If I have a user in Azure AD B2C that was created based on an Azure AD (enterprise) identity (as described here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom), is there an attribute stored in AADB2C that will allow me to look up (using Graph API or similar) the user object in AAD? I see that among the AADB2C attributes there are userPrincipalName and issuerUserId, but it's not obvious to me whether either of these matches any value stored in AAD.

thanks!

Martin

M Herbener
  • Can you specify how you see these attributes? In `User attributes`? If you use the Graph API, you can just get more details about users in the user's tenant. – Wayne Yang Feb 07 '18 at 01:48
  • @WayneYang-MSFT - I was finding the userPrincipalName and issuerUserId using `https://graph.windows.net/MBHB2C.onmicrosoft.com/users?api-version=1.6` against my B2C tenant. – M Herbener Feb 14 '18 at 18:20

For an external account, the external issuer (i.e., Azure AD) and the external user identifier (i.e., the object identifier of the Azure AD user) are written to the "userIdentities" property of the user object in the Azure AD B2C directory, where the "issuerUserId" property contains the Base64-encoding of the external user identifier:

{
    "userIdentities": [
        {
            "issuer": "contoso.com",
            "issuerUserId": "Mjk2NzdlNTAtY2MwZS00MmU5LWJhNWMtZjFmMDdkZTUwMDhm"
        }
    ]
}

To find the user object by the external account, you can invoke the following Graph API operation, where the "x/issuerUserId" value is set to the hexadecimal-encoding of the external user identifier:

GET https://graph.windows.net/myorganization/users?$filter=userIdentities/any(x:x/issuer eq 'contoso.com' and x/issuerUserId eq X'32393637376535302d636330652d343265392d626135632d663166303764653530303866')

Update:

The issuerUserId from the external identity provider should be treated as a string and not a decimal. In the above example, when you Base64-decode "Mjk2NzdlNTAtY2MwZS00MmU5LWJhNWMtZjFmMDdkZTUwMDhm", it returns the GUID 29677e50-cc0e-42e9-ba5c-f1f07de5008f. In the case of Facebook, the issuerUserId will be a number, but it should still be treated as a string.

The next step is to use a string-to-hexadecimal converter and then use that value in the query.

Abhishek Agrawal
Chris Padgett
  • I'm a little confused. I see how to find the issuerUserID value from the B2C directory. But should this match a value I can find in the "enterprise" AAD directory from which the user originated? thanks! – M Herbener Feb 13 '18 at 20:38
  • Yes, it should be mapped from the object identifier for the Azure AD user, i.e. ``. – Chris Padgett Feb 13 '18 at 21:58
  • If I use graph API or similar to look at the AD user object, should I be able to find an attribute that contains the same object identifier value? – M Herbener Feb 14 '18 at 15:29
  • It is the objectId property of the User object. Note that, when this property value is saved as issuerUserId in Azure AD B2C, it is written as a Base64-encoded value. – Chris Padgett Feb 14 '18 at 20:52
  • Got it now, thanks. For any future reader, a PowerShell example is to plug the IssuerUserID value from B2C into the following: `[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("IssuerUserId-from-B2C"))`; the output will be the ObjectID (usable in Graph Explorer or PowerShell `Get-AzureADUser`) of the corresponding user in the source "enterprise" tenant. – M Herbener Feb 15 '18 at 15:41