image
Dave Herrell
Atlassian, Azure, Entra ID (Azure AD), Groups, Jira, Jira Service Management - JSM, MS Teams, MS365

Jira Cloud: Create MS Teams Group via Jira Automation and Azure Runbooks

In my previous post, I showed how to automate group membership and user provisioning in Microsoft 365 using Jira or Jira Service Management (JSM) and Azure Runbooks. Now, let’s explore automating Microsoft Teams group creation.

First, if you haven’t set up the Automation account, Click the Create An Azure Automation Account below for step-by-step instructions. 

One thing to note, when creating the name of your automation account, this will show in your Teams alert.  I'll show you an example of this at the end of this post.
  • Log in to the Azure Portal.
  • Navigate to Automation Accounts:
    • Search for “Automation Accounts” in the search bar.
    • Click + Create to set up a new Automation Account.
  • Provide the required details:
    • Subscription: Select your Azure subscription.
    • Resource Group: Choose or create a resource group.
    • Name: Enter a name for your Automation Account.
    • Region: Select your preferred region.
    • Click Next

  • Under Advanced, choose System Assigned under Managed Identities.  We will go over why this may be your best option later.
  • Networking tab, ensure you have public access enabled for your connectivity configuration.
  • Setup your Tags (Highly recommended for housekeeping).
  • Click Review + Create and then Create.

After your Automation Account has been created, Go to the resource.

 

Create Runbook

Now, to set up your new runbook.  Under the Process Automation blade, click the arrow to expand and choose Runbooks.

You can delete the two tutorial runbooks if you wish.  They are handy to look over for setup and ideas. 

  • Next, click + Create to create a new runbook.

Provide the needed details

  • Click Create new.
  • Enter a name for your runbook.
  • Select PowerShell as the runbook type.
  • Choose ‘Select from existing’ for the runtime environment and select PowerShell-7.2 (or the latest release). This will be necessary to use the MS Graph API.
  • Add a description for your runbook.
  • Optionally, add tags to categorize your runbook.
  • Click Review + Create.
  • Once validation is complete, click Create.
  • Allow 2-3 minutes for the runbook to be created.

Our runbook will need specific PowerShell modules that aren’t installed by default.

To add them:

  • Click the + Add a module button at the top.

  • Click ‘Browse from the gallery.’
  • Search for ‘Microsoft.Graph.Authentication’ in the module gallery.
  • Select the latest version of the module.
  • Click
  • Choose the latest runtime version for your module.
  • Click Import.

It might take a little while to import the Microsoft.Graph.Authentication module. You can check its progress by searching for it in the module gallery. Once it says Available, you’re ready to use it!

Due the complexity of Teams creation, email, ownership and membership, well need to add more modules.  Continue the same steps above to add the other modules below:

  • Microsoft.Graph
  • Microsoft.Graph.Teams
  • Microsoft.Graph.Users
  • Application.ReadWrite.All
  • ChannelSettings.ReadWrite.All
  • Microsoft.Graph.Groups

You should have a similar view:

To enable your runbook to create Teams, we need to grant it permissions:

  • Go to Account Settings, choose Identity.
  • You’ll see a system-assigned managed identity is already enabled.
  • Click Add role assignment.
  • Set the scope to your Azure subscription.
  • Assign the Contributor role (or create a custom role with necessary permissions which is recommended).

  • Click Save.
  • Copy the object ID of the managed identity for future reference. We’ll be using this coming up.

 

Setup permission for your Object ID

We have one more step: Give our new Managed identity permissions to create our Teams.  Ensure you have the Object ID from your Managed Identity from the steps above.

  • In a new tab, Go to the Azure portal.
  • Choose the Microsoft Entra ID blade
  • Expand Manage, choose Enterprise applications.
  • On the search bar, search for the Object ID you have copied.
  • An application should show up; click on the name.
  • Expand the Security area, choose Permissions, and you’ll notice there are no Permissions set for your application.

To successfully create our new Microsoft Team, we’ll need to provide this application with several Microsoft Graph permissions. These permissions are essential for adding team members, generating a unique team email address, and designating a team owner. While these permissions are necessary for the team’s functionality, it would be beneficial if Microsoft could simplify the process by consolidating some of these permissions. As it stands now, PowerShell is the sole method available for adding these permissions.

The easiest way to do this is to open the Cloud Shell at the top of your Azure portal.  

Run the following PowerShell Script. Make sure you replace **MYOBJECTID** with the Object ID of the application you just searched for.

				
					Install-Module Microsoft.Graph -Scope CurrentUser

Connect-MgGraph -Scopes Application.Read.All, AppRoleAssignment.ReadWrite.All, RoleManagement.ReadWrite.Directory

$managedIdentityId = "MYOBJECTID"
$roleNames = @("User.Read.All", "Team.Create", "Group.ReadWrite.All","TeamMember.ReadWrite.All","Application.ReadWrite.All","ChannelSettings.ReadWrite.All")

$msgraph = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

foreach ($roleName in $roleNames) {
    $role = $Msgraph.AppRoles | Where-Object {$_.Value -eq $roleName}

    if ($role) {
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityId -PrincipalId $managedIdentityId -ResourceId $msgraph.Id -AppRoleId $role.Id
    }
    else {
        Write-Warning "Role $roleName not found in Microsoft Graph service principal roles."
    }
}

Disconnect-MgGraph

The Cloud console will run.

