Which API should I call on Azure B2C to create a CONSUMER user? Apparently this one is going away...
Here is the correct example and doc.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/manage-user-accounts-graph-api
https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http#example-2-create-a-user-with-social-and-local-account-identities
Do not use forceChangePassword=true unless using User Flows V1 (deprecated). You must always set password expiry policy to never.
Use this Microsoft Graph Api.
here is a sample request
POST https://graph.microsoft.com/v1.0/users
Content-type: application/json
{
"accountEnabled": true,
"displayName": "displayName-value",
"mailNickname": "mailNickname-value",
"userPrincipalName": "upn-value#tenant-value.onmicrosoft.com",
"passwordProfile" : {
"forceChangePasswordNextSignIn": true,
"password": "password-value"
}
}
Related
I have a POST request that I am using to create a relying party application for my Azure AD Tenant.
POST
https://graph.microsoft.com/beta/{{tenant_id}}/applications
Headers:
Authorization: {{graph_access_token}}
Content-Type: application/json
Body:
{
"displayName": "JWT.MS 8",
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "5b567255-7703-4780-807c-7be8301ae99b",
"type": "Role"
}
]
},
{
"resourceAppId": "00000002-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
"type": "Scope"
},
{
"id": "6234d376-f627-4f0f-90e0-dff25c5211a3",
"type": "Scope"
}
]
}
],
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"web": {
"redirectUris": [
"https://jwt.ms/"
],
"implicitGrantSettings": {
"enableIdTokenIssuance": true,
"enableAccessTokenIssuance": true
}
}
}
I receive a 201 created response for this application.
When I attempt to use this relying party via the authorize endpoint using an implicit flow I get the following error:
https://{{TenantName}}.b2clogin.com/{{TenantName}}.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_TEST_SIGNIN_LATEST&client_id=f7d77147-383f-4da0-9ca4-5da5628574a4&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms%2F&scope=openid&response_type=id_token&prompt=login
AADB2C90018: The client id 'f7d77147-383f-4da0-9ca4-5da5628574a4'
specified in the request is not registered in tenant
'{{TenantName}}.onmicrosoft.com'.
In the Azure Portal I see that the API permissions are not granted.
How should the application be changed via the Graph API so that the relying application can be seen as registered in B2C?
The URL request is correct
https://{{TenantName}}.b2clogin.com/{{TenantName}}.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_TEST_SIGNIN_LATEST&client_id=f7d77147-383f-4da0-9ca4-5da5628574a4&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms%2F&scope=openid&response_type=id_token&prompt=login
But an Azure AD B2C application should be created using the Azure AD B2C blade of the Azure Portal. You need to register your application by going to Azure AD B2C tenant and search for Azure AD B2C on Azure portal to register applications instead of going to normal Azure AD application registration page.Otherwise it become fault app and you then recieve
AADB2C90018: The client id 'f7d77147-383f-4da0-9ca4-5da5628574a4'
specified in the request is not registered in tenant
'{{TenantName}}.onmicrosoft.com'.
If you have registered the application on Azure AD then delete those and register application on Azure AD B2C.
Reference : https://learn.microsoft.com/en-us/answers/questions/73443/the-client-id-39039-specified-in-the-request-is-no.html
The following steps will allow someone to create a relying party application for Azure AD B2C via Graph API:
The application that is used to retrieve the token requires the following permissions:
https://graph.microsoft.com/Application.Read.All
https://graph.microsoft.com/Application.ReadWrite.All
https://graph.microsoft.com/Application.ReadWrite.OwnedBy
https://graph.microsoft.com/DelegatedPermissionGrant.ReadWrite.All
The POST applications request is in the question above.
The next step is to create a service principal for that application.
POST https://graph.microsoft.com/beta/{{tenant_id}}/servicePrincipals
Headers:
Authorization: {{graph_access_token}}
Content-Type: application/json
Body
{
"appId": "{{app_appId}}"
}
Where the {{app_appId}} is the appId taken from the response of POST /applications
The next request is granting the oauth2 permissions.
POST https://graph.microsoft.com/beta/{{tenant_id}}/oauth2PermissionGrants
Header:
Authorization: {{graph_access_token}}
Content-Type: application/json
Body:
{
"clientId": "{{service_principal_id}}",
"consentType": "AllPrincipals",
"expiryTime": "2030-05-12T00:00:00.9831598Z",
"principalId": null,
"resourceId": "{{graph_app_id}}",
"scope": "openid offline_access"
}
Where the {{service_principal_id}} is the id from the POST /servicePrincipals response.
