Matrix42 Self-Service Help Center

Assigning AAD accounts to an AAD group via provisioning


If your instance of Matrix42 Enterprise Service Management is integrated with Azure Active Directory, you can assign AAD accounts to AAD groups by using Service Catalog services.

To use this feature, you need to install the Provisioning Workflow - Assign Azure Active Directory Group package from the Extension Gallery. This package contains the Provisioning - Assign AAD Group workflow that allows assigning AAD accounts to AAD groups in Azure Active Directory.

For more information on integration with Azure Active Directory, refer to Azure Active Directory / Office365.


Provisioning Workflow - Assign Azure Active Directory Group uses Microsoft Graph API. Calling this API requires one of the following permissions. 

| Permission type | Permissions (in ascending order of privilege) |
| --- | --- |
| Delegated (work or school account) | GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | GroupMember.ReadWrite.All, Group.ReadWrite.All and Directory.ReadWrite.All |

To add members to a role-assignable group, you must also assign the RoleManagement.ReadWrite.Directory permission to the calling user or application.
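The following is an added example, not part of the Matrix42 product or its documentation: an audit helper that reads the permissions carried by a Microsoft Graph access token and compares them with the table above, flagging anything beyond the lowest sufficient permission. It assumes application permissions appear in the token's `roles` claim and delegated permissions in `scp`; the function names are hypothetical and the sample token is constructed.

```python
import base64
import json

# Permissions from the table above, in ascending order of privilege.
GROUP_WRITE_PERMS = ["GroupMember.ReadWrite.All", "Group.ReadWrite.All",
                     "Directory.ReadWrite.All"]
ROLE_GROUP_PERM = "RoleManagement.ReadWrite.Directory"


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_sample_token(claims):
    """Build a constructed, unsigned JWT-shaped string for demonstration only."""
    return ".".join([_b64url({"alg": "none", "typ": "JWT"}), _b64url(claims), "sig"])


def token_permissions(jwt):
    """Read permissions from a token payload. The signature is NOT verified."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    # Application permissions arrive in "roles", delegated ones in "scp".
    return set(claims.get("roles", [])) | set(claims.get("scp", "").split())


def review(jwt, role_assignable_group=False):
    """Check a token against the workflow's needs and flag excess privilege."""
    perms = token_permissions(jwt)
    held = [p for p in GROUP_WRITE_PERMS if p in perms]
    # Any one listed permission suffices, so everything above the lowest is excess.
    excess = [p for p in held if p != GROUP_WRITE_PERMS[0]]
    if ROLE_GROUP_PERM in perms and not role_assignable_group:
        excess.append(ROLE_GROUP_PERM)
    return {
        "can_add_members": bool(held),
        "excess": excess,
        "missing_for_role_group": role_assignable_group and ROLE_GROUP_PERM not in perms,
    }


if __name__ == "__main__":
    sample = make_sample_token(
        {"roles": ["GroupMember.ReadWrite.All", "Directory.ReadWrite.All"]})
    print(review(sample))
```

Because the helper does not validate the token signature, it is suitable for reviewing a token you obtained yourself for the service connection, not for making authorization decisions.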

How to configure a service for assigning accounts to an AAD group

After you have installed the Provisioning Workflow - Assign Azure Active Directory Group package, you will need to configure a corresponding service:

  1. Open the Service Catalog application.
  2. Create a service named "Assign to AAD Group".
  3. On the General tab, select Operational in the Status field.
  4. On the Provisioning tab, fill in the following fields:
     • In the Provisioning Workflow lookup, select the Provisioning - Assign AAD Group workflow. As a result, the Target Type field value will change to AD Account and two additional fields will appear.
     • In the Azure Active Directory Group lookup, select an AAD group to which accounts will be assigned.
     • In the Configuration lookup, choose the AAD data provider configuration. The workflow uses this data to retrieve the service connection and connect to Azure Active Directory.
  5. Save the dialog.

Now you can use the Self Service Portal application and the Assign Service action in the Service Catalog application in order to add AAD accounts to the selected AAD group.

A service can be unassigned by returning it in the Self Service Portal and by using the Unassign Service action.

For details on ordering and returning services via the Self Service Portal, see Ordering Services and Returning Services.

To check which AAD accounts belong to which AAD group, open Groups > AD Groups in the Master Data application and review member accounts for the selected group.
