I have an angular client app which talks to an ASP.NET Web API backend. I am using Azure Active Directory to authenticate users, and I have registered my Web API with my Azure AD tenant. I am using the ADAL JS client library in my angular app to authenticate with Azure AD and obtain a bearer token to access my Web API (i.e. this authentication scenario). I have this all working successfully with users that I have created via the portal.
Now I want the users of my angular app to be able to create new users in my Azure AD tenant. Only users who are administrators should be able to do this. I know that I must use the Graph API, and that I can use a Graph Client library to make this simpler. This is how I think this should be implemented:
- User of angular app authenticates via Azure AD and obtains bearer token to access Web API.
- Angular app makes a call to the Web API's `UserController` to create a new Azure AD user, presenting the bearer token.
- Web API verifies that the user of the angular app is an administrator using the bearer token.
- Because Graph API is also secured using Azure AD, Web API then needs to authenticate with Azure AD tenant in order to use Graph API. It does this using the Graph Client.
- Web API then uses Graph Client library to do CRUD operations in Azure AD tenant.
My questions:
- Is this a valid way of implementing this?
- Which type of permissions should I select for Graph API: Application or Delegation?
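The following is an added example, not code from the question or from any of the libraries it names, showing one way to wire up the flow described above in an ASP.NET Web API controller. It assumes the API is protected by the OWIN Azure AD bearer middleware (so the token's signature, issuer, audience and expiry are already validated before the action runs), that an app role named "Admin" has been defined in the Web API's manifest and assigned to the administrator users, that the API authenticates to the Azure AD Graph with its own client ID and secret (ADAL .NET client credentials grant), and that the `ida:*` configuration keys and the `NewUserRequest` shape are illustrative names.

```csharp
// Added example (not from the original question). Assumptions: OWIN Azure AD
// bearer middleware validates the token; an app role "Admin" exists in the
// Web API manifest; Graph is called with the API's own client credentials.
using System;
using System.Configuration;
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Azure.ActiveDirectory.GraphClient;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public class NewUserRequest
{
    public string DisplayName { get; set; }
    public string UserPrincipalName { get; set; }   // e.g. alice@contoso.onmicrosoft.com
    public string MailNickname { get; set; }
    public string TemporaryPassword { get; set; }
}

[Authorize] // any caller must at least present a valid bearer token
public class UserController : ApiController
{
    // Configuration key names are assumptions for this example.
    private static readonly string Tenant   = ConfigurationManager.AppSettings["ida:Tenant"];
    private static readonly string ClientId = ConfigurationManager.AppSettings["ida:ClientId"];
    private static readonly string AppKey   = ConfigurationManager.AppSettings["ida:AppKey"];
    private const string GraphResource = "https://graph.windows.net";

    [HttpPost]
    public async Task<IHttpActionResult> Post(NewUserRequest request)
    {
        // 1. Authorisation: the middleware has authenticated the caller, but the
        //    admin check is still the API's job and must come from the token's
        //    claims, never from anything the Angular client sends in the body.
        //    The "roles" claim carries app roles; the JWT handler may map it to
        //    ClaimTypes.Role, so both names are checked.
        var principal = User as ClaimsPrincipal;
        bool isAdmin = principal != null && principal.Claims.Any(c =>
            (c.Type == "roles" || c.Type == ClaimTypes.Role) && c.Value == "Admin");
        if (!isAdmin)
            return StatusCode(HttpStatusCode.Forbidden);

        // 2. Authenticate to Azure AD as the application itself (client
        //    credentials grant) to obtain an access token for the Graph API.
        //    The client secret lives only on the server, never in the browser.
        var authContext = new AuthenticationContext("https://login.microsoftonline.com/" + Tenant);
        var credential  = new ClientCredential(ClientId, AppKey);
        AuthenticationResult graphToken = await authContext.AcquireTokenAsync(GraphResource, credential);

        // 3. Use the Graph client library to create the user in the tenant.
        var graphClient = new ActiveDirectoryClient(
            new Uri(GraphResource + "/" + Tenant),
            () => Task.FromResult(graphToken.AccessToken));

        var user = new User
        {
            DisplayName       = request.DisplayName,
            UserPrincipalName = request.UserPrincipalName,
            MailNickname      = request.MailNickname,
            AccountEnabled    = true,
            PasswordProfile   = new PasswordProfile
            {
                Password = request.TemporaryPassword,
                ForceChangePasswordNextLogin = true // user must rotate the initial password
            }
        };
        await graphClient.Users.AddUserAsync(user);

        return Ok(new { user.ObjectId, user.UserPrincipalName });
    }
}
```

Two points the example makes concrete: the "is this caller an administrator" decision is taken server-side from the validated token's claims, and the Graph call is made with the API's own identity, which means the permission consumed on the Graph API is one granted to the application rather than one delegated by the signed-in user. If the API instead needed to act as that user, it would exchange the incoming bearer token for a Graph token with the on-behalf-of flow (`AcquireTokenAsync` with a `UserAssertion`), and the relevant Graph permission would then be a delegated one.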