I am creating users using the Azure Graph API (using Microsoft.Graph;), and I am seeing issues when I try to add local account users. I want to be able to create an account where the user can log in with a username, such as "jimmy" and not have to specify a domain. I am able to do this with the Azure Portal, but not with Graph API.
When I add users through Graph API, the issue is with the userPrincipalName. I must include a userPrincipalName, and userPrincipalName must include a domain. Conversely, when I create a user account with Azure Portal, I do not specify a userPrincipalName, and the userPrincipalName is created automatically with the format being objectid#mydomain.onmicrosoft.com.
In summary, I want to be able to use the graph API to create a user who can log in as "Jimmy" as I can with the Azure Portal, but I am only able to create a user who can log in as jimmy#mydomain.onmicrosoft.com.
You could generate a GUID and set the UPN to "guid#domain.onmicrosoft.com"? If that's what the portal does, shouldn't it be fine for your app too? If you specify an identity for the user with the username type, they should be able to log in with that.
So you can set the user's identities to something like:
{
"identities": [{
"signInType": "userName",
"issuer": "mydomain.onmicrosoft.com",
"issuerAssignedId": "jimmy"
}]
}
And the UPN can be the generated one with the GUID.
Reference: https://learn.microsoft.com/en-us/graph/api/resources/objectidentity?view=graph-rest-1.0
Related
We are allowing External Azure AD users to signup and login to our application via a custom policy. This creates a shell user in our azure ad org and we use the user's email address under user profile, not the user's UPN from the external AD. If the user's email address is different from their UPN, the shell user in our adb2c org will have the email address as the UPN. We customized the custom policy to return the user attributes from the external AD together with the user attributes from the shell user in adb2c. Our application will detect if there is a change in the name or email address and will update adb2c shell user via Microsoft Graph.
When the user's email address changes, I want to update the shell user in our adb2c org. Since the email address is used as the UPN, how can I update my federated users userPrincipalName in our adb2c shell user via Graph API?
var identities = graphUser.Identities.Select(o => new ObjectIdentity
{
SignInType = o.SignInType,
Issuer = o.Issuer,
IssuerAssignedId = o.IssuerAssignedId,
ODataType = o.ODataType,
AdditionalData = o.AdditionalData
}).ToList();
var federatedIdentity = identities.FirstOrDefault(i => i.SignInType == "federated");
Both of these wont work:
federatedIdentity.IssuerAssignedId = "mynameuser#federatedAAD.org";
or
var updatedUser = new User
{
//other user attributes here
UserPrincipalName = "mynameuser#federatedAAD.org";
};
await _graphServiceClient.Users[idpId]
.Request()
.UpdateAsync(updatedUser);
Thanks in advance!
• You can update the external user identity or shell user identity in Azure AD B2C using Microsoft graph API through the HTTP response interface by using the below commands: -
‘ PATCH https://graph.microsoft.com/v1.0/users/{object id}
{"userPrincipalName":"jdoe#abc.com"} ‘
Where instead of the “jdoe#abc.com”, enter the user principal name of the already created Azure AD B2C shell user or federated user that logs in to Azure AD B2C. Since, the user identity is already created when the user logs in for the first time to use the application created, it needs to update the existing user principal name only which can be done through the above command.
• Also, Microsoft Graph seems not to allow to set userPrincipalName when creating the user for Azure B2C. It will generate the userPrincipalName as {object id}#abc.com. And then you could update the userPrincipalName. Thus, your second command script to create or update the shell user’s UPN didn’t work. As well as ensure to add the federated domain as a verified domain in Azure AD B2C for the above command and options to succeed.
Please refer the below links for more information: -
Pre-Create Federated Users in Azure B2C Using Graph
https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http
I'm following the Microsoft tutorial Create a user (local or social account). So I'm trying to create a user from HTTP call, for this I'm sending a similar payload to the tutorial:
{
"accountEnabled": true,
"creationType": "LocalAccount",
"displayName": "Alex Wu",
"passwordProfile": {
"password": "Test1234",
"forceChangePasswordNextLogin": false
},
"signInNames": [
{
"type": "userName",
"value": "AlexW"
},
{
"type": "emailAddress",
"value": "alexw#gmail.com"
}
],
"userIdentities": [
{
"issuer": "google.com",
"issuerUserId": "MATxTNg5MzYyMzMyMNY1Njc="
}
]
}
My question is how I can generate the issuerUserId as it is necessary for the Google supplier to recognize the user. I'm trying with a random value encode with base64 but when I run the user flow the user it's created again with a duplicate email. I suppose Google don't recognize the issuerUserId.
Update:
Base on Allen Wu answer:
issuerUserId is a unique user identifier for the issuer. You can set any valid string (don't be duplicate) for it.
I create this issuerUserId with a valid string: 12345678909823456789
As before, I create successfully the user and the source show as Google:
But when I want to log in the account with Google provider
The user is duplicated:
I assume instead of launch Sign in process Azure/Google don't recognize the account's issuerUserId and launch the Sign-up process, for that reason that's why I think issuerUserId might be created by Google.
Some notes:
I'm changed the emails for demo emails, but that is the current
behavior.
