Automate External User Invitations Using Power Automate Adaptive Cards – Part 2

In our previous blog, we covered automating SharePoint guest access approvals for existing guests. In this follow-up, we’ll explore how to automate external user invitations for users who are not yet in your directory, using Power Automate and Adaptive Cards in Teams.

Granting guest access to SharePoint sites is a common scenario, especially when collaborating with external vendors, partners, or clients. Doing this manually can be cumbersome – it requires site admin privileges, verification of details, and accurate logging to ensure the right users get the right permissions.

To simplify this process, we have built a Power Automate flow that sends Adaptive Cards to Teams for guest access approvals.

Here’s how external users are invited and granted access to SharePoint:

1. A manager submits a SharePoint list form request with the details of the external user requesting access, including email ID, site URL, access level, etc.
2. Once the form is submitted, a new row is added to the SharePoint list automatically.
3. The addition of the new item triggers the workflow.
4. The workflow retrieves the approver automatically from an internal SharePoint list based on the requested site URL.
5. The workflow then sends an Adaptive Card in Teams to the identified approver containing all necessary details.
6. If the admin approves:
7. The workflow calls the Microsoft Graph API to get an authentication token.
8. It checks if the external user exists in the directory.
9. If the user exists in the directory:
   • The workflow adds the user to the respective SharePoint group.
   • Notifies the external user of access approval.
   • Updates the SharePoint list to reflect the approval status.

10. If the user does not exist in the directory:
    • The workflow sends an external invitation to the user’s email.
    • Once the invitation is accepted, the workflow adds the user to the SharePoint group.
    • Updates the SharePoint list to reflect the approved status.

Here’s how the complete flow looks in Power Automate:

Prerequisites for Automating the External Invitation Process

Before building the workflow, ensure the following prerequisites are met:

• Power Automate Premium: The flow uses a premium connector (HTTP), so a Power Automate Premium license is required. You can opt for a 90-day free Power Automate trial if needed.
• Role-Based Permissions:
  • Requester/Manager: Must be internal to your organization to submit the form.
  • Approver: Must have Site Owner or Admin permissions to approve requests.
  • Flow Creator: Must have access to the SharePoint list and Power Automate permissions to create and manage flows.
• Approvers Mapping List: This is a required component of the setup. It maps Site URL and Approver Emails, allowing the flow to automatically identify and notify the correct site owner/admin.

With these prerequisites in place, you’re ready to build the external user invitation workflow step by step.

Since this flow uses the HTTP action to call Microsoft Graph, Power Automate must authenticate securely before it can send external invitations or perform directory-level operations.

To enable this, you must register an application in Microsoft Entra ID and grant it the necessary Graph API application permissions (such as User.ReadWrite.All and Directory.ReadWrite.All). This registered app acts as the identity that Power Automate will use when requesting an OAuth access token, which is then included in each HTTP request to Microsoft Graph.

To do this, follow the steps below:

1. Go to the Microsoft Entra admin center.
2. Under Entra ID, navigate to App registrations -> New registration.
3. Provide a name for your application.
4. Under Supported account types, select:

“Accounts in any organizational directory (Any Microsoft Entra ID tenant – Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox)”.

This ensures that any external user, regardless of whether they use a work, school, or personal Microsoft account can be authenticated.

5. Click Register.

6. From the left-hand menu, under Manage, select API Permissions.
7. Click Add a permission -> Microsoft Graph -> Application permissions.
8. Search for User and select:

1. User.Invite.All
2. User.Read.All

9. Click Add permission.

10. Click Grant admin consent for <Your Organization> and confirm by clicking Yes.

11. In the left-hand menu, select Certificates & secrets.
12. Click + New client secret.
13. Provide a description and expiry date.
14. Click Add.
15. After creation, copy the Value of the client secret.

⚠️Note: This is the only time it will be fully visible. Save it securely to be used later in the flow.

16. Now, we need to copy two more values. Go to the Overview tab and copy the Application (client) ID and Directory (tenant) ID.

Once these steps are complete, your application is ready, and you can start building your Power Automate flow with secure Graph API authentication.

