Generate Display Name with Azure function and API connector Azure B2C - azure

I'm using the Azure B2C sign-up policy (built-in policy) in my application. I am getting the first name and last name from the user during sign-up. Since I am not taking the display name, it is getting saved as unknown.
I am thinking of creating an Azure function that will update the display name as firstname_lastname and link it to the user flow as an API connector. Can you please let me know if you have tried the same? It will be great if I can get a sample Azure function code for the same.

You can definitely do this in a custom policy.
However, for the API connector, the docs say that the claim returned "overrides any value that has already been provided by a user in the attribute collection page". You haven't provided "displayName" so this may not be possible.
There are some function quick starts here.
In your case, the claim names in the API are:
"displayName" = "givenName" + " " + "surname"
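As an added example (not code from the answer above or from any Microsoft sample), here is the core of an HTTP-triggered Azure Function acting as the API connector: it checks the connector's HTTP basic-auth credentials, derives displayName from givenName and surname exactly as the answer spells out, and returns the connector's Continue or ValidationError response. The credentials, the sample claims and the separator parameter are constructed assumptions, and whether B2C applies the returned displayName is still subject to the override caveat the answer raises.

```python
import base64
import hmac
import json

# Constructed credentials for the connector's HTTP basic authentication; the real
# values would come from the Function's application settings (assumed setup).
CONNECTOR_USER = "b2c-connector"
CONNECTOR_PASSWORD = "example-secret-change-me"

def encode_basic(user, password):
    """Build an HTTP basic Authorization header value (used to construct a test request)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_basic_auth(auth_header):
    """Constant-time check of the basic credentials Azure AD B2C sends with each call."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        presented = base64.b64decode(auth_header[6:], validate=True)
    except ValueError:
        return False
    expected = f"{CONNECTOR_USER}:{CONNECTOR_PASSWORD}".encode()
    return hmac.compare_digest(presented, expected)

def build_response(body, separator=" "):
    """Derive displayName = givenName + separator + surname for the connector response."""
    given = (body.get("givenName") or "").strip()
    surname = (body.get("surname") or "").strip()
    if not given or not surname:
        # A missing name part blocks the sign-up with a message shown to the user.
        return 400, {"version": "1.0.0", "action": "ValidationError", "status": 400,
                     "userMessage": "Please provide both a first name and a last name."}
    return 200, {"version": "1.0.0", "action": "Continue",
                 "displayName": f"{given}{separator}{surname}"}

def handle_request(headers, raw_body):
    """What the HTTP-triggered Function does per call: authenticate, parse, respond."""
    if not check_basic_auth(headers.get("Authorization")):
        return 401, {"error": "unauthorized"}
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, {"error": "malformed JSON"}
    return build_response(body)

# Constructed sample of the claims B2C posts to the connector during sign-up.
SAMPLE_HEADERS = {"Authorization": encode_basic(CONNECTOR_USER, CONNECTOR_PASSWORD)}
SAMPLE_BODY = json.dumps({"email": "ada@example.com", "givenName": "Ada", "surname": "Lovelace"})
```

In the Function itself, `handle_request` is called with the trigger's headers and body and its tuple becomes the HTTP status and JSON payload; pass `separator="_"` to get the firstname_lastname form the question asks for.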

Related

Add-AzADAppPermission Where to put what Guids? "Resource does not exist or one of its queried reference-property objects are not present."

Within Azure, we set up our OAuth 2.0 credentials in AAD with three separate App Registrations.
I will be referring to these below.
1: Client: this is the main registration.
2: Read: This one holds the AppRole 'Read'
3: Write: This one holds the AppRole 'Write'
Here are some pictures to clarify:
3 Registrations
AppRole inside Read:
I am trying to automate adding these last two as API permissions to the first one with PowerShell.
I have found this command:
Add-AzADAppPermission and took a good look at the documentation here: https://learn.microsoft.com/en-us/powershell/module/az.resources/add-azadapppermission?view=azps-9.3.0
However, either I am missing something, or maybe this cannot be done with custom app registrations?
I keep getting the message
"Resource does not exist or one of its queried reference-property objects are not present."
I have checked that I am on the correct Tenant, and I have sufficient rights.
There are four parameters to consider, some more clear to me than others.
APIid: Which I assume, based on the documentation, should be Client.AppId
ApplicationId: Could be ObjectId / ApplicationId from Read, but perhaps it's from its corresponding ServicePrincipal (External Application)? The documentation is not very clear on this one.
ObjectId: Can replace ApplicationId, but I have the exact same question. The documentation does not specify anything other than "The unique identifier in Azure AD."
PermissionId: The documentation says but in the examples they use Guids. I have seen other examples with Strings like "User.Read", so I figure this could be my DisplayName from the appRole inside my Read / Write AppRegistrations.
I've looked for other examples beside the documentation, but so far I've found only examples regarding Built-in appRoles in MsGraph.
The fact that the message is twofold (either it is not there OR something is missing) does not help either.
Bottom line is, I can't figure out which Guid goes where.
I have tried numerous combinations of parameters and AAD GUIDs, be it ObjectIds and AppIds from both App Registrations and their respective Service Principals.
I tried to reproduce the same in my environment and got the same error as below: 
 
Note that: By using Add-AzADAppPermission, one can add the API permissions to the Application, but it is not possible to add custom roles as API permissions.
Add-AzADAppPermission -ObjectId ObjectID -ApiId APIIdofthepermissions -PermissionId GUIDofAPIPermission
I am trying to add Group.Read.All Microsoft Graph API permission like below:
 
Add-AzADAppPermission -ObjectId ObjectID -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId 5f8c59db-677d-491f-a6b8-5f174b11ec1d
  

How to protect Azure Function Endpoints with custom roles and permission?

I need a starting point to solve the following problem:
Assume there is a model with different entities (e.g. school classes) and different roles that are connected to entities.
Now I want to check in my Azure Function if Bob has a role on this entity which entitles him to rate a student from the school class.
I think of a claim of the form:
TEACHER : [
"class 2b"
]
before.
Which Azure Resources do I need to map such a thing?
I already use Azure AD for the ID token and my API is implemented in an Azure Function.
I would like to call Azure AD to get an access token which contains those roles and resources of my domain.
I'm afraid that this form is not supported by Azure AD.
The supported form should be "{claim name}": "{claim value}".
If you accept this form, you can refer to my previous answer.
What you need to modify is:
When you create the extensionProperty, you should name the extensionProperty as "TEACHER".
Post https://graph.microsoft.com/v1.0/applications/{object id of the Azure AD application}/extensionProperties
{"name":"TEACHER","dataType":"string","targetObjects":["User"]}
And update the extension property for your account:
Patch https://graph.microsoft.com/v1.0/me
{"extension_6d8190fbf1fe4bc38a5a145520221989_TEACHER":"class 2b"}
Then you can get the custom claim as "TEACHER": "class 2b".

How can I set up my Azure account in order to make ARM deployments via the REST API?

I have an Azure account and I want to make deployments of ARM templates using the ASP.NET libraries. I've noticed that in the Azure Portal generated Deployment class (in the DeploymentHelper.cs file that I've downloaded from the Portal) I have the following fields that I need to fill with my own data:
string subscriptionId = "your-subscription-id";
string clientId = "your-service-principal-clientId";
string clientSecret = "your-service-principal-client-secret";
string resourceGroupName = "resource-group-name";
string deploymentName = "deployment-name";
string resourceGroupLocation = "resource-group-location";
string pathToTemplateFile = "path-to-template.json-on-disk";
string pathToParameterFile = "path-to-parameters.json-on-disk";
string tenantId = "tenant-id";
I'm having a hard time with these:
string clientId = "your-service-principal-clientId";
string clientSecret = "your-service-principal-client-secret";
I know that the subscriptionId I can get in the Subscriptions blade. I also know that the tenantId I can get in the Azure Active Directory > Properties blade under the Directory ID field.
I have followed this documentation page in order to try and set up an App Registration on Azure Active Directory, which I've read is what I need to obtain the clientId and clientSecret values. I think it's worth mentioning I have no experience whatsoever with Active Directory or Azure Active Directory.
When following the docs my first issue is with this blade:
I don't know what I should put in the "Sign-on URL" field. I've tried filling it with my personal website just because it's required (probably my first mistake). Then with the Registered App I go in "Application ID" and use the value as clientId within my code.
I then generate the key in the "Settings" blade and use it as the clientSecret within my code.
However when I run my code I get the following error:
Exception thrown: 'Microsoft.Rest.Azure.CloudException' in System.Private.CoreLib.dll
An exception of type
'Microsoft.Rest.Azure.CloudException' occurred in System.Private.CoreLib.dll but was not handled in user code
Operation returned an invalid status code 'Forbidden'
I wouldn't want to do any fancy Azure AD setup in order to make deployments via Azure. I'm trying this on my personal account, so it's not like I have an AD environment set up.
I don't know what I should put in the "Sign-on URL" field. I've tried filling it with my personal website just because it's required (probably my first mistake).
If you develop a web application, you could use the web application's address as the sign-on URL. In your case you could add any valid URL address, and you could add your personal website.
Operation returned an invalid status code 'Forbidden'
It means that you have no access to deploy the resource to the subscription.
You need to assign a role to the web application. For more information, refer to how to register an Azure AD application and assign a role.

Error Calling the Graph API: Request_DataContractVersionMissing

I'm trying to make a POST request to Azure AD GraphAPI to create a user in my AD B2C tenant, but I'm getting the following error
Error Calling the Graph API:
{
  "odata.error": {
    "code": "Request_DataContractVersionMissing",
    "message": {
      "lang": "en",
      "value": "The specified api-version is invalid. The value must exactly match a supported version"
    }
  }
}
I do send the version, and based on the docs it is supported.
Version 1.6
This section lists the changes for Graph API version 1.6.
Graph API version 1.6 introduces the following feature changes:
Added support for Azure Active Directory B2C local account users. This involves new properties on the User entity and a new complex type
SignInName to support local account sign-in to Azure Active Directory
B2C tenants. For more information about Azure Active Directory B2C,
see the Azure Active Directory B2C documentation.
[Edit]
submitted json
{
  "accountEnabled": true,
  "signInNames": [{"type": "userName", "value": "ausername"}],
  "creationType": "LocalAccount",
  "displayName": "A display name",
  "passwordProfile": {"password": "a password", "forceChangePasswordNextLogin": true},
  "passwordPolicies": "policies",
  "country": "MX",
  "givenName": "Fstname",
  "surename": "Lstname",
  "department": "Dpt",
  "jobTitle": "Title",
  "mail": "mail#server.com",
  "otherMails": [],
  "preferredLanguage": "es-MX"
}
Any clue on why I'm getting the error?
There is something wrong with the api-version query parameter: Request_DataContractVersionMissing
Data contract version parameter is missing. Include api-version as a query parameter with all your requests.
Doesn't Work
https://graph.windows.net/ebenefitsdev.onmicrosoft.com/users?api‐version=1.6
I get Request_DataContractVersionMissing error when submitting that.
Does Work
https://graph.windows.net/ebenefitsdev.onmicrosoft.com/users?api-version=1.6
The difference is the hyphen char. One is the 'normal' one I typed on my keyboard. The other is from here.
I suspect it is a copy paste problem (I've experienced these in the past).
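Added example, not code from the answer above: a pre-flight check for the request URL that flags the look-alike hyphen (U+2010) described in this answer before the call reaches Graph, normalizes it to ASCII, and confirms an api-version value is actually present and supported. The tenant domain in the sample URLs is constructed.

```python
import unicodedata
from urllib.parse import parse_qsl, urlsplit

# Punctuation that renders like ASCII but is a different code point. U+2010 HYPHEN
# is the character that turned "api-version" into an unrecognised parameter above.
LOOKALIKES = {
    "\u2010": "-",  # HYPHEN
    "\u2011": "-",  # NON-BREAKING HYPHEN
    "\u2013": "-",  # EN DASH
    "\u2014": "-",  # EM DASH
    "\u2212": "-",  # MINUS SIGN
    "\u00a0": " ",  # NO-BREAK SPACE
}

def find_non_ascii(url):
    """List (offset, char, Unicode name) for every non-ASCII character in the URL."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(url) if ord(ch) > 127]

def normalize_url(url):
    """Replace known lookalike punctuation with its ASCII equivalent."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in url)

def check_api_version(url, supported=("1.6",)):
    """Return (ok, message): is there an ASCII api-version parameter with a supported value?"""
    problems = find_non_ascii(url)
    if problems:
        offset, ch, name = problems[0]
        return False, f"non-ASCII character {name} (U+{ord(ch):04X}) at offset {offset}"
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    version = params.get("api-version")
    if version is None:
        return False, "api-version query parameter is missing"
    if version not in supported:
        return False, f"unsupported api-version {version!r}"
    return True, f"api-version {version} accepted"

# Constructed URLs for a fictional tenant: the first carries U+2010, the second ASCII '-'.
BAD_URL = "https://graph.windows.net/contoso.onmicrosoft.com/users?api\u2010version=1.6"
GOOD_URL = "https://graph.windows.net/contoso.onmicrosoft.com/users?api-version=1.6"
```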
I see one problem: signInNames not signInName
Documentation for user entity
For future readers, I ran into this issue with 2.0 of graph.windows.net, but it was not the hyphen. It seems this error is also shown if the client ID you used to get a resource token for graph.windows.net is not correct.

Is there an API to get the tenant ID for a given name?

If I have a tenant name such as "contoso.onmicrosoft.com", can I get the tenantID using an API call?
I have already checked the API for Microsoft.Azure.Management.ResourceGroup
You can simply call https://login.microsoftonline.com/tenantDomain/.well-known/openid-configuration and get the tenant id from there. Just parse the JSON it returns and get the tenant id from it - for example from issuer.
Full info can be found here.
The call doesn't have to be authenticated so it is very simple to call.
You can get the name of the tenant you are logged into by calling
https://management.azure.com/tenants?$skiptoken={skiptoken}&api-version={api-version}
see here for details
This will give you a list of all tenants that you authorized for.
This is actually listed under 'Tenants' rather than resource groups.
The easiest way to get the tenant ID is to find it in the Azure portal. Please click -> APPLICATION -> VIEW ENDPOINT, like the following screenshot:
If you want to use C# to get the tenant ID from the name, please try to get the JWT token first (sign in with a user from "contoso.onmicrosoft.com"). The JWT token will contain "tid", which means tenant ID. Refer to this article for more details.
Then we can use the following code to get the tenant id:
using System.IdentityModel.Tokens.Jwt;
using System.Linq;

// Parse the compact JWT and read the tid claim (null if the claim is absent)
var token = new JwtSecurityToken(jwtToken);
var tid = token.Claims.FirstOrDefault(m => m.Type == "tid")?.Value;
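Added example (not the answers' own code) covering both approaches in this thread: extracting the tenant id from the issuer of the openid-configuration document, and reading the tid claim from a token payload. The discovery document and the token are constructed samples, and the JWT is decoded, not validated, so the value is informational until the signature has been checked.

```python
import base64
import json
import re

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

def openid_config_url(tenant_domain):
    """The unauthenticated discovery document for a tenant domain, as in the answer above."""
    return f"https://login.microsoftonline.com/{tenant_domain}/.well-known/openid-configuration"

def tenant_id_from_openid_config(doc):
    """Pull the tenant id out of the issuer, e.g. https://sts.windows.net/{tenantId}/ ."""
    cfg = json.loads(doc) if isinstance(doc, str) else doc
    issuer = cfg.get("issuer", "")
    match = re.search(r"/([0-9a-f-]{36})/", issuer)
    if not match or not GUID_RE.match(match.group(1)):
        raise ValueError(f"issuer does not carry a tenant id: {issuer!r}")
    return match.group(1)

def tenant_id_from_jwt(token):
    """Read the 'tid' claim from a compact JWT. This decodes without verifying the
    signature, so treat the value as informational until the token has been validated."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    tid = claims.get("tid", "")
    if not isinstance(tid, str) or not GUID_RE.match(tid):
        raise ValueError("tid claim missing or malformed")
    return tid

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_test_jwt(claims):
    """Constructed stand-in for an Azure AD token; the signature segment is a placeholder."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{_b64url(b'placeholder')}"

# Constructed sample: the shape of the discovery document for a fictional tenant.
FAKE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_CONFIG = json.dumps({"issuer": f"https://sts.windows.net/{FAKE_TENANT}/",
                            "token_endpoint": f"https://login.microsoftonline.com/{FAKE_TENANT}/oauth2/token"})
```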
