Change Microsoft Entra External ID custom attribute using Microsoft Graph API

Michal Durista 66 Reputation points
2024-03-04T14:10:58.2666667+00:00

We are using Microsoft Entra External ID. I have defined a custom user attribute TestAttribute (string) which is collected during sign-up and is also added as a claim in the JWT token. View from Entra admin center -> Enterprise applications -> Single sign-on:

Everything works fine, the token has TestAttr value as expected (collected from sign up).

However, I want to change this value using Graph API. Previously when working with Azure B2C, this code worked fine:


using System.Collections.Generic;
using Microsoft.Graph;
using Microsoft.Graph.Models;

// customAttribute holds the full extension property name (e.g. extension_extAppId_testattribute)
var extensionInstance = new Dictionary<string, object> { { customAttribute, attributeValue } };
var updatedResult = await _graphServiceClient
	.Users[userId]
	.PatchAsync(new User
	{
		// Directory extensions are sent as additional top-level properties of the user
		AdditionalData = extensionInstance
	});

where customAttribute was indeed extension_extAppId_testattribute. This doesn't work now - it isn't part of the JWT token anymore once I change its value, although I can see the value when using Microsoft Graph:


// Read the extension property back; it is only returned when explicitly selected
var user = await _graphServiceClient.Users[userId].GetAsync(config =>
{
	config.QueryParameters.Select = new[] { "extension_extAppId_testattribute" };
});

What bothers me is that before changing it via the API, this GET request didn't return anything, BUT the collected value was in the token. The logical assumption would be that working with the attributes is different for Entra External ID than for Azure B2C - but I have no idea how to get this to work.

So the question is, how can I change the value of a custom user attribute so that it is still part of the JWT token?

Thanks


Accepted answer
  1. Shweta Mathur 29,741 Reputation points Microsoft Employee
    2024-03-05T07:58:46.6033333+00:00

    Hi @Michal Durista ,

    Thanks for reaching out.

    Microsoft Entra External ID and Azure AD B2C are two separate platforms powered by ESTS and IEF respectively.

    There are different Microsoft Graph API endpoints that allow you to manage resources in your Microsoft Entra ID for customers directory.

    However, you can update the extension attribute of an External ID customer in a similar way for Entra ID for customers as for B2C and Microsoft Entra custom attributes, as mentioned below:

    I created this custom attribute in my External ID for customers tenant, extension_700295f86fbe4d649b152100a99c7370_TestAttribute, and collected data for it during sign-up for the user.


    using System.Collections.Generic;
    using Microsoft.Graph.Models;

    // The extension is patched as an additional property named extension_{appId}_{AttributeName}
    var requestBody = new User
    {
        AdditionalData = new Dictionary<string, object>
        {
            { "extension_700295f86fbe4d649b152100a99c7370_TestAttribute", "Test1" },
        },
    };
    var result = await graphClient.Users["{user-id}"].PatchAsync(requestBody);

    To get the extension attribute of a user, you can still use the existing user's v1 endpoint with $select, or the beta endpoint directly.


    Reference - https://learn.microsoft.com/en-us/graph/extensibility-overview?tabs=csharp#update-or-delete-directory-extensions

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.


2 additional answers

Sort by: Most helpful
  1. Michal Durista 66 Reputation points
    2024-03-05T08:24:36.6333333+00:00

    Thank you for your answer, but basically you just did what I did in the question, this still doesn't resolve my problem that the custom attribute stops being part of the JWT token as claim after updating it.

    Note: have you tried to get the value of the custom attribute (just as you do in your answer) BUT before actually patching it? So that you have the value that was collected from the sign up?


  2. Shweta Mathur 29,741 Reputation points Microsoft Employee
    2024-03-06T07:50:06.3133333+00:00

    Michal Durista

    Apologies for misunderstanding the ask. So, your ask is that after updating the custom claim through the Graph API, the updated value of the custom claim is not reflected in the token. Is my understanding correct?

    I reproduced the scenario again using the steps below:

    1. Sign up with a new user to collect the custom claim.
    2. Update the custom claim with a new value using the Graph API.
    3. Sign in with the same user from step 1 to check the updated value. As you can see, my initial value collected during sign-up was "CustomAttribute", which has been updated to "CustomAttributeUpdated" in the token.

    Note that it took some time for the changes to be reflected in the token. I waited 15 minutes to sign in again with the same user.

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.
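The raw Microsoft Graph REST calls behind the SDK snippets in the question and the accepted answer, combined with the read-before/update/read-after check from the reproduction steps above, as an added example that is not part of the question or any answer. It uses only the Python standard library; the access token, user object ID and the extension-owning app ID are placeholders you must supply.

```python
"""Raw Graph REST equivalent of the SDK calls on this page (added example, stdlib only)."""
import json
import urllib.request
from typing import Optional
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"


def extension_property_name(extensions_app_id: str, attribute: str) -> str:
    """Directory extensions are named extension_{appId without hyphens}_{AttributeName}."""
    return f"extension_{extensions_app_id.replace('-', '')}_{attribute}"


def select_url(user_id: str, prop: str) -> str:
    """GET /users/{id}?$select=... is what the SDK's QueryParameters.Select sends."""
    return f"{GRAPH}/users/{quote(user_id)}?$select={quote('id,' + prop, safe=',')}"


def patch_body(prop: str, value: str) -> bytes:
    """PATCH /users/{id} carries the extension as a top-level JSON property (AdditionalData)."""
    return json.dumps({prop: value}).encode()


def read_value(user_json: dict, prop: str) -> Optional[str]:
    """Graph omits the property when nothing is stored, so a missing key means 'not set',
    which is what the question's GET returned before the first PATCH."""
    return user_json.get(prop)


def graph_request(method: str, url: str, token: str, body: Optional[bytes] = None) -> dict:
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:  # a successful PATCH returns 204 with no body
        raw = resp.read()
    return json.loads(raw) if raw else {}


if __name__ == "__main__":
    # Placeholders: an app-only token with User.ReadWrite.All and the extension-owning app ID.
    token, user_id = "<access-token>", "<user-object-id>"
    prop = extension_property_name("<extensions-app-id>", "TestAttribute")
    before = read_value(graph_request("GET", select_url(user_id, prop), token), prop)
    graph_request("PATCH", f"{GRAPH}/users/{quote(user_id)}", token, patch_body(prop, "Test1"))
    after = read_value(graph_request("GET", select_url(user_id, prop), token), prop)
    print(f"before={before!r} after={after!r}")
    # The ID token shows the new value only after propagation and a fresh sign-in.
```

Run the read step once before the first PATCH to confirm whether the sign-up value is actually stored under that property name; a missing key there, as in the question, is the condition to investigate.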
