I have added custom attributes during Sign-up and added the same in the application claim in Azure AD B2C management portal.
I was expecting these custom attributes to be added as part of the user profile who signed-up using their social identity provider.
Could someone help me on getting these custom attributes in the user profile screen of Azure AD B2C?
Besides creating the custom attribute, you need to add it to your policy's Attributes. Optionally you can also configure the attribute as an application claim.
You do this in the "Sign-up attributes" or "Edit profile attributes" section while editing your policy.
Keep in mind this is different from adding the attribute to your application claims.
While the former shows it in the UI allowing the user to edit the attribute, the latter sends the value of that attribute to the application in the id_token.
See the use a custom attribute in your policy documentation for more info.
It is also worth noting that at this time, custom attributes do not show up in the Azure portal's Users & Groups blade. As an admin, you can only view and update those using the Graph. You can request this as a feature in the Azure AD B2C feedback forum.
I have an app that is implementing SCIM 2.0.
I have connected this app to my Azure AD and I am succeeding to provision users and groups to my app from Azure AD.
I want to add a custom attribute and manage the value of that attribute in Azure AD for every user or a group and add that data to my provisioning mapping - to send it to my app as part of the provisioning process.
I can't find where in Azure AD I can do that.
I have tried to add a custom security attribute, and I have assigned it to my app. But when I go to the provisioning mapping, the attribute is not in the list of source attributes that I can choose from.
I have also tried to add a custom attribute (which I was able to choose in the provisioning mapping), but I did not find where I can manage the value of this attribute for a user in the Azure AD. It looks like it can only be filled in a user flow (login with SSO), which is not my case.
I did not find a way to create a custom attribute for a group and manage its values in the Azure AD and then add to provisioning group mapping.
I saw that there are extension attributes, but where in Azure AD can I enter data into these attributes for specific users or groups?
Can anyone help?
Is there a completely different way to add extra information to user / group and send it from Azure AD to my app using SCIM?
• When you provision an application in Azure AD through SCIM (System for Cross-Domain Identity Management) for the purpose of provisioning the Azure AD users to the ‘Enterprise application’ created in Azure AD tenant, you enter the URL of the application’s SCIM endpoint as ‘https://api.contoso.com/scim/’ and since it requires an OAuth bearer token from an issuer other than Azure AD as it can validate this token issued by the Azure AD itself. Therefore, in the ‘Mappings’ section of the ‘Provisioning’ section for the Azure AD enterprise application, you have the option for reviewing the attributes that are synchronized from Azure AD to the SCIM provisioned app. These attributes are selected as ‘Matching’ properties and are used to match the users and groups in your app for update operations.
Also, to add the extension attributes to the user in Azure AD for them to be exported to the SCIM provisioned application, you will need to create a dynamic group with members added to them via a dynamic query as shown below. Before that, you will have to synchronize the extension attributes through Azure AD connect utility from the on-premises AD that were created there already. Then, these already created extension attributes can be selected to be mapped with the SCIM provisioned app as below: -
Complete the expression to suit your requirements. As above, the rule is set to ‘(user.extension_9d98ed114c4840d298fad781915f27e4_division -eq "Sales and marketing")’.
• Secondly, you can also create extension attributes for users that are to be synchronized from Azure AD to the SCIM provisioned application through Microsoft Graph API as shown below: -
First, create a 'GET' request to the object ID of the SCIM provisioned application to check that the request status is success. Then, send a 'POST' request to the object ID of the SCIM provisioned application as shown below with the custom extension attribute in the body of the request: -
Now, since this custom extension attribute is created without any value, you will have to update this attribute with a value so that this attribute is synchronized to the SCIM provisioned application accordingly as shown below: -
Thus, as shown above, you can add custom extension attributes to any Azure AD user and synchronize these attribute values to the SCIM provisioned app.
For more detailed information on the above, please refer to the below links: -
https://learningbydoing.cloud/blog/getting-started-with-azuread-extension-attributes/#:~:text=Go%20to%20the%20Azure%20AD,settings%20default%20and%20click%20Register.
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions
Security Groups (Application Roles) are not currently supported in Azure AD B2C and it is the highest requested feature on the Azure AD B2C Feedback:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/10123836-get-user-membership-groups-in-the-claims-with-ad-b
Other threads are recommending Custom Attributes to simulate this:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/31997947-support-application-specific-roles-in-b2c
I added, via Azure blades UI, a Custom Attribute of type String and named it RoleAttr and assigned it against the B2C_1_SignUpSignIn User Flow (Policies) and added it to the Application claims.
For testing purposes, all done via UI, if I add this attribute to User attributes, when a user is signing up, he/she is getting a new field called RoleAttr, which means it is working (I guess?!). But this is not my intention as this value should be assigned by an admin and not by the user, my intention is to get it as part of the claims.
1 - How can I edit this value from Azure blades UI (I can only see the Built-In attributes, not the custom ones)?
2 - Can I do this programmatically (PowerShell, C#, Graph API, etc.)? Say by creating a tool that will act on behalf of an admin and manipulate a user object using his/her Object Id?
1) Currently, you can't edit the custom attributes (a.k.a. the extension properties) for a user object via the Azure portal.
2) You can manage the extension properties for a user object using the Azure AD Graph API with the Azure AD B2C tenant.
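An added example of what such an admin tool would send, written here and not taken from the answer above. It uses Microsoft Graph, the successor of the Azure AD Graph API the answer names; the application and user IDs are placeholders, and the attribute-name rule (letters and digits only) is an assumption.

```python
# Added example: request builders for managing a B2C custom attribute through
# Microsoft Graph (successor of the Azure AD Graph API named in the answer).
# All IDs are placeholders; sending is optional so the logic runs offline.
import json
import re
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")  # assumed rule: letters/digits only


def graph_attribute_name(extensions_app_client_id: str, attribute: str) -> str:
    """Graph exposes a B2C custom attribute as extension_<appId>_<Name>, where
    appId is the client ID of the tenant's b2c-extensions-app without dashes."""
    if not NAME_RE.match(attribute):
        raise ValueError(f"invalid custom attribute name: {attribute!r}")
    return f"extension_{extensions_app_client_id.replace('-', '')}_{attribute}"


def create_attribute_request(extensions_app_object_id: str, attribute: str,
                             data_type: str = "String") -> tuple:
    """POST that registers the attribute on the b2c-extensions-app (addressed by
    its object ID, not its client ID) so it can be stored on user objects."""
    url = f"{GRAPH}/applications/{extensions_app_object_id}/extensionProperties"
    return "POST", url, {"name": attribute, "dataType": data_type,
                         "targetObjects": ["User"]}


def set_attribute_request(user_object_id: str, graph_name: str, value) -> tuple:
    """PATCH that writes the value on one user. Only a caller holding an admin
    Graph token can do this; the user never sees the attribute unless a
    sign-up or edit-profile policy exposes it."""
    return "PATCH", f"{GRAPH}/users/{user_object_id}", {graph_name: value}


def read_attribute_request(user_object_id: str, graph_name: str) -> tuple:
    """GET that reads the value back. Graph omits extension values unless they
    are listed in $select, so a plain GET looks as if nothing was written."""
    return "GET", f"{GRAPH}/users/{user_object_id}?$select=id,{graph_name}", None


def send(method: str, url: str, body, access_token: str) -> dict:
    """Send one prepared request with an admin token; {} for a 204 response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp) if resp.status != 204 else {}
```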
I am running a Dot Net web application on App Service in an Azure subscription.
My application uses Azure B2C with an Azure Active Directory for user authentication.
Users are redirected from my application's base URL to the B2C login page, which has been customised to show the company logo.
Now, I'll need to point a second domain to the same application, and when users hit the application through that domain, I will need the login page to display a completely different logo. The choice of the logo is not based on language or location. It is purely based on the domain the user used to get to the application in the first place.
I see the Branding option is at the AD level, not at the B2C level. Therefore, all B2C applications registered under the same AD will be sharing the same login page.
AD only seems to allow me to create additional login page customisations based on language/region pairs.
Is there any way I can have multiple customised login pages using the same AD?
I would be willing to register multiple B2C applications and redirect users to the login page with different application Ids if necessary. I could change my code to identify the domain the user used to get to the application and then use the correct Id, but I couldn't find a way to have different login page customisations for different B2C applications under the same AD.
Following on from the previous answer by #Sunny, you can select the custom page UI based on any of the authentication request parameters, using a custom policy.
Example 1: Select on the standard "client_id" parameter
The following content definition loads the custom page UI where the client_id parameter is part of the URL path to the page resource:
<ContentDefinition Id="api.signuporsignin">
<LoadUri>https://somewhere.com/{OIDC:ClientId}/signuporsignin.html</LoadUri>
</ContentDefinition>
Example 2: Select on a non-standard "brand" parameter
The following content definition loads the custom page UI where the brand parameter is part of the URL path to the page resource:
<ContentDefinition Id="api.signuporsignin">
<LoadUri>https://somewhere.com/{OAUTH-KV:brand}/signuporsignin.html</LoadUri>
</ContentDefinition>
The main advantage of including parameters as parts of the URL paths to the page resources is that these page resources can be deployed to a storage service, such as Amazon S3 or Azure Storage, where this storage service doesn't support a query string parameter that is described by the "Step 8: Add dynamic content" section in the "Azure Active Directory B2C: Configure the UI with dynamic content by using custom policies" document.
The Azure AD B2C tenant represents a collection of identities to be used with relying party applications. It can use Customize UI dynamically to configure the identity provider selection page for sign-in or sign-up, but what you want to configure is just for the different Azure AD tenants; all of them are considered the same kind of identity provider in Azure AD B2C, so it cannot do this like the Company Branding in Azure AD.
How does one implement user groups to protect the APIs using .net core 2.0 and Azure AD B2C?
Most of my functions are available for anyone to use, but there are a handful that are for administrators only (e.g. delete account, list all users, etc.).
In Azure one can set up a bunch of custom claims, but the user seems to have permission to edit these claims.
So, for example, I could set up an attribute which is 'Group' and set the value to 'User' or 'Administrator', but it appears to me the user could edit this attribute, thus making the whole scheme worthless.
How?
Custom attributes are not editable by the user unless they are exposed in a B2C policy (like a sign-up or edit policy).
You can set custom attributes through the Azure AD Graph API.
or
You can set custom attributes by sending a JWT to B2C with Custom Policies. One example is here.
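An added example, not from the thread, of the server-side check that makes such a Group attribute usable for protecting the admin-only operations named in the question. It assumes the API has already validated the B2C token's signature, issuer and audience and hands over its claims as a dict; note that in B2C-issued tokens the custom attribute "Group" arrives as "extension_Group", without the app-ID segment its Graph name carries.

```python
# Added example (not from the thread): authorization on the validated claims
# of a B2C token. The custom attribute "Group" from the question is delivered
# as the claim "extension_Group"; its value is only trustworthy because no
# sign-up or edit-profile policy exposes it, so only an admin can set it.
ROLE_CLAIM = "extension_Group"
KNOWN_ROLES = {"User", "Administrator"}
ADMIN_ONLY = {"delete_account", "list_all_users"}  # operations from the question


def role_of(claims: dict) -> str:
    """A missing, empty or unknown value is treated as the least-privileged
    role, so a user created before the attribute existed is never an admin."""
    value = claims.get(ROLE_CLAIM)
    return value if value in KNOWN_ROLES else "User"


def is_authorized(claims: dict, operation: str) -> bool:
    """Admin-only operations need the Administrator value; the rest are open
    to any signed-in user, as the question describes."""
    if operation in ADMIN_ONLY:
        return role_of(claims) == "Administrator"
    return True


def handle(claims: dict, operation: str) -> str:
    """Dispatch one request, refusing rather than downgrading admin operations."""
    if not is_authorized(claims, operation):
        raise PermissionError(f"{operation} requires the Administrator group")
    return f"{operation}: ok for {claims.get('sub', '?')}"
```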
I got Azure AD B2C up and running in my ASP.NET Core web app. But I wonder what's the best way to actually approve new users when they sign up? Is there anything built-in?
Now, anyone can click on Sign-Up link and there you go, you provide your data and click a button. And you're in my tenant Azure AD B2C directory! Now, I'd like to have some control over this.
Did I mention every user costs $1/month when you want to customize Azure AD UI??? (as far as I understand it, correct me if I'm wrong). So if someone goes and signs up 1000 users I'll have to pay $1000 for it??
At this time there is no built-in support for user sign-up approval workflows.
You can achieve this by:
Having a custom attribute to determine whether a user has been "approved" or not. You would let users sign up by themselves and you would create an experience or flow that queries the Azure AD Graph for users that haven't been "approved" and then either approve them or delete them.
Building an invitation flow. When you invite a user, you'd create the user through the Azure AD Graph. You would then direct your users to the Password Reset policy as their "account verification" flow.
As for your pricing question, if you customize the UI via the newer unified sign-up/sign-in policies, you'll only pay the regular Azure AD B2C pricing model: between $0.0011 and $0.00063 per user depending on how many you have.
Customizing the UI in the older sign-up policy is not really available. As a workaround, you can use Azure AD Premium's company branding feature which is the one that costs $1 per user. If this is the route you are pursuing, I'd recommend voting for this ask: Fully Customizable Sign-In Page.
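An added example, written here rather than taken from the answer, of the first option above: an admin-side pass that walks the tenant's users, leaves approved ones alone, and plans the Graph call (approve or delete) for each unapproved one. It uses Microsoft Graph, the successor of the Azure AD Graph API the answer names; the attribute name and the two listing pages are constructed placeholders, and nothing is sent.

```python
# Added example (not the answerer's code): planning the approve-or-delete
# pass for users flagged by an "Approved" custom attribute. The Graph name
# and the listing pages below are constructed placeholders.
APPROVED = "extension_<extensions-app-id>_Approved"  # placeholder Graph name
FIRST_PAGE = f"/users?$select=id,displayName,{APPROVED}"


def iter_users(fetch, url):
    """Walk a paged Graph listing, following @odata.nextLink until absent."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def plan_actions(users, approved_ids):
    """For every user not yet approved, produce the call an admin tool would
    send: PATCH the flag to True when the admin approved them, DELETE the
    account otherwise. Already-approved users are left untouched."""
    actions = []
    for user in users:
        if user.get(APPROVED) is True:
            continue
        if user["id"] in approved_ids:
            actions.append(("PATCH", f"/users/{user['id']}", {APPROVED: True}))
        else:
            actions.append(("DELETE", f"/users/{user['id']}", None))
    return actions


# Constructed two-page listing standing in for the Graph responses.
SAMPLE_PAGES = {
    FIRST_PAGE: {
        "value": [{"id": "u1", "displayName": "Ada", APPROVED: True},
                  {"id": "u2", "displayName": "Bob"}],
        "@odata.nextLink": "/users?page=2"},
    "/users?page=2": {
        "value": [{"id": "u3", "displayName": "Cy", APPROVED: False}]},
}


def run_sample():
    """Admin approved u2 only: u1 is skipped, u2 is flagged, u3 is deleted."""
    users = iter_users(SAMPLE_PAGES.__getitem__, FIRST_PAGE)
    return plan_actions(users, approved_ids={"u2"})
```

Until the flag is set, the application itself should treat a signed-in user without `Approved` as not yet admitted, since self-service sign-up already puts them in the tenant.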