Managing Azure Active Directory Users from CLI

Introduction

Managing users in Azure Active Directory (AAD) is crucial for any organization that leverages cloud services. The Azure CLI command az ad user create plays a pivotal role in this management, allowing administrators to create new user accounts directly from the command line. This command is essential for automating user provisioning and ensuring that users have the necessary access to resources within the Azure ecosystem.

Understanding how to use this command not only enhances productivity but also supports various use cases such as onboarding new employees, managing user access in bulk, and integrating with other automated workflows. As organizations increasingly migrate to cloud-based solutions, mastering AAD user management via the CLI becomes a valuable skill for developers, system administrators, and DevOps professionals. 🚀

Prerequisites

Before diving into user creation with Azure CLI, ensure you have the following:

1. Azure CLI: Installed and configured on your machine. You can download it from the Azure CLI installation guide.
2. Azure Subscription: A valid Azure subscription is necessary to create users in your AAD tenant.
3. Permissions: You must have the appropriate permissions in Azure AD, such as User Administrator or Global Administrator roles.
4. Authentication: Make sure you are signed in to your Azure account using the command:

   az login
   

Fundamental Concepts

• Azure Active Directory (AAD): A cloud-based identity and access management service that helps organizations manage user accounts and access to applications.
• User Principal Name (UPN): A unique identifier for a user in Azure AD, typically in the format of an email address (e.g., user@domain.com).
• Display Name: The name that is shown in the Azure portal and other Azure services.
• Password Policy: A set of rules that define the conditions under which passwords must be created and managed.

Command Syntax

The basic syntax for creating a user in Azure AD using Azure CLI is:

az ad user create --display-name <display-name> --password <password> --user-principal-name <user-principal-name> [optional-parameters]

Parameters Table

Parameter	Description	Required/Optional
--display-name	The name displayed for the user.	Required
--password	The password assigned to the user for authentication.	Required
--user-principal-name	The UPN of the user (must be a verified domain).	Required
--force-change-password-next-sign-in	Marks the user to change the password at the next sign-in. Default is false.	Optional
--immutable-id	Associates an on-premises Active Directory user account with the AAD user object.	Optional
--mail-nickname	The mail alias for the user. Defaults to the UPN if not specified.	Optional

Practical Examples

1. Basic User Creation

Creating a basic user with a display name, UPN, and password.

az ad user create --display-name "John Doe" --password "Password123!" --user-principal-name "johndoe@contoso.com"

2. User Creation with Password Change Requirement

Creating a user that must change their password at the next sign-in.

az ad user create --display-name "Jane Smith" --password "Password123!" --user-principal-name "janesmith@contoso.com" --force-change-password-next-sign-in true

3. Creating a User with Mail Nickname

Setting a specific mail nickname for the user.

az ad user create --display-name "Emily Johnson" --password "Password123!" --user-principal-name "emily.johnson@contoso.com" --mail-nickname "emilyj"

4. Creating a User with an Immutable ID

Associating a user with an on-premises Active Directory account.

az ad user create --display-name "Michael Brown" --password "Password123!" --user-principal-name "michael.brown@contoso.com" --immutable-id "abc123"

5. Bulk User Creation using a Loop

Using a loop to create multiple users from a list.

for i in {1..5}; do
  az ad user create --display-name "User$i" --password "Password123!" --user-principal-name "user$i@contoso.com" --force-change-password-next-sign-in true
done

6. User Creation with Error Handling

Adding error handling to ensure the user is created successfully.

if az ad user create --display-name "Error User" --password "Password123!" --user-principal-name "error.user@contoso.com"; then
  echo "User created successfully."
else
  echo "Failed to create user."
fi

7. Creating a User with Azure CLI Output Redirection

Saving the output of the user creation command.

az ad user create --display-name "Log User" --password "Password123!" --user-principal-name "log.user@contoso.com" > log_user_creation.txt

8. Creating a User in a Script with Variables

Using variables for better script management.

DISPLAY_NAME="Alice Cooper"
UPN="alice.cooper@contoso.com"
PASSWORD="Password123!"

az ad user create --display-name "$DISPLAY_NAME" --password "$PASSWORD" --user-principal-name "$UPN"

Real-World Use Cases

1. Onboarding New Employees

When a company hires new staff, the HR department can use Azure CLI to quickly create user accounts without needing to navigate through the Azure Portal, speeding up the onboarding process.

2. Automating User Provisioning

In a DevOps environment, automated scripts can create user accounts as part of continuous integration and delivery (CI/CD) pipelines, facilitating seamless access management.

3. Managing User Roles

By creating users with specific roles directly from the CLI, organizations can manage user access more efficiently, especially when combined with role assignments in Azure AD for specific applications or resources.

Best Practices

1. Use Strong Passwords: Ensure that passwords meet security standards to minimize the risk of unauthorized access. 🔒
2. Employ MFA: Always enable Multi-Factor Authentication for users, especially administrators, to enhance security.
3. Automate User Management: Use scripts to automate user creation, updates, and deletions to improve efficiency and reduce errors.
4. Regular Audits: Periodically review user access and permissions to ensure compliance and security.
5. Document User Management Processes: Maintain clear documentation on user management procedures for better governance and compliance.

Common Errors

1. Error: User already exists

   • Cause: Attempting to create a user that already exists in Azure AD.
   • Solution: Check if the user already exists using az ad user show --id <user-principal-name>.

2. Error: Invalid password

   • Cause: The password provided does not meet the complexity requirements.
   • Solution: Use a stronger password that meets the required complexity.

3. Error: Access denied

   • Cause: Insufficient permissions to create users in Azure AD.
   • Solution: Ensure you have the proper role assigned, such as User Administrator.

4. Error: Invalid User Principal Name

   • Cause: The UPN does not match any verified domains in the tenant.
   • Solution: Ensure that the UPN you are using is part of verified domains in Azure AD.

Related Commands

Command	Description
az ad user list	List all users in Azure AD.
az ad user show --id <id>	Show details of a specific user.
az ad user update --id <id>	Update properties of an existing user.
az ad user delete --id <id>	Delete a user from Azure AD.
az ad group create	Create a new group in Azure AD.

Automation Script

Here’s a complete functional bash script that automates the creation of multiple users in Azure AD:

#!/bin/bash

# Variables
PASSWORD="Password123!"
DOMAIN="contoso.com"
NUM_USERS=5

# Create users
for i in $(seq 1 $NUM_USERS); do
  DISPLAY_NAME="User$i"
  UPN="user$i@$DOMAIN"
  
  echo "Creating user: $DISPLAY_NAME with UPN: $UPN"
  
  az ad user create --display-name "$DISPLAY_NAME" --password "$PASSWORD" --user-principal-name "$UPN" --force-change-password-next-sign-in true
  
  if [ $? -eq 0 ]; then
    echo "User $DISPLAY_NAME created successfully."
  else
    echo "Failed to create user $DISPLAY_NAME."
  fi
done

Conclusion

In this tutorial, we explored the az ad user create command in detail, covering its syntax, parameters, practical examples, and real-world applications. Mastering this command enables Azure administrators to efficiently manage user accounts in Azure Active Directory, contributing to streamlined identity and access management processes.

Moving forward, you can practice creating, updating, and managing Azure AD users through the CLI to enhance your skills. Exploring additional Azure CLI commands for user and role management will further enrich your understanding of Azure’s identity services.

References

• az ad user create - Azure CLI Documentation
• Manage users in Azure Active Directory
• Azure Active Directory Overview
• Best practices for security in Azure Active Directory