
Is it possible to pre-create federated users in Azure B2C via the Graph API? Here's the scenario:

I have added to my B2C tenant an Azure AD tenant as an IdP. However, I do not want federated users to be able to sign up. I want them to only be able to sign in if they are already present in the B2C directory. So, if they are not, they get an error message. So I was thinking I could create the federated users using Graph instead. Below is the request body I attempted to use, but I get the error that follows, which says the UPN has to use one of the domains in the organization. Is it possible to accomplish what I am looking to achieve with Graph? If not by Graph API, how can I accomplish this? A REST API call in a custom policy is not desired.

{
    "givenName": "John",
    "identities": [
        {
            "signInType": "federated",
            "issuer": "abc.com",
            "issuerAssignedId": "jdoe@abc.com"
        }
    ],
    "surname": "Doe",
    "mail": "jdoe@abc.com",
    "accountEnabled": true,
    "displayName": "John Doe",
    "mailNickname": "jdoe",
    "userPrincipalName": "jdoe@abc.com",
    "passwordPolicies": "DisablePasswordExpiration"
}

{
    "error": {
        "code": "Request_BadRequest",
        "message": "The domain portion of the userPrincipalName property is invalid. You must use one of the verified domain names in your organization.",
        "innerError": {
            "date": "2020-08-05T03:45:26",
            "request-id": "xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxx"
        },
        "details": [
            {
                "target": "userPrincipalName",
                "code": "InvalidValue"
            }
        ]
    }
}

Bandz

1 Answer


Removing "userPrincipalName": "jdoe@abc.com" will fix this issue.

Microsoft Graph seems not to allow us to set userPrincipalName when creating the user for Azure B2C. It will generate the userPrincipalName as {object id}@abc.com.

And then you could update the userPrincipalName.

PATCH https://graph.microsoft.com/v1.0/users/{object id}

{"userPrincipalName":"jdoe@abc.com"}
Allen Wu
  • Thank you @Allen! Removing the userPrincipalName allowed me to run the query. But the PATCH wasn't allowed because of the same error I reported earlier. Is there a way around this? – Bandz Aug 05 '20 at 14:42
  • If not, I'll mark your answer correct. Just in case someone else comes across this, to prevent a different account from being created when I tried to signin with the account, I had to change the Identities portion "identities": [ { "signInType": "federated", "issuer": "https://login.microsoftonline.com/{tenant_id}/v2.0", "issuerAssignedId": "{tobjid_in_home_tenant}" } ] – Bandz Aug 05 '20 at 14:58
  • @Rock I can use `PATCH` to update the `UPN`. Could you please share the full `PATCH` request? – Allen Wu Aug 06 '20 at 01:27
  • [B2C Tenant: xyz.onmicrosoft.com] PATCH https://graph.microsoft.com/beta/object_id {"userPrincipalName":"jdoe@abc.com"} abc.com is not a verified domain in xyz.onmicrosoft.com hence the error. – Bandz Aug 06 '20 at 02:36
  • @Rock You should add abc.com as idp into B2C by following https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-add-identity-providers#add-the-identity-providers. If abc is not verified domain I don't think you can PATCH it. – Allen Wu Aug 06 '20 at 02:42
  • Thanks again. However, I already added abc as an IdP to B2C. I guess the PATCH is not possible then. Technically it is not a limitation as I am not using the UPN in any major way. I am just curious as to how it can get updated when a federated user does a sign-up/sign-in but not via the Graph API. Thank you for your help all the same. – Bandz Aug 06 '20 at 03:44
  • @Bandz Maybe it's related to the Idp type. I added another Azure AD tenant here for testing. Anyway, if you don't need UPN, it should not be a problem. – Allen Wu Aug 06 '20 at 03:56
  • I'm running into the same scenario, @Bandz how did you manage to get the `issuerAssignedId`? @AllenWu is there an elegant way of doing this? From what I'm thinking, I would have to create some sort of service that makes a graph request to the `Azure AD` that's set as identity provider to give me the `ObjectId` of the user by using the `email`. Am I correct in this assumption? – Vivere Sep 23 '21 at 11:05
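Putting the answer and the comment thread together, as an added example (not code from the question, the answer or Microsoft): the create-user body omits userPrincipalName so B2C generates it on a verified domain, the identities entry uses the home tenant's v2.0 authority as issuer and the user's home-tenant object id as issuerAssignedId so a later federated sign-in maps onto the pre-created account, and the error check recognises the "unverified UPN domain" rejection quoted in the question. The function names, the GUID values in the test and the `create_user` helper (which does the real POST and is not exercised offline) are my own.

```python
import json
import urllib.request

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"


def build_federated_user(given_name, surname, mail, home_tenant_id, home_object_id, nickname):
    """Request body for pre-creating a federated Azure AD user in a B2C tenant.

    userPrincipalName is deliberately left out: B2C rejects a UPN on a domain the
    B2C tenant has not verified and generates {object id}@<tenant> itself.
    issuerAssignedId is the user's object id in the home tenant, not the e-mail;
    using the e-mail (as in the original question) made sign-in create a second account.
    """
    if not home_object_id or "@" in home_object_id:
        raise ValueError("issuerAssignedId must be the home-tenant object id, not an e-mail")
    return {
        "givenName": given_name,
        "surname": surname,
        "displayName": f"{given_name} {surname}",
        "mail": mail,
        "mailNickname": nickname,
        "accountEnabled": True,
        "passwordPolicies": "DisablePasswordExpiration",
        "identities": [{
            "signInType": "federated",
            "issuer": f"https://login.microsoftonline.com/{home_tenant_id}/v2.0",
            "issuerAssignedId": home_object_id,
        }],
    }


def upn_domain_rejected(error_body):
    """True when a Graph error body is the Request_BadRequest/InvalidValue on
    userPrincipalName that the question's error response shows."""
    err = error_body.get("error", {})
    if err.get("code") != "Request_BadRequest":
        return False
    return any(d.get("target") == "userPrincipalName" and d.get("code") == "InvalidValue"
               for d in err.get("details", []))


def create_user(token, body):
    """POST the body to Graph (needs an app token with User.ReadWrite.All on the B2C tenant).
    Hypothetical helper: not invoked offline."""
    req = urllib.request.Request(
        GRAPH_USERS, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```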