Follow the steps one by one to execute the external user invitation workflow successfully:

1. Prepare your SharePoint lists form to collect responses
2. Build the Power Automate cloud flow for external user requests
3. Automatically retrieve approver details from list
4. Send guest access requests to approvers using adaptive cards in Teams
5. Verify if external user access approval is accepted
6. Get Microsoft Graph API access token in Power Automate
7. Extract OAuth token details for Graph API requests
8. Check if the guest user already exists in Entra ID
9. Determine whether to send a new external invitation
10. Send external user invitation via Microsoft Graph API (true branch)
11. Add delay to ensure new guest user is synchronized
12. Retrieve the associated SharePoint groups
13. Configure the flow to handle different SharePoint access levels
14. Automatically add guest user to the appropriate SharePoint group
15. Mark request as approved in SharePoint list automatically

Before creating the Power Automate flow, you need a SharePoint list to capture guest access requests from. In our previous blog, the manager entered the details directly into the list, but this required them to have access to the site, which isn’t always practical.

To overcome this, we have used the Lists form. You can create a Lists form, where responses submitted through the form will automatically be added to the list. This list will act as the trigger for your flow and store key details such as guest name, email, company, site URL, access level, and more.

Note: If you want external users to submit their own access requests, you could use Microsoft Forms instead of a Lists form, as Forms allows creating anonymous links. However, this approach has risks:

• You cannot automatically verify if the submitter belongs to a trusted organization.
• There’s a higher chance of incorrect or malicious entries.
• Integrating dynamic content into the Adaptive Card workflow becomes more complex.

For these reasons, we prefer using a SharePoint Lists form, which ensures submissions are made only by internal users and simplifies automation with Power Automate.

1. Navigate to your desired SharePoint site and click + New -> Lists form.
2. Give your lists form a name -> Click Create.
3. Add form title and add logo optionally.
4. Add the following columns to your list. Make all fields required:

Field Name	Type	Notes / Choices
GuestName	Single line of text
GuestEmail	Single line of text
GuestCompany	Single line of text
SiteName	Single line of text
SiteURL	Single line of text
AccessLevel	Choice	Read Only, Edit, Full Control
AccessDurationInDays	Number
RequestStatus	Choice	Pending, Approved, Rejected

• Once the form is ready, click Send form -> Copy link to share it.
• Anyone in your organization, even if not part of the site, can submit responses using this link.

⚠️ Important: Ensure that the field values exactly match those above, as they will be referenced in the Adaptive Card JSON in your flow.

1. Sign in to Power Automate.
2. Select Create -> Automated cloud flow.
3. Name your flow, then select the trigger When an item is created (SharePoint) -> Create.
4. For the selected node, configure the action by selecting the Site Address and the Lists form name (the one you just created) from the dropdown menu.

1. Click the + icon below the trigger.
2. Search for and select the “Get items – SharePoint” action.
3. Configure the action as follows:

• Site Address: Select the site where the approver mapping list is stored.
• List Name: Choose the approver mapping list you created.
• Under Advanced Options, set the Filter Query to: SiteUrl eq ‘@{triggerBody()?[‘SiteURL’]}’

This ensures that only the approver assigned to the current site is retrieved.

• Click the + icon below the previous action.
• Select “Apply to Each” action.
• In the Select an output from previous steps field, choose the value output from the “Get items – SharePoint” action.

This will loop through each approver retrieved from the mapping list for the current site.

1. Click the ‘+’ icon below the ‘Apply to each’.
2. Search and select the action Post adaptive card and wait for a response from the list. This action requires installing the Workflows app in your Teams environment.
3. Configure the fields as:

• Post as: Flow bot
• Post in: Chat with Flow bot
• Message: Paste the following JSON code for your adaptive card:

• Recipient: items(‘Apply_to_each’)?[‘ApproverEmail’]

The request details are sent directly to the designated approver’s chat, allowing them to approve or reject access instantly. You can customize the Adaptive Card using the Adaptive Card Designer for a visual experience.

