I am trying to change or upload a user profile while signup or profile update in azure active directory b2c using custom policy. I found a "thumbnailPhoto" property having datatype Edm.Stream by using this I am trying to create a custom ClaimType like this. but it's not working please help in changing user profile through custom policy
<ClaimType Id="thumbnailPhoto">
<DisplayName>ProfilePicture</DisplayName>
<DataType>stream</DataType>
<UserHelpText>Upload profile picture</UserHelpText>
</ClaimType>
Thanks and Azure B2C support below predefined data types.
Reference:- https://learn.microsoft.com/en-us/azure/active-directory-b2c/claimsschema#datatype
stream
When you upload policy, you will get error - The 'http://schemas.microsoft.com/online/cpim/schemas/2013/06:DataType' element is invalid - The value 'stream' is invalid according to its datatype 'http://schemas.microsoft.com/online/cpim/schemas/2013/06:DataType' - The Enumeration constraint failed.
Proposed Solution:-
You need to use custom development using HTML or B2C with graph api.You can try to use the profilePhoto resource type which lets you get/update a photo.
This may work:
GET https://graph.windows.net/myorganization/users/{user_id}/thumbnailPhoto?api-version
PATCH https://graph.windows.net/myorganization/users/{user_id}?api-version
Related
We are using custom policies with ADB2C and are passing ui_locales in the signup_signin url for the localization. However, B2C doesn't propagate this to the Self Service Password Reset flow. We set it up following the instructions here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy#self-service-password-reset-recommended
Is there a way to propagate ui_locales to Password Reset form in Custom Policies? The url for Password Reset is out of our control and is constructed by B2C itself.
• Yes, you can surely configure the page localization option for the ‘Password Reset’ policy page by configuring the ‘Azure AD B2C Embedded Password Reset’ flow wherein the default ‘Password Reset’ flow policy gives out the error code ‘AADB2C90118’ when a specific password reset policy is not invoked through the custom policy.
• Thus, to use the ‘Azure AD B2C Embedded Password Reset’ flow policy in your Azure AD B2C Custom policy, kindly follow the below link for more details wherein the ‘B2C_1A_Demo_SignUp_SignIn_SSPR’ custom policy is used instead of the default ‘SigninOrSignUp’ starter policy: -
https://github.com/azure-ad-b2c/samples/tree/master/policies/embedded-password-reset/policy
If you use the above specified custom policy, then ensure to include the below ‘Localization’ element in the ‘TrustedFrameworkExtensions.xml’ file such that supported languages are made available in the custom policy accordingly: -
<Localization Enabled="true">
<SupportedLanguages DefaultLanguage="en" MergeBehavior="ReplaceAll">
<SupportedLanguage>en</SupportedLanguage>
<SupportedLanguage>es</SupportedLanguage>
</SupportedLanguages>
</Localization>
• Once, the above localization code is made available in the ‘TrustedFrameworkExtensions.xml’ file, ensure that the below option in the image occurs for you to translate the ‘Reset Password’ to be able to display as shown below such that when selected, the respective language is available for display and resetting the password.
To know more about this, please refer the below link for more details: -
AD B2C - ui_locales not propagated from SignIn to PasswordReset
Hi I am trying to validate the users password with onprem-api.
Below is my trusted-framework base policy code.
The famework file will be avilable from the following Github link.
https://github.com/azure-ad-b2c/user-migration/issues/30
I am getting below error while executing the above policy
"Unable to validate the information provided."
Can you please help me what i am missing here.
Thanks,
Shiva
Please check below points:
Unable to validate the information provided
This issue may occur if we put the wrong IDs or values in the extensions policy for the Identity Experience Framework and Proxy Identity Experience Frame work applications or if the extension property itself not registered successfully.
Please check if custom attribute for the B2C or extension attribute is properly registered ,So that that property is used in technical profile to be validated. Define custom attributes in Azure Active Directory B2C | Microsoft Docs
Please make sure the metadata details are all correct.To enable custom attributes in your policy,we need to provide Application ID and Application Object ID before using extension property in the AAD-Common technical profile metadata. modify-your-custom-policy as such.
<Metadata>
<Item Key="ApplicationObjectId"> objectId here</Item>
<Item Key="ClientId"> appId here</Item>
</Metadata>
Also please check if,datatype of custom attribute mentioned is correct and the received claim matches the data type .See b2c-custom-policy-starterpack/issues
References:
c# -"Unable to validate the information provided"DNA integration - Stack Overflow
azure ad B2C force password reset. Unable to validate the information provided · Issue GitHub
I have a trust framework SignUpOrSignIn custom policy user flow which sets 3 extension attributes for an app.
I can see these 3 claims and their default values in the token.
However, when I GET the user via MS Graph API (https://graph.microsoft.com/beta/{tenantId}/users/{userId}), I do not see these extension attributes.
Once I PATCH the user, I can then see the value via the GET to the {userId} segment as expected.
PATCH
{
"extension_{appId}_subscription_expiry":"2020-04-10"
}
Why are any extension attributes not returned until they've been subsequently PATCHed?
Although you have set default values for the 3 extension attributes in your custom policy, you can only see them in the token after your sign-up at that time. But you didn't store them into Azure AD.
