Azure AD ClaimsMappingPolicy Claims Conditions - azure

I'm trying to use the Microsoft Graph API to create a custom claims mapping policy that will emit claims based on conditions (similar to what can be done via the portal like this). I've seen the documentation on how to create claims mapping policies via the Graph API, but cannot find info on how to set conditions.
Is what I'm trying to do even possible via the Graph API?

Through the Graph API, you can use claims-mapping policies to:
Select which claims are included in tokens
Create claim types that do not already exist
Choose or change the source of data emitted in specific claims
Please see the docs for more info - https://learn.microsoft.com/en-us/graph/api/resources/claimsmappingpolicy?view=graph-rest-1.0
But you can achieve the same through Customize claims using the PowerShell command - https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping
Hope this helps,
thanks
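The answer above lists what a claims-mapping policy can do but not what the Graph request body looks like. The following is an added example, not code from the answer or from Microsoft: it builds the body for `POST /policies/claimsMappingPolicies` and checks it before sending. It assumes the v1.0 `claimsMappingPolicy` shape in which `definition` is an array holding one JSON string, and that string carries a `ClaimsMappingPolicy` object with `Version`, `IncludeBasicClaimSet` and a `ClaimsSchema` array; the `Source` values and the `ExtensionID`/`ID` distinction are the documented ones. It covers the three uses the answer names (select, create and re-source claims) and does not attempt the conditions the question asks about.

```javascript
// Added example (not code from the answer above or from Microsoft): build and
// sanity-check the body for POST /policies/claimsMappingPolicies. Assumption: the
// v1.0 resource takes `definition` as an array with ONE JSON string, and that string
// holds a ClaimsMappingPolicy object (Version, IncludeBasicClaimSet, ClaimsSchema).
// Getting that nesting wrong is the usual cause of a 400 on creation.

// Documented Source values for a ClaimsSchema entry.
const ALLOWED_SOURCES = new Set(["user", "application", "company", "transformation"]);

// `claims` entries look like { source, id | extensionId, jwtClaimType, samlClaimType }.
// Directory extension attributes are referenced by ExtensionID instead of ID.
function buildClaimsMappingPolicy(displayName, claims, includeBasicClaimSet = true) {
  const ClaimsSchema = claims.map((c) => {
    const entry = { Source: c.source };
    if (c.extensionId) entry.ExtensionID = c.extensionId; else entry.ID = c.id;
    if (c.jwtClaimType) entry.JwtClaimType = c.jwtClaimType;
    if (c.samlClaimType) entry.SamlClaimType = c.samlClaimType;
    return entry;
  });
  const policy = {
    ClaimsMappingPolicy: {
      Version: 1,
      IncludeBasicClaimSet: includeBasicClaimSet ? "true" : "false",
      ClaimsSchema,
    },
  };
  // Graph wants the policy serialized as a string inside the definition array.
  return { displayName, definition: [JSON.stringify(policy)], isOrganizationDefault: false };
}

// Returns a list of problems with a request body; an empty list means it is well formed.
function validateClaimsMappingPolicy(body) {
  const problems = [];
  if (typeof body.displayName !== "string" || !body.displayName) problems.push("displayName is required");
  if (!Array.isArray(body.definition) || body.definition.length !== 1 || typeof body.definition[0] !== "string") {
    problems.push("definition must be an array containing exactly one JSON string");
    return problems;
  }
  let parsed;
  try {
    parsed = JSON.parse(body.definition[0]);
  } catch (e) {
    problems.push("definition[0] is not valid JSON");
    return problems;
  }
  const policy = parsed.ClaimsMappingPolicy;
  if (!policy) {
    problems.push("definition[0] must have a ClaimsMappingPolicy root");
    return problems;
  }
  if (policy.Version !== 1) problems.push("Version must be 1");
  (policy.ClaimsSchema || []).forEach((c, i) => {
    if (!ALLOWED_SOURCES.has(c.Source)) problems.push(`ClaimsSchema[${i}]: unknown Source '${c.Source}'`);
    if (!c.ID && !c.ExtensionID) problems.push(`ClaimsSchema[${i}]: ID or ExtensionID is required`);
    if (!c.JwtClaimType && !c.SamlClaimType) problems.push(`ClaimsSchema[${i}]: JwtClaimType or SamlClaimType is required`);
  });
  return problems;
}

// Usage: a policy that emits the user's employeeId under the JWT claim "employeeid".
const examplePolicy = buildClaimsMappingPolicy("Emit employeeId", [
  { source: "user", id: "employeeid", jwtClaimType: "employeeid" },
]);
```

Creating the policy only stores it; it takes effect on an application once it is linked to that application's service principal (`POST /servicePrincipals/{id}/claimsMappingPolicies/$ref`), so a validator like the one above is best run before both calls.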

Related

Are nested groups supported?

Are nested groups supported in Azure B2C?
This page suggests there is some support, because it links to https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-limitations#restriction-on-nested-groups
If there are restrictions on them then I assume they are at least partially supported. Unfortunately that page no longer exists.
I couldn't find any information in MSFT docs about the status of this feature.
I've tried their User Voice, but the only thing I found is an entry about plain "Azure AD" (I thought that is supported already, but it appears it's not if there is an open request about it).
FWIW I cannot add a nested group in the way that's suggested by MSFT documentation. I don't see that option in the UI, though it lists "0 groups" as members.
Trying to add a group to another group via Graph API results in
{"error":{"code":"Request_BadRequest","message":"An invalid operation was included in the following modified references: 'members'.","innerError":{"date":"2022-04-20T15:32:34","request-id":"7d183819-019a-4f23-b31f-1765dcd7d44a","client-request-id":"7d183819-019a-4f23-b31f-1765dcd7d44a"}}}
Azure AD has some support for nested groups.
B2C has no groups support. Typically, you assign the groups in Azure AD and then access them from B2C via Graph via REST API.
After wrangling with MSFT support I got an answer that nested groups are not supported in B2C enabled tenants.
This can be done in Azure AD and not on the B2C AD. Adding a group as a member of another group in Azure AD B2C is not supported.

How can i add Custom Attributes to my Azure AD tenant members (Not B2C users)

I have an Azure AD tenant and I am looking for a way to include extra attributes while creating members within my organization. I have poked around the interface and can't find a way to achieve this on the Azure portal. From my findings, I can see tons of documentation and blog posts on how to achieve this using the B2C feature and graph API for external customers. However, this does not meet my requirements.
I believe this is a basic requirement that should be possible on Azure AD. Can someone please point me to the right documentation to achieve this?
Azure portal doesn't provide such a feature but we can achieve this using Microsoft Graph API: Create extensionProperty.
You need to specify the targetObjects as "User".
An example (you can use any of your app registrations for {object id of the app registration}):
POST https://graph.microsoft.com/v1.0/applications/{object id of the app registration}/extensionProperties
{"name":"customAttribute","dataType":"string","targetObjects":["User"]}
It will generate an extension property named extension_{client id of the app registration without "-"}_customAttribute.
Then you can update the extension property for a user:
PATCH https://graph.microsoft.com/v1.0/users/{user id}
{"extension_{client id of the Azure AD application without "-"}_customAttribute":"value"}

Azure B2C: Getting List of Built-in Claims for Custom Policies

While the Azure Starter Pack for B2C is helpful for getting started with creating custom policies, is there an actual list of built-in claims that one can reference? There are several claims that are referred to in several of the files, though I have no clue of their purpose or why they're needed (for example upnUserName, nca, resource_id, etc.).
I did find some pages, such as the Graph API reference or Customize Claims, though I'm not sure if these are the go-to pages for getting all built-in claims.
You can find a list of all such claims in two places:
User profile attributes documentation - https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-profile-attributes#azure-ad-user-resource-type
User attributes blade in the Azure Portal. The built-in user attributes are almost the same for user flows and custom policies.

Using custom attributes to store additional information about a user in Azure AD B2C

I would like to store additional information about users in my Azure AD B2C instance. What I did is the following:
I've created a new custom attribute and the name of this attribute is Producer
I've added all required permissions for a new application registration which is intended to use Azure AD B2C API through Graph API
I call Graph API to set a custom attribute for one of the users: POST https://graph.microsoft.com/v1.0/users/{user-id} with the following data according to this example
{
  "officeLocation": "US",
  "extension_XXX_Producer": "AN"
}
When I try to query information about this user by using Graph API: GET https://graph.microsoft.com/v1.0/users/{user-id}, I do not get anything like my custom attribute
After reading Azure AD B2C documentation, it seems like custom attributes can be activated only if I add them to one of the user flows, but it is not what our business wants. They would like to have another UI and product to be responsible for custom attribute management, which is why I would like to use Graph API for custom attributes management.
Could you please recommend me how I can manage custom attributes without including them into Azure AD B2C user flows?
I also found a couple of resources where people recommend using Azure AD Graph API, but Microsoft tells me in Azure that this API is legacy (I've checked it and it works, but I have some concerns because of the legacy API):
I looked at the document example you provided, and I noticed that the example is a demonstration with Azure Active Directory Graph, so I suggest you also try to use Azure Active Directory Graph. When you use the API to query user information, it looks like this:
https://graph.windows.net/{tenant}.onmicrosoft.com/users/{user_id}?api-version=1.6
Before that, as the document says, you need to obtain an access token for the API, and when granting permissions, you need to grant Azure Active Directory Graph permissions to the application.
AAD Graph is an older API that only allows access to directory data, and some of its functions have been migrated from AAD Graph to Microsoft Graph. But in some cases, we can only achieve the requirements through AAD Graph.
Please see: The difference between AAD Graph and Microsoft Graph.
What I've done:
Add a custom attribute (for example Producer) using the Azure Portal AD B2C
Add this attribute in the Application claims of the signin user flow
Use the Graph API to list the extension properties of the application named "b2c-extensions-app. Do not modify. Used by AADB2C for storing user data." (this is where the custom attributes are stored; read https://learn.microsoft.com/en-us/azure/active-directory-b2c/extensions-app, https://learn.microsoft.com/en-us/graph/api/resources/extensionproperty?view=graph-rest-beta and https://learn.microsoft.com/en-us/graph/api/application-list-extensionproperty?view=graph-rest-beta&tabs=http).
client is an initialized MicrosoftGraphClient, appObjectId is the Object ID of the b2c-extensions-app:
// Lists the extension properties registered on the given application (beta endpoint).
async function getExtensionProperties(client, appObjectId) {
  return await client
    .api(`/applications/${appObjectId}/extensionProperties`)
    .version('beta')
    .get();
}
The response should contain a line like:
name: 'extension_<Application (client) ID of the b2c-extensions-app without the dashes>_Producer'
This is the name of the custom attribute as an extension property.
Use the Graph API to set your custom attribute on a user.
id is the user Object ID in AD, attributes is { "extension_<Application (client) ID of the b2c-extensions-app without the dashes>_Producer": "your_value" }
// Sets one or more extension values on the user; the body keys are the full extension property names.
async function updateUser(client, id, attributes) {
  return await client
    .api(`/users/${id}`)
    .version('beta')
    .header("content-type", "application/json")
    .patch(attributes);
}
When logging in using the signin user flow, in the browser, using MSAL, myMSALObj.getAccount().extension_Producer is now set to the custom attribute value (note: extension_Producer, without the Application ID between extension and Producer).
This answer https://learn.microsoft.com/en-us/answers/questions/21843/how-to-set-custom-claims-for-a-user-in-azure-ad-b2.html from amanpreetsingh-msft has been a great help to solve this.
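Both the Azure AD answer earlier on this page (Create extensionProperty, then PATCH the user) and the B2C answer just above rely on the same naming rule, `extension_<client id without dashes>_<name>`, and on reading the value back under that exact key. The block below is an added example, not code from either answer or from Microsoft: it derives the name, builds the create and patch bodies, picks the property out of a listing response, reads values back from a user record, and maps the property name to the shortened claim name the B2C answer reports seeing in MSAL. The client id, object ids and user record are constructed sample values, and attribute names are assumed to be plain alphanumeric strings.

```javascript
// Added example (not code from either answer above or from Microsoft): the naming rule
// for directory extension properties and the request/response shapes around it.
// Assumptions: the client id, object ids and user record below are constructed sample
// values; attribute names are taken to be plain alphanumeric strings.

// Constructed sample application (client) id; a real app registration has its own.
const SAMPLE_CLIENT_ID = "12345678-abcd-4def-9012-3456789abcde";

// Graph names a directory extension "extension_<client id without dashes>_<name>".
function extensionPropertyName(clientId, attributeName) {
  if (!/^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$/.test(clientId)) {
    throw new Error("clientId must be a GUID in 8-4-4-4-12 form");
  }
  if (!/^[A-Za-z0-9]+$/.test(attributeName)) {
    throw new Error("attributeName must be alphanumeric");
  }
  return `extension_${clientId.replace(/-/g, "")}_${attributeName}`;
}

// Body for POST /applications/{appObjectId}/extensionProperties.
function buildCreateBody(attributeName, dataType = "String") {
  return { name: attributeName, dataType, targetObjects: ["User"] };
}

// Pick the created property out of a GET .../extensionProperties response (null if absent).
function findExtensionProperty(listResponse, clientId, attributeName) {
  const wanted = extensionPropertyName(clientId, attributeName);
  return (listResponse.value || []).find((p) => p.name === wanted) || null;
}

// Body for PATCH /users/{userObjectId}; the key must be the full extension property name.
function buildUserPatch(clientId, attributeName, value) {
  return { [extensionPropertyName(clientId, attributeName)]: value };
}

// Read one extension value from a GET /users/{id} response (undefined when not set).
function readExtensionValue(user, clientId, attributeName) {
  return user[extensionPropertyName(clientId, attributeName)];
}

// Collect every extension value belonging to one app, keyed by the short attribute name.
function listExtensionValues(user, clientId) {
  const prefix = `extension_${clientId.replace(/-/g, "")}_`;
  const out = {};
  for (const [key, value] of Object.entries(user)) {
    if (key.startsWith(prefix)) out[key.slice(prefix.length)] = value;
  }
  return out;
}

// The B2C answer notes that the user-flow token (and so MSAL's account object)
// carries the claim without the app id, i.e. extension_Producer.
function tokenClaimName(attributeName) {
  return `extension_${attributeName}`;
}

// Constructed sample data shaped like the Graph responses the answers describe.
const SAMPLE_LIST_RESPONSE = {
  value: [
    { id: "aaaaaaaa-0000-0000-0000-000000000001", name: "extension_12345678abcd4def90123456789abcde_Producer", dataType: "String", targetObjects: ["User"] },
    { id: "aaaaaaaa-0000-0000-0000-000000000002", name: "extension_12345678abcd4def90123456789abcde_Region", dataType: "String", targetObjects: ["User"] },
  ],
};
const SAMPLE_USER = {
  id: "bbbbbbbb-0000-0000-0000-000000000001",
  displayName: "Sample User",
  officeLocation: "US",
  extension_12345678abcd4def90123456789abcde_Producer: "AN",
};
```

For an Azure AD tenant the client id is that of whichever app registration you created the property on; for B2C it is the client id of the "b2c-extensions-app" the answer above lists properties from. The GUID check exists because a name built from a mistyped id is accepted by the PATCH call as an unknown property and silently stores nothing useful.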

Where can I find a list of all supported B2C custom policy Claim Transformation Methods?

Where can I find a list of all supported Azure AD B2C Custom Policy Claims Transformation Methods?
I have searched Google, Bing, DuckDuckGo and GitHub for such a list, but can't find it.
And TrustFrameworkPolicy_0.3.0.0.xsd schema doesn't contain it.
https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Documentation/Features%20part%206.md - does have an outdated list - some of methods like AddParameterToStringCollection can't be used - policy can't be imported when I use it.
No such list exists at this time. You should request it via the Azure AD B2C feedback forum.
Your best bet is to go through all the starter packs and see which transformations are included in those. While there might be others, if they are not referenced in the starter packs or docs, they are unsupported and not recommended for broad use.
Update!
We have released a full documentation of the schema here:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/claimstransformations
All elements of custom policies for B2C, also known as Identity Experience Framework or IEF, are published.
