Azure B2C: Getting List of Built-in Claims for Custom Policies - azure

While the Azure Starter Pack for B2C is helpful for getting started with creating custom policies, is there an actual list of built-in claims that one can reference? There are several claims that are referred to in several of the files, though I have no clue about their purpose or why they're needed (for example upnUserName, nca, resource_id, etc.).
I did find some pages, such as the Graph API reference or Customize Claims, though I'm not sure if these are the go-to pages for getting all built-in claims.

You can find a list of all such claims in two places:
User profile attributes documentation - https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-profile-attributes#azure-ad-user-resource-type
User attributes blade in the Azure Portal. The built-in user attributes are almost the same for user flows and custom policies.

Related

Azure AD ClaimsMappingPolicy Claims Conditions

I'm trying to use the Microsoft Graph API to create a custom claims mapping policy that will emit claims based on conditions (similar to what can be done via the portal like this). I've seen the documentation on how to create claims mapping policies via the Graph API, but cannot find info on how to set conditions.
Is what I'm trying to do even possible via the Graph API?
Through the Graph API, you can use claims-mapping policies to:
Select which claims are included in tokens
Create claim types that do not already exist
Choose or change the source of data emitted in specific claims
Please see the docs for more info - https://learn.microsoft.com/en-us/graph/api/resources/claimsmappingpolicy?view=graph-rest-1.0
But you can achieve the same by customizing claims through the PowerShell command - https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping
Hope this helps,
thanks

Dynamically show Identity providers using Azure B2C custom policy

I would like to show identity providers dynamically based on the tenant [i.e. OIDC domain_hint] during the Azure B2C sign-in user journey. I have referred to several examples of custom policies, however I am unable to find a way to display/hide an IdP based on tenant. I was able to use this good example to do home realm discovery in a custom policy using an Azure Function, but it doesn't show the list of IdPs applicable for the tenant/domain. Other SO questions that came close to this but didn't answer it are 1, 2. Even if I serve a custom HTML file from blob storage, how do I show only certain identity providers and hide some based on the tenant/domain_hint?
Depending on the number of domain/tenant permutations, you could put that logic on the application side to execute different PolicyIDs. This assumes the number is low, so it would be a PolicyID : IdPs mapping.
This is a bad solution if you have a HIGH volume of hints.
Alternatively, you could perform an API call via JavaScript to delegate populating the list of identity providers. Then it would execute another self-asserted page that would trigger that specific identity provider. The flow would look like:
App (passes domain hint) --> B2C login page (JavaScript REST API on the page requests the list of IdPs based on the previous domain hint) --> 2nd self-asserted page (value passed from the first page to initiate the correct IdP) --> IdP pages load.
You can adjust the logic in different ways to meet your needs.
You could store the tenant in a claim using claim resolvers, then have an orchestration step for each possible combination of IdPs you want and use preconditions on those steps to only execute them depending on the tenant. Hopefully that works.
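An added example of the approach in the last answer, written for this page and not taken from any of the answers above: a claim resolver copies the request's domain_hint into a claim, and preconditions skip the identity-provider selection steps that do not apply to that domain. The {OIDC:DomainHint} claim resolver, the ClaimsTransformation protocol handler, the api.idpselections content definition and the JwtIssuer profile are documented B2C/starter-pack names; the claim type domainHint, the journey ID and the technical profile IDs Contoso-AAD-OpenIdConnect, Fabrikam-SAML-Login and Google-OAuth are placeholders you would replace with your own.

```xml
<!-- Added example, not part of the original answers. Fragments for TrustFrameworkExtensions.xml. -->
<BuildingBlocks>
  <ClaimsSchema>
    <!-- Placeholder claim that holds the domain_hint query parameter of the request -->
    <ClaimType Id="domainHint">
      <DisplayName>Domain hint</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>

<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Request claim resolvers</DisplayName>
    <TechnicalProfiles>
      <!-- Non-interactive profile: resolves {OIDC:DomainHint} into the claims bag -->
      <TechnicalProfile Id="Read-DomainHint">
        <DisplayName>Read domain_hint from the request</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="domainHint" DefaultValue="{OIDC:DomainHint}" AlwaysUseDefaultValue="true" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="domainHint" />
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>

<UserJourneys>
  <!-- Reference this journey from the relying-party file: <DefaultUserJourney ReferenceId="SignInByDomainHint" /> -->
  <UserJourney Id="SignInByDomainHint">
    <OrchestrationSteps>
      <OrchestrationStep Order="1" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="ReadDomainHintExchange" TechnicalProfileReferenceId="Read-DomainHint" />
        </ClaimsExchanges>
      </OrchestrationStep>

      <!-- domain_hint=contoso.com: offer only the Contoso Azure AD provider.
           ClaimEquals holds only when the claim exists AND matches, so a missing or
           different domain_hint skips both steps of this pair (ExecuteActionsIf="false"). -->
      <OrchestrationStep Order="2" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections">
        <Preconditions>
          <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
            <Value>domainHint</Value>
            <Value>contoso.com</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsProviderSelections>
          <ClaimsProviderSelection TargetClaimsExchangeId="ContosoAADExchange" />
        </ClaimsProviderSelections>
      </OrchestrationStep>
      <OrchestrationStep Order="3" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
            <Value>domainHint</Value>
            <Value>contoso.com</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="ContosoAADExchange" TechnicalProfileReferenceId="Contoso-AAD-OpenIdConnect" />
        </ClaimsExchanges>
      </OrchestrationStep>

      <!-- Everyone else (no hint or an unknown one): the general provider list.
           Skipped when domain_hint named a tenant handled above (ExecuteActionsIf="true"). -->
      <OrchestrationStep Order="4" Type="ClaimsProviderSelection" ContentDefinitionReferenceId="api.idpselections">
        <Preconditions>
          <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
            <Value>domainHint</Value>
            <Value>contoso.com</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsProviderSelections>
          <ClaimsProviderSelection TargetClaimsExchangeId="FabrikamSAMLExchange" />
          <ClaimsProviderSelection TargetClaimsExchangeId="GoogleExchange" />
        </ClaimsProviderSelections>
      </OrchestrationStep>
      <OrchestrationStep Order="5" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
            <Value>domainHint</Value>
            <Value>contoso.com</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="FabrikamSAMLExchange" TechnicalProfileReferenceId="Fabrikam-SAML-Login" />
          <ClaimsExchange Id="GoogleExchange" TechnicalProfileReferenceId="Google-OAuth" />
        </ClaimsExchanges>
      </OrchestrationStep>

      <!-- The starter pack's directory read/write steps for federated accounts go here, then: -->
      <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
    </OrchestrationSteps>
    <ClientDefinition ReferenceId="DefaultWeb" />
  </UserJourney>
</UserJourneys>
```

Each additional tenant adds one ClaimsProviderSelection/ClaimsExchange pair with its own ClaimEquals precondition, and a matching skip precondition on the catch-all pair. Because the domain_hint comes straight from the client's authorization request, treat it as untrusted input that only narrows the menu of providers; it must not be used to grant anything that the selected provider does not itself assert.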

Are nested groups supported?

Are nested groups supported in Azure B2C?
This page suggests there is some support, because it links to https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-limitations#restriction-on-nested-groups
If there are restrictions on them then I assume they are at least partially supported. Unfortunately that page no longer exists.
I couldn't find any information in MSFT docs about the status of this feature.
I've tried their User Voice, but the only thing I found is an entry about plain "Azure AD" (I thought that was supported already, but it appears it's not if there is an open request about it).
FWIW I cannot add a nested group in the way that's suggested by MSFT documentation. I don't see that option in the UI, though it lists "0 groups" as members.
Trying to add a group to another group via Graph API results in
{"error":{"code":"Request_BadRequest","message":"An invalid operation was included in the following modified references: 'members'.","innerError":{"date":"2022-04-20T15:32:34","request-id":"7d183819-019a-4f23-b31f-1765dcd7d44a","client-request-id":"7d183819-019a-4f23-b31f-1765dcd7d44a"}}}
Azure AD has some support for nested groups.
B2C has no groups support. Typically, you assign the groups in Azure AD and then access them from B2C via Graph via REST API.
After wrangling with MSFT support I got an answer that nested groups are not supported in B2C enabled tenants.
This can be done in Azure AD and not on the B2C AD. Adding a group as a member of another group in Azure AD B2C is not supported.

Azure B2C custom attribute/claim added to existing user directory throws error on sign in

I have a custom policy which adds a custom value, HoldingId, to new users who sign up (using these docs) as the value is passed to the policy via the token (along with verified_email).
I was hoping to not need to create a custom policy for sign in, so used the Azure Portal UI to create the custom attribute against the b2c-extensions-app application (and am using the respective client and object ids to line it up with the custom policy), and using the Portal have added this custom attribute to the sign up/sign in policy claims.
Using the Graph API, I have been able to successfully confirm that the custom value is saving against newly signed up users (returning as extension_[AppId]_HoldingId), and these new users are able to sign in subsequently without issue using the built in sign in/sign up policy.
However, any users which already existed in the directory are no longer able to sign in. Unfortunately, because it's a built-in policy, I'm not sure of a way to dig into the logs à la App Insights to see what's going on.
My suspicion is that because these existing users don't have this custom attribute against them, the built-in sign up/sign in policy is attempting to get this value and failing.
Is it possible to get the built-in policies to ignore this attribute on users who don't have this attribute set, or will I need to create a custom policy to handle this scenario with a default value?
For context, the HoldingId is not required for existing users (application needs to be backwards compatible). This is also my first venture into B2C, so I'm still learning many of these concepts.

Where can I find a list of all supported B2C custom policy Claim Transformation Methods?

Where can I find a list of all supported Azure AD B2C Custom Policy Claims Transformation Methods?
I have searched Google, Bing, DuckDuckGo and GitHub for such list, but can't find it.
And TrustFrameworkPolicy_0.3.0.0.xsd schema doesn't contain it.
https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Documentation/Features%20part%206.md does have an outdated list; some methods like AddParameterToStringCollection can't be used - the policy can't be imported when I use it.
No such list exists at this time. You should request it via the Azure AD B2C feedback forum.
Your best bet is to go through all the starter packs and see which transformations are included in those. While there might be others, if they are not referenced in the starter packs or docs, they are unsupported and not recommended for broad use.
Update!
We have released a full documentation of the schema here:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/claimstransformations
All elements of custom policies for B2C, also known as the Identity Experience Framework or IEF, are published.
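An added example, written for this page and not taken from the answers above, of what one entry in that claims-transformations reference looks like in use: a transformation is declared once under BuildingBlocks with a documented method, then invoked by ID from a technical profile's OutputClaimsTransformations. FormatStringClaim, its inputClaim/stringFormat/outputClaim names and the {0} placeholder are as documented; signInName, userPrincipalName and SelfAsserted-LocalAccountSignin-Email come from the starter pack; the transformation ID and the contoso.onmicrosoft.com suffix are placeholders.

```xml
<!-- Added example, not part of the original answers. Fragments for TrustFrameworkExtensions.xml. -->
<BuildingBlocks>
  <ClaimsTransformations>
    <!-- Documented method FormatStringClaim: inputClaim replaces {0} in stringFormat -->
    <ClaimsTransformation Id="CreateContosoUpn" TransformationMethod="FormatStringClaim">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" TransformationClaimType="inputClaim" />
      </InputClaims>
      <InputParameters>
        <!-- Placeholder domain suffix -->
        <InputParameter Id="stringFormat" DataType="string" Value="{0}@contoso.onmicrosoft.com" />
      </InputParameters>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" TransformationClaimType="outputClaim" />
      </OutputClaims>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>

<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Local Account</DisplayName>
    <TechnicalProfiles>
      <!-- Overrides the starter-pack profile: the transformation runs after the user submits the page -->
      <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
        </OutputClaims>
        <OutputClaimsTransformations>
          <OutputClaimsTransformation ReferenceId="CreateContosoUpn" />
        </OutputClaimsTransformations>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

Only method names that appear in the published reference pass policy upload validation; a transformation using an undocumented method is rejected at import, which is the behaviour the question describes for AddParameterToStringCollection.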
