user1063287

Reputation: 10839

How to interact with Azure AD B2C custom User Attributes via Microsoft Graph PowerShell SDK?

I have added a custom User Attribute named Company Name via:

Azure AD B2C > User attributes

so that this information can be returned in the identity token after successful sign in.

I want to update these values for each user in the Azure AD B2C tenant.

As I understand it:

I don't want to have to create an application just to be able to perform this basic administrative task.

So I am looking at:

Microsoft Graph PowerShell SDK

I installed the Microsoft Graph PowerShell SDK in PowerShell 7.

I was prompted to sign in via the browser after running this command:

Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All"

At this point I was confused about which credentials to log in with.

I logged in using my 'home tenant' Azure AD credentials.

(i.e. the admin credentials of the Azure AD tenant from which I created the Azure AD B2C tenant, which then automatically created a guest account in the B2C tenant with the user principal name of info_my-home-tenant.onmicrosoft.com#EXT#@my-dev-tenant.onmicrosoft.com).

I made the decision because I don't think I have any Azure AD B2C credentials.

(to access Azure AD B2C when I am logged into Azure Portal with my Azure AD credentials, I just click on 'switch directory').

I then ran:

Get-MgUser

And it, predictably, returned the users from my home Azure AD tenant, not the Azure AD B2C tenant.

So my question is:

In PowerShell 7, with the Microsoft Graph PowerShell SDK installed, how do I sign in so that I can interact with the Azure AD B2C tenant users, rather than my 'home' directory tenant users?

EDIT:

I started trying to follow the process described here:

Use app-only authentication with the Microsoft Graph PowerShell SDK

The first step is:

You'll need an X.509 certificate installed in your user's trusted store on the machine where you'll run the script

I created an Application Registration, however in the Certificates & secrets section it says:

Please note certificates cannot be used to authenticate against Azure AD B2C.


Upvotes: 0

Views: 2475

Answers (1)

Daniel Krzyczkowski

Reputation: 3157

I agree this is tricky.

Below are the steps you can use to successfully sign in to Azure AD B2C using Microsoft Graph SDK, and update a user's custom attribute value.

This post is divided into three sections:

  • Solution Summary (to get an idea of the scope before diving into the details)
  • Variables (which lists the variable values required and where to find them)
  • Commands (which lists the commands required)

This post assumes we have a custom attribute named Company Name defined in Azure AD B2C:



PowerShell Microsoft Graph SDK Reference

To orientate yourself, here is the link to the Microsoft.Graph.Users section:

Microsoft.Graph.Users


Summary

The solution requires the definition of 4 variables and 5 commands that will reference them:

Variables:

  • azure_ad_b2c_tenant_id
  • extensions_app_id
  • custom_attribute_property
  • user_id

Commands:

Make a connection:

Connect-MgGraph -TenantId "<azure_ad_b2c_tenant_id>" -Scopes "User.ReadWrite.All"

Sanity check - list all users:

Get-MgUser | Format-List  ID, DisplayName, UserPrincipalName

Sanity check - view existing value of custom attribute for single user:

$existingUser = Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
$existingUser.AdditionalProperties | Format-List

Update a user's custom attribute:

$params = @{extension_<your-extensions-app-application-id>_CompanyName='Test Company'}
Update-MgUser -UserId "<user-id>" -BodyParameter $params

Verify the update:

$existingUser = Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
$existingUser.AdditionalProperties | Format-List

Variables

Below are the variables that will be referenced and where to find them.

You might want to grab them at the start of the process so you can easily reference them later.

azure_ad_b2c_tenant_id

  • Azure AD B2C directory > Azure AD > Tenant ID


extensions_app_id

  • Azure AD B2C > App registrations > [ select 'All applications' ]
  • Click on the item named:
  • b2c-extensions-app. Do not modify. Used by AADB2C for storing user data.
  • Copy the Application (client) ID value
  • Remove the dashes from this value when using it in PowerShell


custom_attribute_property
This is a string of concatenated values with this syntax:

extension_<your-extensions-app-application-id>_<your-custom-attribute>

For example: extension_lalala1234etc_CompanyName

user_id

  • Azure AD B2C > Users > [ click on desired user ] > Object ID



Commands

01. Connect to your Azure AD B2C tenant

Connect-MgGraph -TenantId "<azure_ad_b2c_tenant_id>" -Scopes "User.ReadWrite.All"

This will prompt you to log in with your Azure AD home tenant credentials.


02. Sanity check - list all users to confirm you are in the right tenant

Get-MgUser

# you can make the results prettier by using Format-List and defining the columns you want displayed
Get-MgUser | Format-List ID, DisplayName, UserPrincipalName

03. Sanity check - see what the value of the custom attribute currently is for all users and a single user

# all users - these do not work:
Get-MgUser | Format-List ID, extension_<your-extensions-app-application-id>_CompanyName
Get-MgUser -Property "id,extension_<your-extensions-app-application-id>_CompanyName"

# single user - these do not work:
Get-MgUser -UserId "<user-id>" | Format-List ID, DisplayName, UserPrincipalName, extension_<your-extensions-app-application-id>_CompanyName
Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"

# single user - this works (extension attributes are exposed via AdditionalProperties):
$existingUser = Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
$existingUser.AdditionalProperties | Format-List

04. Update a single user's custom attribute

$params = @{extension_<your-extensions-app-application-id>_CompanyName='Test Company'}
Update-MgUser -UserId "<user-id>" -BodyParameter $params

05. Verify the update was made

$existingUser = Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
$existingUser.AdditionalProperties | Format-List


The decoded idToken that is returned after sign in will look like this:


Or, if signing in via an identity provider (in this case the home AD tenant), the decoded idToken will look like this:


Upvotes: 4
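The five commands in the answer above, combined into one script as an added example (this is not code from the question or the answer): it derives the extension property name from the extensions app id, requests only the User.ReadWrite.All scope the task needs, checks via Get-MgContext that the session actually landed in the B2C tenant before writing anything (the wrong-tenant problem from the question), and fails if the read-back value does not match. All angle-bracket values are placeholders you must replace.

```powershell
# Added example, not part of the original post. Placeholders in <angle brackets> are yours to fill in.
$azureAdB2cTenantId = "<azure_ad_b2c_tenant_id>"
$extensionsAppId    = "<extensions-app-application-id-with-dashes>"
$userId             = "<user-object-id>"
$newCompanyName     = "Test Company"

# The extension property name uses the b2c-extensions-app application id WITHOUT dashes.
$extensionsAppIdNoDashes = $extensionsAppId -replace '-', ''
$customAttributeProperty = "extension_${extensionsAppIdNoDashes}_CompanyName"

# Least privilege: only the scope needed to read and update users.
Connect-MgGraph -TenantId $azureAdB2cTenantId -Scopes "User.ReadWrite.All" -ErrorAction Stop

# Guard: confirm the session is in the B2C tenant, not the home tenant, before any write.
$context = Get-MgContext
if ($context.TenantId -ne $azureAdB2cTenantId) {
    Disconnect-MgGraph | Out-Null
    throw "Connected to tenant $($context.TenantId), expected $azureAdB2cTenantId. Aborting."
}

# Read the current value; extension attributes surface in AdditionalProperties, not as typed properties.
$before = Get-MgUser -UserId $userId -Property "id,$customAttributeProperty" -ErrorAction Stop
Write-Host "Before: $($before.AdditionalProperties[$customAttributeProperty])"

# Update: a hashtable keyed by the dynamic property name becomes the PATCH body.
$params = @{ $customAttributeProperty = $newCompanyName }
Update-MgUser -UserId $userId -BodyParameter $params -ErrorAction Stop

# Verify by reading the property back and comparing it with what was written.
$after  = Get-MgUser -UserId $userId -Property "id,$customAttributeProperty" -ErrorAction Stop
$actual = $after.AdditionalProperties[$customAttributeProperty]
if ($actual -ne $newCompanyName) {
    throw "Verification failed: expected '$newCompanyName', got '$actual'"
}
Write-Host "After:  $actual"

Disconnect-MgGraph | Out-Null
```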
