Azure AD B2C - Role Management

Azure AD B2C does not yet include group claims in the token it sends to the application, so you can't follow the same approach as you outlined with Azure AD (which does include group claims in the token).

You can support this feature ask by voting for it in the Azure AD B2C feedback forum: Get user membership groups in the claims with Azure AD B2C

That being said, you can do some extra work in this application to have it manually retrieve the group claims and inject them into the token.

First, register a separate application that'll call the Microsoft Graph to retrieve the group claims.

  1. Go to https://apps.dev.microsoft.com
  2. Create an app with Application Permissions: Directory.Read.All.
  3. Add an application secret by clicking on Generate new password.
  4. Add a Platform, select Web and give it any redirect URI (e.g. https://yourtenant.onmicrosoft.com/groups).
  5. Consent to this application by navigating to: https://login.microsoftonline.com/YOUR_TENANT.onmicrosoft.com/adminconsent?client_id=YOUR_CLIENT_ID&state=12345&redirect_uri=YOUR_REDIRECT_URI

Then, you'll need to add the following code inside the OnAuthorizationCodeReceived handler, right after redeeming the code:

// Requires: Microsoft.Identity.Client (MSAL), Newtonsoft.Json.Linq, System.Net.Http, System.Net.Http.Headers
var authority = $"https://login.microsoftonline.com/{Tenant}";
// Confidential client for the separate Graph app registered above (client credentials flow).
var graphCca = new ConfidentialClientApplication(GraphClientId, authority, GraphRedirectUri, new ClientCredential(GraphClientSecret), userTokenCache, null);
// ".default" requests the application permissions (Directory.Read.All) that were consented to above.
string[] scopes = new string[] { "https://graph.microsoft.com/.default" };

try
{
    AuthenticationResult authenticationResult = await graphCca.AcquireTokenForClientAsync(scopes);
    string token = authenticationResult.AccessToken;

    using (var client = new HttpClient())
    {
        // signedInUserID is the B2C object id of the user who just signed in.
        string requestUrl = $"https://graph.microsoft.com/v1.0/users/{signedInUserID}/memberOf?$select=displayName";

        HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, requestUrl);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);

        HttpResponseMessage response = await client.SendAsync(request);
        // Fail loudly rather than issuing a ticket with no roles when Graph returns 401/403.
        response.EnsureSuccessStatusCode();
        var responseString = await response.Content.ReadAsStringAsync();

        var json = JObject.Parse(responseString);

        // One Role claim per group display name, with the issuer marked as "Graph".
        foreach (var group in json["value"])
        {
            notification.AuthenticationTicket.Identity.AddClaim(new System.Security.Claims.Claim(System.Security.Claims.ClaimTypes.Role, group["displayName"].ToString(), System.Security.Claims.ClaimValueTypes.String, "Graph"));
        }

        //TODO: Handle paging.
        // https://developer.microsoft.com/en-us/graph/docs/concepts/paging
        // If the user is a member of more than 100 groups,
        // you'll need to retrieve the next page of results.
    }
}
catch (Exception ex)
{
    //TODO: Handle
    throw;
}
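The paging TODO above is the part most likely to bite in production: Graph returns memberOf results one page at a time with an @odata.nextLink for the rest, and the collection also contains directory roles and administrative units, not only groups. The helper below is an added example, not code from the answer above; it follows nextLink until Graph stops returning one and keeps only objects whose @odata.type is #microsoft.graph.group, and it assumes the same HttpClient, Newtonsoft.Json and app-only access token as the snippet above.

```csharp
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public static class GraphGroupReader
{
    // Returns the display names of every group the user is a direct member of,
    // following @odata.nextLink until Graph reports no further pages.
    // memberOf also returns directoryRoles and administrativeUnits; anything that
    // is not a group is skipped so it never becomes a Role claim by accident.
    public static async Task<IReadOnlyList<string>> GetGroupDisplayNamesAsync(
        HttpClient client, string accessToken, string userObjectId)
    {
        var names = new List<string>();
        // $select keeps the payload small; displayName is all we map to a role.
        string url = $"https://graph.microsoft.com/v1.0/users/{userObjectId}/memberOf?$select=displayName";

        while (url != null)
        {
            using (var request = new HttpRequestMessage(HttpMethod.Get, url))
            {
                request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
                using (HttpResponseMessage response = await client.SendAsync(request))
                {
                    // 401/403 here means the app permission or admin consent step failed;
                    // throw instead of silently issuing a ticket with no roles.
                    response.EnsureSuccessStatusCode();
                    var json = JObject.Parse(await response.Content.ReadAsStringAsync());

                    foreach (JToken item in json["value"] ?? new JArray())
                    {
                        if ((string)item["@odata.type"] != "#microsoft.graph.group")
                            continue;
                        string name = (string)item["displayName"];
                        if (!string.IsNullOrEmpty(name))
                            names.Add(name);
                    }

                    // nextLink is absent on the final page, which ends the loop.
                    url = (string)json["@odata.nextLink"];
                }
            }
        }
        return names;
    }
}
```

Replace the single request in the handler with a call to this method and add one Role claim per returned name.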

How can I use Custom Roles on Azure AD B2C?

I am working toward the same goal, so here is what I found until now:

  • Use Custom Policies with the Identity Experience Framework (IEF). Here is an example of custom policies for RBAC:
  • Manually call the Graph API (using the MSAL library) with the objectId of the connected user and an access token in order to get the groups to which the user belongs. In this case you create a group for each role and assign the users to the right groups based on their role; by finding the user's groups, you know what their role is. Here is an example of implementing this kind of authorization on a .NET 5 web API and web app:

I didn't find anything related to managing user access with roles, so if you find anything, do not hesitate to share. Thanks

How to include roles in issued token when using multi-tenant Azure AD with Azure AD B2C?

Solved by passing through the roles claim:

  1. Open the TrustFrameworkExtensions.xml file and add the following ClaimType element, with an identifier of roles, to the ClaimsSchema element:

<ClaimType Id="roles">
  <DisplayName>Roles</DisplayName>
  <DataType>stringCollection</DataType>
  <UserInputType>Readonly</UserInputType>
</ClaimType>

  2. Add the OutputClaim element to the TechnicalProfile element used for configuring Azure AD as an identity provider:

<ClaimsProvider>
  <DisplayName>Common AAD</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AADCommon-OpenIdConnect">
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="roles" PartnerClaimType="roles" />
      </OutputClaims>
      ...
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

  3. Save the TrustFrameworkExtensions.xml file.

  4. Open the relying party policy file, such as SignUpOrSignIn.xml, and add the OutputClaim element to the TechnicalProfile:

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="roles" />
    </OutputClaims>
    ...
  </TechnicalProfile>
</RelyingParty>

  5. Save the policy file.

The token now includes roles:

{
  ...
  "roles": [
    "invoice-approver",
    "invoice-creator"
  ],
  ...
}

