow point of view, you could:

    1) Configure the start conditions for add to group, and have filter conditions to limit the workflow to the trigger group

    2) The workflow steps would appear on the post side, with first a "Save Object Properties" activity step, followed by an "Update" workflow activity step


    2a) The "Save Object Properties" activity step should target the Workflow Target Object, with the only target property we require being "Members"

    2b) The "Update" activity step would target the Target Group, and the target property to update is the "members" property from the "Save Object Properties" activity step above

    To set the value as the members field from the trigger group, choose "Object identified by DN-value rule expression" from the drop down

    Click Add Entry and select "Property of object from workflow data context"

    From the Target Object drop down, select "More choices"

    Select "Saved Object Properties" from the left hand pane, and choose the activity created in 2a

    From the Target Property drop down, select "More choices"

    From "Select object property", select members

    3) Save your workflow.

    4) Test

    This works when adding multiple users/objects to a group; it will not, however, remove the users/groups when they are removed from the trigger group and then someone else is added to the trigger.

    An easier method would either be to turn the Target Group into a Dynamic Group, or create a Dynamic Group which you add to the target group (I'm going to use the intermediate group example)

    Create the group, then convert it to be dynamic; the new membership rule should be "Include Group Members"

    Select the Trigger Group as the object the members are going to be managed from

    Hope this helps
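As an added example (not code from the thread or from One Identity), here is the same mirror-and-compare logic as a PowerShell script that an Active Roles script activity could run. It handles several users added in one operation, performs the "does the added member already have the group" check from the first reply for every member, and, when asked, also finds users who have left the trigger group, the removal case the workflow above does not cover. It assumes the Active Roles Management Shell cmdlets Get-QADGroupMember, Add-QADGroupMember and Remove-QADGroupMember; the group names are the ones from the question, and Invoke-CloudGroupAdd / Invoke-CloudGroupRemove are hypothetical hooks standing in for the site's own Azure AD script.

```powershell
# Added example, not code from the thread or from One Identity.
# Mirrors the membership of TriggerGroup01 into TargetGroup01 as a set comparison, so
# several users added in one operation are all handled, and removals can be detected too.
# Assumes the Active Roles Management Shell is loaded (Get-QADGroupMember,
# Add-QADGroupMember, Remove-QADGroupMember) and the account can modify the target group.
[CmdletBinding(SupportsShouldProcess = $true)]   # gives the script -WhatIf / -Confirm
param(
    [string]$TriggerGroup = 'TriggerGroup01',     # group the users are added to
    [string]$TargetGroup  = 'TargetGroup01',      # on-prem group kept in sync with it
    [switch]$RemoveStale                          # also remove users that left the trigger group
)

# Hypothetical hooks: replace with the site's own Azure AD script. They only report,
# so the example is safe to run with -WhatIf.
function Invoke-CloudGroupAdd    { param([string]$UserDn) Write-Verbose "cloud add: $UserDn" }
function Invoke-CloudGroupRemove { param([string]$UserDn) Write-Verbose "cloud remove: $UserDn" }

# Read each membership once (direct members only) and index by DN; hashtables built with
# @{} compare string keys case-insensitively, which matches how DNs should be compared.
$wanted  = @{}
$present = @{}
Get-QADGroupMember -Identity $TriggerGroup -SizeLimit 0 |
    Where-Object { $_.Type -eq 'user' } | ForEach-Object { $wanted[$_.DN]  = $_ }
Get-QADGroupMember -Identity $TargetGroup  -SizeLimit 0 |
    Where-Object { $_.Type -eq 'user' } | ForEach-Object { $present[$_.DN] = $_ }

# 1) Trigger members missing from the target group. This is the first reply's
#    "does the added member already have the group" if/else applied to every member,
#    so the script is idempotent: a second run changes nothing.
foreach ($dn in @($wanted.Keys)) {
    if ($present.ContainsKey($dn)) { continue }
    if ($PSCmdlet.ShouldProcess($dn, "Add to $TargetGroup")) {
        Add-QADGroupMember -Identity $TargetGroup -Member $dn
        Invoke-CloudGroupAdd -UserDn $dn
    }
}

# 2) Target members no longer in the trigger group. An "add member" trigger never sees
#    these, which is why the comparison has to run in the opposite direction as well.
if ($RemoveStale) {
    foreach ($dn in @($present.Keys)) {
        if ($wanted.ContainsKey($dn)) { continue }
        if ($PSCmdlet.ShouldProcess($dn, "Remove from $TargetGroup")) {
            Remove-QADGroupMember -Identity $TargetGroup -Member $dn
            Invoke-CloudGroupRemove -UserDn $dn
        }
    }
}
```

Run it first with -WhatIf -Verbose to see which DNs would be added or removed without touching either group; because both directions are computed as set differences, the script can be scheduled and re-run safely, which is the property the workflow built on a single "add member" event lacks.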


  • Thank you, I will test this; it seems easier.

    I already noticed that for removing you need a different logic. With my approach you compare the trigger group with the "Add to group", but when you remove a user they are no longer a member of the trigger group and won't be compared. So you would need to compare "add to group" with the trigger group.

    I thought about using dynamic groups, but I need to execute a script to add the user to an Azure AD group (I guess this is not possible with workflow tools; I know you can do it via the GUI, but we want to avoid writing down instructions where people see in which X groups the user needs to be added), so I need a trigger group, and I'm not sure if it would work with dynamic groups.

    It's basically our access configuration for Microsoft Dynamics CRM; for this a user needs to be added to an on-prem group, which is for permission on a mailbox, and an Azure AD security group.

  • It's basically our access configuration for Microsoft Dynamics CRM; for this a user needs to be added to an on-prem group, which is for permission on a mailbox, and an Azure AD security group.

    Why don't you "master" your Azure AD Security and mailbox permissions groups from on-premises?  That way, when they are added to the on-premises groups, AADC will add them to their Cloud equivalents.

  • If I can make a suggestion for an alternate method that is, I feel, both simpler and more robust:

    The biggest drawback here is that Change Workflows can only be triggered by an Active Roles client. If some other Active Directory client or process adds a user to a group, nothing will happen.

    Instead, I would implement an Automation Workflow that periodically scans the members of the group. The Workflow finds all members that are not stamped with a specific Virtual Attribute value and then stamps them.

    Automation Workflows can fire Change Workflows. Have a Change Workflow triggered by stamping the Virtual Attribute, which fires your script to perform your desired operation.

    You can use a second Automation Workflow to find users who are not a member of the group but who have the specific Virtual Attribute set. These are users who have been removed from the group. This Automation Workflow can clear their Virtual Attribute.

    A second Change Workflow would be triggered by clearing the Virtual Attribute value, which runs a different script and takes care of the operation that you want to fire when a user is removed from the group.

    This process is easier to follow, easier to troubleshoot, and easier to implement. The only drawback is that it is not a real-time change, but you can adjust the schedule if you need to. Since you are looking for a specific Virtual Attribute value, it should be fairly lightweight.
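As an added example (not the thread's or One Identity's code), the two periodic scans this reply describes are written below as one PowerShell script that an Automation Workflow could run on its schedule; the Change Workflows that fire on the Virtual Attribute change are not shown. It assumes the Active Roles Management Shell cmdlets (Connect-QADService, Get-QADGroupMember, Get-QADUser, Set-QADUser), a Virtual Attribute on user objects named edsvaCrmAccess (a hypothetical name) and the group name from the question.

```powershell
# Added example, not code from the thread or from One Identity.
# Scan 1 stamps group members that lack the Virtual Attribute value; scan 2 clears it
# from users who carry the value but are no longer members. Each change is what fires
# the corresponding Change Workflow described above.
# Assumes the Active Roles Management Shell; Virtual Attributes are only visible
# through a proxy (Active Roles) connection, hence Connect-QADService -Proxy.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Group   = 'TriggerGroup01',
    [string]$VaName  = 'edsvaCrmAccess',   # hypothetical Virtual Attribute name
    [string]$VaValue = 'granted'           # marker value: set = granted, cleared = revoked
)

Connect-QADService -Proxy | Out-Null

# Direct user members of the group, indexed by DN for the second scan.
$members   = Get-QADGroupMember -Identity $Group -SizeLimit 0 | Where-Object { $_.Type -eq 'user' }
$memberDns = @{}
foreach ($m in $members) { $memberDns[$m.DN] = $true }

# Scan 1: members without the marker. Only a mismatch causes a write, which keeps the
# periodic run lightweight and makes it safe to repeat.
foreach ($m in $members) {
    $current = (Get-QADUser -Identity $m.DN -IncludedProperties $VaName).$VaName
    if ($current -eq $VaValue) { continue }
    if ($PSCmdlet.ShouldProcess($m.DN, "Set $VaName=$VaValue")) {
        Set-QADUser -Identity $m.DN -ObjectAttributes @{ $VaName = $VaValue }
    }
}

# Scan 2: users carrying the marker who are not (or no longer) members. Clearing the
# attribute is the change that triggers the removal Change Workflow.
$stamped = Get-QADUser -SearchAttributes @{ $VaName = $VaValue } -IncludedProperties $VaName -SizeLimit 0
foreach ($u in $stamped) {
    if ($memberDns.ContainsKey($u.DN)) { continue }
    if ($PSCmdlet.ShouldProcess($u.DN, "Clear $VaName")) {
        # Passing $null is assumed to clear the attribute, as with any other attribute
        # blanked through -ObjectAttributes.
        Set-QADUser -Identity $u.DN -ObjectAttributes @{ $VaName = $null }
    }
}
```

The state that drives the two scripts lives on the user object rather than in the workflow, so a member added by any client (not only an Active Roles client) is picked up on the next run, and the search in scan 2 is narrowed to users carrying the marker value rather than the whole directory.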

  • Theoretically this is possible, but it is not yet part of our Active Directory concept. We sync all Exchange OnPrem groups because it is important for Exchange Online but we have many OnPrem access groups that we do not need in the cloud. Here we would have to develop an area for cloud access groups. It is also interesting in which direction Active Roles will develop with regard to O365.

  • Thank you for your input, I will try to test this.

  • Yes - I would suggest you put these "special" groups into a separate OU that is included into the scope of AADC.

    Active Roles support for Cloud-Only objects is improving with each release.  I just wish it supported direct management of Cloud-only Distribution Groups. However, I can understand why this might not have been given priority initially because Microsoft themselves did not seem too keen on people using them.  But I think they (Msft) may be turning the corner on this so hopefully, we will see this in Active Roles soon.  It would help ease customers in making the transition to using Active Roles to manage Exchange Online exclusively in the Cloud.