Supported Workflow Triggers, Conditions, and Actions

The supported conditions for each trigger are listed in the following table.

| Trigger | Condition | Description |
|---|---|---|
| User is created / User is disabled | Department | The workflow will be triggered when the department of the target user falls into the configured scope. |
| User is created / User is disabled | Job title | The workflow will be triggered when the job title of the target user falls into the configured scope. |
| User is created / User is disabled | Password age | The workflow will be triggered when the password age of the target user falls into the configured scope. |
| User is created / User is disabled | Password never expires | The workflow will be triggered when the password of the target user is set to expire or to never expire. |
| User is created / User is disabled | Country | The workflow will be triggered when the country of the target user falls into the configured scope. |
| User is created / User is disabled | Manager | The workflow will be triggered when the manager of the target user falls into the configured scope. |
| User is created / User is disabled | Within security group | The workflow will be triggered when the target user is or is not in the configured security group. |
| User is created / User is disabled | With Microsoft 365 Group | The workflow will be triggered when the target user is or is not in the configured Microsoft 365 Group. |
| User is created / User is disabled | Within distribution group | The workflow will be triggered when the target user is or is not in the configured distribution group. |
| User is created / User is disabled | Within mail-enabled security group | The workflow will be triggered when the target user is or is not in the configured mail-enabled security group. |
| User is created / User is disabled | Status | The workflow will be triggered when the status of the target user falls into the configured scope. |
| User is created / User is disabled | Created by | The workflow will be triggered when the user template from which the target user is created falls into the configured scope. |
| User is created / User is disabled | Type | The workflow will be triggered when the user type of the target user falls into the configured scope. |
| User security is scanned | Conditional access policy disabled | The workflow will be triggered when conditional access policies are disabled for the target user. |
| User security is scanned | Device out of compliance | The workflow will be triggered when the target user’s device is not in compliance. |
| User security is scanned | Email not forwarded to domain | The workflow will be triggered when the target user’s emails are not forwarded to the configured domains. |
| User security is scanned | Guest user out of trusted domain | The workflow will be triggered when the target user is a guest user outside the configured trusted domains. |
| User security is scanned | Guest user with admin privilege | The workflow will be triggered when the target user is a guest user with admin privilege. |
| User security is scanned | Sign-ins from multiple IP addresses | The workflow will be triggered when the number of the target user’s sign-in IP addresses in one week is greater than the configured value. |
| User security is scanned | Failed sign-ins in last 7 days | The workflow will be triggered when the number of the target user’s failed sign-ins in the last 7 days is greater than the configured value. |
| User security is scanned | Sign-in out of IP address range | The workflow will be triggered when the target user’s sign-in IP addresses are outside the configured range. |
| User security is scanned | User status | The workflow will be triggered when the target user has not enabled MFA. |
| User security is scanned | Access from untrusted devices | The workflow will be triggered when the target user accesses from untrusted devices. |
| User security is scanned | File deletion activities in a day | The workflow will be triggered when the number of the target user’s file deletion activities in a day is greater than the configured value. |
| User security is scanned | File modification activities in a day | The workflow will be triggered when the number of the target user’s file modification activities in a day is greater than the configured value. |
| User security is scanned | Sign-in from regions | The workflow will be triggered when the target user’s sign-in country or region falls into the configured scope. |
| User security is scanned | Sensitive information access | The workflow will be triggered when the target user accesses sensitive information. |
| Risk is detected | Sensitive information access without MFA enabled | The workflow will be triggered when the target user accesses sensitive information without MFA enabled. |
| Risk is detected | Failed sign-ins in last 7 days | The workflow will be triggered when the number of the target user’s failed sign-ins in the last 7 days is greater than the configured value. |
| Risk is detected | Sign-in out of IP address range | The workflow will be triggered when the target user’s sign-in IP addresses are outside the configured range. |
| Risk is detected | Sign-in from regions | The workflow will be triggered when the target user’s sign-in country or region falls into the configured scope. |
| Risk is detected | Sensitive information access from unmanaged device | The workflow will be triggered when the target user accesses sensitive information from an unmanaged device. |
| Risk is detected | Sensitive information access from non-compliant device | The workflow will be triggered when the target user accesses sensitive information from a non-compliant device. |
| Risk is detected | Sensitive information access without conditional access policy enabled | The workflow will be triggered when the target user accesses sensitive information without conditional access policy enabled. |
| Risk is detected | Sensitive information access from invalid IP addresses | The workflow will be triggered when the IP address from which the target user accesses the sensitive information is outside the configured range. |
| Risk is detected | Sensitive information access from regions | The workflow will be triggered when the country or region where the target user accesses the sensitive information falls into the configured scope. |
| Risk is detected | File deletion activities in a day | The workflow will be triggered when the number of the target user’s file deletion activities in a day is greater than the configured value. |
| Risk is detected | File modification activities in a day | The workflow will be triggered when the number of the target user’s file modification activities in a day is greater than the configured value. |
| User license status is scanned | Assigned licenses | The workflow will be triggered when the licenses of the target user fall into the configured scope. |
| User license status is scanned | User inactive for x days | The workflow will be triggered when the target user has been inactive for a duration exceeding the configured number of days. |
| User license assignment is scanned | User label | The workflow will be triggered when the target user’s license assignment label falls into the configured scope. |
| Deviation is detected | Detected deviations have not been processed | The workflow will be triggered when the tenant’s detected deviations have not been processed for the configured number of days. |

The supported actions for each trigger are listed in the following table.

| Trigger | Action Category | Action |
|---|---|---|
| User is created | License | Assign license |
| User is created | User basic | Add to department |
| User is created | User basic | Enforce start date and end date |
| User is created | User basic | Set manager |
| User is created | Group | Add to distribution group |
| User is created | Group | Add to mail-enabled security group |
| User is created | Group | Add to Microsoft 365 Group |
| User is created | Group | Add to security group |
| User is created | Notification | Send notification email |
| User is disabled | User action | Disable user: Remove user from groups |
| User is disabled | User action | Disable user: Remove licenses from user |
| User is disabled | User action | Delete user |
| User is disabled | User action | Revoke cloud sessions |
| User is disabled | Notification | Send notification email |
| User security is scanned | Risk | Add to dashboard |
| User security is scanned | Risk | Disable user |
| Risk is detected | Risk | Mark as risky |
| User license status is scanned | License | Mark user license status |
| User license assignment is scanned (User license auto downgrade) | License | Downgrade license |
| User license assignment is scanned (User license auto unassignment) | License | Unassign license |
| Deviation is detected | Notification | Send notification email |