
B2C uses an alternative security ID to uniquely identify users from social accounts. We have a problem where a user enters credentials for a user, but somehow B2C authenticates the user as someone else. I suspect the IDP is returning bad claims data or the alternative security IDs are the same. How do I view the alternative security ID of a user in Active Directory?

I tried the following MS Graph query trying all the attributes I can think of (including the ones listed in this article), but graph doesn't return data for these attributes.

https://graph.microsoft.com/v1.0/users/<userId>?$select=id,alternativeSecurityId,alternativeSecurityIds,extension_<b2cExtensionAppId>_alternativeSecurityId,extension_<b2cExtensionAppId>_alternativeSecurityIds

Thanks in advance!

1 Answer


AlternativeSecurityId for a B2C user is found in the Identities collection via MS Graph API.

The AlternativeSecurityId claim used in the B2C policy maps to the Identities: issuerAssignedId value for the corresponding issuer.

E.g., for issuerAssignedId: 123 (id from the Google token) from issuer: google.com

  "identities": [
    {
      "signInType": "federated",
      "issuer": "google.com",
      "issuerAssignedId": "123"
    }
  ],

You can return the identities collection by calling the /users endpoint of MS Graph API. https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http

Jas Suri - MSFT
Thanks Jas! This was exactly what I was looking for. Yea, the root problem appears to be the IDP (a custom implementation of Identity Server 4) our B2C is federated with, as this MS Graph query and the B2C logs both confirm the IDP sends us the same issuerAssignedId and sub claim (where the B2C policy gets the issuerAssignedId from) but different user details. – KingTwinkie Feb 14 '22 at 15:37
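As an added example (not code from the question or answer above), the following Python shows the two checks a B2C operator would run on the identities collection the answer points to: building the Graph lookup for one federated identity, and scanning a /users response for two users that share the same issuer + issuerAssignedId. The user response is a constructed sample, not real tenant data; the only real Graph syntax assumed is the documented $filter on identities/any().

```python
import json
from collections import defaultdict
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"


def lookup_url(issuer: str, issuer_assigned_id: str) -> str:
    """Graph request resolving one federated identity to a user.
    Graph filters the identities collection with an any() lambda."""
    flt = (f"identities/any(c:c/issuerAssignedId eq '{issuer_assigned_id}' "
           f"and c/issuer eq '{issuer}')")
    return f"{GRAPH}/users?$filter={quote(flt, safe='')}&$select=id,displayName,identities"


def index_identities(users: list) -> dict:
    """Map (issuer, issuerAssignedId) -> user object ids, federated identities only."""
    idx = defaultdict(list)
    for user in users:
        for ident in user.get("identities", []):
            if ident.get("signInType") != "federated":
                continue  # local accounts and userPrincipalName entries are not IDP claims
            idx[(ident["issuer"], ident["issuerAssignedId"])].append(user["id"])
    return idx


def find_collisions(users: list) -> dict:
    """Identities mapped to more than one user: two accounts would sign in as each other."""
    return {key: ids for key, ids in index_identities(users).items() if len(ids) > 1}


# Constructed sample of GET /users?$select=id,displayName,identities (not real data).
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "user-a", "displayName": "Alice",
     "identities": [{"signInType": "federated", "issuer": "google.com", "issuerAssignedId": "123"}]},
    {"id": "user-b", "displayName": "Bob",
     "identities": [{"signInType": "federated", "issuer": "google.com", "issuerAssignedId": "123"}]},
    {"id": "user-c", "displayName": "Carol",
     "identities": [{"signInType": "emailAddress", "issuer": "contoso.onmicrosoft.com",
                     "issuerAssignedId": "carol@example.com"}]},
    {"id": "user-d", "displayName": "Dan",
     "identities": [{"signInType": "federated", "issuer": "google.com", "issuerAssignedId": "456"}]},
]})


def collisions_in(response_json: str) -> dict:
    return find_collisions(json.loads(response_json)["value"])


if __name__ == "__main__":
    print(lookup_url("google.com", "123"))
    for (issuer, assigned), ids in collisions_in(SAMPLE_RESPONSE).items():
        print(f"DUPLICATE {issuer}/{assigned}: {ids}")
```

If the scan reports no duplicate keys but a sign-in still lands on the wrong account, the identities collection is consistent and, as in the comment above, the IDP's sub claim versus its profile claims is the next thing to compare.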