Choose A for Yes to All to install all the required Graph modules.  This will run for a few minutes.

It will then prompt you to Sign into a web browser and enter a code.   Simply copy the URL (or you can click the URL) and type the code into your browser.

  • Enter the code to allow access. Click Next.

  • The next screen will ask you to sign into your account to verify.
  • After you log in, you will need to consent on behalf of your company to give permissions to the Graph Command Line Tools. If you are okay with this, click Accept.

You can now close the tab where you granted admin consent. Return to the tab where your Azure Cloud Shell is running. The permission grant process should be complete, and your cloud shell should be disconnected from Microsoft Graph.

To verify that the permissions have been added successfully:

  • Navigate back to the Permissions tab of your enterprise application.
  • You should now see the new application permissions listed, with admin consent already granted. 

Ok, let’s go back to our runbook that we created.  Click the runbook and make sure you’re in the runbooks Overview view.

To edit your runbook:

  • Navigate to our runbook in the Azure portal.
  • Click ‘+ Edit’ and choose Edit in the portal.
  • Expand the Runbooks section on the left and select the correct runbook.
  • We’re ready to add our PowerShell script.
				
					[CmdletBinding()]
param(
    [Parameter(Mandatory=$false)][string]$Owner,
    [Parameter(Mandatory=$false)][string]$Members,
    [Parameter(Mandatory=$false)][ValidateSet('Private', 'Public')][string]$Visibility = 'Private',
    [Parameter(Mandatory=$false)][string]$TeamName,
    [Parameter(Mandatory=$false)][string]$TeamDescription,
    [Parameter(Mandatory=$false)][string]$ChannelEmail
)

try {
    Import-Module Microsoft.Graph.Authentication
    Connect-MgGraph -Identity
    
    if (-not $TeamName -or -not $Owner) { throw "TeamName and Owner are required" }

    $ownerUser = Get-MgUser -Filter "userPrincipalName eq '$Owner'"
    if (-not $ownerUser) { throw "Owner not found" }
    
    $memberIds = @()
    if ($Members) {
        $memberIds = ($Members -split ',').Trim() | ForEach-Object {
            (Get-MgUser -Filter "userPrincipalName eq '$_'").Id
        } | Where-Object { $_ }
    }

    $group = @{
        displayName = $TeamName
        description = $TeamDescription
        groupTypes = @("Unified")
        mailEnabled = $true
        mailNickname = $ChannelEmail.Split('@')[0]
        securityEnabled = $true
        visibility = $Visibility
        "owners@odata.bind" = @("https://graph.microsoft.com/v1.0/users/$($ownerUser.Id)")
    }

    if ($memberIds) {
        $group["members@odata.bind"] = @($memberIds | ForEach-Object { "https://graph.microsoft.com/v1.0/users/$_" })
    }

    $newGroup = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/groups" -Body ($group | ConvertTo-Json -Depth 10)
    Write-Host "Created group: $($newGroup.id)"
    
    Start-Sleep -Seconds 30
    
    $team = @{
        memberSettings = @{ allowCreateUpdateChannels = $true }
        messagingSettings = @{ allowUserEditMessages = $true; allowUserDeleteMessages = $true }
        funSettings = @{ allowGiphy = $true; giphyContentRating = "Strict" }
    }
    
    $teamResponse = Invoke-MgGraphRequest -Method PUT -Uri "https://graph.microsoft.com/v1.0/groups/$($newGroup.id)/team" -Body ($team | ConvertTo-Json)
    Write-Host "Team created successfully"

    if ($ChannelEmail) {
        Start-Sleep -Seconds 30
        $channels = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/teams/$($newGroup.id)/channels"
        $generalChannel = ($channels.value | Where-Object { $_.displayName -eq "General" })
        
        if ($generalChannel) {
            # Get current email settings
            $channelUri = "https://graph.microsoft.com/v1.0/teams/$($newGroup.id)/channels/$($generalChannel.id)/email"
            $currentEmail = Invoke-MgGraphRequest -Method GET -Uri $channelUri
            Write-Host "Email is configured as: $($currentEmail.email)"
        }
    }
}
catch {
    Write-Error "Failed to create/configure team: $_"
}
finally {
    Disconnect-MgGraph
}

Click Save.  Click Publish.  If you dont Publish the runbook it will stay in edit mode, Automation will not be able to work with the runbook.

 

Test Runbook

Before proceeding, we should test our runbook to ensure it works as expected. After all, if it doesn’t work here, the Jira automation definitely wont work.  

  • In the runbook editor, navigate to the Test pane.
  • Fill in the necessary parameters for the runbook to execute.
  • Click the Start button to initiate the test.
  • Please allow up to 3-5 minutes for the test to complete.
  • Once the test finishes, review the output to verify that it ran successfully and without errors.

