I made a method that creates ExtensionProperty for User and it works - I'm able to define a property for a User and then read/write its values for the Application. But I do not see these as User Attributes in the portal.
So what are User Attributes (Portal => Azure B2C => User Attributes) ? How are they related to Extension Properties? How should ExtensionProperty be defined to show up in the Portal?
@alvipeo The method you are following for schema extension (https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions), creates attribute in Azure AD but the result will not show up in the portal, because B2C service itself tracks it, rather than looking at the directory. If you create the attribute again under B2C > User Attributes with the same name, then B2C will reconcile it and show it in the portal. But, as of now it is not possible to programmatically create a User Attribute that will show up in the Portal.
To answer your second question, schema extension is done under user context and the account must have Directory.AccessAsUser.All permission. Although we use Object ID of the application during this process but the application doesn't need to be authenticated using client secret or certificate.
Please "Accept as answer" wherever the information provided helps you to help others in the community.
Hey @alvipeo
User Attributes are typically meant for AAD B2C custom policies and user flows but their underlying technical mechanics utilize the extension properties. Note that extension properties are the same thing as schema extensions.
Essentially they are the same, but User Attributes are oriented around AAD B2C users. The docs on this can be found here : https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-custom-attr
For more information on extension properties please see the follow links below: https://docs.microsoft.com/en-us/powershell/azure/active-directory/using-extension-attributes-sample?view=azureadps-2.0
https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions
https://docs.microsoft.com/en-us/graph/api/resources/schemaextension?view=graph-rest-1.0
There is currently no blade to display extension properties, you have to use the MSFT Graph API in order to see them. If you're interested in this feature, I suggest filing this as feedback against the AAD Uservoice feedback here : https://feedback.azure.com/forums/169401-azure-active-directory
Please let us know if you have anymore questions in regards to this,
Thanks,
- Frank Hu
As I said I already have the code that defines extension properties on User, reads/writes its value and unregister extension. What I can't understand is how to create those extensions that are available in the Portal as User Attributes?
Are those kind of extensions defined not for a User but for other object? As it states here,
https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions
The property types above can be registered on the following objects in a directory:
User
Group
TenantDetail
Device
Application
ServicePrincipal
So for which object should I register an extension to see it in the portal???
If I request getAvailableExtensionProperties I do see the User Attribute I created in the portal. But I need to create it in code! So please let me know how? I just tried for Tenant - it doesn't show up in the Portal. So it's some other kind of extension.
No, I can't create User Attribute so it would appear in the Portal's User Attributes.
I found the app with the name of "b2c-extensions-app. Do not modify. Used by AADB2C for storing user data.", created an Extension Property for this app (target is User). But I don't see this new User Attribute in the Portal. What am I missing?
@alvipeo Azure AD B2C shares some functionality with the standard Azure AD enterprise tenant. When you directly extend schema by adding new attribute for users, using the b2c-extensions-app, that attribute becomes available only for the standard Azure AD functionality of the Azure AD B2C tenant but not for the B2C functionality.
On the other hand, if you extend schema by using Portal => Azure B2C => User Attributes to add new attribute, it utilizes b2c-extensions-app to extend the schema and the new attribute becomes available for both standard Azure AD as well as the B2C functionality and the attribute name will be in below format:extension_< AppID of b2c-extensions-app >_AttributeName
You can use below cmdlet to see this attribute under extensionProperty of the user, if this attribute is assigned with a value:
Get-AzureADUser -ObjectId < User's Object ID > | select -ExpandProperty ExtensionProperty
or by using below graph call at https://developer.microsoft.com/en-us/graph/graph-explorer#
GET https://graph.microsoft.com/beta/users/username@your_tenant.onmicrosoft.com
Please "Accept as answer" wherever the information provided helps you to help others in the community.
Just to be clear - are you saying there's not way to create a User Attribute that will show up in the Portal programmatically?
Because these are 2 attributes - the first (IsGlobalAdmin) is created with the Portal.
The second created with code (testAttribute):
They are exactly what you said - they belong to the same app, but only one that was created by the Portal is visible. So, the IsGlobalAdmin is present in the Portal, testAttribute is not! How are they different? Can I create the visible in the Portal user attribute in code? How?
Look at what I see in the Portal:
Also, I see that this Azure B2C extensions app doesn't have any secrets nor certificates. So how does it authenticates then? I mean if I need to create a new User Attribute for this internal app, how can I do this?
(For my own app registration I use app secret and it works.)
In my example mentioned previously I just used AppID of that internal app in the POST request and it created that 'testAttribute' (which is not present in the Portal for some reason).
6 people are following this question.
