Custom AD B2C policy to add a User to a group

Robert Florian Raicu 21 Reputation points
2022-11-14T17:55:50.223+00:00

I would like to add a user to a group using a custom policy.

I have this claim:
<ClaimType Id="graphUserUri">
<DisplayName>graphUserUri</DisplayName>
<DataType>string</DataType>
</ClaimType>

Which I use it with this transformation:

  <ClaimsTransformation Id="REST-AddToFreelancersGroup-UserUri" TransformationMethod="FormatStringClaim">  
        <InputClaims>  
          <InputClaim ClaimTypeReferenceId="objectId" TransformationClaimType="inputClaim" />  
        </InputClaims>  
        <InputParameters>  
          <InputParameter Id="stringFormat" DataType="string" Value='{{  "@odata.id " : "https://graph.microsoft.com/v1.0/users/{0}" }}' />  
        </InputParameters>  
        <OutputClaims>  
          <OutputClaim ClaimTypeReferenceId="graphUserUri" TransformationClaimType="outputClaim" />  
        </OutputClaims>  
</ClaimsTransformation>  

I get a token for the graph api using:

<TechnicalProfile Id="REST-AcquireAccessTokenForGraph">  
          <DisplayName>Acquire Token</DisplayName>  
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />  
          <Metadata>  
            <Item Key="ServiceUrl">https://login.microsoftonline.com/TestAuth312.onmicrosoft.com/oauth2/v2.0/token</Item>  
            <Item Key="AuthenticationType">Basic</Item>  
            <Item Key="SendClaimsIn">Form</Item>  
          </Metadata>  
          <CryptographicKeys>  
            <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_MSGraphClientId" />  
            <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_MSGraphClientSecret" />  
          </CryptographicKeys>  
          <InputClaims>  
            <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="client_credentials" />  
            <InputClaim ClaimTypeReferenceId="scope" DefaultValue="https://graph.microsoft.com/.default" />  
          </InputClaims>  
          <OutputClaims>  
            <OutputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="access_token" />  
          </OutputClaims>  
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />  
</TechnicalProfile>  

And I make a call to the graph api to add the user to a group:

        <TechnicalProfile Id="REST-AddToFreelancersGroup">  
          <DisplayName>Add user to group</DisplayName>  
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />  
          <Metadata>  
            <Item Key="ServiceUrl">https://graph.microsoft.com/v1.0/groups/4e780e3e-1d75-4b5b-b1da-7c71edbac077/members/$ref</Item>  
            <Item Key="SendClaimsIn">Body</Item>  
            <Item Key="ClaimUsedForRequestPayload">graphUserUri</Item>  
            <Item Key="AuthenticationType">Bearer</Item>  
            <Item Key="UseClaimAsBearerToken">bearerToken</Item>  
            <Item Key="DebugMode">true</Item>  
          </Metadata>  
          <InputClaimsTransformations>  
            <InputClaimsTransformation ReferenceId="REST-AddToFreelancersGroup-UserUri"/>  
          </InputClaimsTransformations>  
          <InputClaims>  
            <InputClaim ClaimTypeReferenceId="objectId" />   
            <InputClaim ClaimTypeReferenceId="graphUserUri" />   
            <InputClaim ClaimTypeReferenceId="bearerToken" />   
          </InputClaims>  
          <OutputClaims>  
            <OutputClaim ClaimTypeReferenceId="err" />  
          </OutputClaims>  
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />  
</TechnicalProfile>  

All these steps work perfectly in PostMan but as a custom policy they end up in a Bad Request.
My issue is with Custom Policies and Application Insights.
The logs are limited at 30k characters and they terminate right at the important part
260159-image.png

The next log available is just stating that the error happened without further details.

260199-image.png

The generated claim inside the logs looks fine:
"graphUserUri": "{ \"@odata.id \" : \"https://graph.microsoft.com/v1.0/users/f0d3a13e-c2f3-4607-be90-ba0e41ffd0b1\" }"
and I tested the generated bearer token in postman and it works.

The issue seems to be with the call to the API but due to the lack of logs I can't figure it out.
I've tried to enable all the debugging features of the custom policies including
<Item Key="DebugMode">true</Item> for the techincal profile and

DeploymentMode="Development"
UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights"

for the TrustFrameworkPolicy

I'm happy to offer additional details if asked.

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,770 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,601 questions
0 comments No comments
{count} votes

Accepted answer
  1. 2022-11-16T21:38:36.72+00:00

    Hello @Robert Florian Raicu and thanks for reaching out. To better inspect data from both Azure AD B2C request and MS Graph response place create an ngrok HTTP tunnel to MS Graph and target it from your custom policies. You can inspect requests and responses using the ngrok Web Inspection Interface:

    1. Set up the tunnel: ngrok http https://graph.microsoft.com --log-level debug
    2. In your custom policy: Replace https://graph.microsoft.com/v1.0/users/{0} with https://ngrok public facing url/v1.0/users/{0}.
    3. Call the custom policy and inspect the ngrok web interface. E.g. http://127.0.0.1:4040

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful