0 votes

I would like to store additional information about users in my Azure AD B2C instance. What I did is the following:

  1. I've created a new custom attribute and the name of this attribute is Producer

  2. I've added all required permissions for a new application registration which is intended to use Azure AD B2C API through Graph API

  3. I call Graph API to set a custom attribute for one of the users: POST https://graph.microsoft.com/v1.0/users/{user-id} with the following data according to this example

    { "officeLocation": "US", "extension_XXX_Producer": "AN" }

  4. When I try to query information about this user by using Graph API: GET https://graph.microsoft.com/v1.0/users/{user-id}, I do not get anything like my custom attribute

After reading the Azure AD B2C documentation, it seems like custom attributes can be activated only if I add them to one of the user flows, but that is not what our business wants. They would like to have another UI and product be responsible for custom attribute management, which is why I would like to use Graph API for custom attribute management.

Could you please recommend how I can manage custom attributes without including them in Azure AD B2C user flows?

I also found a couple of resources where people recommend using the Azure AD Graph API, but Microsoft tells me in Azure that this API is legacy (I've checked it and it works, but I have some concerns because it is a legacy API):


try using the beta version of the graph api? (Thomas)

@Thomas I am not sure that I got what you mean, but I use version 1.0 - graph.microsoft.com/v1.0/users/{user-id} (Anuar Nurmakanov)

The Microsoft Graph API has a beta version that will return the extension attributes, or you can use the AAD Graph API => the AAD Graph API is being deprecated also. docs.microsoft.com/en-us/graph/api/resources/… (Thomas)

Hi, if my answer is helpful for you, you can accept it as the answer (click on the check mark beside the answer to toggle it from greyed out to filled in). See meta.stackexchange.com/questions/5234/… It can be beneficial to other community members. Thank you. (Carl Zhao)

2 Answers

2 votes

I looked at the document example you provided, and I noticed that the example is a demonstration with Azure Active Directory Graph, so I suggest you also try to use Azure Active Directory Graph. When you use the API to query user information, it looks like this:

https://graph.windows.net/{tenant}.onmicrosoft.com/users/{user_id}?api-version=1.6

Before that, as the document says, you need to obtain an access token for the API, and when granting permissions, you need to grant Azure Active Directory Graph permissions to the application.

AAD Graph is an older API that only allows access to directory data, and some of its functions have been migrated from AAD Graph to Microsoft Graph. But in some cases, we can only achieve the requirements through AAD Graph.

Please see: The difference between AAD Graph and Microsoft Graph.

1 vote

What I've done:

  1. Add a custom attribute (for example Producer) using the Azure Portal AD B2C

  2. Add this attribute in the Application claims of the signin user flow

  3. Use the Graph API to list the extension properties of the b2c-extensions-app (its display name in the portal is "b2c-extensions-app. Do not modify. Used by AADB2C for storing user data."). This is where the custom attributes are stored; read https://docs.microsoft.com/en-us/azure/active-directory-b2c/extensions-app, https://docs.microsoft.com/en-us/graph/api/resources/extensionproperty?view=graph-rest-beta and https://docs.microsoft.com/en-us/graph/api/application-list-extensionproperty?view=graph-rest-beta&tabs=http.

    client is an initialized MicrosoftGraphClient, appObjectId is the Object ID of the b2c-extensions-app:

    // List the directory extension properties registered on the
    // b2c-extensions-app; each B2C custom attribute appears here as
    // extension_<client ID without dashes>_<attribute name>.
    async function getExtensionProperties(client, appObjectId) {
        return await client
            .api(`/applications/${appObjectId}/extensionProperties`)
            .version('beta')
            .get();
    }
    

    The response should contain a line like:

    name: 'extension_<Application (client) ID of the b2c-extensions-app without the dashes>_Producer'
    

    This is the name of the custom attribute as an extension property.

  4. Use the Graph API to set your custom attribute on a user.

    id is the user Object ID in AD, attributes is { "extension_<Application (client) ID of the b2c-extensions-app without the dashes>_Producer": "your_value" }

    // PATCH only the attributes being changed; other user properties are
    // left untouched. The keys must be the full extension property names
    // returned by getExtensionProperties, not the short attribute name.
    async function updateUser(client, id, attributes) {
        return await client
            .api(`/users/${id}`)
            .version('beta')
            .header("content-type", "application/json")
            .patch(attributes);
    }
    
  5. When logging in using the signin user flow, in the browser, using MSAL, myMSALObj.getAccount().extension_Producer is now set to the custom attribute value (note: extension_Producer without the Application ID between extension and Producer).

This answer https://docs.microsoft.com/en-us/answers/questions/21843/how-to-set-custom-claims-for-a-user-in-azure-ad-b2.html from amanpreetsingh-msft has been a great help to solve this.
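The naming scheme both answers rely on, and the read-back problem in the question, can be checked offline without a tenant. The following is an added example, not code from the question or either answer: plain helpers that derive the extension property name from the b2c-extensions-app client ID, map it to the token claim name from step 5, build the PATCH body, and build a GET URL that names the property in $select (on v1.0, directory extension properties are only returned when selected explicitly, which is why a plain GET shows no trace of the attribute). The client ID, user ID and the extensionProperties listing are constructed placeholders, and the request shapes follow the Microsoft Graph documentation rather than any code on this page.

```javascript
// Added example, not code from the question or either answer. Pure helpers
// describing how a B2C custom attribute is addressed through Microsoft Graph.
// The client ID and the extensionProperties listing below are constructed.

// B2C stores each custom attribute as a directory extension property on the
// b2c-extensions-app, named extension_<app client ID without dashes>_<name>.
function extensionPropertyName(extensionsAppClientId, attributeName) {
  const id = extensionsAppClientId.replace(/-/g, '');
  if (!/^[0-9a-fA-F]{32}$/.test(id)) {
    throw new Error('expected the GUID client ID of the b2c-extensions-app');
  }
  if (!/^[A-Za-z][A-Za-z0-9]*$/.test(attributeName)) {
    throw new Error('custom attribute names are alphanumeric');
  }
  return `extension_${id}_${attributeName}`;
}

// Locate the property for a custom attribute in a
// GET /applications/{appObjectId}/extensionProperties response ({ value: [...] }).
function findExtensionProperty(listResponse, attributeName) {
  return (listResponse.value || []).find(
    (p) => p.name.endsWith(`_${attributeName}`) && p.targetObjects.includes('User')
  );
}

// The claim a user flow emits drops the client ID:
// extension_<id>_Producer in Graph becomes extension_Producer in the token.
function claimNameFromExtensionProperty(propertyName) {
  const m = /^extension_[0-9a-fA-F]{32}_(.+)$/.exec(propertyName);
  if (!m) throw new Error(`not a B2C extension property: ${propertyName}`);
  return `extension_${m[1]}`;
}

// Body for PATCH /users/{id}: only the attributes being changed, keyed by
// their full extension property names.
function buildPatchBody(extensionsAppClientId, attributes) {
  const body = {};
  for (const [name, value] of Object.entries(attributes)) {
    body[extensionPropertyName(extensionsAppClientId, name)] = value;
  }
  return body;
}

// URL for reading the user back. On v1.0 directory extension properties are
// returned only when named in $select; without it the user object comes back
// without them.
function buildReadUrl(userId, extensionsAppClientId, attributeNames, version = 'v1.0') {
  const select = [
    'id',
    'displayName',
    ...attributeNames.map((a) => extensionPropertyName(extensionsAppClientId, a)),
  ];
  return `https://graph.microsoft.com/${version}/users/${encodeURIComponent(userId)}?$select=${select.join(',')}`;
}

// Read one attribute off a returned user object; undefined means the
// attribute is unset or was not selected.
function readCustomAttribute(user, extensionsAppClientId, attributeName) {
  return user[extensionPropertyName(extensionsAppClientId, attributeName)];
}

// Constructed sample data standing in for a real tenant.
const SAMPLE_APP_CLIENT_ID = '12345678-90ab-cdef-1234-567890abcdef';
const SAMPLE_EXTENSION_PROPERTIES = {
  value: [
    {
      name: 'extension_1234567890abcdef1234567890abcdef_Producer',
      dataType: 'String',
      targetObjects: ['User'],
    },
  ],
};

const prop = findExtensionProperty(SAMPLE_EXTENSION_PROPERTIES, 'Producer');
console.log('property:   ', prop.name);
console.log('token claim:', claimNameFromExtensionProperty(prop.name));
console.log('PATCH body: ', JSON.stringify(buildPatchBody(SAMPLE_APP_CLIENT_ID, { Producer: 'AN' })));
console.log('GET url:    ', buildReadUrl('00000000-0000-0000-0000-000000000001', SAMPLE_APP_CLIENT_ID, ['Producer']));
```

The update itself is a PATCH, as in the second answer; the body built here is what updateUser would send, and the GET URL is what to call when reading the value back on v1.0 instead of switching to beta or to AAD Graph.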