Share the password for the o365 new user as link to the secret.

Mountain Pond 1,061 Reputation points
2023-07-23T13:35:23.5566667+00:00

Hello community.

Perhaps Azure has a service that allows you to share a secret via a link.

For example, I need to send a password to a new employee in an email. I would like to use a link to a secret, such as onetimesecret, but created via the API rather than manually.

Perhaps there are some source codes for the application that I can publish in Azure, or there are some ready-made solutions.

I don't want to pass the password through third party services like onetimesecret, it would be great to do it inside Azure.

Thank you.


Accepted answer
  1. Konstantinos Passadis 16,481 Reputation points
    2023-07-23T16:12:28.75+00:00

    Hello @Mountain Pond!

    Thank you for the info!

    This is the Documented procedure for new users by Microsoft

    As I can see in your question, you are asking whether there is a similar procedure via a link.

    The answer is no, there is no such service or procedure.

    The case here is possible with a Mix of Services

    For Example :

    Create an Azure Key Vault where you'll store the secrets. Configure access policies so that only your Azure Function can access the secrets.

    https://azure.microsoft.com/en-us/products/key-vault

    Create an Azure Function that exposes two endpoints:

    a. POST /secrets - This endpoint generates a unique ID, saves the secret to Azure Key Vault with the ID as the name, and returns the ID to the caller.

    b. GET /secrets/{id} - This endpoint retrieves the secret from Azure Key Vault using the ID, deletes the secret from Azure Key Vault, and returns the secret to the caller.


    a. Azure AD Client Credentials Flow - This is used to protect the endpoint that creates new secrets (POST /secrets).

    With the Client Credentials Flow, an application requests an access token by presenting its own credentials (a client ID and client secret, or a client certificate) to Azure AD. In return, Azure AD issues an access token to the application.

    You can configure your Azure Function to require this access token on incoming requests to POST /secrets. This way, only applications that have a valid client ID and secret can create new secrets.

    To set this up, you need to register your service as an app in Azure AD, obtain the client ID and client secret, and configure your service to present these credentials.

    b. Azure AD Implicit or Authorization Code Flow - This is used to protect the endpoint that retrieves secrets (GET /secrets/{id}).

    https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow


    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards
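The two endpoints described in the accepted answer (POST /secrets generating an unguessable id, GET /secrets/{id} returning the value once and deleting it) can be sketched as a small Python module. This is an added example, not code from the answer or from Microsoft; the in-memory dictionary is an assumed stand-in for Key Vault so the example runs offline, and the `build_link` URL shape, the 24-hour default TTL and the sample password are all assumptions. It goes slightly beyond the answer by adding an expiry on each id, which a practitioner would want so that links never opened by the employee do not stay readable indefinitely.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class _Entry:
    value: str
    expires_at: float


class OneTimeSecretStore:
    """In-memory stand-in for the Key Vault the answer proposes (assumption).

    In the real Azure Function each method would map onto a Key Vault
    operation (assumption: azure-keyvault-secrets SecretClient's set_secret,
    get_secret and begin_delete_secret); a dict is used here so the example
    runs without any Azure resources.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._entries: Dict[str, _Entry] = {}
        self._clock = clock  # injectable so expiry can be tested deterministically

    def create(self, value: str, ttl_seconds: int = 24 * 3600) -> str:
        """POST /secrets: store the value under an unguessable id, return the id.

        The id is the only credential needed to read the secret, so it must
        carry enough entropy that it cannot be enumerated: 32 random bytes
        from the OS CSPRNG, URL-safe encoded.
        """
        secret_id = secrets.token_urlsafe(32)
        self._entries[secret_id] = _Entry(value, self._clock() + ttl_seconds)
        return secret_id

    def retrieve(self, secret_id: str) -> Optional[str]:
        """GET /secrets/{id}: return the value exactly once, then destroy it.

        Returns None for unknown, already-read and expired ids alike, so a
        caller cannot tell the three cases apart (no oracle on id validity).
        pop() both fetches and deletes, mirroring get-then-delete on Key Vault.
        """
        entry = self._entries.pop(secret_id, None)
        if entry is None:
            return None
        if self._clock() > entry.expires_at:
            return None  # expired: already removed by pop(), never disclosed
        return entry.value

    def purge_expired(self) -> int:
        """Housekeeping for links that were never opened; returns count removed."""
        now = self._clock()
        stale = [k for k, e in self._entries.items() if now > e.expires_at]
        for k in stale:
            del self._entries[k]
        return len(stale)


def build_link(base_url: str, secret_id: str) -> str:
    """Assumed URL shape of the GET endpoint; nothing in the answer fixes it."""
    return f"{base_url.rstrip('/')}/secrets/{secret_id}"


if __name__ == "__main__":
    store = OneTimeSecretStore()
    # Constructed sample password; in practice the provisioning script supplies it.
    sid = store.create("Temp-Pa55word-constructed")
    print("link for the new employee:",
          build_link("https://example-func.azurewebsites.net/api", sid))
    print("first open :", store.retrieve(sid))   # the password
    print("second open:", store.retrieve(sid))   # None: already consumed
```

The POST endpoint would sit behind the client-credentials token check the answer describes, so only the provisioning script can mint links; the GET endpoint is what the emailed link points at, and because retrieval is destructive, an employee who finds the link already consumed has a direct signal that someone else opened it first.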


2 additional answers

  1. Konstantinos Passadis 16,481 Reputation points
    2023-07-23T13:45:06.25+00:00

    Hello

    The procedure for O365 is documented

    So , you can create a new user and require a password change

    Following the Procedure the user will have to create the new Password :


    https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/add-new-employee?view=o365-worldwide

    You can see here the option to send the password as well!

    https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/add-new-employee?view=o365-worldwide


    Also, you can enable SSPR so users can reset their passwords in case they forget.

    https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/let-users-reset-passwords?view=o365-worldwide

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards


  2. Mountain Pond 1,061 Reputation points
    2023-07-23T16:01:09.51+00:00

    Sorry, this is completely irrelevant to the question.

    1. The user's password must be changed, but first of all, he must receive a correct password to his personal mail. I don't want to send it out in the open.
    2. Sending the password will be done by a script.
    3. There is an independent password change, but this does not apply to the topic of the question.