⚠️ Important Note: In the steps that follow, some action names have been renamed for clarity and easier understanding of the flow. When referencing dynamic content from a previous action, use the updated names if you renamed them. If you did not rename an action, keep the default name, otherwise the flow may fail.

This condition checks whether the admin selected Approve in the Adaptive Card and directs the flow accordingly.

1. Click the ‘+’ (New step) icon below your Adaptive Card action.
2. Search for and select the Condition control.
3. Configure the AND operation in the action as follows:

• Choose a value: Click inside the field. Two icons will appear — select the Insert expression (fx) icon and paste the following expression: outputs(‘Post_adaptive_card_and_wait_for_a_response’)?[‘body/data/action’]
• Condition: is equal to
• Choose a value: approve

Under the False branch, click + and add the “Update item – SharePoint” action. Configure it as follows:

• Site Address: Select the site containing your list from the trigger.
• List Name: Choose the SharePoint list used for the form.
• Columns: Fill all required columns (such as ID, GuestName, etc.) using dynamic content from the trigger.
• Advanced Parameters -> Title: Set the Title field.
• RequestStatus Value: Set to Rejected.

This step ensures that if the approver rejects the request, the RequestStatus column is updated to Rejected.

Optionally, you can also add a “Send an email (V2)” action to notify the manager about the rejection by setting them as the recipient.

Under the True branch, add the HTTP premium connector to obtain an authentication token. Configure it as follows:

• URI: https://login.microsoftonline.com/<tenant ID>/oauth2/v2.0/token
  (Replace <tenant ID> with your tenant ID.)
• Method: POST
• Headers:
• Content-Type: application/x-www-form-urlencoded
• Body:

grant_type=client_credentials&client_id=<Client ID>&client_secret=<Client secret value>&scope=https://graph.microsoft.com/.default

(Replace <Client ID> and <Client secret value> with your application credentials.)

This action retrieves the authentication token required to interact with Microsoft Graph in the workflow.

After the HTTP action, click + and search for the Parse JSON action.

Configure it as follows:

• Content: Select the dynamic value body from the HTTP action.
• Schema: Copy and paste the JSON schema below:

This action extracts the access token and other details from the HTTP response, making them available for use in later steps.

Now that we’ve retrieved the access token and parsed it successfully, the next step is to verify whether the guest already exists in your Entra ID tenant. This action searches Entra ID to determine if the guest email from the SharePoint request already exists.

1. Click the + icon below the Parse JSON action.
2. Add a new HTTP action and configure it as follows:

• URI: https://graph.microsoft.com/v1.0/users?$filter=mail eq ‘@{triggerBody()?[‘GuestEmail’]}’
• Method: GET
• Headers: Authorization: Bearer @{body(‘Parse_Token_Body’)?[‘access_token’]}

Add a Condition action below the HTTP step and configure it as follows:

• Choose a value: Add an expression as length(body(‘Check_if_User_Exists_in_Directory’)?[‘value’])
• Condition: is equal to
• Choose a value: 0

If the value is 0, it means the user does not exist in the directory. When this condition is true, the flow will continue to create the user and then invite them.

Under the True branch, add another HTTP action to send the guest invitation.
Configure it as follows:

• Uri: https://graph.microsoft.com/v1.0/invitations
• Method: POST
• Headers: Authorization: Bearer @{body(‘Parse_Token_Body’)?[‘access_token’]}
• Content-Type: application/json
• Body:

{

“invitedUserEmailAddress”: “@{triggerBody()?[‘GuestEmail’]}”,

“inviteRedirectUrl”: “@{triggerBody()?[‘SiteURL’]}”,

“sendInvitationMessage”: true

}

This request creates an invitation for the external user and sends them the standard Microsoft invitation email. The user is then added as a guest in your directory after accepting the invitation.

Add a Delay action and configure it as:

• Count: 10
• Unit: Second

You can also modify the values if required.

This delay is required after the external user accepts the invitation. When the guest accepts, Entra ID begins provisioning the new account, and it may take a few seconds before the user becomes searchable in the directory.

Without this short delay, the flow may fail to find the newly created guest account in Entra ID, causing the “add to SharePoint group” step to fail.

