Giuliano De Luca | Blog | delucagiuliano.com

In this article I'd like to talk about a very common enterprise scenario, where a user is able to request a new SharePoint site (Team site, Communication site) or Microsoft Teams by starting a workflow process. The architecture on Azure looks like the one below:


I decided to share my experience by presenting a solution where every user can leverage the capabilities of a Bot. From my point of view its great benefit is that it is everywhere, depending of course on the channels that are enabled:


This is really comfortable from a user-experience perspective because the user does not have to find an entry point in order to submit the request. The user can ask the Bot directly from the software they are already working in, for example Teams, Skype, Direct Line (Web App), Cortana, Email and so on. The Bot saves the request in a SharePoint list by consuming the Microsoft Graph API with App Only permission. Then, through Microsoft Flow, the admin receives an email that a new request needs to be approved; when the admin approves it, Flow is triggered automatically and calls an Azure Function in order to start the provisioning. When the provisioning process has finished, the Azure Function returns a response with HTTP status 200 to Flow, which notifies the admin and the end user that the SharePoint site or Teams is ready to go.

When to use this pattern?

This sample is suitable when you want to implement a typical enterprise scenario for requesting and approving the creation of a new SharePoint site or Microsoft Teams.


Let’s start to build the solution.

1- Setup the Azure AD Application

Because the Bot makes use of the Microsoft Graph API (App Only), you need to register a new app in the Azure Active Directory behind your Office 365 tenant using the Azure portal:

  • Go to https://portal.azure.com, log in and register a new application, creating a key (client secret) for it.
  • Add the Application Permissions for Microsoft Graph: Read and write all groups, and Read and write items in all site collections.
  • Keep in mind that if you have to work with the user's context you will need to change the permissions to Delegated Permissions, and of course you will need to change the Bot code in order to handle the sign-in and the redirect with the token.
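As an added example (not code from the original post or from the O365ModernProvisioning project), this Node.js snippet shows what the App Only flow configured above amounts to on the Bot side: the client-credentials request to the Azure AD token endpoint, built from Application Settings rather than hard-coded values, and a check of the issued token's "roles" claim against the two application permissions the registration was given. The setting names (TENANT_ID, CLIENT_ID, CLIENT_SECRET) and the v2.0 endpoint are assumptions; the sample token is constructed and unsigned.

```javascript
// Added example, not code from the original post or the O365ModernProvisioning
// project: builds the client-credentials (App Only) token request for Microsoft
// Graph and inspects the returned access token's "roles" claim so the Bot fails
// fast if the registration lacks (or exceeds) the permissions it needs.

// Application permissions the post assigns to the app registration.
const REQUIRED_ROLES = ["Group.ReadWrite.All", "Sites.ReadWrite.All"];

// Build the request to the Azure AD v2.0 token endpoint. Tenant id, client id and
// secret come from Application Settings (names assumed here), never from source code.
function buildClientCredentialsRequest(env) {
  for (const key of ["TENANT_ID", "CLIENT_ID", "CLIENT_SECRET"]) {
    if (!env[key]) throw new Error(`Missing application setting: ${key}`);
  }
  const params = new URLSearchParams({
    client_id: env.CLIENT_ID,
    client_secret: env.CLIENT_SECRET,
    scope: "https://graph.microsoft.com/.default", // all granted application permissions
    grant_type: "client_credentials",
  });
  return {
    method: "POST",
    url: `https://login.microsoftonline.com/${env.TENANT_ID}/oauth2/v2.0/token`,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: params.toString(),
  };
}

// Decode a base64url segment (JWT segments have no padding and use - and _).
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Read the JWT payload without verifying the signature: Graph validates the token;
// this only lets the Bot inspect the claims it was issued.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("Not a JWT");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Compare the app-only token's "roles" claim with what the Bot needs. "missing"
// means Graph calls will fail; "extra" flags an over-privileged registration.
function checkAppRoles(token, required = REQUIRED_ROLES) {
  const roles = decodeJwtPayload(token).roles || [];
  return {
    ok: required.every((r) => roles.includes(r)),
    missing: required.filter((r) => !roles.includes(r)),
    extra: roles.filter((r) => !required.includes(r)),
  };
}

// Constructed, unsigned sample token so this runs offline; a real token comes
// from the response to buildClientCredentialsRequest().
function sampleToken(roles) {
  const enc = (obj) =>
    Buffer.from(JSON.stringify(obj)).toString("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc({ aud: "https://graph.microsoft.com", roles })}.signature`;
}
```

Running checkAppRoles() once at Bot start-up turns a mis-configured registration into a clear error instead of a 403 deep inside a conversation, and the "extra" list is a cheap way to notice when the app has been granted more than the two permissions the post asks for.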

2- Create the Node.js Bot in Azure

The prerequisite is an Azure subscription in order to go forward, therefore create the Azure Node.js Bot:

  • Click on Build in your Azure Bot page and then on "Open online code editor".
  • Replace the content of the files app.js and package.json with the samples contained in the VeronicaBot folder (app.js, package.json).
  • The last step is the configuration: remember to set up the variables properly in the Application Settings.

3- Create the SharePoint list, tenant properties and the SPFx Application Customizer

The Bot covers multiple channels: Teams, Direct Line, Skype, Cortana, Email, Slack and so on. If you plan to make use of Direct Line you can install the SPFx application customizer react-provisioning-bot with your whole tenant or a specific site collection as scope.


The SPFx extension reads the following keys from the tenant property bag:

// Tenant property keys read by the application customizer (SPFx, TypeScript)
private readonly ENTITYKEY_BOTID = "PnPGraphBot_BotId";
private readonly ENTITYKEY_DIRECTLINESECRET = "PnPGraphBot_BotDirectLineSecret";
private readonly CONVERSATION_ID_KEY = "PnPGraphBot_ConversationId";

Therefore, you have to run the script set-tenant-properties.ps1 in the folder ProvisioningArtifacts to save these properties. A SharePoint list is required in order to store the users' requests, so run the PowerShell script create-sharepoint-list.ps1; if you have not installed the PnP cmdlets on your machine, please install them first. I suggest you create the list in the root site collection of the tenant, since conceptually it makes sense to dedicate this site to the admins, but naturally you are free to create it where you prefer. The folder react-provisioning-bot contains a SharePoint Framework extension (application customizer) which allows the user to interact with the Bot from SharePoint through Direct Line:


It's up to you whether to install it tenant-wide or only on a specific site collection.
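The list created above is where the Bot stores each request before Flow picks it up. As an added example (not code from the original post or project), this Node.js snippet validates the values a user types into the Bot conversation and builds the Graph call that saves them as an item in the SitesRequest list. The column names (Title, SiteType, Alias, Requester, Status) and the site type values are assumptions, since the post does not show the list schema; the Graph endpoint itself is the documented POST /sites/{site-id}/lists/{list}/items.

```javascript
// Added example, not code from the original post or project: validates a
// provisioning request collected in a Bot conversation and builds the Graph call
// that stores it in the SitesRequest list. The column names (Title, SiteType,
// Alias, Requester, Status) are assumptions; the post does not show the list schema.

const SITE_TYPES = ["TeamSite", "CommunicationSite", "MicrosoftTeams"];
const TITLE_MAX = 255; // SharePoint single-line text columns hold 255 characters

// Chat input is untrusted: the alias ends up in a site URL or group mail nickname,
// so only a conservative character set is accepted instead of the raw message.
function validateRequest(input) {
  const errors = [];
  const title = String(input.title || "").trim();
  if (!title) errors.push("title is required");
  if (title.length > TITLE_MAX) errors.push(`title longer than ${TITLE_MAX} characters`);
  if (!SITE_TYPES.includes(input.siteType)) errors.push(`siteType must be one of ${SITE_TYPES.join(", ")}`);
  const alias = String(input.alias || "").trim();
  if (!/^[A-Za-z0-9][A-Za-z0-9-]{1,62}$/.test(alias)) errors.push("alias must be 2-63 characters: letters, digits, hyphens");
  const requester = String(input.requester || "").trim().toLowerCase();
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(requester)) errors.push("requester must be an email address");
  return { ok: errors.length === 0, errors, value: { title, siteType: input.siteType, alias, requester } };
}

// Graph: POST /sites/{site-id}/lists/{list-id-or-name}/items with a "fields" body.
// siteId "root" is the tenant's root site collection, where the post suggests
// creating the list.
function buildSaveRequest(siteId, listName, input) {
  const v = validateRequest(input);
  if (!v.ok) throw new Error(`Invalid request: ${v.errors.join("; ")}`);
  return {
    method: "POST",
    url: `https://graph.microsoft.com/v1.0/sites/${siteId}/lists/${encodeURIComponent(listName)}/items`,
    headers: { "Content-Type": "application/json" }, // Authorization: Bearer <app-only token> is added by the caller
    body: {
      fields: {
        Title: v.value.title,
        SiteType: v.value.siteType,
        Alias: v.value.alias,
        Requester: v.value.requester,
        Status: "Pending", // the admin's approval in Flow moves the request forward
      },
    },
  };
}
```

Because the Bot writes with App Only permission, the list item's Requester column, not the Graph caller, records who asked; validating the requester address and normalising it before saving keeps the admin's approval email and the later notification pointing at the right person.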

4- Azure Function

The engine of this solution is a C# Azure Function, Modern.Provisioning.Async.Function, which makes use of PnP to create a new SharePoint site (Team or Communication) or a new Microsoft Teams according to the user's request. Just to clarify, the Azure Function uses the admin credentials; the password is stored encrypted in an Azure Key Vault. In order to consume the Azure Function properly, don't forget to configure the application settings:

Key             Description
spAdminUser     Tenant admin email
KeyVaultSecret  The key secret value, after having created the key vault
TokenEndpoint   The token endpoint that you can retrieve for your Office 365 tenant from the Azure portal
listName        For this sample it is SitesRequest
ClientId        Client Id of the App Only registration used to consume Microsoft Graph, already used by the Bot
ClientSecret    Client Secret of the App Only registration used to consume Microsoft Graph, already used by the Bot
  • The SharePoint sites are created through PnP
  • The Microsoft Teams are created with Graph
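The solution's function is C#, so the following Node.js snippet is an added example rather than the project's own code: it spells out the two Graph calls that "The Microsoft Teams are created with Graph" amounts to (create an Office 365 group, then turn it into a team) from an approved SitesRequest item, and shows the normalisation the user's alias needs before it can become a group mail nickname. The item field names, the requester's object id parameter and the team settings chosen are assumptions.

```javascript
// Added example, not code from the original post or project (whose Azure Function
// is C#): the two Graph calls that "The Microsoft Teams are created with Graph"
// amounts to, derived from an approved SitesRequest item. Item field names and
// the team settings chosen below are assumptions.

const GRAPH = "https://graph.microsoft.com/v1.0";

// Office 365 group mail nicknames must not contain spaces or special characters
// and are limited to 64 characters, so the user's alias is normalised first.
function toMailNickname(alias) {
  const nick = String(alias).toLowerCase().replace(/[^a-z0-9-]/g, "").slice(0, 64);
  if (!nick) throw new Error("alias yields an empty mail nickname");
  return nick;
}

// Returns the ordered requests the function would issue with its app-only token:
// 1) create the Office 365 group, 2) turn that group into a team.
function buildTeamProvisioningPlan(item, ownerObjectId) {
  if (item.SiteType !== "MicrosoftTeams") throw new Error(`Not a Teams request: ${item.SiteType}`);
  if (!/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(ownerObjectId)) {
    throw new Error("ownerObjectId must be the requester's Azure AD object id");
  }
  return [
    {
      step: "createGroup",
      method: "POST",
      url: `${GRAPH}/groups`,
      body: {
        displayName: item.Title,
        mailNickname: toMailNickname(item.Alias),
        mailEnabled: true,
        securityEnabled: false,
        groupTypes: ["Unified"],
        visibility: "Private", // assumption: start private, the owner can open it later
        "owners@odata.bind": [`${GRAPH}/users/${ownerObjectId}`], // requester becomes owner, not the admin account
      },
    },
    {
      step: "enableTeam",
      method: "PUT",
      url: `${GRAPH}/groups/{groupId}/team`, // {groupId} comes from step 1's response
      body: {
        memberSettings: { allowCreateUpdateChannels: true },
        guestSettings: { allowCreateUpdateChannels: false }, // assumption
      },
    },
  ];
}
```

Binding the requester as owner at creation time matters with an App Only token: nothing is created "as" a user, so without the owners@odata.bind entry the new group would have no human owner and the requester would not be able to manage the team that was made for them.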

5- Microsoft Flow

Last but not least, there is a Microsoft Flow to implement, which basically performs the following steps:

  • Send an email to the admin when a user's request has been saved in the list SitesRequest
  • When the admin approves the request, call the Azure Function to start the provisioning
  • When the process has concluded, send an email notifying the user that the request has been fulfilled

Every step is done: enjoy the entire process now.

The solution is available on Github: O365ModernProvisioning

Source code of this solution is also available on the official GitHub of Microsoft SharePoint PnP: O365.Modern.Provisioning
