Azure AD B2C Application won't show up as an option to add role assignment. (Graph API)

Leandro Teles 36 Reputation points
2021-01-14T02:33:53.107+00:00

I'm following this documentation:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started?tabs=app-reg-ga

And I found another question answered that I thought fit my case:
https://learn.microsoft.com/en-us/answers/questions/199433/can39t-add-role-assignments-to-azure-b2c-applicati.html

My problem is that the app that I registered will not appear as an option when I try to follow the "Enable user delete and password update" portion of the documentation.

I am also mindful of the notice "Please allow a few minutes to for the permissions to fully propagate." But I've at it for 2 hours now, so I don't think that is the problem.

Here is my App and its API permissions:

56358-image.png

And my B2C Tenant

56259-image.png

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,672 questions
{count} votes

Accepted answer
  1. JamesTran-MSFT 36,466 Reputation points Microsoft Employee
    2021-01-21T21:09:08.343+00:00

    @Leandro Teles and @arun mohan ,
    Thank you both for the quick follow-up! I've created a short GIF that should help walk you through the steps.

    @Varun CT
    I've reached out to our Product Group regarding your ask and providing them the details you mentioned.
    -Is there any way to automate this process without Graph explorer?(i.e. using AzureAD app registration)

    Alternate Solution:
    Using this MS Graph API to assign the service principal of the application the necessary role if desired.

    1. Find the service principal id of the application. You can use GET /servicePrincipals to do this. Graph Explorer Link.
      59205-getserviceprincipals.gif
    2. Find the role template id of the desired role. You can use GET /DirectoryRoles for listing them. If you don't see User Admin role proceed to step 3.
      59247-getdirectoryrolesv2.gif
    3. Activate the desired role using POST /directoryRoles and the RoleTemplateID.
    4. Add the service principal as a "member" to the directory role using POST /directoryRoles/{ID}/members/$ref in which the body is {
      "@odata.id": "https://graph.microsoft.com/beta/servicePrincipals/<servicePrincipalId>"
      }
      59080-addrole.gif
    5. Check if your role was assigned correctly to your B2C app.
      59281-checkrole.gif

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    1 person found this answer helpful.

3 additional answers

Sort by: Most helpful
  1. Randall Rivera 31 Reputation points
    2021-01-17T18:40:23.117+00:00

    ano update on this? this has become our blocker in our application..

    2 people found this answer helpful.
    0 comments No comments

  2. AmanpreetSingh-MSFT 56,316 Reputation points
    2021-01-18T12:40:32.15+00:00

    Hi All · Thank you for reaching out.

    There seems to be an issue with the UI. I will report the issue to the product team and get it addressed.

    However, as of now, you can follow below steps and use PowerShell to add application to the User Administrator role:

    1. Install latest Azure AD PowerShell Module.
    2. Run Connect-AzureAD -TenantId Your_B2CTenant.onmicrosoft.com and sign in with Global Administrator account in that tenant.
    3. Run Get-AzureADDirectoryRole cmd and copy the object id of the User Administrator role.
    4. Navigate to Azure AD > Enterprise Applications > Search the app and copy the object id of the app.
    5. Run Add-AzureADDirectoryRoleMember -ObjectId object_ID_copied_in_Step3 -RefObjectId object_ID_copied_in_Step4 cmdlet.

    To verify, navigate to Azure AD B2C > Roles and Administrators > User Administrator. You should see the application present under this role.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  3. JamesTran-MSFT 36,466 Reputation points Microsoft Employee
    2021-01-19T17:36:10.587+00:00

    Hi All,
    Thank you for adding to this thread and for your patience. I received a response from our product team and will post the alternate solution below while the portal experience is being investigated.

    Alternate Solution:
    Using this MS Graph API to assign the service principal of the application the necessary role if desired.

    1. Find the service principal id of the application. You can use GET /servicePrincipals to do this.
    2. Find the role template id of the desired role. You can use GET /DirectoryRoles for listing them
    3. Activate the desired role using POST /directoryRoles
    4. Add the service principal as a "member" to the directory role using POST /directoryRoles/{ID}/members/$ref in which the body is {
      "@odata.id": "https://graph.microsoft.com/beta/servicePrincipals/<servicePrincipalId>"
      }

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.