Create Azure AD User - Introduction
In our previous article on Azure Active Directory, we understood some theoretical concepts around what Azure Active Directory is and how it works.
In this tutorial we will first create an Azure AD tenant and then cover three different methods to create an Azure AD user:
- Create Azure AD User using the Azure portal
- Create Azure AD User programmatically using Azure PowerShell
- Create Azure AD User programmatically using the Azure CLI
Recommendations to design an Azure AD Tenant
- Once we’ve decided that we are going to use Azure AD as the Identity and Access Management service for our infrastructure resources, we need to first set up our own instance of the service i.e., we need to create a new tenant for our organization.
- While we design our Azure AD solution, we need to build a secure foundation for the service by following best practices: setting up self-service password reset for our users and administrators, requiring multi-factor authentication for our users, and creating a backup global administrator so that we do not lock ourselves out of our own tenant.
- We should also assign privileged users specific roles so that we don't have to use global administrator accounts for day-to-day administration tasks in our Azure AD tenant.
- Once we've done that, we may begin to populate identity resources by adding users, creating groups, adding devices, and determining if we're going to set up a hybrid identity environment for Azure AD.
- We could also monitor our administrators and perform access reviews to understand how and why resources and applications are being accessed.
- We could automate processes like user lifecycles--for example, automating password resets after a specific period for our users.
- Now that we've covered the components involved in designing a tenant, we will log in to the Azure portal and go through the process of creating a tenant from scratch.
Creating a new Azure AD tenant
Step 1: Access Azure Portal
Log in to the Azure portal, type the word active in the search bar and select Azure Active Directory.
This drops us into the default tenant, called “Default Directory”, if we have not provisioned any Azure AD tenants yet. We had earlier provisioned a tenant named ‘default’ and therefore end up on the page shown below.
Step 2: Create Azure AD Tenant
On the Azure AD tenants page, we now click on Manage tenants. This navigates us to a page where we can switch between tenants if we have created several, or create a new tenant.
Click on the Create button.
Step 3: Define Tenant Type
In this step, we choose our tenant type. Azure Active Directory provides identity and access management for Azure and Microsoft apps and services. With Azure Active Directory B2C, we would instead provide identity management for our customers on external-facing applications. Since we are working in a lab environment and do not need to serve external customers, we choose Azure Active Directory and click Next to proceed to the configuration.
Step 4: Provide Organization Name for Tenant
This is the final step of the tenant creation process. Here we provide the organization name and the initial domain name. We have specified linuxcloud9 as both the organization name and the initial domain name; Azure AD turns the initial domain name into a .onmicrosoft.com domain name. For the country we’ve specified India since that is our current location.
Adding users in Azure Active Directory
In the first part of this article, we explained how to create our own instance of the Azure AD service, i.e., our Azure AD tenant. Now we will create users in Azure AD. The tenant serves as our identity repository: every identity we manage exists inside this specific instance of the Azure Active Directory service.
A user in Azure AD is a set of user properties such as a display name, department, job title, usage location, user principal name, and user type. Every user is created with a set of default privileges.
Different types of Azure AD Users
There are three different types of users in Azure AD.
- Administrator users: These are users with an administrator role assigned.
- Member users: These are our regular users that are native to Azure AD.
- Guest users: These are external users that have been invited to the Azure AD tenant, such as inviting in another organization's users to collaborate on some tasks with our organization in B2B exchanges.
As is the case with most Azure services, we can create users in Azure AD through the GUI i.e., the Azure portal as well as the command line using the Azure CLI or Azure PowerShell.
Method 1: Create Azure AD User using the Azure portal
Step-1: Access Azure Portal GUI
Within our Azure portal, let’s navigate to the Active directory service where we have a tenant already created for us.
Step-2: Create AD User
Under the Manage section in the left sidebar, we see the Users tab. Click on this tab. Here we observe that we don’t have any users created on the system yet.
In this window, click on the + New user button to create a new user.
When we create a user in Azure AD, there are some fields that we need to populate. Some of these fields are mandatory and prefixed by an asterisk while the others are optional. We are going to go through each section of the user creation page and populate the values.
Step-3: Specify User Type
First, we will have the option of adding a new user belonging to our organization or inviting a guest user. A guest user is an external user that is not inherently part of our organization. By default, the create user radio button is selected and we will keep it that way.
Step-4: Provide Identity and Password for User
Scrolling further down on the page, we’ll be asked to provide some attributes for our user pertaining to its identity. This includes the user name, first name, last name, its password, assigned roles and any group memberships. We’ll name our user demo.
Please note that the default domain for your tenant will be auto-populated in the user name section. You may change this if you have multiple tenants configured and the user is supposed to be part of a specific tenant. For example, different departments in an organization may choose to have different tenants. For the password section, you may let Azure generate a strong password for you or you may type in your own.
Step-5: Define group and roles for User
After the password section, we now come to the groups and roles section. Since we haven’t created any groups yet, we won’t select any. Azure AD provides us with the ability to group a set of privileges or permissions together into a single entity called a role. In our case, as we are adding a member user, we’ll keep the default role of User.
If you click on the role name, you can view the other built-in roles available to assign to the user. We could also create our own custom roles, but in order to do so we must have an Azure AD Premium P1 or P2 license.
Step-6: Define User Settings
Under the Settings section, we have the option of blocking or allowing the user to sign in and of specifying the user’s location, i.e., the geographical location the user will be logging in from. This allows us to track suspicious logins, where a user attempts to log in from an area that is very far from their expected location. Under the Job info section, we have the option of specifying some properties that help determine the user’s position in the organization.
Once we’ve populated the required fields, we click on the Create button and this starts the user creation process. After the user has been created, we may return to the Users home page to validate, and there we will find that the user we’ve just created is now listed in the Users section.
Delete Azure AD User
Deleting a user in Azure AD is a straightforward process. We just need to navigate to the Users section in the Azure AD service menu, tick the checkbox next to the user name we’d like to delete and then click on the Delete user button. We’ll be prompted for confirmation, and once we click on OK and press Enter, the user will be deleted.
Method 2: Creating Azure AD User with Azure Powershell
Seasoned system administrators will always prefer the command line over a graphical user interface because of the flexibility and room for automation that the command line offers. Creating users in Azure AD with PowerShell is a three-step process.
Step 1: Connect to Azure AD
In this step, we run the below cmdlet to connect to our Azure AD tenant.
Connect-AzureAD -Confirm
Step 2: Create password object
While creating a user via Azure PowerShell, we don’t specify the password directly. Instead we create a password profile object in a variable and then store our password in that object, as shown below.
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = "LinuxCloud#7"
Step 3: Create user
Finally in this step, we create the user account in Azure AD using the New-AzureADUser cmdlet.
New-AzureADUser -DisplayName "Demo User" -PasswordProfile $PasswordProfile -UserPrincipalName "demo@azuredemo.onmicrosoft.com" -AccountEnabled $true -MailNickName "demouser"
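The three steps above, and the user deletion described in the Delete Azure AD User section, put together as one added example (this is not code from the original article or from Microsoft's documentation). It uses the same AzureAD module cmdlets as the article, plus Get-AzureADUser, Get-AzureADUserMembership and Remove-AzureADUser; it assumes Connect-AzureAD has already been run with an account that holds the User Administrator role, and the domain azuredemo.onmicrosoft.com is a placeholder for your own tenant's initial domain. The function names New-InitialPassword, New-LabUser and Remove-LabUser are ours. Note that Microsoft has since deprecated the AzureAD module in favour of the Microsoft Graph PowerShell SDK; the same flow applies there with different cmdlet names.

```powershell
# Added example, not from the original article. Assumes: AzureAD module loaded,
# Connect-AzureAD already run, "azuredemo.onmicrosoft.com" is a placeholder.

function New-InitialPassword {
    param([int]$Length = 20)
    # 64 symbols, so "random byte modulo 64" is uniform (256 is a multiple of 64).
    # The set covers all four categories (upper, lower, digit, symbol) that the
    # tenant password policy draws from.
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
        # Azure AD requires three of the four categories; regenerate if unlucky.
        $hit = @('[A-Z]', '[a-z]', '[0-9]', '[!#]') | Where-Object { $pw -cmatch $_ }
    } until (@($hit).Count -ge 3)
    return $pw
}

function New-LabUser {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MailNickName,
        [Parameter(Mandatory)][string]$Domain
    )
    $upn = "$MailNickName@$Domain"

    # Refuse to create a duplicate rather than failing part-way through.
    if (Get-AzureADUser -Filter "userPrincipalName eq '$upn'") {
        throw "User $upn already exists"
    }

    # Step 2 of the article: the password lives in a PasswordProfile object.
    # It is random and one-time: ForceChangePasswordNextLogin makes the user
    # replace it at first sign-in, so the value printed below is short-lived.
    $pwProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $pwProfile.Password = New-InitialPassword
    $pwProfile.ForceChangePasswordNextLogin = $true

    # Step 3 of the article: create the member user.
    $user = New-AzureADUser -DisplayName $DisplayName `
                            -UserPrincipalName $upn `
                            -MailNickName $MailNickName `
                            -PasswordProfile $pwProfile `
                            -AccountEnabled $true `
                            -UserType 'Member'

    Write-Host "Created $($user.UserPrincipalName) (ObjectId $($user.ObjectId)); initial password: $($pwProfile.Password)"
    return $user
}

function Remove-LabUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # -ObjectId accepts either the object id or the UPN.
    $user = Get-AzureADUser -ObjectId $UserPrincipalName

    # Guard against deleting an account that still holds a directory role,
    # which is how a tenant loses its only (or backup) administrator.
    $roles = Get-AzureADUserMembership -ObjectId $user.ObjectId |
             Where-Object { $_.ObjectType -eq 'Role' }
    if ($roles) {
        throw "Refusing to delete $($user.UserPrincipalName): it still holds role(s) $($roles.DisplayName -join ', ')"
    }
    Remove-AzureADUser -ObjectId $user.ObjectId
}

# Usage (run after Connect-AzureAD; domain is a placeholder):
# $u = New-LabUser -DisplayName 'Demo User' -MailNickName 'demouser' -Domain 'azuredemo.onmicrosoft.com'
# Get-AzureADUser -ObjectId $u.ObjectId | Select-Object DisplayName, UserPrincipalName, AccountEnabled, UserType
# Remove-LabUser -UserPrincipalName $u.UserPrincipalName
```

The read-back with Get-AzureADUser is the command-line equivalent of returning to the Users page to validate. Keeping the initial password out of the script (generated at run time, shown once, forced to change at first sign-in) avoids the fixed literal of the article's Step 2 ending up in version control or shell history.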
Method 3: Create Azure AD user using Azure CLI
In contrast to Azure PowerShell, where we used three commands, creating a user via the Azure CLI is simpler as we just need to run a single command as shown below.
az ad user create --display-name democloud --password 'LinuxCloud#007' --user-principal-name democloud@azuredemo.onmicrosoft.com
After we’ve created our users, we could navigate to the Users section of the Azure AD service page to validate that the users have been successfully created.
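The single az command above, wrapped with the checks an operator would want around it, as an added example (not code from the original article or from the Azure CLI documentation). It is written in PowerShell so it matches Method 2, but the az invocations are identical in bash. It assumes az login has already been run with an account allowed to create users, and azuredemo.onmicrosoft.com is again a placeholder for your tenant's domain; the function names Invoke-Az and New-CliLabUser are ours. The --force-change-password-next-sign-in and --mail-nickname options exist in current Azure CLI releases; on an old release check az ad user create --help for the exact flag names.

```powershell
# Added example, not from the original article. Assumes: az CLI installed,
# `az login` already run, "azuredemo.onmicrosoft.com" is a placeholder.

function Invoke-Az {
    # az reports failure through its exit code, so fail fast on a non-zero
    # code. Only the first two words of the command go into the error text,
    # so a --password argument never lands in a log or transcript.
    $out = & az @args
    if ($LASTEXITCODE -ne 0) {
        throw "az $($args[0..1] -join ' ') failed with exit code $LASTEXITCODE"
    }
    return $out
}

function New-CliLabUser {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MailNickName,
        [Parameter(Mandatory)][string]$Domain
    )
    $upn = "$MailNickName@$Domain"

    # Idempotency check: `az ad user list --upn` returns [] when nothing
    # matches, so the JMESPath query yields an empty string.
    $existing = Invoke-Az ad user list --upn $upn --query '[0].id' -o tsv
    if ($existing) { throw "User $upn already exists (object id $existing)" }

    # One-time password: 18 CSPRNG bytes as base64, with a fixed prefix that
    # guarantees the upper/lower/digit/symbol categories the tenant policy
    # asks for. The force-change flag makes the user replace it at first
    # sign-in, so the value printed below is short-lived.
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = 'Aa1!' + [Convert]::ToBase64String($bytes)

    $null = Invoke-Az ad user create `
        --display-name $DisplayName `
        --user-principal-name $upn `
        --mail-nickname $MailNickName `
        --password $password `
        --force-change-password-next-sign-in true `
        -o none

    # Read the object back instead of trusting the create response; this is
    # the CLI equivalent of checking the Users page in the portal.
    $check = Invoke-Az ad user show --id $upn `
        --query '{upn:userPrincipalName, enabled:accountEnabled, id:id}' -o json |
        ConvertFrom-Json
    if (-not $check.enabled) { throw "User $upn was created but is not enabled" }

    Write-Host "Created $($check.upn) (id $($check.id)); initial password: $password"
    return $check
}

# Usage (domain is a placeholder):
# New-CliLabUser -DisplayName 'democloud' -MailNickName 'democloud' -Domain 'azuredemo.onmicrosoft.com'
```

One caveat the single-command form hides: the password passed with --password is visible in the process argument list and in shell history for as long as it is valid, which is why the example forces a change at first sign-in rather than handing out a long-lived secret. Removing the lab user from the CLI is az ad user delete --id followed by the UPN.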
Summary
In this article, we explored how and why we need to create an Azure AD tenant, after which we explored the three available methods to create an Azure AD user. After that we learned how to delete a user in Azure AD. We also briefly touched upon the concept of roles and how we could use them to grant member users administrator-level or elevated permissions that allow them to perform some advanced tasks.
References
For writing this post, we used the creating and managing sections of the official Azure documentation as references. Links to both sections are provided below.
Manage users and groups in Azure Active Directory
Create Azure users and groups in Azure Active Directory