Automate group creation and memberships in Azure B2C - azure

Is it possible using Graph API or similar to automatically add users to a security group in Azure B2C?
The background is that during an Azure B2C user journey for signup/sign the user will access an application after successful authentication. But I would like to role assign based on the security group the user is a member of.
Therefore if a new user signs up, they could be defaulted to lets say "DefaultUsersGroup" and this will be present in their token thus giving them default access to the app. Otherwise if an existing user signs in, this will perform some logic to determine the group the user should be a member of and then grant them access dependant on their membership.
Thank you.

You can do this by introducing your own REST API/s during your user journey. Your API should then call MS Graph API to do the Group+Role assignment, and on sign in, the Role resolution based on group membership.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-rest-api-claims-exchange
This sample may also help
https://github.com/azure-ad-b2c/samples/tree/master/policies/relying-party-rbac

Related

How can I get user's group memberships included in the id token

I have an application that can successfully authenticate users through a B2C user flow policy and get an ID token in a JWT.
How can I update the user flow policy, so I get the user’s group membership as part of the ID token?
A link to documentation or concept would be a great help.
This is the older link.
Basically, add the groups in Azure AD and extract them via Graph API.
There is also a sample.
On Azure B2C , it is not possible to get the user's groups membership in the idToken unfortunately. The mentioned above example by #rbrayb is using Custom policies with Identity Experience Framework , which is one way to go if you need to add the group memberships to the idToken.
Another way to do this is Manually call the Graph API ( using msal library/ Microsoft identity Client NUGET ) , with the objectId of the connected user and an access token in order to get the groups to which the user belong : In this case you will create a group for each role , affect the users to the right groups based on their role, by finding the users group , u know what's his role , here is an example of implementing this kind of authorization on .Net5 web api and web App.

Add guest user to group during signup flow with azure ad b2b

Apologies if this question is too general.
I have created a signup/signin flow in Azure AD External Identities, using a Google Identity Provider , and added my application to this user flow.
The flow itself works as expected, as during signup the user is created, however after inserting the password, I get the following error :
The signed in user is not assigned to a role for the application
This error makes sense, as during signup the guest user is not added to any group nor given any roles, which it needs to access the application.
My question is, is there a way to give the necessary roles/add the user to a default group during the signup/signin flow process? Or alternatively, set a default group for all guest users that are added to the AD?
Thank you
You can use Dynamic Group Membership. If the users meet the defined rules criteria, they will be automatically assigned to the group.
Note: Premium P1 license is needed to use this feature.
Reference:
Create Group Rules to assign users to the group
OR
You can also create a Powershell script to automatically assign new users to enterprise application.
Reference:
Add User To Azure AD Application Powershell

Azure AD B2C - User flows (policies)

I had a page that shows the list of registered users. In the list, each row had delete and edit functionalities. Take the list page into action as an administrator view. He/she need to edit each registered users basic information. For collecting the information I call APIs. In an administrative role how can I update all the users information? Which User flows (policies) I need to try ?
The User Policies are intended to be used by the Consumers (users). Admins can delete or edit users in the Users blade in the Azure Portal.
If that's not acceptable in your case, you could easy create your own admin page to update the user attributes via Graph API calls.
User flows are used for the end user. Where end user can go through a user journey to accomplish something such as signup, signin, password reset etc.
For Admin experiences for user modification, there are two ways
Use Azure portal as it provides a rich experience already. You can use RBAC to provide limited access to the user management admins.
Use AAD Graph apis to build your own custom user management flows. You can find documentation here

How to control/set permissions for a single user when using Azure AD B2C

I have 1 SPA-Application which uses another WebApi. (ASP.NET Core) Both are running in Azure and I am able to authenticate the user against Azure AD B2C with OAuth 2.0 Implicit Flow
Now I am asking myself how I can control the permissions of a single user. (Delete, Read, etc.) Do I have to work with claims? Do I have to leverage the graph API on the server side to check if a user has a certain permission? Can I use scopes? Where can I set the User <--> Scope relationship?
I have found several questions on SO, but I don't get the idea of how it should be done the right way? My current understanding is that I ask the authentication provider for certain scopes and I will get a token with this scopes which then can be checked by the API. But how do I manage which user can ask for which scopes?
I really have a problem to wrap my head around OAuth2 and permissions. Hope one can help me here.
Unfortunately, for one specific user, you cannot assign permissions/scopes to the user.
Because Azure AD B2C doesn't support Application Role. Generally, Azure AD B2C is for all users to access your App wit their account. Even Azure AD B2C can let you store and manage users, but it cannot assign different scopes/permissions to different users. Multiple scopes are the permissions granted to the resource. Multiple granted permissions will be separated by space.It's not for users access assignment.
If this important to you, you can upvote this idea in this Uservoice Page. Azure Team will review it.
Hope this helps!
You can implement this by creating a custom attribute of type String that stores a comma- or space-separated list of roles for a user.
You can then issue this custom attribute in the ID and access tokens or read it using the Azure AD Graph API.

How to get a token with a specific group claim from azure-active-directory

I have a client .Net application that uses ADAL to access A Web API application running on azure.
The server has custom code that verifies that the user belongs to a specific security group.
The problem is that my users belong to too many groups, which causes AAD not to include the list of groups in the token at all.
Thus my custom code makes another call to the AAD Graph API to verify that the user belongs to the group - in addition to the one the client made to obtain the auth token.
Is there a way to tell AAD to only return this one specific group in the groups claim (so that AAD will include it in the token)?
Any other idea (other than caching which i don't currently have) that will prevent me from making that second call would be appreciated.
As of today there is no way for AAD to send a subset of the user's group. A possible trick would be to define a role for your app, and then assign that group to the role. In that case you'll see the role in the token only if the user belongs to that group. HTH

Resources