How to interact with Azure AD B2C custom User Attributes via Microsoft Graph PowerShell SDK?

I have added a custom User Attribute named Company Name via:

Azure AD B2C > User attributes

so that this information can be returned in the identity token after successful sign in.

I want to update these values for each user in the Azure AD B2C tenant.

As I understand it:

I don't want to have to create an application just to be able to perform this basic administrative task.

So I am looking at:

Microsoft Graph PowerShell SDK

I installed the Microsoft Graph PowerShell SDK in PowerShell 7.

I was prompted to sign in via the browser after running this command:

Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All"

At this point I was confused about which credentials to log in with.

I logged in using my 'home tenant' Azure AD credentials.

(i.e. the admin credentials of the Azure AD tenant from which I created the Azure AD B2C tenant - which then automatically created a guest account in the B2C tenant with the user principal name of info_my-home-tenant.onmicrosoft.com#EXT#@my-dev-tenant.onmicrosoft.com).

I made the decision because I don't think I have any Azure AD B2C credentials.

(to access Azure AD B2C when I am logged into Azure Portal with my Azure AD credentials, I just click on 'switch directory').

I then ran:

Get-MgUser

And it, predictably, returned the users from my home Azure AD tenant, not the Azure AD B2C tenant.

So my question is:

In PowerShell 7, with the Microsoft Graph PowerShell SDK installed, how do I sign in so that I can interact with the Azure AD B2C tenant users, rather than my 'home' directory tenant users?

EDIT:

I started trying to follow the process described here:

Use app-only authentication with the Microsoft Graph PowerShell SDK

The first step is:

You'll need an X.509 certificate installed in your user's trusted store on the machine where you'll run the script

I created an Application Registration, however in the Certificates & secrets section it says:

Please note certificates cannot be used to authenticate against Azure AD B2C.


Eyewash answered 29/1, 2023 at 7:39 Comment(0)

I agree this is tricky.

Below are the steps you can use to successfully sign in to Azure AD B2C using Microsoft Graph SDK, and update a user's custom attribute value.

This post is divided into three sections:

  • Solution Summary (to get an idea of the scope before diving into the details)
  • Variables (which lists the variable values required and where to find them)
  • Commands (which lists the commands required)

This post assumes we have a custom attribute named Company Name defined in Azure AD B2C:



PowerShell Microsoft Graph SDK Reference

To orientate yourself, here is the link to the Microsoft.Graph.Users section:

Microsoft.Graph.Users


Summary

The solution requires the definition of 4 variables and 5 commands that will reference them:

Variables:

  • azure_ad_b2c_tenant_id
  • extensions_app_id
  • custom_attribute_property
  • user_id

Commands:

Make a connection:

Connect-MgGraph -TenantId "<azure_ad_b2c_tenant_id>" -Scopes "User.ReadWrite.All"

Sanity check - list all users:

Get-MgUser | Format-List ID, DisplayName, UserPrincipalName

Sanity check - view existing value of custom attribute for single user:

$existingUser = Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
$existingUser.AdditionalProperties | Format-List

Update a user's custom attribute:

$params = @{extension_<your-extensions-app-application-id>_CompanyName='Test Company'}
Update-MgUser -UserId "<user-id>" -BodyParameter $params

Verify the update:

$existingUser = Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
$existingUser.AdditionalProperties | Format-List

Variables

Below are the variables that will be referenced and where to find them.

You might want to grab them at the start of the process so you can easily reference them later.

azure_ad_b2c_tenant_id

  • Azure AD B2C directory > Azure AD > Tenant ID


extensions_app_id

  • Azure AD B2C > App registrations > [ select 'All applications' ]
  • Click on the item named:
  • b2c-extensions-app. Do not modify. Used by AADB2C for storing user data.
  • Copy the Application (client) ID value
  • Remove the dashes from this value when using it in PowerShell


custom_attribute_property

This is a string of concatenated values with this syntax:

extension_<your-extensions-app-application-id>_<your-custom-attribute>

For example: extension_lalala1234etc_CompanyName

user_id

  • Azure AD B2C > Users > [ click on desired user ] > Object ID



Commands

01. Connect to your Azure AD B2C tenant

Connect-MgGraph -TenantId "<azure_ad_b2c_tenant_id>" -Scopes "User.ReadWrite.All"

This will prompt you to log in with your Azure AD home tenant credentials.

02. Sanity check - list all users to confirm you are in the right tenant

Get-MgUser

# you can make the results prettier by using Format-List and defining the columns you want displayed
Get-MgUser | Format-List ID, DisplayName, UserPrincipalName

03. Sanity check - see what the value of the custom attribute currently is for all users and a single user

# all users - these do not work:
Get-MgUser | Format-List ID, extension_<your-extensions-app-application-id>_CompanyName
Get-MgUser -Property "id,extension_<your-extensions-app-application-id>_CompanyName"

# single user - these do not work:
Get-MgUser -UserId "<user-id>" | Format-List ID, DisplayName, UserPrincipalName, extension_<your-extensions-app-application-id>_CompanyName
Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"

# single user - this works:
$existingUser = Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
$existingUser.AdditionalProperties | Format-List

04. Update a single user's custom attribute

$params = @{extension_<your-extensions-app-application-id>_CompanyName='Test Company'}
Update-MgUser -UserId "<user-id>" -BodyParameter $params

05. Verify the update was made

$existingUser = Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
$existingUser.AdditionalProperties | Format-List


The decoded idToken that is returned after sign in will look like this:


Or, if signing in via an identity provider (in this case the home AD tenant), the decoded idToken will look like this:


Wenn answered 29/1, 2023 at 9:10 Comment(6)
Thank you, I just have to make some time to test this today, but I think it will work, and will accept the answer after I have tested it. - Eyewash
Thank you, please let me know the final result, fingers crossed! - Wenn
Quick related question - when adding a custom attribute via Azure AD B2C > User Attributes, what type of extension is it? Extension attribute, Directory extension, Schema extension or Open extension? (see: Choose an extension type for your application) I am troubleshooting commands in the PowerShell Graph SDK and there seem to be various considerations depending on what type of extension it is. - Eyewash
I added some screenshots to your answer to flesh out the process a bit more as I found your answer very helpful. I was unable to figure out how to return ALL users with the custom attribute displaying from a single command. I included my attempts in step 03 with the prefix 'these do not work'. If you know how to do this, it would be great if you could add it to the answer. I spent the whole day googling how to do it, but couldn't find a way that was specific to the PowerShell Microsoft Graph SDK. - Eyewash
Just doing research from my mobile, assuming this custom attribute is of type 'directory extension' it seems like it is possible to return it directly, but there is no snippet provided for the PowerShell SDK - Retrieve a directory extension property - Eyewash
Yes, correct, this is a directory extension. Unfortunately MS does not provide any snippets so this is more tricky to implement with PowerShell and Graph SDK. However I can confirm that this is a directory extension as I also used the C# snippet which is for the directory extension type and it worked as expected: learn.microsoft.com/en-us/graph/… Thank you for adding more details to my answer, looks good. - Wenn
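A consolidated version of the answer's procedure as an added example (not the answer's own code, and not a Microsoft snippet). It assumes the three placeholder values at the top, and that a selected directory extension property is returned in each user's AdditionalProperties, which is what step 03 shows for a single user; on that assumption it also covers the all-users case raised in the comments, and it adds a check that the connection really landed in the B2C tenant rather than the home tenant.

```powershell
# Added example, not code from the answer above. Assumed placeholders: the
# three values below. The extension value is assumed to land in
# AdditionalProperties for every user, as step 03 shows for one user.
$tenantId  = "<azure_ad_b2c_tenant_id>"
$extAppId  = "<your-extensions-app-application-id>"   # dashes are stripped below
$attribute = "CompanyName"

# The property name must use the extensions app id WITHOUT dashes
$prop = "extension_{0}_{1}" -f ($extAppId -replace '-', ''), $attribute

Connect-MgGraph -TenantId $tenantId -Scopes "User.ReadWrite.All"

# Guard against the mistake in the question: silently landing in the home tenant
$ctx = Get-MgContext
if ($ctx.TenantId -ne $tenantId) {
    throw "Connected to tenant $($ctx.TenantId), expected $tenantId"
}

# List the attribute for ALL users. Format-List with the extension name prints
# nothing because the SDK puts selected extension properties into
# AdditionalProperties, so read it from there explicitly.
Get-MgUser -All -Property "id,displayName,$prop" | ForEach-Object {
    [pscustomobject]@{
        Id          = $_.Id
        DisplayName = $_.DisplayName
        CompanyName = $_.AdditionalProperties[$prop]   # $null when never set
    }
} | Format-Table -AutoSize

function Set-B2CCompanyName {
    # Write the value for one user, then read it back to confirm the update
    param([string]$UserId, [string]$Value)
    $body = @{}
    $body[$prop] = $Value
    Update-MgUser -UserId $UserId -BodyParameter $body
    $after = (Get-MgUser -UserId $UserId -Property "id,$prop").AdditionalProperties[$prop]
    if ($after -ne $Value) { throw "Update of $prop for $UserId did not stick" }
    return $after
}

Set-B2CCompanyName -UserId "<user-id>" -Value "Test Company"
```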