I'm using Azure AD B2C Graph API to create and manager users. Users have data and progression so I wanted to know, how should I go about storing information about the user in my app (such as how much gold the user has)?
I want to grab their userPrincipalName or their objectId and use that as a primary key in a separate database to keep track of app related information but before doing that I wanted to know if this was the correct way to do it with graph API, unless there's a standard graph API has for storing app data per user?
Ideally I don't want to be able to associate data with specific users for security and privacy reasons.
With Azure AD B2C you can extend your schema with custom attributes and read/write to them using Azure AD Graph API.
Please see how to create a custom attribute and this page for how to use custom attributes with the Graph API.
In my opinion, if you just need to store data, use Azure AD B2C with custom attributes, but if you also need some complex logic when reading/writing the properties, or even crate some relations between properties, then consider a custom data store.
Related
In my application I have the following scenario:
Users first register in the application Using SignUp-SignIn user flow, so at that point the user is created in Azure AD B2C. Then when the users starts to use the application I want to add some information to the user and retrieve it in the token during the next authorizations.
The information I want to add to the user is the following:
1- Identifier I use in my database to store data related to that created user
2- Some application role (e.g. customer, shop owner...) - here, it would be great if I can prevent users to make requests based on that role, but not a big deal to check it in the code after the request is executed
The idea I have is to use Graph API and assign this data in a custom attribute to the users, so this data is always managed by the API and user can't change it himself.
Then I am thinking if mixing that approach with groups could be also and option so some requests will be only available for users that belong to some group.
What is the best approach to achieve my requirements?
Out-of-the-box AAD B2C SignUp-SignIn user flow does not expose any functionality related to Security Groups.
If you want to use group claims in B2C, choose to add some custom code through custom (IEF) policies. See this answer and this post.
In order to achieve your requirements, you could use custom attribute which you have mentioned.
Please note that if you don't want the user to set the custom attribute by themselves, you don't need to do this 3rd step under "Use a custom attribute in your user flow":
Select User attributes and then select the custom attribute (for example, "ShoeSize"). Click Save.
After you create the custom attribute, you can Get the application properties and Using custom attribute with MS Graph API.
Update the custom attribute for a user with Microsoft Graph:
PATCH https://graph.microsoft.com/v1.0/users/userID
{"extension_831374b3bd5041bfaa54263ec9e050fc_ShoeSize": "123"}
Then you can get the custom attribute claim in token like this: "extension_ShoeSize": "123".
I am building a Microsoft Teams application and I need to store sensitive user data (access tokens and some additional stuff) for each user using my application.
My requirement is that this data can only be accessible from the user and no one else - and it needs to potentially serve tens of thousands of users. Furthermore, this data shall be accessible from any Microsoft product (i.e. not bound to MS Teams, but let's say, as long as I get a the JWT, then I would be able to access the data).
What are my options using Azure? Is there some kind of storage I can use OOTB? Or, would I need to select an Azure service for this? If yes, which service would be the best? Can I instantiate such service for ALL the users I need to serve, or would I need a separate instance for each tenant the user is coming from (e.g. its company?).
Thanks a lot for helping me out, I tried to figure this out already and I got some ideas, but I am still confused.
Based on the requirement, you can store the sensitive user data with the following options
Azure keyvault: For Secrets Management, Key Management and Certificate Management.
Azure storage tables: To store and retrieve the access tokens, users data and the conversation.
I would like to store additional information about users in my Azure AD B2C instance. What I did is the following:
I've created a new custom attribute and the name of this attribute is Producer
I've added all required permissions for a new application registration which is intended to use Azure AD B2C API through Graph API
I call Graph API to set a custom attributed for one of the users: POST https://graph.microsoft.com/v1.0/users/{user-id} with the following data according to this example
{
"officeLocation": "US",
"extension_XXX_Producer": "AN"
}
When I try to query information about this user by using Graph API: GET https://graph.microsoft.com/v1.0/users/{user-id}, I do not get anything like my custom attribute
After reading Azure AD B2C documentation, it seems like custom attributes can be activated only if I add them to one of the user flows, but it is not what our business wants. They would like to have another UI and product to be responsible for custom attributed management, it is why I would like to use Graph API for custom attributes management.
