Create and update a user on Azure AD or Azure AD B2C

Hao WU
Published by Hao WU
Category : Azure
20/09/2021

In this blog article, we will show you how to create and update AD users in Azure.

Azure provides Identity and Access Management (IAM) services through two offerings: Azure AD and Azure AD B2C. Both are built on the same technology and are used to sign users in and give them access to resources. Azure AD B2C additionally lets users sign in with their social media accounts (Google, Facebook, etc.). The main difference is the audience: AAD targets an organization's internal users, while AAD B2C targets customers and consumers.

The following accounts are available:

  • Work account: gives access to resources in Azure;
  • Guest account: Microsoft account or AAD user;
  • Consumer account: user of applications registered with AAD B2C.

Creating a user in AAD with Azure AD Connector

We can use the Azure AD connector to create a user in AAD. This connector is used to connect a Logic App to SaaS services:

[Screenshot: the Azure AD connector]
To use it, an account must be created in AAD and assigned the Global Administrator role (the most privileged directory role, so that account's credentials must be protected accordingly). The connector is then authenticated with that account.

[Screenshot: Global Administrator role assignment]
In our example we entered the user's details directly in the Logic App; in practice they could be retrieved from any source. The flow is started by a Recurrence trigger, as follows:

[Screenshot: Logic App flow with the Azure AD action]
We entered the following information in the Azure AD action:

[Screenshot: Azure AD action parameters]
The “User Principal Name” parameter must be unique. As shown below, the user now exists in AAD, in the tenant mwhwu:

[Screenshot: user Enzo in AAD]
Creating a user in AAD B2C

The Azure AD connector cannot be used to access AAD B2C. Instead, the Microsoft Graph API (https://graph.microsoft.com) or the Azure AD Graph API (https://graph.windows.net/{tenant_id}/{resource}?{version}&query-parameters) must be called directly. Note that Azure AD Graph is deprecated; Microsoft Graph is the supported API going forward.

For testing purposes, we built the workflow as follows:

[Screenshot: AAD B2C Logic App flow]
The following steps are required:

Step 1: App Registration

Add an app registration in Azure AD B2C and create a client_secret for it. Note: the necessary API permissions must be granted (and admin consent given):

  • Delegated permissions: User.ReadWrite.All, Directory.ReadWrite.All and Directory.ActAsUser.All;
  • Application permissions: User.ReadWrite.All, Directory.ReadWrite.All.

For more information on permissions, see the Microsoft Graph permissions reference.

The Logic App can then call Microsoft Graph/Azure AD Graph through an HTTP action.

[Screenshot: app registration]

Step 2: AAD B2C Login (Get Token)

POST to https://login.microsoftonline.com/{tenant}/oauth2/token, where the tenant is mwhwu.onmicrosoft.com, with Content-Type application/x-www-form-urlencoded. The body carries the client_id and client_secret created in Step 1. The response contains an access_token that is valid for one hour.

  • Example: token request for the Microsoft Graph API

[Screenshot: HTTP action requesting a token for Microsoft Graph]

  • Example: token request for the Azure AD Graph API

[Screenshot: HTTP action requesting a token for Azure AD Graph]

Step 3: Creating an account in AAD B2C

We send the access_token obtained in Step 2 in the Authorization header (as a bearer token) to create the account in AAD B2C. As explained above, we supply the user information directly in the Logic App. All the properties that can be set when creating an account are listed in the Microsoft Graph user resource reference.

  • Example: creating an account via the Microsoft Graph API

[Screenshot: HTTP action creating an account via Microsoft Graph]

In AAD B2C, we now have this account:

[Screenshot: user Lisa in AAD B2C]

  • Example: creating a work account via the Azure AD Graph API

[Screenshot: HTTP action creating a user via Azure AD Graph]

The account appears in AAD B2C:

[Screenshot: user Paul in AAD B2C]

Updating a user in AAD B2C

We can describe the flow as follows:

[Screenshot: update flow]

We change a user's city and job title with a PATCH request to https://graph.microsoft.com/v1.0/users/{ObjectID}, sending the same bearer token in the Authorization header.

[Screenshot: HTTP action updating the user]

Here is the result in AAD:

[Screenshot: modified user]
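As an added example (not code from the original post or from Microsoft), the following Python script reproduces outside Logic Apps what Steps 2 and 3 and the update section describe: the client-credentials token request, a B2C local-account payload in the shape Microsoft Graph documents for consumer users, and a bearer-authenticated Graph call. The client id/secret and user values are constructed placeholders; only the tenant name comes from the post.

```python
import json
import time
import urllib.parse
import urllib.request

# Constructed placeholders: the tenant named in the post and dummy credentials.
TENANT = "mwhwu.onmicrosoft.com"
GRAPH = "https://graph.microsoft.com/v1.0"


def token_request(client_id, client_secret, resource="https://graph.microsoft.com"):
    """Step 2: client-credentials POST to the v1 token endpoint (form-encoded body).
    For Azure AD Graph the resource would be https://graph.windows.net instead."""
    url = f"https://login.microsoftonline.com/{TENANT}/oauth2/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "resource": resource}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urllib.parse.urlencode(form).encode()

def token_usable(token_response, now=None, skew=60):
    """The token lives about one hour; reuse a cached one only while it is
    at least `skew` seconds from the expires_on epoch time in the response."""
    now = time.time() if now is None else now
    return float(token_response["expires_on"]) - skew > now

def new_b2c_user(display_name, email, initial_password):
    """Step 3 payload: a local (email) consumer account in the B2C tenant."""
    return {
        "accountEnabled": True,
        "displayName": display_name,
        "identities": [{"signInType": "emailAddress", "issuer": TENANT,
                        "issuerAssignedId": email}],
        "passwordProfile": {"password": initial_password,
                            "forceChangePasswordNextSignIn": False},
        "passwordPolicies": "DisablePasswordExpiration",
    }

def graph_request(method, path, access_token, payload=None):
    """Send one Graph call with the bearer token; returns (HTTP status, JSON or None)."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(GRAPH + path, data=data, method=method, headers={
        "Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)

# Usage with real credentials: POST the token_request() output, then
# graph_request("POST", "/users", token, new_b2c_user(...)) and
# graph_request("PATCH", f"/users/{object_id}", token, {"city": "Paris", "jobTitle": "Developer"})
```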