User impersonation - Can I get id programmatically on behalf of another user?

OctavioCunha-8450 25 Reputation points
2023-05-05T14:56:35.4866667+00:00

Is it possible using user impersonation to get an ID token on behalf of another user?

Let's say I have an admin user (user A) that can impersonate other users, and I have another user (user B) that logs in to the application using his Identity Provider.

Is it possible for this user A to get an ID token (through API) on behalf of user B?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

2 answers

  1. Patchfox 4,006 Reputation points
    2023-05-05T15:59:56.2066667+00:00

    Hi OctavioCunha-8450, I want to help you with this question.

    If I understand you right, you want to have a user principal who has the privilege to act on behalf of another user.

    If the identity of (admin A) could be another EA app in Azure AD, then you are able to act on behalf of another user in application B and get the user token.

    I did a quick search and found the following related thread: https://stackoverflow.com/questions/74516076/how-to-impersonate-user-of-other-azure-ad-app

    Maybe it helps you in your scenario too.


    If the reply was helpful, please don’t forget to upvote or accept it as an answer, thank you.


  2. 2023-05-06T07:48:10.9466667+00:00

    Hello @OctavioCunha-8450, for custom or complex Azure AD B2C flows, you need to switch to Custom Policies. Take a look at the Impersonation Flow for Azure AD B2C sample. For ID token refresh you will need to add a new OrchestrationStep (before SendClaims) with a new ClaimsExchange that would reference a new TechnicalProfile that calls the AAD-ImpersonatedUserRead technical profile (similar to SelfAsserted-TargetEmailExchange but of Protocol Name=None). Keep in mind you will need to pass the targetemail claim as a query param during the token refresh call. You can call the API during refresh token as usual.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.