Within the Azure Portal, expand the Microsoft Entra bade, expand Manage, and choose Groups.  Narrow down the filter to Microsoft 365 Groups.  There, you will find your newly created Microsoft Team from your test run.

 

Setting up Jira Automation

Ok, we have set up and tested our Azure runbook.  Now, let’s move on to the easier part of setting up the Jira Automation.  But first, what’s the scenario in this situation?

Our Scenario

A new Microsoft Teams Request ticket has been created in Jira. The ticket creator has already filled in the information needed to create the channel. A member of the Helpdesk reviews the ticket and transitions the ticket from Review to Create Team. This triggers the Jira automation which runs the Azure runbook which creates the new Teams group along with all the info given within the ticket.
  • Click your Project settings and go to Automation.
  • Choose Create Rule.
  • Our trigger will be when the Issue is Transitioned; select this option.
    • Our criteria are from status: Review to status Create Team.
    • Click Next.

Let’s add another condition to ensure the issue type is Microsoft Teams Request.

  • Add the IF: Add a condition
  • Choose Issue fields condition.
    • Under Field, we choose the Issue Type.
    • Condition, equals
    • Value is Microsoft Teams Request
    • Click Next.

Let’s add a branch component to work only off the issue that triggered it.  Choose FOR EACH: Add a branch, and select the Branch rule / related issues.   Choose Current Issue (default) on the next screen and click Next.

  • Click the Add to branch under your new Branch. Select the THEN: add an action. 
  • Search or scroll down to the Start runbook in Azure and choose it.
  • Next, we need to Connect our Azure account to our Jira account. Click the Connect   This will open a new window.
  • Sign in to your MS365 account if you’re not already signed in.
  • Review and approve the permissions request on behalf of your organization. Click
  • This tab should close out, taking you back to your Jira Automation

a screenshot of a phone

  • Within Jira Automation, Select your Azure Subscription name
  • Select the Resource Group that has your automation account.
  • Select the Automation account that holds your runbook.
  • Lastly, select the runbook we just set up.

The last thing we need to do is bind the Key-value pairs so the payload we send to Azure has the information to give to our runbook script.

In our simple example, we’re going to map Team name, Team email, Owner, Members, Team Visibility and Team Description.  These are all custom fields that our ticket uses. 

Table below depicts how we’ll be mapping our key-value pairs.

Owner

String

{{issue.customfield_10074.emailAddress}}

Members

String

{{issue.customfield_10075.emailAddress}}

Visibility

String

{{issue.customfield_10072}}

TeamName

String

{{issue.customfield_10076}}

TeamDescription

String

{{issue.customfield_10077}}

ChannelEmail

String

{{issue.customfield_10073}}

Note, for the Owner and Members field, we are using Jira’s custom User picker fields.   We are only using the email address of that user, which is our UPN name within Microsoft Entra ID.

You must insert the custom field IDs that your ticket uses.  Check out the handy guide here if you need help finding the Jira custom field IDs.

Once you’ve added all your key-value pairs, select Next.

Last we’re going to add a comment to the ticket to let the ticket reporter know it’s being created.   Since this script can take some time, we’ll ask the user to wait up to 5 minutes.   To create this,  select the THEN: add an action and search for add comment. 

You can use Jira short codes to make this comment more personal.  Here is my example: 

Last step, click the Rule Details at the top.

  • Name your rule
  • Set a description.
  • Set the Automation Owner.
  • Set the Actor (typically Automation for Jira)
  • Select if you want an email if this rule errors out.
  • Who can edit the rule?
  • Lastly, click Turn on Rule.

 

Let’s Test It!

The last thing to do is test our automation and runbook!  We’ll test with the newly created Microsoft Teams Request test ticket with the required Teams information filled out. 

Per our requirements, we’re going to transition the ticket from Review to Create Team to trigger the automation.

If we go to our Jira Automation rule and click the Audit log, we can see the runbook request was submitted.

Back in the Azure portal, if we open our runbook, we should see our runbook either running or completed already. If you click the Completed Status, you will see our Inputs, Errors, etc.

If we look at our ticket, there should be a comment left by our automation. 

And of course, if we check out our Entra ID Groups, we should see our newly created group along with the members and owner we set. 

If you have it setup, Teams will send a welcome to all the new members you added to the new group.  They will get an alert within Teams saying so they have been added as well.  This is where setting the name of the Azure Automation account needs to be thought about.  You will see the Automation name has added you to the new group alert.  Simliar to this: 

And that’s it!  You have created a new Microsoft Teams group using an Azure runbook that was triggered and fed information from Jira automation. 

By integrating Jira Cloud Automation with Azure Runbook, you can automatically create new Microsoft Teams in Microsoft Entra ID whenever changes occur in Jira Cloud. This automated solution minimizes manual intervention, improves efficiency, and enhances overall system management.

I hope you found this helpful!

Pull Azure runbook script from my GitHub Entra ID Repo
Pull Azure runbook script from my Bitbucket Entra ID Repo