Introduction
Microsoft Graph is a RESTful API that lets you programmatically interact with Microsoft 365 services and data, including Azure AD, Office 365, Intune, SharePoint, Teams, OneNote, and other Microsoft Cloud products. This article demonstrates how to use Microsoft Graph to invite users to your Azure AD instance via HelloID's PowerShell target connector. This is useful when you need complex functionality beyond what is provided by the native Azure AD target connector, and/or you want to create new users by invitation rather than by creating guest accounts.
Configure Azure AD
Register your application
The first step is to register a new Azure AD Application. The application is used to connect to the Graph API and manage permissions.
- In your Azure portal, go to Azure Active Directory > App registrations > New registration.
- Give the application a Name. For this example, we'll use HelloID PowerShell as the application name.
- For Supported account types, select Accounts in this organizational directory only.
- For the Redirect URI, you can enter any URL. For this example, we'll use http://localhost because it doesn't have to resolve.
- Select the Register button to create your new application.
- Copy the Application (client) ID and the Directory (tenant) ID to a notepad app on your computer. You will need these shortly.
- Go to Certificates & secrets.
- Select New client secret. Enter HelloID PowerShell as the Description. Choose an expiration date and select the Add button.
- Copy the client secret's Value to a notepad app on your computer.
- Go to your tenant's Overview.
- In the Tenant information tile, copy the Primary domain (tenant URL) to a notepad app on your computer (ending in .onmicrosoft.com).
Configure permissions
- In your Azure portal, go to Azure Active Directory > App registrations.
- Select the HelloID PowerShell application you just created.
- Select API Permissions.
- Select Add a permission.
- Select Microsoft Graph.
- Select Application permissions.
- Add the following permissions. Modify these as necessary, depending on what you are planning to implement.
- User.ReadWrite.All to read/write all users' full profiles
- Group.ReadWrite.All to read/write all groups
- Directory.ReadWrite.All to read/write data to your organization's directory
- Select the Add permissions button to confirm.
- Select the three-dot menu next to Add a permission, and select the Grant admin consent link.
- Select the Yes button to confirm. The Status of each permission will change to Granted.
The Microsoft Graph documentation provides additional details on permissions.
Customize the connector's lifecycle stages
Next, create a new custom PowerShell target system in HelloID. Name it Microsoft Graph API (Azure AD). Customize its options as needed.
You are now ready to customize its lifecycle stages on the Account tab.
The following scripts can be assigned to each of the lifecycle stages. Update the scripts' headers with your own Directory (tenant) ID, Tenant URL, Application (client) ID, and Client Secret that you copied during setup.
These scripts serve as basic examples of how to use the Microsoft Graph API to invite users to your Azure AD instance. You are free to extend them as you see fit.
Note that there are multiple ways to authenticate to the Graph API. Each method has its own pros and cons. In these examples, we use the Authorization Code grant type.
Account Create Example
The Account Create script sends an invitation. The invitation is sent to an existing email address, e.g., j.doe@tools4ever.com. The user can then log into the Azure domain (e.g., tools4ever.onmicrosoft.com) with their invited email address.
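The following is an added example of what an Account Create script for this connector can look like; it is not the article's own script. It acquires an app-only token with the client credentials grant using the client secret and application permissions configured above (an assumption; the article states its own scripts use the Authorization Code grant), then calls the Graph invitations endpoint. The `$p` person object, the `Contact.Business.Email` field and the returned result shape are assumed HelloID connector conventions; the placeholder values must be replaced with those copied during setup.

```powershell
# Added example, not the article's script. Placeholders: fill in from the values copied during setup.
# In a real connector these come from the target system's configuration, not from the script body.
$tenantId     = '<Directory (tenant) ID>'
$clientId     = '<Application (client) ID>'
$clientSecret = '<Client Secret value>'

# App-only token via the client credentials grant (assumption: client secret + application permissions).
$tokenBody = @{
    grant_type    = 'client_credentials'
    client_id     = $clientId
    client_secret = $clientSecret
    scope         = 'https://graph.microsoft.com/.default'
}
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' -Body $tokenBody
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# Person data as HelloID supplies it in $p; constructed here so the script runs stand-alone.
$p = @{ DisplayName = 'John Doe'; Contact = @{ Business = @{ Email = 'j.doe@tools4ever.com' } } }

# Invitation body for POST /invitations. inviteRedirectUrl is required by Graph and is where the
# invitee lands after redeeming; sendInvitationMessage makes Microsoft deliver the e-mail.
$invitation = @{
    invitedUserEmailAddress = $p.Contact.Business.Email
    invitedUserDisplayName  = $p.DisplayName
    inviteRedirectUrl       = 'https://myapps.microsoft.com'
    sendInvitationMessage   = $true
} | ConvertTo-Json

$success = $false; $accountReference = $null; $result = $null
try {
    $result = Invoke-RestMethod -Method Post -Uri 'https://graph.microsoft.com/v1.0/invitations' `
        -Headers $headers -ContentType 'application/json' -Body $invitation
    # The guest object's id is the reference later lifecycle stages (enable/update/disable/delete) key on.
    $accountReference = $result.invitedUser.id
    $success = $true
    $auditMessage = "Invitation sent to $($p.Contact.Business.Email); status: $($result.status)"
} catch {
    $auditMessage = "Failed to send invitation to $($p.Contact.Business.Email): $($_.Exception.Message)"
}

# Result object in the shape HelloID expects from a target connector script (assumed convention).
[PSCustomObject]@{
    Success          = $success
    AccountReference = $accountReference
    AuditDetails     = $auditMessage
    Account          = $result
} | ConvertTo-Json -Depth 10
```

A successful call returns `status` of `PendingAcceptance`; storing `invitedUser.id` as the account reference is what lets the remaining stages address the same guest object without a second lookup by e-mail address.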
Account Enable Example
Account Update Example
Account Disable Example
Account Delete Example