@Sneha N. Patil The Azure Active Directory Graph API is used to manage users and groups in Azure Active Directory, which is a cloud-based identity and access management service. It cannot be used to manage users in on-premises Windows Active Directory.
Regarding the use of PrincipalContext to create a user in Windows Active Directory from Azure App Service, it should work as long as the credentials and permissions are correct and the firewall rules are configured correctly.
Since you have confirmed that the user has the required permissions to create a user and the code works fine on your local machine, it is possible that the issue is related to the firewall rules. Please check the firewall rules to ensure that traffic from Azure App Service to the Active Directory is allowed.
If the issue persists, you can try enabling diagnostic logging in Azure App Service to get more details about the error. You can also try using the LDAP protocol to connect to the Active Directory instead of the default Kerberos protocol used by PrincipalContext.
Enabling diagnostic logging in Azure App Service:
- Go to the Azure portal and navigate to your App Service.
- Click on "App Service logs" under the Monitoring section.
- Turn on "Application Logging (Filesystem)" and "Detailed error messages".
- Save the changes and restart your App Service.
This will enable diagnostic logging for your App Service, which should provide more details about the error you are encountering.
Using the LDAP protocol to connect to Windows Active Directory:
- Replace the `PrincipalContext` constructor with the following code:

```csharp
using System.DirectoryServices;

// Binds to the domain over LDAP with explicit credentials and creates the user object
// directly. Domain, UserName and UserPassword are the same values that were previously
// passed to the PrincipalContext constructor.
public bool CreateUser(string userLogonName, string firstName, string lastName, string password)
{
    var ldapPath = string.Format("LDAP://{0}", Domain);
    using (var context = new DirectoryEntry(ldapPath, UserName, UserPassword))
    {
        using (var user = context.Children.Add(string.Format("CN={0}", userLogonName), "user"))
        {
            user.Properties["samAccountName"].Value = userLogonName;
            user.Properties["userPrincipalName"].Value = string.Format("{0}@{1}", userLogonName, Domain);
            user.Properties["displayName"].Value = $"{firstName} {lastName}".Trim();
            user.Properties["givenName"].Value = firstName;
            user.Properties["sn"].Value = lastName;
            user.CommitChanges();                                   // the object must exist before a password can be set
            user.Invoke("SetPassword", new object[] { password });
            user.CommitChanges();
            user.Properties["userAccountControl"].Value = 0x200;    // NORMAL_ACCOUNT: enables the account
            user.CommitChanges();
            return true;
        }
    }
}
```
This code uses the `DirectoryEntry` class to connect to the Active Directory using the LDAP protocol. The `Children.Add` method is used to create a new user object, and the `Properties` collection is used to set the user's properties. The `Invoke` method is used to set the user's password, and the `userAccountControl` property is set to enable the user account.
Please note that using the LDAP protocol may require additional configuration, such as opening the LDAP port on the firewall and configuring SSL/TLS encryption.
If you find the above information helpful, we would appreciate it if you would provide a new survey or accept this reply as an answer. This will help us recover the previous survey. If there is anything else we can do, please let us know.
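The answer above points at two separate causes (a firewall blocking the path from App Service to the domain controller, and a bind that the DC rejects) and at diagnostic logging as the way to tell them apart. The following helper, an added example that is not part of the answer or of Microsoft's documentation, checks each cause on its own and writes the outcome to `System.Diagnostics.Trace`, which the "Application Logging (Filesystem)" setting described above captures for .NET Framework apps on App Service (ASP.NET Core apps would use `ILogger` instead). It also shows the SSL/TLS configuration the answer mentions: the bind uses `AuthenticationTypes.Secure` (a signed and sealed Negotiate bind rather than a plaintext simple bind) and optionally `AuthenticationTypes.SecureSocketsLayer` against port 636. The host name, credentials and the `RunAsync` entry point are assumptions for illustration.

```csharp
using System;
using System.Diagnostics;
using System.DirectoryServices;
using System.Net.Sockets;
using System.Threading.Tasks;

// Added diagnostic helper (hypothetical; not from the answer above).
public static class AdConnectivityCheck
{
    public const int LdapPort = 389;
    public const int LdapsPort = 636;

    // Step 1: can the App Service reach the domain controller on the LDAP port at all?
    // A timeout or refused connection here points at the firewall / network path, not at credentials.
    public static async Task<bool> CanReachAsync(string dcHost, int port, int timeoutMs = 5000)
    {
        using (var client = new TcpClient())
        {
            try
            {
                var connect = client.ConnectAsync(dcHost, port);
                if (await Task.WhenAny(connect, Task.Delay(timeoutMs)) != connect)
                {
                    Trace.TraceError("TCP connect to {0}:{1} timed out after {2} ms (check firewall rules and VNet integration)", dcHost, port, timeoutMs);
                    return false;
                }
                await connect; // surfaces a SocketException if the connection was refused
            }
            catch (SocketException ex)
            {
                Trace.TraceError("TCP connect to {0}:{1} failed: {2}", dcHost, port, ex.Message);
                return false;
            }
            Trace.TraceInformation("TCP connect to {0}:{1} succeeded", dcHost, port);
            return true;
        }
    }

    // Step 2: does the DC accept a bind with the service credentials?
    // Secure = signed/sealed Negotiate bind; SecureSocketsLayer = LDAPS on port 636.
    public static bool TryBind(string dcHost, string userName, string password, bool useLdaps)
    {
        var path = useLdaps ? $"LDAP://{dcHost}:{LdapsPort}" : $"LDAP://{dcHost}";
        var auth = AuthenticationTypes.Secure;
        if (useLdaps) auth |= AuthenticationTypes.SecureSocketsLayer;

        try
        {
            using (var root = new DirectoryEntry(path, userName, password, auth))
            {
                // Reading a property forces the actual bind; the constructor alone does not connect.
                var dn = root.Properties["distinguishedName"].Value;
                Trace.TraceInformation("Bound to {0} as {1}", dn, userName);
                return true;
            }
        }
        catch (DirectoryServicesCOMException ex)
        {
            // Typical HRESULTs: 0x8007052E = ERROR_LOGON_FAILURE (bad credentials),
            // 0x8007203A = ERROR_DS_SERVER_DOWN ("server is not operational", i.e. unreachable).
            Trace.TraceError("Bind to {0} failed: HRESULT 0x{1:X8} {2}", path, ex.ErrorCode, ex.Message);
            return false;
        }
        catch (Exception ex)
        {
            Trace.TraceError("Bind to {0} failed unexpectedly: {1}", path, ex);
            return false;
        }
    }

    // Runs both checks in order so the log shows which layer failed first.
    public static async Task<bool> RunAsync(string dcHost, string userName, string password, bool useLdaps = true)
    {
        var port = useLdaps ? LdapsPort : LdapPort;
        if (!await CanReachAsync(dcHost, port))
            return false;                // network path blocked: no point attempting a bind
        return TryBind(dcHost, userName, password, useLdaps);
    }
}
```

Call `AdConnectivityCheck.RunAsync("dc01.corp.example", serviceAccount, serviceAccountPassword)` once at startup (or from a diagnostic endpoint) and read the result in the App Service log stream. If step 1 fails, the App Service has no route to the domain controller; an App Service reaches on-premises hosts only through VNet integration or Hybrid Connections, so that configuration is the place to look. If step 1 succeeds and step 2 fails with `0x8007052E`, the path is open and the credentials or the account's logon rights are the problem. Prefer the LDAPS variant in production so that the bind and the `SetPassword` call in the answer's code never cross the network in the clear.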