Sunday, November 16, 2025

Copilot - Graph Connectors vs Custom Agent Connectors with ServiceNow

You have started using Copilot, and your organization is interested in purpose-built agent solutions that work with organizational data for specific use cases. Ever been confused about which agent model to use, or which connector would be the best for your scenario?


This is where intentional architecture matters.

Microsoft offers a wide variety of tools and choices, which can feel overwhelming at first, but ultimately enables better response accuracy, richer agent experiences, and more efficient cost management.

End users are becoming more comfortable with AI-powered search and retrieval solutions, while technical teams are eager to move further into custom-built experiences. Enter Copilot Studio — a low-code platform that makes agent development accessible and fast. However, ease of use can sometimes create blind spots, leading to architectural missteps if foundational planning isn’t addressed early.

Before jumping in, consider a few key questions:

  • Is your Power Platform governed correctly and supported with ALM-ready environments?

  • Do you truly need a Custom Engine agent or custom connectors, or would a Microsoft Graph connector meet the requirement more efficiently?

  • Are users already licensed for M365 Copilot, and could leveraging Graph connectors help manage cost while still delivering secure data access?

I frequently see the excitement around Copilot Studio spark immediate building — which is great — but without proper planning, this can quickly introduce unnecessary cost, confusion for end users, and complex licensing gaps between fully licensed and pay-as-you-go users.

In this post, we’ll explore connector strategies along with the architectural considerations you should validate before building your first agent. We’ll compare these decisions through the lens of the ServiceNow ecosystem, which is equally robust and full of solution design possibilities.

Real world scenario with ServiceNow:

To set the stage: your organization is using M365 Copilot Chat — adoption may be growing, but not yet universal. You know valuable insights live inside ServiceNow, across Knowledge Bases, tickets and incidents, and service catalogs. The natural next step is figuring out how to bring that value into Copilot experiences — intentionally. 

As a builder, you’re aware there’s no shortage of paths to take — and one of your primary starting points lives right inside the M365 Admin Center under Copilot, where you can configure access, licensing, and foundational settings.

And naturally, curiosity leads you to explore Copilot Studio—an exciting space full of possibilities, but also one that can quickly increase confusion if the roadmap isn’t clear.


You might be wondering: Why are there three different Graph connector options, and how do they compare to the ServiceNow connectors available in Copilot Studio?

To clarify this, we’ll walk through Graph Connector–based agents vs. Custom Connector–based agents, which will make it easier to understand the purpose and value of each Graph connector type.

Graph Connector – Integrates ServiceNow data into Microsoft 365 Copilot experiences (e.g., search, summarization, answers) by indexing ServiceNow content through Microsoft Graph. This enables enterprise search-driven intelligence without requiring direct API calls during each interaction.

Custom Connector – Enables a custom agent to call ServiceNow APIs in real time, supporting workflow actions, transactional operations, and deeper conversational logic. Because it executes API calls on demand during each interaction, it does not rely on Graph indexing and requires consistent API availability and performance.

Both approaches are secure, but they rely on different permission models and can drive different cost implications depending on how data is accessed and used. The three Graph connector options help accommodate these varying permission scopes and governance requirements.


Comparison - M365 Copilot with Graph connector vs Custom Agent connector

Let's start with Knowledge Base research.

Using M365 Copilot Chat with the Graph connector enabled, let's search for any articles related to Apple products.


The same prompt leveraging a Copilot Studio agent with custom connector and API call. (Demonstrated using Copilot Studio test pane to review the connector steps and the generative orchestration enabled through the agent configuration)


While both approaches provide helpful responses, there are some key differences. The Studio agent calls the connector and directly queries the ServiceNow API, generating a more condensed set of responses. In contrast, the M365 Copilot Chat experience leverages Graph index data and generative orchestration to provide richer, more detailed answers within the conversation while also including reference links to the ServiceNow source.

In practice, even though this difference may not be immediately obvious, the user experience can be quite similar. For many scenarios—such as retrieving knowledge base articles—direct API calls aren’t always necessary. Using the Graph connector to index ServiceNow data can be more responsive and cost-effective, requiring only configuration of the connector without the need to build a fully interactive agent.

Using Graph-indexed data can optimize the experience when the source content is relatively static and not constantly changing. Knowledge base articles or reference materials are ideal candidates for this approach. In contrast, tickets, incidents, or catalog items tend to be more dynamic, frequently updated, or require additional user interaction to reach the correct information. In these cases, direct API queries via a custom connector or Studio agent may provide more accurate and timely responses.

Additionally, ticket or incident data may require different user permissions to ensure that critical or sensitive information isn’t inadvertently shared across the organization. Proper access controls and governance are essential when exposing dynamic or confidential data through either Graph-indexed solutions or custom connectors.

Topic integration for advanced scenarios like ServiceNow Catalogs

Where Copilot Studio agents truly shine is in their flexibility—for example, when working with catalog knowledge in ServiceNow. While catalogs can be accessed through both Graph-indexed data and custom connectors, the combination of Topics and Tools in Studio allows for a more intuitive and interactive end-user experience. This approach enables users to navigate complex catalogs more naturally and complete tasks with fewer steps.

In this example, the end user may not know which catalogs or catalog items are available through M365 Copilot Chat. Studio agents, with their flexible combination of Topics and Tools, can surface relevant options more intuitively, guiding users to the right catalog items without requiring prior knowledge of what’s available.

Copilot Chat typically responds with a list of items, requiring the user to read through the options to determine which catalog or topic is most appropriate. This is an example where a more targeted or extensive prompt could produce a more direct answer, helping the user reach the desired information faster and with less effort.

A custom-built agent in Copilot Studio can be designed to deliver a more intuitive sequence, guiding users efficiently and aligning responses more closely with their specific needs using generative orchestration.

Using a Topic to steer the conversation to the appropriate tool (GetCatalogs):

The end user is asked which information (catalog) they are interested in.


Once the catalog is selected - the topic calls an additional tool (GetCatalogItems) to gather the inventory and provide links to each catalog item.

To support an intuitive user flow, the agent is structured and designed in the following way:





The Topic guides the conversation flow between the ServiceNow connector tools and generative orchestration, while instructions define how the final output should be formatted for the end user. In this example, variable management (Set Variable Value Expression) is also leveraged to dynamically present the available catalog list directly within the agent’s chat experience, creating a more interactive and personalized workflow.

When working with multiple catalogs and large, detailed inventories, an interactive agent experience can significantly improve user satisfaction by helping users navigate options more efficiently and reach the right information with less friction.


Cost comparison - M365 Copilot with Graph connector vs Custom Agent connector

When using M365 Copilot with a Graph connector, licensing is straightforward — Copilot is priced at $30 per user per month, and Graph-based queries are included in that cost. For organizations with active M365 Copilot adoption, this becomes a predictable, all-inclusive experience.

In contrast, Copilot Studio agents that rely on custom connectors call external APIs (such as ServiceNow) during each conversation. Users who do not have an M365 Copilot license will consume pay-as-you-go (PAYG) credits, introducing variable usage-based costs. This can be very cost-effective at low usage but may scale significantly in high-volume scenarios.


Example Cost Model (at time of writing)

Copilot Studio is billed using Copilot Credits, the universal currency for agent execution.

Rate Options
  • Prepaid Pack: 25,000 credits for $200/month
  • PAYG: $0.01 per credit

Estimated Credit Use (ServiceNow-integrated agent)
  • Generative response: 2 credits
  • External API call (ServiceNow): 5 credits per call
  • Assume ~3 API actions per conversation → (3 × 5) + 2 = 17 credits per conversation

Sample Monthly Scenario

2,000 conversations × 17 credits = 34,000 credits / month

Component | Cost
Prepaid 25,000-credit pack | $200
Remaining 9,000 credits (PAYG @ $0.01) | $90
Total Estimated Monthly Cost | ~$290

Take a look at the agent usage estimator for more detail: Microsoft agent usage estimator

Closing

In short, choosing between Graph connectors and custom connectors in Copilot Studio isn’t just a technical decision — it’s a strategic one. Graph connectors let you securely bring ServiceNow data into Microsoft 365 Copilot experiences, while custom connectors unlock direct API-driven workflows, richer dialogues, and real-time actions. Each has its own security, permission, and cost trade-offs — and Microsoft’s three Graph connector variants give you flexibility to align with your governance and usage model. From a cost standpoint, leveraging existing M365 Copilot licenses can be very efficient, but building in Studio with custom connectors may introduce pay-as-you-go consumption for non-licensed users, which needs to be managed carefully.

If you want to dive deeper, here are a few great resources:


Stay tuned - in the next article I will walk through Topic building in the canvas editor, vs Code View - and the nuances between Power FX and YAML formatting when building agents in Copilot Studio.

Saturday, September 13, 2025

Copilot Studio and VS Code - Start using the Copilot Studio Extension

Getting started with Copilot Studio is fast and approachable. Whether you begin by using the Describe interface to chat with the Studio Agent or dive straight into Configure, you can spin up your first agent framework in just minutes. The user experience in Copilot Studio is designed to be intuitive, but sometimes you may want more visibility into the agent’s structure—or the flexibility to design faster with AI-powered assistance. That’s where Visual Studio Code, the Copilot Studio extension, and GitHub Copilot come together to supercharge your workflow. 


With Copilot Studio’s ease of use paired with the added flexibility of VS Code and GitHub Copilot, you don’t need to be a pro coder to take your agents further—these tools can help you refine, customize, and build with confidence. Let’s explore how you can get started step by step.


To begin, in Copilot Studio create a basic agent out of the box—simple and ungrounded, with no knowledge sources, topics, or defined scope yet. This clean starting point gives you the flexibility to shape the agent exactly how you need it.



Ready to see it in action? Start by adding the Copilot Studio Extension to VS Code.


You may be working in multiple tenants or environments. Quick tip: define your default identity to ensure access to the desired Copilot Studio environment.


Next, let's connect to the tenant and clone the agent locally to VS Code (this process is very similar to GitHub development).


The command palette in VS Code presents the environment selection based on the default account identity we defined earlier.

Now we can select the Agent initially started in Copilot Studio


Pick a local folder to clone the agent configuration. Additional tip: be careful when selecting a cloud storage location, as you may not want agent configuration details to be synced to OneDrive or other cloud storage.


Now from the explorer tab we can see the agent structure, settings, topics and knowledge sources ... and we have access to GitHub Copilot within VS Code's IDE.


When changes are made in the Copilot Studio interface, source control allows for synchronization of remote changes, similar to GitHub.


Now we see the remote addition of a knowledge source. I recommend adding one knowledge source as a reference, in order to give GitHub Copilot a reference format for naming and file structure.

From Studio to Code: Unlocking More with GitHub Copilot

The real magic happens when you bring the Copilot Studio extension into VS Code and pair it with GitHub Copilot’s agentic support. Together, they make enhancing your agent simple and approachable. For example, here’s a straightforward prompt that adds three new knowledge sources with ease.

(Notice I added the file reference in the prompt using the #file.name format).


The result:


What would have taken 5-10 minutes in Copilot Studio is now complete within seconds using GitHub Copilot Agent mode (in my example using Claude Sonnet 4 from Anthropic).

From here we can review the knowledge source format and select "Keep" from the chat window.

Lastly we go back to source control, to push our knowledge source additions from VS Code back to Copilot Studio.


Back in Copilot Studio


The new knowledge sources are available and ready to test in the Test Pane.



Give it a try

Adding knowledge sources is just the beginning—and as you’ve seen, it’s quick and straightforward in Copilot Studio. Once you’re comfortable, you can build on this foundation to tackle more complex scenarios like managing topics, handling multi-turn conversations, enabling agent-to-agent interactions, and triggering actions.

I hope this walkthrough was helpful—especially if you’re already familiar with working in VS Code. Now it’s your turn to explore the possibilities and see how far you can take your agents.

Friday, August 29, 2025

Copilot Enablement Options - Using Pay as You Go to share Copilot Agents

  Ever wished you could spin up your own Copilot agent without committing to a full subscription? Now you can, thanks to Copilot Pay-As-You-Go! This flexible option lets you create and share custom agents or simply enable users to tap into Copilot chat—while keeping costs predictable through Azure billing. No more over-provisioning or worrying about unused licensing; you pay only for what you use. It’s perfect for teams experimenting with AI or scaling solutions without upfront commitments.


While users with the M365 Copilot license will enjoy the most feature-rich experience, you may also want to empower your entire organization with a custom AI agent. This agent can be tailored to your needs—grounded in critical SharePoint content, trained on specific internal documents, and secured with enterprise-grade data protection.

I also want to recommend following Dewain Robinson for great content and guidance on all things Copilot and agent development in Copilot Studio.

In this post, we’ll guide you through enabling and managing Copilot with a pay-as-you-go model—ideal for organizations looking to extend AI capabilities without committing to full M365 Copilot licensing. Whether you're an IT admin, business leader, or platform owner, this guide is designed to help you get started quickly and confidently.

Here's what we'll cover:

  • Who this post is for – Understand the roles and scenarios where pay-as-you-go Copilot makes sense
  • Enabling pay-as-you-go – Step-by-step guidance for activating pay-as-you-go for Copilot Studio and Copilot users
  • Usage reporting and cost control – How to gain visibility into usage, monitor consumption, and manage costs effectively
  • Understanding message costs – A breakdown of how message-based billing works and what to expect
  • Creating and sharing a custom Copilot agent – How to build a custom AI agent grounded in your organization’s content, and share it within Copilot and Teams

By the end, you’ll have a clear path to delivering powerful AI experiences to your users—securely, flexibly, and at your own pace.

Who is this for?

  • IT admins and Power Platform admins who need clear prerequisites, steps, and knobs to manage risk and spend.
  • Makers & developers who want the fastest path to publish agents and let Azure pick up the bill only when users engage.
  • Finance & ops folks who live in Azure Cost Management and want budgets/alerts for AI usage.

Architecture at a glance

M365 Copilot Chat & SharePoint agents PAYG → Create a billing policy in Microsoft 365 admin center, scope it to users or groups, then connect it to services like Copilot Chat or SharePoint agents. Set up Microsoft 365 Copilot pay-as-you-go for IT admins | Microsoft Learn

Copilot Studio PAYG → Attach a billing plan to one or more environments in PPAC; agent message usage flows to your Azure subscription as metered consumption. Set up a pay-as-you-go plan - Power Platform | Microsoft Learn

Governance stays centralized: Integrated Apps (app/agent lifecycle) + PPAC (capacity & usage) + Azure Cost Management (billing). View usage and billing for pay-as-you-go plan - Power Platform | Microsoft Learn

Prerequisites & roles

Getting Started

Enable M365 Copilot Chat & SharePoint agents (PAYG) in M365 admin center - enabling users to create/use agents in Copilot Chat or on SharePoint sites without seat licenses.
  • Set up a billing policy scoped to all users or a security group, then connect it to Copilot Chat and/or SharePoint agents
  • Select Services and include M365 Copilot Chat and SharePoint Agents
  • Set budget limits and users - users can be scoped to an Entra security group as needed.

Enable Copilot Studio (PAYG) in PPAC (optional | required for building and sharing through Studio) - enabling building/hosting agents across channels with low‑code + integrations.
This step allows defined users/builders to create custom agents in Copilot Studio, and share with others who wish to interact with the custom agent - who may not have an M365 Copilot license.


In setting up this option, we align the Pay-as-you-go Billing plan to an existing Azure subscription and resource group. We also define the target Power Platform environment for agent development and sharing.

Important Note - Common Pitfall
If this is your first time managing environments in Power Platform Admin Center (PPAC), the only existing environment is "default". The default environment is not eligible for pay-as-you-go capacity; only Sandbox and Production environments can be used. It is recommended to create a new environment, scoped to users for pay-as-you-go capacity. If you followed the above steps and notice the Target Environments field is blank, or you are unable to select an environment during setup, this is your problem. (more detail HERE)


Building and Sharing a Custom Agent

Here is where the fun begins, now that you have your environment enabled for pay-as-you-go. Proceed to https://copilotstudio.microsoft.com/

Pitfall 2 - Be sure to select the defined environment previously configured for pay-as-you-go capacity, in the upper right hand corner of the Studio UX.


Once the environment and New Agent are selected, Copilot Studio lets you create an agent either by chatting with the "builder agent" and describing your intent, or by proceeding directly to configure.

I won't go into depth regarding all of the options and capabilities when creating a custom agent for your organization - the possibilities are endless.
Try out building with Chat by describing your agent, and compare to direct configuration options.


A quick and easy agent to start with, a SharePoint-grounded knowledge finder:

I recommend selecting Generative Orchestration, which enriches the agent's capability to navigate through the knowledge sources. Also note you can define the response model used by your agent. This can be edited later, and defined in the overall Copilot Studio Generative AI settings.

Under the Knowledge section, select a few SharePoint sites important for your users. Also note the option to include or exclude Web Search.

Enabling web search allows the agent to traverse your defined content grounding, and leverage public web search if results are not available. Disabling web search only allows the agent to reason over the defined knowledge locations.

Give it a test in the test pane:

Share your agent for others to co-develop or begin using:

Before you can share, the agent needs to be published.

Here you can define who has access to your agent, or co-authors you wish to edit with, and options to publish the agent to Teams and Copilot Agent Store (Get Agents in M365 Copilot)

When selecting "show to everyone in my org", this will trigger an approval process in the M365 Admin Center before the agent is made available in the Copilot Agent Store. Pending approvals appear here:


If you want to share your agent directly with users before publishing to the Agent Store - Copy the link and share in Teams Chat. (shown above)

Invite co-authors to help test and edit in Copilot Studio - note these users must also be in the security group defined with access to the Pay-as-you-go capacity defined in the initial setup steps.
The Copy Link on this page - shares a direct link to the agent builder in Copilot Studio. Note - the copy link in Manage Sharing will share the agent directly - the copy link in the image above shares the link to Studio.

Cost Management and Observability

Copilot Studio (PAYG)
Microsoft 365 Copilot Chat & SharePoint Agents (PAYG)
  • SharePoint agents: billed at $0.01/message; a “successful interaction” typically uses ~12 messages. M365 PAYG pricing
  • Copilot Chat agents: enable metered consumption for users without an M365 Copilot license; licensed users aren’t charged for eligible agent events. Agents in Copilot Chat · Billing scenarios
Additional resources

Thanks much to my rockstar peer Brandon Marcurella for guidance and help along the way.


Closing
Find your agent, if you published and approved, in Teams and the M365 Copilot 


Happy "agenting" in Copilot



 


Here is a set of useful links to bookmark:

  • Copilot Studio licensing — what’s included, PAYG vs packs, pricing: Learn
  • Billing rates & message scenarios — exactly what burns messages: Learn
  • Set up PAYG (PPAC) — billing plans & environment linking: Learn
  • Manage messages & capacity (PPAC) — allocation & monitoring: Learn
  • Set up PAYG for M365 Copilot (MAC) — billing policy + budgets: Learn
  • Set up or disconnect PAYG for Copilot services — end‑to‑end guide: Learn
  • Agents in Copilot Chat — enable, author, manage: Learn
  • M365 PAYG pricing for SharePoint agents — rate card: Learn
  • Manage agents (Integrated Apps) — centralized governance: Learn
  • PAYG overview (Power Platform) — how meters/policies work: Learn
  • View usage & billing — Azure Cost Management + PPAC reports: Learn
Monday, July 7, 2025

    Azure Automation for Shared Calling Enablement

    Automating Enterprise Voice Enablement for Teams Shared Calling: A Journey in Iteration

    This one’s a long read—because the work was iterative, the scope deceptively simple, and the edge cases... well, they were not shy.



    The goal? Automate Enterprise Voice (EV) enablement for users in Microsoft Teams Shared Calling scenarios. Many organizations are adopting Shared Calling to provide basic PSTN access to all users while reserving DIDs and calling plans for high-volume users. It’s cost-effective, scalable, and flexible. But there’s a catch: even with group-based licensing and policy assignment in Entra ID, Teams doesn’t automatically flip the Enterprise Voice bit. That still requires PowerShell or a manual toggle in the Teams Admin Center.

    So I built an automation to do just that.

    Why This Matters

    This model—what we affectionately call a “reverse migration” (credit to Matt Edlhuber)—lets organizations enable outbound and auto-attendant-based inbound calling for everyone. Then, based on usage or cost analysis, they can selectively assign DIDs and calling plans when porting timelines align. It’s a way to decouple enablement from carrier constraints.

    The Setup

    Picture this: you’ve just migrated hundreds of users to Shared Calling using PowerShell. High-fives all around. But now you need to ensure they’re EV-enabled. Manually? No thanks.

    Here’s the stack I used:
    • Entra ID: Security group membership drives license and policy assignment.
    • Microsoft Graph API: Subscribes to group membership changes.
    • Azure Logic App: The orchestration layer.
    • Webhook Trigger: Fires on group updates.
    • Azure Automation Account: Hosts the PowerShell runbook.
    • Runbook: Validates license and applies EV enablement.

    The Obvious Path

    Iteration 1: Sure, I could’ve scheduled a daily PowerShell job or used Power Automate to trigger the runbook. Shoutout to Laure Vanderhauert for the excellent documentation that got me started.
    But I wanted near-real-time enablement. Why wait a day when we can act in minutes?

    Challenge #1: Detecting Deltas
    The first hurdle: how do we detect only the new users added to the group? Most orgs already automate license and policy assignment, but EV enablement is often manual. I needed a way to isolate just the new additions.

    I’d previously worked with Graph API subscriptions and Azure Event Grid in Call Record Insights, so I figured I could apply a similar pattern here.

    Spoiler: Event Grid doesn’t give you the delta. It tells you a group changed, but not how. No user info in the payload = no go.

    Enter Copilot(s)

    This is where GitHub Copilot and M365 Copilot saved me hours. I’ll write more soon about using Claude Sonnet 4 in Agentic vs Ask mode in VS Code. TL;DR: Agentic mode is powerful, but Ask mode gave me the iterative control I needed to learn as I built.

    Iteration 2: Build the Runbook First

    I started with the end in mind: a runbook that accepts a user ID and group ID, validates licensing, and enables EV. I tested it locally in VS Code, then manually in the Azure Portal. It worked.

    Then life happened. I paused.

    Iteration 3: Logic App + Graph Subscription

    Back at it, I wired up the Logic App to the Graph subscription. It worked—until it didn’t.

    Challenge #2: Add ≠ Remove
    Turns out, Graph fires on any group membership change. Add or remove. My Logic App didn’t discriminate, so it happily re-enabled users who had just been removed. Oops.

    Fix: I added logic to filter for additions only. Most orgs remove licenses and policies when users leave the group, so I focused on the “add” path.

    Challenge #3: Bulk Adds
    What happens when multiple users are added at once? Is the payload an array? Do we get one notification per user? I had to build logic to handle both cases.

    Challenge #4: The Subscription That Multiplies
    When testing your Graph subscription and Logic App flow, it’s surprisingly easy to accidentally create multiple subscriptions. And when you do? Each one will happily fire off its own webhook, triggering your Logic App and runbook multiple times.


    I’ll go deeper into subscription setup in the next section, but this one deserves a spotlight.
    Here’s the key:
    • Make sure you only have one active subscription.
    • Only monitor the resource: /groups/{group-id}/members
    That last part—members—is critical. If you subscribe to just /groups/{group-id}, you’ll get notified on any group change (like metadata updates), not just membership changes. That’s a fast track to unintended runbook executions and potential chaos.
    So, before you hit “Deploy,” double-check:
    • You’re not stacking subscriptions.
    • You’re watching the right resource.
    • You’re not about to create a webhook-triggered infinite loop.

    Trust me, your future self will thank you.

    The Build: Where the Magic Happens

    Let’s talk about the build. The real magic lies in the Graph API subscription and the Azure Logic App with a webhook trigger. But first, let’s set the scene.


    Graph Subscription: Your Digital Bouncer

    Imagine you’re the bouncer at Club Entra. You don’t want to stand at the door all night checking who’s coming and going from the VIP group (say, “Teams Voice Users”). So you hire Microsoft Graph to do it for you.

    A Graph API subscription is your way of saying:

    “Hey Graph, tap me on the shoulder whenever someone joins or leaves this group.”

    Here’s what that looks like in practice:

    POST https://graph.microsoft.com/v1.0/subscriptions
    {
      "changeType": "updated",
      "notificationUrl": "https://yourlogicapp.azurewebsites.net/api/notify",
      "resource": "/groups/{group-id}/members",
      "expirationDateTime": "2025-07-07T11:00:00Z",
      "clientState": "secretSauce123"
    }

    What’s Going On Here?

    • changeType: "updated" — You care about membership changes.
    • resource: The Entra ID group you’re watching.
    • notificationUrl: Where Graph sends the “Yo, something changed!” message.
    • clientState: A secret handshake to verify the message is legit.
    Graph will first validate your notificationUrl to make sure it’s not a prank. Once that handshake is done, you’re officially subscribed.

    When someone joins or leaves the group, Graph sends a POST to your notificationUrl with a payload like this:
    {
      "value": [
        {
          "subscriptionId": "...",
          "changeType": "updated",
          "resource": "groups/{group-id}/members",
          "resourceData": {
            "id": "user-id"
          }
        }
      ]
    }
    
    It’s like getting a text that says, “Someone just walked into the VIP room,” and then checking the security cam to see who it was.

    Azure Logic App: Your Always-On Concierge

    Your Logic App is the concierge that handles these notifications:
    • Trigger: HTTP request from Graph hits your Logic App.
    • Parse: Extract the user-id from the payload.
    • Lookup: Call Graph to get full user details (/users/{user-id}).
    • Action: Trigger an Azure Automation runbook to enable Enterprise Voice.

    Flow Summary

    Here’s the full flow, start to finish:
    • Entra ID Group Membership Changes
      • A user is added to or removed from a group like “Teams Voice Users.”
    • Graph API Subscription Detects the Change
      • You’ve subscribed to /groups/{group-id}/members with changeType: "updated".
    • Graph Sends a Notification
      • A POST hits your Logic App’s HTTP trigger with metadata like resourceData.id.
    • Logic App is Triggered
      • Validates clientState (optional but smart).
      • Extracts the user-id.
      • Calls Graph to get full user details.
      • Triggers the runbook to take action (enable EV, log, alert, etc.).

    Note: Logic Apps don’t poll Entra ID. They rely on Graph’s webhook notifications. The subscription is the middleman that makes this reactive and efficient.

    Sample Code: Creating the Subscription

    Here’s a generic PowerShell snippet to create the subscription:
    # Step 0: Auth setup (placeholder values; keep the real client secret in a secure store, not in the script)
    $tenantId = "<your-tenant-id>"
    $clientId = "<your-client-id>"
    $clientSecret = "<your-client-secret>"
    $scope = "https://graph.microsoft.com/.default"
    
    # Get token
    $body = @{
        grant_type    = "client_credentials"
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = $scope
    }
    
    $tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Method POST -Body $body
    $accessToken = $tokenResponse.access_token
    
    # Step 1: Create the subscription
    $subscriptionBody = @{
        changeType          = "updated"
        notificationUrl     = "https://yourlogicapp.azurewebsites.net/api/notify"
        resource            = "/groups/{group-id}/members"
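        # Convert to UTC first: the trailing "Z" in the format string is a literal, not a time-zone conversion
        expirationDateTime  = (Get-Date).ToUniversalTime().AddHours(1).ToString("yyyy-MM-ddTHH:mm:ssZ")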
        clientState         = "secretSauce123"
    } | ConvertTo-Json -Depth 3
    
    $response = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/subscriptions" `
        -Headers @{ Authorization = "Bearer $accessToken" } `
        -Method POST `
        -Body $subscriptionBody `
        -ContentType "application/json"
    
    $response
    
    


    In the full deployment guide, I’ll include an additional runbook designed to run independently on a scheduled basis—separate from the Logic App trigger. This daily run ensures that the Graph subscription remains active and properly connected to the Logic App. It’s a critical step, as the subscription must be able to communicate with the Logic App endpoint to deliver notifications reliably.

    Permissions Matter

    To make this work, your Logic App must be exposed as an Enterprise Application so you can assign the right API permissions—namely User.Read.All and Group.ReadWrite.All. I’ll cover this in more detail in the deployment guide.

    The Logic App: Lightweight, Serverless, and Smarter Than It Looks

    If you’ve worked with Power Automate (formerly known as Flow), Azure Logic Apps will feel familiar. Think of them as the grown-up, serverless cousin—deployed under a consumption plan, stateless, and built to handle logic flows with minimal overhead.

    In our case, the Logic App is triggered by an HTTP POST from the Microsoft Graph subscription. It’s the always-on listener that springs into action when someone joins (or leaves) our Entra ID group.

    Despite being lightweight, Logic Apps are surprisingly robust. They’re great at making decisions, branching logic, and calling downstream services—like our Azure Automation runbook.

    Here’s what we needed our Logic App to handle:

    1. Respond to Graph’s Token Validation
      • When you first create a Graph subscription, Microsoft sends a validation request to your notificationUrl. Your Logic App needs to recognize this and respond with the validationToken to complete the handshake. No token, no subscription.
    2. Handle Membership Deltas (Adds and Removes)
      • Graph sends a notification whenever group membership changes. That could mean one user or several. Your Logic App needs to:
        • Iterate through the payload (which might be a single user or an array).
        • Identify each user’s ID.
        • Decide what to do next.
    3. Ignore Removals, Focus on Adds
      • We don’t need to trigger the runbook when a user is removed from the group. Most orgs handle license and policy cleanup separately, and we’re not trying to disable Enterprise Voice here—just enable it.
      • So we added logic to:
        • Filter out removes.
        • Only process adds.
    This keeps the automation focused and avoids unnecessary runbook executions.

    When spinning up your Logic App, the first decision is the hosting plan. For this use case, Consumption is the way to go. It’s serverless, stateless, and perfect for low-volume, event-driven workflows—like ours, which only fires when Graph sends a webhook.

    Once deployed, you’ll land in the Azure Portal’s Logic App Designer. If you’ve used Power Automate before, this will feel familiar: a visual drag-and-drop interface for building workflows. Prefer code? You can switch to the JSON view, which is especially handy when working with Copilot to craft precise expressions and control flow logic.

    Whether you’re clicking or coding, the goal is the same: build a lightweight, reactive app that listens for Graph events and kicks off the right automation—without overcomplicating things.

    Here’s a common pitfall: don’t assume that a True condition always means “run the automation” and False means “don’t.” It’s not that binary.

    In our Logic App, the flow is designed to evaluate multiple conditions before ultimately reaching the step that triggers the HTTP webhook to the runbook. So while the final condition must evaluate to True to proceed, earlier branches might also return True or False depending on what you're filtering for - like whether the payload includes a validationToken, or if the user action was an add vs. a remove.
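The checks listed above (validation handshake, clientState check, add-versus-remove filter) and the branching just described, sketched as a PowerShell function. This is an added example, not the author's Logic App definition: the function name and sample values are hypothetical, and it assumes members arrive in a `members@delta` array where `@removed` marks a removal, which the simplified payload on this page does not show.

```powershell
# Added example: the Logic App's branching, modelled as a PowerShell function.
# Resolve-GraphNotification, its parameters and all sample values are hypothetical.
function Resolve-GraphNotification {
    param(
        [hashtable]$Query = @{},                           # query string of the incoming POST
        [string]$Body = '',                                # raw request body
        [Parameter(Mandatory)][string]$ExpectedClientState # value set on the subscription
    )
    # 1. Subscription handshake: echo validationToken back as plain text with 200.
    if ($Query.ContainsKey('validationToken')) {
        return [pscustomobject]@{ StatusCode = 200; ContentType = 'text/plain'
                                  Body = [string]$Query['validationToken']; UserIds = @() }
    }
    # Malformed JSON is rejected instead of being passed downstream.
    try { $payload = $Body | ConvertFrom-Json -ErrorAction Stop }
    catch { return [pscustomobject]@{ StatusCode = 400; ContentType = $null; Body = ''; UserIds = @() } }

    $adds = [System.Collections.Generic.List[string]]::new()
    foreach ($n in $payload.value) {
        # 2. Ignore notifications whose clientState is missing or wrong (case-sensitive compare).
        if ($n.clientState -cne $ExpectedClientState) { continue }
        # 3. Assumption: members arrive in resourceData.'members@delta', and a removed
        #    member carries an '@removed' property. Only adds are queued for the runbook.
        foreach ($m in $n.resourceData.'members@delta') {
            if (-not $m.PSObject.Properties['@removed']) { $adds.Add([string]$m.id) }
        }
    }
    # Acknowledge with 202; UserIds is what would be handed to the runbook call.
    [pscustomobject]@{ StatusCode = 202; ContentType = $null; Body = ''; UserIds = $adds.ToArray() }
}

# Constructed sample: one genuine notification (one add, one remove) and one forged item.
$sample = '{ "value": [
  { "changeType": "updated", "clientState": "secretSauce123",
    "resource": "groups/{group-id}/members",
    "resourceData": { "members@delta": [ { "id": "user-added-1" },
                                         { "id": "user-removed-1", "@removed": "deleted" } ] } },
  { "changeType": "updated", "clientState": "forged",
    "resource": "groups/{group-id}/members",
    "resourceData": { "members@delta": [ { "id": "user-spoofed" } ] } } ] }'

(Resolve-GraphNotification -Body $sample -ExpectedClientState 'secretSauce123').UserIds
(Resolve-GraphNotification -Query @{ validationToken = 'abc123' } -ExpectedClientState 'x').Body
```

Against the constructed sample, only the added member's ID survives: the removed member and the notification with the wrong clientState are both dropped before anything reaches the runbook.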

    In the upcoming deployment guide, I’ll include the full JSON view of the Logic App so you can see exactly how the expressions are structured. It’s not exactly human-readable prose—it’s written in Azure Logic Apps’ Workflow Definition Language (WDL), which takes some getting used to. But once you understand the flow, it becomes much easier to debug and extend.


    What’s Next?

    I’ll be publishing the full deployment guide and scripts to GitHub soon—both for my client and for the many others who’ve asked for this kind of automation. Hopefully, it saves you from the same toe-stubbing I ran into.

    Final Thoughts

    This project reminded me that automation isn’t just about writing scripts—it’s about designing resilient systems that handle real-world messiness. And sometimes, that means multiple trips to the hardware store. It took a few iterations to get things optimized.

    If you’re building something similar - or want to - stay tuned for more details and code snippets. Just don’t ask me to debug your webhook at 2 a.m.


    Prologue: The Prompt That Prompted Too Much


    I saved this part for the end because, well, it’s funny in hindsight. What I didn’t mention earlier was my actual first iteration. I sat down, opened GitHub Copilot, and figured I’d just “talk it out” to get the creative juices flowing. My prompt?

    “I would like to start a project to automate Enterprise Voice enablement for Teams Phone, based on security group membership. Please help with initial architecture concepts.”


    Sounds reasonable, right?

    I had Agentic mode enabled. Ten minutes later, I had 32 files across 26 directories—including .bat files and shell scripts to spin up a local Java app on my laptop. It was like asking for a sandwich recipe and getting a blueprint for a deli franchise.

    Lesson learned: prompt engineering is real. Ask a vague question, get a very enthusiastic answer. Ask a precise question, get something you can actually use.


    Deployment guidance coming in the next post later this week. Enjoy for now.
