Automating Azure Active Directory: Provision Users and Apps
Some time ago I wrote about User App Provisioning in Azure, which can be achieved manually through the Azure Portal.
But if you already have an application that you use to manage your users and permissions, and you want to deploy that application to Azure, you might want to automate things a bit more.
At a high level, this is the Graph API flow:
- Find the User in AAD
- Invite the User to AAD
- Find the App to Assign in AAD
- Find existing App Assignment for the User
- Assign the App to the User
The Management App (green) is the existing application in which you already manage users and permissions; so far it has not required AAD integration.
However, once the application is deployed to Azure, AAD integration becomes essential.
This is where you would integrate this POC application.
The POC application is represented by the App Provision App (yellow), which drives the Graph API flow: it executes HTTP requests against the Graph REST APIs (blue) and parses and displays the returned JSON data.
Because this process should run automatically behind the scenes of your existing Management App (unlike this POC, which is a standalone MVC web app), an email is sent to an admin address whenever things go wrong and an error is returned instead of JSON data, so that the error can be fixed by a manual action in the Azure portal.
At the time of writing there are two different versions of the Graph API:
Microsoft recommends using the Microsoft Graph API; however, it is still very raw and unstable (beta), with many features not yet available.
So in this POC I implemented the Azure Graph API for almost all calls, and only used the Microsoft Graph API for the AAD invitation (which is not available in the Azure one).
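The five-step flow above, including the "error instead of JSON" path, as an added example that is not the post's own code. It targets Microsoft Graph v1.0 endpoints throughout (the post used Azure Graph for most calls), and the HTTP transport is injected as a hypothetical `t(method, url, json_body) -> (status, parsed_json)` callable so the flow can be exercised offline; the admin e-mail step is left to the caller, which catches `ProvisioningError`.

```python
GRAPH = "https://graph.microsoft.com/v1.0"
DEFAULT_ROLE = "00000000-0000-0000-0000-000000000000"  # Graph's "default access" app role

class ProvisioningError(Exception):
    """Graph returned an error instead of JSON data; the caller routes this to the admin mailbox."""

def odata_str(value: str) -> str:
    # Single quotes delimit OData string literals; double any embedded quote so a
    # caller-supplied e-mail address cannot alter the meaning of the $filter expression.
    return "'" + value.replace("'", "''") + "'"

def call(t, method: str, url: str, body=None) -> dict:
    # t is the injected transport (assumed here): t(method, url, json_body) -> (http_status, parsed_json).
    # In production it wraps an HTTP client carrying a bearer token; tests pass a canned fake.
    status, data = t(method, url, body)
    if status >= 400:
        msg = data.get("error", {}).get("message", "no error message")
        raise ProvisioningError(f"{method} {url} -> HTTP {status}: {msg}")
    return data

def find_user(t, email: str):
    hits = call(t, "GET", f"{GRAPH}/users?$filter=mail eq {odata_str(email)}").get("value", [])
    return hits[0]["id"] if hits else None

def invite_user(t, email: str, redirect_url: str) -> str:
    body = {"invitedUserEmailAddress": email, "inviteRedirectUrl": redirect_url,
            "sendInvitationMessage": True}
    return call(t, "POST", f"{GRAPH}/invitations", body)["invitedUser"]["id"]

def find_app(t, name: str) -> dict:
    q = f"{GRAPH}/servicePrincipals?$filter=displayName eq {odata_str(name)}"
    hits = call(t, "GET", q).get("value", [])
    if len(hits) != 1:  # refuse to guess when the name is unknown or ambiguous
        raise ProvisioningError(f"expected one service principal named {name!r}, found {len(hits)}")
    return hits[0]

def provision(t, email: str, app_name: str, redirect_url: str):
    """Find-or-invite the user, then assign the app at most once (safe to re-run)."""
    user_id = find_user(t, email) or invite_user(t, email, redirect_url)
    sp = find_app(t, app_name)
    # First enabled app role, or the default-access role when the app defines none.
    role_id = next((r["id"] for r in sp.get("appRoles", []) if r.get("isEnabled")), DEFAULT_ROLE)
    existing = call(t, "GET", f"{GRAPH}/users/{user_id}/appRoleAssignments").get("value", [])
    if any(a.get("resourceId") == sp["id"] for a in existing):
        return user_id, "already-assigned"
    call(t, "POST", f"{GRAPH}/users/{user_id}/appRoleAssignments",
         {"principalId": user_id, "resourceId": sp["id"], "appRoleId": role_id})
    return user_id, "assigned"
```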
Here are the screenshots of the App Provision App:
And that's it.
Feel free to ask questions (or code) in the comments below!