How to add array of strings returned by Azure Function to OutputClaim in Custom Policy

Cerebral Calm 5 Reputation points
2023-06-06T17:13:46.1366667+00:00

Hi,

I wanted user groups in outputclaims but since Azure AD B2C doesn't support it, I followed the answers to this question.
https://learn.microsoft.com/en-us/answers/questions/818404/role-based-access-for-webapi-in-azure-b2c

I have created an Azure Function to return a string array of groups. I have created custom policy to call the Azure Function. The function is getting executed properly but the return value is not getting processed. Any ideas?

The claims exchange REST-GetUserGroups specified in step 4 returned HTTP error response that could not be parsed. Correlation ID 6940b64c-28fd-4c21-b147-ce924021f8a2


2 answers

  1. Cerebral Calm 5 Reputation points
    2023-06-08T04:06:47.91+00:00

    Those who are facing the same problem should refer to the following post. There is no need for claims transformation. We just need to make sure that the return values returned from the function are in the format that is expected by Azure AD B2C.
    https://nicolas-yuen.medium.com/azure-ad-b2c-custom-policy-with-rest-api-e4dc560b7245

    1 person found this answer helpful.

  2. Akshay-MSFT 17,951 Reputation points Microsoft Employee Moderator
    2023-06-09T04:29:55.7033333+00:00

    @Cerebral Calm

    I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: How to add an array of strings (user groups) returned by an Azure Function to an OutputClaim in a Custom Policy.

    Cause: We can't use Role-based Authorization with Azure AD B2C as it follows Identity Experience Framework to specify which attributes should be collected from the user(s) during sign-up and which application claims should be returned in the token after successful authentication.

    Resolution: We need to make sure that the return values returned from the function are in the format that is expected by Azure AD B2C. Ref: https://nicolas-yuen.medium.com/azure-ad-b2c-custom-policy-with-rest-api-e4dc560b7245

    • The REST API has a single OutputClaim: <OutputClaim ClaimTypeReferenceId="groups" />, which matches the return value of our Azure Function.
    • To return the user custom attribute configured as role in the AD B2C UI and reflected as extension_role in the Graph API, we need to add an output claim for the Azure Active Directory claims provider inherited from TrustFrameworkBase.xml.
    • The REST API defined in a ClaimsProvider is called by adding a new step in the UserJourney section of TrustFrameworkExtensions.xml.

    We add an orchestration step right before sending the JWT:

    <OrchestrationStep Order="7" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="GetUserGroups" TechnicalProfileReferenceId="GetUserGroups" />
      </ClaimsExchanges>
    </OrchestrationStep>

    <OrchestrationStep Order="8" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

    The new orchestration step is of type ClaimsExchange and references the GetUserGroups TechnicalProfile defined in our REST API ClaimsProvider in TrustFrameworkExtensions.xml.

    Thanks,

    Akshay Kaushik

    1 person found this answer helpful.
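The whole thread turns on the shape of the body the Azure Function sends back to the REST technical profile. The following is an added example (not the asker's function and not code from the linked post) that shows a response B2C can map onto the `groups` OutputClaim from the answer above, beside the error envelope B2C expects on a non-2xx status; the "HTTP error response that could not be parsed" message in the question is what you get when neither shape is honoured. It assumes Microsoft's documented REST API claims contract (a flat JSON object keyed by claim name, a string-collection claim as a JSON array, and `version`/`status`/`userMessage` on errors), an input claim named `objectId`, and a constructed in-memory group lookup in place of the directory call.

```python
import json

# Claim name taken from the answer's <OutputClaim ClaimTypeReferenceId="groups" />.
GROUP_CLAIM = "groups"

# Constructed stand-in for the directory lookup the real function performs
# (the page does not show that code). Key: user object ID, value: group names.
SAMPLE_GROUP_LOOKUP = {
    "00000000-0000-0000-0000-000000000001": ["Readers", "Approvers"],
    "00000000-0000-0000-0000-000000000002": [],
}


def b2c_success(claims: dict) -> tuple:
    # 200 with a flat JSON object; an array value maps to a stringCollection claim.
    return 200, claims


def b2c_error(message: str, status: int = 409) -> tuple:
    # Non-2xx bodies must use B2C's error envelope, otherwise the journey fails
    # with "returned HTTP error response that could not be parsed".
    return status, {"version": "1.0.0", "status": status, "userMessage": message}


def get_user_groups_handler(body: str) -> tuple:
    """Hypothetical HTTP-trigger body. Returns (status, JSON text)."""
    try:
        object_id = json.loads(body)["objectId"]  # assumed input claim name
    except (ValueError, KeyError, TypeError):
        status, payload = b2c_error("Request must contain objectId", 400)
        return status, json.dumps(payload)
    groups = SAMPLE_GROUP_LOOKUP.get(object_id)
    if groups is None:
        status, payload = b2c_error("Unknown user")
    else:
        status, payload = b2c_success({GROUP_CLAIM: groups})
    return status, json.dumps(payload)


def is_b2c_parseable(status: int, text: str) -> bool:
    """Pre-deployment check mirroring what B2C requires of a response body:
    a JSON object (never a bare array), and the error envelope on non-2xx."""
    try:
        doc = json.loads(text)
    except ValueError:
        return False
    if not isinstance(doc, dict):
        return False
    if 200 <= status < 300:
        return True
    return {"version", "status", "userMessage"} <= doc.keys()
```

Run `is_b2c_parseable` over your function's real responses in a unit test before wiring the technical profile; a bare `["Readers"]` body is the most common way to hit the error from the question.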
