SOLVED

Unable to create Azure AD user using Graph API

Note I'm somewhat new to using the Graph API, so please forgive me (and correct me) if my terminology is wrong 👍

As I understand, https://docs.microsoft.com/en-us/graph/api/user-post-users documents that it should be possible for an Application to call the API and specifies the required permissions, headers and body to create a new Azure AD user account.

Using PowerShell, I've tried a POST to both the v1.0 and beta endpoints with an authorization token that has the appropriate permissions assigned to create a new user account, but in both cases I see the following error:

Invoke-RestMethod : The remote server returned an error: (400) Bad Request.

The parameters I passed are a variation of those from https://docs.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http#example-1-c... (with the user principal name amended to have the appropriate suffix for the tenant in question, and a different password).

When I run the following

# Call the Graph endpoint and, on an HTTP error, read the JSON error body
# that Invoke-RestMethod otherwise hides behind "(400) Bad Request".
try { Invoke-RestMethod -Headers $header -Uri $uri -Method "POST" -Body $userparams -ErrorAction Stop }
catch [System.Net.WebException] {
	# No response object means a transport-level failure, so rethrow it
	if ($null -eq $_.Exception.Response) { throw }
	$streamReader = [System.IO.StreamReader]::new($_.Exception.Response.GetResponseStream())
	$streamReader.BaseStream.Position = 0
	# The body is Graph's error object: code, message, innerError
	$streamReader.ReadToEnd() | ConvertFrom-Json
}


I see the "(400) Bad Request" error is apparently due to an invalid passwordProfile:

@{code=Request_BadRequest; message=Invalid property 'PasswordProfile'.; innerError=}

Amending the properties of the passwordProfile object according to https://docs.microsoft.com/en-us/graph/api/resources/passwordprofile?view=graph-rest-1.0 hasn't helped. If I entirely remove the passwordProfile parameter from the body of my POST I get a slight variation on the exception.response inasmuch as it says:

@{code=Request_BadRequest; message=A password must be specified to create a new user.; innerError=}

Having checked, I am also unable to create a new user account when using a Delegated (work or school account) to call the same API and specify the same headers and body, with the same resulting errors.

Note, I am able to create a new user account using https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.users/new-mguser?view=graph-power... (version https://www.powershellgallery.com/packages/Microsoft.Graph.Users/1.9.2) using exactly the same body parameters, so I have hope that the parameters are defined correctly after all.

Can anyone help me understand what I need to do to be able to create users using the Graph API, ideally with Application permissions?

1 Reply
best response confirmed by rs_oakford (Iron Contributor)
Solution

I think I may have worked out (part of) the answer to my question. The password I had created was a 20-character-long random mix of only lower case letters, upper case letters, and numbers.

When I amended the password to match the example from https://docs.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http#example-1-c... the new user was created using my Application.

I subsequently tried to create a new user with an 8-character long password containing two each of: lower case letters, upper case letters, numbers, and symbols. I then see an error:

@{code=Request_BadRequest; message=The specified password does not comply with password complexity requirements. Please provide a different password.; innerError=}

At least that's clearer than the error I had before. However, I'm still confused as to why that original 20-character random password didn't work at all, and I'm also intrigued that the 8-character password didn't work, as both of those matched the minimum requirements listed at https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#password-....

8-character password used for testing: 4k3qC$B!

20-character password used for testing: sU4NOuX3skjNQGx3Uk3n
To check I wasn't going crazy, I then tried again creating a new user account with that original 20-character password and this time the account was created - great (odd it didn't work before though)!

As I had run these tests on a new dev tenant, I checked and Get-MsolPasswordPolicy returns:

ExtensionData    : System.Runtime.Serialization.ExtensionDataObject
NotificationDays : 14
ValidityPeriod   : 2147483647


Hopefully at least this post helps someone else if they run into the same issues.
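Putting the two findings of this thread together (send passwordProfile as a nested JSON object, and check the password against the documented minimums before the call), here is an added example; it is not the poster's code or Microsoft's. It assumes the caller supplies an app-only token carrying User.ReadWrite.All, and uses the v1.0 users endpoint from the documentation linked above.

```powershell
# Added example, not the poster's code. Assumes the token passed in is an
# app-only token carrying User.ReadWrite.All (assumption).
function Test-PasswordPolicy {
    # Local pre-check against the documented Azure AD minimums: 8-256 characters
    # and at least three of lower, upper, digit, symbol. Passing it does not
    # guarantee acceptance; the service can still reject (as the 8-char test above).
    param([Parameter(Mandatory)][string]$Password)
    if ($Password.Length -lt 8 -or $Password.Length -gt 256) { return $false }
    $classes = @('[a-z]', '[A-Z]', '[0-9]', '[^a-zA-Z0-9]') |
        Where-Object { $Password -cmatch $_ }
    return @($classes).Count -ge 3
}

function New-GraphUser {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MailNickname,
        [Parameter(Mandatory)][securestring]$Password
    )
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    if (-not (Test-PasswordPolicy $plain)) { throw 'Password fails the documented minimum policy.' }
    # passwordProfile is a nested object: send the body as JSON with an explicit
    # content type, not as a hashtable (which Invoke-RestMethod form-encodes).
    $body = @{
        accountEnabled    = $true
        displayName       = $DisplayName
        mailNickname      = $MailNickname
        userPrincipalName = $UserPrincipalName
        passwordProfile   = @{
            forceChangePasswordNextSignIn = $true
            password                      = $plain
        }
    } | ConvertTo-Json -Depth 3
    try {
        Invoke-RestMethod -Method Post -Uri 'https://graph.microsoft.com/v1.0/users' `
            -Headers @{ Authorization = "Bearer $AccessToken" } `
            -ContentType 'application/json' -Body $body -ErrorAction Stop
    }
    catch [System.Net.WebException] {
        if ($null -eq $_.Exception.Response) { throw }
        # Surface Graph's error payload (code and message) instead of the bare 400.
        $reader = [System.IO.StreamReader]::new($_.Exception.Response.GetResponseStream())
        $err = $reader.ReadToEnd() | ConvertFrom-Json
        throw "Graph $($err.error.code): $($err.error.message)"
    }
}
```

On PowerShell 7 the HTTP error type is Microsoft.PowerShell.Commands.HttpResponseException rather than System.Net.WebException, so widen the catch clause accordingly there.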
