6

As of today the documentation recommends using Microsoft Graph instead of the Azure AD Graph API to access Azure AD / B2C resources.

Before, with the Azure AD Graph API, we could use queries like https://graph.windows.net/[tenant]/users/1a2a9c4d-fc59-4fd9-ad14-b72b549cdf6a?api-version=2013-11-08

and the response included the Azure B2C custom attributes (created in the Azure portal):

{
        "odata.metadata": "https://graph.windows.net/<tenant>/$metadata#directoryObjects/Microsoft.DirectoryServices.User",
        "value": [
            {
                "objectId": "00000eab-603a-4de2-9d25-d3821e7d6583",
                ...
                "extension_3a4189d71ad149c6ab5e65ac45bd6add_MyAttribute1": "something"
            }
        ] 
}

This does not happen with the Graph API; only some "basic" attributes are returned for https://graph.microsoft.com/v1.0/users/00000eab-603a-4de2-9d25-d3821e7d6583:

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
    "id": "00000eab-603a-4de2-9d25-d3821e7d6583",
    ...
}

I also tried selecting the property explicitly, but the extension value is not returned:

...graph.microsoft.com/v1.0/users/00000eab-603a-4de2-9d25-d3821e7d6583/?$select=id,extension_3a4189d71ad149c6ab5e65ac45bd6add_MyAttribute1

How can we read Azure B2C custom attributes with Graph API?

PedroF
  • 95
  • 1
  • 9

4 Answers

4

Custom attributes are returned:

Request

GET https://graph.windows.net/mytenant.onmicrosoft.com/users/8b2ceb5d-4f45-4e42-b979-419119df4eaf?api-version=1.6

Response

{
      "odata.type": "Microsoft.DirectoryServices.User",
      "objectType": "User",
      "objectId": "8b2ceb5d-4f45-4e42-b979-419119df4eaf",
      ...
      "userType": "Member",
      "extension_5c5668a4ddb44c27b0d55cb412c41787_loyaltyId": "some value from the demo"
}

Source: this is from the sample app: B2C-GraphAPI-DotNet


Lookup Extension Guid via the Azure Portal

(Screenshots not reproduced: how to get to Azure AD app registrations, and the Azure AD app registrations list.)

The above is for built-in policies.

spottedmahn
  • 14,823
  • 13
  • 108
  • 178
  • 2
    They are returned by Azure AD Graph API, not by Graph API. That is the issue. Azure AD Graph: https://graph.windows.net/[tenant]/users/1a2a9c4d-fc59-4fd9-ad14-b72b549cdf6a?api-version=2013-11-08 Graph API: https://graph.microsoft.com/v1.0/users/00000eab-603a-4de2-9d25-d3821e7d6583 You can use Graph Explorer and try: https://developer.microsoft.com/en-us/graph/graph-explorer# – PedroF Aug 22 '17 at 13:37
  • Has the 'new' Graph API been fixed yet? – radders Jan 29 '18 at 11:24
  • 3
    Where does the GUID in the 'extension' property come from? I can't see it anywhere in the B2C portal... – radders Jan 29 '18 at 11:25
  • Now graph.microsoft.com also works `/users?$filter=extension_4bcfd51bce4f4a63888880701f4c32d5_GroupId%20eq%20'${loggedInUser.groupId}'` – Chris Gunawardena Mar 18 '20 at 08:30
  • 1
    @radders it's your application Id – basquiatraphaeu Jan 17 '22 at 11:24
3

See this SO post: As of today, we recommend that you use the Azure Active Directory Graph API https://graph.windows.net to access and manage your B2C tenants

spottedmahn
  • 14,823
  • 13
  • 108
  • 178
  • 1
    It also says "Even with those gaps, we strongly recommend that developers start using Microsoft Graph over Azure AD Graph" – PedroF Aug 22 '17 at 14:49
  • I know, confusing. See my exact same comment on Shawn's answer and his response – spottedmahn Aug 22 '17 at 15:04
  • 3
    While we do recommend developers use Microsoft Graph over AAD Graph, there are still areas where support is not yet available in Microsoft Graph. We are working to close those gaps. This is currently documented here https://blogs.msdn.microsoft.com/aadgraphteam/2016/07/08/microsoft-graph-or-azure-ad-graph/ together with the gaps. However, having said that, I cannot repro what you see. I am able to perform a similar request to get extension properties through Microsoft Graph successfully - i.e. GET `https://graph.microsoft.com/v1.0/users/{upn}?$select=id,extension_{appId}_{extName}` – Dan Kershaw - MSFT Aug 26 '17 at 06:00
  • Can you add a client request id and timestamp to an "unsuccessful" attempt to retrieve an extension property please? We might be able to trace why it's not being returned in your case. – Dan Kershaw - MSFT Aug 26 '17 at 06:02
1

So the first step is to find this in your custom policy:

<TechnicalProfile Id="AAD-Common">...<Item Key="ClientId">**57ff56e7-40a0-43fd-a9a3-8d6c1544bcf4a**</Item>

Custom attributes are named extension_attributename. To get it through graphql it is required to be like this:

extension_{client id (NO DASHES) of the app responsible for storing extensions}_{attributename}

e.g. extension_57ff56e740a043fda9a38d6c1544bcf4a_mycoolattribute

As you can see, this is also done in the code: https://github.com/Azure-Samples/ms-identity-dotnetcore-b2c-account-management/blob/master/src/Helpers/B2cCustomAttributeHelper.cs#L7-L20

internal class B2cCustomAttributeHelper
{
    // Client id of the b2c-extensions-app, stored without dashes because that
    // is how it appears inside the extension property name.
    internal readonly string _b2cExtensionAppClientId;

    internal B2cCustomAttributeHelper(string b2cExtensionAppClientId)
    {
        _b2cExtensionAppClientId = b2cExtensionAppClientId.Replace("-", "");
    }

    // Turns "mycoolattribute" into "extension_<clientIdNoDashes>_mycoolattribute".
    internal string GetCompleteAttributeName(string attributeName)
    {
        if (string.IsNullOrWhiteSpace(attributeName))
        {
            throw new System.ArgumentException("Parameter cannot be null", nameof(attributeName));
        }

        return $"extension_{_b2cExtensionAppClientId}_{attributeName}";
    }
}

Example Graph call: https://graph.microsoft.com/v1.0/users/3545c38b-3f6b-4a4b-8820-e7f954a86e1e?$select=extension_57ff56e740a043fda9a38d6c1544bcf4a_mycoolattribute

Multiple custom attributes at the same time:

https://graph.microsoft.com/v1.0/users/{user-objectid}?$select=extension_57ff56e740a043fda9a38d6c1544bcf4a_mycoolattribute,extension_57ff56e740a043fda9a38d6c1544bcf4a_myotherattribute,etc

Asad-ullah Khan
  • 1,573
  • 18
  • 22
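As an added example (not code from this answer, nor from the ms-identity-dotnetcore-b2c-account-management sample), here is a Python helper that does the same job as the C# class above end to end: it builds the extension_{client id without dashes}_{attributename} property name, the $select request for one user, the $filter request mentioned in the comment on the first answer, and reads the values back out of a Graph user object. It assumes the extensions-app client id is a real GUID and that custom attribute names are letters and digits only (both checked before anything is placed into a query); the response body is constructed, reusing the extensions-app id and user object id that appear in the question.

```python
"""Build Microsoft Graph requests for Azure AD B2C custom attributes and read
the values back.  Added example; not code from the answer or from the
ms-identity-dotnetcore-b2c-account-management sample."""
import json
import re
import uuid
from urllib.parse import quote

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"
# Assumption: B2C custom attribute names are letters and digits only, so a
# caller-supplied name can never smuggle OData syntax into $select or $filter.
_ATTR_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9]*")


def extension_prefix(b2c_extension_app_client_id: str) -> str:
    """Return 'extension_<client id without dashes>_' for the b2c-extensions-app.

    uuid.UUID() raises ValueError on a malformed id, so a typo in the client
    id fails here instead of producing a property name Graph silently ignores.
    """
    return f"extension_{uuid.UUID(b2c_extension_app_client_id).hex}_"


def full_attribute_name(client_id: str, attribute_name: str) -> str:
    """extension_{client id no dashes}_{attributename}, as the answer describes."""
    if not _ATTR_NAME_RE.fullmatch(attribute_name):
        raise ValueError(f"invalid custom attribute name: {attribute_name!r}")
    return extension_prefix(client_id) + attribute_name


def select_url(client_id: str, user_object_id: str, attribute_names) -> str:
    """GET URL returning id plus the named custom attributes for one user."""
    # Only a GUID is accepted as the path segment, never an arbitrary string.
    user_id = str(uuid.UUID(user_object_id))
    props = ["id"] + [full_attribute_name(client_id, n) for n in attribute_names]
    return f"{GRAPH_USERS}/{user_id}?$select={','.join(props)}"


def filter_url(client_id: str, attribute_name: str, value: str) -> str:
    """GET URL listing users whose custom attribute equals value (OData eq)."""
    prop = full_attribute_name(client_id, attribute_name)
    literal = value.replace("'", "''")  # OData string literals escape ' as ''
    expr = f"{prop} eq '{literal}'"
    quoted = quote(expr, safe="'")  # spaces become %20, the quotes stay
    return f"{GRAPH_USERS}?$filter={quoted}"


def read_custom_attributes(client_id: str, graph_user_json: str) -> dict:
    """Map short attribute names to values from one Graph user object.

    Keys carrying another app's extension prefix are ignored, not trusted.
    """
    prefix = extension_prefix(client_id)
    user = json.loads(graph_user_json)
    return {k[len(prefix):]: v for k, v in user.items() if k.startswith(prefix)}


# Constructed sample: the extensions-app id and user object id reuse the values
# shown in the question; the response body itself is made up.
EXT_APP_ID = "3a4189d7-1ad1-49c6-ab5e-65ac45bd6add"
USER_ID = "00000eab-603a-4de2-9d25-d3821e7d6583"
SAMPLE_RESPONSE = json.dumps({
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
    "id": USER_ID,
    "extension_3a4189d71ad149c6ab5e65ac45bd6add_MyAttribute1": "something",
    "extension_3a4189d71ad149c6ab5e65ac45bd6add_loyaltyId": "12345",
    "extension_0123456789abcdef0123456789abcdef_other": "not ours",
})

if __name__ == "__main__":
    print(select_url(EXT_APP_ID, USER_ID, ["MyAttribute1", "loyaltyId"]))
    print(filter_url(EXT_APP_ID, "GroupId", "O'Brien"))
    print(read_custom_attributes(EXT_APP_ID, SAMPLE_RESPONSE))
```

The two validation steps are the point: the client id and user id must parse as GUIDs and the attribute name must be alphanumeric before they are placed in the URL, so a value taken from configuration or user input cannot turn the $select or $filter into something other than the property lookup you intended. The request still needs a bearer token with a permission such as User.Read.All, which this helper deliberately does not handle.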
0

Specifying my tenant in the request path didn't work for me when logged into graph-explorer using the account I created the B2C Tenant with.

I needed to create a user w/an email address of @my-tenant-name.onmicrosoft.com. I created such a user, assigned it Global Admin rights, and I was able to use Graph Explorer to get custom attributes for users assigned to the B2C Tenant.

For clarification, I used this option to create a new Member account for the B2C Tenant: (screenshot not reproduced)

IdusOrtus
  • 1,005
  • 1
  • 16
  • 24