How do I request a personal access token in the context of an Azure AD B2C custom policy user journey

Günther Agnes 0 Reputation points
2023-10-04T09:53:35.3266667+00:00

I have a signup/signin/reset password policy (local account only) that returns an access token that I use to authorize API requests in my SPA application. I also have separate policies for changing username/email and changing MFA phone number. After a user changes MFA phone number I want to post the new number to our customer database using a RESTful technical profile in the user journey. My question is how can I authorize this request with the access token issued from the sign-in policy? (other than passing it to the edit phone number policy as a URL parameter). I am signed in with SSO so it seems like it should be possible to do something like acquireTokenSilent (but, again, in an orchestration step).

I don't want to return the phone number as a claim in the token for privacy/security reasons. I thought this would be a reasonably common use case but found nothing about it in documentation or on discussion boards, so maybe I'm going about it all wrong.


1 answer

Sort by: Most helpful
  1. JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
    2023-10-04T22:22:45.42+00:00

    @Günther Agnes

    Thank you for your detailed post!

    To fully ensure I understand your issue correctly I'll summarize it below:

    • You currently have a sign up, sign in, and password reset policy (local account only).
    • The policies return an access token that you use to authorize API requests within your SPA application.
    • In addition to these 3 policies, you have a username/email and MFA phone number change policy.

    Referencing the MFA phone number change policy - after a user changes their MFA number, you want to post the updated number to your customer database using a RESTful technical profile in the user journey (orchestration step). To hopefully help point you in the right direction or resolve your issue, I'll share my findings below.


    Findings:

    To post the new MFA phone number to your customer database using a RESTful technical profile in the user journey, you should be able to do this by adding the orchestration step within your custom policy.

    For example:

    1. Within your MFA phone number change custom policy, add an orchestration step after the user changes their MFA phone number.
    2. Within the orchestration step, you can leverage the ClaimsExchange attribute by adding it to your technical profile to call your RESTful API. For more info.
    3. Specify the necessary Metadata Items within the ClaimsExchange technical profile. For more info - Send a JSON payload.

    Links:

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
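The following is an added illustration of the three steps in the answer above; it is not code from the answer or from Microsoft's starter pack. It shows a RESTful technical profile that posts the updated MFA phone number as a JSON body, plus the orchestration step that invokes it. The profile Id `REST-UpdateCustomerPhone`, the endpoint URL, the partner claim names and the policy key name `B2C_1A_RestApiBearerToken` are assumed placeholders. Instead of forwarding the user's sign-in access token into the second policy via a URL parameter, the policy engine authenticates itself to the API with a bearer secret stored as a policy key (`AuthenticationType` set to `Bearer`), and no `OutputClaims` are declared, so the phone number never needs to be emitted in the issued token.

```xml
<!-- Added example, not part of the original answer. Names and URL are assumed placeholders. -->
<ClaimsProvider>
  <DisplayName>REST APIs</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="REST-UpdateCustomerPhone">
      <DisplayName>Post the updated MFA phone number to the customer database</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <!-- Assumed endpoint; must be HTTPS. -->
        <Item Key="ServiceUrl">https://api.example.com/customers/phone</Item>
        <!-- Send the input claims as a JSON payload in the request body. -->
        <Item Key="SendClaimsIn">Body</Item>
        <!-- The policy engine authenticates to the API with a bearer secret held in a policy key,
             so the user's own access token does not have to cross into this policy. -->
        <Item Key="AuthenticationType">Bearer</Item>
        <!-- Refuse to call an unauthenticated endpoint from a production policy. -->
        <Item Key="AllowInsecureAuthInProduction">false</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Assumed policy key name; create it under Identity Experience Framework > Policy keys. -->
        <Key Id="BearerAuthenticationToken" StorageReferenceId="B2C_1A_RestApiBearerToken" />
      </CryptographicKeys>
      <InputClaims>
        <!-- Partner claim types ("userId", "phoneNumber") are the JSON property names the API expects; assumed. -->
        <InputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="userId" />
        <InputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" PartnerClaimType="phoneNumber" />
      </InputClaims>
      <!-- No OutputClaims: the phone number stays inside the journey and is not returned in the token. -->
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- Orchestration step placed in the phone-change user journey right after the step that collects
     the new number. Replace N with the next Order value in that journey. -->
<OrchestrationStep Order="N" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="UpdateCustomerPhoneExchange" TechnicalProfileReferenceId="REST-UpdateCustomerPhone" />
  </ClaimsExchanges>
</OrchestrationStep>
```

The `ClaimsProvider` goes in the extensions file's `ClaimsProviders` section and the `OrchestrationStep` in the phone-change `UserJourney`. Because a REST call from a claims exchange fails the journey if the API returns an error, the API should validate that the caller is the policy engine (by checking the bearer secret) and that `userId` matches an existing customer before updating the record.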

