dev way

Reputation: 71

Creating users in Azure AD via angular using MSAL.js

From a Web Applications perspective, is it possible to have a user create an Azure AD account (by providing a email, name, phone number, etc) that the web application can forward to Azure AD?

I am trying to use MSAL.js for Angular and, following the sample, I can have a login popup which prompts me for a Microsoft email via getUser():

From the sample:

constructor(private broadcastService: BroadcastService, private authService: MsalService, private productService: ProductService) {
  // This is to avoid reload during acquireTokenSilent() because of hidden iframe
  this.isIframe = window !== window.parent && !window.opener;
  // getUser() returns the cached signed-in user, if any
  if (this.authService.getUser()) {
    this.loggedIn = true;
  } else {
    this.loggedIn = false;
  }
}

However, I feel like I am missing the part where users get added. Can users only be added by invitation from the Azure portal? Is it possible to programmatically add a user to Azure AD by supplying a name, email, phone number, etc. and having them generate a password on first sign-in?

Upvotes: 1

Views: 2411

Answers (1)

Rohit Saigal

Reputation: 9664

The msal-angular library that you mention and other similar Microsoft client authentication libraries (more info here) only help with authenticating users/applications and acquiring tokens to call protected web APIs.

You can look at Microsoft Graph API to add users to Azure AD. So msal-angular could help your application to acquire token(s) to authenticate to Microsoft Graph API, which can then provide the needed functionality.

Look at Create User Microsoft Graph API.

Permissions required:

Your application will need the relevant permissions to be able to create users in Azure AD. It is a higher privilege to be able to write to Azure AD (as compared to just read information for existing users in order to authenticate them, which is what most common applications need). Make sure your use case really calls for it and secure your application so that only appropriate users are able to access it.

As you mention Angular, if this is an SPA that runs in the client browser, you will need to work with Delegated permissions only, i.e. in the context of the signed-in user. (Application permissions can be used by confidential clients like a backend daemon application, but that may not be relevant for your case.)


Sample request:

POST https://graph.microsoft.com/v1.0/users
Content-type: application/json

{
  "accountEnabled": true,
  "displayName": "displayName-value",
  "mailNickname": "mailNickname-value",
  "userPrincipalName": "[email protected]",
  "passwordProfile" : {
    "forceChangePasswordNextSignIn": true,
    "password": "password-value"
  }
}

Quick Testing

Microsoft Graph Explorer - You can use it to quickly test out create user or any other Microsoft Graph APIs for that matter.

Further code samples

Upvotes: 3
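Putting the answer together in code: the following is an added example, not code from the question, the answer, or the msal-angular project. It shows how a token obtained through MSAL for the delegated scope User.ReadWrite.All becomes the Authorization header of the Create User request shown above, validates the fields before anything leaves the browser, and forces a password change at first sign-in so the password sent from the SPA is only a one-time initial value. The token acquisition and HTTP send are injected (in a real app they would be MsalService.acquireTokenSilent and fetch); the stand-ins at the bottom, the user fields and the returned id are constructed so the flow runs offline.

```typescript
// Added example: Create User call to Microsoft Graph from an Angular SPA using a delegated token.
// Endpoint and body shape are from the Graph "Create user" docs; the scope is assumed to be the
// minimum delegated permission for this case.
const GRAPH_CREATE_USER_URL = "https://graph.microsoft.com/v1.0/users";
const CREATE_USER_SCOPES = ["User.ReadWrite.All"];

interface NewUser {
  displayName: string;
  mailNickname: string;
  userPrincipalName: string;
  initialPassword: string; // one-time value; the user must replace it at first sign-in
}

interface GraphRequest {
  url: string;
  method: "POST";
  headers: Record<string, string>;
  body: string;
}

interface GraphResponse {
  status: number;
  json: () => Promise<{ id: string; userPrincipalName: string }>;
}

// Client-side sanity checks; Graph enforces its own rules server-side as well.
function validateNewUser(u: NewUser): string[] {
  const problems: string[] = [];
  if (!u.displayName.trim()) problems.push("displayName is empty");
  if (!/^[A-Za-z0-9._-]+$/.test(u.mailNickname)) problems.push("mailNickname has invalid characters");
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(u.userPrincipalName)) problems.push("userPrincipalName is not a UPN");
  if (u.initialPassword.length < 8) problems.push("initialPassword is too short");
  return problems;
}

// Build the POST exactly as in the sample request, with the MSAL access token as a Bearer header.
function buildCreateUserRequest(accessToken: string, u: NewUser): GraphRequest {
  const problems = validateNewUser(u);
  if (problems.length > 0) throw new Error("invalid user: " + problems.join("; "));
  const payload = {
    accountEnabled: true,
    displayName: u.displayName,
    mailNickname: u.mailNickname,
    userPrincipalName: u.userPrincipalName,
    passwordProfile: {
      forceChangePasswordNextSignIn: true, // never leave the SPA-supplied password as the long-term one
      password: u.initialPassword,
    },
  };
  return {
    url: GRAPH_CREATE_USER_URL,
    method: "POST",
    headers: { Authorization: `Bearer ${accessToken}`, "Content-Type": "application/json" },
    body: JSON.stringify(payload),
  };
}

// Full flow: acquire a delegated token for the scope, send the request, check for 201 Created.
async function createUser(
  acquireToken: (scopes: string[]) => Promise<string>,
  send: (req: GraphRequest) => Promise<GraphResponse>,
  u: NewUser,
): Promise<{ id: string; userPrincipalName: string }> {
  const token = await acquireToken(CREATE_USER_SCOPES);
  const res = await send(buildCreateUserRequest(token, u));
  if (res.status !== 201) throw new Error(`Graph returned ${res.status}`);
  const body = await res.json();
  return { id: body.id, userPrincipalName: body.userPrincipalName };
}

// Constructed stand-ins for MSAL and fetch so the example runs offline.
const CONSTRUCTED_USER: NewUser = {
  displayName: "Test User",
  mailNickname: "testuser",
  userPrincipalName: "testuser@example.onmicrosoft.com",
  initialPassword: "Constructed-Initial-1",
};

async function fakeAcquireToken(scopes: string[]): Promise<string> {
  if (!scopes.includes("User.ReadWrite.All")) throw new Error("scope not granted");
  return "constructed-access-token";
}

async function fakeSend(req: GraphRequest): Promise<GraphResponse> {
  const ok = req.headers.Authorization === "Bearer constructed-access-token" && req.url === GRAPH_CREATE_USER_URL;
  const upn = JSON.parse(req.body).userPrincipalName;
  return {
    status: ok ? 201 : 401,
    json: async () => ({ id: "00000000-0000-0000-0000-000000000001", userPrincipalName: upn }),
  };
}

function demo(): Promise<{ id: string; userPrincipalName: string }> {
  return createUser(fakeAcquireToken, fakeSend, CONSTRUCTED_USER);
}
```

In the real component you would pass `scopes => this.authService.acquireTokenSilent(scopes)` (falling back to the popup flow if that fails) and a thin wrapper around `fetch`; the user creating the account must themselves hold a role that permits user creation, since delegated permissions never exceed the signed-in user's own rights.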
