1

I'm mid-way through a task to migrate a legacy .NET MVC app to use Single Sign On (SSO) to make integration with a to-be-developed mobile app possible. I'm planning on using Azure AD B2C to facilitate this and based on my research, I need to use custom policies to achieve the required functionality.

Work on this migration is proceeding very slowly. I'm finding the custom policy XML very clunky to work with. It's going to take quite some time to achieve parity with the existing system given the current velocity. I'm wondering whether it would be wise to sidestep a lot of the migration headaches by using the Microsoft Graph API in place of custom policies.

Take registration for example. It appears common to redirect the user to a SignUp.xml custom policy (or the integrated SignUpOrSignIn.xml) to handle adding the user record in the AD B2C data store. Part of this policy would involve calling a REST API to create a corresponding record for this user in the app's database (stores email settings and such). Instead of using these custom policies, my plan would be to instead take the existing registration process and simply add a step which creates the user record on the B2C side using the Microsoft Graph API.

It appears that most things I need can be achieved using the Microsoft Graph API. Things I need that I can see are not available are:

  • logging in to a user account; and
  • sending verification emails

Are there any other common authentication-related tasks I'm likely to need that couldn't be achieved using the Graph API?

As far as downsides, the fact I'd be handling user passwords (even if it was just to create the user and nothing else) is an obvious concern, but perhaps acceptable. The main thing I'm after is a simple SSO solution that generates secure access tokens (incl. handling reset tokens, etc). I hope then, that this could be a feasible option.

ajbeaven
  • 9,265
  • 13
  • 76
  • 121
  • What'd you end up going for with this? I was starting to think along the same lines. I sort of get the point of creating an XML schema so non-devs can create custom policies using XML files (ignoring the fact that the schema is more complex/clunky than calling an API in almost any language anyway). Why not have an API that we can hit to perform all of these actions? It seems that Graph is that API, but I'm not sure it can do everything required? – Nick Cameron Jun 29 '23 at 04:48
  • 1
    @NickCameron - a bit of a combination really, but mostly custom policies. If I were to do this again (God help me), I would be much more inclined to use the Graph API for everything. The only things I couldn't handle externally (i.e. outside B2C altogether) or with the API was password change, password reset and signing in. Everything else I needed could be achieved with the Graph API. – ajbeaven Jun 29 '23 at 21:57
  • Thanks @ajbeaven! That's pretty much where I'm heading now. I was hoping I'd just missed the documentation for some endpoints in Graph that allowed sign in etc. – Nick Cameron Jun 30 '23 at 01:24

1 Answer

0

You will miss out on password reset, profile edit, SSO and token expiration etc.

A better way may be to use the base custom policies and achieve a lot of what you need by having the policy call REST APIs.

What is your use case?

rbrayb
  • 46,440
  • 34
  • 114
  • 174
  • I would still be using the SignIn custom policy, so presumably SSO and token expiration would still work? Surely Microsoft Graph API has an endpoint for editing a profile of a user? You can definitely change the email address. – ajbeaven Sep 27 '22 at 21:38
  • Yes - https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-operations - but there isn't a specific profile – rbrayb Nov 06 '22 at 03:58
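The two Graph operations discussed in this thread, creating the B2C user record from the app's own registration step (the plan in the question) and editing a user's profile (the last two comments), as an added example that is not code from the question, the answer, or Microsoft. It uses the request shapes documented in the Microsoft Graph operations page linked above; the tenant domain, client credentials and sample user are constructed placeholders, and the `User.ReadWrite.All` application permission is assumed to have been granted to the client.

```python
# Added example: create and update an Azure AD B2C local account via
# Microsoft Graph from an app's own registration flow. Tenant name, client
# id/secret and the sample user below are constructed placeholders.
import json
import re
import urllib.parse
import urllib.request

GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_local_account(tenant_domain, email, display_name, password):
    """Request body for POST /users that creates a B2C local (email) account.

    The `identities` entry with signInType "emailAddress" is what makes this
    a local account the SignIn policy can authenticate; `issuer` is the
    tenant's onmicrosoft.com domain.
    """
    if not EMAIL_RE.match(email):
        raise ValueError("invalid email address")
    if len(password) < 8:
        raise ValueError("password too short")
    return {
        "displayName": display_name,
        "identities": [
            {
                "signInType": "emailAddress",
                "issuer": tenant_domain,
                "issuerAssignedId": email,
            }
        ],
        "passwordProfile": {
            "password": password,
            # The user chose this password at registration, so there is no
            # reason to force a change at first sign-in.
            "forceChangePasswordNextSignIn": False,
        },
        "passwordPolicies": "DisablePasswordExpiration",
    }


def redact(body):
    """Deep copy of a user body with the password removed, safe for logs."""
    safe = json.loads(json.dumps(body))
    if "passwordProfile" in safe:
        safe["passwordProfile"]["password"] = "<redacted>"
    return safe


def build_profile_patch(display_name=None, given_name=None, surname=None):
    """Body for PATCH /users/{id}; only the attributes passed are changed."""
    patch = {k: v for k, v in {
        "displayName": display_name,
        "givenName": given_name,
        "surname": surname,
    }.items() if v is not None}
    if not patch:
        raise ValueError("nothing to update")
    return patch


def get_app_token(tenant_domain, client_id, client_secret):
    """Client-credentials token for Graph (app-only, no user context)."""
    url = f"https://login.microsoftonline.com/{tenant_domain}/oauth2/v2.0/token"
    data = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return json.load(resp)["access_token"]


def graph_request(token, method, url, body):
    """Send a JSON request to Graph; returns the parsed body or {} on 204."""
    req = urllib.request.Request(
        url, method=method, data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def create_user(token, body):
    """POST /users; the returned object's 'id' is what the app should store."""
    return graph_request(token, "POST", GRAPH_USERS_URL, body)


def update_user(token, user_id, patch):
    """PATCH /users/{id}; Graph answers 204 with an empty body on success."""
    return graph_request(token, "PATCH", f"{GRAPH_USERS_URL}/{user_id}", patch)


if __name__ == "__main__":
    body = build_local_account("contoso.onmicrosoft.com", "jane@example.com",
                               "Jane Doe", "Correct-Horse-Battery-Staple-1")
    print(json.dumps(redact(body), indent=2))
```

In the registration step, keep the plaintext password only for the lifetime of the `create_user` call and log the `redact(...)` form if anything about the request has to be recorded; persist the `id` Graph returns next to the app's own user row so later profile edits and lookups do not depend on the email address. As the thread notes, Graph creates and edits the account but does not sign the user in or issue tokens, so the SignIn policy (or SignUpOrSignIn) is still the component that authenticates and sets token lifetimes.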