
I'm actually trying to get user information from IEF custom policy via Microsoft Graph API.

I have two technical profiles, one for the access_token and one for the MSGraph API call; the access_token one is working properly. The MSGraph API call technical profile only works for global queries, i.e. /users, /me, etc.

I tried passing the user ObjectID via an InputClaim in the request body, header and query string, but I get "Bad Request" or "Access denied", because the Bearer token must be sent in the "Authorization" request header according to https://learn.microsoft.com/en-us/graph/auth/auth-concepts#access-tokens, and URI parameters must be sent in the request body.

Not Working MSGraph API call Technical profile:

```xml
<Metadata>
  <Item Key="ServiceUrl">https://graph.microsoft.com/v1.0/users</Item>
  <Item Key="SendClaimsIn">Body</Item>
  <Item Key="AuthenticationType">Bearer</Item>
  <Item Key="UseClaimAsBearerToken">bearerToken</Item>
  <Item Key="AllowInsecureAuthInProduction">false</Item>
  <Item Key="ResolveJsonPathsInJsonTokens">true</Item>
</Metadata>
<InputClaims>
  <InputClaim ClaimTypeReferenceId="bearerToken" />
  <InputClaim ClaimTypeReferenceId="userID" />
</InputClaims>
<!-- ... -->
```

Working MSGraph API call Technical profile:

```xml
<Metadata>
  <Item Key="ServiceUrl">https://graph.microsoft.com/v1.0/users</Item>
  <Item Key="SendClaimsIn">Header</Item>
  <Item Key="AuthenticationType">Bearer</Item>
  <Item Key="UseClaimAsBearerToken">bearerToken</Item>
  <!-- ... -->
</Metadata>
<InputClaims>
  <InputClaim ClaimTypeReferenceId="bearerToken" />
</InputClaims>
<!-- ... -->
```

How can I pass an id or resource to MSGraph, i.e. /users/{a4d7r8s5d}, /users/{user1@domain.com}, etc.?

Thanks in advance.

JRLOPS
  • Hi @JRLOPS. What if you change the **ServiceUrl** metaproperty to `https://graph.microsoft.com/v1.0/users/{Claim:objectId}` as well as add `true`? I don't believe that this will execute -- but you might want to try it out?? – Chris Padgett Aug 09 '20 at 09:32
  • Hi @JRLOPS, You should be able to access all of the B2C built-in and custom attributes using the **AAD-UserReadUsingObjectId** and **AAD-UserWriteProfileUsingObjectId** technical profiles. Neither of these technical profiles requires any user interaction. Let me know if you are trying to achieve something else which you are not getting from the read/write technical profiles. – Rohit Prasad Aug 09 '20 at 11:12
  • Hi @ChrisPadgett thank you so much for your response, I tried the **ServiceUrl** with {Claim:issuerUserId} both in Header and Body, passing the respective **InputClaim** unsuccessfully. I get the error `The claims exchange 'MyTechnicalProfileName' specified in step '8' returned HTTP error response with Code 'BadRequest' and Reason 'Bad Request'`. – JRLOPS Aug 09 '20 at 22:02
  • Hi @RohitPrasad, thank you so much for your response. **AAD-UserReadUsingObjectId** and **AAD-UserWriteProfileUsingObjectIdWeb** use the handler **Web.TPEngine.Providers.AzureActiveDirectoryProvider**, which communicates with Azure AD, but I am trying to use the **REST API** technical profile to make dynamic queries or calls to MSGraph, i.e. `/users/{id | userPrincipalName}`. – JRLOPS Aug 09 '20 at 22:10
  • Considering that **Claim Resolvers** can be used in InputClaims and/or OutputClaims only, according to [https://learn.microsoft.com/en-us/azure/active-directory-b2c/claim-resolver-overview](https://learn.microsoft.com/en-us/azure/active-directory-b2c/claim-resolver-overview), the trick here is how can I pass **Bearer token** and **URI resource** in the **request header**, **body** or **form** to Microsoft Graph API? – JRLOPS Aug 10 '20 at 00:31
  • See this thread: https://stackoverflow.com/questions/54875609/calling-the-azure-ad-graph-api-from-an-azure-ad-b2c-custom-policy – Allen Wu Aug 10 '20 at 01:40
  • Rohit's comment is valid, why would you model access to MS Graph API via REST API technical profile, when AzureActiveDirectoryProvider already does this. – Jas Suri - MSFT Aug 10 '20 at 10:17
  • @AllenWu thank you so much for your response, Unfortunately, I tried the metadata item key `Url` with `{Claim:issuerUserId}` and `{issuerUserId}`, but I get the error `The claims exchange 'MyTechnicalProfile' specified in step '8' returned HTTP error response with Code 'MethodNotAllowed' and Reason 'Method Not Allowed'`, because it cannot interpret the **Claim Resolver** in **ServiceUrl**, I think this process only works for **Azure AD handler** and not for **RestApi handler**. – JRLOPS Aug 10 '20 at 20:14
  • @JasSuri thank you so much for your response. We have a requirement to read an attribute that is in the user's calendar and files; that's why we cannot use AzureActiveDirectoryProvider. The question posted is just to give context and an example. – JRLOPS Aug 10 '20 at 20:22
  • Lastly, I think it actually cannot be achieved. The only two methods that would work would be allowing Claim Resolvers to be passed outside InputClaims and OutputClaims, or adding support for sending the Authorization header and the Resource, both in the Request Body or the Request Header, to Microsoft Graph API. – JRLOPS Aug 10 '20 at 20:52
  • @AllenWu setting the item key to `Url` instead of `Url`, I don't get any error; the Orchestration Steps run successfully, but the OutputClaims are not captured. So it apparently executes something, but doesn't return OutputClaims. – JRLOPS Aug 10 '20 at 21:00
  • Why not return the IdP token (the AAD you are federating with) into the B2C token and have the application read this info via Graph? – Jas Suri - MSFT Aug 10 '20 at 21:42
  • @JasSuri because our security department doesn't allow us to do that, and the development department doesn't want to build that logic. Finally, we offered the solution knowing that we can call REST APIs, but didn't take into account that passing resources dynamically is not possible actually. – JRLOPS Aug 11 '20 at 13:43
  • ChrisPadgett, RohitPrasad, AllenWu, JasSuri, thank you so much for your time and help, I really appreciate it. I think it cannot be achieved currently, and I need to create a pull request or give feedback; what do you think? – JRLOPS Aug 11 '20 at 13:51
  • You can voice your interest in such a feature or support similar ones in the [Azure AD Feedback Forum](https://feedback.azure.com/forums/169401-azure-active-directory?category_id=166251). – Shiva Keshav Varma Aug 19 '20 at 20:10
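The following is an added example, not code from the question or from Microsoft: a small Python model of how a B2C RESTful technical profile's metadata (ServiceUrl, SendClaimsIn, HttpBinding, UseClaimAsBearerToken) turns input claims into an HTTP request, and how Graph's /users resource answers each request shape. It reproduces the errors reported in the thread: a Body profile POSTs the claims as JSON to /users, which Graph treats as "create user" and rejects as Bad Request; an unresolved `{issuerUserId}` placeholder POSTed to /users/{...} gets Method Not Allowed; and a token passed as an ordinary data claim ends up in the query string, where Graph ignores it and proxies log it. The POST default, the placeholder substitution, the `HttpBinding=GET` on the "working" profile (its snippet elides it) and the exact status codes are assumptions modelled on the documented behaviour and on the results reported above, not verified against the service; the token and claim values are constructed.

```python
"""Added example: offline model of a B2C RESTful technical profile's request
building and of Graph's /users responses.  Not B2C's or Graph's code.
Assumptions: HttpBinding defaults to POST; the UseClaimAsBearerToken claim
becomes the Authorization header and leaves the data claims; {Claim:x} and,
in Url mode, {x} placeholders in ServiceUrl take claim values; Graph status
codes follow the thread (400 POST /users, 405 POST /users/{id}) plus 401
when no bearer header is present."""
import json
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: Optional[str] = None


def build_request(metadata: dict, claims: dict) -> Request:
    """Model of the RESTful provider's request construction (assumption)."""
    mode = metadata.get("SendClaimsIn", "Body")
    method = metadata.get("HttpBinding", "POST").upper()
    headers: dict = {}
    data = dict(claims)  # copy; the bearer claim is popped out below

    token_claim = metadata.get("UseClaimAsBearerToken")
    if metadata.get("AuthenticationType") == "Bearer" and token_claim in data:
        headers["Authorization"] = "Bearer " + data.pop(token_claim)

    url = metadata["ServiceUrl"]
    # Claim-resolver syntax; an unresolvable name stays as literal text.
    url = re.sub(r"\{Claim:(\w+)\}", lambda m: data.get(m.group(1), m.group(0)), url)

    body = None
    if mode == "Body":
        headers["Content-Type"] = "application/json"
        body = json.dumps(data)
    elif mode == "Form":
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        body = urlencode(data)
    elif mode == "Header":
        headers.update(data)
    elif mode == "QueryString":
        url += "?" + urlencode(data)
    elif mode == "Url":
        url = re.sub(r"\{(\w+)\}", lambda m: data.get(m.group(1), m.group(0)), url)
    return Request(method, url, headers, body)


def graph_users_status(req: Request) -> int:
    """Status Graph's /users surface would return for the modelled request."""
    if not req.headers.get("Authorization", "").startswith("Bearer "):
        return 401  # a token in the body or query string is never looked at
    if not req.url.startswith(GRAPH):
        return 404
    path = req.url[len(GRAPH):].split("?", 1)[0]
    if path == "/users":
        # POST /users is "create user"; a body of B2C claims lacks the
        # required user properties, so Graph answers 400 Bad Request
        return {"GET": 200, "POST": 400}.get(req.method, 405)
    if re.fullmatch(r"/users/[^/]+", path):
        return 200 if req.method in ("GET", "PATCH", "DELETE") else 405
    return 404


def token_outside_auth_header(req: Request, token: str) -> bool:
    """Pre-deployment check: does the bearer land anywhere that proxies and
    request logs record (URL, non-Authorization header, body)?"""
    others = {k: v for k, v in req.headers.items() if k != "Authorization"}
    return token in req.url or token in json.dumps(others) or token in (req.body or "")


TOKEN = "eyJ.constructed.token"  # constructed placeholder, not a real JWT
CLAIMS = {"bearerToken": TOKEN, "objectId": "a4d7r8s5d"}  # constructed sample
BASE = {"AuthenticationType": "Bearer", "UseClaimAsBearerToken": "bearerToken"}


def run_scenarios() -> dict:
    """name -> (method, url, graph status, token leaked outside the header)."""
    configs = {
        # the question's "not working" profile: claims POSTed as JSON to /users
        "body": {**BASE, "ServiceUrl": GRAPH + "/users", "SendClaimsIn": "Body"},
        # the "working" profile, with the GET binding assumed for it
        "header_get": {**BASE, "ServiceUrl": GRAPH + "/users",
                       "SendClaimsIn": "Header", "HttpBinding": "GET"},
        # Url mode with a placeholder no input claim resolves, default POST
        "url_unresolved": {**BASE, "ServiceUrl": GRAPH + "/users/{issuerUserId}",
                           "SendClaimsIn": "Url"},
        # Url mode, placeholder resolved, GET: the request Graph actually wants
        "url_resolved_get": {**BASE, "ServiceUrl": GRAPH + "/users/{objectId}",
                             "SendClaimsIn": "Url", "HttpBinding": "GET"},
        # bearer passed as a plain data claim instead of UseClaimAsBearerToken
        "token_in_query": {"AuthenticationType": "None", "ServiceUrl": GRAPH + "/users",
                           "SendClaimsIn": "QueryString", "HttpBinding": "GET"},
    }
    results = {}
    for name, meta in configs.items():
        req = build_request(meta, CLAIMS)
        results[name] = (req.method, req.url, graph_users_status(req),
                         token_outside_auth_header(req, TOKEN))
    return results


if __name__ == "__main__":
    for name, (method, url, status, leaked) in run_scenarios().items():
        print(f"{name:17} {method:4} {url:62} -> {status}  token_leaked={leaked}")
```

Running it prints one line per configuration; the two cases that reach 200 are the plain GET /users and the GET with the id resolved into the path, and only the "token as data claim" case trips the leak check.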

0 Answers