I've an Azure Active Directory for B2B client.
AAD provides all the necessary fields like name, email, custom email, etc.
I need to store some more information in it.
I'm using a VOIP provider and it has a unique data for each User, I need to store some of that data in AAD itself.
I've seen B2C allows us to create the custom fields.
My question is can we create the custom fields in AAD-B2B, if yes then how to create it?
I did not found any well documented steps for that
Related
In my application I have the following scenario:
Users first register in the application Using SignUp-SignIn user flow, so at that point the user is created in Azure AD B2C. Then when the users starts to use the application I want to add some information to the user and retrieve it in the token during the next authorizations.
The information I want to add to the user is the following:
1- Identifier I use in my database to store data related to that created user
2- Some application role (e.g. customer, shop owner...) - here, it would be great if I can prevent users to make requests based on that role, but not a big deal to check it in the code after the request is executed
The idea I have is to use Graph API and assign this data in a custom attribute to the users, so this data is always managed by the API and user can't change it himself.
Then I am thinking if mixing that approach with groups could be also and option so some requests will be only available for users that belong to some group.
What is the best approach to achieve my requirements?
Out-of-the-box AAD B2C SignUp-SignIn user flow does not expose any functionality related to Security Groups.
If you want to use group claims in B2C, choose to add some custom code through custom (IEF) policies. See this answer and this post.
In order to achieve your requirements, you could use custom attribute which you have mentioned.
Please note that if you don't want the user to set the custom attribute by themselves, you don't need to do this 3rd step under "Use a custom attribute in your user flow":
Select User attributes and then select the custom attribute (for example, "ShoeSize"). Click Save.
After you create the custom attribute, you can Get the application properties and Using custom attribute with MS Graph API.
Update the custom attribute for a user with Microsoft Graph:
PATCH https://graph.microsoft.com/v1.0/users/userID
{"extension_831374b3bd5041bfaa54263ec9e050fc_ShoeSize": "123"}
Then you can get the custom attribute claim in token like this: "extension_ShoeSize": "123".
Hoping someone can shed some light on the following matter;
I got an Angular & .Net core Web API application that uses Azure B2C to authenticate users.
User accounts are created by the users themselves via the signin/signup custom policy or administrator can create accounts via the app using the Graph API.
Due to the requirements, the app uses usernames (as opposed to email addresses) to log into the application. So far I've managed to get everything working except for the following scenario:
When an account is created via the Graph API, the owner of that account cannot reset the account's password. The error is "An account could not be found for the provided user ID".
This isn't the case for accounts that get created via the custom signup policy so I did some comparison and found that for those account that get created via the Graph API, the Email is missing (which can be found under User -> Authentication Methods). I looked at populating that field, but it appears the "Mail" attribute is 'read only' (not sure if that's the right attribute anyway).
At the moment I'm having to manually set the email via Azure so those account's passwords can be reset by their owner if necessary. This is obviously not ideal and wanted to see if there is anyone that might have gotten around this issue, or a least get confirmation that this is indeed a limitation of the Graph API.
Thanks in advance for your help
So I managed to get this working using the approach outlined by Jas Suri. These are the steps that I went through
Created a custom attribute in my B2C tenant to hold the account email address
Included the custom attribute claim type (extension_emailAddress) as well as the strongAuthenticationEmailAddress in the TrustFrameworkBase.xml
Updated my apps's custom policies to include the technical profile for local account discovery. I basically just copied the necessary bits and pieces from here
Updated the local account discovery to perform the comparison against the extenstion_emailAddres instead of strongAuthenticationEmailAddress.
Added an extra step to the Sign up user journey so that the value in strongAuthenticationEmailAddress is copied to extension_emailAddress
Updated my Web API / Graph API "create user" function so that it sets the extension_appidguid_emailAddress
That's it. Now it doesn't matter how the account gets created, the email address will be stored in the extension attribute and the password reset will be able to find the account using that attribute.
happy to provide more details if anyone comes across this.
The problem is as you’ve identified, the Sign Up policy uses the strongAuthEmail attribute to store the verified email for a username based account. The Password reset policy will use this to verify the user owns the username. When creating the user with graph api, you can’t populate this field, it’s not exposed. The only option is to use a custom policy which stores this secure email in an extension attribute, and your graph api created users can then also target the same attribute to allow the stars to align.
Mail attribute is not the same as the Email under Authentication Methods, and currently there is no such graph api to set the Email value under Authentication Methods.
By the way, there is no need to create Azure AD B2C user for a user as users can sign up themselves.
We use Azure Active Directory(OpenId and OAuth2) for authorization and authentication needs.
We also would like to keep users' profiles in one of our microservices, let's name this service "User Preferences".
The service will store many specific fields required only for one of our products and it is why we don't want to store them in Active Directory(custom fields).
Having all of this, we are searching for the best Azure AD field we can use to connect user's profile to Active Directory account.
There're several candidates:
UPN - in some cases JWT doesn't contain it
ObjectId - always available, but not read-friendly and unique in multi tenant structure
Unique Name - should be used only to display it on UI(recommended by Azure)
Could you please recommend the best field for our case?
Compiling my comments as an answer:
Object id or name identifier (sub claim) are the only immutable fields you can choose from. Using the UPN is dangerous as it can be changed.
Object id is unique across directories, though if you support multiple tenants you should store the tenant id (tid) as well.
UPN can change when an admin changes it.
And also, if a user is invited as a guest to other AAD tenants, they'll have an object id per directory, it won't be the same.
Forgive my amateur question, however, I can't seem to find an answer on google/stackoverflow.
I created an app (Xamarin) and I want to store application data in a database, for example an Azure SQL database. I created and integrated a tenant in azure b2c for handling user accounts in the app.
I would like to somehow relate data in my "own" database to user accounts in b2c (is this strange?). All I can find is that you can create custom user attributes but this seems, in my opinion, pretty limited. So I need something unique from b2c that "cannot" change to relate to from my own database.
Seems to me like common use case, what is the preferred approach and is there some unique attribute that I can relate to? (object id maybe??)
Users in an Azure AD B2C tenant are identified by the objectId property of the user object.
This objectId property is immutable.
It is common for tokens, which are issued by policies to applications, to contain the sub and/or oid claim/s, which are mapped from the objectId property.
This enables applications to cross-reference their "own" data for users.
I'm using Azure AD B2C Graph API to create and manager users. Users have data and progression so I wanted to know, how should I go about storing information about the user in my app (such as how much gold the user has)?
I want to grab their userPrincipalName or their objectId and use that as a primary key in a separate database to keep track of app related information but before doing that I wanted to know if this was the correct way to do it with graph API, unless there's a standard graph API has for storing app data per user?
Ideally I don't want to be able to associate data with specific users for security and privacy reasons.
With Azure AD B2C you can extend your schema with custom attributes and read/write to them using Azure AD Graph API.
Please see how to create a custom attribute and this page for how to use custom attributes with the Graph API.
In my opinion, if you just need to store data, use Azure AD B2C with custom attributes, but if you also need some complex logic when reading/writing the properties, or even crate some relations between properties, then consider a custom data store.