rbrayb

Reputation: 46700

Calling the Azure AD Graph API from an Azure AD B2C custom policy?

The REST API call in an Azure AD B2C custom policy defines a fixed URL in the "ServiceUrl" field.

The Graph API call for a read is of the form, e.g.:

.../users/objectID

so the URL needs to be dynamic.

You could add objectID as an input claim but how would it get into the URL?

The output is a JSON object. I presume you could do a claims transformation on that to get a particular attribute defined in the output claim.

Writing to the Graph API requires a PATCH but the custom policy REST API call only allows GET and POST.

There doesn't seem to be a claims transformation to build up a JSON object to write from output claims.

Is calling the Azure AD Graph API from a custom policy possible?

Upvotes: 1

Views: 2384

Answers (2)

user1348051

Reputation: 52

Edit March 1st: Regarding your question

Is calling the Azure AD Graph API from a custom policy possible?

To call Azure AD you have to use the AzureActiveDirectoryProvider. The RESTful provider is for calling an arbitrary REST API that you might set up and control yourself.

To use the AAD provider, you can follow the documentation here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom

Below is my original answer regarding the capabilities of Restful Provider:

Dynamic URLs can be supported in the RESTful Provider with the metadata key "SendClaimsAs" = "Url".

If you use this, you can specify a URL like this: "https://my.tld/{partnerClaim1}/{partnerClaim2}", and the claims will be populated into the URL.

However, if you do this, the request will always be a GET request.

The output is a JSON object. I presume you could do a claims transformation on that to get a particular attribute defined in the output claim.

You are right, you can use a claims transformation to get a claim from a JSON.

Writing to the Graph API requires a PATCH but the custom policy REST API call only allows GET and POST.

There doesn't seem to be a claims transformation to build up a JSON object to write from output claims.

You are correct, today we don't have claims transformations for output claims, and the REST API doesn't support PATCH requests.

Upvotes: 1
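What the URL mode described in this answer looks like in policy XML, as an added example that is not part of the original answer. It assumes a `objectId`, `displayName` and `accountTier` ClaimType are already declared in the ClaimsSchema, an API host `api.example.invalid` that you operate, and a bearer-token policy key named `B2C_1A_RestApiBearerToken` (all assumed names). In the current B2C documentation the metadata key is spelled `SendClaimsIn` (the answer above calls it `SendClaimsAs`); the behaviour is the one the answer describes: placeholders in `ServiceUrl` are filled from input claims and the call is always a GET.

```xml
<!-- Added example: RESTful technical profile that sends claims in the URL.
     Not from the original answer; host, claim names and key name are assumptions. -->
<ClaimsProvider>
  <DisplayName>Example REST API (assumed)</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="REST-ReadUserByObjectId">
      <DisplayName>Read a user record from an API you control</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <!-- {objectId} is replaced by the input claim whose PartnerClaimType is "objectId".
             With SendClaimsIn=Url the request is always an HTTP GET, so this profile can only read. -->
        <Item Key="ServiceUrl">https://api.example.invalid/users/{objectId}</Item>
        <Item Key="SendClaimsIn">Url</Item>
        <!-- Authenticate the call; AuthenticationType=None would expose the lookup endpoint
             to anyone who can guess an objectId. -->
        <Item Key="AuthenticationType">Bearer</Item>
        <Item Key="AllowInsecureAuthInProduction">false</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Identity Experience Framework policy key holding the bearer token (assumed name). -->
        <Key Id="BearerAuthenticationToken" StorageReferenceId="B2C_1A_RestApiBearerToken" />
      </CryptographicKeys>
      <InputClaims>
        <!-- PartnerClaimType must match the {placeholder} used in ServiceUrl. -->
        <InputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId" />
      </InputClaims>
      <OutputClaims>
        <!-- Top-level properties of the JSON response are mapped to claims by PartnerClaimType. -->
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="displayName" />
        <OutputClaim ClaimTypeReferenceId="accountTier" PartnerClaimType="accountTier" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

Because the claim values become part of the request path, they end up in the API's access logs and in any proxy between B2C and the API; keep URL placeholders to opaque identifiers such as `objectId` rather than e-mail addresses or other personal data, and put anything sensitive in a POST body (`SendClaimsIn=Body`) instead.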

Jose Rojas

Reputation: 216

Adding an additional perspective:

You asked: Is calling the Azure AD Graph API from a custom policy possible?

As noted above, there are some challenges using the REST API technical provider to call Azure AD; however, we do call the Azure Graph API from a custom policy all the time. We use the Azure AD Provider.
As you take a close look at the starter pack you will see all the Azure AD-related calls (AAD Technical Profiles). Except for authentication, all the other Azure AD provider calls are indeed calls to Azure AD Graph to create a user, to update a user profile.

Can you tell us what you are trying to accomplish with your call to Azure AD Graph?

Update / Answer

We have a user provisioning flow outside of B2C.

Part of that flow invokes a B2C custom policy. In the user journey we want to access / update some B2C attributes. Some of them are standard. Some are custom extension attributes.

Depending on the value, we follow different flows inside the journey using "Preconditions".

So essentially get / set methods on B2C attributes.

To do that, we looked at the "Web.TPEngine.Providers.RestfulProvider" option to call the GraphAPI.

But that does not seem to be possible.

Are you saying that we could achieve the same result by using "AAD-UserReadUsingObjectId" and "AAD-UserWriteProfileUsingObjectId"?

That makes sense as long as it can all run in the background. There is no UI involved.

Upvotes: 2
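The get/set pair this answer points to, written out as an added example (not code from the answer or from the starter pack, though it follows the starter-pack profile names mentioned above). It assumes a ClaimType `extension_accountTier` exists as a custom extension attribute, a `displayName` ClaimType, and the `b2c-extensions-app` object id and client id, which are placeholders here; the orchestration step at the end shows the "Preconditions" branching the question describes, with "trial" as an assumed attribute value.

```xml
<!-- Added example: Azure AD provider profiles that read and write directory attributes
     by objectId with no UI. Ids in AAD-Common are placeholders; claim names are assumptions. -->
<ClaimsProvider>
  <DisplayName>Azure Active Directory</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AAD-Common">
      <DisplayName>Azure Active Directory</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <!-- Needed only when extension_* attributes are read or written:
             the b2c-extensions-app that owns them (placeholder values). -->
        <Item Key="ApplicationObjectId">00000000-0000-0000-0000-000000000000</Item>
        <Item Key="ClientId">00000000-0000-0000-0000-000000000000</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
      </CryptographicKeys>
      <IncludeInSso>false</IncludeInSso>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>

    <!-- "get": the provider performs the Graph read; the journey fails if no user has this objectId. -->
    <TechnicalProfile Id="AAD-UserReadUsingObjectId">
      <Metadata>
        <Item Key="Operation">Read</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
      </Metadata>
      <IncludeInSso>false</IncludeInSso>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
      </InputClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="extension_accountTier" />
      </OutputClaims>
      <IncludeTechnicalProfile ReferenceId="AAD-Common" />
    </TechnicalProfile>

    <!-- "set": only the PersistedClaims listed are written; no PATCH or JSON body is built by the policy. -->
    <TechnicalProfile Id="AAD-UserWriteProfileUsingObjectId">
      <Metadata>
        <Item Key="Operation">Write</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">false</Item>
        <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
      </Metadata>
      <IncludeInSso>false</IncludeInSso>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
      </InputClaims>
      <PersistedClaims>
        <PersistedClaim ClaimTypeReferenceId="objectId" />
        <PersistedClaim ClaimTypeReferenceId="extension_accountTier" />
      </PersistedClaims>
      <IncludeTechnicalProfile ReferenceId="AAD-Common" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- UserJourney fragment: branch on the value just read. The write step runs only
     when extension_accountTier equals "trial" (assumed value); otherwise it is skipped. -->
<OrchestrationStep Order="3" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
      <Value>extension_accountTier</Value>
      <Value>trial</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="WriteAccountTier" TechnicalProfileReferenceId="AAD-UserWriteProfileUsingObjectId" />
  </ClaimsExchanges>
</OrchestrationStep>
```

Both profiles take `objectId` from the claims bag, so where that value comes from decides who can read or change whose attributes: in the starter pack it is produced by an earlier sign-in step for the authenticated user. A background journey that accepts `objectId` from the caller instead needs the calling application itself to be trusted and authenticated, otherwise any client able to start the policy could update arbitrary users' attributes.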
