Create a new user in Azure Active Directory (B2C) with Graph API, using http post request

mellberg picture mellberg · Sep 11, 2016 · Viewed 13.3k times · Source

I have previously been adding users programmatically using Active Directory Authentication Library (ADAL), but now I need to define "signInNames" (= users email), and that doesn't seem to be possible with ADAL (please tell me if im wrong).

Now I'm trying to add a new user (local account) programmatically using HTTP POST, following the documentation on MSDN.

//Get access token (using ADAL)
var authenticationContext = new AuthenticationContext(AuthString, false);
var clientCred = new ClientCredential(ClientId, ClientSecret);
var authenticationResult = authenticationContext.AcquireTokenAsync(ResourceUrl, clientCred);
var token = authenticationResult.Result.AccessToken;


//HTTP POST CODE
const string mail = "[email protected]";
// Create a new user object.
var user = new CustomUser
{
    accountEnabled = true,
    country = "MS",
    creationType = "LocalAccount",
    displayName = mail,
    passwordPolicies = "DisablePasswordExpiration,DisableStrongPassword",
    passwordProfile = new passwordProfile { password = "jVPmEm)6Bh", forceChangePasswordNextLogin = true },
    signInNames = new signInNames { type = "emailAddress", value = mail }
};

var url = "https://graph.windows.net/" + TenantId + "/users?api-version=1.6";

var jsonObject = JsonConvert.SerializeObject(user);

using (var client = new HttpClient())
{
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);

    var response = client.PostAsync(url,
        new StringContent(JsonConvert.SerializeObject(user).ToString(),
            Encoding.UTF8, "application/json"))
            .Result;

    if (response.IsSuccessStatusCode)
    {
        dynamic content = JsonConvert.DeserializeObject(
            response.Content.ReadAsStringAsync()
            .Result);

        // Access variables from the returned JSON object
        var appHref = content.links.applications.href;
    }
}

But i have no success, getting this response:

{StatusCode: 400, ReasonPhrase: 'Bad Request', Version: 1.1, Content:....}

Any ideas what i should do? I succeeded using Powershell-script, but I need to do this in my C# app.

Answer

Fei Xue - MSFT picture Fei Xue - MSFT · Sep 16, 2016

Did you grant the app sufficient permission to operate users? The create user REST API works well for me for the B2C tenant.

Here are the steps I tested:

1.Create the app via the PowerShell below

PowerShell:

$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand.GetBytes($bytes)
$rand.Dispose()
$newClientSecret = [System.Convert]::ToBase64String($bytes)

New-MsolServicePrincipal -DisplayName "My New B2C Graph API App" -Type password -Value 

2.Grant the app to User Account Administrator role.

Add-MsolRoleMember -RoleObjectId fe930be7-5e62-47db-91af-98c3a49a38b1 -RoleMemberObjectId 7311370c-dac3-4f34-b2ce-b22c2a5a811e -RoleMemberType servicePrincipal

3.Get the token for the app with client credential flow

POST: https://login.microsoftonline.com/adb2cfei.onmicrosoft.com/oauth2/token
grant_type=client_credentials&client_id={AppPrincipalId return by PowerShell}&client_secret={client_secret}&resource=https%3A%2F%2Fgraph.windows.net

4.Create the user with REST below:

POST: https://graph.windows.net/adb2cfei.onmicrosoft.com/users?api-version=1.6
authorization: bearer {token}
content-type: application/json

{
  "accountEnabled": true,
  "creationType": "LocalAccount",
  "displayName": "Alex Wu",
  "passwordProfile": {
    "password": "Test1234",
    "forceChangePasswordNextLogin": false
  },
  "signInNames": [
    {
      "type": "userName",
      "value": "AlexW"
    },
    {
      "type": "emailAddress",
      "value": "[email protected]"
    }
  ]
}