If you have already got an Office 365 subscription, and would like manage your users account using Azure AD Graph API (RESTful API) instead of Powershell CmdLets. Yes you can. While this statement is technically true, the story is far from complete. Azure Active Directory subscription comes free with Office 365 subscription. You will not be require to subscribe to Azure to manage your users and group and user’s manager.
Now to access Azure AD using Graph API, you need to following details to authenticate with Azure AD.
- Tenant Domain Name
- Client Application Service Principal ID
- Client Application Secret Key.
The main challenge here is that you need to register you client web application with Azure to get above details. So you have go to Microsoft Azure Manage Portal to register your client application. To use Microsoft Azure Management Portal, you need to subscribe for this service with Microsoft Azure Portal. But as I said you can access Azure AD without any additional subscription of any Microsoft Azure Service. You can register your client application with Azure just by using your Office 365 admin account credentials. Now your job is to configure Powershell console where you can register your application using some Powershell Cmdlets. Click on following link to download the require tools to configure Powershell Console.
After Installation above tools, click on Start Menu and Open Powershell Console and typeConnect-MsolService CmdLet
Type Office 365 admin account credentials and click on Ok. After successful Login to Office 365 cloud account execute following Powershell CmdLets to register your application with Azure AD in order to get above said details for Graph API.
- Import-Module MSOnline
- Import-Module MSOnlineExtended
- $servicePrincipalName =”GraphWebClientApp”
- $sp = New-MsolServicePrincipal -ServicePrincipalNames $servicePrincipalName -DisplayName $servicePrincipalName -AppPrincipalId “7829c758-2bef-43df-a685-717081174554″
- New-MsolServicePrincipalCredential -ObjectId $sp.ObjectId -Type Password -Value “FStnXT1QON84B5o38aEmFdlNhEnYtzJ91Gg/JH/Jxiw=”
- Add-MsolRoleMember -RoleObjectId “62e90394-69f5-4237-9190-012177145e10″ -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
Execute above CmdLets One by One in Powershell Console. In above line 1 and 2 is meant for Importing the Powershell module. In line 4 for -AppPrincipalID I have given 32 bit hard coded guid value, you can give any 32 bit Guid. In line 5 I have given hard coded a complex string as password parameter that can be used as Client Secret Key. Line 6 is for adding read-write permission to ServicePrincipal to access Azure AD.
After above execution of CmdLet, you get the required details to authenticate your Client web application to access Azure AD as follows:
Tenant Domain = eg. logicspark.onmicrosoft.com
AppPrincipalID = 7829c758-2bef-43df-a685-717081174554
Client Secret Key or Password = FStnXT1QON84B5o38aEmFdlNhEnYtzJ91Gg/JH/Jxiw=
Now download MVC sample web client application to connect to Azure AD to check your Office 365 Users and Groups.
After downloading this sample application, open Web.config file and modify details as shown below and run the application. If every thing goes well, you can explore the users and groups.
<add key="TenantDomainName" value="logicspark.onmicrosoft.com"/>
<add key="AppPrincipalId" value="7829c758-2bef-43df-a685-717081174554"/>
<add key="Password" value="FStnXT1QON84B5o38aEmFdlNhEnYtzJ91Gg/JH/Jxiw=" />
<add key="webpages:Version" value="126.96.36.199" />
<add key="webpages:Enabled" value="false" />
<add key="PreserveLoginUrl" value="true" />
<add key="ClientValidationEnabled" value="true" />