17

I have created an Azure B2C application in the Azure Portal. I need to use only a sign-in policy for this application (no sign-up). I need to create two kinds of users: Simple User and Admin. For this purpose I have created a custom string attribute, Role. It is returned as a claim in the token for the sign-in policy.

Now I want to add a new user with Role = Admin using the Azure portal, but I cannot find any place where I can edit Role (the custom attribute) for this user.

The only way I managed to edit the Role attribute is using the Azure B2C Graph API application. But I don't want to create an extra UI for this purpose in my application.

So, my questions are:

  1. Is it possible to add a new user with a custom attribute using the Azure Portal without using a sign-up policy?
  2. Are there any other ways of adding a custom attribute to a user except the Graph API and sign-up?
Pavel
    Almost 3 years later and this still isn't an option within the Azure UI portal. I'm guessing there's a reason why, but this seems like a use case people would want. I know I do. However, it looks like to update custom attributes you'd need to use the Graph API - https://learn.microsoft.com/en-us/azure/active-directory-b2c/manage-user-accounts-graph-api?tabs=applications#use-custom-attributes – Jack Marchetti Feb 01 '20 at 22:55

1 Answer

15

Short answer: 1. no and 2. no.

At this point in time, there are only two ways to manage a user's custom attributes:

  • The user him/herself can update them via the signup, unified signup/signin and edit profile policies. This is not useful for your scenario though.

  • Via the Graph API, using either a delegated non-admin user token (can only update that user's attributes), a delegated admin token (can update any user's attributes) or an app token (can update any user's attributes as well). Strictly speaking, you don't have to build a UI and can use a console application for this. Check out this sample.

I'd recommend that you create an entry in the Azure AD B2C UserVoice forum to request a way for an admin to manage custom attributes via the UI.

A completely different approach you can follow is to use Azure AD Groups, which you can manage via the UI. The caveat with this is that they are not included in the claims, and you'd need to add an extra call to the Graph API in your app to get the group claim and pivot off that. Here's the link to the UserVoice ask to add Groups in claims for Azure AD B2C.

Saca
    Using the Graph API to access claims requires that you put the Graph API secret in the user code. This is a HUGE security breach as someone could easily pull apart the request, find the secret, and then update their group membership from 'User' to 'Administrator'. This whole product is a mess and Microsoft seems to have no interest in fixing it. – Quark Soup Mar 17 '19 at 17:00
    @DonaldAirey The Graph API call should be done by a backend service. If the app / frontend requires knowledge of roles, this would be returned by an API of the backend. If your app / program doesn't have a backend this isn't a possibility (although I'm not sure in what scenarios B2C could be used without some sort of backend service). Regarding B2C being a mess, unfortunately I have to agree. – playsted May 05 '19 at 17:51
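The backend-side approach the answer and the last comment describe, as an added example that is not from the question, the answer or Microsoft: a small script that obtains an app token with the client-credentials flow and PATCHes a user's Role extension attribute through Microsoft Graph (the endpoint the Jack Marchetti comment links to, rather than the older Azure AD Graph). The tenant, client id, secret and extensions-app id are constructed placeholders; the attribute name follows the documented `extension_<appId without dashes>_<Name>` convention, and the secret stays on the backend, never in user-facing code.

```python
import json
from urllib import request, parse

# Constructed placeholder values: replace with your own tenant and app registration.
TENANT = "contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_SECRET = "<client-secret-loaded-from-a-secret-store>"
# Application (client) ID of the "b2c-extensions-app" that B2C creates in every tenant.
EXTENSIONS_APP_ID = "11111111-2222-3333-4444-555555555555"
GRAPH = "https://graph.microsoft.com/v1.0"
ALLOWED_ROLES = {"User", "Admin"}  # allow-list so callers cannot invent roles

def extension_attribute_name(extensions_app_id: str, attribute: str) -> str:
    """B2C stores a custom attribute as extension_<appId without dashes>_<Name>."""
    return f"extension_{extensions_app_id.replace('-', '')}_{attribute}"

def build_role_patch(extensions_app_id: str, role: str) -> dict:
    """Request body for PATCH /users/{id}; rejects values outside the allow-list."""
    if role not in ALLOWED_ROLES:
        raise ValueError(f"unsupported role: {role!r}")
    return {extension_attribute_name(extensions_app_id, "Role"): role}

def get_app_token() -> str:
    """Client-credentials flow: an app token that can update any user (per the answer)."""
    body = parse.urlencode({
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    url = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"
    with request.urlopen(request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def set_user_role(user_object_id: str, role: str) -> int:
    """PATCH the user's Role attribute; the app needs User.ReadWrite.All consented."""
    req = request.Request(
        f"{GRAPH}/users/{user_object_id}",
        data=json.dumps(build_role_patch(EXTENSIONS_APP_ID, role)).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {get_app_token()}",
                 "Content-Type": "application/json"},
    )
    with request.urlopen(req) as resp:
        return resp.status  # Graph answers 204 No Content on success
```

Call `set_user_role("<user object id>", "Admin")` from an admin-only console tool or backend endpoint; `build_role_patch` and `extension_attribute_name` are pure and can be unit-tested without network access.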