Jan 31 2022 03:00 AM - edited Jan 31 2022 03:15 AM
Note: I'm somewhat new to using the Graph API, so please forgive me (and correct me) if my terminology is wrong 👍
As I understand it, https://docs.microsoft.com/en-us/graph/api/user-post-users documents that it should be possible for an Application to call the API, and specifies the required permissions, headers and body, to create a new Azure AD user account.
Using PowerShell, I've tried a POST to both the v1.0 and beta endpoints with an authorization token that has the appropriate permissions assigned to create a new user account, but in both cases I see the following error:
Invoke-RestMethod : The remote server returned an error: (400) Bad Request.
The parameters I passed are a variation of those from https://docs.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http#example-1-c... (with the user principal name amended to have the appropriate suffix for the tenant in question, and a different password).
When I run the following (which catches the WebException and reads the JSON error body that Graph returns with the 400):
try { Invoke-RestMethod -Headers $header -Uri $uri -Method "POST" -Body $userparams -ErrorAction Stop }
catch [System.Net.WebException] {
    # No response object means the failure happened before a reply was received; rethrow as-is
    if ($null -eq $_.Exception.Response) { throw }
    # Read the response body from the failed request and decode the Graph error JSON
    $streamReader = [System.IO.StreamReader]::new($_.Exception.Response.GetResponseStream())
    $streamReader.BaseStream.Position = 0
    $streamReader.ReadToEnd() | ConvertFrom-Json
}
I see the "(400) Bad Request" error is apparently due to an invalid passwordProfile:
@{code=Request_BadRequest; message=Invalid property 'PasswordProfile'.; innerError=}
Amending the properties of the passwordProfile object according to https://docs.microsoft.com/en-us/graph/api/resources/passwordprofile?view=graph-rest-1.0 hasn't helped. If I entirely remove the passwordProfile parameter from the body of my POST, I get a slight variation on the exception.response inasmuch as it says:
@{code=Request_BadRequest; message=A password must be specified to create a new user.; innerError=}
Having checked, I am also unable to create a new user account when using a Delegated (work or school account) to call the same API and specify the same headers and body, with the same resulting errors.
Note, I am able to create a new user account using https://docs.microsoft.com/en-us/powershell/module/microsoft.graph.users/new-mguser?view=graph-power... (version https://www.powershellgallery.com/packages/Microsoft.Graph.Users/1.9.2) using exactly the same body parameters, so I have hope that the parameters are defined correctly after all.
Can anyone help me understand what I need to do to be able to create users using the Graph API, ideally with Application permissions?
Jan 31 2022 03:37 AM
Solution
I think I may have worked out (part of) the answer to my question. The password I had created was a 20-character-long random mix of only lower case letters, upper case letters, and numbers.
When I amended the password to match the example from https://docs.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http#example-1-c... the new user was created using my Application.
I subsequently tried to create a new user with an 8-character-long password containing two each of: lower case letters, upper case letters, numbers, and symbols. I then see an error:
@{code=Request_BadRequest; message=The specified password does not comply with password complexity requirements. Please provide a different password.; innerError=}
At least that's clearer than the error I had before. However, I'm still confused as to why that original 20-character random password didn't work at all, and I'm also intrigued that the 8-character password didn't work, as both of those matched the minimum requirements listed at https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#password-....
8-character password used for testing: 4k3qC$B!
20-character password used for testing: sU4NOuX3skjNQGx3Uk3n
To check I wasn't going crazy, I then tried again creating a new user account with that original 20-character password and this time the account was created - great (odd it didn't work before though)!
As I had run these tests on a new dev tenant, I checked and Get-MsolPasswordPolicy returns:
ExtensionData : System.Runtime.Serialization.ExtensionDataObject
NotificationDays : 14
ValidityPeriod : 2147483647
Hopefully at least this post helps someone else if they run into the same issues.
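The two failure modes in this thread (a bare "(400) Bad Request" that hides the Graph error body, and a passwordProfile that the service rejects) are easier to diagnose when the error body is always surfaced and the password is sanity-checked before the call. The following is an added example, not the poster's code and not Microsoft's own sample: it POSTs to the v1.0 /users endpoint, reads the Graph error on either Windows PowerShell 5.1 (WebException with a response stream) or PowerShell 7 (ErrorDetails populated), and applies the documented 8–256 character / three-of-four character-class rule locally. It assumes $AccessToken already holds a bearer token granted User.ReadWrite.All; the UPN suffix, display name and the function names are placeholders. Two details the example makes explicit: Graph JSON property names are camelCase and case-sensitive (the page's "Invalid property 'PasswordProfile'" is the shape of error you get for an unrecognised property name), and ContentType is set to application/json rather than left at Invoke-RestMethod's default.

```powershell
# Added example (not the original poster's code). Creates an Azure AD user through the
# Graph /v1.0/users endpoint and, on failure, reports the Graph error code and message
# instead of the bare "(400) Bad Request". Assumes $AccessToken carries User.ReadWrite.All.

function Test-AadPasswordComplexity {
    # Local pre-check of the documented cloud policy: 8-256 characters and at least
    # three of four classes (lower, upper, digit, symbol). The service stays authoritative:
    # it also applies checks a local regex cannot reproduce (e.g. its banned-password list),
    # so a password can pass here and still be rejected with Request_BadRequest.
    param([Parameter(Mandatory)][string] $Password)

    if ($Password.Length -lt 8 -or $Password.Length -gt 256) { return $false }
    $classes = 0
    if ($Password -cmatch '[a-z]')        { $classes++ }   # -cmatch: case-sensitive
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^a-zA-Z0-9]') { $classes++ }
    return ($classes -ge 3)
}

function Get-GraphErrorBody {
    # Pull the JSON error object out of a failed Invoke-RestMethod call.
    # PowerShell 7 fills $ErrorRecord.ErrorDetails.Message; Windows PowerShell 5.1
    # exposes a WebException whose response stream must be read manually.
    param([Parameter(Mandatory)] $ErrorRecord)

    $raw = $ErrorRecord.ErrorDetails.Message
    if (-not $raw -and $ErrorRecord.Exception.Response -and
        ($ErrorRecord.Exception.Response | Get-Member -Name GetResponseStream)) {
        $reader = [System.IO.StreamReader]::new($ErrorRecord.Exception.Response.GetResponseStream())
        $raw = $reader.ReadToEnd()
    }
    if (-not $raw) { return $null }
    try { return (ConvertFrom-Json $raw).error } catch { return @{ code = 'Unparsed'; message = $raw } }
}

function New-GraphUser {
    param(
        [Parameter(Mandatory)][string] $AccessToken,
        [Parameter(Mandatory)][string] $UserPrincipalName,
        [Parameter(Mandatory)][string] $DisplayName,
        [Parameter(Mandatory)][string] $MailNickname,
        [Parameter(Mandatory)][string] $Password,
        [string] $Uri = 'https://graph.microsoft.com/v1.0/users'
    )

    if (-not (Test-AadPasswordComplexity $Password)) {
        throw 'Password fails the local 8-256 / 3-of-4 pre-check; Graph would reject it anyway.'
    }

    # Property names are camelCase and case-sensitive: 'passwordProfile', not 'PasswordProfile'.
    $body = @{
        accountEnabled    = $true
        displayName       = $DisplayName
        mailNickname      = $MailNickname
        userPrincipalName = $UserPrincipalName
        passwordProfile   = @{
            forceChangePasswordNextSignIn = $true   # initial password is single-use
            password                      = $Password
        }
    } | ConvertTo-Json -Depth 3

    $headers = @{ Authorization = "Bearer $AccessToken" }

    try {
        # Set the content type explicitly; Invoke-RestMethod's default for a string body is not JSON.
        return Invoke-RestMethod -Method Post -Uri $Uri -Headers $headers `
            -ContentType 'application/json' -Body $body -ErrorAction Stop
    }
    catch {
        $err = Get-GraphErrorBody $_
        if ($null -eq $err) { throw }   # no body to explain the failure; keep the original exception
        # e.g. "Request_BadRequest: The specified password does not comply with password complexity requirements."
        throw "Graph user creation failed: $($err.code): $($err.message)"
    }
}

# Usage (placeholder values; the password itself should be generated per call and never logged):
# $user = New-GraphUser -AccessToken $AccessToken -UserPrincipalName 'jane.doe@contoso.example' `
#             -DisplayName 'Jane Doe' -MailNickname 'jane.doe' -Password $initialPassword
```

Both passwords quoted in this thread pass Test-AadPasswordComplexity (the 8-character one has all four classes, the 20-character one has three), which matches the poster's observation that they meet the documented minimum; the point of the pre-check is to catch obvious mistakes before a round trip, not to predict the service's verdict. Whatever the outcome, the thrown message now carries the Graph code and message, so a rejected password or a mis-cased property name is visible on the first attempt.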