Forgive my amateur question, however, I can't seem to find an answer on google/stackoverflow.
I created an app (Xamarin) and I want to store application data in a database, for example an Azure SQL database. I created and integrated a tenant in azure b2c for handling user accounts in the app.
I would like to somehow relate data in my "own" database to user accounts in b2c (is this strange?). All I can find is that you can create custom user attributes but this seems, in my opinion, pretty limited. So I need something unique from b2c that "cannot" change to relate to from my own database.
Seems to me like common use case, what is the preferred approach and is there some unique attribute that I can relate to? (object id maybe??)
Users in an Azure AD B2C tenant are identified by the objectId property of the user object.
This objectId property is immutable.
It is common for tokens, which are issued by policies to applications, to contain the sub and/or oid claim/s, which are mapped from the objectId property.
This enables applications to cross-reference their "own" data for users.
Related
In my application I have the following scenario:
Users first register in the application Using SignUp-SignIn user flow, so at that point the user is created in Azure AD B2C. Then when the users starts to use the application I want to add some information to the user and retrieve it in the token during the next authorizations.
The information I want to add to the user is the following:
1- Identifier I use in my database to store data related to that created user
2- Some application role (e.g. customer, shop owner...) - here, it would be great if I can prevent users to make requests based on that role, but not a big deal to check it in the code after the request is executed
The idea I have is to use Graph API and assign this data in a custom attribute to the users, so this data is always managed by the API and user can't change it himself.
Then I am thinking if mixing that approach with groups could be also and option so some requests will be only available for users that belong to some group.
What is the best approach to achieve my requirements?
Out-of-the-box AAD B2C SignUp-SignIn user flow does not expose any functionality related to Security Groups.
If you want to use group claims in B2C, choose to add some custom code through custom (IEF) policies. See this answer and this post.
In order to achieve your requirements, you could use custom attribute which you have mentioned.
Please note that if you don't want the user to set the custom attribute by themselves, you don't need to do this 3rd step under "Use a custom attribute in your user flow":
Select User attributes and then select the custom attribute (for example, "ShoeSize"). Click Save.
After you create the custom attribute, you can Get the application properties and Using custom attribute with MS Graph API.
Update the custom attribute for a user with Microsoft Graph:
PATCH https://graph.microsoft.com/v1.0/users/userID
{"extension_831374b3bd5041bfaa54263ec9e050fc_ShoeSize": "123"}
Then you can get the custom attribute claim in token like this: "extension_ShoeSize": "123".
We currently have a number of users in Azure AD with the account type "member" that we are converting to account type "guest" as part of a Azure B2B initiative. These users were originally replicated from our on-prem AD environment and are accessing applications based on on-prem AD groups. Whenever we convert these users from "member" to "guest," will they lose access to all groups? If so, does anyone have a way either via script or using an Azure tool to make sure they're access doesn't disappear?
I've searched through the documentation and only found information on converting "member" to "guest," but not the other way around.
This is not a coding related question
If the UserType attribute of the existing User object is changed from "Member" to "Guest" (and the object ID stays the same), existing access grants, app assignment, and group memberships will still be valid. (Though not all applications will necessarily continue to work like they did before, as the guest user will have limited permissions some services.)
If you replace the User object with a new one (different object ID), all the previous access grants and app assignments will be lost.
We use Azure Active Directory(OpenId and OAuth2) for authorization and authentication needs.
We also would like to keep users' profiles in one of our microservices, let's name this service "User Preferences".
The service will store many specific fields required only for one of our products and it is why we don't want to store them in Active Directory(custom fields).
Having all of this, we are searching for the best Azure AD field we can use to connect user's profile to Active Directory account.
There're several candidates:
UPN - in some cases JWT doesn't contain it
ObjectId - always available, but not read-friendly and unique in multi tenant structure
Unique Name - should be used only to display it on UI(recommended by Azure)
Could you please recommend the best field for our case?
Compiling my comments as an answer:
Object id or name identifier (sub claim) are the only immutable fields you can choose from. Using the UPN is dangerous as it can be changed.
Object id is unique across directories, though if you support multiple tenants you should store the tenant id (tid) as well.
UPN can change when an admin changes it.
And also, if a user is invited as a guest to other AAD tenants, they'll have an object id per directory, it won't be the same.
My goal is to have the user authenticate with Azure AD and then be presented with a drop-down of profiles they want to access. Based on which profile is selected, the user will have different permissions on the site. I'm trying to avoid a user having to have multiple logins to enforce the different permissions per profile.
Can Azure AD handle this or do I need to tie in custom code in a database?
No, Users have one identity and can have a set of roles on an app.
Well, just one role unless you have group-based role assignment available :)
This concept sounds like something you will have to build in your app.
Or you will have to have multiple users registered for this one person.
I'm using Azure AD B2C Graph API to create and manager users. Users have data and progression so I wanted to know, how should I go about storing information about the user in my app (such as how much gold the user has)?
I want to grab their userPrincipalName or their objectId and use that as a primary key in a separate database to keep track of app related information but before doing that I wanted to know if this was the correct way to do it with graph API, unless there's a standard graph API has for storing app data per user?
Ideally I don't want to be able to associate data with specific users for security and privacy reasons.
With Azure AD B2C you can extend your schema with custom attributes and read/write to them using Azure AD Graph API.
Please see how to create a custom attribute and this page for how to use custom attributes with the Graph API.
In my opinion, if you just need to store data, use Azure AD B2C with custom attributes, but if you also need some complex logic when reading/writing the properties, or even crate some relations between properties, then consider a custom data store.