8

I am trying to update the identities collection for an existing User in an Azure AD B2C tenant. Specifically, I am attempting to add another federated identity entry for the user.

According to the Microsoft Graph documentation this should be possible provided that I:

  1. Assign User.ManageIdentities.All permission to the client I am using to make the graph call
  2. Send the entire existing identities collection, with the new identity entry appended (this also ensures that the existing identity with signInType userPrincipalName is also sent in the request)

I have registered an application in the B2C tenant and assigned it specific permissions to access Microsoft Graph. I am using Client Credentials flow to obtain an access token with the appropriate permissions in the roles claim. I can successfully obtain an access token, and have confirmed the presence of the required permissions by examining the issued JWT.

I am also using the Microsoft.Graph SDK to make calls to the graph v1.0 endpoints from C# code. I have an existing user that I am trying to update, with a well-known userId (objectId). Using the access token and GraphServiceClient I can successfully retrieve the user. For example, the following code works fine

var user = await client.Users[userId].Request()
    .Select(o => new { o.Id, o.DisplayName, o.Identities })
    .GetAsync();

After retrieving the user, I then attempt to add another entry to the identities property for the user and issue an update graph call for the user. Note that the SDK requires update calls to only use objects created locally i.e. you can't send an existing object that was previously fetched via the SDK.

My complete update code is as follows

async Task TryUpdateUser(GraphServiceClient client, string userId)
{
    var user = await client.Users[userId].Request()
        .Select(o => new { o.Id, o.DisplayName, o.Identities })
        .GetAsync();

    // Need to re-create the existing identities since Graph client rejects existing items in requests
    var identities = user.Identities.Select(o => new ObjectIdentity 
    {
        SignInType = o.SignInType,
        Issuer = o.Issuer,
        IssuerAssignedId = o.IssuerAssignedId
    }).ToList();

    identities.Add(new ObjectIdentity
    {
        SignInType = "federated",
        Issuer = "TestIssuer",
        IssuerAssignedId = "testingId"
    });

    var updatedUser = new User
    {
        Identities = identities
    };

    await client.Users[userId].Request().UpdateAsync(updatedUser);
}

However, when UpdateAsync is called an exception is thrown with response type BadRequest. The error message states:

Message: Adding a non-federated user signInType is not permitted if the user only has social/federated identities or no identities set. Please recreate the user with a non-federated identity along with existing identities if any.

I'm clearly trying to create a federated user signInType, so the error message text referring to a non-federated user signInType is confusing me.

What am I doing wrong?

spoida
  • 2,655
  • 1
  • 23
  • 14
  • I guessing that you have to have an "anchor" identity i.e. a local account to link these other account types to. What happens if you create a "dummy" local account at the same time in "Identities.Add"? – rbrayb Apr 06 '20 at 20:26
  • 1
    This won't fix your issue, but this feature is GA. Please use the v1.0 endpoint (and the v1.0 SDK). – Dan Kershaw - MSFT Apr 06 '20 at 21:41
  • @nzpcmad I tried including additional identities with signInType `userName` and `emailAddress` but I still get the same error. – spoida Apr 06 '20 at 23:49
  • @spoida the original account is federated account right? – Jim Xu Apr 07 '20 at 08:13
  • @JimXu yes, the user was initially created through a federated sign in. – spoida Apr 07 '20 at 08:33

2 Answers2

2

At the moment, we cannot migrate Azure AD b2c federated user from one Identity Provider to another Identity Provider and add another Identity Provider or non-federated Identity(userName or emailAddress) for the Azure AD b2c federated user. If you try to do that, you will get the error as above.

enter image description here

Besides, please note that we can add one Identity Provider for Azure AD b2c local user. enter image description here

Jim Xu
  • 21,610
  • 2
  • 19
  • 39
  • thanks for confirming the current behaviour. FYI this is possible to do using the Azure AD Graph API instead. Even though AAD Graph API is deprecated, in this case it has functionality that Microsoft Graph API is currently missing. I will mark your answer as correct, but I will also submit an answer showing how to do this using AAD Graph API. – spoida Apr 09 '20 at 04:16
1

As the accepted answer points out, updating an existing federated user to add additional federated identities is not currently supported by Microsoft Graph API.

However, it is possible to do this using the Azure AD Graph API instead. See the Azure AD Graph API Update User documentation for available User update options.

Assuming we have a userId we want to update, you need to do the following:

  1. Retrieve the user's existing userIdentities by issuing a GET request to https://graph.windows.net/{tenant}/users/{userId}/userIdentities?api-version=1.6
  2. Add another UserIdentity entry to the existing identities - importantly, when you specify the issuerUserId value it MUST be base64 encoded
  3. Send a PATCH request to the base user endpoint at https://graph.windows.net/{tenant}/users/{userId}?api-version=1.6 - the content that you send is just a JSON object with a single userIdentities property which is the array containing the existing and newly added identities

After issuing the PATCH request via AAD Graph API, it is possible to then use the Microsoft Graph API to query the updated user and confirm that an additional entry has been added to the identities collection with SignInType of federated.

spoida
  • 2,655
  • 1
  • 23
  • 14