
Azure AD via Logic App and Microsoft Graph

I've been playing around a bit with Azure AD. I wanted to be able to add a user to Azure AD via a Logic App. I logged in to the Azure Portal with my MSDN account. In the top right corner you can see which directory you're connected to, which in my case was phvbaars.onmicrosoft.com.

I created a logic app, added a Request trigger and then the Azure AD connector. I had to pick an action, so I chose Create User. Next I was asked to sign in. I tried to sign in with my MSDN account phv.baars@planet.nl, but then I received an error stating that I didn't have the right permissions.

Looking at my Azure Active Directory tenant, I saw the MSDN account was Global Administrator, but this security role was grayed out:

Next I decided to create a new user arjan@phvbaars.onmicrosoft.com and also made this user Global Administrator. This time I could add the Azure AD connector and sign in with account arjan. (For an account that only exists to let an automation create users, the User Administrator role is enough and is the least-privilege choice; the connection stores a delegated token for whichever account signs in, so a Global Administrator connection is a high-value target.) The only thing you have to do next is fill out the input parameters of the Azure AD connector. The only parameter that has to be unique is the User Principal Name or UPN. UPNs have a fixed format: basically an email address on one of the tenant's verified domains, e.g. dennis@phvbaars.onmicrosoft.com.

Another interesting piece of technology is Microsoft Graph. With Microsoft Graph you can, for instance, access a user's calendar (with the right permissions) and other Office 365 services, but you can also access Azure Active Directory. Microsoft Graph replaces Azure Active Directory Graph. For more information see Microsoft Graph. The official definition: "Microsoft Graph is search-based technology underlying Office 365 applications, with an API that developers can tap."

A very interesting feature of Graph is the Graph Explorer, which can be accessed at Graph Explorer. First I had to sign in with account arjan@phvbaars.onmicrosoft.com. Then you can perform all kinds of queries, for example:
https://graph.microsoft.com/v1.0/users/dennis@phvbaars.onmicrosoft.com/?$select=displayName,skills

You can also create a user via Graph. Note that you need the right permissions to do so: the signed-in account needs a role that may create users, and the app (Graph Explorer here) needs the User.ReadWrite.All or Directory.ReadWrite.All delegated permission consented.

Below is the sample request for creating a user. Treat it as a template only: it ships with a hardcoded password, forceChangePasswordNextSignIn set to false and password expiration disabled, which is the opposite of what you want for a real account. Generate a one-time password per user, force a change at next sign-in and leave passwordPolicies alone.
POST https://graph.microsoft.com/v1.0/users (CreateUser)

{
"accountEnabled": true,
"city": "Seattle",
"country": "United States",
"department": "Sales & Marketing",
"displayName": "Melissa Darrow",
"givenName": "Melissa",
"jobTitle": "Marketing Director",
"mailNickname": "MelissaD",
"passwordPolicies": "DisablePasswordExpiration",
"passwordProfile": {
"password": "Test1234",
"forceChangePasswordNextSignIn": false
},
"officeLocation": "131/1105",
"postalCode": "98052",
"preferredLanguage": "en-US",
"state": "WA",
"streetAddress": "9256 Towne Center Dr., Suite 400",
"surname": "Darrow",
"mobilePhone": "+1 206 555 0110",
"usageLocation": "US",
"userPrincipalName": "MelissaD@motion10.com"
}
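The following is an added example, not code from the original post: it builds the same Graph create-user request in a hardened form. The UPN is checked against the tenant's verified domains (the set of domains is an assumption for the example; Graph itself enforces uniqueness), the initial password is generated with the secrets module instead of being typed into the body, and the password profile forces a change at next sign-in. The function names and the surrounding request helper are this example's own.

```python
"""Build a hardened Microsoft Graph 'create user' request (added example)."""
import json
import re
import secrets
import string

GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users"

# Verified domains of the tenant from the post; assumed for this example.
VERIFIED_DOMAINS = {"phvbaars.onmicrosoft.com"}

_UPN_RE = re.compile(r"^[A-Za-z0-9._%+\-']+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def validate_upn(upn, verified_domains=VERIFIED_DOMAINS):
    """Return upn if it is well-formed and its domain is verified in the tenant.

    Graph rejects a UPN on an unverified domain and requires the UPN to be
    unique; format and domain are checked here, uniqueness is left to Graph.
    """
    m = _UPN_RE.match(upn)
    if not m:
        raise ValueError(f"malformed UPN: {upn!r}")
    domain = m.group(1).lower()
    if domain not in {d.lower() for d in verified_domains}:
        raise ValueError(f"{domain!r} is not a verified domain of this tenant")
    return upn


def generate_initial_password(length=20):
    """Random one-time password containing upper, lower, digit and symbol."""
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, "!@#$%^&*-_=+")
    # one guaranteed character from each class, then fill up and shuffle
    chars = [secrets.choice(c) for c in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def build_create_user_body(display_name, mail_nickname, upn,
                           given_name=None, surname=None, usage_location="US"):
    """Return (body, password). The password is returned separately so the
    caller can hand it to the user out of band; it never lands in a log."""
    password = generate_initial_password()
    body = {
        "accountEnabled": True,
        "displayName": display_name,
        "mailNickname": mail_nickname,
        "userPrincipalName": validate_upn(upn),
        "usageLocation": usage_location,
        # no "passwordPolicies": "DisablePasswordExpiration" here
        "passwordProfile": {
            "password": password,
            "forceChangePasswordNextSignIn": True,
        },
    }
    if given_name:
        body["givenName"] = given_name
    if surname:
        body["surname"] = surname
    return body, password


def build_create_user_request(access_token, body):
    """Assemble the POST as a plain dict for whatever HTTP client is used."""
    return {
        "method": "POST",
        "url": GRAPH_USERS_URL,
        "headers": {
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
        "body": json.dumps(body),
    }


if __name__ == "__main__":
    body, pw = build_create_user_body("Dennis", "dennis",
                                      "dennis@phvbaars.onmicrosoft.com",
                                      given_name="Dennis")
    req = build_create_user_request("<token from MSAL or Graph Explorer>", body)
    print(req["method"], req["url"])
    print(req["body"])
```

The access token is still obtained by signing in (Graph Explorer, MSAL, or a Logic App connection); this block only shapes the request, so it runs offline.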

A last alternative for accessing Azure Active Directory from a Logic App is a managed identity. When you enable a system-assigned managed identity under the logic app's Identity menu, Azure creates a service principal for the logic app in the same tenant as the logic app (your Azure AD tenant, not an Azure AD B2C tenant, for instance). There is no client_secret to store: the HTTP action authenticates as that identity. Add an HTTP action that calls Graph, open its advanced options and, under Authentication, choose Managed identity with audience https://graph.microsoft.com. Before the call succeeds an administrator must grant the service principal the Graph application permission the call needs (User.ReadWrite.All for creating users). If you instead use an app registration with a client_id and client_secret, choose Active Directory OAuth in the same advanced options and enter those credentials; the managed identity is preferable because there is no secret to store in the workflow, export with it, or rotate.
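As an added example (not from the original post), here is an audit over a Logic App workflow definition that reports how each HTTP action talks to Graph: a managed-identity action passes, a literal client secret or a pasted bearer token is flagged, and a missing or wrong audience is reported. The action and authentication property names (type Http, authentication.type ManagedServiceIdentity / ActiveDirectoryOAuth, audience, clientId, secret) follow the Logic Apps workflow definition language; the sample definition is constructed for the example, and the helper that emits a managed-identity action is this example's own.

```python
"""Audit HTTP actions in a Logic App workflow definition (added example)."""

GRAPH_AUDIENCE = "https://graph.microsoft.com"


def managed_identity_http_action(method, uri, body=None):
    """HTTP action that authenticates with the logic app's system-assigned
    managed identity: nothing secret appears in the definition."""
    inputs = {
        "method": method,
        "uri": uri,
        "headers": {"Content-Type": "application/json"},
        "authentication": {
            "type": "ManagedServiceIdentity",
            "audience": GRAPH_AUDIENCE,
        },
    }
    if body is not None:
        inputs["body"] = body
    return {"type": "Http", "inputs": inputs, "runAfter": {}}


def audit_http_actions(definition):
    """Return a list of (action_name, severity, message) findings."""
    findings = []
    for name, action in definition.get("actions", {}).items():
        if action.get("type") != "Http":
            continue
        inputs = action.get("inputs", {})
        if not str(inputs.get("uri", "")).startswith(GRAPH_AUDIENCE + "/"):
            continue  # only Graph calls are in scope here
        headers = {k.lower(): str(v) for k, v in inputs.get("headers", {}).items()}
        # a token typed into the headers is a long-lived secret in plain text
        if "authorization" in headers and not headers["authorization"].startswith("@"):
            findings.append((name, "high", "static Authorization header in definition"))
        auth = inputs.get("authentication")
        if auth is None:
            findings.append((name, "high", "Graph call has no authentication block"))
            continue
        kind = auth.get("type")
        if kind == "ManagedServiceIdentity":
            if auth.get("audience") != GRAPH_AUDIENCE:
                findings.append((name, "medium",
                                 f"audience {auth.get('audience')!r} should be {GRAPH_AUDIENCE}"))
        elif kind == "ActiveDirectoryOAuth":
            secret = str(auth.get("secret", ""))
            # a value not starting with '@' is a literal, not a parameter/expression
            if secret and not secret.startswith("@"):
                findings.append((name, "high", "client secret stored as a literal"))
            if auth.get("audience") != GRAPH_AUDIENCE:
                findings.append((name, "medium",
                                 f"audience {auth.get('audience')!r} should be {GRAPH_AUDIENCE}"))
            findings.append((name, "low",
                             "app registration secret in use; prefer ManagedServiceIdentity"))
        else:
            findings.append((name, "medium", f"unexpected authentication type {kind!r}"))
    return findings


# Constructed sample definition: one good action and two bad ones.
SAMPLE_DEFINITION = {
    "actions": {
        "Create_user_with_identity": managed_identity_http_action(
            "POST", GRAPH_AUDIENCE + "/v1.0/users", {"displayName": "Dennis"}),
        "Create_user_with_secret": {
            "type": "Http",
            "inputs": {
                "method": "POST",
                "uri": GRAPH_AUDIENCE + "/v1.0/users",
                "authentication": {
                    "type": "ActiveDirectoryOAuth",
                    "tenant": "phvbaars.onmicrosoft.com",
                    "audience": GRAPH_AUDIENCE,
                    "clientId": "00000000-0000-0000-0000-000000000000",  # placeholder
                    "secret": "hunter2",  # literal secret, deliberately wrong
                },
            },
            "runAfter": {},
        },
        "List_users_pasted_token": {
            "type": "Http",
            "inputs": {
                "method": "GET",
                "uri": GRAPH_AUDIENCE + "/v1.0/users",
                "headers": {"Authorization": "Bearer eyJ0eXAi-constructed"},
            },
            "runAfter": {},
        },
    }
}


if __name__ == "__main__":
    for action, severity, msg in audit_http_actions(SAMPLE_DEFINITION):
        print(f"{severity:6} {action}: {msg}")
```

Run it against the "definition" object of an exported workflow (the JSON under Logic app code view) to catch a secret before it ends up in source control or ARM deployment history.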

A final word. You can also manage the directory through the Azure AD Admin Center (AAD Admin Center). For assigning roles in the portal, see the Azure docs page active-directory-users-assign-role-azure-portal.