This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 56.00000000000001%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESH%3C/text%3E%3C/svg%3E)
My application utilizes Azure b2c to handle authentication and authorization. Users are created by backend service via Graph API, and only enable Sign In User Flow with some attributes return in application claim. During user creation process, some user attributes and custom attribute "Role" will be assign value, these attributes will be use by backend service for access control.
As my application rely on user attributes(claims) in token for access control, these attributes should not be modify by user. Although Sign In User Flow does not collect user attributes, but I am not sure is any other ways for user to modify attributes.
How to prevent b2c user update attributes ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hi @Sen Hui Lim ,
Just to make sure I understand your question correctly, is your goal to ensure that users are not able to update any user attributes, or just custom roles? They won't be able to increase the scope of their roles. Can you clarify what your concern and main objective is?
An admin can edit an existing user's custom attributes using Graph API , or allow the existing user to edit their own attributes via a Profile Edit policy or a Signup\Sign In policy that has the extension attribute as an output claim (step 12 -> collect\return). If the user doesn't have the claim populated, they will be asked to provide it.
To add additional info to my question.
The "user" defined in above question is b2c user (external user).
My concern is whether user able to edit their own attributes in any other ways, is okay for admin (internal user) to edit. Since my backed service rely on attributes to perform access control, I don't want user to edit their own attributes, this break my system.
In User Flow, I only create Sign In Policy to allow user sign in without collect user attributes. But I am not sure this is secure enough to prevent user to to edit their own attributes, or any further actions I should do.
Hi @Sen Hui Lim ,
Thanks for adding more context. If you are only using a Sign In flow, consumer b2c accounts cannot modify their attributes, as the policy prevents it. That is why we have a "Profile edit" flow. Also, those consumer accounts cannot sign in into the Entra ID Portal/Azure Portal.
Hope this clarifies.
Hi @Sen Hui Lim ,
To add to the previous comments, you would need to add the user in the role of External ID User Flow Attribute Administrator to allow the creation of the custom attributes. Users with the role of "External ID User Flow Attribute Administrator" can add or delete custom attributes available to all user flows in the tenant. As such, users with this role can change or add new elements to the end user schema and impact the behavior of all user flows and indirectly result in changes to what data may be asked of end users and ultimately sent as claims to applications.
If you add the user to above role then they should be able to create the custom attributes. Otherwise I believe they would lack the permissions you are describing. Please feel free to add more context though if I am missing something.
I added more info in comment for clarify my question.
My main concern is If I only create Sign In Policy in user flow, is it enough to prevent user (b2c external user) to edit their own attributes. Or any further action I should do to achieve this.