How to get/set custom Azure Active Directory B2C user attributes in ASP.NET MVC?

Question

I have added a custom Organization field as a User Attribute in my Azure Active Directory B2C tenant, like so:

I am using the Microsoft Graph .NET Client Library to manage users in Azure Active Directory B2C and would like to use something similar to the following code to set the user's custom Organization field and the user's built-in Email Addresses field.

await graphClient.Users[user.Id].Request().UpdateAsync(new User()
{
    Email Addresses = new StringCollection("myemail@mydomain.com")
    Organization = "Microsoft"
});

Two questions:

How do I set a Built-in field, like the Email Addresses?
How do I set a Custom field, like Organization?

This documentation shows how to create a custom attribute but does not tell how to access or use that attribute using the Graph Client.

This documentation shows how to create custom attributes and edit the Relying Party (RP) file.

Is there an easier way? And what is the graphClient code to then get/set these custom user attributes?

score 3 · Accepted Answer · answered Feb 14 '18 at 10:24

3

It is a bit confusing about whether the Microsoft Graph API, and hence the Microsoft Graph Client, supports the extension properties that are registered with an Azure AD B2C tenant.

When I query a user object using the Azure AD Graph API, then the custom attributes (e.g. "CreatedTime") are returned.

https://graph.windows.net/{tenant}/users/{objectId}

returns:

{
    "odata.metadata": "https://graph.windows.net/{tenant}/$metadata#directoryObjects/Microsoft.DirectoryServices.User/@Element",
    "odata.type": "Microsoft.DirectoryServices.User",
    "objectType": "User",
    ...
    "extension_917ef9adff534c858b0a683b6e6ec0f3_CreatedTime": 1518602039
}

When I query the same object using the Microsoft Graph API, then the custom attributes aren't returned.

https://graph.microsoft.com/v1.0/users/{id}/extensions

returns:

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('{id}')/extensions",
    "value": []
}

Unless you receive a better answer, then I suggest you use the Azure AD Graph API, and optionally the Azure AD Graph Client, to get and set the extension properties for the Azure AD B2C users.

Examples of getting and setting the extension properties for users can be found at Announcing Azure AD Graph API Client Library 2.0

answered Feb 14 '18 at 10:24

Chris Padgett

14,186
1
15
28

Thank you for your help @chris-padgett. It sounds like the Azure AD Graph Client doesn't support the get/set of extensions. Do you know if Microsoft is working on releasing this functionality soon? – aBlaze Feb 14 '18 at 20:52
Also, if I am to switch over my application from using the Microsoft Graph Client to the Azure AD Graph API, I now also need to figure out a way to safely store the currently signed-in user's `AccessToken` so that the `AccessToken` can be put into the header of every API request. When using the Microsoft Graph Client, I would just pass in the `AccessToken` as soon as the user signed in, and wouldn't have to do anything else, but it sounds like this approach won't work anymore. What are the best practices in storing the `AccessToken` when using the Azure AD Graph API? – aBlaze Feb 14 '18 at 21:10
Hi @Emilia. To be clear, both the Azure AD and Microsoft Graph APIs and client libraries support extensions, however it doesn't appear that the Microsoft Graph API supports them for an Azure AD B2C directory. I don't know if this is being considered by the Microsoft Graph team or not. If you are developing a server-based app, then you can access the Azure AD Graph API using an app-based access token rather than a user-based one, as described at [Use the Azure AD Graph API](https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet). – Chris Padgett Feb 15 '18 at 22:26
I understand now. Thank you. It seems that this feature to get/set extension properties using Microsoft Graph is coming soon, per #12 at the very bottom of the page. https://dev.office.com/blogs/microsoft-graph-or-azure-ad-graph. I'll try to update this answer when this new functionality is released. – aBlaze Feb 22 '18 at 02:53

score 3 · Answer 2 · answered Sep 02 '20 at 22:05

You are able to do this with the Micorsoft Graph API SDK.

See this example, UserService.CreateUserWithCustomAttribute() https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-2-B2C

To update a custom property:

var updateUser = new User();
updateUser.AdditionalData = new Dictionary<string, object>();
updateUser.AdditionalData["extension_{app id}_{property name}"] = "new value";

var result = await graphClient.Users["{id}"].Request().UpdateAsync(updateUser);

The {app id} in the code above is the id of the app created by default with the name b2c-extensions-app. Do not modify. Used by AADB2C for storing user data. However the "-" are all removed.

Thanks for your response! This approach is clean and straight. However, it causes me the following error: "Error! Updating User information failed with message Code: BadRequest\r\nMessage: The request is currently not supported on the targeted entity set\r\nInner error:\r\n\tAdditionalData Better detailed here:https://stackoverflow.com/questions/70716662/update-azure-b2c-custom-attributes-using-graph-api-sdk-error-the-request-is-cu Any ideas on what might be going wrong? — basquiatraphaeu, Jan 17 '22 at 12:47

score 2 · Answer 3 · answered Sep 08 '20 at 12:00

In addition to Aaron Hoffman's answer on how to set a custom attribute I use the following snippet to get my attribute:

var graphClient = new GraphServiceClient(authenticationProvider)
{
    BaseUrl = "https://graph.microsoft.com/beta"
};
var user = await graphClient
    .Users["{id}"]
    .Request()
    .GetAsync();
var field = user.AdditionalData["extension_{app id}_{property name}"];

score 1 · Answer 4 · answered Nov 25 '20 at 19:08

So first step is to find in your custom policy:

<TechnicalProfile Id="AAD-Common">...<Item Key="ClientId">57ff56e7-40a0-43fd-a9a3-8d6c1544bcf4a</Item>

Custom attributes are named extension_attributename. To get it trough graphql you will require it like this extension_{client id of the app NO DASHES responasble for storing extensions }_{attributename} e.g. extension_57ff56e740a043fda9a38d6c1544bcf4a_mycoolattribute as you can see this is done also in the code: https://github.com/Azure-Samples/ms-identity-dotnetcore-b2c-account-management/blob/master/src/Helpers/B2cCustomAttributeHelper.cs#L7-L20 example for graph call: https://graph.microsoft.com/v1.0/users/3545c38b-3f6b-4a4b-8820-e7f954a86e1e?$select=extension_57ff56e740a043fda9a38d6c1544bcf4a_mycoolattribute https://graph.microsoft.com/v1.0/users/{user-objectid}?$select=extension_57ff56e740a043fda9a38d6c1544bcf4a_mycoolattribute,extension_57ff56e740a043fda9a38d6c1544bcf4a_myotherattribute,etc

How to get/set custom Azure Active Directory B2C user attributes in ASP.NET MVC?

4 Answers4

Linked