0

I have a very limited set of users who need to connect to a very limited set of APIs using the resource owner password flow. In order to restrict access to this flow, I intended to set the "User Assignment Required" flag under Enterprise Applications -> Properties -> "User Assignment Required" to 'Yes'.

Unfortunately, this doesn't work, or at least hasn't worked in my experience so far. Does anyone know if there is a way to have B2C honor this field?

My other option is to store the assignment in a database and call a REST API to return a YES/NO response on whether the user is allowed to use that flow for that Client ID. This would work, but I would rather the framework honor the settings within the portal to avoid confusion.

Any help would be appreciated!

Scott McNeany
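The database-backed YES/NO check described in the question, sketched as an added example (not code from the original post or from Azure AD B2C). The claim names `client_id` and `objectId`, the sample IDs and the port are assumptions; the HTTP 409 error body follows the shape B2C custom policies expect from a REST validation endpoint.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: client ID -> object IDs of users assigned to it.
# In practice this lookup would be the database query the question mentions.
ASSIGNMENTS = {
    "11111111-1111-1111-1111-111111111111": {
        "aaaaaaaa-0000-0000-0000-000000000001",
    },
}

def deny(message):
    # Error body B2C can surface to the user when validation fails (HTTP 409).
    return 409, {"version": "1.0.0", "status": 409, "userMessage": message}

def check_assignment(raw_body, assignments=ASSIGNMENTS):
    """Return (http_status, json_body); anything unexpected fails closed."""
    try:
        claims = json.loads(raw_body)
        client_id = claims["client_id"].strip().lower()   # assumed claim name
        object_id = claims["objectId"].strip().lower()    # assumed claim name
    except (ValueError, KeyError, TypeError, AttributeError):
        return deny("Request could not be validated.")
    # Same message for an unknown client and an unassigned user, so the
    # response does not reveal which client IDs exist.
    if object_id not in assignments.get(client_id, set()):
        return deny("You are not assigned to this application.")
    return 200, {}

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        status, body = check_assignment(self.rfile.read(length))
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

if __name__ == "__main__":
    # Local test only; a real deployment needs TLS and caller authentication.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```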

1 Answer

0

Azure AD B2C does not support user assignment to applications.

Although this information is theoretically available via the Graph API, it would likely be difficult to obtain and parse in a B2C custom policy. For something similar which retrieves a user's groups, check out this sample: https://github.com/azure-ad-b2c/samples/tree/master/policies/relying-party-rbac

Adam Stoffel