aBlaze

Reputation: 2716

How to create Global Administrator user using Azure Active Directory B2C GraphServiceClient?

I would like to create a new user in Azure Active Directory B2C using the GraphServiceClient (the Microsoft Graph API, not the Azure AD Graph API). I have tried the following by setting UserType = "Global Administrator", but this doesn't work and the newAdminUser shows up as a regular User instead of a Global Administrator. What am I doing wrong?

User newAdminUser = await graphClient.Users.Request().AddAsync(new User
{
    AccountEnabled = true,
    DisplayName = userBinding.FullName,
    MailNickname = userBinding.UserName,
    UserPrincipalName = userBinding.UserName + '@' + domain,
    PasswordProfile = new PasswordProfile
    {
        Password = new NetworkCredential(string.Empty, userBinding.Password).Password,
        ForceChangePasswordNextSignIn = true
    }
});

await graphClient.Users[newAdminUser.Id].Request().UpdateAsync(new User()
{
    UserType = "Global Administrator"
});

And here is a screenshot of newAdminUser's Azure Active Directory B2C profile, showing that the permissions granted are not Global Administrator.

Upvotes: 2

Views: 976

Answers (1)

Marc LaFleur

Reputation: 33094

All users, Admin or not, are user objects within the directory. What access a given user has depends on the Directory Role they belong to.

In order to assign someone to the "Global administrator" Role, you need to add that user to the correct Role.

  1. Find the id for the Role you want by retrieving a list of directoryRoles:

     var directoryRoles = await graphClient.DirectoryRoles
         .Request()
         .GetAsync();

  2. Add the user to the Role:

     await graphClient.DirectoryRoles["role-id"]
         .Members
         .References
         .Request()
         .AddAsync(newAdminUser);

Upvotes: 3
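
The two steps from the answer combined into one idempotent call, as an added example that is not part of the original answer. It assumes the same `Request()`-style Microsoft Graph .NET SDK used in the question; `DirectoryRoleAssignment` and `EnsureRoleMemberAsync` are hypothetical names, and the role is matched on the well-known Global Administrator `roleTemplateId` instead of a hard-coded role id.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Graph;

public static class DirectoryRoleAssignment
{
    // Well-known roleTemplateId of the built-in Global Administrator role.
    public const string GlobalAdminTemplateId = "62e90394-69f5-4237-9190-012177145e10";

    // Hypothetical helper: adds the user to the activated role with the given template id.
    // Returns true if a membership was added, false if the user already held the role.
    public static async Task<bool> EnsureRoleMemberAsync(
        GraphServiceClient graphClient, User user, string roleTemplateId)
    {
        // /directoryRoles returns only activated roles; walk every page of the result.
        DirectoryRole role = null;
        var rolesPage = await graphClient.DirectoryRoles.Request().GetAsync();
        while (rolesPage != null && role == null)
        {
            role = rolesPage.FirstOrDefault(r => string.Equals(
                r.RoleTemplateId, roleTemplateId, StringComparison.OrdinalIgnoreCase));
            rolesPage = rolesPage.NextPageRequest == null
                ? null
                : await rolesPage.NextPageRequest.GetAsync();
        }
        if (role == null)
            throw new InvalidOperationException(
                $"No activated directory role with template id {roleTemplateId}.");

        // Skip the write if the user is already a member; Graph rejects a duplicate reference.
        var membersPage = await graphClient.DirectoryRoles[role.Id].Members.Request().GetAsync();
        while (membersPage != null)
        {
            if (membersPage.Any(m => m.Id == user.Id))
                return false;
            membersPage = membersPage.NextPageRequest == null
                ? null
                : await membersPage.NextPageRequest.GetAsync();
        }

        await graphClient.DirectoryRoles[role.Id].Members.References.Request().AddAsync(user);
        return true;
    }
}
```

Called as `await DirectoryRoleAssignment.EnsureRoleMemberAsync(graphClient, newAdminUser, DirectoryRoleAssignment.GlobalAdminTemplateId);` after the user has been created; passing a narrower role's template id works the same way.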
