I want to develop a RESTful API to manage users in a custom Azure AD tenant. User management includes the following (the AAD tenant will contain predefined groups):

  • Create Users
  • Delete Users
  • Assign User to Group(s)
  • Remove User from Group(s)
  • Reset User Password

I am confused about how to set up the application registration and hoping to get direction based on the following:

  1. The REST API application must be secured by Azure AD, so only designated admin users can access and use the API. Does that require the REST API application to be registered in the AAD tenant, where permissions to use the API and to let the API access user profiles (and group membership) are set?

  2. The REST API is essentially a client of the Microsoft Graph API, which I envision facilitates the above operations requested by an admin user. Does that require a separate application registration, or can the same registration be used to provide necessary permissions?

  3. Do I need the ADAL library in this situation?

For questions 1 and 2, do you want to make your application multi-tenant? E.g. with this API, it can do operations with 2 tenants. - Wayne Yang
There is no multi-tenant requirement as of now. Everything is in the context of a single organization. - Web User
So, it's clear that you should register your API in the AAD tenant. One application registration can add multiple permissions to it. - Wayne Yang

1 Answer

Does that require the REST API application to be registered in the AAD tenant, where permissions to use the API and to let the API access user profiles (and group membership) are set?

Of course, the REST API app should be registered in AAD.

Does that require a separate application registration, or can the same registration be used to provide necessary permissions?

You just need to register one app, and you can assign multiple permissions to it. You can also add different roles to the app for different access scopes to your API. Although your REST API is just like a client for the Microsoft Graph API, you can just assign the permissions to it through the application registration. So you can just call Microsoft Graph by specifying the resource in the HTTP request.

Do I need the ADAL library in this situation?

Yes, you need it. For your web API, if you use the AAD v1 endpoint, you can just use ADAL to validate the JWT token and do the necessary operations.
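The answer recommends one app registration with app roles for access control and validating the JWT at the API. As an added illustration (not code from the question, the answer, or Microsoft's libraries), the block below shows the checks such an API performs before it forwards a user-management request to Graph: pinning the algorithm, verifying the signature, checking the tenant issuer, the audience and the expiry window, and then requiring a specific app role in the `roles` claim. Real AAD tokens are RS256-signed and are verified against the keys in the tenant's OpenID discovery document (which is what ADAL or a JWT middleware does for you); to stay runnable offline, this example signs its constructed tokens with HS256 under a shared demo key. The tenant id, client id, role name and key are all placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders, not values from the original post.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
API_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
# Issuer format used by AAD v1 endpoint tokens for a given tenant.
EXPECTED_ISSUER = "https://sts.windows.net/%s/" % TENANT_ID
# App role declared in the API's own app registration; only callers holding it may manage users.
REQUIRED_ROLE = "UserAdmin"
# Demo HMAC key standing in for the tenant's RSA signing keys (real tokens are RS256).
DEMO_KEY = b"demo-signing-key-not-a-real-secret"
EXPECTED_ALG = "HS256"


def _b64url_decode(data):
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_claims(roles, now, lifetime=3600):
    """Constructed claim set shaped like a v1 access token issued to this API."""
    return {
        "iss": EXPECTED_ISSUER,
        "aud": API_CLIENT_ID,
        "sub": "constructed-admin-object-id",
        "iat": int(now),
        "nbf": int(now),
        "exp": int(now) + lifetime,
        "roles": list(roles),
    }


def mint_demo_token(claims, key=DEMO_KEY, alg=EXPECTED_ALG):
    """Test helper: produce a compact JWT. alg='none' yields an unsigned token."""
    header = {"typ": "JWT", "alg": alg}
    signing_input = "%s.%s" % (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
    )
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token, key=DEMO_KEY, now=None):
    """Return the verified claims, or raise ValueError describing the first failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the verifier, not the token, decides how signatures are checked.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg")
    expected = hmac.new(key, ("%s.%s" % (header_b64, payload_b64)).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")           # token came from another tenant or endpoint
    if claims.get("aud") != API_CLIENT_ID:
        raise ValueError("wrong audience")         # token was minted for some other resource
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nbf", 0) > now:
        raise ValueError("token not yet valid")
    return claims


def authorize_user_management(token, key=DEMO_KEY, now=None):
    """Authenticate the caller and require the user-management app role."""
    claims = validate_token(token, key, now)
    if REQUIRED_ROLE not in claims.get("roles", []):
        raise PermissionError("caller lacks required app role")
    return claims


def rejection_reason(token, key=DEMO_KEY, now=None):
    """None when the caller is authorized, else the reason the request was refused."""
    try:
        authorize_user_management(token, key, now)
    except (ValueError, PermissionError) as exc:
        return str(exc)
    return None
```

In a real deployment the `roles` claim is populated because the admin's account is assigned the app role in the API's enterprise application, and the API only then uses its own Graph permissions to create users, change group membership or reset passwords on the caller's behalf; a token with the right signature but no role, or one issued for a different audience, is refused before any Graph call is made.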