Here's how you can add the role attribute:
And here you configure it to be collected during signup and to be returned in the token:
[I see that using Microsoft Graph is not supported for] applications like 4-2-B2C. So what options do I have for enhancing such a B2C application with authorization? Some simple authorization roles like admin, delux_paid, basic_paid and guest would be a nice starter.
This 4-2-B2C example is demonstrating an authenticated ASP.NET client calling a microservice web app. I could implement my own database table with a primary key of the users object id and a varchar role_name column myself and then construct the appropriate claim before calling the downstream microservice I suppose.
I hope there is a better option.
Wed Feb 17 2021 Mid Afternoon Update:
Ah hah! Looks like I need to create a REST service and add the URL to TrustFrameworkExtensions.xml as described here: custom-policy-rest-api-claims-exchange.
Can I continue to use the B2C_1_SUSI user flow I created previously for the 4-2-B2C example as described in tutorial-create-user-flows or do I have to create a new special user flow?
Fri Feb 17 2021 Morning Update:
Darn! I'm having trouble posting comments... I only wanted to delete one comment and it deleted both... So I am updating here.
I tried Alfredo's sample last night and it works!
Now to learn how you did that!
... Saving my work... More questions coming... Got to run errands...
Mon Feb 22 2021 Morning Update:
Please see my comment I made last night... I'm not sure how to create a local user...
I've been thinking about using MS Graph (or powershell) instead of Creating Custom Policies with a custom REST service to implement role based authorization. The advantage of custom policies is that we have a database we can manipulate.
However, AAD has implemented a little database table of users for me and the problem with MS Graph is that manipulating the table with a script might be difficult if I had hundreds of users...
I'd like to discuss using powershell scripts (instead of MS Graph) to populate the custom user attribute called Role that I created so I can write scripts. I'm hoping this will be easier than using Custom Policies... Can you provide guidance on such a powershell script? Of course, there would be merit to me learning & using MS Graph first so I can see it work on my instance of the web site.
Wed Feb 24 2021 Update:
Regarding my goal to use Graph to populate my newly created user attribute (called "Role") in my AADB2C tenant:
I keep asking how to indicate which B2C tenant I want to use and I believe a previous response was that MS Graph looks at the account I log into Graph with.
Let me clarify my accounts: I just confirmed that I have two hotmail accounts with the identical names... The only difference is their passwords... The hotmail account with the new password only works in one place and that is my instance of 4-2-B2C when running locally on my dev machine or publicly on AKS. I just confirmed this this morning. I also have a gmail account I can log into 4-2-B2C with too.
The old hotmail account with the old password works for hotmail.com and logging into portal.azure.com and logging into MSGraph... So MSGraph is obviously not successfully reading my mind and looking up accounts and passwords in my desired AADB2C tenant. And to confirm this MSGraph (not surprisingly) won't accept my gmail account/password either.
So please help me understand how to tell graph which tenant to use.
You will require OIDC, which sits over OAuth2, to issue a token with claims. The other option is SAML, which is more complex. Those are the protocols used by Azure authentication and authorization.
Sorry, I need some more help... So, assuming we are using MS Graph
(1) Where do I specify which AAD tenant I'm using?
(2) I assume I log in using my hotmail account that I use to login to portal.azure.com... At portal.azure.com I can see bell50team@Stuff account in the list of users.
(3) I want to make bell50team@Stuff .com an admin. So I run the query with https://graph.microsoft.com/v1.0/users/<bell50teamObjectId> Correct?
(4) I run the GET query and I see my hotmail account ... Not what I want...
Is powershell any easier?... I tried logging in with Connect-AzureAD and then
Get-AzureADUser -Searchstring "bell50team" could not find my gmail account...
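The Feb 22 and Feb 24 updates and the comment above both ask how to populate the custom "Role" attribute with a script and how to tell Graph which B2C tenant to use. The script below is an added example, not code from the thread or from Microsoft; it assumes the tenant's *.onmicrosoft.com name, an app registration in that tenant used with the client-credentials grant, and the client id of the tenant's b2c-extensions-app, all supplied as placeholders through environment variables.

```python
"""Populate the custom B2C user attribute "Role" via Microsoft Graph.
Assumptions (not from the thread): the B2C tenant is addressed by its
*.onmicrosoft.com name, an app registration there has application permission
User.ReadWrite.All (admin consented), and the attribute was created in the portal."""
import json
import os
import urllib.parse
import urllib.request

ALLOWED_ROLES = {"admin", "delux_paid", "basic_paid", "guest"}  # roles named in the thread

def token_endpoint(tenant_name: str) -> str:
    # The tenant is chosen here, in the token authority, not inferred from
    # whichever account you happen to use for portal.azure.com.
    return f"https://login.microsoftonline.com/{tenant_name}.onmicrosoft.com/oauth2/v2.0/token"

def extension_attribute(b2c_extensions_app_id: str, name: str) -> str:
    # B2C exposes custom attributes as extension_<appId without '-'>_<name>.
    return f"extension_{b2c_extensions_app_id.replace('-', '')}_{name}"

def role_patch_body(b2c_extensions_app_id: str, role: str) -> dict:
    # Allowlist the value: it is returned in tokens as a claim, so an unexpected
    # role string written here becomes an authorization bug in the microservice.
    if role not in ALLOWED_ROLES:
        raise ValueError(f"refusing to write unknown role {role!r}")
    return {extension_attribute(b2c_extensions_app_id, "Role"): role}

def get_app_token(tenant_name: str, client_id: str, client_secret: str) -> str:
    # OAuth2 client-credentials grant against the B2C tenant's own authority.
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(token_endpoint(tenant_name), data=form) as resp:
        return json.load(resp)["access_token"]

def set_user_role(token: str, user_object_id: str, ext_app_id: str, role: str) -> int:
    # PATCH /users/{objectId} with the extension property; HTTP 204 means success.
    req = urllib.request.Request(
        f"https://graph.microsoft.com/v1.0/users/{user_object_id}",
        data=json.dumps(role_patch_body(ext_app_id, role)).encode(), method="PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

if __name__ == "__main__":  # every value is a placeholder read from the environment
    tok = get_app_token(os.environ["B2C_TENANT"], os.environ["B2C_CLIENT_ID"],
                        os.environ["B2C_CLIENT_SECRET"])
    print(set_user_role(tok, os.environ["USER_OBJECT_ID"], os.environ["B2C_EXT_APP_ID"], "admin"))
```

The client id of the b2c-extensions-app is visible under App registrations (all applications) in the B2C tenant; a PowerShell equivalent would be Connect-AzureAD -TenantId followed by Set-AzureADUserExtension with the same extension name.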