Michael Simon

Reputation: 3

Calling MS Graph API for additional attribute from within B2C IEF Policy

I am trying to prevent duplicate accounts from being created in Azure B2C by looking at a custom field (i.e. Employee ID) and, if there is a record of that Employee ID already existing, not allowing the user to create a new account. Since it doesn't appear you can use custom fields as an Input, I was considering using the Graph API to see if a record is returned for a given Employee ID: if it does, it would stop the registration process; if it doesn't, the registration can continue.

Is it possible to directly call the Graph API and do this record count comparison within a policy? Or would I need to have a separate script/function to call the Graph API with the given Employee ID and then return the number of records to compare?

Upvotes: 0

Views: 313

Answers (2)

Jas Suri - MSFT

Reputation: 11315

During sign up, store the employeeId value in the signInNames attribute using a custom policy. This attribute has a uniqueness constraint.

Upvotes: 1

Harshita Singh

Reputation: 4870

You can achieve this using the Microsoft Graph SDK.

Any request to the Microsoft Graph API requires an access token for authentication. The solution makes use of the Microsoft.Graph.Auth NuGet package that provides an authentication scenario-based wrapper of the Microsoft Authentication Library (MSAL) for use with the Microsoft Graph SDK.

For instance, if you are using C# to achieve this, the Program.cs code snippet will look like:

using Microsoft.Graph;
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;

// Read application settings from appsettings.json (tenant ID, app ID, client secret, etc.)
// The client secret should come from a secret store or environment, not be checked into source
AppSettings config = AppSettingsFile.ReadFromJsonFile();

// Initialize the client credential auth provider (app-only token for the B2C tenant)
IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
    .Create(config.AppId)
    .WithTenantId(config.TenantId)
    .WithClientSecret(config.ClientSecret)
    .Build();
ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);

// Set up the Microsoft Graph service client with client credentials
GraphServiceClient graphClient = new GraphServiceClient(authProvider);

UserService.cs:

using System;
using System.Threading.Tasks;
using Microsoft.Graph;
using Newtonsoft.Json;

public static async Task ListUsers(GraphServiceClient graphClient)
{
    Console.WriteLine("Getting list of users...");

    // Get the first page of users, selecting only the employeeId property
    // (the SDK property is PascalCase: EmployeeId)
    var result = await graphClient.Users
        .Request()
        .Select(e => new
        {
            e.EmployeeId
        })
        .GetAsync();

    foreach (var user in result.CurrentPage)
    {
        Console.WriteLine(JsonConvert.SerializeObject(user));
    }

    // Only one page is printed here; further pages are reachable via result.NextPageRequest
}

If you get a result for an existing employee, you invalidate the sign-up and send an error response with an error message.

Upvotes: 0
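The answer above lists users and leaves the "stop the sign-up" part as prose. The block below is an added example, not code from the answer or from Microsoft, of the check as it would sit behind the REST technical profile a B2C custom policy calls: it filters Graph on the employee attribute instead of paging through every user, escapes the user-supplied value inside the OData filter, sends the ConsistencyLevel: eventual header that $count on /users requires, and answers with the HTTP 409 body (version, status, userMessage) that B2C uses to abort the journey and show userMessage to the user. Assumptions: the token is an app-only token obtained as in the answer (obtaining it is not shown); the attribute is the built-in employeeId, whereas a B2C custom attribute would be named extension_<appId without dashes>_EmployeeID; and Graph is replaced by a constructed in-memory stand-in so the code runs offline.

```python
"""Duplicate-Employee-ID check for an Azure AD B2C sign-up, as called from a REST technical profile."""
import urllib.parse
from typing import Callable, Dict, Set, Tuple

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"

# Attribute that holds the employee number. The answer above uses the built-in
# employeeId; a B2C custom attribute would instead be named
# extension_<appId without dashes>_EmployeeID (assumption: adjust to your tenant).
EMPLOYEE_ATTR = "employeeId"

# Transport abstraction so the logic can run offline:
# fetch(url, headers) -> (http_status, json_body)
Fetch = Callable[[str, Dict[str, str]], Tuple[int, dict]]


def odata_quote(value: str) -> str:
    """Quote a string literal for an OData $filter. A single quote inside the
    value is escaped by doubling it, so user input cannot break out of the
    literal and change the filter expression."""
    return "'" + value.replace("'", "''") + "'"


def build_lookup_url(employee_id: str) -> str:
    """Build the Graph query: filter on the attribute, ask only for id and the
    match count, and cap the page at one user."""
    query = urllib.parse.urlencode({
        "$filter": f"{EMPLOYEE_ATTR} eq {odata_quote(employee_id)}",
        "$select": "id",
        "$count": "true",
        "$top": "1",
    })
    return f"{GRAPH_USERS}?{query}"


def count_users_with_employee_id(fetch: Fetch, access_token: str, employee_id: str) -> int:
    # $count on /users is an advanced query and needs ConsistencyLevel: eventual.
    headers = {
        "Authorization": f"Bearer {access_token}",
        "ConsistencyLevel": "eventual",
    }
    status, body = fetch(build_lookup_url(employee_id), headers)
    if status != 200:
        # Fail closed: a Graph error must not let a duplicate through.
        raise RuntimeError(f"Graph lookup failed with HTTP {status}")
    if "@odata.count" in body:
        return int(body["@odata.count"])
    return len(body.get("value", []))


def handle_b2c_request(body: dict, fetch: Fetch, access_token: str) -> Tuple[int, dict]:
    """Handle the JSON body a B2C REST technical profile posts (input claim employeeId).
    Returns (http_status, response_json). B2C stops the journey on a 409 with this
    body shape and shows userMessage to the user."""
    employee_id = str(body.get("employeeId", "")).strip()
    if not employee_id or len(employee_id) > 64:   # cheap sanity check before calling Graph
        return 409, {"version": "1.0.0", "status": 409,
                     "userMessage": "Employee ID is missing or invalid."}
    if count_users_with_employee_id(fetch, access_token, employee_id) > 0:
        return 409, {"version": "1.0.0", "status": 409,
                     "userMessage": "An account with this Employee ID already exists."}
    # 200 lets the sign-up continue; returned keys become output claims in the policy.
    return 200, {"employeeId": employee_id}


# --- Constructed stand-in for Graph so the check runs offline ----------------
SAMPLE_DIRECTORY: Set[str] = {"E1001", "E1002", "O'Brien"}   # constructed sample data


def fake_graph_fetch(existing_ids: Set[str]) -> Fetch:
    """Parse the $filter back out of the URL and answer the way Graph would."""
    def fetch(url: str, headers: Dict[str, str]) -> Tuple[int, dict]:
        if headers.get("ConsistencyLevel") != "eventual":
            return 400, {"error": {"message": "ConsistencyLevel header required"}}
        params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
        literal = params["$filter"][0].split(" eq ", 1)[1]      # e.g. 'E1001'
        wanted = literal[1:-1].replace("''", "'")                # undo odata_quote
        hits = [{"id": f"id-{wanted}"}] if wanted in existing_ids else []
        return 200, {"@odata.count": len(hits), "value": hits}
    return fetch


DEMO_FETCH = fake_graph_fetch(SAMPLE_DIRECTORY)

if __name__ == "__main__":
    for req in ({"employeeId": "E1001"}, {"employeeId": "E9999"}, {"employeeId": "O'Brien"}, {}):
        print(req, "->", handle_b2c_request(req, DEMO_FETCH, "fake-token"))
```

In a real deployment handle_b2c_request would be the body of an HTTP-triggered function that the policy's RestfulProvider technical profile calls with the employeeId input claim, and the policy would place that technical profile as a validation technical profile of the sign-up page so a 409 blocks the account write. Note that this check is advisory only: two concurrent sign-ups can both see zero matches, which is why the uniqueness constraint suggested in the other answer is the stronger control.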
