Question (1 vote)

Asked by alvipeo

User Attributes and ExtensionProperties - how are they related?

I made a method that creates ExtensionProperty for User and it works - I'm able to define a property for a User and then read/write its values for the Application. But I do not see these as User Attributes in the portal.

So what are User Attributes (Portal => Azure B2C => User Attributes)? How are they related to Extension Properties? How should an ExtensionProperty be defined to show up in the Portal?

Tags: azure-active-directory, azure-ad-b2c

Answer by amanpreetsingh-msft (0 votes)

@alvipeo The method you are following for schema extension (https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions) creates an attribute in Azure AD, but the result will not show up in the portal, because the B2C service itself tracks it rather than looking at the directory. If you create the attribute again under B2C > User Attributes with the same name, then B2C will reconcile it and show it in the portal. But, as of now, it is not possible to programmatically create a User Attribute that will show up in the Portal.

To answer your second question, schema extension is done under user context and the account must have the Directory.AccessAsUser.All permission. Although we use the Object ID of the application during this process, the application doesn't need to be authenticated using a client secret or certificate.


Please "Accept as answer" wherever the information provided helps you to help others in the community.


Thank you, now it's all clear.

Answer by FrankHuMSFT-3200 (0 votes)

Hey @alvipeo

User Attributes are typically meant for AAD B2C custom policies and user flows but their underlying technical mechanics utilize the extension properties. Note that extension properties are the same thing as schema extensions.

Essentially they are the same, but User Attributes are oriented around AAD B2C users. The docs on this can be found here: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-custom-attr

For more information on extension properties please see the following links:
https://docs.microsoft.com/en-us/powershell/azure/active-directory/using-extension-attributes-sample?view=azureadps-2.0
https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions
https://docs.microsoft.com/en-us/graph/api/resources/schemaextension?view=graph-rest-1.0

There is currently no blade to display extension properties; you have to use the MSFT Graph API in order to see them. If you're interested in this feature, I suggest filing this as feedback against the AAD Uservoice feedback here: https://feedback.azure.com/forums/169401-azure-active-directory

Please let us know if you have any more questions in regards to this,

Thanks,
- Frank Hu


As I said, I already have the code that defines extension properties on User, reads/writes their values and unregisters the extension. What I can't understand is how to create those extensions that are available in the Portal as User Attributes.

Are those kinds of extensions defined not for a User but for another object? As it states here,
https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions

The property types above can be registered on the following objects in a directory:

User
Group
TenantDetail
Device
Application
ServicePrincipal

So for which object should I register an extension to see it in the portal?

If I request getAvailableExtensionProperties I do see the User Attribute I created in the portal. But I need to create it in code! So please let me know how? I just tried for Tenant - it doesn't show up in the Portal. So it's some other kind of extension.


ok, I think I figured that out. Give me an hour.


No, I can't create User Attribute so it would appear in the Portal's User Attributes.

I found the app with the name of "b2c-extensions-app. Do not modify. Used by AADB2C for storing user data.", created an Extension Property for this app (target is User). But I don't see this new User Attribute in the Portal. What am I missing?

Answer by amanpreetsingh-msft (1 vote)

@alvipeo Azure AD B2C shares some functionality with the standard Azure AD enterprise tenant. When you directly extend the schema by adding a new attribute for users using the b2c-extensions-app, that attribute becomes available only for the standard Azure AD functionality of the Azure AD B2C tenant, but not for the B2C functionality.

On the other hand, if you extend the schema by using Portal => Azure B2C => User Attributes to add a new attribute, it utilizes the b2c-extensions-app to extend the schema, the new attribute becomes available for both standard Azure AD and the B2C functionality, and the attribute name will be in the format below:
extension_< AppID of b2c-extensions-app >_AttributeName

You can use the cmdlet below to see this attribute under the ExtensionProperty of the user, if this attribute has been assigned a value:

 Get-AzureADUser -ObjectId < User's Object ID > | select -ExpandProperty ExtensionProperty

or by using the Graph call below at https://developer.microsoft.com/en-us/graph/graph-explorer#

 GET https://graph.microsoft.com/beta/users/username@your_tenant.onmicrosoft.com


Please "Accept as answer" wherever the information provided helps you to help others in the community.

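An added example (not code from this thread or from Microsoft) that applies the naming rule from the answer above to a Graph user object: it parses the extension_<AppID>_AttributeName properties out of a constructed /beta/users response, picks out the ones stored under the b2c-extensions-app, and reports any other app registrations holding data on the user. The AppID, user and values are placeholders; it assumes the hyphen-free form of the AppID in the property name, which is how Graph exposes it.

```python
import json
import re

# Constructed sample response for GET https://graph.microsoft.com/beta/users/{id}
# (placeholder GUIDs; not real tenant data). The beta endpoint returns extension
# properties inline, named extension_<AppID without hyphens>_<attributeName>.
SAMPLE_USER_JSON = """{
  "id": "00000000-0000-0000-0000-000000000001",
  "userPrincipalName": "alice@contoso.onmicrosoft.com",
  "extension_11111111222233334444555555555555_IsGlobalAdmin": true,
  "extension_11111111222233334444555555555555_testAttribute": "set by code",
  "extension_aaaaaaaabbbbccccddddeeeeeeeeeeee_Department": "Sales"
}"""

# Placeholder AppID of the tenant's "b2c-extensions-app" (read it from App
# registrations in a real tenant; this value is made up for the example).
B2C_EXTENSIONS_APP_ID = "11111111-2222-3333-4444-555555555555"

EXTENSION_RE = re.compile(r"^extension_([0-9a-f]{32})_(.+)$", re.IGNORECASE)

def load_sample_user() -> dict:
    """Parse the constructed Graph response into a dict."""
    return json.loads(SAMPLE_USER_JSON)

def extension_property_name(app_id: str, attribute: str) -> str:
    """Build the directory property name for an extension attribute."""
    return f"extension_{app_id.replace('-', '').lower()}_{attribute}"

def extension_attributes(user: dict) -> dict:
    """Map (AppID without hyphens, attribute name) -> value for every
    extension property present on a Graph user object."""
    found = {}
    for key, value in user.items():
        match = EXTENSION_RE.match(key)
        if match:
            found[(match.group(1).lower(), match.group(2))] = value
    return found

def attributes_for_app(user: dict, app_id: str) -> dict:
    """Attributes stored under one application (e.g. b2c-extensions-app)."""
    wanted = app_id.replace("-", "").lower()
    return {name: value for (app, name), value in extension_attributes(user).items()
            if app == wanted}

def foreign_extension_apps(user: dict, app_id: str) -> set:
    """Hyphen-less AppIDs other than app_id that store data on this user;
    useful when auditing which registrations hold user data."""
    wanted = app_id.replace("-", "").lower()
    return {app for (app, _name) in extension_attributes(user) if app != wanted}
```

Both IsGlobalAdmin and testAttribute parse as attributes of the same app, which is the point of the answer: the name format does not reveal whether B2C itself tracks the attribute, only which registration stores it.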

Just to be clear - are you saying there's no way to programmatically create a User Attribute that will show up in the Portal?

Because these are 2 attributes - the first (IsGlobalAdmin) is created with the Portal.
[image]

The second created with code (testAttribute):
[image]

They are exactly what you said - they belong to the same app, but only the one that was created by the Portal is visible. So, IsGlobalAdmin is present in the Portal, testAttribute is not! How are they different? Can I create a user attribute that is visible in the Portal in code? How?

Look at what I see in the Portal:
[image]



Also, I see that this Azure B2C extensions app doesn't have any secrets or certificates. So how does it authenticate then? I mean, if I need to create a new User Attribute for this internal app, how can I do this?

(For my own app registration I use app secret and it works.)

In my example mentioned previously I just used AppID of that internal app in the POST request and it created that 'testAttribute' (which is not present in the Portal for some reason).
