I have added a custom User Attribute named Company Name via:
Azure AD B2C > User attributes
so that this information can be returned in the identity token after successful sign in.
I want to update these values for each user in the Azure AD B2C tenant.
As I understand it:
I cannot update these values via Azure Portal
The only way to update these values is via Microsoft Graph, specifically these methods:
Get user
Update user
I don't want to have to create an application just to be able to perform this basic administrative task.
So I am looking at:
Microsoft Graph PowerShell SDK
I installed the Microsoft Graph PowerShell SDK in PowerShell 7.
I was prompted to sign in via the browser after running this command:
Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All"
At this point I was confused which credentials to login with.
I logged in using my 'home tenant' Azure AD credentials.
(i.e the admin credentials of the Azure AD tenant from which I created the Azure AD B2C tenant - which then automatically created a guest account in the B2C tenant with the user principal name of info_my-home-tenant.onmicrosoft.com#EXT##my-dev-tenant.onmicrosoft.com).
I made the decision because I don't think I have any Azure AD B2C credentials.
(to access Azure AD B2C when I am logged into Azure Portal with my Azure AD credentials, I just click on 'switch directory').
I then ran:
Get-MgUser
And it, predictably, returned the users from my home Azure AD tenant, not the Azure AD B2C tenant.
So my question is:
In PowerShell 7, with the Microsoft Graph PowerShell SDK installed, how do I sign in so that I can interact with the Azure AD B2C tenant users, rather than my 'home' directory tenant users.
EDIT:
I started trying to follow the process described here:
Use app-only authentication with the Microsoft Graph PowerShell SDK
The first step is:
You'll need an X.509 certificate installed in your user's trusted store on the machine where you'll run the script
I created an Application Registration, however in the Certificates & secrets section it says:
Please note certificates cannot be used to authenticate against Azure AD B2C.
I agree this is tricky. Below are the steps you can use to successfully sign in to Azure AD B2C using Microsoft Graph SDK, and update a user's custom attribute value.
This post is divided into two sections:
Variables (which lists the variable values required and where to find them)
Commands (which lists the commands required)
This post assumes we have a custom attribute named Company Name defined in Azure AD B2C:
PowerShell Microsoft Graph SDK Reference
To orientate yourself, here is the link to the Microsoft.Graph.Users section:
Microsoft.Graph.Users
Variables
Below are the variables that will be referenced in this post and where to find them.
You might want to grab them at the start of the process so you can easily reference them later.
azure_ad_b2c_tenant_id
Azure AD B2C directory > Azure AD > Tenant ID
extensions_app_id
Azure AD B2C > App registrations > [ select 'All applications' ]
Click on the item named:
b2c-extensions-app. Do not modify. Used by AADB2C for storing user data.
Copy the Application (client) ID value
Remove the dashes from this value when using it in PowerShell
custom_attribute_property
This is a string of concatenated values with this syntax:
extension_<your-extensions-app-application-id>_<your-custom-attribute>
For example: extension_lalala1234etc_CompanyName
user_id
Azure AD B2C > Users > [ click on desired user ] > Object ID
Commands
01. Connect to your Azure AD B2C tenant
Connect-MgGraph -TenantId "<azure_ad_b2c_tenant_id>" -Scopes "User.ReadWrite.All"
This will prompt you to login with your Azure AD home tenant credentials.
02. Sanity check - list all users to confirm you are in the right tenant
Get-MgUser
// you can make the results prettier by using Format-List and defining the columns you want displayed
Get-MgUser | Format-List ID, DisplayName, UserPrincipalName
03. Sanity check - see what the value of the custom attribute currently is for all users and a single user
// all users - these do not work:
Get-MgUser | Format-List ID, extension_<your-extensions-app-application-id>_CompanyName
Get-MgUser -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
// single user - these do not work:
Get-MgUser -UserId "<user-id>" | Format-List ID, DisplayName, UserPrincipalName, extension_<your-extensions-app-application-id>_CompanyName
Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
// single user - this works:
$existingUser = Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
$existingUser.AdditionalProperties | Format-List
04. Update a single user's custom attribute
$params = #{extension_<your-extensions-app-application-id>_CompanyName='Test Company'}
Update-MgUser -UserId "<user-id>" -BodyParameter $params
05. Verify the update was made
$existingUser = Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
$existingUser.AdditionalProperties | Format-List
The decoded idToken that is returned after sign in will look like this:
Or, if signing in via an identity provider (in this case the home AD tenant), the decoded idToken will look like this:
Related
Using the Microsoft Graph API v 1.0, how can I retrieve the user's MFA details?