Where the {{graph_app_id}} is the id of the service principal with the displayName of "Microsoft Graph". This can be retrieved by the following request:
GET https://graph.microsoft.com/beta/{{tenant_id}}/servicePrincipals?$filter=startswith(displayName,'Microsoft Graph')
Header:
Authorization: {{graph_access_token}}
Content-Type: application/json
I am working on creating a user in azure ad. For this, I am using microsoft graph API https://graph.microsoft.com/v1.0/users. Below is the json post I am using:
{
"accountEnabled": true,
"displayName": "test",
"mailNickname": "test",
"userPrincipalName": "test#mytennantname.onmicrosoft.com",
"passwordProfile" : {
"forceChangePasswordNextSignIn": false,
"password": "<password>"
}
}
Using above data, I am able to create user in azure ad. User is also able to sign in using test#mytennantname.onmicrosoft.com. I wanted to know if is there any way I can save the external email id of the user for ex test#gmail.com in azure, so that he can use test#gmail.com to sign in. Please help. Thanks
If the domain, e.g. gmail.com is not in your tenant's verified domains, you cannot "create" the user.
You will need to use the B2B invitation features to invite the user.
That's this API: https://learn.microsoft.com/en-us/graph/api/invitation-post?view=graph-rest-1.0&tabs=http.
So you will need to make a POST to /invitations with a request body like:
{
"invitedUserEmailAddress": "test#gmail.com",
"inviteRedirectUrl": "https://myapp.com"
}
Note these are the 2 mandatory properties, you can check what others are supported in the docs.
The redirect URI is where the user will be sent after they accept the invitation through the link they receive.
When you call this API, an email is sent to the user with a standard content.
To add users to our Azure Organization, we go to this page https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/AllUsers and then create or invite a new user.
Is it possible to do it via a REST API? I looked into their REST API docs https://learn.microsoft.com/en-us/rest/api/apimanagement/ but I couldn't find this information anywhere.
You can do this using Azure Graph API. In this link you can find an example for creating a user using the Graph API and here is the quick start guide for this API.
Basically, it looks like follows:
POST https://graph.windows.net/myorganization/users?api-version
Authorization: Bearer {token}
Content-type: application/json
{
"accountEnabled": true,
"displayName": "Alex Wu",
"mailNickname": "AlexW",
"passwordProfile": {
"password": "Test1234",
"forceChangePasswordNextLogin": false
},
"userPrincipalName": "Alex#a830edad9050849NDA1.onmicrosoft.com"
}
You can find the Grprah API reference to create users here. The Graph API quick-start can help you with sample codes on how to do it.
You would need to make sure that you have user creation rights in azure AD where you are trying to create users. generally, our account must have user account administrator role or global admin role in the directory.
I'm able to create app id using Graph API but app secret/password is not generated with it. I need a way to generate/set a password using APIs.
Am I missing something?
You could create the password via Azure AD Graph API, you can test it in the AAD Graph Explorer.
My test sample:
Request URL:
PATCH https://graph.windows.net/{tenant id}/applications/{application object id}?api-version=1.6
Request body:
{
"passwordCredentials": [{
"endDate": "2020-08-12T02:54:44.2530506Z",
"keyId": "77fe4bf5-5d04-4a62-abc2-f064a9213d3f",
"startDate": "2019-08-12T02:54:44.2530506Z",
"customKeyIdentifier": "dGVzdA==",
"value": "XnkNIsT+cScOYeYJayQ4WNmp9tgAqw5z773uI9WQtAw="
}]
}
For more details about the request body, refer to this link - PasswordCredential.
Note: In the AAD Graph Explorer, when you send the request, the progress bar will never finish, but actually it works, you could check the result in the portal -> Azure Active Directory after a while.
Besides, there is also a Beta api in Microsoft Graph - Update application, I have not tested it, so I am not sure if it works. It is a Beta version, even if it works, I don't recommend you to use it in the production environment.
Are you following the correct API link?
Create User
It is easy to create Azure AD users using the Microsoft Graph REST. Here is a code sample for your reference:
POST https://graph.microsoft.com/v1.0/users
Authorization: Bearer {token}
Content-type: application/json
{
"accountEnabled": true,
"displayName": "Sajee",
"mailNickname": "Sinna",
"userPrincipalName": "upn-value#tenant-value.onmicrosoft.com",
"passwordProfile" : {
"forceChangePasswordNextSignIn": true,
"password": "password-value"
}
}
I'm trying to overload the OAuth ID Token by adding additional claims. I can already use the Graph API to get the claims that I need but I would like to understand if it's possible to add the additional claims directly into the ID Token? I've updated the manifest by adding the required claims in and then flipping "acceptMappedClaims" to true, however I still don't see these in the ID token. What am I missing?
"optionalClaims": {
"idToken": [
{
"name": "employeeid",
"source": "user",
"essential": true,
"additionalProperties": []
},
{
"name": "mail",
"source": "user",
"essential": true,
"additionalProperties": []
}
],
"accessToken": [],
"saml2Token": []
},
"acceptMappedClaims": true,
This depends on where the ID token is generated from. If it's on-premises AD and federated identity is used take a look at Customizing the OIDC id_token in ADFS 2016.
If it's just a cloud identity I'd take a look at the second link jwmiller5 posted or this one: how-to-set-claims-from-asp-net-openid-connect-owin-components.
Hope this helps,
Bernie
If you are trying to add additional claims into your AD token, you would need Azure AD premium and you can add the values as attributes. See Claim augmentation with Azure AD authentcation
If you just need the claims in one particular application, you can add the claims in the app itself. See Azure AD PostAuthentication add claims