Hi, 
We are looking at decommissioning use of our LDAP and IDM systems and part of the user account creation flow is reliant on these and some other systems. Essentially new accounts are triggered from an HR system, which writes into LDAP>IDM and then AD>AAD. Part of the process sends the user the account details to their registered email and newly created random password for them to logon to their new account.

As part of the redesign we are looking at SSPR in AAD with password sync back to AD, which seems easy enough to setup but it is the initial account creation stage that Im trying to find a solution.
Essentially we need to be able to trigger the account creation from the HR system as we currently do and create that directly in AD which syncs to AAD. This we can achieve but we ideally would like to be able to:

- set the password to a random secure password

- enforce change at next logon

- write the alternative email address into ad/aad programmatically (graph api to write into AAD profile?)

- someone use SSPR to allow the user to set an initial password but without recieving the originally set one, preferably using a magic link they can click and be prompted to set password and enable the account.

It is this last step Im wondering if it is at all possible and if anyone has any pointers / advice as to how we might achieve this? Doesnt have to be exactly the way I outlined of course and Im open to suggestions on ways to meet that end goal, even if it involves third party additions (I am also going to look into manageengine to see what that can offer). Ive seen some info on using magiclinks for B2C but nothing for standard AD/AAD internal accounts.

Thanks

Phil