Wednesday, 21 February 2018

Azure AD B2B self-service registration - Register and Update a guest user using Graph API

Azure B2B capabilities give organizations the ability to safely provide external users (from partner organizations, contractors etc.) access to their data. This means that an external user can be added as a "Guest User" in an organization's Azure AD, and this identity can be used to provide access to SharePoint Online, Office 365 Groups etc.

An external user can be added to an Azure AD as a guest user using an E-mail address. An invitation email is sent out to the user to join the inviting tenant. This email ID can be of a user from another Azure AD, or a Microsoft Account or a personal/work ID which is not in an Azure AD.

In case the user is in another Azure AD, a password reset is not required for the user on accepting the invitation. The user's main identity remains in the origin tenant, and the user can continue to use the same set of credentials while accessing the inviting tenant. When the external user leaves their own organization and their account gets disabled, access to the inviting tenant also gets disabled automatically.

If the E-mail is a personal one, a new identity is created in the inviting tenant when the user accepts the invitation and creates a password. Here is some useful documentation to read through

Guest users can be registered through the Azure Portal or using the Graph API. Being able to send guest user invitations through the Graph API opens the possibility of creating self-service registration portals for guest users.

In this post we are going to walk through the process of

1) Sending guest user invite through Graph API

2) Updating the guest user's profile as soon as the invitation email is sent - This makes sure that the basic user information is available in the inviting tenant. This helps in keeping data available for building a People directory etc.

Self-service registration can be implemented as a simple MVC web page where the user provides basic information such as

- First Name
- Last Name
- Email address
- Company
- Contact number etc

Rules/validations can be applied on the registration form as desired to make sure that only users from intended email domains are allowed to register as guest users.

In this post, we use App credentials and Graph API (GraphServiceClient) to send email invites to the guest users. Head over to to register an app that can call Graph API.

Permissions required for this app to send email invites are: User.Invite.All, User.ReadWrite.All, Directory.ReadWrite.All

First we authenticate and get the GraphServiceClient instance to work with Microsoft Graph using app credentials

Once we have the GraphServiceClient, create an "Invitation" object and send the invite

The invitation object accepts

- Email address of the guest user
- Display name with which the guest user will be registered in the Azure AD
- Redirect URL - this is the URL where the user will be redirected when the invitation is accepted
- InvitedUserMessageInfo object where we can set a customized message to be sent in the email

The call to send user invitation returns an Invitation object in response.

Once the invite is sent, the user gets registered in the Azure AD. We can update the user properties in Azure AD to make sure that when the user accepts the invitation, the basic information is available in the Azure AD.

The invitation object returned as a response of sending an invite also carries an Azure AD User object. This object can be used to set the user profile properties and update them back in Azure AD.
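The two steps above (send the invite, then patch the returned guest user) as an added C# example using the Microsoft Graph SDK v1 (GraphServiceClient) and ADAL for app credentials; this is not the post's own code. The allowed-domain list, the class and method names, and the form field values are assumptions for the example; tenant id, client id and client secret are the ones from your own app registration and should be loaded from configuration, not hard-coded.

```csharp
using System;
using System.Linq;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public class GuestRegistration
{
    // Only these partner domains may self-register (constructed allow-list for this example).
    static readonly string[] AllowedDomains = { "partner.example", "contractor.example" };

    // Authenticate with app credentials (client credentials flow) and build the GraphServiceClient.
    public static async Task<GraphServiceClient> GetGraphClientAsync(string tenantId, string clientId, string clientSecret)
    {
        var authContext = new AuthenticationContext($"https://login.microsoftonline.com/{tenantId}");
        var credential = new ClientCredential(clientId, clientSecret);
        var token = await authContext.AcquireTokenAsync("https://graph.microsoft.com", credential);
        return new GraphServiceClient(new DelegateAuthenticationProvider(request =>
        {
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.AccessToken);
            return Task.CompletedTask;
        }));
    }

    // Send the B2B invitation, then update the guest user's profile from the registration form.
    public static async Task<Invitation> RegisterGuestAsync(GraphServiceClient graph, string email,
        string firstName, string lastName, string company, string phone, string redirectUrl)
    {
        // Enforce the registration-form domain rule server-side; never rely on client-side validation alone.
        var domain = email.Split('@').Last();
        if (!AllowedDomains.Contains(domain, StringComparer.OrdinalIgnoreCase))
            throw new ArgumentException($"Domain '{domain}' is not allowed to self-register.");
        var invitation = new Invitation
        {
            InvitedUserEmailAddress = email,
            InvitedUserDisplayName = $"{firstName} {lastName}",
            InviteRedirectUrl = redirectUrl,          // where the guest lands after accepting
            SendInvitationMessage = true,
            InvitedUserMessageInfo = new InvitedUserMessageInfo
            {
                CustomizedMessageBody = $"Hello {firstName}, you have been invited as a guest user."
            }
        };
        var result = await graph.Invitations.Request().AddAsync(invitation);
        // The response carries the guest's Azure AD user object; patch its profile right away.
        var profile = new User { GivenName = firstName, Surname = lastName, CompanyName = company, MobilePhone = phone };
        await graph.Users[result.InvitedUser.Id].Request().UpdateAsync(profile);
        return result;
    }
}
```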