Could you please recommend me how I can manage custom attributes without including them into Azure AD B2C user flows?
I also found a couple of resources where people recommend to use Azure AD Graph API, but Microsoft tells me in Azure that this API is legacy (I've checked it and it works, but I have some concerns because of Legacy API):
I looked at the document example you provided, and I noticed that the example is a demonstration with Azure Active Directory Graph, so I suggest you also try to use Azure Active Directory Graph. When you use api to query user information, it looks like this :
https://graph.windows.net/{tenant}.onmicrosoft.com/users/{user_id}?api-version = 1.6
Before that, as the document says, you need to obtain an access token for the api, and when granting permissions, you need to grant Azure Active Directory Graph permissions to the application.
For AAD Graph, it is an older API that only allows access to directory data, and some of its functions have been migrated from AAD Graph to Microsoft Graph. But in some cases, we can only achieve the requirements through AAD Graph.
please see:The difference between AAD Graph and Microsoft Graph.
What i've done:
Add a custom attribute (for example Producer) using the Azure Portal AD B2C
Add this attribute in the Application claims of the signin user flow
Use the Graph API to list the extension properties of the b2c-extensions-app. Do not modify. Used by AADB2C for storing user data. (where the custom attributes are stored, read https://learn.microsoft.com/en-us/azure/active-directory-b2c/extensions-app, https://learn.microsoft.com/en-us/graph/api/resources/extensionproperty?view=graph-rest-beta and https://learn.microsoft.com/en-us/graph/api/application-list-extensionproperty?view=graph-rest-beta&tabs=http).
client is an initialized MicrosoftGraphClient, appObjectId is the Object ID of the b2c-extensions-app:
async function getExtensionProperties(client, appObjectId) {
return await client
.api(`/applications/${appObjectId}/extensionProperties`)
.version('beta')
.get();
}
The response should contain a line like:
name: 'extension_<Application (client) ID of the b2c-extensions-app without the dashes>_Producer'
This is the name of the custom attribute as an extension property.
Use the Graph API to set your custom attribute on a user.
id is the user Object ID in AD, attributes is { "extension_<Application (client) ID of the b2c-extensions-app without the dashes>_Producer": "your_value" }
async function updateUser(client, id, attributes) {
return await client
.api(`/users/${id}`)
.version('beta')
.header("content-type", "application/json")
.patch(attributes);
}
When login using the signin user flow, in the browser, using MSAL, myMSALObj.getAccount().extension_Producer is now set to the custom attribute value (note: extension_Producer without the Application ID between extension and Producer).
This answer https://learn.microsoft.com/en-us/answers/questions/21843/how-to-set-custom-claims-for-a-user-in-azure-ad-b2.html from amanpreetsingh-msft has been a great help to solve this.
I've an Azure Active Directory for B2B client.
AAD provides all the necessary fields like name, email, custom email, etc.
I need to store some more information in it.
I'm using a VOIP provider and it has a unique data for each User, I need to store some of that data in AAD itself.
I've seen B2C allows us to create the custom fields.
My question is can we create the custom fields in AAD-B2B, if yes then how to create it?
I did not found any well documented steps for that
Forgive my amateur question, however, I can't seem to find an answer on google/stackoverflow.
I created an app (Xamarin) and I want to store application data in a database, for example an Azure SQL database. I created and integrated a tenant in azure b2c for handling user accounts in the app.
I would like to somehow relate data in my "own" database to user accounts in b2c (is this strange?). All I can find is that you can create custom user attributes but this seems, in my opinion, pretty limited. So I need something unique from b2c that "cannot" change to relate to from my own database.
Seems to me like common use case, what is the preferred approach and is there some unique attribute that I can relate to? (object id maybe??)
Users in an Azure AD B2C tenant are identified by the objectId property of the user object.
This objectId property is immutable.
It is common for tokens, which are issued by policies to applications, to contain the sub and/or oid claim/s, which are mapped from the objectId property.
This enables applications to cross-reference their "own" data for users.