In this step, the flow retrieves the site’s associated SharePoint groups — Owners, Members, and Visitors — to automatically assign the correct access level to the guest user. This step is executed directly if the user already exists in the directory, ensuring they are added to the appropriate SharePoint group without needing a new invitation.

Under the Delay action:

1. Click the ‘+’ icon. This step should be added using the + icon outside the condition branches, so it applies correctly regardless of whether the user already exists or is being invited.
2. Search for and select ‘Send an HTTP request to SharePoint.’
3. Configure the action as follows:

• Site Address: Select Enter custom value, then click the Dynamic content icon and choose SiteURL from the trigger action (If the list isn’t created with headers first, its properties won’t appear in dynamic content).
• Method: GET
• URI: _api/web?$expand=AssociatedOwnerGroup,AssociatedMemberGroup,AssociatedVisitorGroup
• Advanced Parameters -> Headers: Accept: application/json;odata=nometadata

After this step, click the ‘+’ icon and add a Compose action. This allows you to view and verify the response returned from SharePoint before proceeding further.

• In the Inputs field, click Dynamic content and select Body under the Send an HTTP request to SharePoint.

This setup ensures the flow handles each access level (Edit, Full Control, Read) separately, allowing you to define specific actions for every permission type.

1. Click the ‘+’ icon under the previous Compose action.
2. Search for and select the Switch control.
3. In the On field, select AccessLevel Value from Dynamic content.

Under the Switch control, click the ‘+’ (Add a case) button to create three separate cases. The Default case acts as a fallback option – it runs if none of the specified cases (Read Only, Edit, Full Control) match the value in the AccessLevel field.

In each case, configure the Equals field under Parameters as follows:

• Case 1: Read Only
• Case 2: Edit
• Case 3: Full control

📌 Note: Make sure to give the case names exactly as they appear in the SharePoint list access value names.

For each case created under the Switch action, click ‘+’ ->Add an action and choose Send an HTTP request to SharePoint. Now, to let the flow add the guest into the respective SharePoint group defined by the manager, use the following configuration for each access level.

All parameters remain the same except the URI for all 3 cases, which changes based on the access type (Read Only, Edit, or Full Control):

1. Site Address: Select Enter custom value -> click Dynamic content -> choose SiteURL from the trigger.
2. Method: POST
3. URI:

• Case 1: Read Only -> _api/web/AssociatedVisitorGroup/users
• Case 2: Edit -> _api/web/AssociatedMemberGroup/users
• Case 3: Full Control -> _api/web/AssociatedOwnerGroup/users

4. Headers: Accept: application/json;odata=verbose
   Content-Type: application/json;odata=verbose

5. Body: {
   “__metadata”: { “type”: “SP.User” },
   “LoginName”: “i:0#.f|membership|@{triggerBody()?[‘GuestEmail’]}”
   }

Finally, add the ‘Update item’ action under the cases to mark the request as Approved in the SharePoint list.

1. Site Address: Choose the same site where your request list is located.
2. List Name: Choose your requests list.
3. Id: Select the ID dynamic content from the trigger.
4. Columns: Fill all required columns (such as ID, GuestName, etc.) using dynamic content from the trigger. Follow the same configuration as step 4.
5. Title: Select the dynamic content ‘Title’ from the trigger.
6. RequestStatus Value: Approved.

That’s it! Save the flow and run a test to ensure everything works as expected.

Flow result:

When a manager submits the list form, a new row is created in the SharePoint list, triggering the Power Automate flow automatically.

An Adaptive Card is instantly delivered to the admin’s Teams chat, displaying all the request details as shown below.

The flow then verifies whether the external user mentioned in the form already exists in the directory or not. Once the admin approves the request, the flow automatically adds the guest user to the appropriate SharePoint group, sends a confirmation email, and updates the SharePoint list item to “Approved.”

We hope this blog helped you set up the step-by-step flow to automate external user invitations and access approvals with ease. Power Automate can also simplify other admin tasks like onboarding, offboarding, password expiry reminders, and much more.

Thanks for reading! If you have questions or suggestions, feel free to drop them in the comments below.