We are allowing external Azure AD users to sign up and log in to our application via a custom policy. This creates a shell user in our Azure AD org, and we use the user's email address under the user profile, not the user's UPN from the external AD. If the user's email address is different from their UPN, the shell user in our adb2c org will have the email address as the UPN. We customized the custom policy to return the user attributes from the external AD together with the user attributes from the shell user in adb2c. Our application will detect if there is a change in the name or email address and will update the adb2c shell user via Microsoft Graph.

When the user's email address changes, I want to update the shell user in our adb2c org. Since the email address is used as the UPN, how can I update my federated user's userPrincipalName in our adb2c shell user via the Graph API?

// Copy the identities collection of the Graph user so it can be edited locally
var identities = graphUser.Identities.Select(o => new ObjectIdentity
{
    SignInType = o.SignInType,
    Issuer = o.Issuer,
    IssuerAssignedId = o.IssuerAssignedId,
    ODataType = o.ODataType,
    AdditionalData = o.AdditionalData
}).ToList();

// The identity that links the shell user to the external Azure AD tenant
var federatedIdentity = identities.FirstOrDefault(i => i.SignInType == "federated");

Both of these won't work:

federatedIdentity.IssuerAssignedId = "mynameuser@federatedAAD.org";

or

var updatedUser = new User
{
    // other user attributes here
    UserPrincipalName = "mynameuser@federatedAAD.org"
};

await _graphServiceClient.Users[idpId]
    .Request()
    .UpdateAsync(updatedUser);

Thanks in advance!

Sdiego

1 Answer

• You can update the external user identity or shell user identity in Azure AD B2C using the Microsoft Graph API through the HTTP interface with the command below:

    PATCH https://graph.microsoft.com/v1.0/users/{object id}

    {"userPrincipalName":"jdoe@abc.com"}

Where, instead of “jdoe@abc.com”, enter the user principal name of the already created Azure AD B2C shell user or federated user that logs in to Azure AD B2C. Since the user identity is already created when the user logs in for the first time to use the application, only the existing user principal name needs to be updated, which can be done through the above command.

• Also, Microsoft Graph does not seem to allow setting userPrincipalName when creating a user in Azure AD B2C. It generates the userPrincipalName as {object id}@abc.com, and you can then update the userPrincipalName. That is why your second snippet, which creates or updates the shell user’s UPN, didn’t work. Also ensure that you add the federated domain as a verified domain in Azure AD B2C for the above command and options to succeed.

Please refer to the links below for more information:

Pre-Create Federated Users in Azure B2C Using Graph

https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http

Kartik Bhiwapurkar
  • From what I've seen, the API call to create user requires userPrincipalName for B2C and it has to use a verified domain. – Alex Mar 22 '23 at 15:18
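The update the answer describes (a PATCH of `userPrincipalName` on `/v1.0/users/{object id}`), combined with the check both the answer and the comment point at (the new UPN's domain must be a verified domain in the B2C tenant), as an added example that is not part of the question or the answer. The verified-domain set would normally be fetched from `GET /v1.0/domains` and filtered on `isVerified`; here a constructed set and a constructed shell-user record are embedded so the planning logic runs offline, and the access token is a placeholder.

```python
"""Plan, and optionally send, the Graph PATCH that renames a B2C shell
user's UPN after the external directory reports a changed email address.

Added example, not code from the original question or answer. Assumptions:
  * an access token with permission to update users (placeholder below),
  * the verified domains were fetched earlier from GET /v1.0/domains
    (a constructed set is embedded here so the script runs offline).
"""
import json
import urllib.request
from typing import Optional

GRAPH = "https://graph.microsoft.com/v1.0"


def upn_domain(upn: str) -> str:
    """Return the domain part of a UPN, lower-cased for comparison."""
    if upn.count("@") != 1:
        raise ValueError(f"not a valid UPN: {upn!r}")
    return upn.rsplit("@", 1)[1].lower()


def plan_upn_update(shell_user: dict, external_email: str,
                    verified_domains: set) -> Optional[dict]:
    """Return the PATCH body that aligns the shell user's UPN with the
    external directory's email address, or None when nothing changed.

    Raises ValueError when the new UPN's domain is not verified in the
    B2C tenant, because Graph would reject the PATCH in that case.
    """
    current = shell_user.get("userPrincipalName", "")
    # UPNs are compared case-insensitively; no change means no PATCH.
    if current.lower() == external_email.lower():
        return None
    verified = {d.lower() for d in verified_domains}
    if upn_domain(external_email) not in verified:
        raise ValueError(
            f"domain of {external_email!r} is not a verified domain "
            f"in the B2C tenant; add and verify it before renaming")
    return {"userPrincipalName": external_email}


def patch_user(object_id: str, body: dict, access_token: str) -> int:
    """Send PATCH /users/{object id} with the given body.

    Returns the HTTP status code; Graph answers 204 No Content on success.
    Only called when a real token is supplied (network access required).
    """
    req = urllib.request.Request(
        f"{GRAPH}/users/{object_id}",
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Constructed sample shell user, shaped like a Graph user object for a
# federated B2C account (object id and issuer values are made up).
SAMPLE_SHELL_USER = {
    "id": "00000000-0000-0000-0000-000000000000",
    "displayName": "My Name User",
    "userPrincipalName": "oldname@federatedAAD.org",
    "identities": [
        {
            "signInType": "federated",
            "issuer": "federatedAAD.org",
            "issuerAssignedId": "oldname@federatedAAD.org",
        }
    ],
}

# Constructed verified-domain set (what GET /v1.0/domains would report).
VERIFIED_DOMAINS = {"federatedAAD.org", "contosob2c.onmicrosoft.com"}

if __name__ == "__main__":
    body = plan_upn_update(SAMPLE_SHELL_USER,
                           "mynameuser@federatedAAD.org", VERIFIED_DOMAINS)
    print("PATCH body:", json.dumps(body))
    # With a real token, send it:
    # patch_user(SAMPLE_SHELL_USER["id"], body, "<ACCESS_TOKEN_PLACEHOLDER>")
```

Keeping the planning step separate from the HTTP call lets the application log exactly what it is about to change and refuse early when the domain has not been verified, which is the failure mode the answer and the follow-up comment both describe.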