For example, if I have an email based sign-in/sign-up policy with phone/SMS MFA, how can I see the phone number entered by the user? (and also set update it)
I know if I select 'identities' in the GET /users method I can see the email they've signed up with, but not the phone number they set for MFA. (https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0)
Of course I'm looking for all the mfa settings: mfa phone number, mfa email address, is mfa set, etc.
Hopefully there is some kind of extension attribute that contains this that I can select, and set on creation, but I cannot find documentation on this.
[UPDATE]
In the Azure portal, I can see the entered data if I go to user > profile > authentication methods. So I tried accessing the authentication relationships on the user. but it didn't provide any details (all empty arrays) https://learn.microsoft.com/en-us/graph/api/resources/authentication?view=graph-rest-1.0
There's a write-up here.
e.g:
GET https://graph.microsoft.com/beta/users/objectID/authentication/methods
I created a Twins instance and got a basic example up and running. A few days go by and I launch the Twins Explorer from my dashboard in Azure Portal. The Single Sign on lets me sign on using my Microsoft Account and upon logging in it states:
Selected user account does not exist in tenant 'Microsoft Services' and cannot access the application '856....' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.
How can I resolve this?
Successful Login After Host Popup with No Changes
As of the writing of this message, and after previous failed attempts, the Twins Dashboard (no settings changed mind you), on the last attempt the Enter Host popup was preseented to me. I was allowed to re-add my host and it worked.
I have created one application where I am using MS oauth2. But It's allowing only my Azure AD user to use MS auth. I want to make it available for all outlook users. So what changes I need to made in manifest or any other file in Azure?
I am Getting below screen after login using any other outlook account:
It seems you are having trouble with personal#outlook.com account while login azure portal tenant
Error You Have Encountered :
I have successfully reproduce your problem. See the screen shot below:
Reason Of Error:
The email account you are trying to log in with. Is not exist on your current tenant.
Resolution:
Go to your tenant where you would like to add your example.outlook.com account to login into and follow below steps:
Azure portal
Azure Active Directory
Users
New Guest User
Put Your example#outlook.com email
Invite
See the screen shot below:
Issue Solution and Test:
After above steps I have successfully login with example#outlook.com. See the screen shot below:
Access Code:
Access Token With Code:
Decode Token:
You can decode your token on https://jwt.io/
See the screen shot below:
Note: Once you successfully add your example.outlook.com email account on your tenant you can get your token with login.
I am working with Graph Explorer to experiment with permissions:
https://developer.microsoft.com/en-us/graph/graph-explorer
When I authenticate to Graph Explorer, it always sends queries to the AD tenant that my identity is created in.
However, the identity I am using can query multiple Azure AD tenants.
How can I change default tenant in Graph Explorer
If you want to sign into your own tenant in Graph explorer, use tenant query string parameter.
https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=contoso.onmicrosoft.com
A simple url to go to Graph explorer is https://aka.ms/ge, when you land on the destination, just add tenant query string parameter (domain name or tenantId, both work).
If you are already signed into a tenant, you will have to logout from
there. currently automatic switch of tenant is not supported.
Create a service account in the tenant you want to access.
Create a Service account with appropriate accesses/groups in the Target Tenent.
In a clean/Private Window bring up https://aka.ms/ge the Graph Explorer. Note that the test tenant will be engaged.
Select the user button and initiate a login with the credentials setup in step 1.
Initiate the first Get the Get My Profile to verify the service account logged in is found.
This is fundamentally how Microsoft Graph works, it retrieves data from the tenant you (or your app) authenticated against. It cannot query across multiple tenants.
Current auth system has a auth table:
uid | username | password
What should I do if I want to enable the user to sign up and login with facebook, twitter account.
Create a different table to store the tokens?
I would have a separate table with at least the following fields:
uid|system(facebook or twitter)|private token|public token
The system field would have to link to another table that holds the public/private application tokens for each system. This allows you to add in additional systems (Google Plus, Linked in, etc.) without having to change the DB model.