AAD Invite User Apis
This page illustrates how to invite any MSA account as a guest into your tenant. The ultimate goal is to grant that user access to your Azure resources (such as Web Sites).
The steps are: invite the user as a tenant guest, then assign them an [RBAC role](https://github.com/projectKudu/ARMClient/wiki/Rbac-Policy-Apis).
- Check whether a user is already a guest in the tenant.

```
ARMClient.exe get "/{tenant}/users?api-version=1.42-previewInternal&$filter=netId eq '{puid}' or alternativeSecurityIds/any(x:x/type eq 1 and x/identityProvider eq null and x/key eq X'{puid}')"
```

Note: the PUID is the last segment of the `altsecid` claim (e.g. `1:live.com:0003BFFDD117ABCD`). To get a user's PUID, use the Chrome debugger to capture the requests/responses during that user's login, extract the `id_token` (a JWT) from one of the responses, and pretty-print it with `ARMClient.exe token {jwt}`.
- Check whether a guest invitation has been accepted or is still pending acceptance.

```
ARMClient.exe get "/{tenant}/users?api-version=1.42-previewInternal&$filter=(netId eq '{puid}' or alternativeSecurityIds/any(x:x/type eq 1 and x/identityProvider eq null and x/key eq X'{puid}')) and userState eq 'Accepted'"
```

```
ARMClient.exe get "/{tenant}/users?api-version=1.42-previewInternal&$filter=(netId eq '{puid}' or alternativeSecurityIds/any(x:x/type eq 1 and x/identityProvider eq null and x/key eq X'{puid}')) and userState eq 'PendingAcceptance'"
```
- If the user has not been invited yet, invite them as a tenant guest.

```
ARMClient.exe post /{tenant}/users?api-version=1.42-previewInternal @payload.json
```

Example payload.json:

```
{
  "creationType": "Invitation",
  "displayName": "[email protected]",
  "primarySMTPAddress": "[email protected]",
  "userType": "Guest"
}
```
This returns an object that contains:

```
{
  ...
  "inviteTicket": [
    {
      "Ticket": "{GUID}", // this is needed to accept the invitation
      "Type": "Invite"
    }
  ],
  "userState": "PendingAcceptance"
}
```
- To redeem/accept the invitation above, send the following:

```
ARMClient.exe post /{tenant}/redeemInvitation?api-version=1.42-previewInternal @payload.json
```

Example payload.json:

```
{
  "altSecIds": [{
    "identityProvider": null,
    "type": "1", // for MSA accounts
    "key": "{base64 string of user's puid encoded to bytes}"
  }],
  "acceptedAs": "[email protected]",
  "inviteTicket": {
    "Ticket": "{GUID from ticket above}",
    "Type": "Invite"
  }
}
```
This returns a user object whose `userState` is `Accepted`. The response also contains the user's `objectId`, which you need as the `principalId` when assigning the RBAC role.
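As an added example (not part of the ARMClient wiki), the Python below prepares the values the steps above need: it reads the PUID out of a captured `id_token`, derives the `altSecIds` key, and builds the `$filter` and the two payloads. The key encoding (the hex PUID as raw bytes, base64-encoded) is an assumption consistent with the `X'{puid}'` hex literal in the filter; the claims, e-mail address and ticket GUID are constructed placeholders.

```python
import base64
import json

# Constructed sample claims (not a real token); altsecid follows the page's example format.
SAMPLE_CLAIMS = {"altsecid": "1:live.com:0003BFFDD117ABCD", "email": "guest@example.com"}


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding JWT encoding strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims):
    """Build a constructed JWT with a dummy signature, only so the example runs offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


def puid_from_id_token(jwt):
    """PUID = last ':'-separated segment of the altsecid claim in the JWT payload.
    This only parses claims; it does not validate the signature, so use it on a token you captured yourself."""
    payload = json.loads(_b64url_decode(jwt.split(".")[1]))
    return payload["altsecid"].rsplit(":", 1)[-1]


def puid_key_base64(puid):
    """altSecIds key: hex PUID -> bytes -> base64 (assumption; mirrors the X'{puid}' binary literal)."""
    return base64.b64encode(bytes.fromhex(puid)).decode()


def user_filter(puid, state=None):
    """OData $filter from the page's lookups; state restricts to 'Accepted' or 'PendingAcceptance'."""
    base = (f"netId eq '{puid}' or alternativeSecurityIds/any("
            f"x:x/type eq 1 and x/identityProvider eq null and x/key eq X'{puid}')")
    return f"({base}) and userState eq '{state}'" if state else base


def invite_payload(email):
    """Body for POST /{tenant}/users (creationType Invitation, userType Guest)."""
    return {"creationType": "Invitation", "displayName": email,
            "primarySMTPAddress": email, "userType": "Guest"}


def redeem_payload(puid, email, ticket):
    """Body for POST /{tenant}/redeemInvitation, using the Ticket GUID returned by the invite."""
    return {"altSecIds": [{"identityProvider": None, "type": "1", "key": puid_key_base64(puid)}],
            "acceptedAs": email,
            "inviteTicket": {"Ticket": ticket, "Type": "Invite"}}


if __name__ == "__main__":
    puid = puid_from_id_token(make_unsigned_jwt(SAMPLE_CLAIMS))
    print(user_filter(puid, "PendingAcceptance"))
    print(json.dumps(redeem_payload(puid, "guest@example.com", "{GUID from ticket above}"), indent=2))
```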