How to add authorization to basic AAD/B2C Web App?

Siegfried Heintze 1,786 Reputation points

I see that using Microsoft Graph is not supported for applications like 4-2-B2C. So what options do I have for enhancing such a B2C application with authorization? Some simple authorization roles like admin, delux_paid, basic_paid and guest would be a nice starter.
This 4-2-B2C example is demonstrating an authenticated ASP.NET client calling a microservice web app. I could implement my own database table with a primary key of the user's object id and a varchar role_name column myself and then construct the appropriate claim before calling the downstream microservice I suppose.
I hope there is a better option.
Wed Feb 17 2021 Mid Afternoon Update:
Ah hah! Looks like I need to create a REST service and add the URL to TrustFrameworkExtensions.xml as described here: custom-policy-rest-api-claims-exchange.
Can I continue to use the B2C_1_SUSI user flow I created previously for the 4-2-B2C example as described in tutorial-create-user-flows or do I have to create a new special user flow?
Fri Feb 17 2021 Morning Update:
Darn! I'm having trouble posting comments... I only wanted to delete one comment and it deleted both... So I am updating here.
I tried Alfredo's sample last night and it works!
Now to learn how you did that!

  1. How did you put that extra field for Roles on the signup page? I probably don't want that for production but I might want it for debugging... I added a new attribute called Roles of type string. I also went to B2C_1_SUSI and exposed "Role" in the claim. Did I miss anything?
  2. So considering production: how can I use the Web UI to assign admin to one of my logins?
  3. What else did you do to your tenant? Did you go to Expose an API and add scopes "User" and "Admin"?
  4. Now I want to pass this new scope on to the REST API... Do I need to update Startup.cs Line 51?
  5. What else do I need to enhance?

... Saving my work... More questions coming... Got to run errands...
Mon Feb 22 2021 Morning Update:
Please see my comment I made last night... I'm not sure how to create a local user...
I've been thinking about using MS Graph (or powershell) instead of Creating Custom Policies with a custom REST service to implement role based authorization. The advantage of custom policies is that we have a database we can manipulate.
However, AAD has implemented a little database table of users for me and the problem with MS Graph is that manipulating the table with a script might be difficult if I had hundreds of users...
I'd like to discuss using powershell scripts (instead of MS Graph) to populate the custom user attribute called Role that I created so I can write scripts. I'm hoping this will be easier than using Custom Policies... Can you provide guidance on such a powershell script? Of course, there would be merit to me learning & using MS Graph first so I can see it work on my instance of the web site.
Wed Feb 24 2021 Update:
Regarding my goal to use Graph to populate my newly created user attribute (called "Role") in my AADB2C tenant:
I keep asking how to indicate which B2C tenant I want to use and I believe a previous response was that MS Graph looks at the account I log into Graph with.
Let me clarify my accounts: I just confirmed that I have two hotmail accounts with the identical names... The only difference is their passwords... The hotmail account with the new password only works in one place and that is my instance of 4-2-B2C when running locally on my dev machine or publicly on AKS. I just confirmed this this morning. I also have a gmail account I can log into 4-2-B2C with too.
The old hotmail account with the old password works for logging into MSGraph... So MSGraph is obviously not successfully reading my mind and looking up accounts and passwords in my desired AADB2C tenant. And to confirm this MSGraph (not surprisingly) won't accept my gmail account/password either.
So please help me understand how to tell graph which tenant to use.


Accepted answer
  1. Alfredo Revilla (Personal Account) 376 Reputation points

    Here's how you can add the role attribute:


    And here you configure it to be collected during signup and to be returned in the token:


    And this is how you can update the role attribute. For all I recall the portal won't allow you so you need MS Graph or Powershell.


    Have fun!!!
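The question asks how to populate the custom "Role" attribute by script and how to tell Graph which B2C tenant to use, and the accepted answer says the portal won't update it, so MS Graph or PowerShell is needed. The following is an added Python example (not code from the poster, the answerer, or the 4-2-B2C sample). It assumes an app registration in the B2C tenant with the User.ReadWrite.All application permission, and it uses placeholder values for the tenant, client id, secret, the b2c-extensions-app id and the user object id; the allowed-role list is a hypothetical one taken from the roles named in the question.

```python
import json
import urllib.parse
import urllib.request

# Constructed placeholder values: replace with the real ones from your B2C tenant.
TENANT = "contoso.onmicrosoft.com"                          # the B2C tenant itself, not a personal account
CLIENT_ID = "00000000-0000-0000-0000-000000000001"          # app registration with User.ReadWrite.All (application)
CLIENT_SECRET = "<client-secret-placeholder>"
B2C_EXTENSIONS_APP_ID = "11111111-2222-3333-4444-555555555555"  # client id of the tenant's b2c-extensions-app

# Hypothetical allow-list built from the roles named in the question.
ALLOWED_ROLES = {"admin", "delux_paid", "basic_paid", "guest"}


def extension_attribute_name(extensions_app_id: str, attribute: str) -> str:
    """B2C exposes a custom attribute through Graph as extension_<app-id-without-dashes>_<Name>."""
    return f"extension_{extensions_app_id.replace('-', '')}_{attribute}"


def token_url(tenant: str) -> str:
    """Tenant-specific token endpoint: the tenant in the token is what Graph acts on."""
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def role_patch_body(extensions_app_id: str, role: str) -> dict:
    """Body for PATCH /users/{id}; refuses any role outside the allow-list."""
    if role not in ALLOWED_ROLES:
        raise ValueError(f"unknown role: {role}")
    return {extension_attribute_name(extensions_app_id, "Role"): role}


def get_app_token(tenant: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant for Graph, scoped to the given tenant."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(token_url(tenant), data=form) as resp:
        return json.load(resp)["access_token"]


def set_user_role(token: str, user_object_id: str, role: str) -> int:
    """PATCH the user's Role extension attribute; Graph returns 204 on success."""
    req = urllib.request.Request(
        f"https://graph.microsoft.com/v1.0/users/{user_object_id}",
        data=json.dumps(role_patch_body(B2C_EXTENSIONS_APP_ID, role)).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    print(set_user_role(get_app_token(TENANT, CLIENT_ID, CLIENT_SECRET), "<user-object-id>", "admin"))
```

Read the attribute back with GET /users/{id}?$select=<extension attribute name> to confirm the write before relying on it in the user flow's token claims.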

5 additional answers

  1. Alfredo Revilla (Personal Account) 376 Reputation points

    No problem.

    1. MS Graph will extract the tenant from your access token.
    2. If you log into Graph Explorer using your personal account (@Karima ben .com) you will work on the scope of the tenant which has nothing to do with yours. Use a local (no guest) account from the tenant.
    3. No. It will be easier if you do it using the portal.
    4. This is related to number 2.

    What kind of account is bell50team@Stuff ? local? guest? b2c? (this could change my response for 2 and 4)