Sample code for the OpenID Connect protocol and the Graph API can be found, today, at https://github.com/AzureADSamples/WebApp-GraphAPI-DotNet.
Having configured this web application per the instructions for our rapmlsqa.com tenant, we see on one screen the UI used to create a user in the directory.
Using the creation tool lets us see what passes on the wire:
We are unable, however, to find which parameters must be passed to this API to create a “federated” user. So far, we have created only “managed” users, who by definition do not have federated status.
Spying on the PowerShell cmdlets, however, gives us a glimpse of the semantic rules concerning federated user creation. Though the service uses a different and non-RESTful protocol, we can see the type of information to be passed during “provisioning
OK, so it turns out to be simple:
Add ImmutableId to the binding list, and amend the form to expose the ImmutableId label and field editor:
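A sketch of that change, added here as an illustration and not taken from the sample repository: the controller shape, the other names in the `Bind` list, the `FederatedDomains` placeholder and the constructor-injected Graph client are all assumptions. It also shows why the field has to be listed: `Bind(Include = ...)` is an allowlist, so a posted field that is not named never reaches the model.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.Azure.ActiveDirectory.GraphClient;

public class UserController : Controller
{
    // Assumption: placeholder for the tenant's federated domain names.
    private static readonly HashSet<string> FederatedDomains =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "federated.example.com" };

    // Assumption: the application supplies an authenticated Graph client
    // (for example through its dependency resolver).
    private readonly ActiveDirectoryClient _client;

    public UserController(ActiveDirectoryClient client)
    {
        _client = client;
    }

    // Matching fields in the Create view (Razor):
    //   @Html.LabelFor(model => model.ImmutableId)
    //   @Html.EditorFor(model => model.ImmutableId)
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Create(
        // Allowlist against over-posting: only these posted fields are bound.
        // Without "ImmutableId" here the value typed into the form is dropped.
        [Bind(Include = "UserPrincipalName,AccountEnabled,PasswordProfile," +
                        "MailNickname,DisplayName,ImmutableId")] User user)
    {
        string upn = user.UserPrincipalName ?? string.Empty;
        string domain = upn.Substring(upn.LastIndexOf('@') + 1);

        // Fail in the form, before calling the directory, when a user in a
        // federated domain is submitted without an ImmutableId.
        if (FederatedDomains.Contains(domain) && string.IsNullOrWhiteSpace(user.ImmutableId))
        {
            ModelState.AddModelError("ImmutableId",
                "ImmutableId is required for a user in a federated domain.");
        }
        if (!ModelState.IsValid)
        {
            return View(user);
        }

        await _client.Users.AddUserAsync(user);
        return RedirectToAction("Index");
    }
}
```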
Then we can create and list users created in certified domains:
This gets us to proving it works… with our IDP: