When we develop services such as Web API/Web App which is external facing, managing users are very important, yet tedious task. One of the painful such processes is to create users to use our API.

The good news is that Azure AD provide self-service sing up to make this process easier! Let's see how this works.

Prerequisites

• Azure Subscription
• Postman (for easy to demonstrate)
• Azure Ad with admin privilege

Register application and setup self-service sign up

To use this feature, we need to use Azure AD to authenticate/authorize users. Let's register an application first.

Register application

1. From Azure AD, select App registrations and click "New registration".

2. Enter an application name.

3. Add web as redirect url option and set https://oauth.pstmn.io/v1/callback as its url. (This is for postman)

4. Click register and obtain application id.

5. Click "Endpoint" and note authorization endpoint (v2)
and token endpoint (v2).

6. From "Certifications & Secrets", create new secret and note the secret value.

Enable Self-Service Sing Up

Next, enable self-service sing up in Azure AD.

1. Select "User Settings" and click "Manage external collaboration settings".

2. Toggle yes for "Enable guest self-service sign up via user flows" option and save.

3. Go back to previous page and select "External Identities".

4. Select "User flows" and add new one.

5. Name it and select external identities you want to support.

6. Select additional properties to capture and create.

7. Select the created user flow and select "Applications". Add the application you created above.

Test from postman

Finally, let's test from postman to see how this works.

1. Open postman and click "Authorization" tab. Select "OAuth 2.0" for type.

2. Enter appropriate value for each section which you should already know from previous steps. Set User.Read as scope.

3. Click "Get New Access Token" which will launch browser. Click "Create One" in sign in screen.

4. Sign up with preferred option. I sing up with my hotmail account.

5. Once an account is created, you will be asked to consent.

6. Then it asks the additional properties you set in user flow.

7. Consent to app permission. Now you should get new token. You can verify the token in jwt.io for example.

Check in Azure AD

The user is now added in Azure AD.

Summary

The sign-up experience is very smooth from end user point of view, and easy to setup from developer point of view. You can use the token to further process it in your backend.