I'm only using Google authentication, I don't using email and password fields of the login, because the purpose of the app is only for Social Authentication (Google specifically)
I'm using Sign up and sign in (Recommended) user type flow.
If you have more thoughts about issuerUserId that can help me, let me know, I'll really appreciate.
It's not true.
Based on my test, the user flow won't create a new user which has a duplicate email. (the previous user is created via AAD Graph)
issuerUserId is a unique user identifier for the issuer. You can set any valid string (don't be duplicate) for it.
And Google / Facebook or any other social idp won't verify it, because this user is created in B2C. It's an B2C local account. ("creationType": "LocalAccount")
Create an B2C local account doesn't mean this user has been created in Google.
I guess that you add Google idp into the user flow and are trying to create a new user in Google rather than B2C.
You should click on the "Sign up now" in user flow to create the local account. Kindly check it.
Update:
As I have mentioned above, the user you created with Azure AD graph is an B2C local account. You should use the default sign in feature to log into that user. B2C will verify your credential.
But when you click on the "Google" to sign in, in fact the Google will verify your credential and will associate your Google account to a new B2C account. It's not a local account.
So they are two different accounts. You can verify this by changing the password of the B2C local account. After changing the password, you still need to use the old password to sign in with the "Google" option. But you will need to use the new password to sign in with the first user (B2C local account).
You can use GET https://graph.windows.net/myorganization/users?api-version to get the two users and find that the issuerUserId of them are different.
I have developed an Azure Workbench Application that has an administrator who can create other users(by giving name and email id) and assign them roles.
The new users are created by using a REST API call here. https://votemaadi-4bm4ew-api.azurewebsites.net/swagger/ui/index.html#!/Users/UsersPost
and I assign it a role.
And later i would want the user to login with his credentials into the webapp and carry out his necessary tasks.
However, I am unable to figure out the login credentials for the new user that's created. The API (POST /api/v1/users) takes in only an email id but doesn't take in any password.
This is how i have added the new user
POST to https://votemaadi-4bm4ew-api.azurewebsites.net/api/v1/users
Body contents:
{
"externalID": "sample",
"firstName": "sample",
"lastName": "sample",
"emailAddress": "sample#kumarshobhit98outlook.onmicrosoft.com"
}
and i get a 200 response
I would want to know how would the new user login to a URL like this?
https://login.microsoftonline.com/kumarshobhit98outlook.onmicrosoft.com/oauth2/authorize?response_type=id_token%20code&client_id=c80344c2-d7fc-41e1-adcc-dd33683a7f6b&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fshobhit&state=c0756113-6172-47f2-8afc-666f315c15b1&client-request-id=0de0f9e0-a2f4-4853-9bd2-7326f1f409d1&x-client-SKU=Js&x-client-Ver=1.0.17&nonce=3f993c47-3042-4669-bdce-02024f6c802f&response_mode=form_post
Blockchain Workbench users need to exist in the Azure AD tenant before you can assign them to applications and roles. To add users to Azure AD, you can follow this document.
The users will have a temporary password when you create them. If you forget it, you can reset the password on Azure portal.
I need to programmatically add user account to Azure API Catalog portal.
I use ApiManagementClient class from package Microsoft.Azure.Management.ApiManagement (3.4) and if collection Users does not have a user with a particular e-mail (Azure Active Directory has a user whose username is our company e-mail, for every user that we have in or internal Active Directory)
then I'd try to call Users.CreateAsync which will take a parameter of type UserCreateParameters that consists of Email, FirstName, LastName, State and Password.
The issue here is that my user has been added to the portal manually by administrator and my password was not required for that (as it is an AAD user)
but this method won't let me create a new user if I don't provide a password.
How can I add an AAD user to the API Catalog, from code and without knowing the password. Otherwise, I won't be able to add an API subscription for a user that has not been added to the portal, yet.
We are working a new nuget package, which has support for that. For now, you can use the rest api https://learn.microsoft.com/en-us/rest/api/apimanagement/user/createorupdate
But you would need to know the unique Id of the User in AAD System. The operation above will create a user which can log-in both using AAD or Basic Auth.
{
"properties": {
"firstName": "foo",
"lastName": "bar",
"email": "foobar#mytenant.onmicrosoft.com"
"identities" :[
"provider": "Aad",
"id": "<unique id in AAd Tenant>"
]
}
}
I have two requirements that seem to conflict:
Use the email as the username.
Allow users to change their email.
The problem: if you configure the directory to use the email as the username then the edit profile policy does NOT show the email to allow you to change it.
Any solution I think of is a kludge and involves creating a whole new local account for the user.
Any ideas or suggestions?
You'll need to use the Azure AD Graph API to update the 'User' entity.
You can do this via Microsoft Graph now too.
Example:
PATCH: https://graph.microsoft.com/v1.0/users/{UUID}
{
"identities": [
{
"signInType": "emailAddress",
"issuer": "xxxx.onmicrosoft.com",
"issuerAssignedId": "{new email address}"
}
]
}
The possibilities have changed and #pswillies answer is not true anymore.
It is possible to change the sign-in name of local accounts where the sign-in name is an email address.
See this official sample: https://github.com/azure-ad-b2c/samples/tree/master/policies/change-sign-in-name
It is using custom policies.