Implementing Admin Access in Azure Function with B2C Integration

hampton123 1,135 Reputation points

I'm working on an SPA with Azure AD B2C integration, where users sign in via B2C to perform upload/download requests to an Azure Storage account. The B2C token is sent to an Azure Function that performs storage blob requests, and based on the token sent to the Azure Function the users are assigned a container (after the token is decoded).

I want to create a B2C administrator account that is allowed to access all of the files within all containers. I was wondering what approach I should take in order to do this? A main way that I was thinking about doing this is to take the B2C user's "User type", and include that in the token on login. Then when the token is received with the Azure Function and decoded, if the user is an administrator (or User type higher than Member) then they can access all storage containers in the API. Is this possible, and would it be a good approach?

Thank you in advance, and please let me know if anything needs clarification!


Accepted answer
Thomas Meads 1,586 Reputation points

This seems like an acceptable approach, assuming you can accept that the access token will be valid until the point it expires. Hence if someone's role was changed, they could continue to access the function until the access token expired. This is the main reason ID and access tokens should be short lived. If this isn't acceptable, then you could use the Graph API to get the role of the user at the point of calling the API.

To round this out a little more, Azure B2C has custom attributes for these kinds of use cases, as it is an attribute about the user which is slow moving and is shared across an application (or many applications). There is the alternative approach of storing the roles of a user in a separate store which you can get at the point of auth to attach to the token, or have an authorisation service that the function calls directly.

Given it was the approach you asked about, I would store the role claim in B2C and attach it to the token on the user authenticating.

Hope this helps.

1 person found this answer helpful.
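As an added illustration of the approach discussed above (example code, not from the question, the answer, or any Microsoft sample): the authorization decision an Azure Function could make once the B2C token has been verified. It assumes signature, issuer and audience checks have already been done by a JWT library against the B2C JWKS, that the per-user container is derived from the `oid` claim, and that the role lives in a custom attribute surfaced as `extension_UserRole`; all three are assumptions, and the claim objects are constructed sample input.

```javascript
// Added example: claims-to-container authorization for the Azure Function.
// Assumes the JWT has ALREADY been signature-verified (issuer, audience, JWKS);
// this function only decides what the verified claims permit.
// Assumed claim names:
//   oid                - B2C object id, used here as the per-user container key
//   extension_UserRole - B2C custom attribute ("Member" | "Admin") emitted in the token
const ADMIN_ROLES = new Set(["Admin"]);

// Containers are named after the user's oid (assumption for this example),
// lower-cased because Azure container names must be lower-case.
function containerForUser(claims) {
  if (typeof claims.oid !== "string" || claims.oid.length === 0) {
    return null;
  }
  return `user-${claims.oid.toLowerCase()}`;
}

// Decide whether the caller may touch `requestedContainer`.
// `nowSeconds` is injectable so expiry logic can be exercised deterministically.
// `maxTokenAgeSeconds` bounds how long a stale role claim is honoured, which is
// the caveat from the accepted answer: a demoted admin keeps access until the
// token that carried the old role can no longer be used.
function authorizeBlobAccess(claims, requestedContainer, nowSeconds, maxTokenAgeSeconds = 3600) {
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) {
    return { allowed: false, reason: "token expired" };
  }
  if (typeof claims.iat === "number" && nowSeconds - claims.iat > maxTokenAgeSeconds) {
    return { allowed: false, reason: "token older than policy allows" };
  }
  if (ADMIN_ROLES.has(claims.extension_UserRole)) {
    // Admin override: every container is reachable.
    return { allowed: true, reason: "admin role grants access to all containers" };
  }
  const own = containerForUser(claims);
  if (own === null) {
    return { allowed: false, reason: "no oid claim, cannot assign a container" };
  }
  if (requestedContainer !== own) {
    // Members are confined to the single container derived from their token.
    return { allowed: false, reason: `member may only access ${own}` };
  }
  return { allowed: true, reason: "member accessing own container" };
}
```

The function body that handles the blob request would call `authorizeBlobAccess` before issuing any storage operation and return 403 on `allowed: false`.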
