Custom AD B2C policy to add a User to a group

Robert Florian Raicu 21 Reputation points
2022-11-14T17:55:50.223+00:00

I would like to add a user to a group using a custom policy.

I have this claim:
<ClaimType Id="graphUserUri">
  <DisplayName>graphUserUri</DisplayName>
  <DataType>string</DataType>
</ClaimType>

which I use with this transformation:

<ClaimsTransformation Id="REST-AddToFreelancersGroup-UserUri" TransformationMethod="FormatStringClaim">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" TransformationClaimType="inputClaim" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="stringFormat" DataType="string" Value='{{  "@odata.id " : "https://graph.microsoft.com/v1.0/users/{0}" }}' />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="graphUserUri" TransformationClaimType="outputClaim" />
  </OutputClaims>
</ClaimsTransformation>

I get a token for the graph api using:

<TechnicalProfile Id="REST-AcquireAccessTokenForGraph">
  <DisplayName>Acquire Token</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ServiceUrl">https://login.microsoftonline.com/TestAuth312.onmicrosoft.com/oauth2/v2.0/token</Item>
    <Item Key="AuthenticationType">Basic</Item>
    <Item Key="SendClaimsIn">Form</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_MSGraphClientId" />
    <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_MSGraphClientSecret" />
  </CryptographicKeys>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="client_credentials" />
    <InputClaim ClaimTypeReferenceId="scope" DefaultValue="https://graph.microsoft.com/.default" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="access_token" />
  </OutputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

And I make a call to the graph api to add the user to a group:

<TechnicalProfile Id="REST-AddToFreelancersGroup">
  <DisplayName>Add user to group</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ServiceUrl">https://graph.microsoft.com/v1.0/groups/4e780e3e-1d75-4b5b-b1da-7c71edbac077/members/$ref</Item>
    <Item Key="SendClaimsIn">Body</Item>
    <Item Key="ClaimUsedForRequestPayload">graphUserUri</Item>
    <Item Key="AuthenticationType">Bearer</Item>
    <Item Key="UseClaimAsBearerToken">bearerToken</Item>
    <Item Key="DebugMode">true</Item>
  </Metadata>
  <InputClaimsTransformations>
    <InputClaimsTransformation ReferenceId="REST-AddToFreelancersGroup-UserUri" />
  </InputClaimsTransformations>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" />
    <InputClaim ClaimTypeReferenceId="graphUserUri" />
    <InputClaim ClaimTypeReferenceId="bearerToken" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="err" />
  </OutputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

All these steps work perfectly in Postman, but as a custom policy they end up in a Bad Request.
My issue is with Custom Policies and Application Insights.
The logs are limited to 30k characters and they terminate right at the important part:
[screenshot: Application Insights log entry truncated at the 30k character limit]

The next log available is just stating that the error happened without further details.

[screenshot: follow-up log entry reporting only that the error occurred]

The generated claim inside the logs looks fine:
"graphUserUri": "{ \"@odata.id \" : \"https://graph.microsoft.com/v1.0/users/f0d3a13e-c2f3-4607-be90-ba0e41ffd0b1\" }"
and I tested the generated bearer token in Postman and it works.

The issue seems to be with the call to the API but due to the lack of logs I can't figure it out.
I've tried to enable all the debugging features of the custom policies, including
<Item Key="DebugMode">true</Item> for the technical profile and

DeploymentMode="Development"
UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights"

for the TrustFrameworkPolicy.

I'm happy to offer additional details if asked.


Accepted answer
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
2022-11-16T21:38:36.72+00:00

Hello @Robert Florian Raicu and thanks for reaching out. To better inspect data from both the Azure AD B2C request and the MS Graph response, please create an ngrok HTTP tunnel to MS Graph and target it from your custom policies. You can inspect requests and responses using the ngrok Web Inspection Interface:

1. Set up the tunnel: ngrok http https://graph.microsoft.com --log-level debug
2. In your custom policy: Replace https://graph.microsoft.com/v1.0/users/{0} with https://ngrok public facing url/v1.0/users/{0}.
3. Call the custom policy and inspect the ngrok web interface. E.g. http://127.0.0.1:4040

Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.

1 person found this answer helpful.
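The question's FormatStringClaim builds the raw request body that the REST technical profile posts to the members/$ref endpoint, and the accepted answer's advice is to put an inspector between B2C and Graph so the exact body and headers can be seen. The following script is an added example, written for this page and not taken from the question, the answer, or Microsoft's own code. It models FormatStringClaim with Python's `str.format` (the assumption is that `{0}` and the `{{`/`}}` escapes behave as in .NET's String.Format), checks a candidate body against the shape Graph documents for `POST /groups/{id}/members/$ref` (a single object whose only property is spelled exactly `@odata.id`, pointing at a users/ or directoryObjects/ URL), and runs a small stand-in HTTP listener that logs what a policy actually sent with the Authorization header redacted. `STRING_FORMAT_FIXED`, `InspectHandler` and the object id are constructed for the example; `STRING_FORMAT_AS_POSTED` is the stringFormat from the question, whose key carries a trailing space that the checker reports.

```python
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample object id (not a real tenant's user).
SAMPLE_OBJECT_ID = "11111111-2222-4333-8444-555555555555"

# stringFormat exactly as posted in the question (note the space inside the key).
STRING_FORMAT_AS_POSTED = '{{  "@odata.id " : "https://graph.microsoft.com/v1.0/users/{0}" }}'

# Hypothetical corrected stringFormat: same shape, key spelled exactly "@odata.id".
STRING_FORMAT_FIXED = '{{ "@odata.id": "https://graph.microsoft.com/v1.0/users/{0}" }}'

# Member reference forms documented for members/$ref: users/{id} or directoryObjects/{id}.
ODATA_ID_PATTERN = re.compile(
    r"https://graph\.microsoft\.com/v1\.0/(users|directoryObjects)/"
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)


def format_string_claim(string_format: str, input_claim: str) -> str:
    """Model of B2C's FormatStringClaim (assumption): {0} is the input claim,
    {{ and }} are literal braces, which is also str.format's escaping rule."""
    return string_format.format(input_claim)


def check_member_ref_payload(body: str) -> list:
    """Return the problems found in a body destined for POST .../members/$ref.
    An empty list means the body has the documented shape."""
    try:
        obj = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc}"]
    if not isinstance(obj, dict):
        return ["body must be a single JSON object"]

    problems = []
    if "@odata.id" not in obj:
        # Catch keys that differ only by whitespace, which JSON treats as distinct names.
        near_misses = [k for k in obj if k.strip() == "@odata.id"]
        for k in near_misses:
            problems.append(
                f"key {k!r} has stray whitespace; the property must be spelled exactly '@odata.id'"
            )
        if not near_misses:
            problems.append(f"missing '@odata.id' property (found keys {sorted(obj)})")
        return problems

    ref = obj["@odata.id"]
    if not isinstance(ref, str) or not ODATA_ID_PATTERN.fullmatch(ref):
        problems.append(
            f"'@odata.id' value {ref!r} is not a users/ or directoryObjects/ URL with an object id"
        )
    extra = sorted(k for k in obj if k != "@odata.id")
    if extra:
        problems.append(f"unexpected extra properties {extra}")
    return problems


class InspectHandler(BaseHTTPRequestHandler):
    """Stand-in for the Graph endpoint: print the request the policy really sent,
    with the Authorization header redacted so the bearer token never reaches a
    log, and answer 204 when the body is well formed, 400 with the problems otherwise."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", errors="replace")
        shown = {
            k: ("<redacted>" if k.lower() == "authorization" else v)
            for k, v in self.headers.items()
        }
        problems = check_member_ref_payload(body)
        print(f"{self.command} {self.path}\nheaders: {shown}\nbody: {body!r}\nproblems: {problems}")
        payload = json.dumps({"problems": problems}).encode() if problems else b""
        self.send_response(400 if problems else 204)
        if payload:
            self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):
        # Suppress the default access log; the structured line above is enough.
        pass


if __name__ == "__main__":
    for fmt in (STRING_FORMAT_AS_POSTED, STRING_FORMAT_FIXED):
        body = format_string_claim(fmt, SAMPLE_OBJECT_ID)
        print(body, "->", check_member_ref_payload(body) or "OK")
    # Point the technical profile's ServiceUrl at this listener (through a tunnel,
    # since B2C can only reach a public HTTPS endpoint) to see the raw request.
    HTTPServer(("127.0.0.1", 8080), InspectHandler).serve_forever()
```

Run it once offline to compare the two stringFormat values, then expose the listener through the tunnel from the answer in place of Graph itself to capture the body B2C really posts. Whatever inspector you use, keep the Authorization value out of its logs: the token is a client-credentials Graph token with whatever application permissions the B2C app registration holds.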
