Pass parameters to Sign-up policy

Question

I am creating B2C users with Social Identity Providers with the help of a Sign-up policy but we have a requirement to add some user attributes (extended properties) to this new user. For example set "AccountId" for the user.

If i add "AccountId" as a Sign-up Attribute and enter some value it works fine, when I check the user properties via Graph API the "AccountId" is correct.

But in this case the "AccountId" should not be editable or visible to the user, I just want the Sign-up policy to add "AccountId" to the user created with for example facebook,as a hidden field on the Sign-up page.

Is it possible, from my ASP.Net MVC application using Azure B2C AD, to pass this value to the Sign-up page and associate it with a Sign up attribute ? Can it be done via parameter (&accountid=1234) or from some OpenId-propperties ?

Answer 1

Azure AD B2C does not currently accept any extra query string parameters that are used to populate a users profile attributes. There is a request for this in the Azure AD B2C UserVoice forum.

You can, however, achieve the same result by implementing it in yourself in the application using the Graph.

For your specific example, you'd need to ensure you're sending the configure your Signup or Signup/Signin policy to send the newUser claim and then use that after authentication to call the Graph and make your necessary updates.

Here's an example of how you can achieve that, assuming you're using ASP.Net as per this SignIn sample or this SignUp/SignIn sample, by leveraging the SecurityTokenValidated notification while setting up your OpenIdConnectAuthenticationOptions like so:

new OpenIdConnectAuthenticationOptions
{
  // Skipping for brevity
  // (...)
  Notifications = new OpenIdConnectAuthenticationNotifications
  {
    // (...)
    SecurityTokenValidated = OnSecurityTokenValidated
  },
  // (...)
};

And use the ClientCredentials flow to call out to the Graph API to make an update like so:

private async Task OnSecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
  string userObjectId = notification.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
  bool newUser = false;
  bool.TryParse(notification.AuthenticationTicket.Identity.FindFirst("newUser")?.Value, out newUser);

  if (!newUser) return;

  ClientCredential credential = new ClientCredential(graphClientId, graphClientSecret);
  AuthenticationContext authContext = new AuthenticationContext("https://login.microsoftonline.com/sacacorpb2c.onmicrosoft.com");

  AuthenticationResult result = await authContext.AcquireTokenAsync("https://graph.microsoft.com", credential);

  string body = "{ \"extension_e5bf5a2db0c9415cb62661a70d8f0a68_AccountId\" : \"Your_New_Value"\"}";

  HttpClient http = new HttpClient();
  string url = "https://graph.microsoft.com/beta/users/" + userObjectId + "/";
  HttpRequestMessage request = new HttpRequestMessage(new HttpMethod("PATCH"), url)
  {
    Content = new StringContent(body, Encoding.UTF8, "application/json")
  };
  request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
  HttpResponseMessage response = await http.SendAsync(request);

  return;
}

Important notes:

• If you want to update built-in attributes, you can use the Azure AD Graph (https://graph.windows.net), however if you want update custom attributes, you'll need to query the Beta endpoint of the Microsoft Graph (https://graph.microsoft.com). If you do go for custom attributes, note that they have funkier names (prepended with Guids), use Graph Explorer, query /beta/users and see what the full attribute name is.
• You'll need to register a separate (from the one you are using for signin/up) application with permissions to talk to the Graph. See this article for more, though not that the article requests permission for the Azure AD Graph, you might need to get permissions for the Microsoft Graph as per my previous point.