How to perform CRUD operations for Azure B2C users?

Clay Casper 161 Reputation points
2022-10-19T19:16:48.157+00:00

I have a B2C tenant, an app registered, and the built in user flows set up. When I sign in as one of the users on the client app and go through the edit profile flow, the user's information is updated on Azure's side but not on the client side. The only way I've been able to get the updated information on the client side is to logout of the client application and log back in. Obviously, this is not ideal. A few ideas that I thought have potential are

  1. using the refresh token to get new tokens (I thought maybe that would have the updated user data as well)
    Sending the request to https://tenantname.b2clogin.com/tenantname.onmicrosoft.com/thesignupflow/oauth2/v2.0/token returns all the new tokens, but it doesn't seem to have the updated profile data. I checked the new profile_info token and the new id_token to see if they had the updated profile data, but they didn't. See [this](https://stackoverflow.com/questions/60016498/azure-ad-b2c-how-to-propogate-new-user-claims-to-the-access-token?rq=1#:~:text=B2C%20doesn%E2%80%99t%20refresh%20token%20claims%20on%20refresh%20token%20flows%20(yet).).
  2. using the graph api to send a read request of the signed in user after completing the edit profile flow to fetch the updated information from the azure side.

Is it possible to use the Microsoft graph api with b2c? With the research I've done, the access token that b2c gives the client can't be used to call the graph api. See this; The first suggested option (in that stackoverflow) references an article talking about getting access without a user (link), but I want to only be able to fetch data of the signed in user and not other users. I think that's what delegated permissions are for (see this), but b2c apps only seem to support 2 delegated permissions for the ms graph api. Am I correct in understanding that using app delegated permissions would allow access to all the users? When attempting to call the https://graph.microsoft.com/v1.0/users/me graph endpoint, I get an error: "InvalidAuthenticationToken" and message: "Access token validation failure. Invalid audience." which makes sense if the b2c access token can't be used for the ms graph api.

Another use case for being able to use the graph api would be to allow the user to edit their b2c profile information without having to go through the edit profile user flow. For instance, the client could just have input fields where the user can update their information and then behind the scenes the graph api updates the information with a post request.

So my questions are,

  1. How can I retrieve the updated user account data after the user has updated their data with the edit profile user flow?
  2. Is it possible to use the Microsoft graph api with an app registration that authenticates with Azure B2C?

1 answer

2022-10-20T17:17:49.767+00:00

    Hello @Clay Casper and thanks for reaching out. As already found, MS Graph scopes available to signed in Azure AD B2C consumer users are limited to two: offline_access and openid.

    In order to update any user profile, you may create a custom API that calls the MS Graph as an application and consume it through an API connector.

    For more information on what you can achieve doing MS Graph from an Azure AD B2C tenant please take a look at Manage Azure AD B2C with Microsoft Graph.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.

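The custom API the answer describes holds an application-permission Graph token that can reach every user in the tenant, so the API itself must pin each request to the caller's own object id and to a short list of self-editable attributes. The following is an added illustration of that authorization layer, not code from the thread or from Microsoft; it assumes the B2C access token has already been signature-verified by the API framework (only its claims are passed in), and that the Graph app token is acquired and attached elsewhere, server-side only.

```python
"""Authorization layer for a B2C profile API that calls MS Graph as an application.

Added example (not from the original thread). Assumptions: the caller's B2C
access token was already validated upstream and only its claims reach this code;
the client-credentials Graph token is attached by the HTTP layer and never sent
to the browser; SELF_EDITABLE is this API's own policy, not a Graph constant.
"""
from dataclasses import dataclass
from typing import Any, Mapping, Optional
from urllib.parse import quote

GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# Attributes a consumer may change about themselves. Everything else in the
# PATCH body (userPrincipalName, identities, passwordProfile, ...) is dropped.
SELF_EDITABLE = frozenset({"displayName", "givenName", "surname", "city", "country"})


class Forbidden(Exception):
    """Raised when the caller asks for a user other than themselves."""


@dataclass(frozen=True)
class GraphRequest:
    method: str
    url: str
    body: Optional[dict]


def caller_object_id(claims: Mapping[str, Any]) -> str:
    """The B2C access token carries the directory object id in the `oid` claim."""
    oid = claims.get("oid")
    if not oid:
        raise Forbidden("token has no oid claim")
    return str(oid)


def _self_url(claims: Mapping[str, Any], target_user_id: str) -> str:
    # Never trust the id in the route; it must equal the id in the verified token.
    oid = caller_object_id(claims)
    if target_user_id != oid:
        raise Forbidden("callers may only access their own profile")
    return f"{GRAPH_BASE}/users/{quote(oid, safe='')}"


def build_self_read(claims: Mapping[str, Any], target_user_id: str) -> GraphRequest:
    """GET the caller's profile, restricted to the attributes we expose."""
    fields = ",".join(sorted(SELF_EDITABLE))
    return GraphRequest("GET", f"{_self_url(claims, target_user_id)}?$select={fields}", None)


def build_self_patch(claims: Mapping[str, Any], target_user_id: str, patch: Mapping[str, Any]) -> GraphRequest:
    """PATCH the caller's profile with only the whitelisted attributes."""
    clean = {k: v for k, v in patch.items() if k in SELF_EDITABLE}
    if not clean:
        raise ValueError("no self-editable attributes in request body")
    return GraphRequest("PATCH", _self_url(claims, target_user_id), clean)
```

The returned `GraphRequest` is what the HTTP layer sends to Graph after re-reading the profile this way; the client never sees a Graph token, which answers the question's concern about application permissions exposing other users.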