Hi @Samuel Johnson , here are the answers that I hope will help you:
How do I invite consumer users to a B2C tenant so that they can authenticate into our application using their social accounts (ex: Personal Microsoft or Google accounts)? The only baked in solution on the Azure Portal I've found uses B2C local accounts. Note that I do not want to use a publicly accessible Sign Up flow.
- Presently I'm looking into a custom process that would work by inviting users to a 'local' b2c consumer account and then allowing the user to associate their social account with the local account.
Ans: The better way to achieve this is to create a local account in Azure AD B2C directory, Azure AD Graph API or User Portal and then send an email to the user with instructions to select "Forget Password" and update the random password used while creating the local user account initially.
There is another way to achieve the same and that is using the Custom Policies. Using custom policies, you can create an invitation flow. The invitation flow would ideally invite a new user by pre-registering a local account in the Azure AD B2C directory using the Azure AD Graph API and then sending a signed redemption URL to the email address of the local user. This redemption link redirects the user to the password reset policy in Azure AD B2C.
You can also take a look at the following sample available which implements the Invitation User Journey in the custom policy: https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/tree/master/wingtipgamesb2c
Check out the Implementing an invitation flow, Sample by Kloud.docx present in this repo, to read more about implementing this policy and the sample app.
Once users have authenticated (using MSAL v2 Auth Flow w/PKCE), I want to retrieve a list of permissions the user has for our application.
- I'm looking into two options here:
(1) use the auth token to verify user against an internal API that, in turn, makes a call to the Microsoft Graph API to get the user's group memberships.
(2) Create a custom claim that serves the same purpose as user groups
Ans: Once the user gets the access-token, it should have a property called scp (or scopes). You can find these properties by decoding the JWT access-token using a tool like https://JWT.ms. The property scp can be parsed from the decoded JWT access-token; that's the property that would contain all the delegated permissions (user permissions) that can be used to make further Graph API calls. All applications using MSAL usually read the scp property after decoding the access-token to fetch the user permissions.
I hope this helps! Please let me know if you have any other questions.
Best,
James
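Added example (not code from this answer, from Microsoft, or from the linked Kloud sample) covering both parts of the reply above: the "signed redemption URL" that an invitation flow mails to a pre-registered local account, and reading the scp claim out of a JWT access token. Everything here is constructed and uses only the Python standard library: the invitation link is an HMAC-signed, expiring payload, and the access token is signed with HS256 using a constructed shared key as a stand-in for the RS256 tenant keys Azure AD B2C actually uses. The key names, URLs and claim values are assumptions for the demo; the one point the code is meant to show is that the scp claim is only read after the signature, audience and expiry checks pass, the same order a production validator would follow before trusting any claim.

```python
"""Constructed demo: signed invitation links and scp extraction (stdlib only)."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: server-side secrets; real deployments load these from a key store.
INVITE_KEY = b"constructed-invite-key-demo-only"
TOKEN_KEY = b"constructed-token-key-demo-only"  # HS256 stand-in for the tenant's RS256 key


def b64url_encode(raw: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that b64url_encode stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, data: bytes) -> str:
    return b64url_encode(hmac.new(key, data, hashlib.sha256).digest())


# ---- Part 1: invitation flow (pre-registered local account + signed link) ----

def make_redemption_url(email: str, base_url: str, now=None, ttl: int = 3600,
                        key: bytes = INVITE_KEY) -> str:
    """Build the link mailed to an invited user: who it is for and when it expires,
    bound together by an HMAC so neither field can be altered."""
    now = int(time.time()) if now is None else int(now)
    payload = b64url_encode(json.dumps({"email": email, "exp": now + ttl}).encode())
    return f"{base_url}?{urlencode({'token': payload, 'sig': _sign(key, payload.encode())})}"


def redeem(url: str, now=None, key: bytes = INVITE_KEY):
    """Return the invited email if the link is intact and unexpired, else None.
    The signature is checked before the payload is parsed at all."""
    now = time.time() if now is None else now
    qs = parse_qs(urlparse(url).query)
    payload, sig = qs.get("token", [""])[0], qs.get("sig", [""])[0]
    if not hmac.compare_digest(_sign(key, payload.encode()), sig):
        return None
    claims = json.loads(b64url_decode(payload))
    if claims["exp"] < now:
        return None
    return claims["email"]


# ---- Part 2: reading scp from an access token, after validating it ----

def make_access_token(claims: dict, key: bytes = TOKEN_KEY) -> str:
    """Mint a constructed HS256 JWT so the demo runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{_sign(key, f'{header}.{body}'.encode())}"


def scopes_from_token(token: str, expected_aud: str, now=None,
                      key: bytes = TOKEN_KEY):
    """Return the delegated permissions in scp as a list, or None if the token
    fails signature, audience or expiry checks. scp is a space-separated string
    in Azure AD tokens, so it is split on whitespace."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    if not hmac.compare_digest(_sign(key, f"{header}.{body}".encode()), sig):
        return None
    claims = json.loads(b64url_decode(body))
    if claims.get("aud") != expected_aud or claims.get("exp", 0) < now:
        return None
    return claims.get("scp", "").split()


if __name__ == "__main__":
    link = make_redemption_url("alice@example.com", "https://example.invalid/redeem", now=1000)
    print("redeem ->", redeem(link, now=1500))
    tok = make_access_token({"aud": "api://demo-app", "exp": 2000, "scp": "User.Read Files.Read"})
    print("scopes ->", scopes_from_token(tok, "api://demo-app", now=1500))
```

The invitation half and the token half deliberately share the same small helpers: a signed link and a JWT are the same pattern (base64url payload plus an HMAC or signature over it), and in both cases the claims inside are untrusted input until the signature check succeeds. Swapping HS256 for the tenant's RS256 keys means replacing `_sign` with an RSA verification against the keys published at the B2C policy's metadata endpoint; the surrounding audience and expiry logic stays the same.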