
Adding/Removing a user to a Microsoft Entra ID group with Siit via n8n

Learn how to automatically add or remove users from Microsoft Entra ID (Azure AD) groups using Siit workflows and N8N automation. This guide uses Siit's branching feature to manage multiple groups from a single workflow.

What you'll need

  • A Siit workspace with workflow capabilities
  • N8N instance (cloud or self-hosted)
  • Microsoft Entra ID with admin permissions
  • Microsoft Graph API access
  • SMTP email account for notifications (Gmail, Outlook, SendGrid)

 

Overview

This guide shows you how to:

  1. Set up a Microsoft Entra ID app registration with proper permissions
  2. Configure N8N workflows to handle Microsoft Graph API calls (with ready-made templates)
  3. Use Siit's branching feature to manage multiple groups from a single workflow
  4. Automatically add or remove users from Entra ID groups based on request attributes

Quick Start: We provide two N8N workflow templates you can import directly - no need to build from scratch!

 

Step 1: Register an App in Microsoft Entra ID

1.1 Create App Registration

  1. Go to Azure Portal
  2. Navigate to Microsoft Entra ID → App registrations
  3. Click New registration
  4. Enter a name (e.g., "Siit Group Automation")
  5. For Supported account types, select "Accounts in this organizational directory only"
  6. Click Register

 

1.2 Configure API Permissions

  1. In your app registration, go to API permissions
  2. Click Add a permission → Microsoft Graph → Application permissions
  3. Add these permissions:
    • GroupMember.ReadWrite.All - to add/remove group members
    • User.Read.All - to read user information
    • Group.Read.All - to read group information
  4. Click Grant admin consent for your organization

 

1.3 Create Client Secret

  1. Go to Certificates & secrets
  2. Click New client secret
  3. Add a description and set expiration
  4. Copy the Value immediately (you won't see it again)
  5. Also note your Application (client) ID and Directory (tenant) ID from the Overview page

 

Step 2: Map Your Microsoft Entra ID Groups

 

Create a reference list of the groups you want to automate. For each group:

  1. In Azure Portal, go to Microsoft Entra ID → Groups
  2. Find and open the group
  3. Copy the Object ID - this is your Group ID
  4. Note the group name or purpose

 

Example mapping:

  • Security Team → 12345678-1234-1234-1234-123456789abc
  • Developers → 87654321-4321-4321-4321-cba987654321
  • HR Access → 11111111-2222-3333-4444-555555555555

You'll use these IDs in your Siit workflow branches.

 

Step 3: Set Up N8N Workflows

You'll create two N8N workflows:

  1. Add User to Group - handles adding users
  2. Remove User from Group - handles removing users

 

Option A: Import Ready-Made Templates (Recommended)

We've created production-ready N8N templates you can import and configure in minutes.

 

Download the Templates

 

Template 1: Add User to Group

n8n-add-json-download

  • Copy the JSON from the "N8N Template - Add User to Entra ID Group" artifact
  • Save as n8n-add-to-entra-group.json

 

Template 2: Remove User from Group

n8n-remove-json-download

  • Copy the JSON from the "N8N Template - Remove User from Entra ID Group" artifact
  • Save as n8n-remove-from-entra-group.json

 

Import into N8N

  1. Log into your N8N instance
  2. Click Workflows → Import from File
  3. Upload n8n-add-to-entra-group.json
  4. Repeat for n8n-remove-from-entra-group.json

 

Configure the Templates

 

1. Update Microsoft Credentials:

In the "Get Access Token" node of both workflows:

  • Replace YOUR_TENANT_ID with your Directory (tenant) ID
  • Replace YOUR_CLIENT_ID with your Application (client) ID
  • Replace YOUR_CLIENT_SECRET with your client secret value

 

2. Set Up Webhook Authentication:

For security, generate a strong random token:

  openssl rand -base64 32

In N8N:

  1. Go to Credentials → Create New → "Header Auth"
  2. Configure:
    • Name: "Siit Webhook Auth"
    • Header Name: Authorization
    • Header Value: Bearer YOUR_GENERATED_TOKEN
  3. Save the credential

In both workflow webhook nodes:

  • Set Authentication to "Header Auth"
  • Select the "Siit Webhook Auth" credential

Keep this token secure - you'll need it when configuring Siit webhooks.

 

3. Configure Email Notifications:

Set up SMTP credentials in N8N:

  1. Go to Credentials → Create New → "SMTP"
  2. Fill in your SMTP details:
    • Gmail: Host: smtp.gmail.com, Port: 587, enable 2FA and use app password
    • Outlook: Host: smtp.office365.com, Port: 587
    • SendGrid: Host: smtp.sendgrid.net, Port: 587, Username: apikey
  3. Save the credential

 

In both workflows, update the email nodes:

  • "Send Error Email" and "Send Success Email" nodes
  • Set From Email to your sending address (e.g., automation@company.com)
  • Set To Email to your team's address (e.g., it-team@company.com)
  • Select your SMTP credential

 

4. Activate and Get URLs:

  1. Save both workflows
  2. Toggle each to Active
  3. Click the webhook node to get the URLs:
    • Add: https://your-n8n.com/webhook/siit-entra-add
    • Remove: https://your-n8n.com/webhook/siit-entra-remove

 

Option B: Build Workflows Manually

If you prefer to build the workflows yourself, see the detailed manual setup instructions in our companion guide.
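For reference when building the workflows yourself, these are the Microsoft Graph calls the "Add User" and "Remove User" workflows need: the client-credentials token request, the user lookup, and the membership add/remove requests. This is an added Node.js example, not the template's code or the companion guide; the YOUR_TENANT_ID-style placeholders match the template configuration, and the build*/send function names are this example's own.

```javascript
const GRAPH = "https://graph.microsoft.com/v1.0";

// Client-credentials token request for the app registered in Step 1. The
// /.default scope asks for the application permissions consented in 1.2.
function buildTokenRequest(tenantId, clientId, clientSecret) {
  return {
    method: "POST",
    url: `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/token`,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({
      grant_type: "client_credentials",
      client_id: clientId,
      client_secret: clientSecret,
      scope: "https://graph.microsoft.com/.default",
    }).toString(),
  };
}

// Resolve the Siit userEmail to a directory object id. Works when the user's
// UPN equals that email; the value is caller-supplied, so encode it before it
// lands in the URL path.
function buildUserLookup(token, userEmail) {
  return {
    method: "GET",
    url: `${GRAPH}/users/${encodeURIComponent(userEmail)}?$select=id,userPrincipalName`,
    headers: { Authorization: `Bearer ${token}` },
  };
}
// Add membership: POST .../members/$ref with an @odata.id reference.
function buildAddMember(token, groupId, userObjectId) {
  return {
    method: "POST",
    url: `${GRAPH}/groups/${groupId}/members/$ref`,
    headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
    body: JSON.stringify({ "@odata.id": `${GRAPH}/directoryObjects/${userObjectId}` }),
  };
}
// Remove membership: DELETE .../members/{id}/$ref, no body.
function buildRemoveMember(token, groupId, userObjectId) {
  return {
    method: "DELETE",
    url: `${GRAPH}/groups/${groupId}/members/${userObjectId}/$ref`,
    headers: { Authorization: `Bearer ${token}` },
  };
}
// Send one built request with Node 18+ global fetch. Graph answers 204 for a
// successful add/remove; adding an existing member returns 400 and removing a
// non-member 404, so the status and body are kept in the thrown error.
async function send(req) {
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  const text = await res.text();
  if (!res.ok) throw new Error(`Graph ${req.method} ${req.url} -> ${res.status}: ${text}`);
  return text ? JSON.parse(text) : null;
}
```

The 400 on a duplicate add and 404 on a missing member are the cases the "Send Error Email" node ends up reporting, so decide in the workflow whether to treat them as already-done rather than as failures.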

 

Step 4: Configure Siit Workflows with Branching

Now you'll create workflows in Siit that use branching to handle multiple groups.

 

4.1 Create "Add to Groups" Workflow

 

Create the Workflow

  1. Go to Settings → Workflows in Siit
  2. Click Create workflow
  3. Name it: "Add to Entra ID Groups"

 

Set the Trigger

Choose a trigger that fits your use case:

  • Request submitted - for new access requests
  • Approval granted - after manager approval
  • Tag added - when a specific tag is applied

Example: Trigger: Request submitted with Condition: Service = "Group Access"

 

Add Branching for Multiple Groups

Use Siit's Paths feature to handle different groups:

  1. Click Add action → Paths
  2. Create a path for each group

 

Path 1: Security Team

  • Condition: Tag = "Security-Team"

 

Path 2: Developers

  • Condition: Tag = "Developer-Access" OR Department = "Engineering"

 

Path 3: HR Access

  • Condition: Tag = "HR-Access"

 

Path 4: Default (Fallback)

  • Condition: None (catches unmatched requests)
  • Action: Add note "Manual review required", Set status to "Waiting"

 

Configure Webhook in Each Path

For each path (except the default), add a Call webhook action:

URL: https://your-n8n.com/webhook/siit-entra-add

Method: POST

Authentication - Add Header:

  1. Click Add Header

  2. Set Header Name: Authorization

  3. Set Header Value: Bearer YOUR_SECRET_TOKEN (from Step 3)


Body (JSON) for Path 1 - Security Team:

  {
    "requestId": "",
    "userEmail": "",
    "userName": "",
    "groupId": "12345678-1234-1234-1234-123456789abc",
    "groupName": "Security Team",
    "requestedBy": ""
  }

Body (JSON) for Path 2 - Developers:

  {
    "requestId": "",
    "userEmail": "",
    "userName": "",
    "groupId": "87654321-4321-4321-4321-cba987654321",
    "groupName": "Developers",
    "requestedBy": ""
  }

Repeat for each path with the corresponding groupId from Step 2.

Important: The authentication token must match exactly between Siit and N8N.

 

Add Follow-up Actions

After the webhook in each successful path:

  • Add a note: "User added to Entra ID group"
  • Set status: Resolved
  • Send a reply: "Your access to has been granted"

 

4.2 Create "Remove from Groups" Workflow

Follow the same pattern for removal:

 

Create the Workflow

  1. Go to Settings → Workflows
  2. Click Create workflow
  3. Name it: "Remove from Entra ID Groups"

 

Set the Trigger

Choose:

  • End date (People trigger) - for off-boarding
  • Tag added - when "Revoke-Access" tag is applied
  • Request submitted - for removal requests

 

Add Branching

Create paths for each group:

Path 1: Remove from Security Team

  • Condition: Tag = "Remove-Security"

Path 2: Remove from Developers

  • Condition: Tag = "Remove-Developer"

Path 3: Off-boarding (Remove from All)

  • Condition: Trigger = "End date"
  • Action: Call the webhook once for each critical group

 

Configure Webhook in Each Path

URL: https://your-n8n.com/webhook/siit-entra-remove

Method: POST

Headers:

  • Authorization: Bearer YOUR_SECRET_TOKEN

Body (JSON):

  {
    "requestId": "",
    "userEmail": "",
    "userName": "",
    "groupId": "12345678-1234-1234-1234-123456789abc",
    "groupName": "Security Team",
    "requestedBy": ""
  }

Add Follow-up Actions

After each webhook:

  • Add a note: "User removed from Entra ID group"
  • Set status: Resolved
  • Send a reply: "Your access to has been revoked"

 

Step 5: Test Your Automation

 

5.1 Test Adding Users

  1. Test Security Team path:
    • Create a request in Siit with Tag = "Security-Team"
    • Verify the workflow triggers and calls the N8N webhook
    • Check your email for a success notification
    • Confirm the user appears in the Security Team group in Azure
  2. Test Developers path:
    • Create a request with Department = "Engineering"
    • Verify it triggers the Developers path
    • Check email and Azure for confirmation
  3. Test authentication:
    • Try submitting without the auth header (should fail)
    • Verify the webhook is properly secured
  4. Test error handling:
    • Create a request with an invalid group ID
    • Check email for an error alert with details

 

5.2 Test Removing Users

  1. Create a test request with Tag = "Remove-Security"
  2. Verify the Remove workflow triggers
  3. Check email for success notification
  4. Confirm user was removed from the group in Azure

 

5.3 Verify in Azure

  1. Go to Azure Portal → Microsoft Entra ID → Groups
  2. Open each test group
  3. Check Members to confirm changes

 

5.4 Monitor Email Notifications

Your email inbox will show:

  • Success notifications with user details
  • Error alerts with error messages and request IDs

This gives your team real-time visibility without monitoring multiple systems.

 

Example Workflow Structures

 

Workflow 1: Add to Entra ID Groups

  Trigger: Request submitted
  Condition: Service = "Group Access"

  [Paths]
  ├─ Path 1: Security Team
  │    Condition: Tag = "Security-Team"
  │    Actions:
  │      • Call webhook → Add User (groupId: 12345...)
  │      • Add note: "Added to Security Team"
  │      • Set status: Resolved
  │      • Send reply: "Access granted"
  ├─ Path 2: Developers
  │    Condition: Tag = "Developer-Access"
  │    Actions:
  │      • Call webhook → Add User (groupId: 87654...)
  │      • Add note: "Added to Developers group"
  │      • Set status: Resolved
  ├─ Path 3: HR Access
  │    Condition: Tag = "HR-Access"
  │    Actions:
  │      • Call webhook → Add User (groupId: 11111...)
  │      • Add note: "Added to HR Access"
  │      • Set status: Resolved
  └─ Path 4: No Match (Default)
       Condition: (none)
       Actions:
         • Add note: "Manual review required"
         • Set status: Waiting
         • Notify admin inbox

Workflow 2: Remove from Entra ID Groups

  Trigger: End date OR Tag = "Revoke-Access"

  [Paths]
  ├─ Path 1: Remove from Security Team
  │    Condition: Tag = "Remove-Security"
  │    Actions:
  │      • Call webhook → Remove User (groupId: 12345...)
  │      • Add note: "Removed from Security Team"
  │      • Set status: Resolved
  ├─ Path 2: Remove from Developers
  │    Condition: Tag = "Remove-Developer"
  │    Actions:
  │      • Call webhook → Remove User (groupId: 87654...)
  │      • Add note: "Removed from Developers"
  │      • Set status: Resolved
  └─ Path 3: Off-boarding (Remove All)
       Condition: Trigger = End date
       Actions:
         • Call webhook → Remove from Security (groupId: 12345...)
         • Call webhook → Remove from Developers (groupId: 87654...)
         • Call webhook → Remove from HR (groupId: 11111...)
         • Add note: "All access removed for off-boarding"
         • Set status: Resolved

Understanding Paths in Siit

Paths allow you to create multiple conditional branches in a single workflow. This is perfect for managing multiple Entra ID groups because:

  • One workflow, many groups: Instead of creating separate workflows for each group, use paths to handle all groups in one place
  • Clear logic: Each path has its own conditions (tags, services, departments) and actions
  • Easy maintenance: Update group mappings in one central workflow
  • Fallback handling: Add a default path to catch requests that don't match any group

 

Path Evaluation Order

Siit evaluates paths in order from top to bottom and executes the first matching path. Structure your paths from most specific to least specific:

  1. Most specific conditions (exact tag matches, specific services)
  2. Broader conditions (department-based, team-based)
  3. Default/fallback path with no conditions (catches everything else)

Email Notifications

 

Success Notification Format

Subject: ✅ User added to Entra ID group - Security Team

Body includes:

  • User email
  • Group name
  • Request ID
  • Timestamp

 

Error Alert Format

Subject: ❌ Failed to add user to Entra ID group - Security Team

Body includes:

  • User email
  • Group name
  • Request ID
  • Error details
  • Timestamp

 

Customizing Notifications

Edit the Send Email nodes in N8N to:

  • Change recipients based on error severity
  • Add more context (department, environment)
  • Include direct links to Siit requests
  • Forward critical errors to on-call systems

Set up email filters:

  • "❌ Failed" → mark as important, forward to PagerDuty
  • "✅ User added" → move to "Automation Logs" folder
  • Mobile notifications for error emails only

 

Practical Multi-Group Scenarios

 

Scenario 1: Department-Based Access

Use Case: Automatically add new employees to their department's Entra ID group

Siit Workflow:

  • Trigger: Start date (People trigger)
  • Path 1: Department = "Engineering" → Add to Developers group
  • Path 2: Department = "Sales" → Add to Sales Tools group
  • Path 3: Department = "Finance" → Add to Finance Systems group
  • Path 4: Default → Notify HR for manual assignment

 

Scenario 2: Role-Based Application Access

Use Case: Grant application access based on role or seniority

Siit Workflow:

  • Trigger: Request submitted (Service = "App Access")
  • Path 1: Tag = "Admin-Tools" AND Seniority = "Manager" → Add to Admin Tools group
  • Path 2: Tag = "CRM-Access" → Start approval → Add to CRM Users group
  • Path 3: Tag = "Analytics" AND Department = "Marketing" → Add to Analytics group

 

Scenario 3: Off-boarding with Multiple Removals

Use Case: Remove access from all groups when employee leaves

Siit Workflow:

  • Trigger: End date (People trigger)
  • Path 1: Employment type = "Employee" → Remove from all employee groups
  • Path 2: Employment type = "Contractor" → Remove from contractor groups only
  • Multiple webhook calls to remove from: Security, Developers, HR, Finance groups

 

Scenario 4: Temporary Access

Use Case: Grant temporary project access that auto-expires

Workflow 1 - Addition:

  • Trigger: Request submitted (Tag = "Temp-Access")
  • Action: Add to group, add tag "Auto-Remove-30d", snooze for 30 days

Workflow 2 - Removal:

  • Trigger: Snooze expired
  • Condition: Tag = "Auto-Remove-30d"
  • Action: Remove from group, notify requester

 

Troubleshooting

 

Common Issues

"Insufficient privileges" error

  • Verify API permissions include GroupMember.ReadWrite.All
  • Ensure admin consent was granted in Azure
  • Check the app has Application permissions (not Delegated)
  • Check email for full error details

"Resource not found" error

  • Verify the Group ID is correct (Object ID from Azure)
  • Check the group ID matches in the Siit webhook body
  • Ensure the user exists in Entra ID
  • Verify email format matches exactly

Webhook authentication fails (401)

  • Verify Authorization header format: Bearer YOUR_TOKEN
  • Check token matches exactly between Siit and N8N
  • Ensure no extra spaces or line breaks
  • Test with curl:

      curl -X POST https://your-n8n.com/webhook/siit-entra-add \
        -H "Authorization: Bearer YOUR_TOKEN" \
        -H "Content-Type: application/json" \
        -d '{"userEmail":"test@company.com","groupId":"xxx"}'

Webhook not triggering

  • Verify N8N workflow is Active
  • Check webhook URL is correct in Siit
  • Verify Authorization header is set
  • Review Siit workflow conditions

Email notifications not arriving

  • Check SMTP credentials in N8N
  • Verify email addresses are correct
  • Check spam/junk folders
  • For Gmail: Enable 2FA and use app password
  • Review N8N execution logs for errors

 

Path-Specific Issues

Wrong group ID sent to N8N

  • Review path conditions - ensure they're mutually exclusive
  • Check path order - first matching path wins
  • Verify group ID in each path's webhook body

Request doesn't match any path

  • Check if default/fallback path exists
  • Review tags, services, conditions used
  • Verify requester attributes are populated

Path always goes to default

  • Conditions may be too specific or incorrect
  • Check spelling of tags (case-sensitive)
  • Verify requester attributes exist

 

Best Practices

 

Workflow Design

  1. Use Paths Effectively: Group related requests in one workflow rather than creating separate workflows
  2. Clear Naming: Name paths descriptively ("Security Team - Add" vs "Path 1")
  3. Order Strategically: Most specific conditions first, default path last
  4. Add Fallback Paths: Always include a default path for unexpected requests

Security & Access

  1. Secure Authentication: Use strong random tokens, rotate periodically
  2. Service Accounts: Create dedicated accounts for API access
  3. Rotate Secrets: Set client secret expiration, rotate regularly
  4. Least Privilege: Only grant necessary permissions
  5. Audit Logging: Enable in both Siit and Entra ID
  6. Add Approvals: For sensitive group additions

Monitoring & Reliability

  1. Email Filtering: Set up rules to organize by severity
  2. Review Daily: Monitor inbox for error patterns
  3. Alert on Critical Errors: Forward to on-call systems
  4. Test Regularly: Monthly test requests
  5. Track Metrics: Monitor success/failure rates
  6. Review Weekly: Check error patterns

Testing & Maintenance

  1. Test in Dev: Use test groups first
  2. Verify Each Path: Test independently
  3. Tag Consistency: Clear conventions
  4. Document Mappings: Keep group ID reference
  5. Review Quarterly: Audit automated groups
  6. Scale Gradually: Start with 2-3 groups

 

Next Steps

  • Add more group paths to your workflows
  • Create approval flows for sensitive groups
  • Set up conditional access based on department/role
  • Build temporary access with auto-expiration
  • Integrate with HRIS for automated onboarding/off-boarding
  • Monitor and optimize based on email notifications

 

Need Help?