4

Does anyone know if there is an API for actions in Microsoft Active Directory (like adding a user to a group, changing group policy, etc.)?

For example: if I want to update group policy to block a URL for some user, I want to do it through the API.

marc_s
YRM
  • I am certain that there are plenty of cmdlets for PowerShell. – Michael-O Oct 25 '21 at 12:56
  • It doesn't exist, you're gonna need to talk to multiple APIs. Modifying group memberships is as simple as doing an LDAP `modify` operation, but for GPOs you'll have to write to the SYSVOL share and speak to a different service on one of the domain controllers to ensure version updates for example. – Mathias R. Jessen Oct 25 '21 at 14:38

2 Answers

3

As suggested by @mathias-r-jessen, there are no REST APIs provided by Microsoft for Microsoft Active Directory. You need to communicate with multiple APIs. Modifying group memberships is as simple as doing an LDAP modify operation, but for GPOs you'll have to write to the SYSVOL share and speak to a different service on one of the domain controllers to ensure version updates for example.

There is some third-party software providing REST APIs for Microsoft Active Directory.

You can use ADManager Plus REST APIs to perform AD user account management operations. You can access the APIs from your application.

Please refer to this for the operations you can perform using ADManager Plus REST APIs:

Active Directory REST APIs from ManageEngine ADManager Plus

Also, you can use Addict to perform Active Directory operations. Addict is a drop-in REST API microservice for Active Directory implementations.

You can refer to this for the operations you can perform using Addict:

neuroradiology/addict-1: Get a full Active Directory REST API in 30 seconds (github.com)

RamaraoAdapa
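An added example, not part of the original answer or of either product it mentions: the LDAP modify for a group-membership change, written out as an RFC 2849 LDIF change record of the kind `ldapmodify` accepts, with the escaping a wrapper API needs when names come from callers. The function names and all DNs are constructed for illustration.

```python
import base64

def escape_rdn_value(value: str) -> str:
    """Escape a caller-supplied name for use as one RDN value (RFC 4514)."""
    if not value:
        raise ValueError("empty RDN value")
    out = []
    for ch in value:
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)              # DN metacharacters
        elif ord(ch) < 0x20:
            out.append("\\%02X" % ord(ch))     # NUL, CR, LF and other controls
        else:
            out.append(ch)
    if out[0] in (" ", "#"):
        out[0] = "\\" + out[0]                 # leading space or '#'
    if len(out) > 1 and out[-1] == " ":
        out[-1] = "\\ "                        # trailing space
    return "".join(out)

def ldif_line(attr: str, value: str) -> str:
    """Emit 'attr: value', switching to base64 ('attr:: ...') per RFC 2849."""
    raw = value.encode("utf-8")
    if not raw:
        raise ValueError("empty value")
    unsafe = (raw[:1] in (b" ", b":", b"<") or raw.endswith(b" ")
              or any(b in (0, 10, 13) or b > 127 for b in raw))
    if unsafe:
        return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{attr}: {value}"

def group_member_change(group_dn: str, user_dn: str, op: str = "add") -> str:
    """LDIF change record for one LDAP modify on the group's member attribute."""
    if op not in ("add", "delete"):
        raise ValueError("op must be 'add' or 'delete'")
    lines = [ldif_line("dn", group_dn), "changetype: modify",
             f"{op}: member", ldif_line("member", user_dn), "-", ""]
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    base = "OU=Staff,DC=example,DC=test"
    user_dn = f"CN={escape_rdn_value('Smith, Jane')},{base}"
    print(group_member_change("CN=Web Admins,OU=Groups,DC=example,DC=test", user_dn))
```

A value containing a line break or non-ASCII text is emitted as a single base64 line, so it cannot add extra lines to the change record.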
1

As other members commented, there is no official API from Microsoft, which is a big problem in my case, because I need an API to automate application integrations to both Microsoft Active Directory and DNS, and I want to create a Terraform module.

I tested the two APIs mentioned by @RamaraoAdapa-MT, and in the end, I decided to write my own API. The idea of calling PowerShell modules or using AD credentials doesn't sound like a good idea.

Both of them lack the ability to use Microsoft DNS, and I need to register/unregister machines in DNS using an API.

It took me almost two years to develop a good REST API (and a Terraform module) for Microsoft Active Directory and DNS in my free time, using tokens for authentication instead of user/password, and I definitely recommend writing yourself an API.

  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community May 13 '23 at 13:49