I'm trying to script a B2C tenant and need to switch the Local Accounts Identity Provider to be Username based instead of email as per below picture.
MS Graph API returns an empty list for the path GET https://graph.microsoft.com/beta/{tenantid}/identityproviders.
Is it possible to switch this programmatically?
I can migrate to the trustframework policy xml upload method if necessary but it seems like overkill.
The scene you described should be for Azure AD B2C instead of Azure AD B2B.
It has a limitation in Microsoft Graph currently.
When we try to List identityProviders, local account identity Provider won't be listed in the response. See reference here.
The supported types for identityProviders are:
Microsoft
Google
Amazon
LinkedIn
Facebook
GitHub
Twitter
Weibo
QQ
WeChat
So I'm afraid that we can't update the local account identity Provider via Microsoft Graph API.
If you are using user flow, I think the easiest way is to change it in Azure Portal.
If you can use custom policy, modify the configuration in custom policy is necessary.
Related
Can someone provide a general approach to meeting these requirements? I've spent a bit of time researching these various topics and attempting to implement solutions and I'm surprised at how much work is involved. Hopefully I'm missing something.
How do I invite consumer users to a B2C tenant so that they can authenticate into our application using their social accounts (ex: Personal Microsoft or Google accounts)? The only baked in solution on the Azure Portal I've found uses B2C local accounts. Note that I do not want to use a publicly accessible Sign Up flow.
Presently I'm looking into a custom process that would work by inviting users to a 'local' b2c consumer account and then allowing the user to associate their social account with the local account.
Once users have authenticated (using MSAL v2 Auth Flow w/PKCE), I want to retrieve a list of permissions the user has for our application.
I'm looking into two options here:
(1) use the auth token to verify user against an internal API that, in turn, makes a call to the Microsoft Graph API to get the user's group memberships.
(2) Create a custom claim that serves the same purpose as user groups
Administrative users of our application need to be able to invite additional users to the application.
I've found some articles that point, again, to using custom policies.
Thank you very much!
EDIT #1 -
Looking into using B2C & Microsoft Graph API I came across some decent, and recent, MS Resources:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-operations
And this important-to-me statement -> Microsoft January 28th, 2021:
"Although the OAuth 2.0 client credentials grant flow is not currently directly supported by the Azure AD B2C authentication service, you can set up client credential flow using Azure AD and the Microsoft identity platform /token endpoint for an application in your Azure AD B2C tenant. An Azure AD B2C tenant shares some functionality with Azure AD enterprise tenants."
I'll update my post when I find a solution. Thanks again!
You need to use custom policies.
For first bullet point, see my sample:
https://github.com/azure-ad-b2c/samples/tree/master/policies/link-local-account-with-federated-account
You could do either option. For option 1, AAD B2C can call your api which can call graph api to fetch groups. Then embed the info into the token. For option 2, you could write a role value to an extension attribute and return it in the token.
To invite users, you could use the invite sample. Essentially make an app that calls an API to generate these invite links and send those to the users email. The user clicks the link which allows them to complete their sign up.
https://github.com/azure-ad-b2c/samples/tree/master/policies/invite
I'm trying to register an application in Azure programmatically. Most examples are targeting use of Azure Portal, which doesn't meet my requirements. Other examples assume that I have a registered app already and hold a bearer token to use for this operation. Again that doesn't meet my requirements.
In my scenario. I'm an Azure AD administrator, and I want to programmatically register my first application, without going to the Azure Portal. Since this is easily done via portal, I was hoping to do this in code as well (http/C# preferred). And as a step 2, Add permissions and Grant admin consent - again programmatically.
Eventually, I'm using the registered app's ClientId and ClientSecret to retrieve the bearer token and then query Graph API. (This part is working fine, when I make the app registration manually via Azure Portal)
I hope this makes sense.
You can use the Microsoft Graph API.
The API to use to create an app is: https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/application_post_applications
To grant permission you can refer here
I want to get user information, not only from Azure Active Directory, but also from Azure B2C Tenant Users. I was able to reproduce results for AAD users, but I couldn't find enough resource as for how to access to B2C Users (e.g. Gmail.com). I get this error when I swap to my desired clientid/clientsecret (fetched from Azure AD B2C - Application) in this project (https://github.com/microsoftgraph/aspnetcore-connect-sample):
'unsupported_response_type', error_description: 'AADSTS700054: response_type 'id_token' is not enabled for the application.
I couldn't find the recent resources helpful, as a lot of Azure component changed. I would greatly appreciate your kind guidance!
If I understand your question correctly, you want to be able to programatically CRUD B2C Users.
AADB2C has a documentation for same using AADGraph (and not using Microsoft Graph)
Build user CRUD operations by using the Graph API
As of today,you must use the Azure AD Graph API to manage users in an Azure AD B2C directory. This is different from the Microsoft Graph API. The sample you referred to is not appropriate for managing B2C tenant users.
From the Azure Active Directory v2.0 authentication libraries we can see lots of samples about how to use libraries to connect Active Directory. It seems all of them should create an application at apps.dev.microsoft.com first. Then use the Application ID and a new password to act the clientID and clientSecret in a client or server middleware application.
This way, one user can use the application to login by oauth 2 or openid through the Azure Active Directory API. Also can get the personal information such as user profile correctly.
But, if I want to get all the users information in a tenant one time, is there an API can do?
But, if I want to get all the users information in a tenant one time,
is there an API can do?
You can use Microsoft Graph API - specifically List Users API.
https://graph.microsoft.com/v1.0/users
For a quick test, try using Microsoft Graph Explorer
Similarly you can list users with Azure AD Graph API as well, but it would be recommended to use Microsoft Graph API.
Read Microsoft Graph or Azure AD Graph and this SO Post (Only case to use Azure AD Graph API would be if you need something very specific that you aren't able to achieve with stable version of the newer Microsoft Graph API.)
Azure AD Graph API to list users (not recommended)
https://graph.windows.net/myorganization/users
I have created a WebApi app which can create a user on Azure AD B2C tenant using Graph API.
Now the user has to authenticate on Azure AD B2C as the same way I have used like Graph API. I mean a programmatic approach to sign in instead of Microsoft login page. Is it possible to authenticate against Azure AD B2C using Graph API? If yes can you please suggest me the way to do it.
It is not possible to authenticate an user in azure AD using graph API. Graph API provides methods to various AD related operations on the users, signed on user, groups, directory roles, policies and so on. https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/users-operations
You can programmatically authenticate users against Azure AD using a certain call but MS refuses to officially support the method in libraries, despite it existing for over 4 years.
For node, the denied pull request is here: https://github.com/AzureAD/azure-activedirectory-library-for-nodejs/pull/99?_pjax=%23js-repo-pjax-container
The code repo referenced in the pull is here: https://github.com/testdouble/azure-activedirectory-library-for-nodejs/tree/client_secret_optional