30DaysMSGraph – Day 16 – Use Case: Create user in Azure AD

Brian T. Jackett

List of all posts in the #30DaysMSGraph series

Today’s post written by Gavin Barron

In Day 15 we registered an Azure Active Directory (Azure AD) application and created a console application using .Net Core.  The application uses a client secret and the Microsoft Authentication Library (MSAL) to establish an authentication context with the Microsoft Graph API.  Today we’ll extend that application to create a user within Azure AD.

Microsoft Graph enables developers and IT Pros to create applications and automation tools that span a wide array of Microsoft services without the need to create multiple authentication contexts or make calls to many individual services. Microsoft Graph acts as a single endpoint in front of those services, which simplifies development and reduces the complexity of code that has to interact with several of them.

In many companies the process of on-boarding a new user or employee is managed via check-lists or perhaps workflow processes that assign tasks to many users, each of whom may use manual processes to get an account set up for the new user to match the company’s needs.

Using Microsoft Graph it is now possible for an organization to create a set of tools that can automate these processes. Over the next few days we will take the .Net Core console application created in Day 15 and extend that sample console application to cover a number of common user on-boarding tasks that can be automated using Microsoft Graph.

Today we will explore the process of creating a user in Azure AD.

Create a user

Creating a new user via Microsoft Graph is relatively simple. A minimal user object (accountEnabled, displayName, mailNickname, passwordProfile and userPrincipalName) needs to be POSTed to /{version}/users, for example /v1.0/users, as described in the documentation.

Creating new users requires a permission that was not requested when setting up the App Registration in Day 15, so the Azure AD App Registration needs to be updated to include either User.ReadWrite.All or Directory.ReadWrite.All. To adhere to the principle of least privilege we will request, and grant, the User.ReadWrite.All permission: it allows creating and updating users without granting write access to the rest of the directory (groups, applications and so on). Both are application permissions, so a tenant administrator has to grant consent, and once consent is granted the client secret from Day 15 is effectively a credential that can create accounts in the tenant; protect it accordingly.

With the necessary permissions configured it is time to look at the new code required.

The console application is using the Microsoft Graph .NET SDK (the Microsoft.Graph NuGet package), which uses a fluent API to abstract the mechanics of the underlying RESTful API call, so the code looks a little different from what the Microsoft Graph API documentation describes.

First, we need to create an object that represents the user to be created. For this purpose, a helper method has been created:


        // Builds the minimal User object Microsoft Graph requires; nothing is sent
        // to Azure AD until the object is passed to the GraphServiceClient.
        private static User BuildUserToAdd(string displayName, string alias, string domain, string password)
        {
            // The initial password is a one-time credential: the user must change it
            // at first sign-in, so it should not be reused or written to logs.
            var passwordProfile = new PasswordProfile
            {
                Password = password,
                ForceChangePasswordNextSignIn = true
            };
            var user = new User
            {
                DisplayName = displayName,
                // alias@domain becomes the sign-in name; the domain must belong to the tenant.
                UserPrincipalName = $@"{alias}@{domain}",
                MailNickname = alias,
                // Enabled immediately; set to false if the account should be activated later.
                AccountEnabled = true,
                PasswordProfile = passwordProfile
            };
            return user;
        }


There are a few important things to note here:

  • The domain that is supplied must match one of the verified domains associated with the target Azure Active Directory tenant
  • The resulting userPrincipalName (and the mailNickname) must be unique within the target Azure AD tenant; the request fails if either already exists
  • The user will be enabled in Azure AD once created, and therefore able to sign in immediately, so the initial password must be delivered to the new user through a secure channel
  • The user will have to change their password upon signing in.

Depending on your use cases you may wish to adjust the defaults for the last two points.


This user object has not yet been created in Azure AD and needs to be sent to the Microsoft Graph API using the GraphServiceClient object that was created in Day 15. With the help of our BuildUserToAdd method we can encapsulate the entire process in a single method like this:

        // _graphClient is the GraphServiceClient field created in Day 15.
        public async Task CreateUser(string displayName, string alias, string domain, string password)
        {
            var userToAdd = BuildUserToAdd(displayName, alias, domain, password);
            // Issues POST /users; AddAsync returns the created User, including its object id,
            // and throws a ServiceException if Azure AD rejects the request (e.g. duplicate UPN).
            await _graphClient.Users.Request().AddAsync(userToAdd);
        }

That’s all there is to it! Of course, there are a great many options of properties that you can set depending on your use case, but the minimal code to get an active user in Azure AD via Microsoft Graph is simple and easy to follow.
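As an added example (not code from the original post or the dotnetcore-console-sample repo), the following C# reworks the two methods above the way a provisioning tool should handle them: the initial password is generated from the CSPRNG inside the method instead of being passed in as a parameter, the alias and domain are validated before a UPN is built, and the UPN is checked for an existing user before the POST. It assumes the Microsoft.Graph NuGet package’s v1 fluent API used in the post and a GraphServiceClient built as in Day 15; the class name UserProvisioning, the methods IsValidAlias, NextIndex, GenerateInitialPassword and CreateUserAsync, the alias character policy and the allowedDomains parameter are all introduced here and are not part of the original sample.

```csharp
// Added example for Day 16; not the post's or the sample repo's own code.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.Graph;

public static class UserProvisioning
{
    // Assumed policy for this example: a conservative alias character set so that
    // caller-supplied input cannot yield an unexpected UPN or mailNickname.
    private static readonly Regex AliasPattern = new Regex("^[a-z0-9][a-z0-9._-]{0,63}$");

    public static bool IsValidAlias(string alias) =>
        !string.IsNullOrEmpty(alias) && AliasPattern.IsMatch(alias);

    // Uniform index in [0, n) from the CSPRNG; bytes that would bias the modulo are
    // rejected (RandomNumberGenerator.GetInt32 is not available on .NET Core 2.x).
    private static int NextIndex(RandomNumberGenerator rng, int n)
    {
        var b = new byte[1];
        int limit = 256 - (256 % n);
        do { rng.GetBytes(b); } while (b[0] >= limit);
        return b[0] % n;
    }

    // The one-time initial password is generated here rather than accepted as a
    // parameter, so it never passes through command lines, config files or logs.
    public static string GenerateInitialPassword(int length = 16)
    {
        if (length < 8) throw new ArgumentOutOfRangeException(nameof(length));
        const string upper = "ABCDEFGHJKLMNPQRSTUVWXYZ";  // I and O left out (ambiguous glyphs)
        const string lower = "abcdefghijkmnpqrstuvwxyz";  // l and o left out
        const string digits = "23456789";                 // 0 and 1 left out
        const string symbols = "!@#$%^&*-_=+";
        string all = upper + lower + digits + symbols;

        var chars = new char[length];
        using (var rng = RandomNumberGenerator.Create())
        {
            // One character from each class satisfies Azure AD's default
            // complexity rule (three of four classes) with margin to spare.
            chars[0] = upper[NextIndex(rng, upper.Length)];
            chars[1] = lower[NextIndex(rng, lower.Length)];
            chars[2] = digits[NextIndex(rng, digits.Length)];
            chars[3] = symbols[NextIndex(rng, symbols.Length)];
            for (int i = 4; i < length; i++)
                chars[i] = all[NextIndex(rng, all.Length)];
            // Fisher-Yates shuffle so the class characters do not sit at fixed positions.
            for (int i = length - 1; i > 0; i--)
            {
                int j = NextIndex(rng, i + 1);
                (chars[i], chars[j]) = (chars[j], chars[i]);
            }
        }
        return new string(chars);
    }

    // Same minimal User object as the post's BuildUserToAdd, built only after the
    // alias passes the policy and the domain is on the caller's allow-list.
    public static User BuildUserToAdd(string displayName, string alias, string domain,
        string password, IReadOnlyCollection<string> allowedDomains)
    {
        if (!IsValidAlias(alias))
            throw new ArgumentException("alias contains characters outside the allowed set", nameof(alias));
        if (!allowedDomains.Contains(domain, StringComparer.OrdinalIgnoreCase))
            throw new ArgumentException($"{domain} is not an allowed tenant domain", nameof(domain));

        return new User
        {
            DisplayName = displayName,
            UserPrincipalName = $"{alias}@{domain}",
            MailNickname = alias,
            AccountEnabled = true,
            PasswordProfile = new PasswordProfile { Password = password, ForceChangePasswordNextSignIn = true }
        };
    }

    // Creates the user and returns its object id with the one-time password, which the
    // caller hands to a secure delivery channel (never a log line or console output).
    public static async Task<(string Id, string InitialPassword)> CreateUserAsync(
        GraphServiceClient graphClient, string displayName, string alias, string domain,
        IReadOnlyCollection<string> allowedDomains)
    {
        string password = GenerateInitialPassword();
        var userToAdd = BuildUserToAdd(displayName, alias, domain, password, allowedDomains);

        // Look up the UPN first so a duplicate gives a clear error rather than Graph's
        // generic 400. The single quote is OData's string delimiter, so it is doubled
        // even though IsValidAlias already excludes it from the alias.
        string upnLiteral = userToAdd.UserPrincipalName.Replace("'", "''");
        var existing = await graphClient.Users.Request()
            .Filter($"userPrincipalName eq '{upnLiteral}'")
            .Select("id")
            .GetAsync();
        if (existing.Any())
            throw new InvalidOperationException($"{userToAdd.UserPrincipalName} already exists");

        try
        {
            var created = await graphClient.Users.Request().AddAsync(userToAdd);
            return (created.Id, password);
        }
        catch (ServiceException ex)
        {
            // Re-throw with Graph's error code only; the request body held the password.
            throw new InvalidOperationException($"Graph rejected the user: {ex.Error?.Code}", ex);
        }
    }
}
```

The allow-list stands in for querying the tenant’s verified domains through /domains, which would need Domain.Read.All on top of User.ReadWrite.All; with that permission granted the same check can be made against the Domain objects whose IsVerified is true. The uniqueness lookup is a convenience for a clear error message, not a guarantee: two concurrent creates can still race, and Azure AD’s rejection of the second POST remains the authoritative check.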


The complete set of instructions and code are on GitHub in the dotnetcore-console-sample repo for you try it yourself.

Try It Out

Navigate to the dotnetcore-console-sample repo.  Do one (or both) of the following:

Day 16 repo link

  1. Clone the repo and configure the project in the Day 16 subfolder.
  2. Follow the instructions in Day 16 to build the project from scratch yourself.

If you run into any issues while building or configuring the project please create a new Issue on the repo.

Join us tomorrow as we assign user licenses within an Office 365 tenant using Microsoft Graph requests in Day 17.
