
Azure B2C Invite Consumer Users & Retrieve User Permissions

Hello! Can someone provide a general approach to meeting these requirements? I've spent a bit of time researching these various topics and attempting to implement solutions and I'm surprised at how much work is involved. Hopefully I'm missing something.

How do I invite consumer users to a B2C tenant so that they can authenticate into our application using their social accounts (ex: Personal Microsoft or Google accounts)? The only baked in solution on the Azure Portal I've found uses B2C local accounts. Note that I do not want to use a publicly accessible Sign Up flow.
- Presently I'm looking into a custom process that would work by inviting users to a 'local' b2c consumer account and then allowing the user to associate their social account with the local account.

Once users have authenticated (using MSAL v2 Auth Flow w/PKCE), I want to retrieve a list of permissions the user has for our application.
- I'm looking into two options here:
(1) use the auth token to verify user against an internal API that, in turn, makes a call to the Microsoft Graph API to get the user's group memberships.
(2) Create a custom claim that serves the same purpose as user groups

Administrative users of our application need to be able to invite additional users to the application.
- I've found some articles that point, again, to using custom policies.

Thank you very much!

Tags: azure-ad-b2c, azure-ad-msal

Hi, we are investigating your issue and will update you shortly.

Best,
James


1 Answer

JamesHamil-MSFT answered

Hi @SamuelJohnson-8260 , here are the answers that I hope will help you:

How do I invite consumer users to a B2C tenant so that they can authenticate into our application using their social accounts (ex: Personal Microsoft or Google accounts)? The only baked in solution on the Azure Portal I've found uses B2C local accounts. Note that I do not want to use a publicly accessible Sign Up flow.
- Presently I'm looking into a custom process that would work by inviting users to a 'local' b2c consumer account and then allowing the user to associate their social account with the local account.

Ans: The better way to achieve this is to create a local account in the Azure AD B2C directory (via the Azure AD Graph API or the user portal) and then send an email to the user with instructions to select "Forget Password" and update the random password used while creating the local user account initially.
There is another way to achieve the same, and that is using Custom Policies. Using custom policies, you can create an invitation flow. The invitation flow would ideally invite a new user by pre-registering a local account in the Azure AD B2C directory using the Azure AD Graph API and then sending a signed redemption URL to the email address of the local user. This redemption link redirects the user to the password reset policy in Azure AD B2C.

You can also take a look at the following sample, which implements the Invitation User Journey in a custom policy: https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/tree/master/wingtipgamesb2c

Check out "Implementing an invitation flow, Sample by Kloud.docx" in this repo to read more about implementing this policy and the sample app.

Once users have authenticated (using MSAL v2 Auth Flow w/PKCE), I want to retrieve a list of permissions the user has for our application.
- I'm looking into two options here:
(1) use the auth token to verify user against an internal API that, in turn, makes a call to the Microsoft Graph API to get the user's group memberships.
(2) Create a custom claim that serves the same purpose as user groups

Ans: Once the user gets the access token, it should have a property called scp (or scopes). You can find these properties by decoding the JWT access token using a tool like https://JWT.ms . The property scp can be parsed from the decoded JWT access token; that's the property that contains all the delegated permissions (user permissions) that can be used to make further Graph API calls. All applications using MSAL usually read the scp property after decoding the access token to fetch the user permissions.

I hope this helps! Please let me know if you have any other questions.

Best,
James
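As an added illustration of the decoding step described in the answer above (not code from the original thread or from Microsoft), the block below splits a JWT access token, base64url-decodes its payload, and collects the delegated scopes from `scp` together with a custom claim; the custom claim name `extension_AppRoles` and the token contents are constructed sample values. Decoding without checking the signature is fine for inspection, as jwt.ms does; an API that authorizes on these claims must validate the signature and issuer first, which this snippet does not do.

```python
import base64
import json
import time
from typing import Optional

# Assumed name for a B2C custom attribute carrying application roles.
CUSTOM_ROLE_CLAIM = "extension_AppRoles"


def b64url_encode(data: bytes) -> str:
    """base64url without the '=' padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Restore the padding JWTs strip, then decode the segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS. No signature check:
    use only for inspection, never as the basis of an access decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def permissions_from_claims(claims: dict, now: Optional[float] = None) -> dict:
    """Collect delegated scopes ('scp', space-separated string) and any
    values of the custom role claim; reject a token whose 'exp' has passed."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    scp = claims.get("scp", "")
    scopes = scp.split() if isinstance(scp, str) else list(scp)
    roles = claims.get(CUSTOM_ROLE_CLAIM, [])
    roles = roles.split() if isinstance(roles, str) else list(roles)
    return {"scopes": sorted(scopes), "roles": sorted(roles)}


def build_unsigned_sample_token(exp: int) -> str:
    """Constructed sample token with a placeholder signature segment."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"sub": "constructed-user-id", "scp": "Files.Read User.Read",
               CUSTOM_ROLE_CLAIM: ["Admin", "Editor"], "exp": exp}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     "signature-placeholder"])


if __name__ == "__main__":
    sample = build_unsigned_sample_token(exp=int(time.time()) + 600)
    print(permissions_from_claims(decode_jwt_claims(sample)))
```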


Hi @SamuelJohnson-8260 , do you still need help with this issue? If not, please mark the appropriate answer as verified.

Thank you,
James
