skip to Main Content

I have an Azure AD B2C tenant and app within it with enabled authentication using Facebook, other AAD and local accounts. Users in B2C have some custom fields which are populated on registration and used as claims in JWT token.

But I cannot see this fields value’s anywhere in the Azure portal nor using Microsoft Graph API.

Where they are stored and how to get access to them?

2

Answers


  1. You can access custom claims by including them in the token sent to the app or by querying the Azure AD Graph API (not the Microsoft Graph yet).

    1. Including custom claims in the token: In the Azure portal’s B2C blade, select the policy you are using, click on Edit, Application claims and select the custom attribute. Full documentation
    2. Querying the Azure AD Graph API: Register an Azure AD application, query the Azure AD Graph API. Full documentation

    Here’s some C# code for #2

    // The client_id, client_secret, and tenant are pulled in from the App.config file
    var clientId = "YOUR_CLIENT_ID";
    var clientSecret = "YOUR_CLIENT_SECRET";
    var tenant = "yourtenant.onmicrosoft.com";
    
    var userObjectID = "OID_OF_THE_USER"
    var query = "/users/" + userObjectId
    
    this.authContext = new AuthenticationContext("https://login.microsoftonline.com/" + tenant);
    
    // The ClientCredential is where you pass in your client_id and client_secret, which are 
    // provided to Azure AD in order to receive an access_token using the app's identity.
    this.credential = new ClientCredential(clientId, clientSecret);
    
    // First, use ADAL to acquire a token using the app's identity (the credential)
    // The first parameter is the resource we want an access_token for; in this case, the Graph API.
    AuthenticationResult result = authContext.AcquireToken("https://graph.windows.net", credential);
    
    // For B2C user managment, be sure to use the Azure AD Graph API for now.
    HttpClient http = new HttpClient();
    string url = "https://graph.windows.net/" + tenant + api + "?" + Globals.aadGraphVersion;
    url += "&" + query;
    
    // Append the access token for the Graph API to the Authorization header of the request, using the Bearer scheme.
    HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, url);
    request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
    HttpResponseMessage response = await http.SendAsync(request);
    
    if (!response.IsSuccessStatusCode)
    {
        string error = await response.Content.ReadAsStringAsync();
        object formatted = JsonConvert.DeserializeObject(error);
        throw new WebException("Error Calling the Graph API: n" + JsonConvert.SerializeObject(formatted, Formatting.Indented));
    }
    
    return await response.Content.ReadAsStringAsync();
    
    Login or Signup to reply.
  2. See this guide to include custom claims/attributes in your JWT: Use custom attributes to collect information about your consumers


    See this guide: Use the Azure AD Graph API and sample app to view custom claims via Azure AD Graph API.

    In the Graph API they will come back as: extension_[GUID]_[ClaimName]

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search