Поделиться через


Inviting users to Azure Active directory

Summary: Learn how to invite users (live accounts or users from another directory) into your own Azure Active directory (henceforth called out as AAD) using REST APIs. Also, how to allow guests of the AAD to use this feature of inviting more guests (B2B collaboration) without providing administrative rights over the active directory.

Azure B2B feature is all about collaboration. Your company uses an active directory to maintain secured access and authentication to company apps and even partner facing apps. Now to extend the reach of these apps, you may need to provide access to more number of people. You may also want these newly added guests to be able to further the reach by adding others while at the same maintaining these guests are not provided with higher privileges.

This is basically a two-part problem. Let us target the first one. Adding an external user to an AAD. There are few ways in which we can achieve this:

  1. Manual & one-at-a-time: An admin of the AAD (or others in the AAD with invitation rights) can go the Azure active directory in the azure portal and manually invite the user.
  2. Manual but in bulk: Azure AD provides a bulk-addition mechanism wherein an admin of the AAD can upload a csv file (containing the details of all the users to be invited) and with one click invite all the users to the AAD.
  3. Rest API: Invitation Manager of Microsoft graph API. Any programming language that supports REST calls can be used to call the API with user details. This POST call creates a new user entity in the AAD and returns with a redemption link. The said user can open the redemption link and complete the user creation process. An invitation email is sent to the corresponding invited email Id which contains the redemption link. sendInvitationMessage= false will disable the invitation email so that you can use your own email mechanism for custom content along with the redemption link. Once completed, the invited user becomes an external user in the organization. Please refer Invitation Manager for other parameters.

Great, we now have a better way to add a user to Azure AD. Now let us target the second elephant in the room - enabling these users to add more users. The main challenge here is the privileges of these users. They may or may not be sufficient to invite another user. Instead of elevating these users with necessary rights, we can rather impersonate an another account (for ex. a service account), provide it with higher privileges and use it to achieve the desired functionality. Here we need Silent Authentication of Azure AD.

Silent Authentication using native apps in Azure AD

  1. For this, you need to register your app in AAD as a native app.
  2. Sign in to the Azure portal and choose your Azure AD tenant by clicking on your account in the top right corner of the page.
  3. Go to Azure Active directory -> App Registrations -> Add
  4. Fill in the details. Select Application type as Native. Redirect Url in case of native app can be a dummy value as.
  5. Once the app is created, navigate to that app and in the Setting blade, click on Required permissions to delegate permission to use Microsoft Graph - invitation manager.
  6. Now, there is no specific permission for this. You can use read/write to Active Directory or Access directory as signed in user.  All these require Admin consent. This will depend on your organization's policies .  The least that is needed and is quite plausible is Access directory as signed in user, where you will need an account (for ex. a service account) which the admin of the Azure AD can add to the role that can add external users.

Here we are trying to delegate this service account's permission to the application. Following steps are one-time activity which you need to perform for the same wherein the service account consents to the application you registered for the above permission. Henceforth this service account's credentials can be used to retrieve the token needed to call the Invitation manager.

We will create a console app to provide one-time consent to the application (if you change some permissions, re-consent is needed. The same console app can be used)

  1. In Visual studio, create a console app.

  2. Add the Active directory nuget package.

  3. Add the below code snippet.

    string resourceId = "https://graph.microsoft.com";
    string clientId = "{client_id_of_native_app}";
    string redirectUrl = "{dummy_redirect_uri_of_native_app}";
    string authority = "https://login.windows.net/{tenant_id}";
    AuthenticationContext authContext = new AuthenticationContext(authority);
    AuthenticationResult result = authContext.AcquireTokenAsync(resourceId, clientId, new Uri(redirectUrl), new PlatformParameters(PromptBehavior.Auto)).Result;

  4. Run the console app

  5. You will see a consent screen which has the list of all the permissions that are being delegated from the service account to the application. Click on Accept.

  6. Now you can use this service account in your application to retrieve the access token needed to call the Invitation manager. See the snippet below.

    string resourceId = "https://graph.microsoft.com";
    string clientId = "{client_id_of_native_app}";
    UserCredential userCredentials = new UserCredential("{user_id}", "{password}");
    string authority = "https://login.windows.net/{tenant_id}";
    AuthenticationContext authContext = new AuthenticationContext(authority);
    AuthenticationResult result = authenticationContext.AcquireTokenAsync(resourceId, clientId, userCredentials).Result;string token = result.AccessToken;

  7. Use user_id and password of the service account in the above code. Since consent is already provided, it will run silently (irrespective of the application user) and get the access token.

  8. Now any user of the application irrespective of the permission he/she has, he/she can add external users to the active directory, and without any manual intervention.

Summary

What we have read here is a way to add external users to an Azure AD, enabling users of the Azure AD to invite other users without actually providing them the necessary rights. Simply put, securely and easily enable Azure Active directory B2B collaboration.

Please leave a comment below if you have any questions. I will be glad to help.

Comments

  • Anonymous
    October 29, 2017
    How many users can be invited? It seems there is limit of only 5 users invitation for Azure AD.
    • Anonymous
      October 29, 2017
      Hey, could you please cite the source of this info. I myself has not seen this.