YashwanthReddyYenugu-2268 asked GurpreetArora-9536 answered

How to set custom claims for a user in Azure AD B2C

I've created a new user by navigating to the Users section. I've even created a custom user attribute in the User attributes section. But how do I set those attributes for users?

Tags: azure-active-directory, azure-ad-b2c

amanpreetsingh-msft answered amanpreetsingh-msft commented

@YashwanthReddyYenugu-2268 To use a custom user attribute, you need to create a User Flow as documented here. When you Run User Flow, you need to choose sign-up to create a new user account.

If you want to assign a custom attribute to the existing user that you created from the Users section, you need to create a Profile Update user flow and sign in with that user to assign a value to the custom attribute for that user. Make sure that in the profile edit user flow you select the checkbox for the custom attribute that you created. When you run the profile edit user flow, you will get an option to specify a value for the custom attribute.


Please "Accept as answer" wherever the information provided helps you to help others in the community.



@amanpreetsingh-msft , Thank you for the quick response.
My use case is that only the admin should be able to create the user and add custom attributes and values for that user. Users shouldn't be given access to edit their profile or even sign up. (I'm using custom policies for the user flow.)

1 Vote

@YashwanthYenugu-6438 In that case my question would be: why are you choosing to go with Azure AD B2C? Since you are not using any B2C features, you should consider using standard Azure AD for this purpose. In standard AAD as well, an admin can create and assign values to custom attributes.

0 Votes
amanpreetsingh-msft answered SamJohnson-3805 commented

@YashwanthYenugu-6438, please find below the steps to extend the Azure AD schema and assign a value to the new attribute using an admin account via Graph API, not via IEF.

  1. Create a new application in App Registration under Azure AD.

  2. Once the application is created copy the Object ID.

  3. Open Graph Explorer by using https://developer.microsoft.com/en-us/graph/graph-explorer# url.

  4. Click on Sign in with Microsoft on the left and sign in with a Global Admin account that is a member of the same directory and was not added as an external (guest) user.

  5. Click on Modify permissions > select Directory.AccessAsUser.All > click Modify Permissions.

  6. Click on Accept at consent page.

  7. In Graph Explorer, use the following query, where <Tenant Name> is your_tenant.onmicrosoft.com in your case and <ObjectID of the application> is the value copied in Step 2.
    POST https://graph.microsoft.com/beta/<Tenant Name>/applications/<ObjectID of the application>/extensionProperties

  8. Use the following text in the Request body. Since the targetObject is User, the attribute will be created for all users in the tenant. Note: please type the request body manually, as with copy-paste Graph Explorer will not recognize some of the characters (the quotes must be plain ASCII double quotes and targetObjects is a JSON array).
    {
      "name": "Role",
      "dataType": "String",
      "targetObjects": ["User"]
    }

  9. To update the attribute with a value, use the following query:
    PATCH https://graph.microsoft.com/beta/users/globaladmin@your_tenant.onmicrosoft.com
    and use the following Request Body:
    {
    "extension_e175b1fc21b144019cadxxxxxxxxxxxx_Role":"Admin"
    }

  10. To verify that the attribute was updated successfully, run the following query:
    GET

Please "Accept as answer" wherever the information provided helps you to help others in the community.


@amanpreetsingh-msft

I'm working on the same issue described in this post.

Walking through this instruction set, when I run the graph query:

https://graph.microsoft.com/beta/ligob2c.onmicrosoft.com/applications/e117c62b-7a85-4cc7-8e24-f78a814f2c09/extensionProperties

I get a "not found" for my application's object ID. I'm certain it is there. I'm logged into Graph as a global admin and have granted every permission available in Graph Explorer. Is there a configuration setting on the application that I'm missing?

Any help you can provide would be greatly appreciated. Thanks!

 "error": {
     "code": "Request_ResourceNotFound",
     "message": "Resource 'e117c62b-7a85-4cc7-8e24-f78a814f2c09' does not exist or one of its queried reference-property objects are not present.",
     "innerError": {
         "date": "2021-02-11T15:31:39"

0 Votes

Hey,

I had the same error and was wondering just like you.
I accidentally copied the "Client Id" from registered apps instead of the Object ID. Please check again.

I

    { "name": "yourownattributename", "dataType": "String", "targetObjects": [ "User" ] }

yielded

 {
     "@odata.context": "https://graph.microsoft.com/beta/$metadata#applications('<redacted id>')/extensionProperties/$entity",
     "id": "b68ef4c2-e4d0-4245-8291-<redacted>",
     "deletedDateTime": null,
     "appDisplayName": "<redacted app name>",
     "name": "extension_<redacted id>_<yourownattributename>",
     "dataType": "String",
     "isSyncedFromOnPremises": false,
     "targetObjects": [
         "User"
     ]
 }


0 Votes

I had to create a new B2C user with an email address at @my-tenant-name.onmicrosoft.com and grant it Global Admin rights for this to work.

I was using an account with @#ext# in it when I initially logged into graph explorer.

Thanks for the feedback!

0 Votes
soumi-MSFT answered YashwanthYenugu-6438 commented

@YashwanthReddyYenugu-2268, if you create a custom user attribute, that attribute is not added to any user by itself; instead it is connected to one of the user flows, such as the sign-up/sign-in policy. When the user goes through the sign-up/sign-in policy, a text box appears in which to enter the value for that custom user attribute.

You can read more about it here: https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-custom-attributes#use-a-custom-attribute-in-your-user-flow

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.


@soumi-MSFT , Thank you for the quick response.
My use case is that only the admin should be able to create the user and add custom attributes and values for that user. Users shouldn't be given access to edit their profile or even sign up. (I'm using custom policies for the user flow.)

1 Vote
GurpreetArora-9536 answered

Hey @amanpreetsingh-msft, can we add a new attribute at the time of updating user details using Graph API?

Let's say the user was already created using Facebook login, with details like Name, Country, etc. stored in B2C. Now, using the Update method of Graph API, I need to add new attributes such as Description and Language.

Is it possible?

When I try to add a new attribute using the Update method I get the following error.

    Code: Request_BadRequest
    Message: One or more property values specified are invalid.
    Inner error
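As an added example (not code from this thread or from Microsoft), the following Python builds the two Graph requests from the step-by-step answer above, derives the `extension_<appId>_<name>` attribute name a user PATCH must use, and refuses PATCH keys that are not registered extension properties, which is the check relevant to the Update question just above. Every id, tenant and user name in it is a constructed placeholder, and the delegated scope named in the comment is an assumption.

```python
# Added example, not code from the thread: builds the two Graph requests the
# answer walks through and derives the attribute name a PATCH body must use.
# All ids, tenant and user names below are constructed placeholders.
import json
import re

GRAPH = "https://graph.microsoft.com/beta"
GUID_FLAT = re.compile(r"^[0-9a-f]{32}$")


def extension_attribute_name(app_client_id: str, attribute: str) -> str:
    """Directory extensions are named extension_<appId without hyphens>_<name>.
    appId is the app's client id; the object id is only used in the POST URL."""
    flat = app_client_id.replace("-", "").lower()
    if not GUID_FLAT.match(flat):
        raise ValueError("app_client_id must be a GUID")
    return f"extension_{flat}_{attribute}"


def build_create_extension(tenant: str, app_object_id: str, attribute: str) -> dict:
    """Steps 7 and 8: POST to the registering application's extensionProperties.
    Assumed delegated scope for this call: Application.ReadWrite.All, which is
    narrower than the Directory.AccessAsUser.All used in the answer."""
    body = {"name": attribute, "dataType": "String", "targetObjects": ["User"]}
    return {"method": "POST",
            "url": f"{GRAPH}/{tenant}/applications/{app_object_id}/extensionProperties",
            "body": json.dumps(body)}


def registered_names(extension_responses: list) -> set:
    """Collects the full names Graph returns for created extension properties."""
    return {r["name"] for r in extension_responses}


def build_patch_user(user_upn: str, values: dict, registered: set) -> dict:
    """Step 9: PATCH the user. A key that is not a created extension property
    (e.g. a bare 'Description') is not a user property, so it is rejected here
    instead of being sent to Graph."""
    unknown = sorted(k for k in values if k not in registered)
    if unknown:
        raise ValueError(f"not registered extension properties: {unknown}")
    return {"method": "PATCH", "url": f"{GRAPH}/users/{user_upn}",
            "body": json.dumps(values)}


# Constructed response shaped like the one quoted in the comments above.
SAMPLE_CREATE_RESPONSE = {
    "name": "extension_11111111222233334444555555555555_Role",
    "dataType": "String",
    "targetObjects": ["User"],
}
```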
