Azure B2C Invite Consumer Users & Retrieve User Permissions

Samuel Johnson 21 Reputation points
2021-02-04T23:58:13.077+00:00

Hello! Can someone provide a general approach to meeting these requirements? I've spent a bit of time researching these various topics and attempting to implement solutions and I'm surprised at how much work is involved. Hopefully I'm missing something.

How do I invite consumer users to a B2C tenant so that they can authenticate into our application using their social accounts (ex: Personal Microsoft or Google accounts)? The only baked in solution on the Azure Portal I've found uses B2C local accounts. Note that I do not want to use a publicly accessible Sign Up flow.

  • Presently I'm looking into a custom process that would work by inviting users to a 'local' b2c consumer account and then allowing the user to associate their social account with the local account.

Once users have authenticated (using MSAL v2 Auth Flow w/PKCE), I want to retrieve a list of permissions the user has for our application.

  • I'm looking into two options here:
    (1) use the auth token to verify user against an internal API that, in turn, makes a call to the Microsoft Graph API to get the user's group memberships.
    (2) Create a custom claim that serves the same purpose as user groups

Administrative users of our application need to be able to invite additional users to the application.

  • I've found some articles that point, again, to using custom policies.

Thank you very much!


Accepted answer
  1. James Hamil 21,621 Reputation points Microsoft Employee
    2021-02-08T23:52:57.71+00:00

    Hi @Samuel Johnson, here are the answers that I hope will help you:

    How do I invite consumer users to a B2C tenant so that they can authenticate into our application using their social accounts (ex: Personal Microsoft or Google accounts)? The only baked in solution on the Azure Portal I've found uses B2C local accounts. Note that I do not want to use a publicly accessible Sign Up flow.

    • Presently I'm looking into a custom process that would work by inviting users to a 'local' b2c consumer account and then allowing the user to associate their social account with the local account.

    Ans: The better way to achieve this is to create a local account in the Azure AD B2C directory, using the Azure AD Graph API or the User Portal, and then send an email to the user with instructions to select "Forget Password" and update the random password used while creating the local user account initially.
    There is another way to achieve the same, and that is using Custom Policies. Using custom policies, you can create an invitation flow. The invitation flow would ideally invite a new user by pre-registering a local account in the Azure AD B2C directory using the Azure AD Graph API and then sending a signed redemption URL to the email address of the local user. This redemption link redirects the user to the password reset policy in Azure AD B2C.

    You can also take a look at the following sample available which implements the Invitation User Journey in the custom policy: https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/tree/master/wingtipgamesb2c

    Check out the Implementing an invitation flow, Sample by Kloud.docx present in this repo, to read more about implementing this policy and the sample app.

    Once users have authenticated (using MSAL v2 Auth Flow w/PKCE), I want to retrieve a list of permissions the user has for our application.

    • I'm looking into two options here:
      (1) use the auth token to verify user against an internal API that, in turn, makes a call to the Microsoft Graph API to get the user's group memberships.
      (2) Create a custom claim that serves the same purpose as user groups

    Ans: Once the user gets the access token, it should have a property called scp (or scopes). You can find these properties by decoding the JWT access token using a tool like https://JWT.ms . The property scp can be parsed from the decoded JWT access token; that's the property that would contain all the delegated permissions (user permissions) that can be used to make further Graph API calls. All applications using MSAL usually read the scp property after decoding the access token to fetch the user permissions.

    I hope this helps! Please let me know if you have any other questions.

    Best,
    James

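The scp parsing the answer describes, as an added example (not code from the question, the answer, or Microsoft): an internal API should verify the token's signature and audience before acting on the scp claim, not just base64-decode it the way jwt.ms does for inspection. The HS256 demo secret, the audience value and the sample claims are constructed assumptions so the code runs offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret so the example runs offline with HS256 (assumption).
# Real Azure AD B2C tokens are RS256-signed: verify them against the tenant's
# published signing keys, never against a shared secret.
DEMO_SECRET = b"demo-only-secret"
EXPECTED_AUD = "00000000-0000-0000-0000-000000000000"  # constructed API client id


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict) -> str:
    """Build a constructed HS256 JWT so the parsing below has input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def decode_unverified(token: str) -> tuple:
    """What jwt.ms shows: header and payload, with no trust placed in either."""
    header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def delegated_scopes(token: str, expected_aud: str = EXPECTED_AUD) -> list:
    """Return the scp scopes only after the token is verified and addressed to us."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose the algorithm
    expected = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("aud") != expected_aud:
        raise ValueError("token was not issued for this API")
    # scp is one space-separated string, e.g. "Tasks.Read Tasks.Write".
    return claims.get("scp", "").split()
```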
