1
votes

I am using Azure AD to create users, groups for an application that sits outside of Azure AD (hosted internally)

I want the ability to delegate the user management to an admin of that application (create users, assign groups etc)

I can see that in the Premium Azure AD subscription you can create AD users that have access to the WAAD Access Panel (myapps.microsoft.com), and they can see groups; you can assign users to groups and view/action approval requests.

There, however, doesn't look like there is any way to create users through this interface, which is odd. It seems like it should be there if the user has the "User Management" role.

Is there any other way to provide basic level user management delegation to an application admin?

The only other way I can see is for a user admin to create a whole new Azure subscription (but part of the same tenant) and go through the management portal, which is not ideal because they have access to other Azure resources (creating instances, DB etc). I only need the admin to be able to access user management of AD.

I know I can create another application and use the Graph API but this might be re-inventing the wheel if Azure AD already has something like this.

1
No, there is no such feature beyond the User/Group management in the Azure Management Portal and the User/Group management in the Office 365 Admin Portal. The Azure Graph API is the way to go for your scenario. - astaykov

1 Answer

3
votes

You can achieve your goal with your current setup by using the Azure AD Graph API.

Use the Azure AD Graph API Client library as a base and create a local area in your application where a given Administrator user for your application can manage users and groups in Azure AD via the Graph API.

There is a good sample on how to use Graph API with .NET on the GitHub sample pages for AD.
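The approach the answer describes, as an added example that is not part of the original post or of any Microsoft sample: a small Python module that calls the Azure AD Graph REST endpoints (assumed here as api-version 1.6) directly instead of the .NET client library. The application enforces the delegation boundary itself (an app-defined "UserAdmin" role, assumed) and talks to Graph with its own token, so the delegated admin never needs portal or subscription access; tenant, group id, user names and the injectable `send` transport are constructed for the example.

```python
"""Delegated user management through the Azure AD Graph API (REST, api-version 1.6).

The app, not the admin, holds the Graph token. The admin only ever reaches
this management area after the app checks its own role assignment.
"""
import json
from urllib import request

GRAPH = "https://graph.windows.net"          # Azure AD Graph base URL
API = "api-version=1.6"                       # assumed API version


class NotAuthorized(Exception):
    """Raised when a caller without the app's admin role reaches this area."""


def require_app_admin(caller_roles, admin_role="UserAdmin"):
    # Least privilege: the delegation is decided by an app-defined role
    # ("UserAdmin" is an assumed name), not by any tenant-wide Azure role.
    if admin_role not in caller_roles:
        raise NotAuthorized(f"caller lacks role {admin_role!r}")


def new_user_payload(display_name, upn, mail_nickname, temp_password):
    # Body for POST /{tenant}/users; the temporary password must be changed
    # at first sign-in so the admin never knows a long-lived credential.
    return {
        "accountEnabled": True,
        "displayName": display_name,
        "userPrincipalName": upn,
        "mailNickname": mail_nickname,
        "passwordProfile": {"password": temp_password,
                            "forceChangePasswordNextLogin": True},
    }


def graph_call(send, token, tenant, path, body):
    # send(method, url, headers, data) -> dict is injected so the logic can
    # be exercised offline; http_send below is the real transport.
    url = f"{GRAPH}/{tenant}/{path}?{API}"
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    return send("POST", url, headers, json.dumps(body).encode())


def create_user_in_group(send, token, tenant, caller_roles, user_args, group_id):
    """Create a user and link it into a group; returns the new objectId."""
    require_app_admin(caller_roles)
    created = graph_call(send, token, tenant, "users", new_user_payload(**user_args))
    link = {"url": f"{GRAPH}/{tenant}/directoryObjects/{created['objectId']}"}
    graph_call(send, token, tenant, f"groups/{group_id}/$links/members", link)
    return created["objectId"]


def http_send(method, url, headers, data):
    req = request.Request(url, data=data, headers=headers, method=method)
    with request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}
```

The app's own Graph token (client credentials) is passed in as `token`; the delegated admin only supplies the user details through the application's UI.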