Including department in the list of claims - Azure

I'm using an Azure B2C tenant to store users. At present I have to go through the graph API to retrieve the user details from my MVC application.
The annoying thing, however, is that most of the details I'm interested in are already contained within the list of claims within the ClaimsPrincipal.Current object (in this case name, job title and email), so for the most part this call isn't actually needed. Department is the only one not included by default and is the only reason I'm making the call. In addition, going through the graph API seems to slow things down enormously when running the site on Azure.
Is there any way of including the department in the claims list contained within the ClaimsPrincipal.Current object so I can skip the call to the graph API entirely?

If I understand your question, it sounds like you are asking how to include additional claims in the ID token returned by Azure AD B2C. The claims returned are configured on a per-policy basis.
Navigate to the B2C features blade on the Azure portal.
Click All policies.
Click your sign-up policy to open it. Click Edit at the top of the blade.
Click Application claims and select the attribute (for example, "Department"). Click OK.
Click Sign-up attributes and make sure "Department" is one of the attributes collected from the user.
Click Save at the top of the blade.
Click "Run now" on the policy to verify the consumer experience. You can use "http://jwt.ms" as the redirect URI to inspect the token returned by Azure AD B2C. You should now see "Department" in the list of attributes collected during consumer sign-up, and see it in the token sent back to your application.

Related

Dynamically show Identity providers using Azure B2C custom policy

I would like to show Identity providers dynamically based on the tenant [i.e. OIDC domain_hint] during the Azure B2C Sign In user journey. I have referred to several examples on custom policies, however I am unable to find a way to display/hide an IdP based on tenant. I was able to use this good example to do Home Realm discovery in a custom policy using an Azure Function, but it doesn't show the 'list of IdPs' applicable for the tenant/domain. Other SO questions that came close to this but didn't answer it are 1, 2. Even if I serve a custom HTML file from blob storage, how do I show only certain Identity providers and hide some based on the tenant/domain_hint?
Depending on the number of domain/tenant permutations, you could put that logic on the application side to execute different PolicyIDs. This is assuming the number is low, so it would be a policyID : IdPs mapping.
This is a bad solution if you have a HIGH volume of hints.
Alternatively, you could perform an API call via JavaScript to delegate populating the list of Identity Providers. Then, it would execute another self-assertive page that would trigger that specific identity provider. The flow would look like:
App (passes domain hint) --> B2C login page (JavaScript REST API on page requests the list of IdPs based on the previous domain hint) --> 2nd self-assertive page (value passed from first page to initiate the correct IdP) --> IdP pages load.
You can adjust the logic in different ways to meet your needs.
You could store the tenant in a claim using claim resolvers, then have an orchestration step for each possible combination of IdPs you want and use preconditions on those steps to only execute them depending on the tenant. Hopefully that works.

Limit user access in Azure AD B2C

This is mostly playing around at the moment but I'm attempting to use Azure AD B2C as the login provider / user store for a website I'm working on.
I want to limit what users can access based on a user level.
At the moment, in order to handle this, I have a database entry for UserLevel that stores the user's OID and an enum for the user level (admin, moderator, user etc.), and then for page / API access I've set up a requirement that checks the authenticated user is in the UserLevel repository and that their level matches or exceeds the required level.
What I'm wondering is if there are any major problems with doing things this way / is there a better way to handle this.
You can use Custom Attributes to save all your User properties - it will act like DB columns in B2C.
How to create?
Navigate to the directory that contains your B2C tenant.
Choose All services in the top-left corner of the Azure portal, search for and select Azure AD B2C.
Select User attributes, and then select Add.
Provide a Name for the custom attribute (for example, UserLevel).
Choose a Data Type as String (Note that only String, Boolean, and Int are available).
Optionally, enter a Description for informational purposes.
Click Create.
The custom attribute is now available in the list of User attributes and for use in your user flows.
How to use in your User Flows?
In your Azure AD B2C tenant, select User flows.
Select your policy (for example, "B2C_1_SignupSignin") to open it.
Select User attributes and then select the custom attribute (for example, UserLevel). Click Save.
Select Application claims and then select the custom attribute.
Click Save.
You should now see UserLevel in the list of attributes collected during the sign-up journey, and see it in the token sent back to your application - based on which you will be able to identify the access you want to give to that user (instead of making another DB call which will increase latency).
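An added example (not code from the question or answer above) of the "matches or exceeds the required level" check done against the token claim instead of a database lookup, written as an ASP.NET Core authorization requirement. It assumes the custom attribute reaches the token as the claim `extension_UserLevel` (the usual `extension_<Name>` naming; treat it as an assumption) and that the level is written server-side by an administrator rather than collected from the user at sign-up, since a self-asserted level would grant whatever the user typed; the claim is only trustworthy after the authentication middleware has validated the token signature.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Ordered so that a comparison expresses "meets or exceeds".
public enum UserLevel { User = 0, Moderator = 1, Admin = 2 }

public sealed class MinimumUserLevelRequirement : IAuthorizationRequirement
{
    public UserLevel Required { get; }
    public MinimumUserLevelRequirement(UserLevel required) => Required = required;
}

public sealed class MinimumUserLevelHandler : AuthorizationHandler<MinimumUserLevelRequirement>
{
    // Assumed claim name for the B2C custom attribute "UserLevel".
    public const string ClaimType = "extension_UserLevel";

    // Pure helper so the decision can be unit-tested without the pipeline.
    public static bool MeetsLevel(ClaimsPrincipal user, UserLevel required)
    {
        var raw = user.FindFirst(ClaimType)?.Value;
        // A missing or unrecognised value denies; never fall back to a default level.
        // Enum.IsDefined rejects numeric strings such as "99" that TryParse accepts.
        if (raw is null
            || !Enum.TryParse<UserLevel>(raw, ignoreCase: true, out var level)
            || !Enum.IsDefined(typeof(UserLevel), level))
            return false;
        return level >= required;
    }

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, MinimumUserLevelRequirement requirement)
    {
        if (MeetsLevel(context.User, requirement.Required))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

// Registration in Startup.ConfigureServices, then [Authorize(Policy = "ModeratorOrAbove")]
// on a controller or action:
// services.AddSingleton<IAuthorizationHandler, MinimumUserLevelHandler>();
// services.AddAuthorization(o => o.AddPolicy("ModeratorOrAbove",
//     p => p.Requirements.Add(new MinimumUserLevelRequirement(UserLevel.Moderator))));
```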

How to query another Azure Active Directory tenant from Graph Explorer

I am using Azure Graph API Explorer. I want to query the apps list in a tenant. I am a user in tenant_x (where the user was originally created) as well as admin in tenant_y (created later with my user). I understand that when I log in I go directly into the origin tenant (so tenant_x), therefore Graph Explorer does not allow me to query tenant_y. So as admin of tenant_y I have added a new user in tenant_y. I log in now with that user but still I am not able to query the applications that are in tenant_y. So how can I query apps in tenant_y? Is there a way? Thanks.
The API I am calling (with new user log-in) to first retrieve all applications:
https://graph.microsoft.com/beta/applications
Response is:
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#applications",
  "value": []
}
Of course I have apps in that tenant.
Based on our communication, you have used a personal account as guest of tenant_y to query the apps list in tenant_y.
Unfortunately, Microsoft Graph Explorer will not recognize your personal account as a guest user. It will still treat it as a personal account.
So it will query the apps list for the personal account rather than tenant_y.
So now you have two choices:
1. Create a new user in tenant_y by following add a new user and then use this new user to log into Microsoft Graph Explorer to query the apps list.
2. Implement Get access on behalf of a user and make sure that you call the {your tenant} endpoint rather than the common endpoint while requesting the access token. And you should use another tool (for example Postman) instead of Microsoft Graph Explorer.
Update:
You can modify the permissions in Microsoft Graph Explorer like this:
Click on the "modify permissions" under your username in Microsoft Graph Explorer and check the Directory.Read.All permission.
Today that's possible if you pass the tenant query string parameter like this:
https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=mydomainname.onmicrosoft.com
Note that you need to logout before going to this URL with the tenant query string. It'll ask you to login again. After login you can issue queries against the other tenant you have access to (not your home tenant where your account was originally created on).
If you get a 401 while running the specific query, make sure you grant the required permissions on "Modify permissions" tab and click the Consent button in each required permission. After that your query should return a 200 success result.
Graph Explorer today does not support signing in to the tenanted endpoint. A tenanted endpoint is used in the following format
https://login.microsoftonline.com/{tenantId}/V2.0
Once your user account from tenant_x is made a guest user in tenant_y, to effectively query tenant_y using your guest user account, an app (like Graph explorer) has to sign you in the other tenant. Instead Graph Explorer uses the /Common endpoint, which will always sign you in your home tenant (tenant_x).
The only available workaround is to quickly develop an application, sign in to a tenant of your choice and run APIs in it.
Graph Explorer is a tool to help developers discover and learn about the Graph API and thus might shy away from introducing too much complexity. But it does not hurt to ask for this feature at their GitHub repo.
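An added example (not code from any of the answers above) of the workaround they describe: a small console app that signs in against the tenanted authority with MSAL.NET and calls Graph for the applications list. The client ID and tenant name are constructed placeholders; the app registration is assumed to exist in tenant_y (or to be multi-tenant), and the Directory.Read.All permission mentioned above is assumed to have been consented to there.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class TenantedGraphQuery
{
    // Constructed placeholders: replace with your app registration and target tenant.
    private const string ClientId = "00000000-0000-0000-0000-000000000000";
    private const string Tenant = "tenant_y.onmicrosoft.com";

    // The authority is /{tenant}, not /common: /common always signs the account
    // into its home tenant, which is why Graph Explorer returned an empty list.
    public static string Authority => $"https://login.microsoftonline.com/{Tenant}";

    public static async Task<string> ListApplicationsAsync()
    {
        var app = PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(Authority)
            .WithRedirectUri("http://localhost")
            .Build();

        // Delegated Graph scope; consent must already have been granted in tenant_y.
        var scopes = new[] { "https://graph.microsoft.com/Directory.Read.All" };
        AuthenticationResult result = await app.AcquireTokenInteractive(scopes).ExecuteAsync();

        // Sanity check: the token must have been issued for the tenant we asked for,
        // otherwise the sign-in silently landed in the home tenant again.
        Console.WriteLine($"Token issued by tenant {result.TenantId}");

        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", result.AccessToken);
        using var response = await http.GetAsync("https://graph.microsoft.com/v1.0/applications");
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }

    public static async Task Main()
    {
        Console.WriteLine(await ListApplicationsAsync());
    }
}
```

If the call returns 401 or 403, check the consent status of Directory.Read.All in tenant_y before changing anything in the code.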

AAD in Azure API Management, avoid signup dialog

In Azure API Management you can enable integration with AAD, by following the guidelines in this article:
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-aad
This part describes the sign in after setting up AAD integration:
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-aad#a-idlogintodevportalsign-in-to-the-developer-portal-by-using-an-azure-ad-account
In step 3 of this part, the following is mentioned:
"You might be prompted with a registration form if any additional information is required."
I don't want to bother my consumers with this dialog, but I can't find what 'additional information' is meant here.
The sign up dialog only shows email, first name and last name.
Does anyone know what information the registration process is missing, which leads to this dialog showing up?
I don't want to bother my consumers with this dialog, but I can't find what 'additional information' is meant here. The sign up dialog only shows email, first name and last name.
If you don't want to enable the registration process, you could delete the Username and password provider from the Azure portal.
It will just use the Azure AD provider. Then you will not be prompted with a registration form.
Updated:
If I click sign up, I get that registration is disabled.
After consulting the Azure API Management product group, it became clear you cannot disable this dialog at the moment.
The documentation mentions that the dialog is only prompted in a certain case, but that is not accurate. The dialog will always be shown when you sign in on the developer portal when Azure API Management is integrated with AAD.

Azure AD B2C Custom Edit profile page

I'm working with Azure B2C from an MVC (4.6) WebApp. I've followed this guide to make it work and it's all good:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-web-dotnet
However, regarding the Edit Profile Policy, I need custom values coming from another system for a specific User profile property (i.e. Favorite Categories, coming from a custom Categories table). I don't want to add all the possible categories to the User profile property settings in the Azure portal, because values can change frequently. So, a couple of questions:
1- Is there a way to tell Azure AD B2C Edit profile policy, what are the values to use for a specific user profile property? (I don't think so)
2- Can I call the Edit Profile policy Endpoint to update the user profile? that way, I'd have a custom page with the user profile properties, and I will update the user from code. I've "fiddled" the MS page, and it's doing a post to a specific endpoint, but I'm not able to make it work from code. I've also tried a bunch of different things.
The only approach that seems like it will work is to call the Graph API from code, following this article (but it requires registering another App from PowerShell, and also executing the action with an App Token instead of the current logged-in user):
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
Any help would be very much appreciated.
Thanks a lot.
1- Is there a way to tell Azure AD B2C Edit profile policy, what are the values to use for a specific user profile property? (I don't think so)
No. All the users use the policy you configure on the portal. We can create multiple profile edit policies and choose the right policy based on your business with custom code.
2- Can I call the Edit Profile policy Endpoint to update the user profile? that way, I'd have a custom page with the user profile properties, and I will update the user from code. I've "fiddled" the MS page, and it's doing a post to a specific endpoint, but I'm not able to make it work from code. I've also tried a bunch of different things.
No. It is impossible. As you mentioned, if you want to update the user's profile programmatically, the Azure AD Graph is recommended.
You are not able to use JS, but you are able to customize with CSS (enable CORS to the MS login domain on your web app, etc.).
See the MSDN docs; all of this is described there.
You are able to add custom properties in AD B2C to user sign-up, so editing the profile should be possible too.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-ui-customization