1

From the documentation it seems that using an application that is in the B2C tenant and thus hosts user accounts that there is no way to directly access Microsoft Graph API via a logged in user per their own context.

I want to establish the use case properly so that the solution is that which makes the most sense.

The use case is that if a user wants to edit claims for example such as permissions they would be able to do so while logged in through Azure B2C.

The flow would be. Logged in user -> can change certain claims information such as address, surname, and other custom policy fields (SEO contact permissions.)

Is the proper way to do this is to build a proxy that will take the application's AD application permissions which are allowed to call out to Microsoft Graph and pass along user context so that the scope will be limited to that user only?

For example. User logs into the app.

  1. The app has AD permissions that are granted admin consent
  2. Create a client secret to prove application identity upon request of a token
  3. Now can access Microsoft Graph api Ref of Registering an app with Microsoft Graph api

What's not clear here exactly is the next part. My user is logged in with Azure B2C. Should I just pass along their id token which has their claims to the application? How do I put in scope/context of the logged in user of the app permissioned access to Microsoft Graph?

This part is not clear in any documentation.

  1. I don't want a logged in user to have access to everything.
  2. Is a proxy the only way to do this?
  3. If a proxy is the only way to do this what identifier or id is what should be used to pass along to the query to assure only that user is in context?
  4. Am I thinking of this incorrectly and or is there a better way to do this other than a proxy?

The documentation says this.

Apps that have a signed-in user but also call Microsoft Graph with their own identity. For example, to use functionality that requires more elevated privileges than the user has.

That doesn't fit exactly into my use case above or address it really but I think it is related. The functionality should be considered to be an elevated permission but to the scope of the user. This user can change this claim via their own logged in entity. What do you call that and what is the best way to solution this?

Lastly, is there anything that should be known in the MSAL library including Angular and React that would be useful in this process? It seems like I will have to converge the 2 to obtain the access token of the app and of the person and proxy those out to a backend service (the proxy) to then do a body of work.

Am I thinking of this correctly?

This Stack is the closest to relevance but doesn't ask or solution the entire use case as I have here. But is useful for illustrating the confusion.

Christian Matthew
  • 4,014
  • 4
  • 33
  • 43

1 Answers1

1

"Logged in user -> can change certain claims information such as address, surname, and other custom policy fields (SEO contact permissions.)"

Why can't you use the Profile Edit user flow? You can configure what attributes the user can change.

rbrayb
  • 46,440
  • 34
  • 114
  • 174
  • Because that comes up in a login redirect or popup. Not an integration into the application. – Christian Matthew Sep 02 '22 at 22:48
  • https://learn.microsoft.com/en-us/azure/active-directory-b2c/embedded-login?pivots=b2c-custom-policy – Jas Suri - MSFT Sep 02 '22 at 23:36
  • Either you embed the profile edit flow into your website, or you use the users B2C access token to call your own API, and your API uses its own credentials to make the change via MS Graph API. AAD B2C does not issue tokens to users to call any Microsoft API, only tokens for your own APIs. The stack post you linked is exactly describing this. – Jas Suri - MSFT Sep 03 '22 at 07:28
  • Oh look: A pointer to a Microsoft documentation page for a public preview feature, instructing us all author custom policies and then embed the B2C code in an iframe, followed by the text "Running MSAL 2.0 in an iframe is not currently supported." This is a doc page that simultaneously offers a solution before noting that it won't work. – Rob Perkins Sep 15 '22 at 05:00