I guess that you just add such a code <OutputClaim ClaimTypeReferenceId="extension_subscription_expiry" AlwaysUseDefaultValue="true" DefaultValue="xxx" /> in your SignUpOrSignIn.xml file.
But if you want to store the values into Azure AD, you should write the custom claim to the user profile by using AAD-UserWriteUsingLogonEmail TechnicalProfile. See Read and write a claim.
You should finish all the steps listed in this document: Add claims and customize user input using custom policies in Azure Active Directory B2C
I'm trying to make a POST request to Azure AD GraphAPI to create a user in my AD B2C tenant, but I'm getting the following error
"Error Calling the Graph API:
{
"odata.error": {"code": "Request_DataContractVersionMissing",
"message": {"lang": "en",
"value": "The specified api-version is invalid. The value must exactly match a supported version"}
}
I do send the version, and based on the docs it is supported.
Version 1.6
This section lists the changes for Graph API version 1.6.
Graph API version 1.6 introduces the following feature changes:
Added support for Azure Active Directory B2C local account users. This involves new properties on the User entity and a new complex type
SignInName to support local account sign-in to Azure Active Directory
B2C tenants. For more information about Azure Active Directory B2C,
see the Azure Active Directory B2C documentation.
[Edit]
submitted json
{"accountEnabled":true,"signInNames":[{"type":"userName","value":"ausername"}],"creationType":"LocalAccount","displayName":"A display name","passwordProfile":{"password":"a password","forceChangePasswordNextLogin":true},"passwordPolicies":"policies","country":"MX","givenName":"Fstname","surename":"Lstname","department":"Dpt","jobTitle":"Title","mail":"mail#server.com","otherMails":[],"preferredLanguage":"es-MX"}
Any clue on why I'm getting the error?
There is something wrong with the api-version query parameter: Request_DataContractVersionMissing
Data contract version parameter is missing. Include api-version as a query parameter with all your requests.
Doesn't Work
https://graph.windows.net/ebenefitsdev.onmicrosoft.com/users?api‐version=1.6
I get Request_DataContractVersionMissing error when submitting that.
Does Work
https://graph.windows.net/ebenefitsdev.onmicrosoft.com/users?api-version=1.6
The difference is the hyphen char. One is the 'normal' one I typed on my keyboard. The other is from here.
I suspect it is a copy paste problem (I've experienced these in the past).
I see one problem: signInNames not signInName
Documentation for user entity
For future readers, I ran into this issue with 2.0 of graph.windows.net, but it was not the hyphen. It seems this error is also shown if the client ID you used to get a resource token for graph.windows.net is not correct.
I have configured Azure AD B2C with custom policies but I am unable to authenticate with a new user created in the Azure portal. The user has a temporary password. Azure AD B2C returns the error text Invalid username or password, even though the username and password is correct.
I have confirmed that it is possible to login with the new user and temporary password in Azure AD B2C using non custom policies. After logging in, the user gets prompted to change their password.
The problem can be reproduced using the custom policies described in this guide:
Get started with custom policies.
Additional information:
I have configured the b2crecorder https://b2crecorder.azurewebsites.net/stream?id=<guid> in the UserJourneyRecorderEndpoint. Which gives access to more information through https://b2crecorder.azurewebsites.net/trace_102.html?id=<guid>
The problem result in the following logging:
SelfAssertedMessageValidationHandler
The message was received from null
Validation via SelfAssertedAttributeProvider
Additional validation is required...
OperativeTechnicalProfile is login-NonInteractive
Mapping 'username' partner claim type to 'signInName' policy claim type
Mapping default value 'undefined' to policy 'grant_type'
Mapping default value 'undefined' to policy 'scope'
Mapping default value 'undefined' to policy 'nca'
Mapping default value 'undefined' to policy 'client_id'
Mapping default value 'undefined' to policy 'resource_id'
Using validation endpoint at: https://login.microsoftonline.com/xxxx.onmicrosoft.com/oauth2/token
Orchestration Step: 1
RA: 0
Protocol selected by the caller: OAUTH2
Communications with the caller handled by: OAuth2ProtocolProvider
IC: True
OAuth2 Message: MSG(d56987e9-be2e-46fc-a7a4-23e317f8f174) Message Detail
ValidationRequest:
ValidationResponse:
Exception:
Exception of type 'Web.TPEngine.Providers.BadArgumentRetryNeededException' was thrown.
The most common reason for this that Grant Permissions has not been executed.
On the "ProxyIdentityExperienceFramework application" -> after selecting the checkbox for Access IdentityExperienceFramework -> clicking on Select and hitting Done, you must also complete the next step:
Select Grant Permissions, and then confirm by selecting Yes.
Edit:
Sorry, after reading your situation carefully, both a "sign-up or sign-in policy" or "custom policy" do not support the Azure Active Directory forceChangePasswordNextLogin flag. (forceChangePasswordNextLogin will only work with a "sign-up policy") There is a feature request tracking this here.
Since this is the first SO article that pops up on this question, I'll add that another possibility to check when hitting this problem is, make sure the Proxy app type is Native, not Web.