Can someone provide a general approach to meeting these requirements? I've spent a bit of time researching these various topics and attempting to implement solutions and I'm surprised at how much work is involved. Hopefully I'm missing something.
How do I invite consumer users to a B2C tenant so that they can authenticate into our application using their social accounts (e.g., personal Microsoft or Google accounts)? The only baked-in solution on the Azure Portal I've found uses B2C local accounts. Note that I do not want to use a publicly accessible Sign Up flow.
- Presently I'm looking into a custom process that would work by inviting users to a 'local' B2C consumer account and then allowing the user to associate their social account with the local account.
Once users have authenticated (using MSAL v2 Auth Flow w/PKCE), I want to retrieve a list of permissions the user has for our application.
- I'm looking into two options here: (1) use the auth token to verify the user against an internal API that, in turn, makes a call to the Microsoft Graph API to get the user's group memberships. (2) Create a custom claim that serves the same purpose as user groups.
Administrative users of our application need to be able to invite additional users to the application.
- I've found some articles that point, again, to using custom policies.
Thank you very much!
EDIT #1 - Looking into using B2C & Microsoft Graph API I came across some decent, and recent, MS Resources: https://docs.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-operations
And this important-to-me statement -> Microsoft January 28th, 2021: "Although the OAuth 2.0 client credentials grant flow is not currently directly supported by the Azure AD B2C authentication service, you can set up client credential flow using Azure AD and the Microsoft identity platform /token endpoint for an application in your Azure AD B2C tenant. An Azure AD B2C tenant shares some functionality with Azure AD enterprise tenants."
I'll update my post when I find a solution. Thanks again!
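
Option (1) from the question, sketched as an added example that is not part of the original post: an internal API that has already validated the user's B2C access token uses the client credentials grant against the Azure AD /token endpoint, then reads the user's group memberships from Microsoft Graph. The group IDs, permission names and the `fetch` parameter are hypothetical, and the app registration is assumed to hold an application permission that allows reading group memberships.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Hypothetical mapping: group object ID (constructed values) -> app permissions.
GROUP_PERMISSIONS = {
    "11111111-1111-1111-1111-111111111111": {"users.invite", "reports.read"},
    "22222222-2222-2222-2222-222222222222": {"reports.read"},
}

def token_request(tenant, client_id, client_secret):
    """Build the client credentials POST for the Azure AD /token endpoint."""
    url = ("https://login.microsoftonline.com/"
           f"{urllib.parse.quote(tenant, safe='')}/oauth2/v2.0/token")
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret,
            "scope": "https://graph.microsoft.com/.default"}
    return urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(), method="POST")

def http_json(req):
    """Send a request and decode the JSON body."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def group_ids(user_oid, app_token, fetch=http_json):
    """Object IDs of the user's direct groups, following paging links."""
    # Quote the ID so a crafted claim value cannot alter the request path.
    url = f"{GRAPH}/users/{urllib.parse.quote(user_oid, safe='')}/memberOf"
    ids = []
    while url:
        parts = urllib.parse.urlsplit(url)
        # Only ever send the app token to Graph over HTTPS.
        if parts.scheme != "https" or parts.netloc != "graph.microsoft.com":
            raise ValueError(f"refusing to send token to {url!r}")
        page = fetch(urllib.request.Request(
            url, headers={"Authorization": f"Bearer {app_token}"}))
        ids += [o["id"] for o in page.get("value", [])
                if o.get("@odata.type") == "#microsoft.graph.group"]
        url = page.get("@odata.nextLink")
    return ids

def permissions_for(user_oid, app_token, fetch=http_json):
    """Union of permissions from the user's groups; unknown groups grant none."""
    perms = set()
    for gid in group_ids(user_oid, app_token, fetch):
        perms |= GROUP_PERMISSIONS.get(gid, set())
    return sorted(perms)
```

Against a live tenant, `http_json(token_request(...))["access_token"]` supplies `app_token`, and `user_oid` is the object ID taken from the validated user token.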