
You can utilize the Microsoft Graph API to populate the "can_impersonate" extended attribute

Open · mmushatt opened this issue 5 years ago · 1 comment

In the "Impersonation Flow for Azure AD B2C" procedure (https://github.com/azure-ad-b2c/samples/tree/master/policies/impersonation), instead of having the users populate the "extension_GUID_can_impersonate" attribute using the Azure Graph API Explorer (https://graphexplorer.azurewebsites.net/), you can have them utilize the Microsoft Graph API Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer). Listed below is what they can do.

  • I am assuming you created the "extension_GUID_can_impersonate" attribute using either the Azure B2C Portal Blade (Define custom attributes in Azure Active Directory B2C: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-custom-attr) or the Azure Graph API per the GitHub (Extend Azure Active Directory Schema using Graph API: https://blogs.msdn.microsoft.com/aadgraphteam/2014/03/05/extend-azure-active-directory-schema-using-graph-api-preview/)

  • Go to the Microsoft Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer) and log into the App using an account that can consent and modify the users' accounts (example: Global Admin)

  • Verify that the "extension_GUID_can_impersonate" attribute does exist using the following request.

    GET https://graph.microsoft.com/beta/applications/{Application_Object_ID}/extensionProperties

  • Display the user you wish to modify to verify that the extension attribute is not populated for them

    GET https://graph.microsoft.com/beta/users/{GUID_or_UPN}

  • Modify the user object to populate the extension attribute

    PATCH https://graph.microsoft.com/beta/users/{GUID_or_UPN}
    Content-Type: application/json

    { "extension_GUID_can_impersonate": "1" }

    NOTE: If successful, you should see an HTTP 204 return

  • Verify that the extension attribute now exists for the user and is populated:

    GET https://graph.microsoft.com/beta/users/{GUID_or_UPN}

After doing this, the Impersonation Flow for Azure AD B2C policy should work as desired

mmushatt · Dec 19 '19 18:12
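The same four Graph calls as one script, added here as an example (not code from the issue or from the azure-ad-b2c/samples repository). The bearer token, `APP_OBJECT_ID` and the exact attribute name are assumed placeholders, and the `send` parameter exists so the sequence can be exercised offline against a fake transport.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/beta"
# Placeholders (assumed): the b2c-extensions-app object id and the full
# attribute name, i.e. extension_<app id without dashes>_can_impersonate.
APP_OBJECT_ID = "<Application_Object_ID>"
EXTENSION_NAME = "extension_<GUID>_can_impersonate"


def graph_request(token, method, path, body=None):
    """Send one Graph call with a bearer token; returns (status, json or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        raw = resp.read()                       # empty body for a 204
        return resp.status, (json.loads(raw) if raw else None)


def extension_exists(props, name):
    """True if 'name' is listed by GET /applications/{id}/extensionProperties."""
    return any(p.get("name") == name for p in props.get("value", []))


def set_can_impersonate(token, user, value="1", send=graph_request):
    """The issue's sequence: confirm the property is defined, confirm the
    user does not already carry it, PATCH it, then re-read the user.
    'send' is injectable so the flow can run against a fake transport;
    returns the value read back after the PATCH."""
    _, props = send(token, "GET", f"/applications/{APP_OBJECT_ID}/extensionProperties")
    if not extension_exists(props, EXTENSION_NAME):
        raise RuntimeError(f"{EXTENSION_NAME} is not defined on the extensions app")
    _, before = send(token, "GET", f"/users/{user}")
    if before.get(EXTENSION_NAME) is not None:
        raise RuntimeError("attribute already populated; not overwriting it")
    status, _ = send(token, "PATCH", f"/users/{user}", {EXTENSION_NAME: value})
    if status != 204:  # the issue notes a 204 on success
        raise RuntimeError(f"PATCH returned HTTP {status}")
    _, after = send(token, "GET", f"/users/{user}")
    return after.get(EXTENSION_NAME)
```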

Thanks, we will change this now that the MS Graph API is supported for B2C accounts.

JasSuri · Jan 02 '20 11:01