Applies to version 2019.1.4.x; Author: Michał Bednarz
When implementing a system that relies on AAD authentication, it may be necessary to manage Office 365 users directly from WEBCON BPS. BPS provides dedicated actions for the local AD only. For AAD, the standard actions available in BPS (the REST invoke method) can be used together with the Microsoft Graph REST service.
1. Preparing the application in the AAD
Register a new application in the AAD management console. This is done in the same way as registering the application used to synchronize the BPS user list (https://howto.webcon.com/bps-user-list-synchronization/).
The difference is in the API Permissions window: the new application should be granted the following privileges:
2. Creating user in AAD with REST invoke method
The methods available for managing user objects in AAD are described here: https://docs.microsoft.com/en-us/graph/api/resources/users?view=graph-rest-beta A user is created with: https://docs.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-beta&tabs=http
It is a good idea to create a User ID form field. It will store the user's ID from AAD; this ID is required for any further management of the created user.
2.1. Data source configuration for Graph connection
The data required for authentication is taken from the AAD application configuration, in the same way as for the application used to synchronize the BPS user list (https://howto.webcon.com/bps-user-list-synchronization/).
2.2. REST Invoke Method – creating AAD user
In the first tab choose the previously configured connection:
In the next tab configure the REST suffix and choose the HTTP method; when creating a new user set it to POST:
The next step is passing the user object in JSON format; the list of properties of the user object is available in the Graph documentation.
If the response data is to be transferred to the BPS instance, the Response tab must also be configured. When invoking Graph, loading the response values will fail if the JSON tab contains parameters (variables). To work around this, fill in the necessary data on the JSON tab with literal values once, during configuration. Important: loading the configuration invokes the method and therefore creates a user. In this case we are interested in the ID of the created object:
2.3. REST action configuration – creating an AAD group
For groups use this object: https://docs.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-beta and the following method: https://docs.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-beta&tabs=http
The Authentication and Request data tab configuration is analogous to creating a user.
In the JSON tab choose the form fields for the AAD group:
In the Response tab load the data in the same way as when creating a user and save the new object's ID in a dedicated form field:
2.4. REST action configuration – managing AAD groups content
As in the previous section, we use the Group object; specifically, we add a user to the group: https://docs.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-beta&tabs=http
The Authentication tab configuration is analogous to the previous actions.
In the Request data tab, the REST suffix field must point to the ID of the AAD group being modified. The HTTP method is still POST:
In the JSON tab pass the object of the user to be added to the group:
When modifying group membership, Graph returns HTTP 204 (No Content) on success. There is no need to configure the Response tab, as the response body is empty.
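The three Graph calls described in sections 2.2 to 2.4, as an added Python example that is not part of this article or of WEBCON BPS: it builds the REST suffix, HTTP method and JSON body for each action and reads the created object's ID out of the response, treating 204 as the success case with no body. The sample responses, passwords and names are constructed placeholders, and the members/$ref suffix follows the linked Graph documentation rather than the article's screenshots.

```python
import json

GRAPH_BASE = "https://graph.microsoft.com/beta"  # the article links the beta documentation


def create_user_request(display_name, mail_nickname, upn, initial_password):
    """POST /users with the properties Graph requires to create a user."""
    body = {
        "accountEnabled": True,
        "displayName": display_name,
        "mailNickname": mail_nickname,
        "userPrincipalName": upn,
        "passwordProfile": {
            "forceChangePasswordNextSignIn": True,  # the initial password is one-time only
            "password": initial_password,
        },
    }
    return {"method": "POST", "suffix": "/users", "body": body}


def create_group_request(display_name, mail_nickname):
    """POST /groups for a mail-disabled security group."""
    body = {
        "displayName": display_name,
        "mailEnabled": False,
        "mailNickname": mail_nickname,
        "securityEnabled": True,
    }
    return {"method": "POST", "suffix": "/groups", "body": body}


def add_member_request(group_id, user_id):
    """POST /groups/{id}/members/$ref; the body references the user by directory object id."""
    body = {"@odata.id": f"{GRAPH_BASE}/directoryObjects/{user_id}"}
    return {"method": "POST", "suffix": f"/groups/{group_id}/members/$ref", "body": body}


def created_object_id(status, response_body):
    """Value to store in the ID form field: the new object's id on 201 Created,
    None on 204 No Content (member added, empty body); anything else is a failure."""
    if status == 201:
        return json.loads(response_body)["id"]
    if status == 204:
        return None
    raise RuntimeError(f"Graph call failed with HTTP {status}: {response_body}")


# Constructed sample responses, not captured from a real tenant.
SAMPLE_USER_RESPONSE = '{"id": "11111111-2222-3333-4444-555555555555", "displayName": "Jane Doe"}'
SAMPLE_MEMBER_RESPONSE = ""
```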
In advanced scenarios, the IDs of AAD objects can be read from the CacheOrganizationStructure table, but only if AAD is the synchronization source of the BPS user list.
These examples present only a handful of the many possibilities offered by Microsoft Graph.