If your organization needs a place to learn, build and test Azure solutions, ephemeral sandboxes might be the answer you need.

Sandboxes are a great way to let your team test, validate and learn in a controlled and cost-effective manner. Exposing this functionality via a Teams chatbot makes it easy for users and avoids yet another unnecessary user interface, while Azure Logic Apps connect the dots so you can do it with no coding or chatbot experience.

All of this can be set up in just a couple of hours, so you can quickly enable your organization even today.

The idea

The general idea is simple

  • A chatbot based on Azure Logic Apps, to avoid maintenance and learning any frameworks
  • Available on Microsoft Teams as a user called “Azure Buddy”, to create a natural flow
  • Resource group creation and automatic deletion after 12 hours, to ensure costs are kept in check
  • The user gets Owner permissions on their resource group, so they can test as much as they need

With extra enterprise features

  • In the multi-tenant architecture (covered a bit further down), users can also be given more extensive Entra permissions to test more scenarios
  • Quotas and Azure policies prevent abuse and costly resource SKUs, but not all scenarios are supported, so be careful
  • Resource provider registration or policies prevent the use of non-authorized resource types
  • Preconfigured sandboxes via Terraform or Bicep

Single tenant architecture

Here is a high-level diagram of the proposed solution

With the following components

  • Microsoft Teams as a chat interface
  • Azure Logic App to act as a ‘chatbot’ via workflows and Teams connectors
  • Azure Subscription where we will host our sandbox resource groups

Lower level diagram

I omitted Entra objects from the first diagram to avoid confusion, but now that we have covered the components, let me add Entra to the picture so you can see how this flow looks up close

In Entra, we get

  1. A Service Principal with the Owner role on the sandbox subscription, so that the workflow can create and delete resource groups and manage permissions on them
  2. A service user (a user account with MFA and a Microsoft Teams license) (why not a Service Principal? See the FAQ section below)
  3. The requestor, an actual user who asks for an Azure sandbox via Microsoft Teams

FAQ

Here are the most common questions I get asked about this setup

Q1: Why not use an AI agent for this?

We don’t need AI everywhere. While AI could be a cool option here, I prefer a regular chatbot with checkboxes instead of a free-text chat. An AI agent would be a very good choice if you have more options, and/or if you need to ask your users for a lot of extra details, e.g. names of resource groups, regions, etc. In that case, low-code agents in Logic Apps would be my preferred option. I promise I will cover this in a future post.

In short, I wanted this to be super simple.

Q2: Why a user with a Teams license instead of Microsoft Graph with Service Principal?

I wanted to keep it simple and allow for quick implementation, but most of all, Microsoft Teams connectors do not support service principal authentication. You would need to code this yourself.

Q3: Why not use bot channels with Azure Bot Service?

This would be a top-notch solution, and I have done it in the past. But it works a bit differently, and bots are available only in the teams they were installed in. Also, the flow feels less natural compared to a user who is available globally in Teams and whom you talk to like any other user.

Q4: Why service principal instead of managed identity?

Technically, no reason. This setup works with either a service principal or a managed identity. I used a service principal because it also shows up under “App Registrations”, where I can ClickOps the permissions and take a screenshot, but a managed identity will work too.

Q5: Why single subscription instead of multiple?

Some smaller organizations do not have management landing zones. If you do, that would be a great place for this kind of Logic App automation; otherwise, I wanted to make sure that anyone can use this in their environment.

Q6: Does this support MFA?

Yes! That is the big benefit of using Logic App connectors: they support MFA and refresh tokens, so you don’t need to worry about that.

Workflow

Here is a screenshot of my Logic App, with an end-to-end description of each step

Source code: https://github.com/MarczakIO/marczakio-samples/blob/main/2026/2026-07-azure-sandbox-chatbot/logic-app.json
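The two resource-manager operations at the heart of the workflow are creating the tagged resource group and deleting it 12 hours later. The following is an added example of that contract written by me, not the author's Logic App definition linked above: plain Python functions that build the ARM resource group body (the real `location` and `tags` shape of the resource group PUT API) and decide which groups an expiry sweep should delete. The `ExpiresAt` tag, its timestamp format, the `sbx-` naming scheme and the sample requestor address are my assumptions, not something from the post.

```python
"""Added example (not the post's Logic App): the create-with-tags and
expire-after-12-hours contract of the sandbox workflow, testable offline.

Assumptions not taken from the post: the ExpiresAt tag and its format, the
sbx-<alias>-<sandbox>-<timestamp> naming scheme, and the sample addresses.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

SANDBOX_LIFETIME = timedelta(hours=12)   # the post deletes sandboxes after 12 hours
SANDBOX_LOCATION = "swedencentral"       # the post always uses Sweden Central
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"       # assumed format of the ExpiresAt tag

# ARM resource group names: 1-90 characters from letters, digits, '.', '_',
# '-', '(' and ')', and they must not end with a period.
_RG_NAME = re.compile(r"^[A-Za-z0-9._()-]{1,90}$")


def utc(year, month, day, hour=0, minute=0) -> datetime:
    """Helper so callers always pass timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def resource_group_name(requestor_upn: str, sandbox_name: str, created_at: datetime) -> str:
    """Derive a deterministic, ARM-valid resource group name from the request."""
    alias = re.sub(r"[^a-z0-9]+", "-", requestor_upn.split("@", 1)[0].lower()).strip("-")
    slug = re.sub(r"[^a-z0-9]+", "-", sandbox_name.lower()).strip("-")
    name = f"sbx-{alias}-{slug}-{created_at:%Y%m%d%H%M}"
    if not _RG_NAME.match(name) or name.endswith("."):
        raise ValueError(f"invalid resource group name: {name!r}")
    return name


def sandbox_resource_group(requestor_upn: str, sandbox_name: str,
                           project: str, created_at: datetime) -> dict:
    """Build the body for PUT /subscriptions/{id}/resourcegroups/{name}.

    The three tracking tags are the ones the post inherits down to resources;
    ExpiresAt (assumed) lets the cleanup run find only groups this bot created.
    """
    if created_at.tzinfo is None:
        raise ValueError("created_at must be timezone-aware")
    expires_at = (created_at + SANDBOX_LIFETIME).astimezone(timezone.utc)
    return {
        "name": resource_group_name(requestor_upn, sandbox_name, created_at),
        "location": SANDBOX_LOCATION,
        "tags": {
            "Project": project,
            "Creator": requestor_upn,
            "SandboxName": sandbox_name,
            "ExpiresAt": expires_at.strftime(TIME_FORMAT),
        },
    }


def portal_link(subscription_id: str, resource_group: str) -> str:
    """Deep link the bot can put behind its 'Open Resource Group' button."""
    return (f"https://portal.azure.com/#resource/subscriptions/{subscription_id}"
            f"/resourceGroups/{resource_group}/overview")


def expired_sandboxes(resource_groups: list[dict], now: datetime) -> list[str]:
    """Names of groups whose ExpiresAt tag is due. Groups without the tag are
    never touched, so a permanent group in the same subscription is safe."""
    doomed = []
    for rg in resource_groups:
        stamp = (rg.get("tags") or {}).get("ExpiresAt")
        if not stamp:
            continue
        expires_at = datetime.strptime(stamp, TIME_FORMAT).replace(tzinfo=timezone.utc)
        if expires_at <= now:
            doomed.append(rg["name"])
    return doomed


if __name__ == "__main__":
    rg = sandbox_resource_group("adam@marczak.example", "Azure Learning Sandbox",
                                "Learning", utc(2026, 7, 1, 9, 0))
    print(rg)
    print(portal_link("00000000-0000-0000-0000-000000000000", rg["name"]))
    print(expired_sandboxes([rg, {"name": "rg-permanent", "tags": {}}], utc(2026, 7, 1, 21, 30)))
```

Scoping the cleanup to groups that carry the tag is the part worth copying: a sweep that deletes every group in the subscription older than 12 hours would also remove the Logic App itself, which lives in the same subscription in this design.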

Testing the chat

Search for your service user in Teams. Mine is called “Azure Buddy”.

Say anything to the bot, like “hi”, to start the workflow, then click on the desired option.

Today I have

  • Azure Learning Sandbox
  • Fabric Sandbox Capacity (which I will cover in a future post)

But you can easily extend it with more options.

The bot will respond, create a resource group, and provide a link to it

If you click the Open Resource Group button, the following Azure Portal view opens

Adaptive cards are cool

If you like this kind of response with interactive buttons, it is a Teams feature called Adaptive Cards. It’s basically a JSON-formatted response that Teams renders as a small form.

Microsoft has an interactive adaptive card designer for you to use. It’s available HERE.

Source code: https://github.com/MarczakIO/marczakio-samples/blob/main/2026/2026-07-azure-sandbox-chatbot/adaptive-card.json

Cancelling the workflow when the bot responds to avoid false “successful” runs

I always add a ‘Terminate’ action with the ‘Cancelled’ status to mark runs triggered by the bot’s own messages, so they don’t show up as either failed or succeeded in my logs. This makes it easy to find the workflows triggered by a human.

So in your chat, when you say “Hi” and click on the sandbox option

You will see the following log entries (numbers 1 to 4 correspond to the messages marked 1 to 4 in the previous screenshot)

Multi-tenant setup

While the previous setup is step one, I typically recommend that everyone who can should set up multi-tenant sandboxes. Here, a separate Microsoft Entra tenant allows for more flexibility.

This is mostly because in many organizations your main Entra tenant is locked and heavily controlled.

For many Azure sandbox testing/learning scenarios you might need access to Entra, for example for

  • Creation of service principals
  • Assignment of graph/api/exchange/etc. permissions
  • Enterprise apps setup
  • Creation of demo users and groups
  • Account level changes in Azure Databricks
  • Setting up SSO integrations like Databricks SCIM
  • and many more…

A separate tenant allows you to grant higher permissions to users without creating a risk for your organization.

Important note: do NOT grant admin permissions on the sandbox tenant to users. It’s good for them to learn how to set things up without being highly privileged, and they could also potentially break the whole setup.

Multi-tenant architecture

Below is an architecture diagram for the multi-tenant setup

With a few changes compared to the previous one

  • A new Microsoft Entra tenant was created, called marczakio-sandbox
  • The Azure subscription was moved from the marczakio tenant to the new marczakio-sandbox tenant
  • The Logic App chatbot was moved along with the subscription
  • The Logic App has extra permissions
    • User.Invite.All, to add users from marczakio to the marczakio-sandbox tenant as external guests
  • The Logic App has extra steps to add the user as a guest before granting permissions on the sandbox RG

Lower level diagram

The lower level diagram again shows how the Entra objects in the new tenant relate to each other and to the whole setup.

Things worth noting

  • Microsoft Teams is in the main tenant (this is where users are)
  • The Teams-licensed service user is still in the main tenant (same as Microsoft Teams)

Invite user to your sandbox tenant

Inviting a user to the sandbox tenant is fairly straightforward, as it is a simple REST call with two parameters

POST https://graph.microsoft.com/v1.0/invitations
Content-type: application/json

{
  "invitedUserEmailAddress": "[email protected]",
  "inviteRedirectUrl": "<doesn't matter as it's a silent invite>"
}

In the Logic App, we do it through an HTTP action

With the following required API permission

Docs

You can use the official documentation to review how invitations work and how to further parameterize this request

API Reference: https://learn.microsoft.com/en-us/graph/api/invitation-post

Enterprise Setup

In an enterprise setup your users might have issues deploying resources on their own because of org policies. In such a case I recommend setting up an Azure DevOps or GitHub pipeline with your Bicep/Terraform templates and executing that pipeline from the Logic App.

Terraform/Bicep via pipelines

An enterprise-ready architecture with GitHub/ADO in place would look like this

Resource providers

Resource provider registration is not a security feature, but you can use it to allow-list resource types and ensure no one provisions resources outside of that list. Azure Policy can achieve the same, so the choice is yours; the upside of resource providers is that they are a simple “on/off” switch. Both are supported as connectors, so it’s fairly straightforward.

Azure Policies

The following policies are something I always use

  1. Allowed SKUs per resource type - to avoid users spinning up expensive resources

    • SKUs for VMs
    • SKUs for App Services
    • SKUs for Azure SQL Server
    • etc…
  2. Inherit tags from the resource group - to allow for granular tracking of costs

    • Project tag - to track projects/sandboxes in the same view
    • Creator tag - to track by creator
    • SandboxName tag - to track by a single sandbox
      In the Azure Logic App, the following block was added to the tags when creating the resource group
  3. Allowed locations - to ensure compliance and pick the cheapest regions

    • For me, always Sweden Central
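Azure Policy applies these three guardrails at deployment time inside Azure. When sandboxes are provisioned through a Bicep/Terraform pipeline, as the Enterprise Setup section suggests, it is useful to run the same rules over the planned resources before anything reaches the subscription, and to see which resource types the allow-list does not cover at all. The following is an added example of mine, not the author's policy assignments: a small offline evaluator that checks allowed locations and allowed SKUs per resource type, applies the "inherit tag from resource group if missing" effect, and reports resource types it has no rule for. The Azure resource type strings and SKU names are real; the allow-lists, the resource group and the sample plan are constructed for the example.

```python
"""Added example (not from the post): pre-flight check mirroring the three
Azure Policy guardrails the post recommends, run offline over a deployment plan.

Allow-lists and sample resources below are constructed; resource type strings
and SKU names are real Azure values.
"""
from __future__ import annotations

ALLOWED_LOCATIONS = frozenset({"swedencentral"})

# Allowed SKUs per resource type. Types absent from this map are reported as
# uncovered rather than silently passed, mirroring the post's warning that
# policy does not reach every resource type.
ALLOWED_SKUS = {
    "Microsoft.Compute/virtualMachines": frozenset({"Standard_B1s", "Standard_B2s", "Standard_D2s_v5"}),
    "Microsoft.Web/serverfarms": frozenset({"F1", "B1"}),
    "Microsoft.Sql/servers/databases": frozenset({"Basic", "S0"}),
}

# Tags copied down from the resource group, as the post's inheritance policies do.
INHERITED_TAGS = ("Project", "Creator", "SandboxName")

# Constructed sandbox resource group and planned resources.
SANDBOX_RG = {
    "name": "sbx-adam-learning",
    "location": "swedencentral",
    "tags": {"Project": "Learning", "Creator": "adam@marczak.example",
             "SandboxName": "Azure Learning Sandbox"},
}
SAMPLE_PLAN = [
    {"name": "vm-big", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope",
     "properties": {"hardwareProfile": {"vmSize": "Standard_D64s_v5"}}, "tags": {}},
    {"name": "plan-free", "type": "Microsoft.Web/serverfarms", "location": "swedencentral",
     "sku": {"name": "F1"}, "tags": {"Project": "Override"}},
    {"name": "sql-basic", "type": "Microsoft.Sql/servers/databases", "location": "swedencentral",
     "sku": {"name": "Basic"}},
    {"name": "dbw", "type": "Microsoft.Databricks/workspaces", "location": "swedencentral",
     "sku": {"name": "premium"}},
]


def resource_sku(resource: dict) -> str | None:
    """The SKU sits in different places per provider: virtual machines carry it
    in properties.hardwareProfile.vmSize, most other types in sku.name."""
    if resource["type"] == "Microsoft.Compute/virtualMachines":
        return resource.get("properties", {}).get("hardwareProfile", {}).get("vmSize")
    return resource.get("sku", {}).get("name")


def inherit_tags(resource_group: dict, resource: dict) -> dict:
    """Modify effect: copy tracked tags from the RG only where the resource has
    none of its own, like the built-in 'Inherit a tag from the resource group
    if missing' policy."""
    tags = dict(resource.get("tags") or {})
    for key in INHERITED_TAGS:
        if key not in tags and key in resource_group["tags"]:
            tags[key] = resource_group["tags"][key]
    return {**resource, "tags": tags}


def evaluate(resource_group: dict, resources: list[dict]) -> tuple[list[str], list[str], list[dict]]:
    """Return (deny findings, uncovered resource names, resources with inherited tags)."""
    findings, uncovered, fixed = [], [], []
    for res in resources:
        location = (res.get("location") or "").lower()
        if location not in ALLOWED_LOCATIONS:
            findings.append(f"{res['name']}: location {location!r} not allowed")
        allowed = ALLOWED_SKUS.get(res["type"])
        if allowed is None:
            uncovered.append(res["name"])
        elif resource_sku(res) not in allowed:
            findings.append(f"{res['name']}: SKU {resource_sku(res)!r} not allowed for {res['type']}")
        fixed.append(inherit_tags(resource_group, res))
    return findings, uncovered, fixed


if __name__ == "__main__":
    findings, uncovered, fixed = evaluate(SANDBOX_RG, SAMPLE_PLAN)
    for line in findings:
        print("DENY ", line)
    for name in uncovered:
        print("CHECK", name, "has no SKU allow-list; review its cost manually")
    for res in fixed:
        print("TAGS ", res["name"], res["tags"])
```

The uncovered list is the part that earns its place: it turns "policy does not work on all resources" from a warning in a blog post into a concrete set of names someone has to look at before the sandbox is approved.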

Cost Tracking

This is a screenshot from my subscription, where I have both long-term and short-term sandboxes set up

A few notes

  • Ensure you have a tag inheritance policy for each tag you want to track
  • In the Azure Logic App, add tags depending on what you want to track
  • Validate the costs every day for the first 2 weeks to find issues/abuse
  • Azure Policies do not work on all resources (Azure Databricks, for example), so be careful when relying on them

Final Takeaway

In just a couple of hours you can give your organization a quick and easy sandbox solution that enables innovation, learning and many other opportunities, all through a convenient Microsoft Teams chatbot.

Just make sure to check the costs every now and then!

Adam Marczak

I've spent most of my career working with software and cloud technologies, but at heart I'm simply someone who loves learning new things and sharing what I discover. Through this blog and my Azure 4 Everyone YouTube channel, I try to make Azure and cloud computing more approachable for developers, architects, and anyone curious about technology.
